
The worst truism in information security - danjoc
https://alexgaynor.net/2018/jul/20/worst-truism-in-infosec/
======
j88439h84
> as long as identifying vulnerabilities and exploiting them without detection
> is more expensive than the value of the assets the system protects,
> defenders are winning.

I'm not sure what "winning" means or why it's valuable.

I don't have an interest in the payoffs of the attacker being small. I have an
interest in the costs to myself being small.

~~~
Kalium
In this context, "winning" means "not getting breached". I leave it up to you
to decide why it might be valuable.

I believe the author's point is that would-be attackers are in essence
economic actors. They seek some gain from compromising a system. If the cost
in time, energy, money, or other resources exceeds the anticipated gains, then
the attacker will tend to move on to seek easier targets.

You're absolutely right. You don't have any interest whatsoever in the
attacker's payoff being small. You may have an interest in keeping it lower
than the cost of compromising your systems, but only to the extent that you
actually value winning.

If you don't value "winning", then you can definitely guarantee that the
costs to you will be small!

