From the Fall 2025 Issue

Unified Linkage Models: Recontextualizing Cybersecurity

Henry J. Sienkiewicz
Faculty | Georgetown University

      
Unified Linkage Models

I. Introduction

Cybersecurity frameworks have traditionally relied on a hierarchical approach to map assets, threats, and controls, mappings often done in a static, linear fashion.  While enormously useful and highly effective for baseline security posture, these models often fail to account for the dynamic and evolving relationships between system components. This is in part because organizations are inherently more comfortable with order, pretending people and things follow rules.  In reality, though, cyberspace is inherently the opposite of order.  It is messy, disordered; sometimes this is on purpose, often not.

Unlike checkers or chess, cybersecurity is more analogous to a three-dimensional game of Go, concurrently played physically and virtually.

Figure 1: Three-dimensional Game of Go

In today’s distributed, adaptive  environments, risk does not reside solely in individual assets but in the changing nature of how those assets interact. These relationships are frequently the true vectors of vulnerability. Without explicitly modeling these relationships, the traditional frameworks may overlook the emergence of conditions that lead to system risks. Unlike checkers or chess, cybersecurity is more analogous to a three-dimensional game of Go (see figure 1), concurrently played physically and virtually. With unwritten rules, the game is constantly evolving and changing. Similar to cyberspace, this game demands continuous adaptation and pattern recognition. Players must anticipate visible moves, hidden strategies, shifting alliances, and the emergence of new pieces. In such an environment, mastery does not come from memorizing fixed plays, but rather from recognizing linkages and developing the agility to respond to threats and opportunities in real time.

As cyber environments have become complex and hyperconnected, risks now emerge from linkages—such as inherited access, decaying trust, or adjacent systems—not just from isolated components. Unified Linkage Modeling (ULM) shifts the perspective by recontextualizing cybersecurity around these fluid, relational patterns. In the ULM, hierarchy, rhizomatic and chaos-centric are not just descriptive metaphors, but are structural paradigms or network archetypes that shape how linkages (adjacency, trustworthiness, inheritance) manifest and behave. The ULM’s hierarchical, rhizomatic, and chaos-aware lens—coupled with an understanding of linkages—is not optional but essential for achieving resilient, adaptive, and responsive cyber governance in complex systems.

II. Linkages and Network Archetypes

In this digital landscape, the concept of linkages—structural and functional connections between components in a system — is a foundational element in understanding, securing, and governing cyber environments. Across disciplines from systems theory to strategic design and network architecture, linkages define how entities relate, communicate, and influence one another. They serve as the conduits of value, the vectors of risk, and the basis for trust in both technical systems and human governance models. This article serves as part of a non-sequential series of articles and whitepapers that reframe and analyzes cybersecurity through the ULM lens, while establishing foundational distinctions between technical connections and the broader, strategic idea of linkages.

Linkages are not mere technical connectivity, not just routes, nor lines on a network diagram. Linkages are commitments, commitments that bind actors, systems, or processes to shared purpose.[1] [2] Yet, such commitments are seldom permanent; they are shaped by evolving operational needs, infrastructure upgrades, and the inherent pace of technological change. This impermanence demands ongoing scrutiny of how linkages are formed, maintained, and retired.

Connections describe the direct technical or physical pathways between systems—such as a network socket or API call—without context. Linkages, by contrast, encompass the social, operational, and historical commitments embedded in those connections, including trust relationships, inherited permissions, and proximity-driven risk.

Meaningful linkages are intentional, value-bound, and resilient. A linkage is a commitment to collaboration, trust, and accountability. It is not merely about connecting components, but about engineering relationships that are mission-aligned, resilient, and dynamically secure. A linkage is like a treaty between systems, not just a handshake on the wire.

In the context of the ULM, value is the utility, benefit, or operational significance exchanged or enabled through a linkage between system elements. This value may be tangible—such as data, processing capability, or access rights—or intangible, including trust, authorization, or reputational standing. Value is not static; the context, role, and function of the nodes involved define it.

Value flow is the movement or exchange of value across different connections. It reflects the purpose and utility of the connection, indicating why the linkage exists within the system. It can be transmitted in three different ways: between peer nodes, through hierarchical structures, or via intermediaries.

Within ULM, understanding value and value flow is essential to analyzing why linkages exist, how they are prioritized, and what protections they require. These concepts serve as the basis for identifying critical relationships and designing secure, purpose-driven, and resilient cyber-physical systems.

