I am a positivist and don’t like to focus on security incidents, but the number of incidents, especially the repetition of these security incidents, make me doubt that organizations truly understand cybersecurity. It appears to me that organizations focus on the wrong things within the cybersecurity domain. What do I mean by this?