---
id: "concept-relative-cybersecurity"
type: "concept"
source_timestamps: ["¶16", "¶17"]
tags: ["security-philosophy", "deterrence"]
related: ["quote-faster-than-the-bear", "contrarian-total-safety-impossible"]
definition: "The strategic posture of making an organization's digital defenses just difficult enough to breach that opportunistic attackers abandon the effort in favor of weaker targets."
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-sig-57-smb-cyber-risk"
sourceUrl: "https://hbr.org/2026/06/ai-is-changing-cyber-risk-heres-how-smbs-can-respond"
sourceTitle: "AI Is Changing Cyber Risk. Here’s How SMBs Can Respond."
---
# Relative Cybersecurity (The Bear Philosophy)

A pragmatic approach to cybersecurity that starts by accepting that achieving absolute, 100% safety is impossible (the position argued in [[contrarian-total-safety-impossible]]). Instead of an impenetrable perimeter, the strategic goal is to elevate the organization's defensive posture *just enough* to make a breach difficult and time-consuming.

Because many attackers are opportunistic — scanning for the easiest vulnerable systems — encountering a hardened target will often cause them to abandon the attempt and pivot to a softer one. [[entity-daniel-dobrygowski|Daniel Dobrygowski]] captures this with the bear analogy: [[quote-faster-than-the-bear|"You don't have to be faster than the bear — just faster than the guy next to you."]]

This philosophy is the strategic "why" underneath the tactical playbook in [[framework-dobrygowski-smb-cyber-defense]]: every affordable control (MFA, inventory pruning, data architecture, vendor vetting) raises the relative cost of attacking *you* versus the next target.

> [!note] Enrichment nuance
> As a heuristic for **commodity threats** (drive-by ransomware, mass phishing), the bear analogy aligns well with reality — raising cost and difficulty diverts opportunistic attackers to softer targets. It is **incomplete** for **targeted, motivated adversaries** (finance, healthcare, critical infrastructure), who will invest sustained effort regardless of relative hardness. For those, relative hardness is necessary but not sufficient: strategy must also include detection, incident response, and resilience (plan for eventual compromise), consistent with Zero Trust thinking (NIST SP 800-207).
## Related across articles
- [[concept-airline-safety-analogy]]
- [[concept-compliance-security-conflation]]
## Related across segments
- [[concept-deterministic-security-mismatch]]
- [[concept-ai-fueled-threat-escalation]]
- [[framework-four-imperatives-ai-security]]
