December 10, 2025

Synopsis

The analysis concludes that a financially motivated ransomware actor fully encrypted the production systems and backups of a small local government, forcing the Village of Golf Manor into extended service disruption, reliance on external experts, and formal consideration of a ransom payment under Resolution No. 2025-30. Strategically, this elevates ransomware and backup resilience to board- and council-level priorities, requiring explicit governance, updated risk registers, and clear decision criteria for ransom versus rebuild. Operationally, it exposes weaknesses in backup architecture, monitoring, incident handling, and contingency planning that must be addressed through improved controls, tested recovery processes, and more mature IR playbooks. Tactically, it drives immediate needs for stronger logging, ransomware-focused detection, hardening of privileged access and backup systems, and realistic exercises that validate readiness. Overall risk posture is shown to be high for availability-impacting events, with moderate-to-high threat capability and only low-to-moderate control strength translating into significant susceptibility and a nontrivial probability of recurrence. Financial resilience is strained by estimated losses in the tens to hundreds of thousands of dollars per event, plus potential secondary costs for legal, regulatory, reputational, and process remediation, underscoring the value of investing in preventive and recovery capabilities before incidents occur.

Evaluated Source, Context, and Claim

Artifact Title

Computer services impacted after ransomware attack hits Ohio village

https://www.whio.com/news/local/computer-services-impacted-after-ransomware-attack-hits-ohio-village/THLCYEIEM5GAZKHNPSFBZLQ4G4/

A RESOLUTION REGARDING A RECENT CYBERSECURITY INCIDENT AND

AUTHORIZING A RANSOMWARE PAYMENT IN RESPONSE TO THE

CYBERSECURITY INCIDENT

https://www.golfmanoroh.gov/wp-content/minutes/2025/OLP/Leg%20Memo/Nov%2024%2C%202025/Village%20of%20Golf%20Manor%20-%20Resolution%20for%20Payment%20%5BDRAFT%5D.pdf

Ohio village gets hit with cybersecurity ransom attack

https://www.fox19.com/2025/11/28/ohio-village-gets-hit-with-cybersecurity-ransom-attack/

Source Type

Local news websites (WXIX, WHIO) and official municipal council resolution.

Publication Date: November 24-30, 2025

Credibility Assessment

The information combines two local news outlets, citing named council members and an official village resolution that strongly supports basic factual accuracy regarding the incident and response. Technical details of the attack, threat actor, and intrusion vector are not provided and therefore remain unknown.

General Claim

A ransomware attack fully encrypted the Village of Golf Manor’s computer network and all available backups, prompting the council to pass Resolution No. 2025-30 to hire third-party experts who may advise whether paying a ransom for a decryption key is in the village’s best interest, while officials state they are not currently inclined to pay.

Narrative Reconstruction

An unidentified external threat actor conducted a ransomware attack against the Village of Golf Manor, a small political subdivision in Ohio, encrypting its entire computer network and all available backups and rendering computer services unavailable. The actor is not described in the OSINT. Still, the demand for a decryption key and the potential ransom suggest a financially motivated ransomware group using a killchain-like flow that culminates in the bulk encryption of production systems and backup data. The primary targeted assets appear to be the village’s administrative IT systems, data repositories, and backup infrastructure, with possible indirect impact on resident-facing services. However, no confirmed personal data compromise is reported. The operational goal of the attack is to extort payment in exchange for a decryption key, forcing the village council to consider guidance from third-party experts and potentially authorizing ransom payment under Resolution No. 2025-30 while they evaluate legal, financial, and service-delivery implications.

Risk Scenario

Risk Scenario

A financially motivated ransomware threat actor compromises a local government entity's administrative IT environment, encrypting production systems and backups and forcing the entity to either pay a ransom or undertake costly restoration and continuity measures, resulting in service disruption, incident response costs, and potential reputational and regulatory impacts.

Threat

Unidentified external actors, likely financially motivated cybercriminals, are operating ransomware campaigns against small local governments.

Method

Compromise of the village’s computer network followed by deployment of ransomware that encrypts the entire network and all available backups, creating pressure to pay for a decryption key.

Asset

Village of Golf Manor’s administrative IT systems, data stores, and backup infrastructure supporting municipal services and records.