Picture 1
Figure 2: ULM, hierarchical, rhizomatic, and chaos-informed environments

The concept of ULM is also a synthesized theory and framework designed to unify three key network archetypes of cyber systems: hierarchical architectures, rhizomatic networks, and chaos-informed environments. Each of these structural paradigms approaches connectivity and control differently—hierarchical systems emphasize centralized authority and structured flows, while rhizomatic systems reflect decentralized, nonlinear webs of influence; and chaos-based models account for emergent behavior and unpredictable transformations. ULM seeks to integrate these views by using specific linkage types (see figure 2)adjacency, trustworthiness, and inheritance—as diagnostic and prescriptive tools for system understanding and design, and as a single, cohesive framework.  The word “Unified” is used to distinguish it from fragmented or one-dimensional approaches and reflects its role in structuring systemic relationships. Further, many cybersecurity models lack dimensional depth, relying on rudimentary definitions that conflate terms like “connection” and “linkage.” This oversimplification obscures the structural,   behavioral, and inherited complexities ULM seeks to distinguish and model. [3] [4]

While ULM was not conceived with Ken Wilber’s integral theory in mind, an observational comparison is instructive. ULM’s synthesis of adjacency, trustworthiness, and inheritance across technical, organizational, and behavioral layers echoes Wilber’s quadrant and level integrations. Both emphasize the need to move beyond reductionist perspectives toward holistic, systems-level awareness in understanding complex relationships.[5]

To advance from conceptual promise to field application, the ULM framework (ULMF) must undergo maturation across two axes: operational deployment and scientific formalization. The framework introduces five core constructs— rhizomatic, chaos-based, adjacency, inheritance, and trustworthiness. However, additional work to define typologies, ontological mappings, and measurable outputs is required. Without this analysis, this framework is primarily conceptual.

On the operational front, implementation demands graph-compatible toolkits capable of parsing live system states and rendering dynamic linkage maps. Integration with log telemetry (e.g., token exchanges, certificate chains, BACnet object hierarchies) must support real-time trust scoring and anomaly detection. Trust-first deployment phases may offer the most practical entry point, allowing early value creation without complete system reengineering. Such approaches align with use-case scenarios already piloted in identity assurance and cyber-physical systems.

Simultaneously, academic rigor requires the formalization of the ULM framework as a structured graph model, grounded in systems theory and complex network science. Formal semantics, operational predicates, and mechanisms for decay, propagation, and inheritance of attributes should accompany each linkage type. These constructs should not only be visual but also computable. Comparative evaluations and integration with established frameworks—like MITRE ATT&CK’s focus on attacker Tactics, Techniques, and  Procedures (TTP) or the FAIR Institute’s probabilistic risk modeling—must be conducted in order to validate the ULM framework’s unique explanatory power.

Without this analysis, ULMF risks being interpreted as an aspirational philosophy rather than a practical or testable model. Additional and subsequent articles in this series develop and will outline a dual-path roadmap for ULM development, providing specific milestones for software prototypes, analytic metrics, academic submission, and standards integration. These elements are essential not just for adoption, but for enduring legitimacy.

III. Linkages: Adjacency, Trustworthiness, Inheritance

Linkages are conceptual and operational threads, that bind a system’s components together, representing the channels through which information, control, accountability, and value flow.

In cybersecurity, as well as in broader systems thinking, linkages are more than mere points of connection. Linkages are conceptual and operational threads, that bind a system’s components together, representing the channels through which information, control, accountability, and value flow.

Figure 3: ULM, Adjacency, trustworthiness, and inheritance integration

Conceptually, a linkage is a structural and strategic connection point that enables interaction, coordination, or mutual recognition between discrete elements of a system. These elements might be devices, processes, identities, nodes, or even organizational mandates.

A linkage is distinguished from mere connectivity in its functional role. While connections have a transmission role, linkages have a role in maintaining coherence, resilience, and purpose across dynamic, often distributed systems.

All linkages are not equal. Some exist by proximity, while others are deliberately configured; some arise from mutual trust, while others depend on hierarchical delegation or inherited access. To analyze linkages effectively, three primary modalities through which linkages manifest in cyber systems can be identified: adjacency, trustworthiness, and inheritance (see figure 3).[6][7]

Figure 4: Linkages across distributed cyber systems

Figure 4 illustrates how cybersecurity linkages—adjacency, trustworthiness, and inheritance—connect distributed systems (see figure 4). Each linkage type is represented with a distinct line style, showing how different relationships maintain coherence, resilience, and purpose across a network.

A. Adjacency: Proximity and Interaction

Adjacency refers to linkages formed through physical or logical proximity. In network terms, this could mean shared access domains, routing paths, or cloud tenancy. In operational environments, it might be co-located systems or departments with overlapping functions. Adjacency-based linkages are often the most vulnerable, as proximity does not imply intentionality or trust. For example, two unsegmented systems sharing the same network space may inadvertently expose each other to risk, despite having no shared purpose or governance. In rhizomatic systems—non-hierarchical, web-like structures—adjacency is foundational, as influence propagates through local, trust-agnostic proximities rather than centralized control, exposing systems to compliance drift and trust misalignments.[8] [9] Trust-agnostic proximities refer to relationships or interactions within a system where spatial, logical, or functional closeness does not imply any verified trust or authorization. These proximities often enable lateral movement, data leakage, or privilege escalation when systems assume adjacent entities are inherently trustworthy.

