Variety Defines Complex Systems

Variety is perhaps the defining element of complexity; what we tend to describe as “complex” systems are those with a great degree of variety. Systems are replete with all kinds of variety: the variety of components, the variety of interactions between those components, and the variety of potential outcomes in the system. Our computer systems involve a lot of variables and components—wetware (our brains), software, hardware—and thus offer a large variety of potential future states too.

Because complex systems involve a veritable festival of variables cavorting and gallivanting together in often unconventional ways, they can present a large variety of possible states.⁸ Safety research organization Jepsen notes that distributed systems “have a logical state which changes over time” and all types of complex computer systems are no different. This is why prediction is perceived as an extravagant distraction in a resilience paradigm. With so many possible future states within the system, there is never just one path that will lead to a particular outcome.⁹ Even trickier, performing the same sequence of actions in the system may result in different outcomes. Getting from point A to point B in a complex system is less “as the crow flies” and more “as the cat wanders (or zoomies).”

Complex Systems Are Adaptive

Importantly, complex systems are adaptive; they change and evolve over time and space, especially in response to changes in their external environment. Our software systems are complex adaptive systems and, as some computer people sometimes forget, they are sociotechnological in nature. Both machines and humans qualify as components of our tech systems, whether production systems or corporate IT systems. The cybersecurity ecosystem is a complex adaptive system in itself, consisting of not only a huge variety of machines, but also developers, defenders, end users, government regulators, government-sponsored attackers, criminal organizations, auditors, and countless other human stakeholders.

Complex systems are adaptive because change cannot be stopped—and therefore failure cannot be stopped from ever occurring. A resilient complex system is one that can handle this failure gracefully, adapting its behavior to preserve its critical functions.¹⁰ Understanding the transitions between the variety of potential future states—how a system adapts to ongoing changes—is key to understanding your system’s resilience and security over time.

We also must appreciate how humans are a source of strength when a system nears the boundary between success and failure; humans are, in many cases, our mechanism for adaptation in the face of adverse and evolving conditions due to their natural tendency to be curious about the problems they face.¹¹ In healthcare, for example, emergency departments are often brittle due to management-driven changes imposed by financial and operational pressures, making them less resilient in the face of “accumulating or cascading demands” that push them beyond their known-safe capacity.¹² The emergency department system therefore must “stretch” in the face of greater demands on its operation so individual failures—like necessary activities falling through the cracks—do not accumulate and tip the overall system into failure. How does this stretching happen? The humans in the system are the ones who enable this stretching. Humans can work harder, adjust their strategies, and scour for extra resources, like asking other humans to come help out to provide additional adaptive capacity.¹³

The Holistic Nature of Complex Systems

The complexity of a system—and its behavior—is defined holistically; little can be gleaned from the behavior of individual constituent components.¹⁴ Systems thinking is not natural to most humans and security professionals aren’t exempt. The cybersecurity industry has trended toward componentization, even down to specific tooling and environments. Unfortunately, this component-based focus restricts your ability to understand how your slice of security relates to all the other components, which together shape how the system operates. Only looking at one component is like a narrow viewing frustum—or, if you prefer, like a cone collar that makes it difficult to navigate nimbly about the world. Nancy G. Leveson, professor of aeronautics and astronautics at MIT, cautions us that “a narrow focus on operator actions, physical component failures, and technology may lead to ignoring some of the most important factors in terms of preventing future accidents.”¹⁵

Attackers perceive the holistic nature of systems, routinely taking advantage of interrelations between components. They look for how interactions within a system can give them an advantage. All the attack phase “lateral movement” means is leveraging the connection between one component in a system to others within the system. Defenders, however, traditionally conceive security in terms of whether individual components are secure or whether the connections between them are secure. Status quo security thinks in terms of lists rather than graphs, whereas attackers think in graphs rather than lists. There is a dearth of systems knowledge in traditional cybersecurity defense, which attackers are all too happy to exploit.

