An ancient African proverb goes like this:
Every morning in Africa, a gazelle wakes up.
It knows it must run faster than the fastest lion or it will be killed.
Every morning a lion wakes up.
It knows it must outrun the slowest gazelle or it will starve to death.
It doesn’t matter whether you are a lion or a gazelle.
When the sun comes up, you better start running.
Jeremiah Grossman recently commented on a curious topic which I have long thought about – if the statistics are so grim (75% of attacks are against the application, and almost 90% of applications are vulnerable), why then do we not see more incidents in the real world?
We are gazelles, and yet I have never been bitten? What if 75% of lion attacks were on gazelles and 90% of gazelles could not run faster than lions – then what? Would the gazelle population be reduced by 90%? No.
I would argue that being attacked by the lion is only one consideration. The reality is not so simple.
The Number of the Lions
It is an unavoidable truth that there are lions. Further, I'm sure the gazelle would like to know, when it wakes up, how many lions happen to be crouching in the tall grass nearby. However, the gazelle has little to no warning of an imminent attack. The smart gazelle assumes that at all times there is one lion stalking it. Reality? The gazelles continue to exist because there are far more of them, and their population grows quickly.
I don't have any really good statistics on how many malicious attackers are attempting harm in the web application space, but I have to believe that the number of applications and organizations far outnumbers those who would attack us.
The Number of Gazelles
True or false? The gazelle must run faster than the fastest lion. False. The gazelle only needs to outrun as many gazelles as there are lions. If there are 20 lions and 40 gazelles, he merely needs to come in as one of the top 20 of his peers. In this manner, his peers might also be his enemies. If he is on the low end of the speed spectrum, it may be that he ends up as the soft target.
We all agree that there is no such thing as "secure". Sometimes it may be enough to merely not be the one who is the least secure. Is that a defense? No. But sometimes we accept rather than mitigate risk, and we are not bitten.
As a target, some gazelles appear more attractive than others. Distinguishing oneself from the herd can be a dangerous game and one that should not be entered lightly. Collecting highly attractive data (financial information, military secrets, and valuable assets) often makes one gazelle appear plumper than its peers. While this distinction is often unavoidable, it seems a certainty that the lions consider some targets more attractive than others.
Do you have a choice in how attractive you are? Sometimes yes. Sometimes no. It may be that the business dictates your attractiveness. Certainly a Microsoft is more attractive than Mom and Pop's Bait and Tackle. However, we would do well to remember one of the key tenets of the IAPP fair information practices: limiting collection. Sometimes we make ourselves a more attractive target simply by retaining more information than we need.
I do not want to leave you with the impression that you can hide within the herd. Playing the "wait and see" game can be dangerous. However, at the same time, I believe it spreads fear, uncertainty and doubt when we only talk about the lion. There are gazelles that die of old age, despite the fact that they cannot outrun the lions.