Not all threats and vulnerabilities are the same, nor should they be treated with the same level of response. For example, consider the following scenario. A database server in your organization

was implemented 14 years ago and stopped being supported six years ago but serves an important process for a department of nine people, who are its only users. Last week, you discovered a critical vulnerability that was reported to the Common Vulnerabilities and Exposures (CVE) List Links to an external site. https://cve.mitre.org/ . The vulnerability concerns the underlying database product, and no patches are available to remediate the vulnerability. What are some practical risk management techniques you could apply to the situation to reduce risk to an acceptable level, providing access to the system for the small team while limiting the access to everyone else? What might you do to counter the threat of continued use of the system?