The environment of cybersecurity is complex and uncertain, but it is at times framed in the context of a game that is predictable and defined by rules. This approach can lead to an overreliance on advanced cybersecurity tools to predict and prevent incidents. It may also result in placing too much pressure on IT experts to succeed 100% of the time in an asymmetric environment where cybercriminals dictate the terms and only have to succeed once to cripple an organization.
It is helpful to use tools and models based on available empirical data to guide our actions . . .