Two Men and a Bear


Of all the proverbs, analogies and metaphors associated with cybersecurity, my favourite is the story of the two men and the bear.  In the tale, two men are camping in the woods and all of a sudden, one man turns to the other and proclaims that he has heard a noise emanating from the trees behind them.  The second man reassures the first that he is hearing things and his mind is playing tricks on him: “it was simply the wind”, the first suggests.  The second, still unsure, accepts that he might be overly nervous based on stories of bears living in the forest.  Out of nowhere, a bear appears from the trees.  The two men, unprepared for such a turn of events don’t know what to do.  The first man decides to make a run for it; he bolts away bare (excuse the heterophonic pun) footed as fast as his legs will carry him.  The second man doesn’t seem to be leaving the campsite as swiftly, he feverishly looks through his backpack, finds a pair of trainers and proceeds to put them on.  In a moment of incredulity, the first man bellows back to the first: “why are you wasting your time with running shoes?  You’ll never outrun a bear.  The first man turns to the first and asserts that “I don’t need to outrun the bear, I just need to be faster than you.

The aforementioned story has several variations, the men and the shark being one of them.  I hear the reference on a periodical basis and always smile.  It’s used in the cyber realm to suggest that an enterprise just needs to be better than its peers; that cybersecurity is about not being the worst in your sector.  For some threat actors and motivations, this is true.  An indiscriminate, financially-motivated criminal is going to look for the path of least resistance and the company with the weakest defences, but a more motivated, targeted attack cannot be prevented with an approach predicated on merely not being the worst.  The two men and the bear story highlights some of the challenges with cybersecurity, a view that a one size fits all approach to defence is suitable.  Organisations MUST profile their threat actors, their motivations and proficiency.  A metaphorical pair of running shoes will prevent you from being attacked by certain bears (attackers) but not all of them!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s