Systems thinking in cyber security

Cyber security leaders deal with complex problems all the time, but only a few are well equipped to deal with such challenges effectively. Systems thinking is a discipline that can help CISOs improve their ability to see the bigger picture and move beyond simplistic linear cause-effect relationships and point-in-time snapshots.

Systems thinking is a mindset that encourages you to see the interdependencies, processes and patterns of complex systems. Complex systems contain multiple interacting feedback loops, and it is this feature that makes them so challenging to understand, diagnose and improve.

In this blog I outline some examples of complex systems, recommend tools to begin to understand and influence them and demonstrate how these techniques can be applied to improve digital safety and security.

This quick 6-minute video illustrates the M&A integration dynamics and serves as an example of one of the key tools of system thinkers in the business context – causal loop diagrams.

A causal loop diagram can help visualise the problem more dynamically and start facilitating discussions about potential drivers of these dynamics.

For instance, I developed the below causal loop diagram while brainstorming ideas to increase revenue for an organisation. It illustrates delayed effects, one of the key characteristics of complex systems, that make the system so difficult to analyse.

Such diagrams can also be used in environmental and social impact fields to uncover dynamics and causal relationships in complex systems. As an example, I developed the below interconnected self-reinforcing and balancing feedback loops to visualise the causal relationships leading to climate change.

Cross-sector collaboration as well as engagement from government and academia is often required to tackle these complex system challenges.

Now, let’s have a look at how this technique can be applied to cyber security. In this simplified example, I illustrate the interconnected nature of the cyber crime ecosystem. Cyber crime actors attack organisations because of the perceived financial gain. This financial gain is a result of, for example, ransomware payouts, which increase the attractiveness of this ‘profession’, creating a vicious cycle of increasing cyber attacks.

On the other hand, successful cyber attacks increase the overall public awareness and often lead to increased investment to uplift cyber maturity. These efforts tend to increase the costs for the attackers and, therefore, reduce their likelihood of success, creating a balancing feedback loop. Another example of such a balancing loop is the law enforcement action that is triggered as the number of victims grows. Such action decreases the attractiveness of cyber crime and can lead to the overall decrease of cyber attacks.

As you can see, there are multiple levers we can start pulling as an industry, and even individually, to influence this complex system. The aim is to affect both negative and positive causal loops to get the feedback to flow in the right direction. Developing and implementing cyber strategies for long-term, system-level change will help create a safer world for all.
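The loops described in the two cyber crime paragraphs above can be checked mechanically by writing the diagram as a signed graph and multiplying the link signs around each cycle: a positive product is a reinforcing loop, a negative one a balancing loop. This is an added example, not part of the original post; the node names are labels chosen here, and the link from attacks to successful attacks is a modelling assumption.

```python
# Added example: the cyber crime causal loop diagram as a signed directed graph.
# Node names are labels invented for this sketch. +1 means the target moves in
# the same direction as the source, -1 means it moves in the opposite direction.
LINKS = {
    ("attacks", "successful_attacks"): +1,  # assumption: more attempts, more victims
    ("successful_attacks", "financial_gain"): +1,  # e.g. ransomware payouts
    ("financial_gain", "attractiveness"): +1,
    ("attractiveness", "attacks"): +1,
    ("successful_attacks", "public_awareness"): +1,
    ("public_awareness", "security_investment"): +1,
    ("security_investment", "attacker_cost"): +1,
    ("attacker_cost", "successful_attacks"): -1,  # lower likelihood of success
    ("successful_attacks", "law_enforcement"): +1,  # action grows with victims
    ("law_enforcement", "attractiveness"): -1,
}

def find_loops(links):
    """Return each simple cycle once, rooted at its alphabetically first node."""
    graph = {}
    for src, dst in links:
        graph.setdefault(src, []).append(dst)
    loops = set()

    def walk(start, node, path):
        for nxt in graph.get(node, []):
            if nxt == start:
                loops.add(tuple(path))
            elif nxt > start and nxt not in path:
                walk(start, nxt, path + [nxt])

    for start in sorted(graph):
        walk(start, start, [start])
    return sorted(loops)

def polarity(loop, links):
    """A loop is reinforcing when the product of its link signs is positive."""
    sign = 1
    for i, src in enumerate(loop):
        sign *= links[(src, loop[(i + 1) % len(loop)])]
    return "reinforcing" if sign > 0 else "balancing"

def classify(links):
    return {loop: polarity(loop, links) for loop in find_loops(links)}

def without(links, *nodes):
    """Model a lever that is absent: drop every link touching the given nodes."""
    return {k: v for k, v in links.items() if not set(k) & set(nodes)}

if __name__ == "__main__":
    for loop, kind in classify(LINKS).items():
        print(f"{kind:12s} {' -> '.join(loop)} -> {loop[0]}")
```

Calling `classify(without(LINKS, "law_enforcement", "attacker_cost"))` leaves only the reinforcing loop, which shows how much of the system's restraint depends on those two levers.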
