The first two steps an organization must take to perform a security risk assessment are to identify $\_\_\_\_\_,$ respectively.

a$.$ the impact and frequency of each possible loss event

b$.$ hardware, software, and information systems used to achieve business objectives and possible occurrences that would negatively impact them

c$.$ the costs of each possible loss event and the benefits of investing resources to prevent each

d$.$ the current protections against cyberattacks that are already in place and the least expensive ways to upgrade or expand them