Impact

Loss of availability of core municipal IT services, potential disruption of resident-facing services, costs for incident response and third-party experts, possible ransom payment, and secondary reputational and legal impacts depending on any eventual finding of data compromise.

Evidentiary Basis for Synopsis and Recommendations

Supporting observations from the analysis help clarify how the threat landscape, control environment, and organizational behaviors interact to shape overall risk exposure. These insights provide the foundation for identifying where controls perform well, where gaps or weaknesses create unnecessary vulnerability, and how attacker methods intersect with real-world operational conditions. Building on these findings, the recommendations that follow focus on strengthening resilience, improving decision-making, and guiding readers toward practical steps that enhance both security posture and risk-informed governance.

FAIR Breakdown

Threat Event Frequency (TEF)

Because the OSINT describes a specific ransomware incident against a small municipality and notes a similar ransomware event in another Ohio city the same year, TEF must be inferred from sector patterns rather than hard counts. For a single village-level government, TEF is estimated to be low-to-moderate (around once every 1–2 years), given that small public-sector entities are recurring targets, but each entity is not hit continuously.

Contact Frequency (CF)

The OSINT does not detail scanning, phishing, or initial access vectors, so CF is inferred from typical ransomware behavior against local governments. Golf Manor is likely exposed to occasional opportunistic scanning and periodic phishing or intrusion attempts, as many municipalities are, suggesting low-to-moderate CF at the individual-entity level while overall sector-wide CF is high. Sector targeting appears focused on local governments that operate critical but often under-resourced IT environments, as evidenced by multiple Ohio municipalities experiencing ransomware incidents in the same year.

Probably of Action (PoA)

Ransomware operators are strongly motivated by financial gain, and the OSINT shows that the actors successfully encrypted both production systems and backups and issued or implied a ransom demand, indicating a high willingness to act once they find a viable target. The complete encryption of the village’s network and backups implies the actors followed through with the full ransomware killchain rather than conducting only reconnaissance, supporting a high PoA conditional on successful initial access.

Threat Capability (TCap)

TCap is assessed as moderate-to-high for this incident because the attackers were able to fully encrypt the village’s computer network and all available backups, which typically requires at least competent lateral movement and backup targeting.

Exploit sophistication: The OSINT does not describe specific exploits, but the outcome of encrypting the entire network and backups suggests the actors can navigate small-enterprise environments and deploy ransomware effectively, indicating at least moderate sophistication.

Bypass ability: Successfully encrypting both operational systems and backups implies some ability to bypass or overcome existing backup protections and availability safeguards. However, we cannot infer specific control evasion techniques.

Tooling maturity: The attack outcome is consistent with mature ransomware tooling that can encrypt at scale and potentially enumerate or disable backup systems; however, no specific family or tooling is named.

Campaign success rate: At least in this case, the ransomware achieved complete impact on the village’s systems, pointing to a high success rate once an environment is targeted and compromised.

Attack path sophistication: Complete network and backup encryption typically requires multi-step activity (privilege escalation, lateral movement, discovery of backup targets, and coordinated encryption), suggesting a reasonably sophisticated attack path even if the underlying tools are commodity.

Cost to run attack: Operational cost is low-to-moderate for threat actors, as ransomware campaigns can reuse infrastructure and tooling across many small public-sector targets, with each successful compromise offering a potentially favorable ransom-to-effort ratio.

Control Strength (CS)

Typical small-village environments have constrained budgets and staff, which can limit the depth of preventive, detective, and recovery controls; in this case, the fact that backups were fully encrypted indicates gaps in backup architecture and segmentation. Control strength is therefore assessed as low-to-moderate overall, with particular weaknesses in backup resilience and recovery planning. In contrast, some governance and legal controls are in place through the formal council resolution and coordination with insurance-assigned legal counsel.

Resistive Strength (RS) Effectiveness of preventive/detective controls:

• Backups existed, but their architecture did not prevent them from being encrypted alongside production systems, indicating that backup protections against ransomware were weak.

• The need to pass a special resolution and seek third-party expert guidance suggests that incident response and contingency structures exist at the governance level but are not fully mature operationally.

Control Failure Rate

• The lack of logically or physically isolated, immutable, or offline backups enabled ransomware to encrypt “all available backups,” representing a critical failure in backup design.

• The incident progressed to full network encryption, indicating that preventive and detective controls (e.g., network monitoring, endpoint protection, and least privilege) did not stop or contain the attack in time.

