May 18th, 2007 by Chandler Howell

Iang raises an excellent point in his remarks on my post:

…the attacker is aggressive. Whatever we measure, the attacker actively perverts. So, unlike insurance models, security doesn’t work well with just statistics. Much as we say we need more data, if we had all the data in the world, and fixed what we could see, the attacker would simply move faster than we could.

Attackers will always hold the advantage over even the best-funded and most responsive organization for the simple reason that the attacker is acting and the defender is reacting. Attackers will cheat if they see an opportunity. It’s in their nature as attackers.

Effective security systems are those with the latitude to cheat back, and which can identify and, as Schneier likes to note, prevent or react to generic threats rather than specific (usually past) threats, often to the point of ignoring the specific.

As to the relative leverage of attackers and defenders, John Robb has coined the term “Open Source Warfare” to describe the rapid pace of innovation highlighted in case after case where insurgents have seen immediate-term ROIs of 5,000% or more on their attacks. These sorts of imbalances are becoming the norm in conflicts between formal actors such as governments or multinational corporations and insurgents or crackers.

Throw in Col. John Boyd’s OODA Loop, which works great for fighter pilots, where everyone is working at the same rate of response, but produces a loop that looks more like a solar orbit on enterprise and government timeframes, and you should immediately see why responding to specific threats is a losing proposition.

Personally, I think that many people get so caught up in “winning” or “losing” against an attacker that they forget that you can never really win*; you can only make the attacker go bother someone else. Damage by attackers is eventually inevitable. The key is to ensure that the impact of incidents plus the cost of countermeasures does not exceed a tolerable level over time (for example through methodologies such as ALE, annualized loss expectancy, or FMEA, failure mode and effects analysis). Any other approach leads only to over-spending on defense, lost business agility and stomach ulcers.

* Ironically, the way that you would “win” against an attacker once it becomes personal would be to suffer a big enough loss that you can get the police to prosecute the (successful) attacker.
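As an added illustration of the ALE-based trade-off described above (this is not code from the original post), the following Python compares countermeasures for one constructed threat scenario. The scenario, the two controls and every figure are made up for the example. The selection rule, pick the option with the lowest residual expected loss plus running cost and reject all of them if none stays under the tolerable level, is one reading of “does not exceed a tolerable level”, not something the post specifies.

```python
"""ALE-style comparison of countermeasures against a tolerable annual loss.

Added illustration, not code from the original post. All figures below
are constructed for the example and are not taken from any real incident.
"""
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class Scenario:
    """One threat scenario expressed in ALE terms."""
    name: str
    sle: float  # single loss expectancy: expected cost of one incident
    aro: float  # annualized rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    """A control and its assumed effect on a scenario's SLE and ARO."""
    name: str
    annual_cost: float
    aro_factor: float = 1.0  # fraction of the original ARO that remains
    sle_factor: float = 1.0  # fraction of the original SLE that remains


# Baseline option: accept the risk and spend nothing.
NOTHING = Countermeasure("do nothing", annual_cost=0.0)


def residual(scenario: Scenario, control: Countermeasure) -> Scenario:
    """The scenario as it looks after the control is in place."""
    return replace(scenario,
                   sle=scenario.sle * control.sle_factor,
                   aro=scenario.aro * control.aro_factor)


def net_benefit(scenario: Scenario, control: Countermeasure) -> float:
    """Annual loss avoided minus what the control costs to run each year.

    Negative means the control costs more than the loss it prevents: the
    over-spending on defense that the post warns about.
    """
    avoided = scenario.ale() - residual(scenario, control).ale()
    return avoided - control.annual_cost


def annual_exposure(scenario: Scenario, control: Countermeasure) -> float:
    """Residual expected loss plus control cost: what the defender pays per year."""
    return residual(scenario, control).ale() + control.annual_cost


def choose(scenario: Scenario, options: Iterable[Countermeasure],
           tolerable_per_year: float) -> Optional[Countermeasure]:
    """Lowest total annual exposure among 'do nothing' and the options.

    Returns None when no option, including doing nothing, keeps the
    annual exposure within the tolerable level.
    """
    candidates = [NOTHING, *options]
    best = min(candidates, key=lambda c: annual_exposure(scenario, c))
    if annual_exposure(scenario, best) > tolerable_per_year:
        return None
    return best


# Constructed sample inputs (hypothetical figures, chosen for the example).
PHISHING = Scenario("credential theft via phishing", sle=40_000.0, aro=2.0)
MFA = Countermeasure("MFA plus mail filtering", annual_cost=25_000.0, aro_factor=0.25)
DLP = Countermeasure("enterprise DLP suite", annual_cost=150_000.0, aro_factor=0.10)


if __name__ == "__main__":
    print(f"{PHISHING.name}: ALE {PHISHING.ale():,.0f}")
    for control in (NOTHING, MFA, DLP):
        print(f"  {control.name:<26} exposure {annual_exposure(PHISHING, control):>10,.0f}"
              f"  net benefit {net_benefit(PHISHING, control):>10,.0f}")
    picked = choose(PHISHING, [MFA, DLP], tolerable_per_year=50_000.0)
    print("chosen:", picked.name if picked else "nothing within tolerance")
```

The weak point, and exactly the objection quoted at the top of the post, is that ARO and the reduction factors are static inputs here; an attacker who adapts to a deployed control changes them, so the comparison has to be re-run as the picture moves rather than treated as a one-off answer.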

- Posted in Security and Risk Management, Risk Management

Alex Says:

“So, unlike insurance models, security doesn’t work well with just statistics.”

I simply can’t agree. Remember, just because you’re seeing all white swans doesn’t mean there isn’t a black swan out there (black swans meaning people who can get security to work quite well with statistics).

“Attackers will always hold the advantage over even the best-funded and most responsive organization for the simple reason that the attacker is acting and the defender is reacting.”

This will always be true until law enforcement is enabled to fight back in real time. Until then, it’s a very difficult proposition, this constant defense. But hey, it’s a living.

- May 18th, 2007 at 3:52 pm