B. Trustworthiness: Verified Integrity and Accountability

Trustworthiness refers to the degree to which a relationship between systems or identities has been verified, validated, and remains consistent with intended policy or behavioral expectations. In practice, low trustworthiness can allow unauthorized access or lateral movement when identities or systems are implicitly assumed to be safe without current revalidation. Trustworthiness-based linkages are formed through demonstrated reliability, integrity, and adherence to standards. These linkages imply that one system or actor is trustworthy and reliable enough to interact with or rely upon by another. This approach is a foundational element in the design of numerous cybersecurity protocols, including zero-trust architectures, digital certificates, and federated identity schemes.  Trustworthiness is not static; it must be continuously evaluated. Systems that manage identity, authorization, and behavior analytics govern trust-based linkages. Importantly, these linkages embed value and accountability—they are formed because one party agrees to be bound by the norms or expectations of another.[10]

C. Inheritance: Delegation and Transitive Risk

Inheritance describes the residual transfer of configurations, permissions, systems, or access relationships over time without deliberate reevaluation. Inheritance-based linkages are those created through the transfer of authority, access rights, or system dependencies. This is least visible form but most strategic form of linkage. Inheritance linkage reflects historical, political, or architectural design decisions that have shaped the area’s development. In cloud environments, inheritance linkages may be seen in role-based access controls (RBAC) or trust relationships between domains. In operational technology (OT) environments, legacy systems may inherit exposure due to protocols or configurations established decades earlier. Inheritance carries with it both transitive trust and transitive risk. A single compromised linkage can cascade through an entire system if the inheritance paths are not tightly managed or constrained.[11]

Again, all linkages are not equal. Each one has its level of security, can be attacked in different ways, and requires a unique management approach. It is important to understand these differences when it comes to analyzing risk, deciding what controls to focus on, and creating strong cybersecurity systems that can adapt to and stay secure against complex threats in the real world.

IV. Network Archetypes Evolution

Figure 5: Intersection of hierarchical architectures, rhizomatic networks, and chaos-informed environments

As cyber systems became more interconnected and adaptive, the limitations of hierarchical models grew apparent. It has become evident that there is a need for alternatives or augmentations. To that end, resilience requires models that anticipate non-linear behaviors, accommodate distributed decision-making, and allow for rapid reconfiguration. This shift invites the integration of rhizomatic and chaos-informed network models—where systems are less reliant on command hierarchies and more on localized intelligence, adaptive trust, and emergent properties. The reality is that the cyber environment and its associated risks lies at the intersection of these three models (see figure 5). Unified linkage models can bridge traditional architectures with new structural paradigms of cybersecurity resilience.

A. Traditional Hierarchical Linkage Models

Cybersecurity architectures have traditionally relied on hierarchical models. These models establish clear authority structures, defined communication channels, and centrally governed policies. Hierarchical systems use linkages that cascade downward. They rely on authority, procedural inheritance, and layered adjacency to protect information assets. These principles underpin the established practices in the domains of network design, enterprise architecture, and compliance frameworks.[12] [13]

A1. Canonical Examples of Hierarchical Models

Hierarchical linkage models are best exemplified by three canonical frameworks: defense-in-depth, the Open Systems Interconnection (OSI) model, and top-down network design.

  • Defense-in-depth is a multilayered strategy that assumes that no single security control is sufficient to stop all attacks. It employs a series of layered defenses—firewalls, intrusion detection systems, endpoint protections, access controls, and monitoring—each linked vertically in a stack of preventive and reactive measures. Linkages in this model are tightly coupled with defined roles and zones of control.[14]
  • The OSI model conceptualizes network and system as a sequence of discrete layers, from physical transmission (Layer 1) up to application-level processes (Layer 7). Each layer serves a specific function and interfaces with the layer directly above and below it. The linkages here are adjacency-based (proximity between layers) and inheritance-based (where higher layers assume trust or state from lower ones).[15]
  • Top-down network design starts with business and security requirements and systematically flows downward into logical and physical configurations. The linkages are policy-driven and embedded in the system “blueprints,” reflecting command-and-control structures.

These architectures prioritize bounded control. The linkages are both traceable and enforceable. Access rights, information flows, and device relationships are explicitly defined, allowing security teams to implement policy-driven monitoring and audits. Bounded controls are cybersecurity or governance mechanisms that are confined in scope, effectiveness, or applicability due to organizational, technical, or contextual constraints. These controls often fail to address emergent risks or inherited weaknesses that fall outside their predefined operational boundaries.[16]

A2. Strengths of Hierarchical Linkage Models

Hierarchical models have a clarity of authority and a structural rigidity. Roles and responsibilities are known and well-defined. Administrators control the infrastructure. Users operate within permission boundaries. Firewalls and VLANs constrain data flows. This architecture:

  • Enables regulation and compliance: Hierarchical systems map cleanly to auditing standards (e.g., NIST, ISO 27001, HIPAA) because responsibilities and data paths are explicitly assigned.
  • Simplifies access control and identity management: Central directories (e.g., Active Directory) enforce group policies across assets.
  • Allows for consistent monitoring: Network traffic and system logs can be reliably collected and correlated due to predictable linkage patterns.

In environments with stable threat models and well-understood operational processes—such as traditional enterprise IT or regulated sectors—hierarchical linkage models provide robust, enforceable security postures.

A3. Weaknesses and Emerging Limitations

However, hierarchical systems suffer critical limitations in dynamic, distributed, or adversarial environments. Their rigidity, once a strength, becomes a liability when confronted with emergent or non-linear threats.

