I disagree with Bruce’s opinion that being in Code Yellow generally is a bad thing (at least, that’s the impression I got from his piece). Like much in life, there is a balance between seeing danger in every shadow and being alert and aware in our daily lives. For instance, how many people are not living in the moment due to the smartphones in their pockets and what are they missing out on? What danger are they placing themselves in?
Cybersecurity can have a similar problem: jumping at those shadows can be dangerous, but not acknowledging that there could be danger in that shadow can be just as bad as many attacks are dependent upon catching the victim unawares. It does take practice however to strike the balance between paranoia and alertness, but its one that must be worked at. Organizations with a mature risk management function can successfully negotiate the trade off of conducting their business and not drowning in losses. Being “In Yellow” really is the job of the risk function of an organization; its the equivalent of that voice in your head reminding you of the bad things that could happen so that you can make a well-informed decision.