Comment by Kalium
5 years ago
This is a great comparison!
With physical security, you need to trust that the lock designers and manufacturers didn't make material mistakes. It is impossible to check for the layman and extremely hard even for experts. You can watch people install it, but that only offers so much assurance and is limited mostly to their expertise in installation. Further, we know that any lock can be bypassed given enough effort, so we have insurance against theft and maybe additional layers of security (cameras, a fence, watchful neighbors, etc.).
With cyber security your position is similar. You're working with a series of tools, none of which you can trust completely, and most of which have limitations or flaws. You layer them with the goal of raising the amount of effort required to breach all your defenses so high that your adversaries don't want to take it on.
In both security domains, the basic positions are the same. Non-experts need to layer imperfect defensive systems atop one another to make successful attacks more difficult to achieve. Risk assessments play an important role in helping people decide how much is enough.
The difference is the scale. While you may have one burglar try to break in, in cyberspace you could have thousands of state-sponsored hackers trying to break in.
A burglar needs to quickly break in, otherwise they risk getting caught. Hackers never get caught. There is absolutely no risk, and high reward.