Software Engineering Institute

This presentation was given at FloCon 2023, an annual conference that focuses on applying any and all collected data to defend enterprise networks.

Given the continuous flux of cyber environments, let alone the tactics and techniques of threat actors, organizations struggle to make timely risk-based decisions in the selection of control strategies. At times, some controls can inhibit the performance of an organization by adding complexity to the environment (e.g., new training needed, configuration challenges, and technical debt).

This presentation proposes and explores a novel means to measure cyber environment complexity. By measuring the complexity of any given network, organizations can gain an appreciation for the benefits and challenges each layer of defense adds to a security stack. This presentation will define "Cyber Complexity" in terms of technical debt, interfaces, and organizational capability. Each of these elements will also be decomposed and examined for possible means of quantification. The audience will gain a better appreciation for risk-based decisions and the demonstrable need for better measurement of cyber environments to drive those decisions.

Attendees will learn about a new approach to quantifying complexity in a cyber environment. Furthermore, the audience will learn how to utilize those measurements to make better risk-informed decisions.