The high-profile SolarWinds compromise highlights this dynamic well. The Russian Foreign Intelligence Service (SVR) had a particular objective in mind: gaining access to federal agencies and Fortune 500 companies alike for (presumably) espionage purposes. One way they could achieve this outcome was by looking for any components and subsystems these target systems had in common. SolarWinds’ Orion platform, offering infrastructure monitoring and management, was a tool that was not only used by many federal agencies and large enterprises, but also possessed functionality that granted it access to customers’ internal infrastructure. Through this lens, attackers exploited interrelations and interactions at multiple levels of abstraction.

A holistic systems perspective must not be limited to specific technology, however. The way in which organizations use technology also involves economic and social factors, which are all too frequently ignored or overlooked by traditional enterprise cybersecurity programs. Economic factors in an organization include revenue and profit goals, how compensation schemes are structured, or other budgetary decisions. Social factors in an organization include its key performance indicators, the performance expectations of employees, what sort of behavior is rewarded or reprimanded, or other cultural facets.

As an industry, we tend to think of vulnerabilities as things borne by flaws in software, but vulnerabilities are borne by incentive paradigms too. We overlook the vulnerability in incentivizing employees to do more work, but faster. We overlook the vulnerability in giving bonuses to “yes” people and those who master political games. These vulnerabilities reduce the organization’s resilience to failure just the same as software flaws, but they rarely appear in our threat models. Occasionally, we will identify “disgruntled employees” as a potential insider threat, without exploring the factors that lead them to be disgruntled.

These “layer 8” (human) factors may be difficult to distinguish, let alone influence, in an organization. But when we consider how failure manifests, we must nevertheless take them into account.

Acute and Chronic Stressors in Complex Systems

When we think about security incidents, we may tend to blame the incident on an acute event—like a user double-clicking on a malicious executable or an attacker executing a crypto miner payload. In resilience lingo, these acute events are known as pulse-type stressors. Pulse-type stressors are negative inputs to the system that occur over a short duration, like hurricanes in the context of ecological systems. Press-type stressors, in contrast, are negative inputs that occur over longer periods of time; in ecological systems, this can include pollution, overfishing, or ocean warming. For clarity, we’ll call pulse-type stressors “acute stressors” and press-type stressors “chronic stressors” throughout the book.

The problem with a myopic focus on acute stressors in any complex system is that those events will not tip the system over into failure modes on their own. The background noise of chronic stressors wears down the resilience of the system over a longer period of time, whether months or years, so when some sort of acute event does occur, the system is no longer able to absorb it or recover from it.

What do chronic stressors look like in cybersecurity? They can include:

• Regular employee turnover

• Tool sprawl and shelfware

• Inability to update systems/software

• Inflexible procedures

• Upgrade-and-patch treadmill

• Technology debt

• Status quo bias

• Employee burnout

• Documentation gaps

• Low-quality alert signals

• Continuous tool maintenance

• Strained or soured relationships across the organization

• Automation backlog or manual procedure paradigm

• Human-error focus and blame game

• Prevention mindset

And acute stressors in cybersecurity can include:

• Ransomware operation

• Human mistake

• Kernel exploit

• New vulnerability

• Mergers, acquisitions, or an IPO event

• Annual audit

• End-of-life of critical tool

• Outage due to security tool

• Log or monitoring outage

• Change in compliance standard

• New product launch

• Stolen cloud admin credentials

• Reorg or personnel issues

• Contractual changes (like SLAs)

While recovery from acute stressors is important, understanding and handling chronic stressors in your systems will ensure that recovery isn’t constrained.

Surprises in Complex Systems

Complex systems also come with the “gift” of sudden and unforeseen events, referred to as “surprises” in some domains. Evolutionary biologist Lynn Margulis eloquently described the element of surprise as “the revelation that a given phenomenon of the environment was, until this moment, misinterpreted.”¹⁷ In the software domain, the surprises we encounter come from computers and humans. Both can surprise us in different ways, but we tend to be less forgiving when it’s humans who surprise us. It’s worth exploring both types of surprises because accepting them is key to maintaining resilience in our complex software systems.

Critical Functionality

If you want to understand a system’s resilience, you need to understand its critical functionality—especially how it performs these core operations while under stress from deleterious events. Simply put, you can’t protect a system if you don’t understand its defining purpose.

