Once there was this guy like many others: he got married, had kids, bought a house, bought a car… like pretty much everybody else he knew. And also like many other human beings, he was looking for security, or more precisely, for the place that seemed to be his secure ground.
The simple notion of being secure was so comforting that he started to look for threats only outside of his trusted circle. Then, after ten years, he found out his wife had been overspending the family money for the last four years. But how could she do that? For four years? Simple: he assumed he could trust her forever, and at some point he stopped watching carefully enough; he stopped monitoring the family finances. He stopped assessing the risk in his own attitudes.
How many of you behave like this in your personal lives? You take some time to build trust in someone and then take it for granted that it will last forever? This behaviour exists in most people, and it is exploitable. Now take a look at how we behave in our enterprises. For example, we check job applicants’ references before hiring them, so that we can feel more “secure” about them and ensure they will behave properly once hired. But then we stop watching carefully enough, allowing corruption to take place here and private data to be stolen there.
In short, it does not matter how much you’re going to spend on your security programmes (to build your trusted circle): you have to keep self-assessing constantly, for things will change over time, and people’s behaviour will too.
This self-assessment can be achieved through risk management. With that notion in mind you will realise that the real question is not whether your site’s login page needs a captcha, but whether it needs to be active now, or can be turned off. And for sure, it can be turned on again as soon as your security monitoring spots a threat and responds to it by turning your defences up again, whether that threat comes from the outside or not.
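To make the captcha point concrete, here is a small added example (not code from the original post) of a control that is switched on and off by what the monitoring currently sees, rather than being permanently on or permanently off. It replays a constructed stream of login events, counts failures in a sliding window, and turns the captcha requirement on when failures exceed a threshold and off again only after they have dropped and a cooldown has passed. The event format, the thresholds and the cooldown are assumptions chosen for the demonstration, not values from the post.

```python
"""Adaptive login-page control: decide whether a captcha challenge is
required right now, driven by what security monitoring currently sees.

Added example, not code from the original post. The event format, the
thresholds and the cooldown are assumptions chosen for the demo.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple

# Constructed sample of authentication events as (timestamp_seconds, outcome).
# Six normal logins, then a burst of ten failures in ten seconds, then quiet.
SAMPLE_EVENTS: List[Tuple[int, str]] = (
    [(t, "ok") for t in (0, 10, 20, 30, 40, 50)]
    + [(60 + i, "fail") for i in range(10)]
    + [(100, "ok"), (130, "ok"), (200, "ok")]
)


@dataclass
class CaptchaPolicy:
    """Risk-driven switch for the captcha control, with hysteresis so it
    does not flap on and off around the threshold."""
    window_seconds: int = 60       # how far back the monitoring looks
    fail_threshold: int = 10       # failures in the window that turn the control on
    clear_threshold: int = 2       # failures must fall to this before turning it off
    cooldown_seconds: int = 120    # once on, stay on at least this long
    active: bool = False
    activated_at: Optional[int] = None
    events: Deque[Tuple[int, str]] = field(default_factory=deque)

    def observe(self, ts: int, outcome: str) -> bool:
        """Record one login event and return whether the captcha is
        required after taking it into account."""
        self.events.append((ts, outcome))
        # Forget anything that has aged out of the sliding window.
        while self.events and ts - self.events[0][0] > self.window_seconds:
            self.events.popleft()
        fails = sum(1 for _, o in self.events if o == "fail")

        if not self.active and fails >= self.fail_threshold:
            # Monitoring spotted a threat: turn the defence up.
            self.active = True
            self.activated_at = ts
        elif (
            self.active
            and fails <= self.clear_threshold
            and self.activated_at is not None
            and ts - self.activated_at >= self.cooldown_seconds
        ):
            # Threat has subsided and the cooldown has elapsed: relax again.
            self.active = False
            self.activated_at = None
        return self.active


def replay(events: List[Tuple[int, str]],
           policy: Optional[CaptchaPolicy] = None) -> List[Tuple[int, bool]]:
    """Feed events through the policy and return (timestamp, captcha_required)
    for each one, so the on/off decisions can be inspected over time."""
    policy = policy or CaptchaPolicy()
    return [(ts, policy.observe(ts, outcome)) for ts, outcome in events]


def captcha_required_now(events: List[Tuple[int, str]]) -> bool:
    """Answer the post's question for the latest event: does the login page
    need the captcha active right now?"""
    states = replay(events)
    return states[-1][1] if states else False


if __name__ == "__main__":
    for ts, required in replay(SAMPLE_EVENTS):
        print(f"t={ts:>3}s captcha_required={required}")
```

In the constructed stream the control stays off through normal traffic, switches on at the tenth failure, remains on while the burst ages out of the window because the cooldown has not yet elapsed, and switches off once both conditions are met. The same shape applies to any control you would rather not leave permanently on: the monitoring decides, and the decision is reassessed on every event.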