Most of us in the security profession have heard the term “security through obscurity”—the flawed model that assumes systems are safe just because they’re secret. But what about its lesser-known cousin, “security by anonymity”? Maybe we don’t like talking about it because it’s the proverbial elephant in the room. I may be a security heretic for saying so, but I think it’s actually the most common security strategy for the average person.
At the risk of mixing my metaphors, the typical individual lives life as a security zebra. They aren’t fierce. They don’t have an in-depth battle strategy. Instead, they rely on one simple idea: don’t get singled out! This is security by anonymity.
As security professionals, we know better, don’t we? It’s only a matter of time before a casual observer stumbles across a get-rich-quick opportunity thanks to someone’s false sense of security. And we also know to be naturally wary of others—even those on the inside. Trust no one!
So yes, security by anonymity is a flawed model. And? Most people just shrug. The security mindset says, “What about opportunistic hackers?” Sure, like thieves checking car doors in a parking lot. Except that assumes three things: A) we have a car with anything worth stealing, B) there are thieves, and C) we’re in a parking lot where there are higher odds of finding an unlocked door. “It’s a false sense of security!” Have you read the news lately? Even the Fort Knoxes of the world still seem to be getting popped. So does it really matter? “So what happens when you get discovered?” Discovered? Who’s out there looking for me, Netflix password bandits? “And what about internal threats?” Please. Everyone knows everyone else, and we trust each other for that matter.
Why should the typical user take our advice? Honestly, we don’t make it easy. As a profession, we’ve built our reputation on shaming mistakes and spotlighting failures. To some, the only difference between a security vendor and an advanced persistent threat (APT) is legality—both profit when you’re vulnerable. Ambulance-chasing after every breach hasn’t exactly earned us any trust either.
So what do we do about security by anonymity? One of cybersecurity’s greatest challenges isn’t quantum computing. It isn’t password encryption. It isn’t even AI. It’s this: communicating security’s value in a way that brings trust and clarity. This leads me to the following conclusions.
The best security solutions are simple solutions. Realizing that most people’s default is security by anonymity puts into perspective the uphill climb to implement true security. The simpler the solution, the smoother the adoption process will go. Even in more layered approaches, modular simple solutions outperform complex systems. Complexity is the enemy of security.
Know your audience. While we can lament, for example, that SMS or 2FA authentication apps are less secure than passkeys, either “inferior” solution far surpasses no multi-factor authentication at all. Don’t let the best be the enemy of the good!
Don’t take yourself so seriously. Seriously, don’t! 🤪 A little self-deprecating humor with a healthy dose of humility goes a long way. You don’t have to have all the answers. Security isn’t about being perfect—it’s about being approachable and practical.
“Security by anonymity” isn’t a real defense—it’s a rationalization people use to avoid thinking about risk. Our job isn’t just to roll our eyes and move on but to dismantle the excuse and replace it with something simple, accessible, and effective. Complexity isn’t strength, shame isn’t motivation, and fear isn’t good persuasion. If we want people to actually care, we need to show them security can be practical, approachable, and worth their while.