Overcoming a False Sense of Security: How to De-educate Current Security and Control Practices

Author: Jeimy J. Cano M., Ph.D, Ed.D., CFE, CICA
Date Published: 31 December 2021

The current international dynamic characterized by tension between nations in the midst of gray zone conflicts highlights the challenges in cyberspace and how cyberoperations affect the relationships of enterprises and countries.1 Although many enterprises choose to stay in their comfort zones, depending on standards and good practices, others are beginning to mobilize, troubled by a new reality situated in the Fourth Industrial Revolution (4IR) that extends beyond the international health emergency caused by the COVID-19 pandemic.

An enterprise’s search for stability and efficiency is generally contrasted with the volatile and uncertain environment in which it operates, making it difficult to achieve greater profitability. Reality can change in unexpected ways, creating new patterns and dynamics. A culture of learning must be cultivated to embrace different dynamics that reveal and incorporate formerly hidden relationships and introduce new options for consideration and analysis.

Seeking the dynamic balance of control, understood from the systemic-cybernetic perspective as a permanent flow with increasing and decreasing variety, is an exercise in which the cause-and-effect paradigm must be broken to consider scenarios that include possible and not just current relations. This challenge demands that security and control professionals recognize existing blind spots, often generated by previous knowledge, to interrogate and suspend the dynamic of the current reality.2

Creating a benchmark for security and control that takes into account the evolution of the environment means transforming current practices to align with reality, recognizing visible and emerging relations, linking different points of view, and going beyond the limits imposed by existing frameworks. This means moving from an educated security, based on maps and structured matrices (the more detailed the better), to a de-educated security, based on latent and emergent risk.3 With de-educated security, only general and known aspects can be planned, leaving open the possibility of alternative routes for which there is no detailed map.

When the security or cybersecurity function adopts a de-educated perspective, it can overcome a false sense of security; doing so requires nothing more than recognizing the dynamic and random nature of the environment. Despite the great benefits of an orderly and linear approach to protecting information assets (standards and good practices), that approach rests on the supposition that causality, and what is already known, amount to safe and secure behavior.

Cybersecurity functions can use several concepts and practices to overcome that false sense of security and create room for proposals that question prior knowledge and lessons learned, transforming the essence of security and control to fit a scenario that is increasingly digital and technologically mediated.

A Sense of Security

Modern science has made great strides in simplifying the world, dividing it into parts and studying its conditions, characteristics and dynamics to determine how it functions. This academic exercise suggests that it is possible to explain what occurs from one particular way of looking at the world and to understand the visible relationship that can be identified and defined.

However, this way of configuring reality often contrasts with the manifestations and experiences that arise when trying to predict the behavior of the objects under study. Conduct that is not foreseen, characteristics that appear unexpectedly and consequences that are not anticipated occur often. This implies that a change of perspective is needed to understand what lies behind the categories and distinctions that have been made.

It has been said that “the object is for its complement,” that is, an object cannot be discovered or analyzed through one perspective; rather, its hidden face or its contrasting relationship is as real as the object itself.4 Security involves learning the false arguments and movements of adversaries and thereby increasing knowledge and vision—not to imitate the adversaries’ wrongful acts, but to better understand why they frequently get the upper hand and how they manage to turn their actions into reality with minimum effort and maximum benefit.

The distinctions, systems, relationships and perspective (DSRP) method can be used by information security and cybersecurity teams to challenge the key elements of security and its counterpart, insecurity, to advance an understanding of the sense of security.5 Figure 1 presents a set of key questions that can be used to build a perception of security and control.6

Security begins as a bivalent concept: to be either secure or insecure. It then migrates to a multivalent concept with a scale of grays between security and insecurity related to context and the perspective of each participant. This can then be expanded based on specific individual and enterprise challenges; it involves a permanent process of reinvention that identifies thresholds rather than results.


This is a modern approach. Information insecurity is understood as a dual distinction, where it is possible:

…to suggest elements to analyze extreme situations in organizations that lead not just to considering the vulnerabilities and information risks from company processes, but also to rethink those same processes to make them more reliable, as they consider the different perspectives of security implicit in each of the participants.7

A False Sense of Security: Confronting Certainty and Stability

An organization can assume at least two positions when seeking to increase its levels of security and control. The first goal is to decrease the uncertainty and instability caused by known or unknown vulnerabilities, so as to maintain the efficiency of the information security function and of investments in controls. The second goal recognizes and establishes operating thresholds and fault tolerances capable of maintaining the business dynamic despite possible breaches caused by real or unknown risk factors, where a culture of learning coexists with the demand for business efficiency.

