In military thinking, there is a simple framework of four types of knowing:
- There are things you know that you know.
- There are things you know that you don't know, but which you can come to know by reading, listening, talking to somebody, and so on.
- There are unknown knowns: things you definitely are going to know someday (for example, the cause of somebody's death, before it happens), but which you don't know now.
- There are unknown unknowns: threats you don't know about, and don't even know exist. When they arrive, you don't know which form they will take.
Unfortunately, in security it gets worse. On top of these four vectors, there are another four types of knowing:
- We can stay confused.
- We can stay in doubt for what we do.
- We can stay afraid: of compliance punishments, of security risks, of your boss being angry at you for overspending your budget.
- We can be risk averse: we can just pretend that nothing is wrong.
Reference: Designing Secure Architectures the Modern Way, Regardless of Stack
Notable link: Implementing a Staged Approach to Evolutionary Architecture