Uncertainty in security: managing cyber senescence
Martijn Dekker
TL;DR
The paper argues that cybersecurity is aging due to complexity, interdependencies, and a proliferation of uncertain controls, a phenomenon it terms cyber senescence. It links regulatory progress (NIS2, DORA) and the limits of risk quantification to the challenge, while highlighting the unfalsifiability of security claims and the resulting waste accumulation. Through a three-part research agenda—improving local decision-making under uncertainty, shaping regulation to foster resilience, and managing security waste—the work outlines a path toward sustainable, governance-aware cyber defense. The findings stress the need for systemic, long-horizon thinking to prevent systemic decay in the digital infrastructure that underpins modern society.
Abstract
My main worry, and the core of my research, is that our cybersecurity ecosystem is slowly but surely aging and getting old and that aging is becoming an operational risk. This is happening not only because of growing complexity, but more importantly because of accumulation of controls and measures whose effectiveness are uncertain. I introduce a new term for this aging phenomenon: cyber senescence. I will begin my lecture with a short historical overview in which I sketch a development over time that led to this worry for the future of cybersecurity. It is this worry that determined my research agenda and its central theme of the role of uncertainty in cybersecurity. My worry is that waste is accumulating in cyberspace. This waste consists of a multitude of overlapping controls whose risk reductions are uncertain. Unless we start pruning these control frameworks, this waste accumulation causes aging of cyberspace and could ultimately lead to a system collapse.