Enterprises generally engage in a permanent search for a certain operating space that reassures top-level executives, where the cultures of zero risk and invulnerability are sustained by investments in IT and by the political capital and persuasiveness of IT security executives.

Despite this effort, reality often surpasses the enterprise’s ability to recognize novel signs and patterns in the environment. The security function must often dig deeper to understand the challenges of insecurity, not just as a response to vulnerability and compliance, but also as an opportunity to remain vigilant for possible attacks, to anticipate and defend against attackers’ actions, and to attempt to surprise adversaries in their own territory.

In this sense, it is necessary to recognize the perspectives and biases that exist within the organization around the issue of information protection (underestimation, evasion, denial, optimism and simplification). If these are ignored, the organization will remain a prisoner of the inevitability of failure and its effects: a prison in which the adversary manages the equation of uncertainty in the organization’s security and control model, limiting the organization’s ability to delay the intruder and intercept them before they succeed.


Figure 2 shows a range of perceptions between ingenuousness and preparedness, showing how a lack of preparedness can lead to a downward spiral of compliance that could end with a security breach that erodes enterprise confidence and damages the business reputation.8

These biases and notions occur at different organizational levels. They must be identified, recognized and overcome to increase the enterprise’s capacity to anticipate and respond to threats. The challenge is to protect the value generation model in an untamed and unstable digital environment.

Embracing Uncertainty and Instability

Today’s volatile, uncertain, complex and ambiguous world calls for the de-education of information security practices. That is, it requires practices to change to focus on recognizing and accepting the latent and emergent risk factors of the uncertain relations that are constantly changing and that test the enterprise’s ability to respond to the unexpected.

Accepting and practicing this new approach can be aided by understanding the Deming Model of Quality Management—which is used worldwide to plan, do, check and act in order to repeatedly achieve known and expected results9—and the model based on anticipation, risk, response and monitoring (A2RM)—where reading the environment and its instabilities becomes the basis of security management and control (figure 3).10

Management executives and security and control professionals who apply A2RM understand that uncertainty and complexity present opportunities to turn adversary risk from an element of discomfort into an occasion for testing and flexible learning. When events do not turn out as expected, this confirms that “no process is linear or sequential, neither coherent nor consistent”; rather, changes emerge from relations that are often invisible to an analyst’s eyes.11

Implementing this new cycle involves recognizing inherent and unrevealed vulnerabilities in an enterprise’s basic business processes, infrastructure, third parties and information flows. The possibility of failure is hidden within the joining of these and other components that form the business dynamic.

Figure 4 presents some key actions for each component of the A2RM cycle.

Conclusion

Modern enterprises are facing an unprecedented dynamic environment. The 4IR anticipates at least four key trends that involve a complete renovation of the modern enterprise tool kit to deal with medium- and long-term instability:12

  1. Enterprises no longer operate within a specific sector.
  2. Machines learn faster than people.
  3. Competitors need one another to prosper.
  4. Prosperity implies unlearning, failing more and learning faster.

These four trends establish concrete challenges for current models of security and control. They do “not teach good standards and practices, but rather amaze with some mystery so that the organization creates new relations thanks to its natural propensity for learning.”13 This inverts the equation of uncertainty and focuses on attempting to surprise adversaries on their own ground.

The security and control challenges of 4IR can be classified and summarized as:

  • Resilient supply chains and defense ecosystems
  • Physical systems, cybersystems and personal data
  • Believable deceptions14
  • Moving target defense15
  • Cognitive counterintelligence and artificial adversarial intelligence16

Meeting these challenges can change the perspective on digital confidence and security, but it cannot eliminate risk or system vulnerabilities. Rather, the goal is to be able to continue to operate, despite being compromised by a known or unknown risk.

