Table of Contents
Fetching ...

Uncertainty in security: managing cyber senescence

Martijn Dekker

TL;DR

The paper argues that cybersecurity is aging due to complexity, interdependencies, and a proliferation of uncertain controls, a phenomenon it terms cyber senescence. It links regulatory progress (NIS2, DORA) and the limits of risk quantification to the challenge, while highlighting the unfalsifiability of security claims and the resulting waste accumulation. Through a three-part research agenda—improving local decision-making under uncertainty, shaping regulation to foster resilience, and managing security waste—the work outlines a path toward sustainable, governance-aware cyber defense. The findings stress the need for systemic, long-horizon thinking to prevent systemic decay in the digital infrastructure that underpins modern society.

Abstract

My main worry, and the core of my research, is that our cybersecurity ecosystem is slowly but surely aging and getting old and that aging is becoming an operational risk. This is happening not only because of growing complexity, but more importantly because of accumulation of controls and measures whose effectiveness are uncertain. I introduce a new term for this aging phenomenon: cyber senescence. I will begin my lecture with a short historical overview in which I sketch a development over time that led to this worry for the future of cybersecurity. It is this worry that determined my research agenda and its central theme of the role of uncertainty in cybersecurity. My worry is that waste is accumulating in cyberspace. This waste consists of a multitude of overlapping controls whose risk reductions are uncertain. Unless we start pruning these control frameworks, this waste accumulation causes aging of cyberspace and could ultimately lead to a system collapse.

Uncertainty in security: managing cyber senescence

TL;DR

The paper argues that cybersecurity is aging due to complexity, interdependencies, and a proliferation of uncertain controls, a phenomenon it terms cyber senescence. It links regulatory progress (NIS2, DORA) and the limits of risk quantification to the challenge, while highlighting the unfalsifiability of security claims and the resulting waste accumulation. Through a three-part research agenda—improving local decision-making under uncertainty, shaping regulation to foster resilience, and managing security waste—the work outlines a path toward sustainable, governance-aware cyber defense. The findings stress the need for systemic, long-horizon thinking to prevent systemic decay in the digital infrastructure that underpins modern society.

Abstract

My main worry, and the core of my research, is that our cybersecurity ecosystem is slowly but surely aging and getting old and that aging is becoming an operational risk. This is happening not only because of growing complexity, but more importantly because of accumulation of controls and measures whose effectiveness are uncertain. I introduce a new term for this aging phenomenon: cyber senescence. I will begin my lecture with a short historical overview in which I sketch a development over time that led to this worry for the future of cybersecurity. It is this worry that determined my research agenda and its central theme of the role of uncertainty in cybersecurity. My worry is that waste is accumulating in cyberspace. This waste consists of a multitude of overlapping controls whose risk reductions are uncertain. Unless we start pruning these control frameworks, this waste accumulation causes aging of cyberspace and could ultimately lead to a system collapse.
Paper Structure (10 sections, 2 equations, 6 figures)

This paper contains 10 sections, 2 equations, 6 figures.

Figures (6)

  • Figure 1: NIST CSF 2.0
  • Figure 2: wef
  • Figure 3:
  • Figure 4: uncertainty and risk
  • Figure 5: the mechanism of cyber senescence
  • ...and 1 more figures