Which of the following lists are valid data-gathering activities associated with a risk assessment?

Which of the following lists are valid data-gathering activities associated with a risk assessment?

A.
Threat identification,vulnerability identification,control analysis

B.
Threat identification,response identification,mitigation identification

C.
Attack profile,defense profile,loss profile

D.
System profile,vulnerability identification,security determination