Business analysis is responsible for ensuring the solution is correctly understood in terms of business purpose, process flows, data handling, user roles, integrations, and non-functional requirements such as security and privacy. If the solution is not understood well enough, security risks will be missed early, leading to gaps that are expensive and difficult to correct later. This is why option C is the best answer: inadequate understanding prevents reliable identification of threats, sensitive data paths, trust boundaries, and misuse cases during requirements and design stages.
Cybersecurity documents emphasize “security by design” and “shift-left” practices, meaning risks should be identified and addressed before build and test. Business analysis contributes by eliciting and documenting security requirements, clarifying data classification and retention needs, defining user access and privilege expectations, identifying regulatory and policy constraints, and ensuring interfaces and third-party dependencies are known and assessed. BA also supports threat modeling inputs by providing accurate context about actors, workflows, and data movement, which are essential for identifying where controls like authentication, authorization, logging, encryption, and validation must exist.
Other options align to different roles or stages: budgets are governance and project management constraints, QA limitations are testing risks, and coding-introduced vulnerabilities are primarily addressed through secure coding standards, code review, and developer practices. BA’s key cybersecurity risk is incomplete understanding that prevents correct security requirements and risk identification.