3 Events

In the days before computers, adversaries used physical measures to attack targets. In the physical realm, targets defend not just against crime and war, but also against natural disasters. Understanding the foundations of our response to physical threat events makes it easier to understand the evolution of cybersecurity event response. For example, lightning is a significant threat, but it only causes harm if it actually makes contact, so there are physical methods to prevent that contact from occurring. The lightning rod in Figure 3.1 is one such method. However, lightning rods do not always work. If lightning bypasses the rod and a fire starts, then the target can at least detect that a fire has started. A fire alarm is one such detection method. Perhaps the community also has a fire station that detects the smoke and alerts the fire department. These capabilities provide information that the fire is occurring. Of course, the building is still burning, so just detecting the smoke and knowing there is a fire does not actually help us thwart the lightning. So the target also needs some kind of mechanism with which to respond to the fire alarms. Figure 3.1 includes all three elements of the prevent, detect, respond triad. Unfortunately, regardless of how soon a lightning fire is caught, it is very likely that the fire will cause damage. For a physical security incident, the best that can be done is to try to prevent; if you cannot prevent, at least detect; and once detected, ...

Get Stepping Through Cybersecurity Risk Management now with the O’Reilly learning platform.
