A Complexity-Informed Approach to Optimise Cyber Defences
Lampis Alevizos

TL;DR
This paper presents a new complexity-informed framework for cybersecurity management that helps optimize defenses, identify improvement areas, and support strategic decision-making by quantifying and managing complexity within cyber defenses.
Contribution
It extends complexity theory to cybersecurity, providing a systematic, quantitative method to de-complexify defenses and enhance decision-making processes.
Findings
Validated through a case study on cybersecurity defenses.
Provides a quantitative framework for assessing complexity.
Enhances threat-informed defense strategies with complexity management.
Abstract
This paper introduces a novel complexity-informed approach to cybersecurity management, addressing the challenges found within complex cyber defences. We adapt and extend complexity theory to cybersecurity and develop a quantitative framework that empowers decision-makers with strategies to de-complexify defences, identify improvement opportunities, and resolve bottlenecks. Our approach also provides a solid foundation for critical cybersecurity decisions, such as tooling investment or divestment, workforce capacity planning, and optimisation of processes and capabilities. Through a case study, we detail and validate a systematic method for assessing and managing the complexity within cybersecurity defences. The complexity-informed approach, based on MITRE ATT&CK, is designed to complement threat-informed defences. Threat-informed methods focus on understanding and countering…
Taxonomy
Topics: Systems Engineering Methodologies and Applications · Information and Cyber Security
