Fresh Thoughts #54: What Can a Stolen Handbag Teach Us About Threats?

woman holding a handbag and laptop case

The new version of ISO 27001:2022 has a new control. Threat Intelligence.

It's a sign that certification bodies are starting to expect more from businesses.

What Can a Stolen Handbag Teach Us About Threats?

Last week my wife's handbag was stolen.

We were visiting family for a birthday, and we made a mistake.

The car was left unlocked.

We came back to find every compartment had been rifled through. Every coin had been taken… along with my wife's handbag, purse, iPad, and phone.

It's not the first time we've made this mistake.

But it is the first time we've had valuables taken.

So why this time? What changed?

The risk.

Or, more accurately, the threat.

Risk and Threat Are Linked

Risk is a central part of cybersecurity and business.

Nothing is guaranteed, so in cybersecurity, we balance the likelihood of something bad happening with the impact it will cause.

Commonly, this is presented as the quasi-formula:

risk = probability x impact

At first glance, this seems useful. But when you look closer, follow-up questions start to arise - How do I calculate the probability of the bad thing happening?

The typical answers you'll receive to this question are:

  • Guess
  • Use a rule-of-thumb to estimate based on past experience
  • Follow the wisdom of the crowd by asking many people to estimate

But there's a different way. Consider threats and opportunities.

Threat is something that defence and intelligence analysts deal with daily. They're taught:

threat = capability x intent

The idea is - that if someone or something can inflict harm and the intention to do so, then they are a high threat. Similarly, if they are incapable of taking action or don't care to, they are a lesser threat.

But being a threat is insufficient. A situation or opportunity needs to arise that will crystallise the threat into action. And so, a more advanced risk equation used in defence and intelligence analysis is:

risk = (capability x intent x opportunity) x impact

Taking away capability, intent or opportunity reduces the likelihood of a risk occurring. If you watch international news closely, you'll see that most activities are designed to reduce one of these three in some way.

How Do I Judge Threats?

Put simply, by using threat Intelligence.

You can collect, refine and assess threats on your own. However, most businesses will subscribe to one or more threat intelligence services or feeds. And the most critical factor is using this information to improve your security.

Threat intelligence is generally categorised at three levels:

  • Strategic - Broad trends and high-level information about the threat landscape, often produced for non-technical audiences.
  • Tactical - Information on the tools and techniques used in attacks, likely to be technical in nature.
  • Operational - Deeply technical information about specific attacks and campaigns that are currently taking place.

In cybersecurity, threat intelligence often looks like:

And so, What of the Handbag?

At a strategic threat level, we were in a place where inflation and the cost of living crisis are having a significant impact. Compounding the historic substance abuse problems that are common in the area. (The inside of the car smelled like a distillery after seemingly only a few moments of compromise). This increases intent - often out of desperation.

At a tactical threat level - having 40 years of experience in the area, cars are commonly targeted for petty crime. The efficiency in emptying every compartment - including the ones I didn't know existed - was an oddly impressive capability.

And, of course, the mistake of leaving the car unlocked provided the opportunity. But for this mistake, the handbag would not have been stolen.

And so, the action we should have taken to reduce the threat...

Double check the car was locked to remove the opportunity.

February 21, 2023
3 Minutes Read

Related Reads

creating a checklist in a notebook

Fresh Thoughts #50: The 10 Immutable Laws of Security Administration

This hard-to-find blog post from 2000 lays out ten fundamental truths of cyber security. 23 years on... it's still insightfully brilliant.

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.


Fresh Security Support

Your Questions


Fresh Sec Limited

Call: +44 (0)203 9255868