Monday, July 8, 2013

Agile Cyber Security and Double Loop Learning

In this post, I want to summarize dimensions 7 through 10, focusing on their interactions and relationships and how they deliver Double Loop Learning. (See this post for the full list of dimensions.)

Together, dimensions 7 through 10 provide the "dynamic capabilities" of an organization to achieve agility and rapid innovation in the face of constant changes in the landscape.  I mentioned this specifically in the context of dimension 8. Effective Agility & Learning, but the notion of dynamic capabilities extends to the subsystem comprising dimensions 7 -- 10 as well.

Working together, these performance dimensions help ensure that an organization's cyber security program keeps up with the pace of evolution throughout its environment in all aspects.  Dimension 7. Effective External Engagement puts a spotlight on the external relationships that drive risk, either mutually or in one direction, and then challenges the organization to design and implement effective engagement processes with each.  Dimension 8. Effective Agility & Learning calls for performance that manages the learning process at the focal organization and implements the second loop in Double Loop Learning.  It also calls for performance that enables the focal organization to rapidly shift directions as the need arises.  Dimension 9. Optimize Total Cost of Risk calls for the focal organization to measure and manage all costs in a probabilistic frame and to price the risk in a way that can guide management decisions regarding resource allocation, prioritization, and investment justification.  Finally, dimension 10. Responsibility & Accountability focuses attention on personal leadership for cyber security in relation to all the organization's stakeholders, both in the formal sense of governance and compliance and also in the informal senses.

Each of these dimensions is, in a sense, a summation of cyber security from a different perspective.  Dimension 7 summarizes the focal organization's dependency relationships.  Dimension 8 summarizes its ability to reinvent itself regarding cyber security.  Dimension 9 summarizes the financial and economic significance of cyber security.  Finally, dimension 10 summarizes the organization's obligations and trust relationships with its stakeholders, both formal and informal.

These four dimensions together implement both the second loop and the integration with the first loop in the Double Loop Learning model, shown below.

In conclusion, I'm arguing that each of these dimensions can be measured and managed as a performance dimension, where results can be evaluated through evidence, either quantitative or qualitative, and that these evaluations do not require imponderable estimates of adversary behavior.

I'm also arguing that these four dimensions are essential for any cyber security framework that proposes to be "risk-based" and to promote "agility".  Existing frameworks either omit them or give them inadequate attention.