Help me study for my Computer Science class. I’m stuck and don’t understand.

An information technology (IT) security policy framework is the foundation of an organization’s information security program. Organizations use these documents to build process, determine acceptable technologies, and lay the foundation for enforcement. The security policy framework documents and their implementation express management’s view of the importance of information security.

1. What business factor(s) do YOU think should be considered when building an organizational IT security policy framework? Why?

2. What is the difference between risk tolerance vs risk appetite?