Defining the system’s raison d'être is an essential requirement to articulate a system’s resilience. The goal is to identify the resilience of what, to what, and for whom. Without this framing, our notion of the system’s resilience will be abstract and our strategy aimless, making it difficult to prioritize actions that can help us better sustain resilience.

This foundational statement can be phrased as “the resilience of <critical functionality> against <adverse scenario> so that <positive customer (or organization) outcome>.”

For a stock market API, the statement might read: “The resilience of providing performant stock quotes against DoS attacks for financial services customers who require real-time results.” For a hospital, the statement might read: “The resilience of emergency room workstations against ransomware so healthcare workers can provide adequate care to patients.” Defining what is critical functionality, and what is not, empowers you during a crisis, giving you the option to temporarily sacrifice noncritical functionality to keep critical functionality operational.

This illustrates why the status quo of security teams sitting in an ivory tower silo won’t cut it for the resilience reality. To design, build, and operate systems that are more resilient to attack, you need people who understand the system’s purposes and how it works. Any one person’s definition of a system’s critical functions will be different from another person’s. Including stakeholders with subjective, but experience-informed, perceptions of the system becomes necessary. That is, “defenders” must include a blend of architects, builders, and operators to succeed in identifying a system’s critical functions and understanding the system’s resilience. The team that manages security may even look like a platform engineering team—made up of software engineers—as we’ll explore in depth in Chapter 7.

Safety Boundaries (Thresholds)

Our second resilience potion ingredient is safety boundaries, the thresholds beyond which the system is no longer resilient to stress. We’ll avoid diving too deep into the extensive literature²² on thresholds²³ in the context of system resilience.²⁴ For SCE purposes, the key thing to remember about safety boundaries is that any system can absorb changes in conditions only up to a certain point and stay within its current, healthy state of existence (the one that underlies our assumptions of the system’s behavior, what we call “mental models”). Beyond that point, the system moves into a different state of existence in which its structure and behavior diverge from our expectations and intentions.²⁵

A classic example of safety boundaries is found in the book Jurassic Park.²⁶ When the protagonists start their tour of the park, the system is in a stable state. The dinosaurs are within their designated territories and the first on-rail experience successfully returns the guests to the lodge. But changes in conditions are accumulating: the lead geneticist fills in gaps in velociraptors’ DNA sequences with frog DNA, allowing them to change sex and reproduce; landscapers plant West Indian lilacs in the park, whose berries stegosauruses confuse for gizzard stones, poisoning them; a computer program for estimating the dinosaur population is designed to search for the expected count (238) rather than the real count (244) to make it operate faster; a disgruntled employee disables the phone lines and the park’s security infrastructure to steal embryos, causing a power blackout that disables the electrical fences and tour vehicles; the disgruntled employee steals the emergency Jeep (with a rocket launcher in the back), making it infeasible for the game warden to rescue the protagonists now stranded in the park. These accumulated changes push the park-as-system past its threshold, moving it into a new state of existence that can be summarized as chaos of the lethal kind rather than the constructive kind that SCE embraces. Crucially, once that threshold is crossed, it’s nearly impossible for the park to return to its prior state.

Luckily with computer systems, it’s a bit easier to revert to expected behavior than it is to wrangle dinosaurs back into their designated pens. But only a bit. Hysteresis, the dependence of a system’s state on its history,²⁷ is a common feature of complex systems and means there’s rarely the ability to fully return to the prior state. From a resilience perspective, it’s better to avoid passing these thresholds in the first place if we can. Doing so includes continual evolution of the system itself so its safety boundaries can be extended to absorb evolving conditions, which we’ll explore later in our discussion of flexibility and openness to change.

If we want our systems to be resilient to attack, then we need to identify our system’s safety boundaries before they’re exceeded—a continuous process, as safety boundaries change as the system itself changes. Security chaos experiments can help us ascertain our system’s sensitivity to certain conditions and thereby excavate its thresholds, both now and as they may evolve over time. With an understanding of those safety boundaries, we have a better chance of protecting the system from crossing over those thresholds and tipping into failure. As a system moves toward its limits of safe operation, recovery is still possible, but will be slower. Understanding thresholds can help us navigate the tricky goal of optimizing system performance (gotta go fast!) while preserving the ability to recover quickly.

