Published in Magda On Cyber

What is the Cynefin Framework, and how does it help cyber awareness?

The Cynefin Framework is a conceptual framework used to help make decisions in complex, uncertain, and turbulent environments. It was developed by David J. Snowden, and he and Mary E. Boone presented it to a wider audience in the Harvard Business Review article “A Leader’s Framework for Decision Making” in 2007.

There are five domains in the Cynefin Framework: Simple (later renamed Obvious, and more recently Clear), Complicated, Complex, Chaotic, and Disorder (now called Confusion). Each domain comes with its own decision pattern and its own kind of practice.

Simple problems are those with a clear cause-and-effect relationship that everyone can see. They are solved by best practice and standard procedures: Sense, Categorise, Respond.

Complicated problems are those where cause and effect exist but are not obvious; they require analysis, knowledge and expertise to uncover. They often have multiple causes and effects, and there may be several good practices rather than one best practice: Sense, Analyse, Respond.

Complex problems are those that lack a clear cause-and-effect relationship. They are emergent and adaptive, and the relationship between cause and effect is only visible in hindsight, so they require safe-to-fail experiments and trial and error to find a solution: Probe, Sense, Respond.

Chaotic situations are high urgency/high uncertainty situations where anything could happen. There is no time for analysis or planning in these cases — you just

The Cynefin Framework is not new; some of you may have heard of it before today or used it in a different context. On its own, it is merely a conceptual framework. When it is applied to cybersecurity, it provides a structure, and in particular it lets you question whether the way you currently discuss cybersecurity topics fits the domain you are actually operating in.

Are we considering Cybersecurity as a Simple Domain?

The framework defines the Simple domain as the domain of best practice: problems are well understood, and solutions are evident.

The right answer is self-evident and undisputed.

Events in this domain are unambiguous and have one correct response. The cause-and-effect relationships between events are clear and direct, and there is a single best way to respond to any event.

The Simple domain corresponds to environments with a high degree of certainty and predictability, where cause and effect can be identified and acted upon easily. Decision making is straightforward because the choices are black and white: right or wrong, safe or unsafe. This makes the Simple domain the right place for tasks that need a single, well-defined answer, such as following a checklist or a standard operating procedure.

My grandma knows that she needs to lock her door before going to bed.

This is the realm of “known knowns”, where all parties share an understanding.

If something goes wrong, you can usually identify the problem (when, say, your door is left open), categorize it (risk of a robbery), and respond appropriately (close your door).

Basically, Sense — Categorise — Respond then apply best practice, by locking your door.

Yet the vast majority of the roughly 5 billion Internet users worldwide do not have a good “sense” of what cyber-crime looks like.

For instance, when I say “beware of phishing”, you might wonder what phishing means, or what it even looks like. Or, at the very least, you may have a hard time recognising one.

Even cybersecurity professionals do, sometimes.

Cybersecurity concepts, crimes and techniques are not within the realm of “known knowns”. We all struggle to Sense — Categorise — Respond to every scenario, including advanced scenarios where even cybersecurity professionals have trouble.

Thus, we need to stop talking about cybersecurity concepts and awareness as if they belonged only to the Simple domain, the domain of best practices.

The world is changing at a high pace, and we do not know what the future will look like or how it will play out. The future is always difficult to predict, but one thing seems certain: technology will continue to play a major role. With the accelerating pace of technological change, new technologies will keep emerging that touch every aspect of our lives, from education and healthcare to transportation and work, and advances in artificial intelligence and machine learning are likely to have a profound effect on how we live and work. It is precisely this combination of rapid change and its transformational effect on our individual and communal security that forces us to admit that we cannot simply apply best practices when there are so many unknowns, both for us and for our audience.

Those more difficult contexts in which we currently operate should be considered as Complex and even Chaotic in certain scenarios.

The Complex domain is characterised by a high degree of uncertainty and unpredictability. Solutions to problems in this domain are emergent and not fully known in advance, and traditional cause-and-effect thinking does not apply, because cause and effect only become visible in hindsight. Problems here call for flexible and adaptive responses: rather than analysing first and acting second, people working in the Complex domain run small, safe-to-fail experiments, observe what happens, and then respond to what emerges (Probe — Sense — Respond).

There are many reasons why cybersecurity can be difficult to understand, and thus considered part of the Complex Domain. First and foremost, it is a highly technical field with a lot of specialized jargon. This can make it hard for non-experts to know what is going on or even where to start when trying to learn about it. Additionally, the threat landscape is constantly shifting and evolving, which makes it tough to keep up with the latest threats and cybersecurity solutions. Finally, as cyber-attacks become more sophisticated and targeted, they can be very difficult to detect and thwart.

All of these factors combine to make cybersecurity a complex and ever-changing challenge. However, that doesn’t mean that it’s impossible to learn about or stay protected from cyber threats with the right communication.

So, what does it mean?

There are a few key reasons why everyone should understand basic cybersecurity. First, as we become increasingly reliant on technology, we become more vulnerable to cyberattacks. Second, even if you are not a tech-savvy person, you may still be a target of phishing attacks and other scams. Finally, understanding basic cybersecurity can help you protect your own personal information as well as the information of others.

