Secure Channel (Ziff Davis Enterprise)
Monday, July 20, 2009 6:42 AM/EST

Why Protecting Everything Is Protecting Nothing

A headline in USA Today last week read: "Jakarta blasts put spotlight on hotel security."

In the same week, a headline on CNN read: "Twitter hack raises questions about 'cloud computing.'"

Why are these two headlines linked? It's because they're making sweeping assumptions about the consistency of security threats based on two isolated incidents.

Let's start by stating the obvious: Security threats to all users, regardless of size and geographic location, exist across the Internet. Those threats come in the form of worms, viruses, Trojans, sniffers, keystroke loggers, botnets, lone hackers, hacker gangs, organized crime syndicates and hostile nation states. The number of unique and variant malware samples detected in 2008 exceeded 800,000. A PC receives a hostile ping within 20 to 40 seconds of connecting to the Internet.

Given the diversity, scope and breadth of these attacks, it stands to reason that everyone is at risk, which is true. But just because these threats exist doesn't mean that you will be attacked with the same intensity or suffer the same damage as the next person.

Now, let's get back to the hotel bombing incident.

Indonesia, the world's largest Muslim nation and the largest economy in Southeast Asia, suffered its first major terrorist attack last week when a group linked to al-Qaeda launched suicide attacks against two hotels in the capital, Jakarta. These hotels were fortified, meaning that visitors and guests must pass through a security checkpoint before entering the grounds and bags are inspected upon entering the building.

The fact that terrorists defeated these security measures has some people calling for an examination of security measures at hotels around the world. In much of the Western world, people can drive right up to hotels, leave vehicles idling outside the main lobby, park cars in underground garages, and bring bags and crates into the building without inspection. While the threat is global, Western hotels are able to forgo extraordinary security because they do not face the same threat level as their Middle East, Asia and South America counterparts.

The Twitter hack—much like the major hacks against TJX, Monster.com, Ameritrade, AOL, ChoicePoint, Heartland, and the numerous compromises of the Pentagon and NASA—was more than just a random breach; these victims were targets of opportunity. They were both target rich (meaning that they had valuable assets worth stealing or compromising) and accessible, much like the Ritz Carlton and J.W. Marriott in Jakarta. The combination of those two elements makes targets such as these of high value to hackers (or terrorists). But that doesn't mean that every high-value target is being attacked or targeted.

Let's look back 14 years to the bombing of the Murrah Federal Building in Oklahoma City. At the time, I was the editor of The Tewksbury Advertiser, a small weekly newspaper in a suburban Massachusetts town. Before anyone knew that Americans Timothy McVeigh and Terry Nichols were the culprits, everyone was seeing terrorists (particularly Islamic) behind every telephone pole, mailbox and tree. My office's phone was ringing off the hook (the age before e-mail) with reports of suspicious vehicles around public drinking water reservoirs, strange activity at telephone exchange buildings and low-flying aircraft over downtown (forget the fact that there was a municipal airport downtown).

In the absence of clear intelligence, everyone from the White House to local residents was seeing the bogeyman and calling for more stringent security measures at every level of public and critical infrastructure. The Tewksbury water supply and telephone exchange were extremely vulnerable (or soft targets), but that didn't mean they were at the top of the terrorist hit list.

Exclude viruses and worms that are automated and random, and you begin to see that Internet-borne threats are not uniform or constant. In fact, businesses can somewhat calculate the threat activity against their network based on the value of their assets, the profile of their company and the number of entry points (applications, workstations, distributed locations) to their network. Military networks, government agencies, power utilities, telecommunications and universities have, by definition, high threat exposure because they have presence, valuable data and resources, and too many points of entry to adequately defend. A small manufacturer in Binghamton, N.Y., by contrast, won't have the same profile, since it won't be as interesting to a hacker: small network, no data of consequence, small amounts of personal information for identity theft and no money.

What's needed by businesses today is a measured response to security threats. Total protection is not only expensive, but counterproductive. The old security axiom is as true today as when it was first uttered: "Security is inversely proportional to functionality (or ease of use or productivity)." The more security you layer onto a network, client or application, the less practical it becomes as a business tool. Besides, total security is a myth; even after the expense and inconvenience of a "bulletproof system," some hacker or malicious insider will find a way to circumvent the controls (did we learn nothing from Tom Cruise in "Mission: Impossible"?). As Frederick the Great said, "He who defends everything defends nothing."

The Twitter hack will have people talking about password management and cloud computing security for weeks to come. Solution providers should resist the temptation of resorting to FUD in conversations with clients and use the incident as an opportunity to educate and enlighten. Good IT and security managers will understand the practicality of measured security, but line-of-business managers and C-level executives may not. By explaining the difference between practical and reactionary security, you will further the trust they place in your guidance.

Comments (1)

Jim Sarver:

In a world where the function of IT is to cover its own rear and the function of management is to find someone to blame, true functionality (for end users) is always the loser. Everybody has forgotten that IT and IT security are a means to an end, not an end in themselves. We can't blame terrorists for that.