Finally, remember that complex systems are nonlinear. What may seem like a minor change can be the proverbial final straw that pushes the system past its resilience threshold. As eloquently stated by ecological resilience scholars, “relatively small linear changes in stressors can cause relatively abrupt and nonlinear changes in ecosystems.”²⁸ It is never just one factor that causes failure, but an accumulation that breaches the boundaries of the system’s safe operation.

Interactions Across Space-Time

Because complex systems involve many components interacting with each other, their resilience can only be understood through system dynamics across space and time. As variables (not the programming kind) within your system interact, different behaviors will unfold over time and across the topology of the system. The temporal facets of resilience include the timing of an incident as well as the duration between the incident occurring and recovery of system functionality. The spatial facet is the extent of the incident’s impact—the resulting state of the system across its components, functionality, and capability.

For instance, when considering the resilience of a consumer-facing application against a distributed denial-of-service (DDoS) attack, one or some or all services might be affected. The attack can happen during peak traffic hours, when your servers are already overwhelmed, or during sleep time for your target customers, when your servers are yawning with spare capacity. Recovery to acceptable performance standards might be milliseconds or hours. A long outage in one service can degrade performance in other services to which it’s connected. And an outage across all services can lead to a longer recovery time for the system as a whole. As this example shows, time and space are inherently entwined, and you must consider both when assessing resilience.

There’s one caveat to the notion of “time” here (other than the fact that humanity still doesn’t understand what it really is).²⁹ Time-to-recovery is an important metric (which we’ll discuss in Chapter 5), but as we learned in our discussion of safety boundaries, it’s equally important to consider that there might be preferable alternative states of operation. That is, continually recovering to the current equilibrium is not always desirable if that equilibrium depends on operating conditions that don’t match reality. As in our example of dinosaurs gone wild in Jurassic Park, sometimes you simply can’t return to the original equilibrium because reality has changed too much.

Feedback Loops and Learning Culture

Resilience depends on remembering failure and learning from it. We want to handle failure with ease and dignity rather than just prevent it from occurring; to do so, we must embrace failure as a teacher. Feedback loops, in which outputs from the system are used as inputs in future operations, are therefore essential for system resilience. When we observe an incident and remember the system’s response to it, we can use it to inform changes that will make the system more resilient to those incidents in the future. This process of learning and changing in response to events is known as adaptation, which we introduced earlier in the chapter and will cover in more detail shortly. Unfortunately, we often hear the infosec folk wisdom of how quickly attackers adapt to defenses, but there isn’t as much discussion about how to support more adaptation in our defenses (outside of hand-wavy ballyhoo about AI). SCE aims to change that.

The importance of operational memory for resilience is seen across other domains too. For instance, ecological memory, the ability of the past to influence an ecosystem’s present or future responses,³⁰ involves both informational and material memory. Informational memory includes adaptive responses while material memory includes new structures, like seeds or nutrients, that result from a disturbance.³¹

Maintaining this memory is nontrivial, but diversity within a system helps. Socioecological systems that adapt through modular experimentation can more effectively reorganize after a disturbance.³² When a system’s network of variables is more diverse and the connections between them more modular, failure is less likely to reach all functions within a system. This ability to reorient in the face of failure means that fewer variables and connections between them are lost during a disturbance—preserving more memories of the event that can be used as inputs into feedback loops.

As an example, the urbanization of Constantinople was successful in part because the community learned from repeated sieges upon the city (on average every half-century).³³ These repeated incidents, write archaeology and urban sustainability scholars, “generated a diversity of socioecological memories—the means by which the knowledge, experience, and practice of how to manage a local ecosystem were stored and transmitted in a community.” It wasn’t just historians preserving these memories. Multiple societal groups maintained memories of the siege, leading to adaptations like decentralization of food production and transportation into smaller communities that were less likely to be disrupted by a siege—conceptually akin to a modular, service-oriented architecture that isolates disruption due to a resource spike in one component. Defensive walls were actually moved to make space for this new agricultural use as well as for gardens. These walls served as visual reminders of the lessons learned from the siege and protected those memories from dissolving over time.

