Mellow Root

Make attacking not worth the effort

Crime opportunity theory suggests that offenders make rational choices and thus choose targets that offer a high reward with little effort and risk.1

If I can make an attack require more effort than the value an attacker could get from it, I have essentially won the battle against potential attackers. While 100% security is not attainable, my goal is to make my systems not worth attacking in the first place.

A useful mental model for risks is considering the potential efforts and rewards for attackers. Like most mental models, it's useful but not perfect.

Efforts of attacking

I don't want to be an easy target, "opportunity makes the thief" as the saying goes. I want to be as much pain in the ass as possible for potential attackers. If attacking me is taxing enough, attackers will lose interest and move on to something else. Some factors that may impact the level of effort needed to execute an attack:

I don’t want to be the low-hanging fruit. By for example keeping systems up to date, using 2FA and good and unique passwords, and generally trying to make attacking me tedious and expensive however I can, I hope to not be an easy target.

Risks of attacking

An attacker wants to minimize their risk, and while cyber attacks are much less risky than other types of attacks, there are still some scenarios that are more or less risky. Usually though, they’re out of our control. Attacking governments and infrastructure is riskier since it might mean you get a nation-state after you, but unfortunately you can’t just decide to be a government and get that benefit.

I don’t worry too much about attacks that require physical access. If possible, I use physical devices or presence as a tool to make things riskier to attack. People aren’t likely to cut off my thumb to unlock my phone, they’re also unlikely to steal my Yubikey to get access to my email.

Lowering the reward

To make my systems less attractive targets for attackers, I try to lower the potential rewards of an attack. Here are a few ways to do this:

Of course, an attacker needs to know about these things so they understand that the reward is limited. This is why you see signs saying "We're a cash-free store", "Cashiers can't open the safe", "Registers are emptied every evening", and similar in some stores.

Conclusion

Making an attack more expensive (in terms of effort) than the reward is a way to protect your systems from potential attackers. By understanding what makes an attack demanding, avoiding factors that make it effortless, and limiting the value an attacker sees, you can help make your systems less attractive targets for attackers.

  1. Crime Opportunity Theory - Wikipedia

  2. Principle of Least Privilege - Wikipedia

  3. Blast Radius - Wikipedia

#security #risk #mental-model