In 2009 there was "New Zealand's Hacker con" in Wellington, which had this awesome picture:
Hackers/Attackers don't care about your...
- ...About your project's scope
- ...It's managed by a third party
- ...It's a legacy system
- ...It's 'too critical to patch'
- ...About your outage windows
- ...About your budget
- ...You've always done it that way
- ...About your Go-Live Date
- ...It's only a proof of concept
- ...About Non-Disclosure Agreements
- ...It wasn't a requirement in the contract
- ...It's an internal system
- ...It's really hard to change
- ...It's due for replacement
- ...You're not sure how to fix it
- ...It's handled in the Cloud
- ...About your Risk Register entry
- ...The vendor doesn't support that configuration
- ...It's an interim solution
- ...It's [insert standard here] compliant
- ...It's encrypted on disk
- ...The cost benefit doesn't stack up
- ..."Nobody else could figure that out"
- ...You can't explain the risk to the Business
- ...You've got other priorities
- ...About your faith in the competence of your internal users
- ...You don't have a business justification
- ...You can't show Return on Investment
- ...You contracted out that risk