In addition to protecting important assets, security rules and procedures should

Information security rules and procedures should not exist for their own sake — they are put in place to protect important assets and, thereby, support the overall organizational mission. All of the answers are good, but the best answer is c . It brings into focus additional requirements beyond those mentioned in the other answers. The other answers are really subsets of the “protecting important assets” as listed in the question.