Assessing Vendor Cybersecurity Risks: Which Approach Is Best?