Visualizing Cybersecurity Risk through the Cynefin Framework

Cybersecurity risk remains one of the biggest concerns for companies in today’s interconnected world. As attacks become increasingly more sophisticated and dangerous, it is vital to identify those areas of focus for one’s cybersecurity efforts to maximize risk mitigation. While standard risk management methodologies have traditionally been used to identify these areas, they fail to consider the complexities associated with cybersecurity decision-making.?

The Cynefin Framework can help revitalize how we view Cybersecurity risk management. In this article, we’ll take a close look at the Cynefin Framework, discuss how it relates to decision making, and examine how it can provide a more robust mechanism for mitigating cybersecurity risk.?

What is the Cynefin Framework?

Dave Snowden created the Cynefin Framework back in 1999. Snowden’s goal was to consider the uncertainty and complexity present in our modern digital landscape and?help users understand that every situation is different and requires a unique approach. Before considering the Cynefin Framework for problem solving, one must first understand how it categorizes decision-making into five areas.?

The primary Cynefin Framework Domains are as follows:?

1. Clear (Obvious): This refers to situations where the path is obvious, and the relationship between cause and effect is evident.?Following X action leads to Y result.?
2. Complicated: This category refers to situations where the path is not immediately apparent, and users may need help to decide on the best action. Cynefin Framework best practices describe this as a scenario where one might have a good idea of what to do, but still require an expert’s help and guidance.?
3. Complex: This category refers to a situation that is both unclear and unpredictable. In such a scenario, the relationship between the cause and effect might only be understood after taking action. One expects to make mistakes and learn from them through a process of trial and error.
4. Chaotic: This category refers to an urgent situation in which there is limited time to make decisions. In such a scenario, users require quick action to rectify the solution.?Cynefin Framework examples include ransomware incidents and other malware-based attacks.??
5. Confused (Disorder): This refers to situations in which it is unclear which category is most appropriate. In such a case, users are advised to break down the situation into more manageable tasks to see which domain they might fit.?

When considering how to use the Cynefin Framework properly, one must consider the relationship between the cause and the effect. Doing so will help guide where a decision may fall. The framework is unique in that it focuses specifically on decision-making instead of other criteria. Ultimately, this makes it ideal for situations with unclear or ambiguous results.?

How to Apply the Cynefin Framework to Cybersecurity Risk?

Suppose we apply this framework to various types of Cybersecurity risks. Given the ever-changing nature of cybersecurity risks, this allows us to see the benefits we can realize by considering various decision-making approaches.?

Let us take a look at a few common cybersecurity risks and how they would map to the Cynefin Framework:?

• For example, applying a software patch to fix a critical vulnerability is a straightforward decision that would fall under the?Clear or Obvious Domain. This is because the relationship between the causes and effects in this scenario is much more apparent.?
• An example of a scenario that falls in the?Complicated Domain?would be a cybersecurity analyst identifying architecture risks during the initial phases of an application. However, given the other controls that may be present, the user would require expert help to determine if these risks will materialize.?
• We mentioned that in?Complex scenarios, the cause-and-effect relationship is unclear and only becomes apparent afterward. This applies to newly emerging risks, such as those related to Artificial Intelligence (AI) and Machine Learning (ML) applications, as existing security practices would not be applicable. Therefore, cybersecurity professionals must experiment with existing controls and devise new strategies to mitigate these risks.?
• The?Chaotic Domain?refers to situations requiring immediate action to mitigate risk. This would map to scenarios such as critical cyber attacks, where the cybersecurity profession must make urgent decisions. Examples include taking a system offline, implementing a new rule within a web application firewall, etc. Once the situation stabilizes, the risk can move to other domains within the framework.?
• The?Confused or Disorder?Domain?pertains to cybersecurity risks that do not fall in the other listed domains. This primarily refers to complex situations with many moving parts. An example would be acquiring another company with a completely different technology infrastructure. Such a scenario requires that the user break down the situation into smaller parts or risks, then assign those to the previously-listed domains.?

How the Cynefin Framework Reduces Cybersecurity Risk?

As we can see from the previous examples, the Cynefin Framework promotes a rational and wiser approach to cybersecurity. By performing a deep analysis of the decisions to be made and the relationships between cause and effect, cybersecurity professionals can better understand their environments and the impact of implementing controls.?

The framework is also a valuable tool for managing risks within cybersecurity projects, where decisions made in the initial phases can have long-term impacts further down the road. By properly understanding how to use the Cynefin Framework, cybersecurity professionals can analyze how a particular risk will impact a scenario by mapping control decisions to these categories.?

The Cynefin Framework Explained

I hope this article made it clear how the Cynefin Framework provides a unique approach to Cybersecurity Risk Management. Instead of forcing risks to conform to a qualitative or quantitative scoring method, it provides a structured decision-making approach that can adapt to any situation or risk. By embracing the uncertainty in today’s technology landscape, the Cynefin Framework gives organizations the confidence necessary to navigate modern cybersecurity challenges without compromising their risk posture.

References

https://thecynefin.co/about-us/about-cynefin-framework/