My experience playing strategy games (like Go) is that it's not always about plugging in numbers like that, at least for human decision makers. Mainly:
- There are limited resources (time and money)
- Which of the other seemingly urgent things also need to be done?
If you don't differentiate between finer-grained severities, then you won't be able to differentiate or triage between existential threats, and something that can hurt and be ok. And probably more controversially for people who don't know Go, sometimes you accept losses in order to capture greater gains elsewhere.
No action will always guarantee a risk-free decision, so this is about managing or mitigating risk, rather than becoming risk-free. There are the risks that are statutory, and therefore require compliance in order to stay legal. And then there are the risks that are not legal, and depend upon an organization's appetite for risk. Risk is something that is always present in some form (we don't have perfect information for every decision we want to make, let alone know all of the available choices), so it is up to each individual organization and individual to make. Being able to differentiate between severity allows an organization to weigh risk against cost, time, and opportunity.
And if we want to eliminate this whole class of problems (like stack overflow), we could also look at using something like Rust instead.
And that's also not getting into nation-state actors sabotaging standards so that vulnerabilities in OpenSSL keep popping up.
In this particular case, the response my team is doing is inventorying our existing systems to find anything using OpenSSL 3.0.x, and therefore vulnerable. So far, all the systems we have found are using OpenSSL 1.1.1 ... as is probably the case for most organizations.
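The inventory step described in the post, as an added example that is not part of the original comment or of any OpenSSL tooling: it parses banner lines as produced by `openssl version` on each host, flags every 3.0.x build as affected (the post's own rule) and 1.1.1 builds as not affected, and reports hosts whose banner could not be parsed so they are not silently dropped. The host names and banner lines are constructed sample data; the affected major/minor pair is the only rule applied, so a practitioner would refine `classify` against the patch level named in the advisory.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Matches the output of `openssl version`, e.g. "OpenSSL 1.1.1q  5 Jul 2022"
# or "OpenSSL 3.0.5 5 Jul 2022". The optional letter suffix is the 1.x patch
# lettering scheme; 3.x builds carry no suffix.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Versions the post treats as affected: every 3.0.x build. (Assumption for
# this example; the exact fixed patch level comes from the vendor advisory.)
AFFECTED_MAJOR_MINOR = (3, 0)

# Constructed sample inventory: "<host>: <banner collected on that host>".
# The last line stands in for a host where the command failed.
SAMPLE_INVENTORY = """
web-01: OpenSSL 1.1.1q  5 Jul 2022
api-02: OpenSSL 3.0.5 5 Jul 2022
ci-04: sh: openssl: command not found
"""

Version = Tuple[int, int, int, str]


class Host(NamedTuple):
    name: str
    version: Optional[Version]  # (major, minor, patch, suffix), or None if unparsed
    status: str                 # "affected", "not-affected" or "unknown"


def parse_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch, suffix) from an `openssl version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


def classify(version: Optional[Version]) -> str:
    """Apply the post's triage rule: 3.0.x is affected, anything else is not."""
    if version is None:
        return "unknown"          # keep unparsed hosts visible for manual follow-up
    major, minor, _patch, _suffix = version
    if (major, minor) == AFFECTED_MAJOR_MINOR:
        return "affected"
    return "not-affected"


def triage(inventory_text: str):
    """Turn raw inventory lines into Host records with a triage status."""
    hosts = []
    for raw in inventory_text.strip().splitlines():
        name, _, banner = raw.partition(":")
        version = parse_version(banner)
        hosts.append(Host(name.strip(), version, classify(version)))
    return hosts


def summarize(hosts):
    """Count hosts per status so the affected set can be sized at a glance."""
    counts = {"affected": 0, "not-affected": 0, "unknown": 0}
    for host in hosts:
        counts[host.status] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for host in results:
        print(f"{host.name:10} {host.status:13} {host.version}")
    print(summarize(results))
```

Running the script prints one line per host and a count per status; in practice the inventory text would be gathered by the team's own collection tooling, and the `unknown` bucket is the one to chase first, since those hosts are the ones the inventory has not actually answered for.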