Acting in the unknown: the cynefin framework for managing cybersecurity risk in dynamic decision making

J. Dykstra, S. R. Orr
2016 International Conference on Cyber Conflict (CyCon U.S.), published 2016-10-01. DOI: 10.1109/CYCONUS.2016.7836616 (https://doi.org/10.1109/CYCONUS.2016.7836616)
Citations: 9

Abstract

Researchers have shown that human decision making in complex environments like cyber is a significant risk factor. Unfortunately, much work on cyber situational awareness has been technology-focused, despite the ultimate importance of human decisions, especially in crisis situations like real-time cyber-attacks and data breaches. Cybersecurity practitioners and leaders require an appropriate framework to help decision makers at all levels guide and act while managing risk in unexpected and dynamic situations. Without such a framework, failure to enlighten the unknown leads to heightened risk, uncertainty, and insecurity. The ability to establish context, adapt, and apply the most appropriate decision-making style to unique situations increases the likelihood of security. We offer an application of the Cynefin Framework, a sensemaking solution, to cybersecurity which allows practitioners and leaders to identify the context and appropriate response type in complex situations using the cause-and-effect relationship. We also illustrate how orienting oneself in the five Cynefin domains – disorder, obvious, complicated, complex, and chaotic – can help manage risk. By comparing Cynefin to other decision-making frameworks, we show how this framework is uniquely appropriate for acting through complexity and risk in cyber.