As we will continue to stress throughout the book, our computer systems are sociotechnical in nature and therefore memory maintenance by communities is just as essential for systems resilience in our world as it was for Constantinople. No matter who is implementing the security program in your organization, they must ensure that insights learned from incidents are not only stored (and in a way that is accessible to the community), but also leveraged in new ways as conditions change over time. We’re all too familiar with the phenomenon of a company being breached by attackers and suddenly investing a mountain of money and a flurry of energy into security. But, as memory of the incident fades, this enhanced security investment fades too. Reality doesn’t take a break from changing, but not experiencing a shocking event for a while can reduce the need to prepare for them in the future.

A learning culture doesn’t just happen after an incident. Feedback loops don’t happen once, either. Monitoring for changes in critical functions and system conditions is complementary to preserving incident memories. Incidents—whether caused by attackers or security chaos experiments—can provide a form of sensory input that helps us understand causal relationships within our systems (similar to touching a hot stove and remembering that it leads to “ouch”). Monitoring, logging, and other forms of sensing help us understand, based on those causal relationships, whether our systems are nearing the boundaries of safe operation. While past behavior isn’t an indicator of future behavior, the combination of learning from memories, collecting data on system behavior, and conducting experiments that simulate failure scenarios can give us far more confidence that when the inevitable happens, we’ll be prepared for it.

Flexibility and Openness to Change

Finally, maintaining flexibility across space-time is an essential part of resilience. This is often referred to as “adaptive capacity” in resilience engineering.³⁴ Adaptive capacity reflects how ready or poised a system is for change—its behaviors, models, plans, procedures, processes, practices—so it can continue to operate in a changing world featuring stressors, surprises, and other vagaries.³⁵ We must sustain this flexibility over time too, which can get tricky in the face of organizational social dynamics and trade-offs.³⁶

As we mentioned with learning cultures and feedback loops (and will discuss more in Chapter 4), modularity can support resilience. Keeping the system flexible enough to adapt in response to changes in operating conditions is one element of this. The system must be able to stretch or extend beyond its safety boundaries over space and time. (Hopefully you’re starting to see how all the ingredients in our resilience potion complement each other!) Another way to think about this, as David D. Woods pithily puts it, we must “be prepared to be surprised.”

As always, the human element is poignant here too. We, as stakeholders who wish to keep our systems safe, also need to be open to change within ourselves (not just in our machines). We might be wedded to the status quo or we may not want to change course because we’ve already invested so much time and money. Maybe something was our special idea that got us a promotion. Or maybe we’re worried change might be hard. But this cognitive resistance will erode your system’s ability to respond and adapt to incidents. A good decision a year ago might not be a good decision today; we need to be vigilant for when our assumptions no longer ring true based on how the world around us has changed.

There’s never just one thing that will affect your systems; many things will continue to surprise or stress the system, constantly shifting its safety boundaries. Flexibility is the essential property that allows a system to absorb and adapt to those events while still maintaining its core purpose. We’ll never cultivate complete knowledge about a system, no matter how much data we collect. Even if we could, reducing uncertainty to zero may help us understand the system’s state right now, but there would still be plenty of ambiguity in how a particular change will impact the system or which type of policy or procedure would enhance the system’s resilience to a particular type of attack. There are simply too many factors and interconnections at play.

Because we live in this indeterministic reality, we must preserve an openness to evolution and discard the rigidness that status quo security approaches recommend. Building upon the feedback loops and learning culture we discussed, we must continue learning about our systems and tracking results of our experiments or outcomes of incidents to refine our understanding of what a truly resilient security program looks like for our systems. This continual adaptation helps us better prepare for future disruptions and gives us the confidence that no matter what lies ahead, it is within our power to adjust our response strategies and ensure the system continues to successfully fulfill its critical function.

Myth: Robustness = Resilience

A prevalent myth is that resilience is the ability of a system to withstand a shock, like an attack, and revert back to “normal.” This ability is specifically known as robustness in resilience literature. We commonly see resilience reduced to robustness in the cybersecurity dialogue, especially in overzealous marketing (though cybersecurity is not the only domain felled by this mistake). The reality is that a resilient system isn’t one that is robust; it’s a system that can anticipate potential situations, observe ongoing situations, respond when a disturbance transpires, and learn from past experiences.⁴³

A focus on robustness leads to a “defensive” posture. Like the giant oak of Aesop’s fable, robustness tries to fight against the storm while the reeds—much like adaptive systems—humbly bend in the wind, designed with the assumption that adverse conditions will impact them. As a result, the status quo in cybersecurity aims for perfect prevention, defying reality by attempting to keep incidents from happening in the first place. This focus on preventing the inevitable distracts us from preparing for it.

