I’ve been known, now and again, to mouth off sarcastically that we don’t have any idea what “Cybersecurity” is, strategically – that we have no real concept of what “it” is.  So, as a preface to my upcoming talks, I’ve sketched out a very, very draft and incomplete framework off the top of my head that is, I think, STILL more complete than anything else out there. It’s done in terms of “Environments” that must be managed or that pose describable, discernible, solvable problem spaces that pertain to cybersecurity risk.  Note how different this looks than the NIST Framework, NERC CIP, SANS guidance, what you hear panels talk about, etc. Just remember, I have a lot to add here, which I’ll do after my upcoming talks have been given.


Conflict Environment

  1. Sieges & Unity (Defense problem of community siege-breaking, not incidents)
    1. Game Theory & International Relations
    2. Norms, Stabilization, and Confidence Building Measures
  2. Parasite Management
    1. Single Organization Value Control
    2. Competition for use of shared, not owned infrastructure
  3. Information vs Kinetic Warfare
    1. Long term abuse of misplaced cultural, political, and legal redlines

Technical Environment

  1. Complexity (exposure rising directly and infinitely with complexity)
  2. Competency (technical competency required by all, who cannot maintain)
  3. Security Express-ability (lower layers are approximating upper layer expressions)

Physical Environment 

  1. Geography & Power Delegation (Targets are Geography, cannot insert gov between industry and adversary)
  2. Geography & Proximity (Everyone is a Neighbor)

Single Organizational Environment

  1. Developing Sustainable Practices without requiring core Competency
  2. Decision Making Capacity Building
  3. Full System (Human) Threat Modeling
    1. Self Awareness
    2. Vulnerability/Exposure Identification & Management
    3. Exploitation Opportunity Identification & Management

Human Environment

  1. Stakeholder psychology requires targeted action to achieve desired behavior change
  2. Exceptional Distance between decisions, actions and risk limits involvement
  3. Ability to Process sufficient incoming knowledge tangential to core

National Environment

  1. Common Problem Space Consensus Development/Socialization
  2. Development and Engagement of Appropriate Regimes
  3. Stabilizing vs Developing managed Environments
  4. Business Value Production is inherently and completely tied to exposure creation/mgt, how does gov manage?

Market Environment

  1. Entrenched Industry is sucking needed resources away uselessly, needs derailment (fail, iterate, improve)
  2. Abstract, tenuous connection between market and risk

Leadership Environment 

  1. We Need Generals: Now Guys with Guns Espousing Tactical Requirements in Place of Strategies to Win (Win = Desired level of risk for desired investment over time)
  2. Formal Roles limiting Routing of Knowledge/Capability into available levers (ie, if you’re not selling something, you’re not participating)