• The village’s reliance on external experts and insurance counsel for guidance suggests internal incident-handling capabilities and playbooks may be limited or immature for dealing with modern ransomware.

Susceptibility

Given moderate-to-high threat capability and low-to-moderate control strength, overall susceptibility of Golf Manor’s municipal IT environment to comparable ransomware attacks is estimated at approximately 50–65 percent over a relevant exposure period (for example, per successful threat contact or per year, depending on modeling assumptions).

Probability the asset will be harmed is influenced by:

Exploitability: Because attackers have already demonstrated the ability to fully encrypt systems and backups in this environment, exploitability for similar future attacks is estimated at 60–75 percent unless significant improvements in hardening and monitoring are implemented.

Attack surface: Small village networks usually have a limited number of externally exposed services and staff, but may rely on shared vendors and legacy systems; this suggests that 40–60 percent of the environment could be reachable or affectable by typical ransomware intrusion vectors (remote access, email, third-party compromise).

Exposure conditions: Ongoing connectivity to the internet, use of third-party services, and potential remote access for IT support create persistent exposure; municipal reliance on IT for core operations heightens the consequences of any successful attack, which in turn incentivizes threat actors to target such environments.

Patch status: The OSINT does not describe patching or vulnerability management; in the absence of evidence of strong programs, patch status is conservatively assumed to offer only modest mitigation (for example, a 10–20 percent reduction in successful exploitability if basic patching and updates are in place but not optimized).

Numerical Frequencies and Magnitudes

All values relating to actual dollar amounts are for example/speculative purposes only. Organizations would need to take into account their own asset values, control strength, telemetry, etc., and adjust numbers accordingly.

Loss Event Frequency (LEF)

.5/year (estimated)

• Justification: For a single small village, a successful ransomware event is unlikely to occur every year. Still, OSINT evidence of multiple Ohio municipalities being hit in the same year supports an estimate of one significant event every 2 years on average under current controls.

Vulnerability (probability of harm per contact): .5

• Justification: Once meaningful threat contact occurs (for example, a successful foothold or exploitable misconfiguration), the demonstrated ability to encrypt both systems and backups, and the limited control strength suggest roughly a 50 percent chance that such contact leads to a major availability-impacting loss event unless controls are improved.

Secondary Loss Event Frequency

0.25/year (estimated)

• Justification: Not every primary ransomware event results in secondary consequences such as regulatory investigations, lawsuits, or prolonged reputational damage; assuming that about half of primary events trigger secondary consequences yields an estimated SLEF of 0.25/year, based on an LEF of 0.5/year.

Loss Magnitude

Estimated range:

• Min: $50,000

• Most Likely: $250,000

• Maximum: $1,000,000

Justification:

• Minimum reflects IR consulting, limited downtime of municipal services, overtime for staff, and technical recovery efforts without ransom payment or significant data-breach fallout.

• Most likely accounts for extended disruption of administrative systems, broader service interruption, higher consulting and legal fees, temporary manual workarounds, and possible modest ransom-related costs (including negotiation or partial payment).

• Maximum represents a worst-case scenario involving prolonged outage, extensive contract support, significant data restoration efforts, substantial overtime, and potential infrastructure replacement costs if a complete rebuild is required.

Secondary Loss Magnitude (SLM)

Estimated range:

• Min: $25,000

• Most Likely: $150,000

• Maximum: $500,000

Justification:

• Secondary losses may include reputational repair, communication and public-relations efforts, potential regulatory reviews or legal expenses, and downstream operational inefficiencies.

• Most likely values reflect a combination of public communication, modest legal work, and process changes without severe findings of negligence or significant data loss.

• Maximum assumes a scenario where evidence of personal data compromise emerges, leading to regulatory scrutiny, legal claims, and more extensive reputational and policy remediation costs.

Mapping, Controls, and Modeling

MITRE ATT&CK Mapping

Impact

T1486 – Data Encrypted for Impact

Reference: “The Village of Golf Manor fell victim to the ransomware attack, resulting in the loss of its computer files, including all of their backups, according to Resolution No. 2025-30.”

T1490 – Inhibit System Recovery

Reference: “The Village of Golf Manor became the victim of a cybersecurity ransomware attack which has completely encrypted their computer network including all available data backups.”

