Which of the following lists are valid data-gathering activities associated with a risk assessment?

Which of the following lists are valid data-gathering activities associated with a risk assessment?

A.
Threat identification, vulnerability identification, control analysis

B.
Threat identification, response identification, mitigation identification

C.
Attack profile, defense profile, loss profile

D.
System profile, vulnerability identification, security determination