Prioritizing Response Actions

B.

The CISO is performing a qualitative assessment of risk to prioritize response actions based on the identified risk.

Qualitative risk assessment is a process that identifies, analyzes, and evaluates risks based on their potential impact, likelihood, and other qualitative factors, such as the exposure factor and external accessibility.

The CISO is using past experience to take into account the exposure factor as well as the external accessibility of the weakness identified to judge the potential impact of the identified risk. This judgment helps the CISO to prioritize response actions, such as risk treatment strategies.

Quantitative risk assessment, on the other hand, involves assigning numerical values to potential losses and the likelihood of their occurrence. This type of assessment relies on statistical analysis and mathematical modeling to estimate risk.

Business impact scoring is a method of assessing the impact of a risk by assigning scores to different categories of potential impact, such as financial, operational, and reputational impact.

Threat modeling is a structured process for identifying potential threats and vulnerabilities in an application or system by analyzing its architecture and design.

Documentation of lessons learned is a process of capturing and sharing knowledge gained from past experiences to improve future performance.

Therefore, based on the above, the correct answer is C. Qualitative assessment of risk.