  • Vulnerability to insider threats: Since authority and access rights cascade downward, a single compromised user or credential can bypass multiple layers of defense. This makes hierarchical linkages brittle when insider risk is not continuously assessed and managed.
  • Lateral movement blind spots: Once attackers gain a foothold, they often exploit adjacent systems horizontally—an attack vector that hierarchical systems struggle to contain. The linkages within a layer (e.g., peer-to-peer server trust) often lack scrutiny.
  • Poor adaptability to novel attacks: Hierarchical architectures struggle with polymorphic malware, supply chain attacks, and AI-based exploits that do not follow predictable attack paths. These threats evolve faster than the policy and configuration updates typical of top-down designs.

Moreover, inherent trust assumptions pose systemic risks. Linkages often depend on bounded adjacency (e.g., trust everything on the same subnet) or explicit inheritance (e.g., a child process inherits the parent’s privileges). If those boundaries or assumptions are breached, cascading failure can result.

B. Rhizomatic Networks and Linkage Decentralization

Deleuze and Guattari’s philosophical notion of the rhizome, developed in A Thousand Plateaus, offers a compelling theoretical framework for understanding decentralized, non-hierarchical systems. Unlike the traditional arboreal or tree-like model of knowledge and power (which is centralized and bounded), but to similar to the bad actor group Anonymous, rhizomes operate through multiplicity, emergence, and connection without a central point of control. In cyber systems, rhizomatic structures provide a conceptual model for analyzing complex, adaptive networks such as botnets, disinformation campaigns, or decentralized identity fraud rings (see figure 6).[17]

Figure 6: Hierarchical vs. Rhizomatic Threat Structures (conceptual illustration)

In cybersecurity, rhizomatic networks pose a particularly challenging threat due to their flat topology, persistence, and self-replicating nature. These systems feature a distributed and decentralized architecture. Instead of relying on one source of authority or access, they disseminate information through a network of interconnected nodes, driven by recursive logic. Disinformation networks, for instance, operate without central coordination yet achieve coherence through mutual reinforcement, virality, and algorithmic amplification. Similarly, modern identity fraud rings—enabled by synthetic identity creation, token reuse, and credential stuffing—mimic a rhizomatic spread: they persist by exploiting and mutating through weak linkages, rather than by compromising a central authority.[18]

One of the most significant dangers posed by rhizomatic structures is their ability to obfuscate centerlines—the directional pathways of influence, control, or value that traditional cyber defense models assume exist. Rhizomatic systems exploit this by hiding their root systems, blending into legitimate traffic, or fracturing themselves across jurisdictions and digital platforms. In so doing, they evade perimeter-based defenses and exploit the fragile trust assumptions embedded in hierarchical architectures.[19]

Within these environments, emergent linkages arise organically rather than through prescribed architectures. These linkages include influence pathways—how one compromised or persuasive node can shift sentiment or behavior across a wider system—as well as identity fraud propagation networks, in which compromised credentials or behavioral data are used to spawn synthetic identities that further expand the web.

These emergent patterns are not evident through traditional asset-based or topology-based mapping. Patterns are only apparent through an understanding of behavior, timing, and probabilistic connections.

The ULM addresses this complexity by enabling cyber defenders to identify and respond to latent and nonlinear linkages within rhizomatic systems. Rather than mapping only explicit hierarchies or network architectures, ULM overlays behavioral linkage graphs—structures that detect linkages based on co-occurrence, temporal correlation, or behavioral similarity. This shift allows defenders to identify the presence of rhizomatic behaviors such as repeated identity spoofing across platforms, shared language and timing in disinformation narratives, or token inheritance anomalies in federated access systems.

The rhizomatic framework is designed to model decentralized, adaptive networks. Its strength is in providing an understanding of dynamic environments such as Internet-of-Things (IoT) ecosystems or countering bad actor groups such as Anonymous. However, rhizomatic systems often have a lack of clear lines of authority or accountability, which makes governance and enforcement challenging. The unpredictability and opacity can also obscure risk propagation paths, which makes monitoring and incident response more difficult.

Rhizomatic networks thus become not impenetrable chaos but observable, interpretable systems—albeit ones that require novel tools and conceptual models to govern them.

By integrating behavioral linkage analysis, ULM provides a strategy for detecting, modeling, and intervening within cyber environments that defy static mapping. Nodes are no longer assessed solely by their location or authority but by their interaction patterns and the density of emergent trust indicators or anomalies. Rhizomatic networks thus become not impenetrable chaos but observable, interpretable systems—albeit ones that require novel tools and conceptual models to govern them.

In an era where cyber adversaries increasingly rely on decentralization, deception, and adaptive replication, the ULM framework’s rhizomatic-aware lens is not optional—it is essential for achieving resilient, responsive cyber governance.[20]

C. Chaos Theory and Linkage Bifurcations

With roots in nonlinear dynamics and mathematical sensitivity analysis, chaos theory provides a third lens for interpreting and mapping modern cybersecurity environments. At its core, chaos theory explains how slight variations in initial conditions can lead to outcomes that diverge exponentially. In cybersecurity, this principle manifests in the propagation of threats, erosion of trust, and decision-making under uncertainty. As systems grow more interconnected and decentralized—especially across cloud, information/operational technology integrations, and identity infrastructures—their behavior increasingly mirrors chaotic systems: bounded yet unpredictable, deterministic yet unreproducible.

