The 10 laws of Cyber Reality (Jelle's version)

#1: The paradox of Control

The more control you seek, the less security you achieve.

Security theatre is born from the illusion that complex systems can be controlled through policy and procedure. True security emerges from designing for chaos, not order.

#2: The conservation of Risk

Risk cannot be eliminated, only transformed and relocated.

Every security measure that reduces one type of risk inevitably creates new risks elsewhere in the system. The art lies in conscious risk redistribution, not risk elimination.

#3: The principle of the path of Least Resistance

People will always find the easiest path to their goal - truly secure systems make the easiest path the secure path.

Security that fights human nature will always lose to human ingenuity. Like water flowing around obstacles, people will find workarounds for poorly designed security - and those workarounds are usually less secure than the original problem. Design with desire trails, not against them.

#4: The Oosterschelde principle

The most sophisticated defences know when to yield.

Like the Oosterschelde barrier that opens to allow normal tidal flow, but closes during storms, resilient security architectures are adaptive rather than rigid. They absorb regular operational "floods" of user behaviour, system failures, and minor incidents whilst activating strong defences only when truly threatened. Rigid barriers create brittle systems; intelligent barriers create antifragile ones.

#5: The Capacity-Outcome paradox

Security is a capacity to handle risk, not an outcome of avoiding risk.

Organisations that measure security by incident counts optimise for the wrong variable. Like physical fitness, security cannot be measured by the absence of challenge but by the presence of capability when challenged. Focus on building adaptive capacity - the ability to detect, respond, learn, and evolve - rather than chasing the impossible goal of zero incidents.

#6: The entropy of Complexity

Security complexity increases to the maximum sustainable by organisational culture.

Organisations will continue adding security layers until the friction becomes unbearable, at which point workarounds emerge that make the system less secure than before any controls existed. This is the security equivalent of technical debt - and it compounds just as dangerously. Remove and simplify before even thinking about adding new measures.

#7: The Evolution-Emergence principle

System security emerges from complex interactions and must continuously evolve - or be evolved by external forces.

Security cannot be designed like an assembly line or conveyor belt - it emerges like an ecosystem and must adapt like one. Like consciousness or culture, security arises from complex interactions between components and cannot be architected, only nurtured.

Organisations that don't consciously evolve their security models will have evolution imposed upon them by attackers, regulators, or market forces. Evolution is not optional - only its direction can be chosen.

#8: The unity of Trust and Security

Security is measured by trust earned, not incidents prevented.

The ultimate measure of security is not the absence of successful attacks, but the presence of warranted trust in system behaviour under adversarial conditions.

Trust evolves from confidence - whilst confidence comes from knowing individual components work correctly, trust emerges from faith that the entire system will behave appropriately under pressure. This leap from component confidence to systemic trust is where true security lives.

#9: The Security Dividend principle

Organisations that master security constraints gain disproportionate competitive advantages.

When security becomes a capability rather than a constraint, it generates compounding returns: faster innovation cycles, higher customer trust, superior resilience under pressure, and the courage to experiment that compliance-focused competitors cannot match. Security mastery is not the absence of risk - it is the presence of capability.

#10: The Totaalvoetbal principle

In resilient systems, every component can defend, deflect, or attack back when needed, and collective intelligence emerges from individual adaptability.

Like the Dutch totaalvoetbal philosophy where any player can move into any position as the game demands, truly secure organisations don't rely on specialised security roles alone. Every system component can adapt to changing conditions, responding to threats by defending, deflecting attacks, or striking back when appropriate.

Security is everyone's responsibility and no one's exclusive domain - rigid security roles create brittle systems, whilst fluid security capabilities create antifragile ones.

These ten laws describe cyber reality as I see it. They cannot be violated, only ignored - at great cost. Understanding them is the first step towards evolving beyond our current security paradigm and building truly antifragile organisations.