Cool find and all, but for all the bad scenarios...
Should be fairly straightforward:
- Identify risks / threats
- Assess risks / threats (inc. existing mitigations, and predisposing conditions for risk realisation)
- Accept and/or mitigate risks / threats
- Manage risks / threats
It's what we do for just about any other vulnerability or flaw in a system. Why should this finding be any different?