One area of application of chaos theory in cybersecurity is the concept of bifurcation points, popularly known as the “butterfly effect.” These are instances of system behavior in which slight alterations—for example, a missed patch, a zero-day exploited vulnerability, or a misrouted credential—can have significant consequences, including outcomes that differ from the intended results. One path may preserve integrity. The other path may allow for compromise. For example, in the case of malware propagation, a single unpatched device can facilitate lateral movement and data exfiltration.  These nonlinear trajectories compromise the efficacy of static risk models, necessitating a more dynamic and adaptable framework (see figure 7).[21]

Figure 7
Figure 7: Depiction of a Cyber Bifurcation Cascade

Chaotic linkage structures—connections formed within or across systems that behave unpredictably—complicate the management of digital trust. Unlike stable linkages governed by hierarchy or policy, chaotic linkages often emerge in identity federations, supply chains, or API integrations where implicit trust, rather than verified control, drives interaction. A federated identity token, once granted access to a resource, may cascade through lateral paths—both legitimate and exploited—creating an unstable web of inherited permissions. Over time, trust decay sets in: the original basis for trust (e.g., multi-factor authentication or access review) weakens or expires, but the linkages remain intact. The misalignment between perceived and actual trustworthiness creates an opportunity for adversarial exploitation.[22]

Additionally, the attack surface expands in chaotic environments through emergent node behaviors. Endpoints, applications, or third-party services may interact in ways not anticipated in their initial configurations. This unpredictability renders traditional perimeter defenses insufficient.

Chaotic linkages emerge when these unpredictable connections are reinforced by legacy inheritance, unmonitored adjacency, or false-positive trust signals. This results in a system that superficially appears secure but is, in fact, inherently vulnerable.

Chaos-centric frameworks highlight the importance of initial conditions and feedback loops, making them ideal for understanding threat evolution, trust decay, and emergent vulnerabilities. They offer valuable insight into complex behaviors that arise from seemingly simple inputs, supporting adaptive defense strategies. These models present operational challenges due to their resistance to deterministic control and their ability to circumvent precise forecasting, which is characteristic of the traditional hierarchical frameworks. Their abstract nature routinely exceeds the expectations and capacity of traditional governance models, necessitating new metrics and mental models to manage uncertainty effectively.

The ULM is at the intersection of order and unpredictability. By integrating the structural certainty of hierarchy, the adaptive flexibility of rhizomes, and the responsive modeling of chaos theory, ULM allows cybersecurity professionals to map, monitor, and anticipate bifurcation dynamics. ULM introduces tools for identifying attractor zones—regions within the cyber environment where system states cluster despite variability—and instability boundaries, where small changes are most likely to produce systemic divergence.

Chaos theory reframes cybersecurity modeling not as a problem of defense, but rather as a problem of resilience. It reframes cybersecurity as an ongoing practice of observing, interpreting, and adapting to emergent dynamics. ULM’s incorporation of linkage theory into chaos-aware modeling provides a practical and theoretical approach for building resilient cyber systems.

V. Unified Linkage Model (ULM) Framework (ULMF)

The ULM is an integrative cybersecurity framework that synthesizes hierarchical, rhizomatic, and chaos-aware system theories to better address the evolving nature of modern threat landscapes. Traditional cybersecurity approaches have often emphasized boundary-based defense (e.g., firewalls, segmentation, perimeter control). These strategies alone have proven inadequate against distributed threats, identity compromise, insider risk, and the unpredictability introduced by artificial intelligence and software-defined networks. ULM shifts focus from static architecture to linkage governance, modeling how systems connect, propagate trust, and bifurcate under pressure.

ULM posits that it is not the nodes (devices, systems, users) alone that determine system resilience, but the linkages between them—how trust and adjacency are established, inherited, and manipulated. By combining the rigidity of hierarchical architectures with the flexibility of rhizomatic structures and the unpredictability captured in chaos theory, ULM offers a multi-layered lens and map of cyber ecosystems.

A. ULM Key Characteristics

  1. Dynamic Topology: The ULM is designed for topological fluidity. Topological fluidity refers to the ability of a system’s structure—such as networks or relationships—to shift, reconfigure, or adapt in response to changing conditions or pressures.[23] In contrast to the static architecture of the OSI model or fixed zoning schemas, ULM adapts its structure in response to evolving threats. For example, in the event of anomalous behavior emergence within a federated identity network, ULM can facilitate the real-time recalibration of access linkages without necessitating the comprehensive re-architecting of the system.
  1. Linkage Triad: At the core of ULM are three primary types of linkage. This triadenables modeling of cyber interactions beyond the binary logic of “allowed vs. denied.”
  • Adjacency refers to physical or digital proximity, where systems that share networks, databases, or processing zones (see figure 8).
  • Trustworthiness is an evaluative concept that reflects the behavior, integrity, and verified credibility of a system component (see figure 8).
  • Inheritance concerns the transfer of authority, privilege, or structure—such as token chaining, identity delegation, or access propagation (see figure 8).
    Figure 8: Intersection of adjacency, trustworthiness, and inheritance linkage modalities
  1. Rhizome Detection Overlays: ULM is founded, in part, on Deleuzian philosophy.[24] It incorporates rhizomatic overlays to detect and visualize non-linear, organic patterns in the cyber domain. This is particularly valuable in identifying advanced persistent threats (APTs), lateral movement, and identity fraud networks that thrive in the gray zones of adjacency and indirect influence. The process of rhizome detection is capable of identifying structures that do not conform to a hierarchical structure; however, these structures are nevertheless organized, often in an invisible manner.[25]

