Your Attacker Already Knows Which Box You Picked
There is a thought experiment that has been quietly breaking philosophers' brains since the 1960s. I am going to use it to explain why your current approach to cybersecurity is probably already broken. Bear with me. I promise this is going somewhere useful.
It is called Newcomb's Paradox. Here is how it works.
The Setup
A predictor with a near-perfect track record places money in two boxes. Box A always contains £1,000. Box B contains £1,000,000, but only if the predictor judged, in advance, that you would take just Box B. If the predictor believed you would grab both, Box B is empty.
The decision is already made before you walk in the room. The boxes are sealed. Nothing you do in the moment changes what is inside them.
So: do you take one box or two?
The "rational" argument says take both. The money is already set. You cannot change it. Grabbing both guarantees you at least the £1,000, and potentially the million on top. Pure two-box logic. It is the kind of argument that sounds completely airtight in a seminar room.
Except. People who follow that logic almost always walk away with £1,000.
People who commit to taking just Box B almost always walk away with a million.
The predictor, it turns out, is very good at identifying the kind of person who will grab both boxes. And they act accordingly, in advance. The two-boxer's logic is impeccable. Their result is terrible. That is not a coincidence.
The paradox has divided philosophers for sixty years. Evidential decision theorists say take one box: the contents correlate with your character, so choosing one box is evidence that you are the type of person the predictor filled it for. Causal decision theorists say take both: your choice now cannot causally affect a decision already made.
I am not here to settle that argument. I am here to tell you it does not matter for our purposes. Because in the real world of cybersecurity, the predictor does not wait for your choice. They have already moved on to someone else.
"If you want the full philosophical treatment before we get to the security angle, Veritasium's recent deep-dive is worth 30 minutes of your time."
Your Threat Actor Is a Predictor
Here is where this stops being philosophy and starts being your problem.
Before a serious threat actor targets a business, they study it. This is not a quick look. Sophisticated actors conduct structured reconnaissance campaigns that can run for days before a single malicious packet is sent to your network.
They scan your internet-facing systems for exposed services: open RDP ports, unpatched VPN appliances, publicly accessible admin interfaces. They check whether your staff email addresses appear in breach databases, because if your finance director's credentials were leaked in a 2022 data breach and they have not changed their password, that is a key that already works. They examine your SSL certificates and DNS records for infrastructure clues. They look at whether your domain has SPF, DKIM, and DMARC records configured, because if it does not, impersonating you in a phishing campaign is trivially easy. They look at your Companies House filings to identify directors, their roles, and the scale of your operation. They look at LinkedIn to understand your headcount, your tech stack, and who your suppliers are.
This is not speculation. MITRE ATT&CK documents reconnaissance as Tactic TA0043, the first phase of nearly every structured attack, with specific techniques covering active scanning, gathering victim identity information, gathering victim network information, and searching open technical databases. Threat actors complete this work before you have any idea they exist.
By the time they decide whether to target you, the decision is effectively made.
They have looked at your boxes.
If what they see is an organisation that has done the minimum, ticked the compliance boxes, and considers security a cost to be minimised, they know. You are the two-boxer. Box B is empty before you ever get to choose.
According to Mandiant's M-Trends 2025 report, the global median dwell time in 2024 was 11 days. In the EMEA region, which includes the UK, it was 27 days. That means in many cases, an attacker is already inside your environment for weeks before you have any idea. The reconnaissance happened even earlier than that, before the intrusion began.
More concerning: 57% of organisations first learned about a 2024 compromise from an external source. Not from their own monitoring. From law enforcement, from a cybersecurity firm, or from the attacker themselves via a ransom note.
They knew before you did. They always do.
The Reconnaissance Economy
I want to be specific about what modern reconnaissance actually involves, because too many people imagine it as a lone individual typing furiously in a dark room. That is not how it works in 2026.
Credential markets are industrialised. Infostealer malware harvests usernames, passwords, and session tokens from infected machines and sells them in bulk on criminal marketplaces. Mandiant's M-Trends 2025 report found that stolen credentials featured in 16% of intrusions in 2024, up from 10% in 2023. That is not because attackers got more creative. It is because the supply of stolen credentials expanded, and buying access is faster and cheaper than finding a zero-day vulnerability.
What does this mean in practice? It means that before a threat actor ever looks at your firewall, they may have already checked whether any of your staff credentials are available for purchase. If they are, the reconnaissance is effectively complete. Your security posture did not even get a chance to deter them.
This is the part that genuinely makes my blood pressure rise when I hear "we are too small to be targeted." You are not being targeted. You are being assessed as part of a bulk operation across thousands of businesses. Automated tools scan, score, and rank potential victims by ease of access and likely value. You do not get a threat actor's personal attention until after the automated assessment has already flagged you as viable.
The predictor is not a single genius sitting in a basement hand-picking victims. The predictor is a pipeline. It runs continuously. It does not care about your size. It cares about your exposure. And your two-box posture feeds into it perfectly.
There is also the matter of what happens when the automated assessment finds something interesting. Initial access brokers, a well-documented category of criminal actor, specialise in obtaining access to organisations and selling that access to others. Your compromised credentials or exposed service does not just attract one threat actor. It gets listed. It gets auctioned. The predictor's decision about what your box contains gets shared across an entire market.
By the time you have any idea, the decision about your box has been made, sold, and potentially resold.
The Two-Boxer Trap in Security
I have been doing this for over 40 years. The single most common thing I hear from small business owners when they eventually call me after an incident is some variation of: "We thought we were too small to be a target."
That is two-box thinking. It feels rational. Why spend money on security you might not need? Why go beyond what the insurance policy or compliance framework requires? The money is already in the boxes either way, right?
Except the predictor has already been through your LinkedIn page, your MX records, and your domain configuration. They assessed you. They made their call. And if your posture said "minimum viable compliance," you got the thousand quid. Or rather, you got the ransom demand, the ICO notification, the customer churn, and the legal bill.
Compliance theatre is the ultimate two-box strategy. You follow the checklist. You pay for the certificate. You tell your insurers you are covered. And you genuinely believe you have protected yourself. But the predictor does not look at your certificate. They look at your actual configuration.
Let me be precise about what that means. A business can hold a valid Cyber Essentials certificate and still have staff using personal email accounts for work. It can have MFA enabled on its Microsoft 365 tenant but not enforced, so staff simply dismiss the prompt when they find it inconvenient. It can have a patch management policy documented and approved by the board while running software that has not been updated since the last annual assessment. The certificate exists. The controls do not.
The automated scanner doing your attacker's reconnaissance does not check IASME's certification database. It checks your actual exposed services, your actual email authentication records, your actual credential exposure in breach databases. The gap between the certificate and the configuration is exactly the gap the attack goes through.
Cyber Essentials without genuine implementation is two-box thinking with paperwork.
I am not saying certification is worthless. Properly implemented, it genuinely addresses the most common attack vectors and closes the doors that most automated attacks try first. But passing the assessment is not the same as being protected. One is a document. The other is a configuration. The predictor only reads one of them.
The MSP Question Nobody Is Asking
Here is a dimension of this that gets far too little attention.
Your managed service provider, if you have one, is also a signal.
Threat actors increasingly target MSPs as a route to their clients rather than attacking each client individually. The logic is simple: compromise the MSP and you have potential access to dozens or hundreds of client environments simultaneously. If your MSP has weak controls, you inherit their exposure. If your MSP cannot tell you what their security posture looks like, or responds to the question with vague reassurances rather than specific evidence, that tells the reconnaissance pipeline something very specific about what your environment probably looks like inside.
The NCSC has published explicit supply chain security guidance precisely because this attack route is well-established and consistently exploited. We have seen it at scale with Kaseya in 2021. We have seen it with smaller, UK-focused MSPs compromised as entry points to their SMB client base.
When a threat actor is assessing whether to target your business, they are assessing your entire attack surface. That includes who manages your infrastructure, what tools they use to do it, and how well they have secured their own systems. Your individual security decisions become partially irrelevant if your MSP is running unpatched remote management tooling or has not implemented MFA on their own management consoles.
This is another form of the two-box problem. You can do everything correctly in your own environment and still be compromised because you chose your MSP based on price rather than posture. You made a locally rational decision. The predictor assessed globally. The box was already empty.
Ask your MSP these specific questions. Do they hold Cyber Essentials Plus? What MFA controls do they operate on their management platforms? How do they manage privileged access to client environments? If they cannot answer those questions concretely, you already have your answer about what the reconnaissance pipeline sees when it looks at them.
What One-Box Thinking Looks Like
The philosopher's genuine insight in Newcomb's Paradox is not about any single decision. It is about the kind of actor you are. The predictor is assessing your character, your disposition, your pattern of behaviour, not your choice in a single moment.
Genuine security posture works the same way.
When a threat actor scans your infrastructure and finds MFA properly enforced on every account, email authentication controls fully configured, software patched consistently within the vendor's recommended window, no unnecessary services exposed to the internet, and credential monitoring active, they are not just seeing individual good decisions. They are reading your character as an organisation. They are seeing that you are the type of business that takes this seriously. The automated assessment scores you accordingly and, in many cases, you get deprioritised in favour of a softer target nearby.
That is a deterrent. Not a guarantee, but a significant and measurable one. Hard targets get skipped. Not because criminals are noble, but because their time has value and easier targets exist.
One-box businesses do the following:
- Implement Cyber Essentials and actually configure it properly, then verify the configuration independently rather than simply passing the assessment
- Enforce MFA on every account that touches customer data, financial systems, or email, with no opt-out and no exceptions for senior staff who find it inconvenient
- Keep software patched because they understand why: patches close the specific vulnerabilities that appear in exploit kits within days of public disclosure
- Brief their staff on phishing at regular intervals, not just during induction, because social engineering remains the entry point in a substantial proportion of intrusions
- Test their backups by actually restoring from them, not just confirming that a backup job shows green in the monitoring dashboard
- Know specifically what their critical data is, where it lives, and who has access to it
- Ask their MSP directly: "What does your security posture look like, and can you show us the evidence?"
- Monitor for credential exposure using services that flag when staff email addresses appear in breach databases
None of that requires significant expenditure. Most of it is configuration and process, not procurement. All of it changes what the predictor sees when they look at you. And the sum of those changes is the difference between being assessed as a viable target and being passed over.
The Pre-Commitment Problem
The deepest version of Newcomb's Paradox is about pre-commitment. The one-boxer wins not because of any clever move in the moment, but because they have already committed to being the kind of person who takes one box. The predictor can see that commitment. The decision is made before the game begins.
Your security posture is a pre-commitment signal.
This is why the timing of Cyber Essentials version 3.3, landing in April 2026, matters more than most businesses currently appreciate. The update tightens requirements around cloud services, home working environments, and device management: precisely the areas that expanded dramatically during and after the pandemic and have remained under-secured ever since. Cloud-hosted services, personal devices used for work, and home routers sitting between staff laptops and corporate systems are all in scope in ways the previous version did not fully address.
Businesses that get ahead of v3.3 and implement it thoroughly before the certification deadline are sending a very specific signal: we understand the threat landscape is not static, and we update our controls to match it. Businesses that scramble to pass the assessment at the last moment, make the minimum changes required, and then do nothing until the next renewal cycle are sending a completely different signal. The predictor can tell the difference, not by checking your certification date, but by checking your actual configuration.
The pre-commitment that matters is not signing a policy document or submitting an assessment form. It is building the kind of organisation where good security is the default, not the exception. Where MFA is enforced because it is standard practice, not because the insurance renewal form asked whether it was in place. Where patching happens because the IT function understands what unpatched software means for real-world exposure, not because a compliance checklist mentioned it.
That is what the one-boxer looks like to the reconnaissance pipeline. That is the character the predictor reads. And that is what shifts their assessment before the game even starts.
The paradox ultimately teaches us that rationality is not just about what you decide in the moment. It is about who you have already decided to be. In security, as in Newcomb, the time to make that decision is before you are standing in front of the boxes.
How to Turn This Into a Competitive Advantage
This is where the philosophy pays dividends in the real world.
Signal your posture visibly. Cyber Essentials certification, properly implemented and clearly displayed, tells clients and prospects that you are not a liability in their supply chain. As large organisations tighten supplier security requirements, being a demonstrable one-boxer becomes a procurement advantage, not just a defensive measure.
Use it in tender responses. If you operate in sectors that serve public bodies, NHS, local government, or large corporates, your security posture is increasingly a differentiator. Document it. Reference specific controls. Be specific about what you do, not just what certificate you hold.
Brief your clients before your competitors do. If you understand that threat actors assess targets before attacking, you can explain supply chain risk to your own clients in terms they have not heard before. That conversation positions you as a trusted adviser, not just a vendor.
Make it part of your story. "We take security seriously because our clients' data matters to us" is marketing. "We implement Cyber Essentials v3.3 controls because we understand how attackers actually work" is evidence. One sounds like everyone else. The other is distinctive.
How to Sell This to Your Board
The philosophical framing is useful for you. For your board, strip it back to the financial argument.
The cost of looking like a soft target is not theoretical. Mandiant's 2025 data shows a median dwell time of 27 days in EMEA before detection. That is 27 days of potential data exfiltration, lateral movement, and credential theft before you even know there is a problem. The cost of responding to an incident that has been running for a month is categorically different from the cost of one caught in hours.
Cyber insurance premiums are pricing in your posture. Insurers are getting better at assessing what organisations actually do rather than what they certify. Poor controls mean higher premiums, policy exclusions, or declined renewals. Basic controls demonstrably lower your cost of cover.
Director liability is not a hypothetical. The ICO has enforcement powers that can reach individual directors for systematic failures. The DSG Retail ruling at the Court of Appeal confirmed that inadequate security measures for the scale of data held is not a defensible position. The board is not insulated from that.
Key arguments for budget approval:
- Proactive security demonstrably reduces incident response costs, which run to tens of thousands of pounds minimum for even a modest breach
- Cyber Essentials v3.3 compliance is increasingly required for public sector contracts, representing a direct revenue risk if you fall behind
- Cyber insurers are tightening requirements; demonstrable controls protect renewal and premium levels
- Director accountability under GDPR and the Data Protection Act 2018 means personal exposure, not just organisational
What This Means for Your Business
Audit what the predictor sees. Use free tools like the NCSC's Cyber Action Plan and check your internet-facing footprint. If you would not want a threat actor to find it, fix it before they do.
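One concrete way to "audit what the predictor sees" is to look at your own email authentication records the way the reconnaissance pipeline described earlier does: not whether a certificate says SPF and DMARC are in place, but what the published TXT records actually permit. The script below is an added example written for this article, not code from the original post or from any vendor or scheme it mentions. It grades SPF and DMARC records the way an automated assessment would (a missing record, a `+all` or `~all` SPF, or a DMARC `p=none` all read as "soft target"), and runs on constructed sample records for made-up domains so it works offline. A real self-check would fetch the `TXT` records for `yourdomain` and `_dmarc.yourdomain` via DNS and pass them to `assess_email_auth()`. DKIM is left out deliberately, because checking it requires knowing your selector names; the scoring weights are this example's own choice, not a published standard.

```python
"""Grade a domain's SPF and DMARC records from the defender's side.

Added example, not from the original article. Sample records below are
constructed for fictional domains; a real check would fetch them via DNS.
"""
from dataclasses import dataclass, field


@dataclass
class Assessment:
    findings: list = field(default_factory=list)
    score: int = 0  # 0 (wide open) to 6 (SPF -all and DMARC p=reject)


def parse_tags(record):
    """Parse a DMARC-style 'k=v; k=v' record into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(spf):
    """Return (points, findings) for an SPF TXT record (None if absent)."""
    findings = []
    if spf is None or not spf.lower().startswith("v=spf1"):
        return 0, ["No SPF record: any server can send mail claiming to be this domain"]
    terms = spf.split()[1:]
    # The trailing 'all' mechanism decides what happens to unlisted senders.
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF has no 'all' mechanism; unlisted senders are neutral")
        return 1, findings
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "-":
        return 3, findings  # hard fail: spoofed mail should be rejected
    if qualifier == "~":
        findings.append("SPF ends in ~all (softfail): spoofed mail is flagged, not rejected")
        return 2, findings
    findings.append(f"SPF ends in {all_term}: effectively allows any sender")
    return 0, findings


def assess_dmarc(dmarc):
    """Return (points, findings) for a DMARC TXT record (None if absent)."""
    findings = []
    if dmarc is None:
        return 0, ["No DMARC record: receivers have no policy for spoofed mail"]
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return 0, ["DMARC record malformed: missing v=DMARC1"]
    policy = tags.get("p", "").lower()
    points = {"reject": 3, "quarantine": 2, "none": 0}.get(policy)
    if points is None:
        return 0, ["DMARC record has a missing or invalid p= tag"]
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of mail")
        points -= 1
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, so no visibility")
    return points, findings


def assess_email_auth(spf, dmarc):
    """Combine SPF and DMARC grades into one Assessment."""
    result = Assessment()
    for grade, record in ((assess_spf, spf), (assess_dmarc, dmarc)):
        points, findings = grade(record)
        result.score += points
        result.findings.extend(findings)
    return result


# Constructed sample records for fictional domains (not real DNS data).
SAMPLES = {
    "two-boxer.example": (None, None),
    "halfway.example": (
        "v=spf1 include:_spf.example.net ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@halfway.example",
    ),
    "one-boxer.example": (
        "v=spf1 include:_spf.example.net -all",
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@one-boxer.example",
    ),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        assessment = assess_email_auth(spf, dmarc)
        print(f"{domain}: score {assessment.score}/6")
        for finding in assessment.findings:
            print("  -", finding)
```

The point of the score is not the number itself but the gap it exposes: a domain can hold a certificate and still publish `p=none`, which is exactly the "certificate exists, control does not" case described above. Running this against your own domain before a threat actor's pipeline does is the cheapest version of one-box thinking there is.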
Implement Cyber Essentials v3.3 properly. Not to pass an assessment. To actually configure your systems the way the assessment requires. The April 2026 update tightens cloud and home working controls specifically. Get ahead of it now, not in March next year.
Brief your directors. Show them the Mandiant dwell time data. Show them the DSG Retail ruling. Make it concrete. A board that understands this is a pre-commitment decision, not a reactive one, is a board that will fund it.
Make your posture visible. Update your website, your tender submissions, your client communications. Being the kind of business that takes security seriously is only useful as a competitive signal if people can see it.
Stop doing security for the certificate. Compliance theatre is two-box thinking. The predictor is not reading your certificate. They are reading your configuration.
| Source | Article |
|---|---|
| Mandiant / Google Cloud | M-Trends 2025: Global Median Dwell Time and Detection by Source |
| Stanford Encyclopedia of Philosophy | Newcomb's Problem (Nozick, 1969 — "Newcomb's Problem and Two Principles of Choice") |
| MITRE ATT&CK | Reconnaissance Tactic (TA0043) |
| NCSC | Cyber Essentials Scheme Overview |
| DSIT | Cyber Security Breaches Survey 2024 |
| ICO | ICO Enforcement Actions and Powers |
| judiciary.uk | DSG Retail Ltd v ICO — Court of Appeal Judgment |
| NCSC | NCSC Small Business Guide: Cyber Security |
| NCSC | Supply Chain Security Guidance |
| Veritasium | Newcomb's Paradox (2026) |