Basics: Threat Asymmetry and Security Posture

The concept of threat asymmetry is a quasi-military concept that has been adapted for use in IT security. In traditional terms, “threat symmetry” refers to the concept of equivalent military power creating a standoff: since committing a fighting force to an attack is expected to result in equivalent damage to both sides, neither side commits to expending those resources needlessly.

Threat asymmetry refers to the use of a tool or weapon that achieves significant gain or tactical advantage without expending valuable resources or materiel. In traditional military terms, an example would be espionage or sabotage: a handful of people can destroy a bridge that would otherwise require a large-scale attack.

IT security sees several forms of such attacks. Spam email, for example, costs almost nothing to send and can be used to deliver a phishing payload. Even a 0.01% (1 in ten thousand) response rate still yields a large number of successful compromises when the campaign is large enough: a million messages at that rate is around a hundred compromised accounts. Phishing costs so little in time and resources that it delivers account compromise at scale.

Note that non-specific, non-targeted account compromise also feeds the attacker's own platform: each compromised account or machine adds compute and sending capacity to the spam or malware infrastructure, extending the theatre of operations.

The asymmetry shows up in the cost of defending against these attacks. Companies must implement content scanning for all inbound content and constantly maintain those systems. Developing these defences is expensive, and the cost continues in the human and physical infrastructure needed to build and maintain them.

IT security is plagued with threat asymmetry in many areas. Consider that successful legal prosecution is complex when attackers are based in jurisdictions where legal compliance is less onerous; the financial cost of prosecution is high and the chances of success are limited. Virus scanning is deeply asymmetric since:

* the cost of antivirus software on desktops is high
* it has serious usability impacts, such as degraded performance
* antivirus software itself reduces system integrity, since it runs with high privilege and adds attack surface of its own
* it requires ongoing maintenance (signature updates, false-positive handling)

The asymmetric nature of IT security is a significant business challenge. There is no productive gain from IT security for the business owner, and many negatives in terms of usability and maintenance. Solving the root cause through legal means is not practical. On the other hand, recognising the asymmetry is important when talking to managers and understanding the psychology involved. Money spent on IT security is about preventing loss or protecting assets; it is not a profit- or revenue-oriented task. Once the extended management structure understands that security is equivalent to insurance or other revenue-protection functions, IT security starts to fit into how typical businesses operate.

The EtherealMind View

I feel it’s important to understand that most IT threats cost the attacker very little and that, as a result, your network will be attacked. The debate isn’t “when”; it’s simply “which tool” will they . A modestly priced computer and a low-speed Internet connection can be leveraged into good-enough money for people who live in a country where a modest hard currency income . Therefore, your security posture should take this into account by planning for non-specific, non-directed but sophisticated attacks from Internet vectors.


I have nothing to disclose in this article. My full disclosure statement is here

  • Will

    Wow! I’m stunned at how awesome this post is.