Diminishing Returns on Mitigations

So now that I have the DBIR Attack Graph, I wanted to test something out.  How does the shortest attack path from start to end change when you mitigate things in the graph?  The short answer is, it plateaus quickly, probably due to there always being a direct connection to some attribute from some action.  Ultimately, that means that you need to pick the attributes you're protecting, not try and stop everything.  Check out the full analysis in this blog post on the Verizon Security Blog.