Dissertation Defense by Sander Zeijlemaker

Sander Zeijlemaker will defend his dissertation “Unravelling the dynamic complexity of cybersecurity investment decision-making: The delineation of the security dynamics domain” at the Radboud University. Supervisor: prof. dr. E.A.J.A. Rouwette. The presentation is open to the public.

Several recent security incidents show that decision-making on cyber-security can have consequences reaching far into the future. In a world of further digitalization, interconnectedness, and increasing activities of cyber-criminals, the question is how the decision-making needs to adapt to ensure security. The dynamic complex nature of cyber risk is not always fully captured in the current, often static, decision support tools (such as risk assessment, standards, frameworks, benchmark, etc.). This dynamic nature can be found amongst others in changing organizations, evolving adversary tactics, changing priorities, shortage of staff and budget. Consequently 56% of experienced managers and security professionals make suboptimal decisions may yield up to 200% higher cost levels.

Our research following a system dynamics approach identified 14 systemic structures that capture these complex dynamics in cyber security. Supplemented with simulation techniques we were able to mimic real-life decision-making cyber-security eco-system and forecasted future strategic performance of intended strategies. Simulations allow managers to see and follow how their cyber- security decisions will evolve in real-life before making the investments.

We advocate future research to explore how current support tools can be augmented by these simulation techniques.