Notes

1. Those new to the field of network security may think that this example is one of the enduring "urban legends" of networking. Those with more experience will nod sagely and recognize this very behavior in their own network users.

2. An examination of this formula, although simplistic, shows a fundamental relationship between the elements of risk. A vulnerability without a threat does not produce risk, and a threat without a vulnerability to exploit likewise does not produce risk.

3. These are not actual statistical chances of this event occurring. Please contact your local insurance agent for current "devastating meteorite" odds.

4. The discipline of risk analysis is particularly attractive to those who have either a pessimistic streak or a macabre fixation with what could go wrong given the chance. Murphy was a risk analyst.

5. The honeynet project (project.honeynet.org) has repeatedly demonstrated that the life expectancy of a "default" installation of most operating systems on the Internet is less than 24 hours. Default means no patches or other security mechanisms are applied — a sorry state for a device connected to the Internet.

6. Do not let this fact alarm you too much. When we discuss VPNs, we will see that even devices with modest hardware (such as an old Pentium 133 sitting in the closet) will provide adequate throughput for links up to T-1 speeds of 1.544 Mbps.