The famous proverb “Knowledge is power” is attributed (probably wrongly) to Sir Francis Bacon, one of the founding fathers of modern science. Usually taken to refer to the contribution of science to the progress of human well-being in modern times, it is often criticized on the grounds that it takes action, and not just knowledge, to achieve progress.
The world of information security presents a similar dilemma. In my previous post, “black cat, white cat”, I divided the world of security controls into blacklisting tools, which detect and prevent attacks, and whitelisting tools, which enforce policies. However, this is not the only categorization one can make of security tools: an orthogonal categorization would be between passive controls, the “knowledge”, and active controls, the “action”. Is knowledge power? Are passive controls, which provide us with information but do not take an action, effective?