What is the first thing that needs to be completed in order to create a security program for your organization?

When dealing with risk, the information security practitioner may choose to:

When deploying an Intrusion Prevention System (IPS) the BEST way to get maximum protection from the system is to deploy it

Scenario: An organization has recently appointed a CISO. This is a new role in the organization and it signals the increasing need to address security consistently at the enterprise level. This new CISO, while confident with skills and experience, is constantly on the defensive and is unable to advance the IT security centric agenda.
From an Information Security Leadership perspective, which of the following is a MAJOR concern about the CISO's approach to security?

Annual Loss Expectancy is derived from the function of which two factors?