1. 123456
2. password
3. 12345
4. 12345678
5. qwerty

The fact this list was compiled from password information stolen in data breaches underlines the problem: by using a simple password, users leave the door open to anyone that wants to walk in and steal their data.

But finding ever more elaborate ways to pick a password may be missing the point. Of course all routes to the digital future lead through security. But just as overbearing airport security checks can put people off flying, we may soon find that people start avoiding digital engagement. And whether that’s customers who don’t buy online any more or employees who become less satisfied and productive, there comes a point where security starts getting in the way of business.

It’s this paradox – that protecting people’s data sufficiently may stop people trusting companies with their data – that has led to a concept known as risk-based security –  one of the hot tech topics for 2015.

The first step toward better protection? Knowing nothing is safe.

The principle behind risk-based security also looks like a paradox at first glance: to improve security, you first have to realize and accept that nothing is or ever can be 100% secure. Someone will always leave their password on a sticky note next to their monitor. Someone else will use the same password for everything – and another person could leave a memory stick on a train that contains masses of personal data.

Attackers are becoming more motivated and more persistent – often using tools specifically designed and developed to get round your infrastructure. And their relentless assault is only going to get worse. With billions of connected devices in the Internet of Things, your perimeter is getting awfully big.

That is where more sophisticated risk-assessment and mitigation tools come in. Recognizing that perimeter defense – attempting to protect everything inside your network with passwords and firewalls – is  inadequate leads to applications taking a more active role in security, which in turn leads to a multi-faceted approach.

Your security must provide broad coverage across all potential categories of attack, rapidly adjust to and learn from new attack methods, and implement the intelligence back into the infrastructure after each attack.

You also have to focus on business risk. Concentrating on the threats that can do the most damage allows you to improve the effectiveness of security controls by expanding the use of automated, dynamic controls to block the most serious threats.

Designing security aware applications that can respond and adapt to changing threats and protect themselves automatically is necessary for a new, smarter and more robust approach to security, switching the focus from a perimeter and firewall model towards apps that are smarter, more self-aware and self-protecting.