cyber-security approach, philosophy, business, protection

How much security is enough security?

I am often asked how much security is enough security and the answer I give is always “depending on your case”.
That is because each case has different threat levels. In fact, even the same case might have (different) variant threat levels depending on the situation and current conditions. Security is a living organism always affected by the environmental conditions. If. Even just one parameter of the environment was to change we would see a big fluctuation of the threat levels for the same entity.

Let me give you an example to understand this better.

We dress based on the environmental conditions, right?
How easy does that change?
With just one parameter change, temperature!
When the temperature gets higher you wear lighter clothes and when it drops you wear more clothes.

Here is another example:
During the day you can see naturally. During night time which is basically the alteration of the position of the sun you need electricity to power up a lamp and see. Again, just one environmental parameter is enough, light.

Want a little help?
cyber-security approach, philosophy, business, protection
Where am I going with this?
The way we define your needs in security is by crafting a threat assessment evaluation. In that assessment we separate between two types of scenarios; normal and extreme cases.

Before you consider this technical language, hold on a second.


I always explain concepts in simple terms because I am talking to people who are not security experts.


Normal scenarios are comprised by all scenarios that can happen when everything is operating properly aka the environmental parameters stay constant for long periods of time.

Extreme case scenarios refer to those scenarios that do not happen often but if they happen the threat level and/or the impact is higher.


Here is a tangible example to understand the difference.

Imagine having a car which you drive at a speed of 120km per hour. When the weather is not rainy or snowy the threat level you have to crash is dramatically lower than when you are driving in a road with piled snow. Right?

Why? Because your wheels are slippery on the snow.

How often do you drive in a snowy road? Hopefully not often but you need to consider this scenario as well and change your approach i.e. avoid driving during snowy days, add tires with chains and slow down your speed. Without being familiar with the threat levels for such a scenario though you cannot be prepared properly.

The threat level assessment is your compass for protection by allowing you to anticipate for each case accordingly.

So, if we were doing a threat level assessment for your car we would consider

  • Weather conditions (i.e. sunny day, rainy day, snowy day,
  • Materials blocking the road (dropped by other cars, caused by physical conditions, caused by accident of another car)
  • Traffic percentage
  • Road quality
  • your cars’ speed
  • maintenance of your car (i.e. tires condition, oil change, service condition, burned out lights)
  • driver characteristics (experience, focus, emotional condition, physical condition-tired)
  • time driving (morning, night)


You got the point. By the way, the above list is not exhausted. In order to do a solid threat assessment, you must consider as many scenarios as possible. Thus, being analytical and having knowledge of the conditions and environmental parameters is essential.

Environmental parameters as you may understand do not include only the physical and temperature properties. Especially with Security they include so much more.

  • Your physical environment,
  • Your virtual environment (data & systems),
  • your habits and behavior,
  • your status,
  • competitors,
  • asset value
  • exposure to danger etc

All beforementioned are defining factors of your threat levels and are not the only ones.


That is why defining the customized needs is essential and the more customized and unique your “security architecture” is, your protection levels do increase exponentially.

Please note that customized and unique is not the same thing.

  • Customized means designed or altered specifically for your needs and requirements and
  • unique means having an element of surprise as it is not something that the cyber-criminal is already familiar with.


And let’s have a tweetable to summarize this episode’s message:

I am now turning it over to you and get some paper because I want you to write down the following questions and most importantly answer them.

  1. Did you build your protection by first examining your threat levels?
  2. How long has it been since you performed your last threat levels evaluation? Environmental parameters change at high speed with technology.

This is the only way to find how much security is enough for you.

Apply what you learn immediately. Download “Master your protection” free quick start guide.
cyber-security approach, philosophy, business, protection


and get the latest updates