The Best Information to Present for Control Cost Justification

D.

When justifying costs related to controls, the BEST information to present to business control owners would be the return on IT security-related investments (option A).

Here's why:

Return on IT security-related investments refers to the measurable benefits or gains that the organization will receive from investing in information security controls. It provides a clear picture of the value of the investment and helps the business control owners to assess the effectiveness and efficiency of the controls. By presenting this information, the business control owners can understand how the controls can benefit the organization and how the investment aligns with the business objectives.

On the other hand, the previous year's budget and actuals (option B) may not be the best information to present because it does not necessarily reflect the effectiveness of the controls or the benefits that the organization can receive from investing in them. It only shows how much money was spent in the previous year, and may not provide enough justification for future investments.

Similarly, industry benchmarks and standards (option C) may not be the best information to present because they are only general guidelines and may not be specific to the organization's needs. The business control owners may require more detailed information about the benefits of specific controls in their organization, which may not be covered by industry benchmarks and standards.

Loss event frequency and magnitude (option D) may not be the best information to present because it only shows the potential negative consequences of not having the controls in place. It does not provide a positive rationale for investing in controls, and may not be the most effective way to convince business control owners to invest in controls.

Therefore, return on IT security-related investments is the BEST information to present to business control owners when justifying costs related to controls.