Which statement correctly describes the primary goal of a security vulnerability assessment (SVA)?

A security vulnerability assessment is about systematically identifying weaknesses in physical and information security controls that could be exploited, and then outlining concrete mitigations to reduce risk. This involves a structured look at facilities, systems, and procedures to pinpoint gaps, assess how serious they are, and prioritize fixes so security can be strengthened before an attacker takes advantage of them. The other activities described—auditing security spending, conducting security awareness training, or testing disaster recovery plans in isolation—address different objectives (cost management, personnel readiness, or continuity procedures) and don’t capture the primary purpose of discovering vulnerabilities and recommending fixes to close them.