An organization has determined that specific regulations require additional network security measures that are not aligned with their current risk tolerance strategy. However, they have decided not to implement these measures due to prohibitive costs and complexities. Which type of risk management action is MOST appropriately applied in this scenario?
The organization is mitigating the risk by implementing alternative controls.
The organization is exercising an exception to standard policy.
The organization is transferring the risk to a third-party provider.
The organization is avoiding the risk by changing business practices.