


Invincibility vs Vulnerability

Mar 10, 2009 | 3 mins
Business Continuity | Careers | Data and Information Security

What does Sun Tzu have to do with Information Security?

I expect that some of you asked this question after reading the teaser headline.  While The Art of War is not the only treatise on military strategy, it does offer relevant insights that can be applied to our field.  This is the first installment of a weekly series exploring the Sun Tzu paradigm.  This week we will discuss the concepts of invincibility and vulnerability.

“Invincibility is in oneself, vulnerability is in the opponent” – Sun Tzu

Invincibility is defined as being “incapable of being conquered, defeated, or subdued.”  In the context of The Art of War, this is accomplished through self-defense.  Individual self-defense requires awareness of one’s own tactical and strategic strengths and vulnerabilities.  Once this awareness is developed, one projects an image that reduces the risk posed by potential opponents.  While different in scope, this model is applicable to a corporation.

Vulnerability is defined as being “capable of or susceptible to being wounded or hurt, as by a weapon.”  Interestingly, Sun Tzu treats this as a function of the opponent.  That perspective seems inaccurate until you consider that vulnerabilities are discovered when a system is viewed from the perspective of an attacker.  It is difficult to see the vulnerabilities in a process or system through the eyes of a user.

So how do I apply this to my environment?

In practice, it is unrealistic to build an invincible security plan for your organization.  However, there are steps that raise the cost of an attack for potential adversaries.

  1. Give your employees a stake in the business.  On 3/15 I will post a discussion on business-case centered security awareness training.  Your team must understand the value of security to the success of the business and know they are empowered to act to ensure that success.

  2. Understand the core competencies of the business and how your IT infrastructure supports them.  This will allow you to connect security investment to business goals.  Learn to view security risk from a business risk perspective.

  3. View the organization from an attacker’s perspective.  Now that you understand the value of your assets, put yourself in the shoes of someone who wants to control or disrupt those assets.  This will allow you to identify process and IT vulnerabilities that could be exploited.

  4. Finally, encourage a movement towards tactical and strategic agility.  The threats that face your organization are evolving.  They may take physical, cyber, or competitive forms that do not exist today.  You must be ready to identify and prepare for those threats.

What are your thoughts on the implications of what Sun Tzu has to say? 

Next week I will discuss how invincibility and vulnerability apply in the context of cyber warfare.  According to Sun Tzu, victory cannot be manufactured.  It can only be discerned.  Feel free to explore this statement between now and next week!

Works cited: “The Illustrated Art of War,” translated by Thomas Cleary


Steven F. Fox provides security guidance to ensure compliance with Federal standards and requirements as a Senior Security Architecture and Engineering Advisor for the IRS. Fox contributes to multiple working groups, including the IPv6 transition team, the Developer Security Testing workgroup and the Security and Privacy workgroup. He brings a cross-disciplinary perspective to the practice of information security, combining his experience as a security consultant, an IT Auditor and a systems engineer with principles from behavioral/organizational psychology to address security challenges. He is a syndicated blogger covering IT Governance, Risk Management and IT-Business fusion topics. He also volunteers his time to the Ponemon Institute and Security BSides Detroit.