Information Security Mental Models

Because other well-established fields have been in cognitive crisis and come out the other side more formalized and effective, there is hope for information security as well. Information security practitioners desperately crave new models, further highlighting the cognitive crisis. Similarly, I’ve seen new security organizations center their entire detection and prevention strategies around ATT&CK without first defining their threat model, understanding the high-value assets, and gaining any sense of the risk they want to mitigate.

Source: chrissanders.org