Regularisation plays an important role in hedging against adversarial attacks. In our recent pre-print we show that regularising with respect to the dual norm of the attacker is often a good strategy, but that it can be suboptimal when data is scarce.