NIST 800-53 Affected Controls

CP-9 – System Backup

Ransomware encryption of all available backups.

Reference: “The Village of Golf Manor became the victim of a cybersecurity ransomware attack which has completely encrypted their computer network including all available data backups.”This activity directly undermines the objective of CP-9 (System Backup), which expects backups to preserve availability and integrity even during disruptive events; the fact that all backups were encrypted indicates that backup frequency, protection, or separation were insufficient to maintain a usable recovery copy.

CP-10 – System Recovery and Reconstitution

Inability to restore systems from uncompromised backups.

Reference: “The Village of Golf Manor fell victim to the ransomware attack, resulting in the loss of its computer files, including all of their backups…” and “may make a ransom payment for receipt of a decryption key to decryption backup data and computer network.”Because recovery now depends on obtaining a decryption key from attackers or rebuilding from scratch, the control objective of CP-10 (recovering the system to a known state within defined time periods) is severely challenged, showing that recovery and reconstitution capabilities were not resilient against this type of incident.

IR-4 – Incident Handling

Reliance on external experts and insurance counsel to manage ransomware response.

Reference: “On Nov. 24, the village council met to discuss Resolution No. 2025-30, which proposes to pay for the guidance of a third-party group of experts to help.” and “the legal counsel that was assigned to us by our insurance company did recommend that we pass this.” These statements illustrate that incident handling is in progress but heavily dependent on external parties, which interact with IR-4 (Incident Handling) requirements to have coordinated preparation, detection, containment, eradication, and recovery processes; the attack stresses this control by forcing the village to formalize its handling through a resolution after the fact rather than relying on a fully mature internal capability.

IR-8 – Incident Response Plan

Formal resolution to authorize possible ransom payment and define response path.

Reference: “RESOLUTION NO. 2025-30 A RESOLUTION REGARDING A RECENT CYBERSECURITY INCIDENT AND AUTHORIZING A RANSOMWARE PAYMENT IN RESPONSE TO THE CYBERSECURITY INCIDENT.” This resolution functions as part of the organizational response framework and highlights the need for a documented incident response plan (IR-8) that covers ransomware-specific decision criteria, roles, and authorities in advance; the necessity of passing a dedicated resolution post-incident suggests that the existing plan may not have fully anticipated ransomware payment decisions and associated governance.

IR-5 – Incident Monitoring

Tracking the incident status and public communications.

Reference: “This story was updated with additional clarifying information.” and “It is unknown if any personal data had been compromised.”Ongoing updates and acknowledgment of unknowns indicate that monitoring and information collection are occurring; this aligns with IR-5 (Incident Monitoring), but the fact that data compromise status remains unknown also indicates that incident monitoring and forensic capabilities may not yet fully satisfy the control’s intent to maintain detailed records and analysis of incident details.

CP-2 – Contingency Plan

Need to formalize response actions and potential ransom payment to ensure continuity of operations.

Reference: “The village council passed Resolution No. 2025-30… It proposed to pay for the guidance of a third-party group of experts to help.” and “The village council will meet again in December to discuss whether they want to pass the resolution.”The ransomware incident and related resolution highlight contingency concerns regarding the continuity of municipal operations; this interacts with CP-2 (Contingency Plan), as the organization must ensure that contingency planning addresses ransomware events, third-party support, and decision-making processes for restoring mission and business functions when normal operations are disrupted by total system and backup encryption.

Monitoring, Hunting, Response, and Reversing

Monitoring

Monitoring should prioritize complete visibility across the network, endpoint, identity, email, DNS, and any cloud-hosted municipal services, with at least security-relevant logs (authentication, process creation, service changes, file and volume events, backup operations, and admin actions) retained at a level that supports reconstruction of lateral movement and bulk encryption. Recommended changes include elevating log levels on domain controllers, backup servers, hypervisors, and file servers, and ensuring DNS, VPN, and email security logs are centralized in a SIEM. Key indicators to prioritize are abnormal access to backup infrastructure, sudden spikes in file modifications or encryption-like extensions, mass authentication failures followed by successful admin logons, disabled security tools, and large volumes of SMB or RPC traffic between unusual hosts. The incident exposes gaps around backup monitoring, segmentation, and early-stage indicators of compromise, suggesting a need for correlation rules that link suspicious admin behavior, backup status changes, and file-event anomalies, with thresholds tuned to the small size of the environment (for example, alerts on any backup deletion or policy change). Dashboards should surface ransomware-relevant metrics such as backup job success and integrity, privileged account usage, endpoint isolation status, and incident counts over time, and monitoring should be validated by replaying simulated ransomware activity in a test or lab environment to confirm that alerts fire and support timely triage.

