Following a security assessment, the Chief Information Security Officer (CISO) is reviewing the results of the assessment and evaluating potential risk treatment strategies. As part of the CISOs evaluation, a judgment of potential impact based on the identified risk is performed. To prioritize response actions, the CISO uses past experience to take into account the exposure factor as well as the external accessibility of the weakness identified. Which of the following is the CISO performing? A. Documentation of lessons learned B. Quantitative risk assessment C. Qualitative assessment of risk D. Business impact scoring E. Threat modeling

This has been posted by others, but both times it was answered differently, please provide an explanation.