Robustness also leads us to prioritize restoring a compromised system back to its prior version, despite it being vulnerable to the conditions that fostered compromise.⁴⁴ This delusion drives us toward technical or punitive controls rather than systemic or design mitigations, which in turn creates a false sense of security in a system that is still inherently vulnerable.⁴⁵ Extracting a lesson from the frenetic frontier of natural disasters, if a physical barrier to flooding is added to a residential area, more housing development is likely to occur there—resulting in a higher probability of catastrophic outcomes if the barrier fails.⁴⁶ To draw a parallel in cybersecurity, consider brittle internal applications left to languish with insecure design due to belief that a firewall or intrusion detection system (IDS) will block attackers from accessing and exploiting it.

The resilience approach realizes that change is the language of the universe. Without learning from experience, we can’t adapt to reality. Resilience also recognizes that thriving is surviving. Robustness, the ability to withstand an adverse event like an attack, is not enough.

Myth: We Can and Should Prevent Failure

The traditional cybersecurity industry is focused on preventing failure from happening. The goal is to “thwart” threats, “stop” exploits, “block” attacks, and other aggressive verbiage to describe what ultimately is prevention of attackers performing any activity in your organization’s technological ecosystem. While illuminating incident reviews (sometimes called “postmortems”) on performance-related incidents are often made public, security incidents are treated as shameful affairs that should only be discussed behind closed doors or among fee-gated information-sharing groups. Failure is framed in moral terms of “the bad guys winning”—so it’s no wonder the infosec industry discourse often feels so doom-and-gloom. The goal is to somehow prevent all problems all the time, which, ironically, sets the security program up for failure (not to mention smothers a learning culture).

Related to this obsession with prevention is the more recent passion for prediction. The FAIR methodology, a quantitative risk analysis model designed for cybersecurity, is common in traditional security programs and requires assumptions about likelihood of “loss event frequency” as well as “loss magnitude.” The thinking goes that if you can predict the types of attacks you’ll experience, how often they’ll occur, and what the impact will be, you can determine the right amount to spend on security stuff and how it should be spent.

But accurate forecasting is impossible in complex systems; if you think security forecasting is hard, talk to a meteorologist. Our predilection for prediction may have helped Homo sapiens survive by solving linear problems, like how prey will navigate a forest, but it arguably hurts more than it helps in a modern world replete with a dizzying degree of interactivity. Since resilience is something a system does rather than has, it can’t be quantified by probabilities of disruptive events. As seismologist Susan Elizabeth Hough quipped in the context of natural disasters, “A building doesn’t care if an earthquake or shaking was predicted or not; it will withstand the shaking, or it won’t.”⁴⁷

Attempting to prevent or predict failure in our complex computer systems is a costly activity because it distracts us and takes away resources from actually preparing for failure. Treating failure as a learning opportunity and preparing for it are more productive and pragmatic endeavors. Instead of spending so much time predicting what amount of resources to spend and where, you can conduct experiments and learn from experience to continually refine your security program based on tangible evidence. (And this approach requires spending much less time in Excel, which is a plus for most.)

The “bad guys”⁴⁸ will sometimes win. That’s just a dissatisfying part of life, no matter where you look across humanity. But what we can control is how much we suffer as a result. Detecting failures in security controls early can mean the difference between an unexploited vulnerability and having to announce a data breach to your customers. Resilience and chaos engineering embrace the reality that models will be incomplete, controls will fail, mitigations will be disabled—in other words, things will fail and continue failing as the world revolves and evolves. If we architect our systems to expect failure, proactively challenge our assumptions through experimentation, and incorporate what we learn as feedback into our strategy, we can more fully understand how our systems actually work and how to improve and best secure them.

