How do you assess the business and operational risk of a vulnerability before deciding on mitigation?