Security Lessons From Sun Tzu and Hannibal

History books are full of lessons relevant to today’s data security battles. Hackers understand history’s lessons and reduce their risk by carefully studying a potential target before designing attacks with a high probability of overcoming defenses. This sort of risk assessment is one criterion that Sun Tzu, author of The Art of War, used more than 2,500 years ago to evaluate the chances of success in a looming conflict.

Although we’re not losing the war against hackers, one problem we face is that an elusive and unknown enemy picks the time and place of the engagement, which gives him an extremely powerful advantage.

This “when and where” advantage, combined with other innovations or surprises, greatly increases the odds that the bad guys will stay one step ahead of the cops, whether they’re stealing cars or information. But nothing lasts forever, and sooner or later things change for the bad guys. Maybe they keep using the same old tricks too long, fate intervenes and they make a simple mistake, or the targets wise up.

The pages of history also provide some positive examples in the struggle to secure online assets. The Romans learned all about managing risk during the Punic Wars (264-146 BC), when the excellent Carthaginian general Hannibal won every battle but lost the war. The Romans suffered numerous humiliating defeats at Hannibal’s hands and finally realized that the probability of winning an engagement was low. So they barricaded themselves inside walled cities as Hannibal rampaged up and down the Italian peninsula.

Hannibal’s forte was fast-moving warfare with fluid maneuvers, so he viewed siege warfare against fortified Roman cities to be an unacceptable risk. The Romans licked their wounds and settled in for a war of attrition. They revised their tactics and ultimately conquered Carthage with a new generation of leadership.

Successfully managing risk is a delicate balance between probability and impact. If we choose more security, we must strengthen countermeasures until the probability of a successful attack is low enough to make the target unattractive. The bad guys will look elsewhere for lower-hanging fruit — and a skilled and determined foe will always find lower-hanging fruit.

Risk management is increasingly being used in planning and managing information security because risk is about business, not technology. Just as the Romans correctly deduced that they could win a war of attrition in a clash of civilizations, risk management provides the framework and tools for evaluating and managing the threats to an organization.

Viewed through a risk management lens, some threats will be deemed acceptable risks because the probability that they would occur is low or because their impact would be slight. However, the threshold for acceptable risk is dynamic. Risk managers must be vigilant in re-evaluating a constantly changing universe of threats. Most notable security failures can be traced to a failure to recognize changed risk conditions, where the probability of an attack or the force of its impact increased.

Conversely, some threats have such high probability or would deliver such a fierce impact that risk is omnipresent. Earthquake countermeasures and defenses must be baked into businesses in California. Similarly, companies that manage large amounts of cash must take extraordinary measures to protect and account for this most liquid of assets.

Some organizations try to strengthen security with more technology. Smarter organizations are changing the rules of engagement, like the Romans did 2,250 years ago, by adopting risk management methods. They evaluate the probabilities and impacts of threats to the organization, both known and unknown.

Most new developments in security technologies over the past several years have been driven by a better understanding of the risks to information assets. The perimeter “M&M” approach to security, with firewalls as the protective hard shell around a soft interior, has been replaced with a new model. This new model, sometimes called the Swiss Cheese Model, layers defenses throughout the organization based on where risk is present.

The growth in identity management is driven by the realization that people, especially internal employees and contractors, are the chief risk to information assets. Being certain of who is launching a session or requesting a service is fundamental to successfully managing risk and extending access to customers and partners.

If we focus solely on M&M security as a goal, we’ll be distracted with technology and surrender the advantages of time, place and technical innovation to hackers. When risk management guides the investment, we focus more on the business, and technology takes a back seat.

Mark Willoughby, CISSP, is a 20-year IT industry veteran and journalist. Contact him at

Copyright © 2006 IDG Communications, Inc.
