Risk Management:
What is the best value that should be assessed when evaluating the worth of an information asset to the organization: replacement cost or the lost income while repairing or replacing? What is the likelihood value of a vulnerability that no longer must be considered?
In what instances is baselining or benchmarking superior to cost benefit analysis? How can we find out what the organization's risk appetite is? Why is this important?