When you walk into a hardware store and gaze upon the vast array of locks for your house, there's one thing you'll never see on any of the colorful packaging: "This lock prevents burglaries!" Likewise, down the aisle of your local office-supply superstore  where they keep the safes, you don't see this on any of the labels: "This safe prevents theft!" Why, then, do we fall for their tricks when marketers of computer security products claim "This product prevents attacks!"?
 Come on, admit it: office supplies are fun .
Physical access controls, like all forms of access control, erect barriers. The lock on your computer room door is a barrier to many forms of attempted unauthorized access, but has very little protective influence against a strategically located stick of dynamite. Does that mean you need super-thick walls and explosion-resistant steel doors? Probably not, if your threat assessment indicates that such an attack is highly unlikely and your risk assessment indicates that the expense of providing security that strong outweighs the value of the assets you're protecting.
A lock on the door, a camera in the hall, and a single-entry/single-exit building watched by highly involved (read: paid enough to care) guards are probably sufficient enough protection. They'll have the necessary effect of discouraging an attacker from attempting a break-in, possibly motivating him or her to move on to someone else who hasn't implemented appropriate physical security. If someone tries to breach your security anyway, physical access controls buy you time to detect that a breach has occurred and to react accordingly . Indeed, controls such as locks and safes are often rated according to their resistance to attack or time to failure: a safe might be rated as TL-15, meaning it can withstand 15 minutes of attack by common hand tools, or TTL-45, 45 minutes of attack by torches and hand tools. Buy the safe that provides the level of response you need against the attacks you anticipate.
The same logic applies to all the physical, network, host, application, and data security controls we mention throughout the rest of the book. Nothing we describe here is completely preventively secure . We give you techniques and procedures to stop many of today's attacks, to slow down or discourage attackers , to erect barriers, to give you time. We make strong recommendations based on our extensive experience. But only your threat and risk assessments can really help you determine exactly what is appropriate for you.