Uncertainty in security: managing cyber senescence

TL;DR

The paper discusses how the aging and accumulation of uncertain security controls in cybersecurity create operational risks, likening this process to biological senescence, and emphasizes the need for pruning control frameworks to prevent system collapse.

Contribution

It introduces the concept of cyber senescence, highlighting the risks of control accumulation and uncertainty, and advocates for pruning security controls to mitigate aging in cyberspace.

Findings

Control overlap leads to increased uncertainty.

Accumulation of controls causes cybersecurity ecosystem aging.

Pruning controls can reduce operational risks.

Abstract

My main worry, and the core of my research, is that our cybersecurity ecosystem is slowly but surely aging and getting old and that aging is becoming an operational risk. This is happening not only because of growing complexity, but more importantly because of accumulation of controls and measures whose effectiveness are uncertain. I introduce a new term for this aging phenomenon: cyber senescence. I will begin my lecture with a short historical overview in which I sketch a development over time that led to this worry for the future of cybersecurity. It is this worry that determined my research agenda and its central theme of the role of uncertainty in cybersecurity. My worry is that waste is accumulating in cyberspace. This waste consists of a multitude of overlapping controls whose risk reductions are uncertain. Unless we start pruning these control frameworks, this waste accumulation causes aging of cyberspace and could ultimately lead to a system collapse.