by dllthomas 4574 days ago
Great perspective!

"So it's not a judgement on the resources of the attacker that matters, it is the expected consequences of the breach - the expected value of damage."

I nodded at this when I mentioned resiliency and recovery, but I still think resources of the attacker matter. A determined attacker could doubtless breach your front door with a battering ram or axe and enough time. Part of the reason you don't worry about this, I assert, is that it's not likely because the costs to the attacker (in terms of chances of getting caught and penalties if they are) are too high. Part of it, as you say, is that we have some amount of resiliency against the threats posed. And probably part of it is that most of us are not terribly inclined to do damage to each other without provocation and there are many possible targets for the few who are - I'm not really sure the degree to which we should legitimately consider that bit a part of "security" but it certainly merits weight in calculating risks.

1 comments

That is a good point - I factor in the security of an effective police force, a legal system that will not tolerate using threats to sign over a business for $1 - all of these are part of our security.

Curiously I am not convinced of the total damage done by these various break-ins. Stealing credit card numbers is not the same as getting the loot into a laundered bank account. Grabbing bitcoin wallets is closer, but the liquidity does not exist to extract much.

The damage is seemingly more reputational, or other internal costs to the hacked company (like paying security consultants). The actual "money the thieves ran off with and could convert into real cash" is pretty thin - would value some pointers at studies here.