Surprise! It’s a problem…

I have a mental model of how my system should work. For example, if my system is a DNS server, then in my mind it is receiving queries, answering queries, and accessible on the network. Occasionally the world breaks my system and violates my model. A hard drive might die suddenly, someone might knock an ethernet cable loose, or a router might fail. An administrator might execute the wrong command as root and interrupt traffic.

These events, while I do not want them to happen, are understandable. I have models for how my system might break, and I have models for how I can fix it. These models are a kind of general knowledge that security practitioners can be expected to have. Hardware dies. People make mistakes. Such things happen in the ordinary course of managing a system. Resiliency is about responding to events, not just preventing them.

Thirty years ago, an event such as a DDoS was not understandable, because we did not have a mental model for that kind of breakage. In 1999, DDoS was the subject of the Distributed Systems Intruder Tools (DSIT) Workshop held by the CERT/CC. In the intervening two decades, DDoS has become part of the background noise of providing services on the internet. Incidents are still noteworthy at times, but they are managed as part of resilience, and the models for attack and defense mechanisms are reasonably well known.

Big gaps in our mental models can lead to totally unexpected and unmanageable events. I expect common security events to happen and plan for them: for example, by buying DDoS defense, managing updates to my system, and monitoring the system closely.

Determining the most threatening gaps in our mental models and general knowledge, and explaining how we can adjust for those gaps, is a valid research path for Digital Threats.