Traditional security models partition the security universe into two distinct and completely separate worlds: us and them. This partition is absolute and complete. More complex situations are most commonly treated as sets of increasingly more secure domains. This view is too simplistic for cyber-physical systems. Absolute divisions are conceptually clean, but they do not reflect the real world. Security partitions often overlap, frequently provide for the high level to have complete access to the low level, and are more complex than an impervious wall. We present a model that handles situations where the security domains are complex or the threat space is ill defined. To demonstrate our method, we examine a 'drive by wire' system from both the traditional view and in light of the modern reality. This paper examines the system from the viewpoint of the driver with special emphasis on the driver's inability to determine who, or what, is actually in control of the automobile during critical situations.