Which of the following scenarios BEST describes a risk reduction technique?
A . A security control objective cannot be met through a technical change, so the company purchases insurance and is no longer concerned about losses from data breaches.
B . A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation.
C . A security control objective cannot be met through a technical change, so the company changes as method of operation
D . A security control objective cannot be met through a technical change, so the Chief Information Officer (CIO) decides to sign off on the risk.
Answer: B