When a potentially major security flaw gets announced, à la SandWorm, Shellshock, and Heartbleed, those of us in the computer security field can't be sure it's a "big one" that would attack or compromise the majority of the computers in the world or your enterprise. Whether the technical methods are familiar or novel, most of the discovered attack methods don't go big.

We've had lots of "big ones" in the past. The Robert Morris worm of 1988 infected around 6,000 computers. That doesn't sound like a lot today, but back then, it represented about 10 percent of the computers hooked to the Internet. Since then, far bigger and faster-spreading worms appeared, most notably Michelangelo, Code Red, Melissa, SQL Slammer, ILoveYou, and Blaster.

In those heady days, a single infection would turn into a global outbreak in a day or less. The record belongs to SQL Slammer, which infected nearly every unpatched SQL server on the Internet and clients running SQL in about 10 minutes.

Luckily, we haven't seen a worm go global at such a pace in a while. Gladly behind us are the days when we had to shut down the mail server, get everyone off their computers so that we could clean them up, and call everyone who received one of our infected emails. Then again, maybe I shouldn't be so confident. Now we have to worry about advanced human attackers that steal intellectual property and money. I'd love to fret about a simple, noncriminal malware program.

We are very bad at predicting what vulnerability will go global. As with our real-life wars, no one can predict which conflict will turn into a global world war until we are in it. As in the digital world, real-life experts are constantly predicting the latest conflict will lead to nuclear Armageddon.
But it hasn't happened.

In the digital world, for an infestation to quickly go global, it must be "wormable," meaning that a hacker can take advantage of the vulnerability using roving malicious code that bounces from computer to computer, instead of having to manually test each computer. If it can't be wormed, it probably won't go international.

That's the conventional thinking today. Perhaps in the future a malicious coder will mess with a big cloud service and create a new malware propagation method. Viruses, which are malicious pieces of code that infect other code or documents to spread, can go global quickly, too. But they aren't as popular as worms anymore.

However, most worms and viruses don't go big. Why? Because there is a huge gap between ability and action, between capability and causation.

I don't know why some malware programs go big and others don't, but I have noticed a few ways to categorize those that went global:

- Vulnerabilities that we knew about, that we worried about, and that still went big, such as Blaster and Michelangelo -- these are uncommon
- Techniques that come out of the blue and surprise us all, such as SQL Slammer and Code Red
- Techniques that we knew about for a while but for unknown reasons take off later than when they were discovered, such as Melissa and ILoveYou
- Long-known public techniques used continuously by multiple attackers over long periods of time, such as spearphishing and pass-the-hash attacks (popular today)

Those broad classes don't help identify what might be a "big one." What causes an attack to be a "big one" remains a mystery to the computer defense industry.
But I believe three nontechnical factors are often involved:

- Motivation and intent: A criminal agency, a spy organization, or another entity wants to use a method to achieve one or more goals.
- Loss of control: The malware coder didn't seem to realize how quickly his creation would spread, such as with the Robert Morris worm, SQL Slammer, and Melissa.
- Placement and timing: The malware happened to resonate with people. For example, I've always believed Melissa went global because its creator promised free porn in a day when free porn wasn't the norm.

If I had to pick one reason a worm went global, I'd have to go with motivation and intent. Many of the hacks we worried about didn't happen until a bad guy finally tried it, such as Kerberos ticket manipulation.

I'm sure there are other factors I'm not thinking about right now. But I know that capability and potential are still poorly correlated with actual damage. If we could better predict what will go big, our job would be a lot easier.

You can think of cyber threats the same way the military thinks about weapons of mass destruction: Many nations (even individuals) know how to build weapons of mass destruction. The major entities won't use them unless absolutely necessary, if ever. But now more entities have access to them than can possibly be controlled over the long term.

Someday a weapon of mass destruction will be used against a major (unsuspecting) population. That day is coming, and we can't possibly predict when. The capability and potential have been there for a long time; it's a question of timing.

Even more unsettling, it doesn't matter if we make it harder or easier to carry off the big attacks that will cause huge disruption. Plus, we are so poor at computer security (in general) that we give attackers dozens to hundreds of avenues to try when they get motivated.