The A2RM model provides curation of the available information so that a review, analysis and dependability study can distinguish between what is important and what may be only noise in the environment. It is clear that although the future cannot be predicted, instability and uncertainty can be used to explore new proposals where there are no fixed definitions and no rules imposed by others.17

Confronting the opportunities and instabilities of the 4IR should help enterprises recognize and overcome the risk of falling into a false sense of security; understand its complement, which is insecurity; and ask the questions necessary to allow security and control professionals to uninstall their standard certainties, deconstruct their current frameworks, disconnect their achievements and skills from known risk factors, and enable learning that leads them to decipher the adversary’s reality. It is important to remember that “All models are wrong; the practical question is, how wrong must they be to stop being practical” and useful?18


Endnotes

1 Jordan, J.; “El Conflicto en la Zona Gris: antagonismo por debajo del umbral de la guerra” (“Gray Zone Conflict: Antagonism Below the Threshold of War”), Global Strategy, 2021, https://global-strategy.org/el-conflicto-en-la-zona-gris-antagonismo-por-debajo-del-umbral-de-la-guerra
2 Cano, J.; “Rethinking Security and Cybersecurity Practices in Organizations: A Systemic-Cybernetic Review,” Global Strategy Report 58, 2020, https://global-strategy.org/repensando-la-practica-de-la-seguridad-y-la-ciberseguridad-en-las-organizaciones-una-revision-sistemico-cibernetica/
3 Calvo, C.; Ingenuos, ignorantes, inocentes: De la educación informal a la escuela autoorganizada (Ingenuous, Ignorant, Innocent: From Informal Education to Self-Organized Schooling), Editorial Universidad de la Serena, Chile, 2017
4 Borges de Meneses, R. D.; “Deconstruction by Jacques Derrida: What Is and What Is Not a Strategy,” Universitas Philosophica, vol. 30, iss. 60, 2013, https://revistas.javeriana.edu.co/index.php/vniphilosophica/article/view/10788
5 Cabrera, D.; L. Cabrera; Thought System Simple Fact: A New Hope for Solving Complex Problems, 2nd Edition, Odyssean Press, USA, 2021
6 Ibid.
7 Cano, J.; “Computer Insecurity: A Dual Concept in Computer Security,” Revista de Ingeniería (Journal of Engineering), iss. 19, 2004, p. 40–44
8 Based on Smith, S.; J. Marchesini; The Craft of System Security, Pearson Education, USA, 2008
9 Deming, W. E.; Out of the Crisis, MIT Press, USA, 1986
10 Cano, J.; “The ‘False Sense of Security:’ The Challenge of Shaking Up Standard Certainties and Trying to ‘Tame’ Uncertainties,” SISTEMAS Magazine, Colombian Association of Systems Engineers, vol. 159, 2021, https://doi.org/10.29236/sistemas.n159a6
11 Op cit., Calvo
12 Lanteri, A.; CLEVER: The Six Strategic Drivers for the Fourth Industrial Revolution, Lioncrest Publishing, USA, 2019
13 Op cit., Calvo
14 Fraunholz, D.; et al.; “Demystifying Deception Technology: A Survey,” National Reference Project for IT Security in Industry 4.0, April 2018, https://www.researchgate.net/publication/324584502_Demystifying_Deception_TechnologyA_Survey
15 Cho, J.; D. Sharma; H. Alavizadeh; S. Yoon; N. Ben-Asher; T. Moore; D. S. Kim; H. Lim; F. Nelson; “Toward Proactive, Adaptive Defense: A Survey on Moving Target Defense,” IEEE Communications Surveys and Tutorials, 2019
16 This can be defined as “[T]he set of activities implemented to locate, identify and monitor, in order to neutralize and, as applicable, counteract and report, unauthorized activities of the automatic learning algorithms; that is, those that break with initially established rules and materialize inherent risks to the development and start-up of artificial intelligence algorithms.” Jiménez, F.; Manual de inteligencia y contrainteligencia (Intelligence and Counterintelligence Manual), CISDE, Spain, 2019
17 Consejo Nacional de Innovación para la Competitividad, “Strategic Guidelines for Innovation: Building Your Bridge to the Future Chile on the Horizon 2025,” May 2013, https://www.cnid.cl/wp-content/uploads/2013/05/Surfeando-2013.pdf
18 Box, G. E. P.; Empirical Model-Building and Response Surfaces, John Wiley and Sons, USA, 1987, p. 74

Jeimy J. Cano M. | PH.D., ED.D., CFE, CICA

Has more than 25 years of experience as an executive, academic and professional in information security, cybersecurity, forensic computing, digital crime and IT auditing. In 2016, he was named Cybersecurity Educator of the Year for Latin America. He has published more than 200 articles in various journals and presented papers at industry events at the international level.