While it’s true that we can’t all be experts in cybersecurity, it’s important for everyone to have a basic understanding of how to protect themselves online.

Here are some tips on how to facilitate cybersecurity discussions. Start your discussions about cybersecurity today, with anyone, with an understanding of the roles, tools, and approaches that suit the Complex domain. Shift away from the Simple domain and best practices, and:

1. First — Build relationships and work with patterns of interaction: People engage in many different patterns of interaction. Some are surface-level interactions, typically small talk without much depth or substance. Social grooming behaviours, such as complimenting and flirting, are another common type. Deep conversation, in which people discuss personal beliefs and feelings, is yet another way to interact. The key is to find a pattern of interaction that feels comfortable and familiar to you, that lets you connect with others in a meaningful way, and through which you can share about cybersecurity topics.

Storch (2002) identified four patterns of interaction in pair work: collaborative, dominant/dominant, dominant/passive and expert/novice. Comparing the patterns with the participants’ performance showed that collaborative patterns were associated with better learning outcomes.

Use it for cybersecurity discussions.

2. Second- Understand collective interpretation with sensemaking: We cannot discuss best practices of applying MFA, if our audience does not know what MFA stands for. We cannot talk about phishing protection unless people know how to sense a phishing attack.

Collective interpretation involves the sharing of meaning between people in order to create a shared understanding. It’s a process of sensemaking that allows for the exchange of information and ideas, and it’s critical for effective communication. When people are able to effectively share meaning, it leads to better group performance and increased creativity. In fact, collective interpretation is thought to be one of the primary drivers of innovation. By working together to make sense of the world around them, people can come up with new ideas and solutions that wouldn’t be possible if they were working individually.

Statistics show us that “standard” users not only fail to recognise cyber-crime, but also lack an understanding of common security controls such as Multi-Factor Authentication, or MFA. Terms like MFA (the extra code you typically receive on your phone, through an app or SMS, after you enter your password) remain a mystery.

According to a report from the National Cybersecurity Alliance and CybSafe, nearly half (48%) of respondents across the U.S. and UK say they have “never heard of MFA”.

How many of you have heard that implementing MFA is best practice? But if your audience does not know what MFA is, will they apply that best practice?

3. Third- Support communities of practice and add more degrees of freedom: A community of practice is a group of people who share a common concern, a set of problems, or an interest in a topic and who come together to fulfill both individual and group goals. The concept of communities of practice is perceived to make a valuable contribution to the sharing and diffusion of knowledge by connecting people together. There’s no doubt that online communities of practice can be extremely helpful, providing a space for people with shared interests to come together and learn from one another. But there’s also a danger in creating too many overly-specific communities of practice, which can lead to confusion and loss of interest.

The sweet spot is probably somewhere in between, where you have enough specific communities of practice to allow for deep specialization and expertise, but not so many that people lose sight of the big picture. For example, you might have separate communities of practice for software developers working on different platforms (e.g., Windows, Linux), but you wouldn’t want a separate community for every single niche tool or programming language.

Perfect for cyber, right? Well, it is not that simple.

If your social circle is concerned about configuring Facebook privacy settings, let it be. It will open the door to discussions about other topics. Create that community, then, and focus on personal online security. Do not close off opportunities for learning in cyberspace by building a wall between professional and personal cybersecurity concepts.

4. Fourth — Act, learn and plan at the same time: We cybersecurity professionals should learn from you too. Yes, you! You are the ones experiencing new online scams and attacks. You are the ones who can tell us what is happening around you. And you, the audience, have likely already implemented security controls without even knowing it, protecting your phone from theft and your data from being stolen with it.

We need to act, learn and plan continuously ensuring we are in a constructive feedback loop, and not in our cyber silo world of experts.

5. Fifth — Notice emergent directions and build on what works. If you have seen that one approach works, go forward with it: The best way to notice emergent directions is to stay aware of your surroundings and of possible opportunities. Keep asking yourself “what if” questions and look for new ways to improve existing ideas. When you see something that could be improved, take action. But also keep an eye on what is already working well, figure out what makes it successful, and replicate that elsewhere. By paying attention to both what is working and what is not, you can create tailored solutions that stand a real chance of success.

In October 2016, I ran a presentation for seniors in Singapore. I’d prepared a presentation on best practices but was surprised by the different questions that came forth. The aunties and uncles, the seniors in my audience, were most curious about the state of security of their phones, their Facebook accounts, and their WhatsApp messengers. Understandably, I did not present what I had prepared but focused on addressing their concerns, practically showing them the settings and sitting nearby to help them with them. It was an emerging direction, and it worked.

If I had continued my presentation on the topics I had prepared, it would have been a failure.

Ultimately, you or your audience might not care directly about cybersecurity complicated terms and concepts. Period.

Facts don’t change people’s mind. Emotions do. And, the Cynefin Framework can help you too.


It’s high time we started DISCUSSING cybersecurity TOGETHER; it should no longer be a one-way conversation where we speak and you listen.

Use the Cynefin Framework to change the way you engage in cybersecurity discussions.

So, go-ahead, “Build cyber-intuition”.


By Magda Chelly

Chief Security Officer | TEDx Speaker | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)
