In the 1980 movie Superman 2, there is a scene where Clark Kent – Superman without his superhero costume – is standing with a girl near a large waterfall. At that moment, a small boy climbs the railing that surrounds the waterfall. Superman calls out to him, “Watch out!” and the boy’s parents, realizing where the boy is, pull him down. No word is spoken to Clark Kent in response to his warning. Shortly afterwards, the boy climbs back up the railing and falls into the waterfall. Superman – now in his “professional” costume – shoots down, grabs the falling boy and flies with him in his arms to the cheering crowd.
The scene demonstrates a curious principle: preventing a problem is usually unseen and therefore unrewarded, while solving a problem that has already occurred makes you a hero.
After all, for a prevented problem, it is often not clear what would have happened and what the consequences would have been if the right actions had not been taken. This is also because it is not clear how you measure what did not actually happen.
For a doctor, curing a person of a terrible disease makes you a hero, while early detection and prevention is nothing more than routine work. For a footballer, not conceding a goal is less heroic than scoring the winner at the end of the game. Preventing crime from taking root in a neighborhood, and stopping a criminal problem from escalating before it does, is less rewarding than catching a dangerous criminal gang that has already caused significant damage.
This can result in a situation where it becomes more profitable to solve problems than to avoid them.
It’s the same story with cybersecurity, of course. Fighting new system vulnerabilities may look more spectacular, but the approach of avoiding dangerous system states at the design level, though boring, is more profitable in the long run. No matter how exciting the prospect of fighting cyber-evil may seem, the boring stories of a second-rate action movie are still better. An intruder with poor voice acting decides to hack into the system, and after a series of clumsy attempts and sluggish fights, he fails. The end.