Instead of seeking to stop failure from ever occurring, the goal in resilience and chaos engineering is to handle failure gracefully.⁴⁹ Early detection of failure minimizes incident impact and also reduces post-incident cleanup costs. Engineers have learned that detecting service failures early—like plethoric latency on a payment API—reduces the cost of a fix, and security failure is no different.

Thus we arrive at two core guiding principles of SCE:

1. Expect security controls to fail and prepare accordingly.

2. Do not attempt to completely avoid incidents, but instead embrace the ability to quickly and effectively respond to them.

Under the first principle, systems must be designed under this assumption that security controls will fail and that users will not immediately understand (or care about) the security implications of their actions.⁵⁰ Under the second principle, as described by ecological economics scholar Peter Timmerman, resilience can be thought of as the building of “buffering capacity” into a system to continually strengthen its ability to cope in the future.⁵¹

It is essential to accept that compromise and mistakes will happen, and to maintain a focus on ensuring our systems can gracefully handle adverse events. Security must move away from defensive postures to resilient postures, letting go of the impossible standard of perfect prevention.

Myth: The Security of Each Component Adds Up to Resilience

Because resilience is an emergent property at the systems level, it can’t be measured by analyzing components. This is quite unfortunate since traditional cybersecurity is largely grounded in the component level, whether evaluating the security of components or protecting components. Tabulating vulnerabilities in individual components is seen as providing evidence of how secure the organization is against attacks. From a resilience engineering perspective, that notion is nonsense. If we connect a frontend receiving input to a database and verify each component is “secure” individually, we may miss the potential for SQL injection that arises from their interaction.

Mitigation and protection at the component level is partially due to this myth. Another belief, which practitioners are more reticent to acknowledge, is that addressing security issues one by one, component by component, is comparatively more convenient than working on the larger picture of systems security. Gravitating toward work that feels easier and justifying it with a more profound impetus (like this myth) is a natural human tendency. To wit, we see the same focus on process redesign and component-level safety engineering in healthcare too.⁵² The dearth of knowledge and understanding about how complex systems work spans industries.

The good news is we don’t really need precise measurement to assess resilience (as we’ll detail in Chapter 2). Evaluating both brittleness and resilience comes from observing the system in both adverse and healthy scenarios. This is the beauty of SCE: by conducting specific experiments, you can test hypotheses about your system’s resilience to different types of adverse conditions and observe how your systems respond to them. Like tiles in a mosaic, each experiment creates a richer picture of your system to help you understand it better. As we’ll explore in Chapter 7, we can even approach security as a product, applying the scientific rigor and experimentation that helps us achieve better product outcomes.

Domains outside software don’t have this luxury. We don’t want to inject cyclones onto the Great Barrier Reef as an experiment to evaluate its resilience, nor would we want to inject adverse conditions into a national economy, a human body on the operating table, an urban water system, an airplane mid-flight, or really any other real, live system on which humans depend. Since (as far as we know) computers aren’t sentient, and as long as we gain consent from human stakeholders in our computer systems, then this domain possesses a huge advantage relative to other domains in understanding systems resilience because we can conduct security chaos experiments.

Myth: Creating a “Security Culture” Fixes Human Error

The cybersecurity industry thinks and talks a lot about “security culture,” but this term means different things depending on whom you ask. Infosec isn’t alone in this focus; other domains, especially healthcare,⁵³ have paid a lot of attention to fostering a “safety culture.” But at the bedrock of this focus on “culture”—no matter the industry—is its bellicose insistence that the humans intertwined with systems must focus more on security (or “safety” in other domains). In cybersecurity, especially, this is an attempt to distribute the burden of security to the rest of the organization—including accountability for incidents. Hence, we see an obsession with preventing users from clicking on things, despite the need in their work to click on many things many times a day. One might characterize the cynosure of infosec “security culture” as preventing people from clicking things on the thing-clicking machine—the modern monomania of subduing the internet era’s indomitable white whale.

Discussions about culture offer little impact without being grounded in the reality of the dynamic, complex systems in which humans operate. It is easy to suggest that all would be ameliorated if humans simply paid more attention to security concerns in the course of their work, but such recommendations are unlikely to stick. More fruitful is understanding why security concerns are overlooked—whether due to competing priorities, production pressures, attention pulled in multiple ways, confusing alert messages, and beyond. And then, which work do we mean? Paying attention to security means something quite different to a procurement professional, who is frequently interacting with external parties, than it does to a developer building APIs operating in production environments.