B. ULM in Practice

While Zero Trust Architecture (ZTA) and traditional hierarchical models have advanced cybersecurity governance by emphasizing access control and perimeter dissolution, they fall short in modeling the complex relationships that define today’s distributed systems. The ULM addresses these limitations by introducing a tripartite structure of linkages—adjacency, trustworthiness, and inheritance—each accounting for different relational dynamics, time dimensions, and governance implications. The following comparison chart illustrates how ULM fills key conceptual and operational gaps left by ZTA and hierarchical approaches (see figure 9). This distinction becomes particularly important when applying the ULM framework to real-world environments, where the nature of linkages often determines the system’s coherence, adaptability, and resilience.

Figure 9: Comparison Chart

Practitioners can employ the ULM in several ways to address real-world challenges:

  • Digital Twin Simulation of Attack Surfaces: Using digital twins, defenders can simulate bifurcation cascades, test mitigation paths, and evaluate resilience thresholds. These simulations highlight attractor regions—where cyber activity repeatedly clusters—and instability zones that act as risk amplifiers.[26]
  • Trust-Based and Zero Trust Overlays: ULM supports ZTA through real-time evaluation of linkage integrity. Instead of solely authenticating a user or device once, ULM continually validates adjacency, behavior, and inherited roles through continuous policy enforcement and contextual signals.
  • Comply-to-Connect / Comply-to-Contract: ULM maintains a secure posture as a prerequisite for interaction. In Comply-to-Connect (C2C), endpoints are scanned for configuration adherence before connection. In Comply-to-Contract (C2Ct), the organization verifies upstream/downstream compliance with agreed-upon cyber standards before exposing data or operations. ULM enables both via its linkage modeling logic.

VI. Application to Modern Cybersecurity Challenges

The ULM provide a lens for confronting some of the most complex and persistent challenges in modern cybersecurity. By framing systems through intentional, value-bound linkages – such as adjacency, trustworthiness, and inheritance – ULM enables defenders to detect and disrupt threat activity not just at the perimeter but at its point of origin.

A. USE CASE: SUPPLY CHAIN ATTACK (E.G., SOLARWINDS, MOVEit)

The SolarWinds and MOVEit breaches revealed systemic vulnerabilities in software supply chains—namely, that a trusted update or integration can become a Trojan horse. ULM reorients the analysis away from isolated components and toward the misuse of linkages. In the SolarWinds scenario, the adversary exploited inherited trust—code signing certificates, upstream distribution, and privileged lateral access—to bypass detection and escalate rapidly. ULM helps visualize these inheritance pathways, mapping how trust was propagated without re-evaluation. Similarly, MOVEit’s exploitation of zero-day vulnerabilities emphasized adjacency and lateral data flows, which ULM captures through dynamic topology overlays and bifurcation risk points.

B. Use Case: Identity Compromise and Token Drift

Modern enterprise environments rely on federated identity, session tokens, and role-based access. These constructs, when abused, lead to the subtle and persistent propagation of identity compromise. ULM supports real-time mapping of identity graph drift, tracking how legitimate identities become compromised through session hijacking, misconfigured inheritance, or over-privileged trust tokens. Using ULM, analysts can trace not just the compromised endpoint but the entire chain of linked identities—surfacing bifurcation nodes where privilege escalates or diverges from normal behavioral baselines.

C. Use Case: Cyber Fraud Webs and Money Mules

Fraud detection often suffers from its static modeling of user behavior. Cyber fraud webs—frequently involving coordinated mule accounts, synthetic identities, and multi-platform laundering—thrive in environments where linkages are opaque. ULM enables structural analysis of fraud linkages, revealing rhizomatic behavior patterns. Inheritance trails (e.g., reused KYC data or compromised credentials) and adjacency signals (e.g., shared IP infrastructure or device IDs) are charted into a dynamic threat topology that enables earlier detection and fraud interdiction.

D. Use Case: Detection and Enforcement Engine

ULM functions as more than a descriptive model—it becomes a proactive enforcement architecture. By encoding linkage logic, organizations can automate decisions such as revoking access upon drift, re-verifying trust before inheritance-based escalations, and containing threat bifurcations. This aligns with dynamic identity governance and behavior-based policy engines. For example, when a user’s identity graph undergoes a significant shift (e.g., a geographic anomaly or uncharacteristic access), ULM flags it as a potential chaotic bifurcation, prompting policy enforcement or containment.

