Prerequisites for Attacking an Information System

In order for an attack on an information system to succeed, an attacker must possess three specific things: (1) method, (2) opportunity, and (3) motive. One useful way of remembering these prerequisites is through the acronym MOM (Method, Opportunity, and Motive). In the context of conducting attacks on information systems, method refers to the skills, knowledge, tools, experience, and so forth that an attacker must have in order for an attack to be realistically attempted. Opportunity, by contrast, refers to the time and the necessary access that are required in order for an attacker to attempt an attack on an information system. Finally, motive simply refers to the purpose for conducting an attack or the reason for which an attacker desires to carry out an attack.

From an information security perspective, it is critical that security personnel understand these three prerequisites for conducting attacks on information systems. If any of these three prerequisites can be eliminated -- that is, if we are able to effectively remove or disrupt an attacker’s method, opportunity, or motive -- then the attack will not succeed. If efforts aimed at defending against attacks on information infrastructure or protecting information assets are to have the best chance possible of succeeding, those efforts should therefore target one or more of these three prerequisites.