Any fruitful discussion in this vein is often stifled by poorly chosen health metrics and other “security vanity” metrics. They simply don’t provide the full picture of organizational security, but rather lure practitioners into thinking they understand because quantification feels like real science—just as shamanism, humoralism, and astrology felt in prior eras. The percentage of users clicking on phishing links in your organization does not tell you whether your organization will experience a horrific incident if a user ends up clicking something they shouldn’t. If the number of vulnerabilities you find goes up, is that good or bad? Perhaps the number of vulnerabilities found in applications matters less than whether these vulnerabilities are being found earlier in the software delivery lifecycle, if they are being remediated more quickly or, even better, if the production environment is architected so that their exploitation doesn’t result in any material impact. Needless to say, a metric like the percent of “risk coverage” (the goal being 100% coverage of this phantasmal ectoplasm) is little more than filler to feed to executives and boards of directors who lack technical expertise.

The other distressing byproduct of traditional attempts to foster a “security culture” is the focus on punishing humans or treating them as enemies labeled “insider threats.” Status quo security programs may buy tools with machine learning systems and natural language processing capabilities to figure out which employees sound sad or angry to detect “insider threats” early.⁵⁴ Or security teams may install spyware⁵⁵ on employee equipment to detect if they are looking for other jobs or exhibit other arbitrary symptoms of being upset with the organization. In the security status quo, we would rather treat humans like Schrödinger’s attacker than dissect the organizational factors that could lead to this form of vulnerability in the first place. This may placate those in charge, but it represents our failure in fostering organizational security.

Cybersecurity isn’t the only problem domain displaying this tendency. Yale sociologist Charles Perrow observed across complex systems that:

Virtually every system we will examine places “operator error” high on its list of causal factors — generally about 60 to 80 percent of accidents are attributed to this factor. But if, as we shall see time and time again, the operator is confronted by unexpected and usually mysterious interactions among failures, saying that he or she should have zigged instead of zagged is possible only after the fact.⁵⁶

Remarkably, the cybersecurity industry ascribes about the same proportion of failures to “human error” too. The precise contribution of purported “human error” in data breaches depends on which source you view: the 2022 Verizon Data Breach Investigations Report says that 82% of breaches “involved a human element,” while another study from 2021 reported human error as the cause of 88% of data breaches. Of the breaches reported to the Information Commissioner’s Office (ICO) between 2017 and 2018, 90% cited human error as the cause too. But if you dig into what those human errors were, they often represent actions that are entirely benign in other contexts, like clicking links, pushing code, updating configurations, sharing data, or entering credentials into login pages.

SCE emphasizes the importance of outside perspectives. We should consider our adversaries’ perspectives (as we’ll discuss in Chapter 2) and conduct user research (as we’ll discuss in Chapter 7), developing an understanding of the perspectives of those who are building, maintaining, and using systems so that the security program is not based on a fantasy. Adopting a systems perspective is the first step in better coping with security failure, as it allows you to see how a combination of chronic stressors and acute stressors leads to failure.

With SCE, the security program can provide immense value to its organization by narrowing the gap between work-as-imagined and work-as-performed.⁵⁷ Systems will encroach upon their safety thresholds when policies and procedures are designed based on ideal operational behaviors (by humans and machines alike). Expecting humans to perform multiple steps sequentially without any reminders or visual aids is a recipe for mistakes and omissions.

Security programs in SCE are also curious about workarounds rather than forbidding them. Workarounds can actually support resilience. Humans can be quite adept at responding to competing pressures and goals, creating workarounds that allow the system to sustain performance of its critical functions. When the workarounds are eliminated, it’s harder for humans interacting with the system to use a variety of strategies in response to the variety of behaviors they may encounter during their work. And that erodes resilience. Unlike traditional infosec wisdom, SCE sees workarounds for what they are: adaptations in response to evolving conditions that are natural in complex systems.⁵⁸ Workarounds are worth understanding in devising the right procedures for humans to operate flexibly and safely.