Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?
a. The level of acceptable risk to the organization
b. The number of vulnerabilities to the system
c. The number of threats to the system
d. The organization's available budget