Hunting

Hunting should be framed around hypotheses such as “If a ransomware actor is present, there will be signs of unauthorized privileged access, suspicious use of remote admin tools, and pre-encryption staging on key servers and backup systems,” and “If the actor tested access previously, older anomalies may exist in VPN, email, or identity logs.” Telemetry for hunts should pull from domain controller logs, endpoint telemetry on servers and workstations, backup system logs, firewall and VPN records, DNS, and any email or web security gateways. Detection logic should focus on sequences rather than single events, such as unusual logons to backup servers followed by changes in backup policies, rapid file-access or encryption-style patterns on shared drives, new services or scheduled tasks created by non-standard accounts, and any signs of tools used for discovery or credential theft. Noise-to-signal must be managed by baselining the small village environment, suppressing known administrative maintenance patterns, and prioritizing deviations from regular working hours, unfamiliar admin accounts, and actions originating from unexpected IP addresses or devices, keeping rules as explainable and straightforward as possible for a lean team.

Response

Response recommendations center on ensuring that logs from domain controllers, file servers, backup platforms, VPNs, email gateways, and security tools are preserved and collected early, because they will underpin both incident containment and later FAIR loss estimation. Expected artifacts include ransomware binaries or scripts on servers, evidence of mass file changes or encryption, Windows event logs reflecting privilege escalation and service changes, and backup application logs showing deletion, modification, or failure of backup jobs; the absence of certain artifacts may also reveal anti-forensic behavior such as log clearing or tampering. Reconstruction of events should follow a time-sequenced approach that ties initial suspicious access to privilege escalation, lateral movement, backup targeting, and final encryption, with DFIR outputs feeding estimates of affected systems, outage duration, labor hours, and third-party costs that map directly into primary and secondary loss parameters. Likely containment in this kind of environment will involve rapid network segregation, server isolation, disabling compromised accounts, and ensuring any surviving backups are taken offline and validated before use, with priority given to preserving forensic images of key servers and backup controllers. Telemetry requirements include sufficient retention and integrity guarantees to prevent logs from being overwritten or altered mid-incident, and IR gaps include a lack of predefined playbooks for ransomware, unclear decision criteria for ransom payment, and limited in-house DFIR capability. Validation strategies should consist of tabletop exercises using this incident as a scenario, running through log collection, containment decisions, external coordination, and post-incident loss estimation to confirm that both technical and governance processes work as intended.

Reverse Engineering

Given that the specific ransomware family is not described, reverse engineering efforts should focus on any recovered samples or artifacts from affected servers, with an emphasis on understanding loader behavior, how the binary or script is initially executed, and how it propagates encryption across the network and backup infrastructure. Analysts should document any evasion mechanisms, such as attempts to disable services, skip specific directories, or evade security tools, and persistence techniques, such as scheduled tasks, services, or registry modifications, that may remain on partially affected systems. Indicators such as file hashes, command-line arguments, ransom note structure (if available), encryption extension patterns, and network callbacks should be cataloged and fed into detection and blocking controls. At the same time, dynamic and static analysis hooks can focus on file-system access patterns, process creation, registry modifications, and network activity in a sandboxed environment. Expected artifacts include encrypted files, possible ransom notes, registry keys, and logs showing process behaviors, and reverse engineering should also explore configuration elements (for example, hardcoded C2 endpoints or public keys) to inform broader CTI and potential victim-overlap analysis. Additional suggestions include leveraging shared malware repositories and trusted third-party reverse-engineering reports to identify similar ransomware behaviors, being careful not to assume a specific family without evidence, and using the findings to refine both preventive controls and monitoring logic.

