Given the continuous flux of cyber environments, let alone the tactics and techniques of threat actors, organizations struggle to make timely risk-based decisions in the selection of control strategies. At times, some controls can inhibit the performance of an organization by adding complexity to the environment. This presentation proposes and explores a novel means to measure cyber environment complexity. This presentation will define "Cyber Complexity" in terms of technical debt, interfaces, and organizational capability. The audience will gain a better appreciation for risk-based decision and the demonstrable need for better measurement of cyber environments to driver those decisions.

Learning Objectives:

• Define the elements of cybersecurity complexity and appreciate its utility as a risk proxy metric
• Quantitatively and qualitatively describe the factors that influence cybersecurity complexity to include potential controls to influence it
• Appreciate the need for complexity in a system to mitigate and slow attackers as much as balance the need for complexity to maintain system efficacy