A security analyst has been asked to create a list of external IT security concerns, which are applicable to the organization. The intent is to show the different types of external actors, their attack vectors, and the types of vulnerabilities that would cause business impact. The Chief Information Security Officer (CISO) will then present this list to the board to request funding for controls in areas that have insufficient coverage. Which of the following exercise types should the analyst perform?

1. Summarize the most recently disclosed vulnerabilities
2. Research industry best practices and the latest RFCs
3. Undertake an external vulnerability scan and penetration test.
4. Conduct a threat modeling exercise.