Security people (digital, physical, or otherwise) really need to ask themselves why vast quantities of trivially vulnerable systems are not being taken advantage of, and what that should mean for their threat modelling process.


And like, if you work in security and you don't have at least a credible answer to this, what the fuck are you even doing

Consider: the majority of critical physical infrastructure of modern-day society could be disrupted trivially, and with very little risk of consequences.

There are vast swathes of unguarded infrastructure that could be attacked without anyone being there to spot you, or having any real way to track you down. Nobody would notice until it were too late.

And yet, we don't have critical infrastructure being torn down every hour of the day. Why? How can you possibly draw any useful conclusions about security and threat modelling if you can't answer this very basic (yet deceptively complex) question?

(And you'd be unpleasantly surprised by how many people who work in security professionally *can't* answer this question.)

You can tell when a security person falls into this category because they constantly focus on making things impossible in an absolutist, technical sense, and never talk about motivations and reasons for people to do things.

@joepie91 This aspect of security is mostly studied by politologists, and the best-known one-word term for what you're looking for, unfortunately poorly coined by the influencers of MBA culture, is buy-in.

@ChlorideCull The many complex human factors that go into it; that includes motive, but also more fundamental questions like "will people actually take advantage of others by default, as is so commonly claimed?"
