As I get older and (hopefully) wiser it has become ever more apparent that all the issues and risks we face arise from a small number of basic “forces”. These manifest in different ways in different contexts - strip away the detail and most issues usually stem from one of these. I don’t claim originality here - some have been said and used by others before me. I’m also not convinced this list is actually complete.
Information wants to be free. Data leaks unless managed, access degrades w/o rules, information is ethereal. In the broader context of the term, from Stewart Brand: “Information wants to be free. Information wants to be expensive....that tension will not go away”.
Code wants to be wrong. Bugs are inevitable (in all their forms - requirements, design, implementation), some bugs are security vulnerabilities, exploitable bugs can become realized risk. I first heard this from @bobblakley I think.
Services want to be on. Attack surface grows, risk is proportional to attack surface, unknown services are never checked. There’s a - Murphy’esque - corollary of this which is “Services want to be on, unless you really want them to be on and then they often fail.”
Entropy is king. Unchecked controls degrade with time, untested resilience fades with time, constant counterbalance is needed. Everything degrades unless countered with a force to keep it in place.
Complex systems break in unpredictable ways. Simple systems that work may still collectively fail when composed together - and will often do that in unpredictable and volatile ways.
People and organizations respond to incentives - but not always the ones we think are rational. The macro/micro economics of InfoSec are important to align incentives to reduce the right risks with the right priorities with factors like opportunity and productivity cost.
Bottom line: new issues and risks surface all the time. The more we can resolve those to some basic forces, and counter (or use) those forces - the less likely we will be surprised by those new issues.