In the old days, a bank robber's potential victims were limited to real world proximity. They had to be physically present to perpetrate the crime. Also, their available time and man-power played a role in how much reconnaissance they could conduct, not to mention the amount of money they could steal. Threats were defined in a local geographic scope. Vaults, bullet proof glass, armed guards and alarm systems were designed to counter this type of well-defined threat model.

In the last twenty years, the internet has made everyone equidistant. Today's technology-savvy crooks do not have to be physically near their victims; they may remain comfortable hundreds or thousands of miles away while they act. Through automation, they can perform reconnaissance on a large number of targets within minutes. They also don't have to take the time to physically carry cash and instead rely on electronic transfer.

With hundreds of thousands of businesses and more than 1 billion people online, information security in the last 20 years has evolved to the point where risk must be assessed globally. From the levels of cybercrime, it is clear our current approach to information security is not working and we need better metrics to succeed.