The Two Kinds Of Security Threats, And How They Affect Your Life
When we talk about security threats we tend to break them down into all sorts of geeky categories. Sometimes we use high level terms like client-side, targeted attack, and web application vulnerability. Other times we dig in and talk about XSS, memory corruption, and so on. You’ll notice we tend to mix vulnerabilities into the conversation when we talk about threats; when we do that, hopefully in our heads we’re following the proper taxonomy and actually thinking about that vulnerability being exploited, which is closer to a threat.
Anyway, none of that matters.
In security there are only two kinds of threats that affect us:
- Noisy threats that break things people care about.
- Quiet threats everyone besides security geeks ignore, because it doesn’t screw up their ability to get their job done or browse ESPN during lunch.
We get money for noisy threats, and get called paranoid freaks for trying to prevent quiet threats (which can still lose our organizations a boatload of money, but don’t interfere with the married CEO’s ability to flirt with the new girl in marketing over email).
Compliance, spam, AV, and old-school network attacks are noisy threats. Data breaches (unless you get caught), web app attacks, virtualization security, and most internal stuff are quiet threats.
Don’t believe me? Slice up your budget and see how much you spend preventing noisy vs. quiet threats. It’s often our own little version of security theater. And if you really want to understand a vertical market, one of the best things you can do is break out noisy vs. quiet for that market, and you’ll know what you’ll get money for.
The problem is, noisy vs. quiet may bear little to no relationship to your actual risk and losses, but that’s just human nature.
Rani Nov 10
Rich, THANK YOU! Amen to that. It’s an irrational bias that I’ve observed as well, and it is human nature but also budgeting inertia.
The situation is actually worse than what you describe. Not only is budget spend much greater for “noisy” threats, but the baseline defenses are also in much better shape, since this spending pattern has been around for a while.
So while investments are made in defenses against noisy threats, in order to take them from 97.7% coverage to 98.4% (with diminishing returns), quieter threats get baseline coverage that’s anything from 0% to 70% (at best).
Ted Doty Nov 12
You get more of what you measure. It’s pretty easy to measure noisy threats, but hard to measure quiet ones. Fundamentally this keeps quiet threats as a “Fear” sell, and nobody likes those.
Allen Baranov Dec 1
I agree totally with this article. Well done Rich (again).
I have drafted a response on my blog explaining why we prefer the “noisy” information security but why “quiet” is where we are moving.
Michael Dickey Dec 7
I wonder how these two categories would relate to “technical” knowledge?
Noisy threats are the obvious things, and the ones most people will go, “Ahh, yeah.” Quiet threats may be things that only technical people seem to understand, and thus fully appreciate.
Just a thought, nice post and you’re spot on!