Mulla Nasiruddin’s Cybersecurity Wisdom — Wool Is Not Salt

Dave On Cyber
2 min readJun 15, 2023


One day, Mulla took his donkey with loaded salt to the market. They pass through the river, and salt melts!

The donkey was happy, but Mulla had to bear the loss.

After a few days, Mulla and the donkey had to pass through the same stream. However, this time, the wool was loaded on the donkey. The wool soaked water, and it became ten times heavy.

The donkey’s mind couldn’t figure it out, but Mulla was laughing and said,

“Remember, wool is not salt.”

Wool vs Salt — The Metaphores

Cybersecurity Wisdom

Perfect security doesn’t exist.

You can never eliminate the risk. You can only reduce to the accepted level. Organizations rely on implementing security controls for risk mitigation.

You probably know the classific formula of the CISSP world.

Threat * Vulnerability = Risk

It’s important to note that the above equation is not just a multiplication or addition. It’s a combination of several factors.

Let’s merge salt and wool from Mulla’s story as metaphors to understand risk.

Donkey = Solution

River = Threat

Salt/ Wool = Vulnerabilities

Some business solutions are deployed in production without implementing security controls. They are like salt. Although it’s vulnerable to various threat actors, the risk factor melts due to timing, luck or nature, and we don’t see the impact. But remember the moral of the story.

Wool is not salt.

Sometimes external and internal factors multiply beyond your control. You will see the opposite effect with wool-like vulnerabilities that soak threats like water. It results in a significant breach.

This story is an excellent reminder of why we cannot compare security breaches. When everything is at risk, it’s challenging to determine the pattern. You can only implement the defence of multiple controls, hoping that the other will kick in if one fails.

Cyber attack is possible with many security controls.

The cyber attack can bypass itself with fewer security controls.

It’s a matter of whether the threat intersects with salt or wool.

I have been fascinated with Mullah Nasruddin’s stories since childhood. He is a folk hero of the Muslim world.

I read a few stories and decided to adapt and integrate his wisdom, wit and humour into cybersecurity. The original story name is SALT IS NOT WOOL — you can read it here.

This is the first article of the ongoing series — Cybersecurity With Mulla Nasiruddin.

If you like this article, please subscribe to this blog and newsletter.



Dave On Cyber

CISSP Certified professional writes cybersecurity with digital sketch and storytelling form. Check out for notes and downloads.