Cyberweekly #160 - Competent adversaries and us
I think I've said this before, but we're really not good at visualising or understanding risk. One of the biggest issues with security is that you are often talking about predicting events that will occur and taking actions so that they don't occur. But given that we have a truly terrible internal sense of probability and likelihood, it can be really difficult to justify the expense of security controls. This is especially true if the effect of the security control is to take the estimated likelihood of a thing happening down from 1/20 to 1/30.