Security teams and individuals face a constant tension. Threats evolve quickly, yet the hours available to monitor, respond, and maintain defenses do not. Proportionate security starts from this reality: build threat models that respect human time. When controls ignore how much attention operators and end users can give, they create fatigue, missed signals, and brittle systems. The goal is not maximum protection but calibrated effort that aligns with actual risk and realistic capacity.
Puru Pokharel works with executives and engineers who must make these tradeoffs daily. From device hardening to vendor posture reviews, the recurring pattern is the same. Overbuilt defenses consume time that could have gone to higher-priority work. Underbuilt ones leave gaps that adversaries exploit. Proportionate security asks a simpler question first: how much of a person's day should this control reasonably require?
The Cost of Misaligned Threat Models
Many organizations still default to all-hazards thinking. Every possible vector receives equal weight on paper. In practice this produces long lists of alerts, mandatory trainings, and policy updates that no one can sustain. Industry incident writeups repeatedly show the same sequence: defenders drowned in noise while the actual breach used a simple, overlooked path.
Human time is the scarcest resource. An analyst can review only so many logs before attention degrades. A non-technical executive can absorb only so many new authentication steps before workarounds appear. When threat models ignore these limits they become performative rather than protective. The result is a false sense of security that collapses under pressure.
Alert Fatigue as a Predictable Failure Mode
Security information and event management (SIEM) systems generate thousands of events per day in mid-sized environments. Most teams lack the staffing to triage them all. The predictable outcome is habituation. Important signals get buried because every alert looks urgent on arrival. Academic security literature and regulatory notices document this pattern across sectors. The fix is rarely more staff. It is better triage rooted in a threat model that ranks likelihood, impact, and required response time.
Proportionate security therefore begins with pruning. Ask what fraction of alerts truly require human judgment today. Automate the rest or accept the risk. This respects the finite minutes an analyst has in a shift.
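As an added illustration (not code from the article), the script below scores a handful of constructed alert types by likelihood, impact and required response time, routes only those a script cannot settle to a human, and checks whether the resulting review load fits the triage minutes an analyst actually has in a shift; the alert names, weights, counts and the 240-minute budget are all assumed placeholders, and the threshold parameter shows how tuning shifts the human fraction.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    name: str
    likelihood: float       # 0..1: chance a firing reflects a real incident
    impact: int             # 1..5: business impact if it is real
    response_minutes: int   # how fast a human must act if it is real
    auto_verifiable: bool   # can a script confirm or dismiss it unattended?
    review_minutes: int     # analyst minutes consumed when routed to a human

def priority(a: Alert) -> float:
    """Likelihood x impact, weighted up to 2x when response must be under an hour."""
    urgency = 1.0 + max(0, 60 - a.response_minutes) / 60
    return a.likelihood * a.impact * urgency

def needs_human(a: Alert, threshold: float) -> bool:
    """Route to a person only when a script cannot settle it and it ranks high enough."""
    return not a.auto_verifiable and priority(a) >= threshold

def triage(alerts, counts, shift_minutes, threshold=1.0):
    """counts: firings per shift by alert name. Returns the fraction of alerts that
    need human judgement, the analyst minutes they consume, and whether that fits."""
    total = sum(counts[a.name] for a in alerts)
    routed = [a for a in alerts if needs_human(a, threshold)]
    human_count = sum(counts[a.name] for a in routed)
    load = sum(counts[a.name] * a.review_minutes for a in routed)
    return {"human_fraction": human_count / total, "load_minutes": load,
            "fits_shift": load <= shift_minutes, "routed": [a.name for a in routed]}

# Constructed sample alert types and per-shift firing counts (placeholders, not real data).
SAMPLE_ALERTS = [
    Alert("failed_login_burst", 0.2, 2, 240, True, 5),
    Alert("new_admin_created", 0.7, 5, 30, False, 15),
    Alert("av_signature_hit", 0.5, 3, 120, True, 10),
    Alert("outbound_to_unknown_host", 0.3, 4, 60, False, 20),
]
SAMPLE_COUNTS = {"failed_login_burst": 300, "new_admin_created": 4,
                 "av_signature_hit": 40, "outbound_to_unknown_host": 25}
ANALYST_TRIAGE_MINUTES = 240  # assumed: half of an 8-hour shift is available for triage

if __name__ == "__main__":
    # At the default threshold the routed load (560 min) exceeds the budget; at 1.5 it fits.
    for t in (1.0, 1.5):
        print(t, triage(SAMPLE_ALERTS, SAMPLE_COUNTS, ANALYST_TRIAGE_MINUTES, t))
```

When the load does not fit, the article's options apply: automate verification for the overflow, raise the threshold and explicitly accept the residual risk, or add capacity.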
Building Threat Models Around Human Constraints
Start with concrete situations instead of abstract risk matrices. Map the daily workflows of the people who must live inside your controls. A finance team that processes vendor payments faces different time pressures than an engineering team maintaining production systems. Their threat models should differ in granularity and cadence.
Key questions to ask during model construction:
- What is the realistic dwell time an adversary needs to achieve their goal in this environment?
- How many distinct security decisions does a typical user make per day, and at what cognitive cost?
- Which controls can run silently with automated verification, and which truly need human oversight?
- What evidence would actually surface if the modeled threat occurred?
These questions surface assumptions that generic frameworks often hide. They also reveal when a control is disproportionate. Requiring monthly password changes across thousands of accounts, for example, creates more support tickets and user frustration than meaningful protection once modern authentication is in place.
Identity Hardening Without Endless Friction
Password-only trust has collapsed under the weight of credential stuffing and phishing. Yet replacing it with layers of MFA that demand constant user interaction creates its own problems. Why Password-Only Trust Is Collapsing: Identity, Credentials, and Hardening outlines how phishing resistance must balance with usability.
Proportionate approaches favor passkeys or hardware-backed credentials for high-risk accounts while allowing fast, low-friction paths for routine access. The model respects that most user time should go to their primary job, not security theater. Teams should verify defaults rather than assume every account needs enterprise-grade hardening.
Incident Readiness That Fits Real Timelines
Incident response plans often assume perfect recall and unlimited bandwidth during a crisis. Realistic planning accounts for the fact that responders will be tired, context-switching, and working with incomplete information. Proportionate security builds playbooks that fit the actual time available in the first hours of detection.
This means prioritizing observables that can be checked quickly. It also means designing backup and restore paths that do not require heroic effort. Cloud Backup and Restore Paths Under Realistic Ransomware Pressure shows how many organizations discover too late that their recovery time objective was aspirational rather than tested.
Preparation should include dry runs that measure actual human time consumed. If restoring a critical system takes longer than the business can tolerate, the threat model must adjust. Either accept longer outages or invest in faster paths. Pretending otherwise wastes planning time.
Privacy-Aware Controls and Data Stewardship
Security and privacy are not opposing forces when modeled proportionately. Data minimization reduces both attack surface and compliance overhead. Teams that collect only what they need spend less time securing, auditing, and deleting excess information.
Privacy Engineering: Data Minimization That Teams Can Actually Ship demonstrates practical patterns that engineering teams can adopt without slowing velocity. The same principle applies to threat modeling. When you treat personal data as a liability with its own time cost, retention policies become shorter and access controls tighter by default.
This mindset also limits insider risk. Fewer people with broad access means fewer accounts to monitor and fewer opportunities for negligence or intent to cause damage. Insider Risk: Intent, Negligence, and Broken Incentive Design highlights how incentive structures often undermine technical controls.
AI and Automation Limits in Proportionate Security
Automation can absorb large volumes of repetitive work, but it cannot replace human judgment in ambiguous cases. Over-reliance on AI-generated alerts without calibration creates new forms of fatigue. Models that classify every anomaly as high severity simply move the triage burden rather than reduce it.
Proportionate security treats automation as a time multiplier, not a replacement for reasoning. Use it to filter noise and surface candidates for review. Reserve human time for decisions that involve context, tradeoffs, or novel tactics. This requires continuous tuning of detection thresholds based on actual incident outcomes, not vendor benchmarks.
Similar caution applies to AI-assisted social engineering. Phishing and Social Engineering at Scale in the AI Tooling Era describes how attackers now generate convincing lures at volume. Defenders must therefore focus limited training time on recognition patterns that survive synthetic variation rather than generic rules.
Supply Chain and Vendor Posture in Realistic Models
Modern systems depend on dozens of external services. Threat models that attempt to secure every dependency equally become unmanageable. Instead, rank vendors by criticality to core operations and by the time required to switch or mitigate them.
Contract language, shared responsibility matrices, and periodic validation exercises should scale with risk. Low-impact SaaS tools need lighter review than core identity providers. This respects the finite hours available in security and procurement teams. Software Updates as Supply Chain Risk: When Fixes Become Vectors illustrates how even trusted update mechanisms can introduce disproportionate effort when not segmented.
Grounded Recommendations for Teams and Individuals
Proportionate security is iterative. Begin by documenting the actual time spent on current controls. Measure response times during exercises. Survey users on friction points. These data points reveal where models have drifted from reality.
Required actions include:
- Rank assets and workflows by both impact and the human time needed to protect them.
- Design controls that default to silent operation with exceptions routed to humans only when necessary.
- Test recovery paths end-to-end, measuring calendar time and staff hours consumed.
- Review policies quarterly for accumulated complexity that no longer matches current threats.
- Accept some residual risk explicitly rather than promising perfect prevention.
Executives should ask their security leads not for the latest tool but for evidence that current controls fit within realistic human capacity. Engineers should push back on requirements that consume attention without commensurate risk reduction.
At the individual level the same logic applies. Choose device hardening steps that fit your daily routine. Use password managers and hardware keys where they save time overall rather than add steps. Back up important data in ways that require minimal ongoing effort. These choices compound into sustainable privacy-aware security.
Uncertainty and Continuous Adjustment
No threat model is permanent. Adversary capabilities, business priorities, and staff bandwidth all shift. Proportionate security therefore includes regular recalibration. What felt reasonable last year may now consume too many hours or leave new gaps.
This humility is central. We cannot eliminate every risk, nor should we pretend that exhaustive controls are feasible. The professional practice is to make defensible choices, document assumptions, and revisit them when conditions change.
Puru Pokharel advises teams to treat security as stewardship of limited resources, chief among them human attention and time. When threat models start from that constraint they become more honest, more maintainable, and ultimately more effective against the threats that matter most.