CTI

CTI recommendations should prioritize PIRs that clarify whether similar ransomware actors are systematically targeting small local governments in the same state or region, how frequently comparable incidents recur, and which TTPs are consistently used against municipal administrative IT and backup environments. SIR work should focus on filling concrete gaps, such as collecting and sharing hashes, file paths, and any identified infrastructure from this and related cases, obtaining malware samples where legally and ethically feasible, and improving understanding of infrastructure reuse or overlap across campaigns to refine attribution confidence without over-claiming. Collection requirements include sustained OSINT monitoring of vendor advisories and case studies on municipal ransomware, internal aggregation of logs and incident records across local agencies, participation in relevant public-sector ISAC/ISAO channels, and optional dark-web monitoring for potential mention of the village or region, while also leveraging malware sandboxes and repositories for technical enrichment. Mapping and clustering should align observed behaviors (complete network and backup encryption, governance pressure through ransom demands) with ATT&CK techniques, compare them with historical incidents affecting similar entities, and use this to identify patterns in targeting, timing, and impact that increase confidence in scenario modeling and inform updated hypotheses about evolving attacker capabilities and preferred victims.

GRC and Testing

Governance

Governance should start with a policy review to ensure ransomware-specific expectations are clearly documented for backup architecture (offline/immutable copies), incident handling, contingency planning, and ransom decision-making, with explicit ties to RA, PM, and PL family documents (for example, risk assessment procedures that consider loss of all backups, project management requirements for modernizing infrastructure, and planning documents that codify recovery objectives and roles). Oversight functions for council and executive leadership should be clarified so that cyber risk and continuity issues are regularly reported, not only when an incident occurs, using a standing risk committee or equivalent to track ransomware exposure, control maturity, and recovery readiness. The risk register should be updated to include a distinct scenario for complete network and backup encryption for small local governments, with fields reflecting TEF, susceptibility, LEF, and loss-magnitude ranges to drive prioritization of investment in backup redesign, monitoring, and IR capabilities. Board and executive communication requirements should mandate brief, structured updates during and after incidents that cover business impact, estimated recovery timelines, legal and insurance considerations, decision criteria for ransom payment versus rebuild, and lessons learned, feeding into formal policy updates and governance metrics (for example, time to detect, time to restore, and coverage of immutable/offline backups across critical systems).

Audit and Offensive Security Testing

Audit and testing programs should explicitly examine whether findings and evidence address the risks highlighted by the incident, such as incomplete backup segregation, weak incident-handling procedures, and limited monitoring of privileged access and backup systems, ensuring that gaps are documented with clear remediation owners and timelines. Evidence gaps to prioritize include the lack of proof of offline/immutable backups, the absence of tested recovery time objectives, and incomplete logging coverage for admin actions and backup operations, all of which should trigger targeted audits and follow-up validation. Policies and controls around backup management, incident response, and contingency planning require practical validation through red-team and purple-team exercises that simulate ransomware targeting domain controllers, file servers, and backup infrastructure, with defenders evaluated on detection, containment, and recovery performance. Penetration testing scope should include remote access paths, vendor-managed systems, and backup platforms, with exploit reproduction focused on demonstrating how privilege escalation and lateral movement could lead to complete encryption, while control validation confirms whether technical and governance controls (segmentation, least privilege, backup isolation, IR playbooks) actually prevent or mitigate that path.

Awareness Training

Awareness training should incorporate realistic ransomware narratives even though the OSINT does not specify the initial social engineering vector, emphasizing common patterns such as phishing, malicious attachments, and abuse of remote access tools that typically precede encryption events against small public entities. Training should highlight human failure modes like approving unexpected remote access, ignoring warnings from security tools, reusing credentials, or postponing incident reporting when systems “act strange,” and should be tailored to roles: admins need deep coverage of secure backup handling and privileged access hygiene; finance and procurement staff should understand the risks of fraudulent payment or negotiation channels; customer-facing staff and executives should recognize signs of system compromise and know communication and escalation expectations. Employees should be coached to notice behavioral indicators such as unusual login prompts, unplanned maintenance messages, unexplained file inaccessibility, or repeated application errors and to escalate quickly rather than attempting self-fix workarounds. Phishing simulations and tabletop exercises should be updated to reflect realistic ransomware precursors and decision points, including scenarios in which systems and backups appear at risk. At the same time, communication guidelines reinforce safe handling of email, external documents, and remote support requests. Training effectiveness should be measured through participation metrics, simulation performance, time-to-report suspicious activity, and periodic reviews of incident metrics, with reinforcement cycles at least annually and after major incidents to ensure lessons learned from real events are rapidly folded back into the program.