E. Integration with MITRE ATT&CK and NIST CSF

ULM can be directly integrated into operational frameworks. MITRE ATT&CK tactics, such as “Lateral Movement,” “Privilege Escalation,” and “Defense Evasion,” can be mapped to corresponding ULM linkage abuse patterns. Meanwhile, the NIST Cybersecurity Framework’s categories—Identify, Protect, Detect, Respond, Recover—can each be enriched with linkage intelligence. For instance, “Protect” shifts from endpoint hardening to resilience of inherited trust, while “Respond” includes forensic bifurcation tracing to prevent recurrence. Figure 10 provides a high-level overview of the alignment (see figure 10).[27] [28]

Figure 10: High-level depiction of the integration of ULM with MITRE ATT&CK and NIST CSF

Ultimately, ULM equips defenders not just to detect known patterns but to anticipate systemic linkage instability, empowering a more adaptive and resilient cybersecurity posture.

VII. Future Research and Standardization

The ULM represents a conceptual advancement in cybersecurity, but several open questions remain before it can be operationalized as a framework across industries. Chief among them is the challenge of standardizing linkages—can the ULM triad of adjacency, trustworthiness, and inheritance be encoded into formal digital trust standards? Doing so would require consensus on how these linkages are defined, measured, and enforced across diverse cyber-physical environments, especially those involving legacy systems, cloud-native platforms, and identity federation.

To guide implementation, a five-stage maturity model is proposed: (1) Observability, (2) Typing, (3) Evaluation, (4) Enforcement, and (5) Simulation.

To bridge the gap between concept and deployment, the ULMF requires more explicit operational semantics and a maturity model. Adjacency should be defined not just spatially, but as functional proximity in system communication or control—such as co-residency within a VLAN or sharing a federated IDP. Inheritance captures the transference of privilege or identity context across linkage paths, such as OAuth delegation or SSH key forwarding. Trustworthiness can be modeled as a composite function of identity strength, behavioral consistency, and context-specific risk. To guide implementation, a five-stage maturity model is proposed: (1) Observability, (2) Typing, (3) Evaluation, (4) Enforcement, and (5) Simulation. Sample metrics—such as Linkage Drift Detection Time (LDDT), Trust Inheritance Decay (TID), and Transitive Risk Exposure (TRE)—offer empirical anchors for validation and benchmarking. These refinements elevate ULMF from a theoretical structure to an enforceable, testable framework with measurable outcomes.

A pressing area for future research is the real-time visualization of linkage states. Current cybersecurity tools rarely depict trust or inheritance as dynamically evolving variables. Advances in data visualization, graph theory, and user behavior analytics (UBA) could enable interfaces that expose hidden dependencies, cascading permissions, and adjacency shifts—critical for preempting exploits at bifurcation points.

AI-driven linkage inference is another promising frontier. As machine learning models grow more capable of detecting anomalies in complex systems, their ability to recognize and predict linkage formations—particularly emergent ones in rhizomatic or chaotic structures—will become central to automated defense.

Scholarly work is needed to formalize a systematics of linkages—a structured vocabulary and typology for what linkages are, how they form, and what behaviors they enable. This would inform both academic research and operational tooling.

Simulation environments that model chaos-informed ULMs also warrant investment. Such tools could be used to test system resilience under random or adversarial stress, identify attractor zones, and benchmark linkage stability under simulated attack.

Collaboration between standard-setting bodies, such as NIST, and thought leadership organizations, like the FAIR Institute, could accelerate ULM development. Together, they can define measurable risk, establish trust baselines, and support the development of interoperable ULM-based architectures across sectors.

VIII. Conclusion

In an environment that is becoming increasingly complex, interdependent, and unpredictable, the concept of intentional, resilient linkages is emerging as a foundational paradigm for navigating these complexities. These linkages—whether physical, logical, or trust-based—form the connective tissue of modern cyber ecosystems.

The ULM reframes cybersecurity not as a static perimeter defense but as a dynamic interplay of trust, authority, and proximity. It synthesizes hierarchical structures with rhizomatic complexity and chaos-informed unpredictability, providing a descriptive model for how cyber systems behave and a prescriptive framework for designing systems that are resilient, transparent, and adaptive.

Through real-world use cases such as supply chain compromises, identity propagation, and fraud ecosystems, ULM demonstrates its applicability to the most pressing threats. It integrates with existing guidance, such as MITRE ATT&CK and the NIST Cybersecurity Framework, while offering a richer, more nuanced lens to anticipate and mitigate emerging risks.

But ULM is not just a theoretical contribution; it is a call to action. Governance frameworks, industry regulations, and cybersecurity standards of care must evolve to account for the nature of linkages—how they form, how they shift, and how they can be secured. Just as earlier generations of cyber doctrine recognized the importance of layered defenses or zero trust, the next frontier lies in linkage intelligence.

In a world increasingly defined by digital entropy and networked unpredictability, understanding and securing linkages is no longer optional—it is the new centerline for cyber resilience, risk governance, and system survivability.

Returning to 3D Go, the ULM can be seen as a map of a dynamic, living, three-dimensional battlespace. Just as Go players must perceive not only the immediate stones but also the evolving patterns across the board, security architects must visualize the shifting interplay between trust, adjacency, and inheritance within a constantly changing threat landscape.

