Security professionals and departments seem to be making their assessments based on a theoretical probability scale to attempt to categorize threats into an algorithm which will seem logical. This process shows a complete lack of respect for the adversary liabilities and reflects that most security systems are built on the interpretation of reality and what seems most comfortable and logical to accept.
The obsession with the term deterrence shows the incapacity to understand what is deterrence and what causes deterrence on part of the adversary. An adversary will not feel deterred given the existing security systems as they invite the problem to come in, increase the motivation and require limited capabilities for success. In fact, most terrorist attacks occur because of our incapability rather than the capabilities of the adversary.
Deterrence can only occur in a state where an organization has been attacked numerous times by the same adversary and succeeded in preventing or neutralizing the attack. However, this deterrence is only limited to this specific adversary and not to other ones which see how your capabilities may be effective for some attacks rather than for others. Your capabilities will be limited and will usually be where it is most convenient for you .
Time has arrived for concrete security systems and not theoretical security systems based on assumptions, probability, frequency or likelihood. The only factor guiding us should be in the building of a security posture for events that have the greatest impact and damage. If we secure our organization against high risk impact events, then our security posture can deal with smaller events. But the opposite is not true.