A tool you might not see mentioned often in security literature is imagination. It isn’t very
technical, and it isn’t very procedural, but failing to employ your imagination can often lead to
disaster.
If I had only believed I could win
My favorite story is that of a young businessman who wrote about his early hobby of sailing.
He went up against the “big boys” in a race off Australia. During the middle of the race, he was
further out than the rest of the sailors and he thought he should go closer to their path, nearer
the shore. Later he realized that if he had simply taken the water temperature with his
thermometer, he would have seen that he was on a faster path and finished much earlier. He notes “If
I had only believed that I could win, I would have.”
Also consider “The Empire doesn’t consider a small, one-man fighter to be any threat.” — Rebel General Dodonna,
shortly before a small, one-man fighter destroys the Death Star.
Some failures of imagination are more severe. Do you remember one of our leaders standing in the
rubble of New York buildings saying “Who could have imagined this would happen?” Well, the
people who did it, that’s who.
Defense by presumed motive
In talking to teams about how to build defenses, I often hear “Well, if the attackers
get into one of my servers, the database is encrypted so they can’t get anything.” There are
several problems with this thinking. First, if attackers can get into a server, you probably need
to presume