Your team discovers a recurring phishing campaign exploiting a known vulnerability. What risk assessment step does this fall under?