| This is a fascinating discussion because it betrays two fundamental attitudes of society to risk. RyanZAG is "correct". If someone breaks into my house and steals my TV, then my security was a failure. This leads to the next problem - it's not a catastrophic failure in today's (western) society. I am probably out at work, and I am insured, and the burglar is unlikely to be waiting when I get home to murder me. However, there have been plenty of societies in the past, and are many now, where the expectation of loss would be almost total - someone breaches your security, they take the TV, kill you and your family and burn the house down on the way out. So it's not a judgement on the resources of the attacker that matters, it is the expected consequences of the breach - the expected value of damage. Which side of the argument you come down on depends on whether you see the Internet as basically a nice London suburb with a few bad eggs in it, or a violent amalgam of Feudal Middle England and Mogadishu on a bad day. |
"So it's not a judgement on the resources of the attacker that matters, it is the expected consequences of the breach - the expected value of damage."
I nodded at this when I mentioned resiliency and recovery, but I still think the resources of the attacker matter. A determined attacker could doubtless breach your front door with a battering ram or axe and enough time. Part of the reason you don't worry about this, I assert, is that it's not likely because the costs to the attacker (in terms of chances of getting caught and penalties if they are) are too high. Part of it, as you say, is that we have some amount of resiliency against the threats posed. And probably part of it is that most of us are not terribly inclined to do damage to each other without provocation and there are many possible targets for the few who are - I'm not really sure the degree to which we should legitimately consider that bit a part of "security" but it certainly merits weight in calculating risks.