Cyber security: Wicked problems, messes and metaphors

Cyber security: Wicked problems, messes and metaphors

Summary: A wicked problem such as cyber security requires a holistic/system oriented solution as opposed to the “point solutions” that currently pervade cyber security industry thinking.

TOPICS: Security

Commentary - Cyber security is an incredibly complex, problem that might be dubbed a “wicked problem” or “mess”, both literally as well as figuratively. In fact, the field of Morphological Analysis (‘MA’) is a field of study specifically “designed for multi-dimensional, non-quantifiable problems with seemingly non-reducible complexity” and defines different classes of challenges as follows:

Problem = Well formulated/defined issue, but with no single solution

Puzzle = Well defined problem with a specific solution

Mess = Complex issue which is not well formulated or defined (“Wicked Problem”)

From MA’s perspective, a mess or a wicked problem such as cyber security requires a holistic/system oriented solution as opposed to the “point solutions” that currently pervade cyber security industry thinking. In other words, problem and puzzle contexts cannot be used to solve messes. As noted by Michael Pidd in his book, Tools for Thinking, “One of the greatest mistakes that can be made when dealing with a mess is to carve off part of the mess, treat it as a problem and then solve it as a puzzle -- ignoring its links with other aspects of the mess.”

Another potent thinking aid or tool that can help characterize the context of the challenges facing cyber security is the use of metaphors. According to an extremely thoughtful and creative report by Sandia National Laboratories, ‘fortress’ and ‘cops and robbers’ are the two most prevalent metaphors used in cyber security today. The embodiment of these metaphors can be easily discerned in today’s security implementation stack of firewalls, anti-virus, intrusion prevention and detection systems and forensic analysis toolkits. Much has been written about the shortcomings of the fortress metaphor due to its static embodiment in an increasingly dynamic and mobile digital world, as well as the futility of the cops and robbers model against low-cost, dynamically changing malware, whose attribution is proving difficult to say the least. Suffice it so say, the exploration of new metaphors and models would be both intuitively appealing and empirically justified.

The Sandia report articulates other potential metaphoric models that seem to resonate more vigorously with cyber security, such as “warfare” (enemies, weapons tactics etc.) and biology/healthcare (importance of heterogeneity, programmed cell suicide/apoptosis, the role of disease enumeration in medicinal development and the importance of a system/ecosystem oriented approach). We strongly believe that the warfare and healthcare/biology metaphors both accurately reflect or model cyber security’s actual problem dynamics. However, we will focus on the warfare metaphor for purposes of this discourse for sake of expediency, as well as to directly address and dispel the currently popular notion that attackers have a natural asymmetric advantage over defender’s,.

It is true that attackers can choose where, when, how and how often to attack, they only need to find one weakness to be successful, while defenders need to protect against all and that to make matters worse, attackers possess potent, automated technologies for the distribution, morphing and attack payloads of cyber weapons, having simply ‘out innovated’ defenders, out maneuvered, out strategized and by default out generalled the software security industry. That’s the bad news. The good news is that although attackers have been winning battles, we are still at war and the history of warfare has historically been a see-saw of alternating advantage between attackers and defenders. Here’s a few ways that defenders can not only even the odds and win a few battles, but also potentially win the war:

  • The defense not only knows the terrain, it created the terrain and can change the terrain.
  • Message: Time to retake the high ground and redefine the battle.
  • The defense can dig in and “mine the easy path”.
  • Message: Materially reduce attack surfaces and remove automation as an attack tool
  • The defense can invent new technologies to revert the balance of power back to defenders.
  • Message: In war as in IT, you need to innovate to win.

The simple truth is that if you ask the wrong questions, think the wrong thoughts or develop the wrong metaphors, it’s easy to get lost and lost we clearly seem to be. But we are not lost without hope or a compass, for metaphor and systems-oriented thinking has much to add to the way in which we think about the problem of cyber security.

David Lowenstein is the CEO and co-founder of Federated Networks, an IT security company. He has successfully led corporations in the business process outsourcing, education and environmental services industries. He is currently the Chairman of the Board of Princeton Review.

Risu Na is the CTO and co-founder of Federated Networks. He has led development teams to create e-learning systems and co-founded iSoftech, a cloud-based knowledge management software manufacturer.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Cyber security: Wicked problems, messes and metaphors

    Guys,<br><br>Please acknowledge intellectual debt with appropriate references as follows:<br><br>1. Wicked problem - coined by Rittel and Webber in 1973<br>2. Mess/Problem/Puzzle - Michael Pidd in the mid 90's<br>3. Morphological analysis - Fritz Zwicky (1930s) and Tom Ritchey (from the 90s), particularly the computerised, facilitated version.<br><br>Regards,<br>Nasir Hussain<br>
    • RE: Cyber security: Wicked problems, messes and metaphors


      Tx. Nasir for the comment. We agree the intellectual debt is huge and to clarify we do quote Pidd above. As an aside, i have had some recent correspondence with Tom Ritchey personally thanking him for his seminal work as it has had a material impact on our thought processes and resultant solutions. Candidly, this article and several others are excerpts of a white a
      paper that more fulsomely references all of the individuals noted, and this article and several others are excerpts and we simply missed re-including the full references in each of these smaller, editorialzed pieces. Point well taken and our bad, as this article should have referenced more that just Pidd, as noted.

      David Lowenstein
      CEO, Federated Networks