Information security has a central concept called the attack surface: the sum of the points where an unauthorised person could try to get in. Reduce the attack surface and you reduce the ways you can be reached. It is one of the few ideas in the field that almost everyone agrees on.
It is also not new. Criminologists have spent nearly fifty years studying the same phenomenon under older names: exposure, target suitability, capable guardianship. They were studying burglary, stalking, and fraud, not networks. They arrived at the same structure anyway.
That is the part worth sitting with. Two fields that did not cite each other, working decades apart on completely different problems, built the same model of why some people and things are victimised more than others. When separate disciplines converge on the same structure independently, it is usually because the structure is real. And this one comes with a practical edge that most security advice lacks: it tells you which variables you can actually move.
The same structure, described twice
In 1979 the sociologists Lawrence Cohen and Marcus Felson published Routine Activity Theory. Their claim was almost mechanical: a predatory crime requires three things to converge in time and space — a motivated offender, a suitable target, and the absence of a capable guardian. Remove any one and the crime becomes less likely. They were explaining why crime rose in post-war America as daily life moved out of the home and left targets less guarded.
Set that beside how a security engineer describes a breach: a threat actor, a valuable or vulnerable asset, and inadequate controls. It is the same three-body problem. Offender and threat actor. Suitable target and exposed asset. Capable guardian and security control. The vocabulary changed; the model did not. How that logic decides who actually ends up selected as a target, and why it is rarely personal, is a question we take up separately.
Cohen and Felson went further and specified what made a target suitable. They called it VIVA: Value, Inertia, Visibility, and Access. Value is the desirability of the target. Visibility is how easily it is found. Access is how easily it is reached and left. Inertia is everything that resists removal: weight, size, locks, resistance. A heavy safe in a watched lobby is low-suitability not because it lacks value but because its inertia and guardianship are high. Security people rebuilt this too, under "asset value," "exposure," and "reachability." They were re-deriving a 1979 acronym.
The re-derivation is easy to reproduce. Try to compress the principle into a rule of thumb and the natural form is: likelihood rises with visibility, accessibility, and value. That is three of VIVA's four terms, rebuilt without reference to the 1979 paper at all. The convergence is not a historical curiosity. It is what the idea does to anyone who works the problem through.
Laid side by side, the two vocabularies line up term for term. The top three are the elements of a crime; the bottom four are what Cohen and Felson called target suitability.
| Criminology (1979) | Cybersecurity (2003–) |
|---|---|
| Motivated offender | Threat actor |
| Suitable target | Asset |
| Capable guardian | Controls & detection |
| Value | Value |
| Visibility | Visibility |
| Access | Accessibility |
| Inertia | Near zero — the asset is information, which is weightless and infinitely copyable |
Why digital data has almost no inertia
The fourth VIVA term is the one that explains why digital exposure is uniquely dangerous, and it is the term security borrowed least carefully.
Inertia is what physical security has always quietly relied on. Cash is heavy. A building has walls and locks. A filing cabinet resists being carried out of the office. Most of the protection around physical targets is not active defence; it is the simple fact that the target is hard to move. Raise the effort required and you lower the suitability, even if value and visibility stay high.
Digital data has almost no inertia. It is weightless, copies perfectly, and can be removed at scale from a great distance by someone who never enters a room. The term that did most of the protecting in the physical world drops close to zero online. What remains of target suitability is Value, Visibility, and Access. Two of those three are precisely what a digital footprint controls. The 1979 model, applied to a person's online presence, predicts that the variables left in play are exactly the ones exposure governs. That is not a metaphor stretched to fit. It is the theory running on a target type its authors never imagined, and still describing the situation correctly.
2003: when "attack surface" and crime science converged
The convergence even has a date.
In 2003, Michael Howard at Microsoft introduced the phrase "attack surface" in a magazine article, arguing that security should be measured not by counting bugs but by the opportunities a system exposes. Carnegie Mellon researchers formalised it into a measurable metric over the next few years. This is the birth of the term that now organises an entire industry.
The same year, 2003, the criminologists Graeme Newman and Ronald Clarke published Superhighway Robbery, applying situational crime prevention — the discipline of reducing criminal opportunity by modifying the environment — directly to e-commerce crime. They treated information itself as the target and worked through where opportunity concentrated and how to remove it. Situational crime prevention was not new in 2003 either; Clarke had been building it since around 1980, two decades before "attack surface" had a name.
Two books, one field coming from network engineering and the other from fifty years of studying theft and stalking, published in the same year, describing the same move: reduce the exposed opportunity. Neither cited the other. One discipline named the surface; the other had already spent a generation studying how to shrink it.
More exposure, more victimisation — the evidence
A model is only as good as what it predicts. Both the criminological and the security version predict the same gradient: more exposure, more victimisation. Across domain after domain, measured by researchers who were not coordinating, the gradient appears.
Identity theft. A study in Preventive Medicine Reports tested lifestyle-routine-activity theory against two combined waves of the U.S. National Crime Victimization Survey's Identity Theft Supplement: 128,419 people. The exposure side held. People who shopped online daily were more than five times as likely to suffer existing-account identity theft as those who never shopped online; weekly shoppers, three and a half times. The same study measured the other direction. Each additional routine protective behaviour a person adopted, such as changing passwords, checking credit reports, or monitoring statements, was associated with a 25 to 35 percent reduction in the odds of victimisation. Exposure raised risk; deliberate reduction lowered it. Both directions of the same relationship, in one large dataset.
The executive targeting myth. The corporate version of exposure is widely misread. The assumption is that attackers go after the most senior people. Proofpoint's analysis of who actually receives targeted attacks found that the most attacked people in an organisation are often not the top executives at all. They are the people with useful access or high visibility: the assistant to a chief executive, the person who authorises payments, the staff in public relations or investor relations whose names sit on the company's own website. These individuals can be attacked many times more than the average employee. Targeting follows exposure and access, not title. VIVA, in a corporate inbox.
Stalking and public figures. Research on stalkers and their victims describes why public figures are so heavily represented: high visibility, abundant public information, parasocial familiarity, and easy identification. Raw prevalence figures for celebrities have to be read with care, because the studies often draw on protection-service files rather than the general population, but the mechanism is not in dispute. And the most exposed people respond exactly as the model says they should. They retain protective security, remove their home address from public listings, and scrub the records that place them in time and space. They are reducing visibility and access on a target whose value they cannot lower. They are managing attack surface; most would not use the phrase.
Email and phone. The cleanest natural experiment is the spam trap: an address posted publicly accumulates phishing and abuse at a scale a private address never sees, having changed nothing but its visibility. Phone numbers follow the same rule. A published, active number attracts more unwanted contact than an unpublished one, and an answered number tends to attract more over time, because reachable, confirmed-active targets are exactly what high-volume operations reuse. Exposure is not a single event of being found. It is being added to the lists that get worked again and again.
Guardianship: the term security under-uses
One element of the older model is richer than its security translation, and it points to where the practical work sits.
Criminology's "capable guardian" is broader than "control." A guardian need not be a guard. It is any presence that makes a target less suitable: a neighbour at the window, a lit street, a dog, a credit alert, someone who would notice. Felson's insight was that most guardianship in everyday life is informal and ambient, not professional. Security tends to translate guardianship as walls and software, and loses the part that matters most for an individual: watchfulness. Knowing what is exposed, and noticing when it changes, is itself a form of guardianship, the kind that does not require a fortress, only attention. It is also, not coincidentally, the function a firm like ours performs: not a one-time wall, but an ongoing eye on a surface that keeps shifting as data is published, leaked, and re-listed.
Reduce your attack surface: what you can actually move
Because two independent disciplines agree, and because the victimisation data confirms the gradient, the practical conclusion is not a leap. It is the move both fields prescribe: reduce target suitability.
You usually cannot change Value. You are who you are, you hold the role you hold, you have the assets you have. Inertia, the term that protected physical targets, has all but vanished online. That leaves Visibility and Access: how findable you are, and how many open channels reach you. Those are not fixed. They are the product of what is published, listed, leaked, and left in place. They are the two terms a person can actually move.
We are careful about what this proves. Most of the gradient evidence is correlational; it establishes that exposure tracks victimisation, not that removing an established footprint guarantees a lower outcome for one specific person. But the intervention evidence points the same way. Each additional protective behaviour cut victimisation odds by a quarter to a third. Studies of data-broker removal show that exposure on people-search platforms can be reduced, though partially and unevenly: manual work outperforms automated services, and re-listing means the job is never quite finished. Put the gradient and the intervention evidence together and the honest conclusion is not "remove your data and you are safe." It is narrower and sturdier: reducing visibility and access moves you down a risk gradient that two separate fields spent decades establishing, partially and never to zero. You can't be unattackable; you can be less likely and less rewarding. Against activity that selects on exposure rather than on persons, that is most of the protection there is.
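The watchfulness that the guardianship section describes, and the re-listing problem above, can be made concrete as a change tracker over repeated snapshots of a person's footprint. This is an added example, not the article's code and not the firm's tooling: the source names and the three snapshots are constructed, and tagging each item as feeding "visibility" or "access" is an assumed mapping of the VIVA terms onto footprint records. The point it shows is that a successful removal is a state, not an outcome, so an item that was taken down and reappears is reported as relisted rather than merely new.

```python
"""Exposure-footprint change tracking across repeated snapshots.

Added example (not the firm's tooling and not code from the article). Each
snapshot is a constructed record of what was discoverable about one person on
a given date. Every item is tagged with the VIVA term it feeds: "visibility"
for records that make the person findable, "access" for open channels that
reach them. Source names are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Exposure:
    source: str      # where the item was found (hypothetical names below)
    item: str        # what was exposed, e.g. "home address"
    dimension: str   # "visibility" or "access"


@dataclass
class SnapshotReport:
    date: str
    new: Set[Exposure]        # never seen in any earlier snapshot
    removed: Set[Exposure]    # present last time, gone now
    relisted: Set[Exposure]   # removed earlier, back again
    visibility: int           # findability records currently exposed
    access: int               # open channels currently exposed


def diff_snapshots(snapshots: List[Tuple[str, Set[Exposure]]]) -> List[SnapshotReport]:
    """Walk the snapshots in date order and report what changed at each step.

    Anything that was removed in an earlier snapshot and is present again is
    singled out as relisted; everything else that appears is genuinely new.
    """
    reports: List[SnapshotReport] = []
    previous: Set[Exposure] = set()
    ever_removed: Set[Exposure] = set()
    for date, current in snapshots:
        appeared = current - previous
        removed = previous - current
        relisted = appeared & ever_removed   # check before recording new removals
        ever_removed |= removed
        reports.append(SnapshotReport(
            date=date,
            new=appeared - relisted,
            removed=removed,
            relisted=relisted,
            visibility=sum(1 for e in current if e.dimension == "visibility"),
            access=sum(1 for e in current if e.dimension == "access"),
        ))
        previous = current
    return reports


def never_cleared(snapshots: List[Tuple[str, Set[Exposure]]]) -> Set[Exposure]:
    """Items present in every snapshot: exposure that no removal has touched."""
    if not snapshots:
        return set()
    persistent = set(snapshots[0][1])
    for _, current in snapshots[1:]:
        persistent &= current
    return persistent


# Constructed sample data: three snapshots of one person's footprint.
ADDRESS = Exposure("people-search-site-A", "home address", "visibility")
WORK_EMAIL = Exposure("company-website", "work email", "access")
PHONE = Exposure("online-directory", "mobile number", "access")
BREACH_EMAIL = Exposure("breach-dump", "personal email", "access")

SAMPLE_SNAPSHOTS = [
    ("2024-01", {ADDRESS, WORK_EMAIL, PHONE}),
    ("2024-03", {WORK_EMAIL, PHONE}),                          # address opt-out succeeded
    ("2024-06", {ADDRESS, WORK_EMAIL, PHONE, BREACH_EMAIL}),   # address relisted, one new channel
]

if __name__ == "__main__":
    for r in diff_snapshots(SAMPLE_SNAPSHOTS):
        print(f"{r.date}: visibility={r.visibility} access={r.access} "
              f"new={sorted(e.item for e in r.new)} "
              f"removed={sorted(e.item for e in r.removed)} "
              f"relisted={sorted(e.item for e in r.relisted)}")
    print("never cleared:", sorted(e.item for e in never_cleared(SAMPLE_SNAPSHOTS)))
```

Run as a script it prints one line per snapshot; in the sample the June snapshot shows the address back as relisted, a new access channel from a breach dump, and two items that no removal has ever touched. The visibility and access counts are the two VIVA terms the article says a person can move, tracked over time rather than measured once.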
Reducing your attack surface starts with seeing it accurately. The Mirror maps what is genuinely discoverable about you; the Shield models what an adversary could assemble from it and reduces what can be reduced.
The oldest principle, the newest surface
The people most exposed to serious harm already act on all of this, and have for as long as protective security has existed. They do not delist their home address because it is tidy. They do it because exposure raises the probability of an incident they cannot afford, and lowering that probability is the whole job.
The principle scales down to anyone. Knowing what is discoverable about you, reducing what can be reduced, and anticipating where the open channels are is not paranoia and not a modern invention. It is the oldest finding in the study of who becomes a victim. "Attack surface" is simply its most recent translation, and the work of shrinking it was understood long before it had that name.
Sources
- Cohen, L. & Felson, M. (1979). Social Change and Crime Rate Trends: A Routine Activity Approach. American Sociological Review 44(4):588–608. Introduces VIVA: Value, Inertia, Visibility, Access.
- Hindelang, M., Gottfredson, M. & Garofalo, J. (1978). Victims of Personal Crime. The foundation of Lifestyle Exposure Theory.
- Clarke, R. V. (from c.1980). Situational Crime Prevention. ASU Center for Problem-Oriented Policing.
- Newman, G. & Clarke, R. (2003). Superhighway Robbery: Preventing E-commerce Crime. Willan Publishing.
- Manadhata, P. & Wing, J. Measuring a System's Attack Surface. Carnegie Mellon, formalising the term Michael Howard introduced at Microsoft in 2003.
- Burnes, D., DeLiema, M. & Langton, L. (2020). Risk and protective factors of identity theft victimization in the United States. Preventive Medicine Reports 17:101058. NCVS-ITS, N=128,419.
- Stalking risks to celebrities and public figures (2017). BJPsych Advances. See also Mullen, P., Pathé, M. & Purcell, R. (2000), Stalkers and Their Victims, Cambridge University Press.
- Proofpoint. Very Attacked People: the most targeted are often not executives.
- Consumer Reports (2024), Data Defense (manual removal outperformed automated services); PoPETs 2025 (measured data-broker removal efficacy).