Frameworks help you avoid getting fancy

NIST, in its Cybersecurity Framework, describes five primary pillars of a holistic cybersecurity program: "Identify", "Protect", "Detect", "Respond", and "Recover". Let's look at these five functions through a metaphor about traveling.

When you put a water bottle in your luggage, you want to know whether your (paper) passport is in there too.

You want to prevent the water from spilling out of the bottle and into your luggage. So you put it in a plastic bag.

The plastic bag is not waterproof, so you want to be aware of what's going on in there. And you want to react before the water gets out of the plastic bag.

You also want to know that you will react the right way when that happens. This depends on you understanding what's at stake: there's a valuable document in there, and it's vulnerable to liquids.

In the worst case, your passport is unusable. You might need to replace it.

In the most probable case, your passport is fine, but you won't have water during that meeting. You might need to get another drink.

We don't seem to like thinking through scenarios like this. Systematically, I mean. Maybe it reminds us of our anxious ruminations. I don't know. But this is what assessing risk can look like. It doesn't have to be fancy.