Making Sense of Cyber. Part One.

I recently attended the Open Security Summit. While there, I met Dave Snowden, who introduced me to his Cynefin Framework, which has sparked a bit of a journey for me ever since.

Cynefin is an interesting Welsh word with no real English translation, but it has been described as follows: “It describes a relationship: the place of your birth and of your upbringing, the environment in which you live and to which you are naturally acclimatised”.

The Cynefin Framework provides a method for understanding the environment, or domain, that you are operating in. It also provides guidance on how to understand the problems you face within each type of environment and what types of decision making and actions are most likely to succeed.

The basis of the Cynefin Framework

The Cynefin framework breaks the situations you find in the world into five domains: Simple, Complicated, Complex, Chaotic and Disorder.

The Simple domain is when we fully understand the cause and effect of events and all we need to do is sense the event, categorise it according to known event types and then respond in a planned manner. The Simple domain is the domain of ‘best practice’, where we can learn what works, capture that knowledge and reuse it over and over again.

The Complicated domain is when we can fully understand the cause and effect of events but don’t by default. Here we need to sense the event, analyse it using structured frameworks and expert knowledge and then create an appropriate response. The Complicated domain is the domain of ‘good practice’ where experts can understand what works and capture the process of understanding to reuse again and again.

The Complex domain is when we can’t fully understand the relationship between cause and effect; events and behaviour emerge that we cannot predict, and even when we are able to explain them in hindsight, the explanation provides us with no framework for reuse. Here we need to probe the environment with experiments to find patterns that are beneficial or harmful and then encourage the former and suppress the latter. This is the domain of ‘emergent’ practice, where we learn what works as we go.

The Chaotic domain is when we can’t fully understand the relationship between cause and effect, and there are no patterns to discover. Unpredictable events occur without a discernible pattern. The goal if you find yourself in a chaotic domain is to act first, see what happens and then respond. The goal is to get out of this domain as quickly as possible, including through changing the domain or environment to introduce more order if necessary.

The Disordered domain is when we apply the wrong approach to the domain we are in, either because we mistakenly believe we are in a different domain than we are or because we are transitioning from one domain to another.

Dave created the Cynefin framework as a ‘sense-making’ approach without reference to a particular scope of interest. As you can imagine, I am focused on cybersecurity as an area of interest, and I think that this provides an insightful lens for understanding the failures and the opportunities of cybersecurity risk management.

Having introduced the Cynefin Framework here, in my next post I’ll apply it to cybersecurity risk management.