Attack Scenario ≠ Threat

The video below gives an example of what some people would call a threat model. As far as I can tell, the video leaves out some detail but is otherwise accurate. Why does it appear hilarious or silly rather than reasonable?

As a joke, the video exploits a mismatch between the sensible, even verifiable analysis it presents and the ridiculous assumptions it implies. If this attack scenario manifested itself, it would play out pretty much as presented. However, the implied very narrow and specific mode of operation – firing cannon rounds at computers – does not correspond with the behavior of any reasonably imaginable threat agent. Any agent with the capability to deploy main battle tanks faces a wide range of possible uses and targets. Shooting individual personal computers is not only far from being one of the more profitable applications of this capability; it guarantees a negative return. The cost is high, and the destruction of specific, low-value items promises rather limited gains. There are also much cheaper methods to effect any desired condition on this specific type of target, including its complete destruction.

While the attack scenario is accurate, it lacks, therefore, a corresponding threat that would produce actual attacks. Such a threat would exist, for example, if the assumed target were other main battle tanks rather than personal computers.

2 comments on "Attack Scenario ≠ Threat"

  1. Well, the analysis was accurate but why did you make such a strange conclusion? The threat exists since someone has thought of it, just like many other silly threats. I think the correct conclusion should be that since this attack path is astronomically expensive, its probability is near zero and therefore should be safely ignored. Or, alternatively, since the probability is near zero and the defense mechanisms required are way more expensive than the cost of the asset, the risk should be accepted.

    1. This is perhaps a matter of terminology and associated concepts. I tend to think of threats as forces that exist independent of any particular target, characterized by objectives, constraints, and capabilities of one or more threat agents. In abstract terms, military action would be the threat corresponding with deployment of main battle tanks, and deploying tanks is a capability. Attack scenarios, in contrast, capture possible interactions with targets given certain capabilities and constraints, leading to results that may or may not correspond with a threat agent’s objectives.
