Page 1549 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
18. C. Whaling is a form of phishing that targets high-level executives.
Spear phishing targets a specific group of people but not
necessarily high-level executives. Vishing is a form of phishing that
commonly uses Voice over IP (VoIP).
19. B. Threat modeling helps identify, understand, and categorize
potential threats. Asset valuation identifies the value of assets, and
vulnerability analysis identifies weaknesses that can be exploited
by threats. An access review and audit ensures that account
management practices support the security policy.
20. A. Asset valuation identifies the actual value of assets so that they
can be prioritized. For example, it will identify the value of the
company’s reputation from the loss of customer data compared
with the value of the secret data stolen by the malicious employee.
None of the other answers is focused on high-value assets. Threat
modeling results will identify potential threats. Vulnerability
analysis identifies weaknesses. Audit trails are useful to re-create
events leading up to an incident.