The ULM does not promise a checkmate. Instead, it provides practitioners with a holistic understanding. An understanding of where defenses may be breached, and an understanding how to alter the cyber terrain to one’s advantage strategically by transforming complex interdependencies into a comprehensible strategic framework. The ULM is not a silver bullet. Rather it empowers leaders to anticipate and proactively navigate challenges, as opposed to merely responding to them. lock

Henry J. Sienkiewicz

[1] (Latour, 2005)

[2] (Granovetter, 1985)

[3] (Checkland, 1999)

[4] (von Bertalanffy, 1968)

[5] (Wilbur, 2000)

[6] (Latour, 2005)

[7] (Granovetter, 1985)

[8] (Sienkiewicz H. J., 2025)

[9] (Deleuze, 1987)

[10] (Sienkiewicz H. J., Establishing Trustworthiness: An Adaptive Governance Approach, 2025)

[11] (Sienkiewicz H. J., 2025)

[12] (International Organization for Standardization, 2013)

[13] (National Institute of Standards and Technology (NIST), 2020)

[14] (Pfleeger, 2012)

[15] (Zimmermann, 1980)

[16] (Levenson, 2011)

[17] (Deleuze, 1987)

[18] (Parsons, 2018)

[19] (Sienkiewicz H. J., Adaptive Adjacency: AI-Augmented Data Resilience in Rhizomatic Cyber Environments., 2025)

[20] (Sienkiewicz H. J., Adaptive Adjacency: AI-Augmented Data Resilience in Rhizomatic Cyber Environments., 2025)

[21] (Mulligan, 2011)

[22] (Microsoft, 2022)

[23] (Barabási, 2003)

[24] (Deleuze, 1987)

[25] (Deleuze, 1987)

[26] (Sienkiewicz H. J., Digital Twins: Mirroring Business, Mirroring Cybersecurity Risks, 2024)

[27] (MITRE (ATT&CK Framework), 2023)

[28] (National Institute of Standards and Technology (NIST), 2024)

References

Barabási, A.-L. (2003). Linked: How everything is connected to everything else and what it means. Plume.

Checkland, P. (1999). Systems Thinking, Systems Practice: Includes a 30-Year Retrospective. . John Wiley & Sons.

Deleuze, G. &. (1987). A Thousand Plateaus: Capitalism and Schizophrenia. Univeristy of Minnesota Press.

Granovetter, M. (1985). Economic action and social structure: The problem of embeddeness. American Journal of Sociology, 91(3), 481-510. doi:doi.org/10.1086/22831

International Organization for Standardization. (2013). ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements. ISO.

Latour, B. (2005). Reassembling the social: An introduction to actor-network-theory. Oxford: Oxford University Press.

Levenson, N. (2011). Engineering a safer world: Systems thinking applied to safety. Boston: MIT Press.

Microsoft. (2022). Zero Trust identity models and best practices. Retrieved from www.microsoft.com: https://learn.microsoft.com/en-us/security/zero-trust/deploy/identity

MITRE (ATT&CK Framework). (2023, June 15). https://attack.mitre.org/. Retrieved from ATT&CK: https://attack.mitre.org/

Mulligan, D. &. (2011). Doctrine for cybersecurity. Daedalus, 140(4), 70-92. doi:https://doi.org/10.1162/DAED_a_0012

National Institute of Standards and Technology (NIST). (2024). NIST Cybersecurity Framework (CSF) 2.0 . NIST .

National Institute of Standards and Technology (NIST). (2020). Security and privacy controls for informaiton systems and organization (NIST SP 800-53 Rev 5). doi:https://doi.org/10.6028/NIST.SP.800-53r5

Parsons, J. (2018). Rhizomatic learning: A model for cybersecurity education. Journal of Theoretical and Applied Information Technology, 96(6), 1710-1719.

Pfleeger, S. (2012). Security in computing (5th ed.). Prentice Hall.

Sienkiewicz, H. J. (2024). Digital Twins: Mirroring Business, Mirroring Cybersecurity Risks. United States Cybersecurity Magazine. Retrieved July 13, 2025, from https://www.uscybersecurity.net/csmag/digital-twins-mirroring-business-mirroring-cybersecurity-risks/

Sienkiewicz, H. J. (2025, July 16). Adaptive Adjacency: AI-Augmented Data Resilience in Rhizomatic Cyber Environments. Armed Forces Communications Electronics Association (AFCEA) Conference Whitepaper. Reston, VA .

Sienkiewicz, H. J. (2025). Establishing Trustworthiness: An Adaptive Governance Approach. United State Cybersecurity Magazine.

Sienkiewicz, H. J. (2025). Inherited Insecurity: Sunk Costs, Legacy Structures, and the Inheritance Construct in the Unified Linkage Model (ULM) . United States Cybersecurity Magazine.

von Bertalanffy, L. G. (1968). General System Theory: Foundations, Development, Applications. George Braziller.

Wilbur, K. (2000). A theory of everything: An integral vision for business, poltics, science, and spirituality. Shambhala Publications.

Zimmermann, H. (1980). OSI reference model – the ISO model of architecture for open systems interconnections. IEEE Transactions on Communications, 28(4), 425-432. doi:https://doi.org/10.1109/TCOM.1980.1094702

Leave a Comment