Every child who’s ever played a board game understands that the act of rolling dice yields an unpredictable result. In fact, that’s why children’s board games use dice in the first place: to ensure a random outcome that is (from a macro point of view, at least) about the same likelihood each time the die is thrown.
Consider for a moment what would happen if someone replaced the dice used in one of those board games with weighted dice — say dice that were 10 percent more likely to come up “6” than any other number. Would you notice? The realistic answer is probably not. You’d probably need hundreds of dice rolls before anything would seem fishy about the outcomes — and you’d need thousands of rolls before you could prove it.
A subtle shift like that, in large part because the outcome is expected to be uncertain, makes it almost impossible to differentiate a level playing field from a biased one at a glance.
This is true in security too. Security outcomes are not always entirely deterministic or directly causal. That means, for example, that you could do everything right and still get hacked — or you could do nothing right and, through sheer luck, avoid it.
The business of security, then, lies in increasing the odds of the desirable outcomes while decreasing the odds of undesirable ones. It’s more like playing poker than following a recipe.
There are two ramifications of this. The first is the truism that every practitioner learns early on — that security return on investment is difficult to calculate.
The second and more subtle implication is that slow and non-obvious unbalancing of the odds is particularly dangerous. It’s difficult to spot, difficult to correct, and can undermine your efforts without you becoming any the wiser. Unless you’ve planned for and baked in mechanisms to monitor for that, you probably won’t see it — let alone have the ability to correct for it.
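As an added example, not part of the original article: a small Python model of the weighted-dice argument above, using a chi-squared goodness-of-fit test as the "baked-in monitoring mechanism". The die with a 6 that is 10 percent more likely, the 5% critical value of 11.07 for five degrees of freedom, and the "expected statistic reaches the critical value" shortcut for roughly even odds of detection are assumptions of this example, not figures from the article.

```python
import math
import random
from typing import Sequence

FAIR = [1 / 6] * 6
# 5% critical value of the chi-squared distribution with 5 degrees of freedom
# (6 faces - 1): a fair die exceeds it in only about 1 run out of 20.
CHI2_CRIT_DF5_P05 = 11.070


def weighted_die(bias: float = 1.1) -> list[float]:
    """Face probabilities for a die whose 6 is `bias` times as likely as any other face."""
    weights = [1.0] * 5 + [bias]
    total = sum(weights)
    return [w / total for w in weights]


def chi_square_stat(counts: Sequence[int], expected: Sequence[float] = FAIR) -> float:
    """Pearson's chi-squared statistic of observed face counts against expected probabilities."""
    n = sum(counts)
    return sum((c - n * p) ** 2 / (n * p) for c, p in zip(counts, expected))


def expected_stat(n: int, actual: Sequence[float], expected: Sequence[float] = FAIR) -> float:
    """Expected chi-squared statistic after n rolls of a die with true probabilities `actual`:
    E[chi2] ~= df + n * sum((p - q)^2 / q), with df = 5 for a six-sided die."""
    noncentrality = n * sum((p - q) ** 2 / q for p, q in zip(actual, expected))
    return 5 + noncentrality


def rolls_for_even_odds(actual: Sequence[float], expected: Sequence[float] = FAIR,
                        crit: float = CHI2_CRIT_DF5_P05) -> int:
    """Smallest n at which the expected statistic reaches the critical value, i.e. roughly the
    point where a single 5% test has about even odds of flagging the bias (an approximation)."""
    d = sum((p - q) ** 2 / q for p, q in zip(actual, expected))
    return math.ceil((crit - 5) / d)


def simulate(n: int, probs: Sequence[float], seed: int = 1) -> list[int]:
    """Constructed sample: roll the die n times with a seeded PRNG and count each face."""
    rng = random.Random(seed)
    counts = [0] * 6
    for face in rng.choices(range(6), weights=probs, k=n):
        counts[face] += 1
    return counts


if __name__ == "__main__":
    die = weighted_die(1.1)
    print("rolls for even odds of detection:", rolls_for_even_odds(die))
    for n in (100, 1000, 5000):
        print(n, "rolls -> chi2 =", round(chi_square_stat(simulate(n, die)), 2))
```

With this bias the expected statistic stays well below 11.07 after a few hundred rolls and only crosses it around 4,500 rolls, which is the article's "hundreds to notice, thousands to prove" in numbers.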