Cost of Attack
Indifference to detection
Time to corrective action
Any one can reduce the requirements for any of the others; there are enough of these in the world to break any system.
Notes:
Any successful attack requires some combination of these factors. An excess of one may reduce the requirements for any of the others. Protective measures reduce what is available to the attacker or raise the requirements.
For example, in one attack (by an outside auditor) against one of our clients, success involved work to discover numbers answered by modems and pcAnywhere (special knowledge), and access to LANs via pcAnywhere on workstations. More work produced special knowledge about passwords on LAN servers. The attack was discovered when they triggered alarms, i.e., ran out of elapsed time.