> as long as identifying vulnerabilities and exploiting them without detection is more expensive than the value of the assets the system protects, defenders are winning.
I'm not sure what "winning" means or why it's valuable.
I don't have an interest in the payoffs of the attacker being small. I have an interest in the costs to myself being small.
In this context, "winning" means "not getting breached". I leave it up to you to decide why it might be valuable.
I believe the author's point is that would-be attackers are in essence economic actors. They seek some gain from compromising a system. If the cost in time, energy, money, or other resources exceeds the anticipated gains, then the attacker will tend to move on to seek easier targets.
You're absolutely right. You don't have any interest whatsoever in the attacker's payoff being small. You may have an interest in keeping it lower than the cost of compromising your systems, but only to the extent that you actually value winning.
If you don't value "winning", then you can definitely guarantee that the costs to you will be small!