Bounded Propagation Modelling
Cyber exposure is determined by how compromise can propagate — not simply by whether controls exist.
WHY THIS MATTERS
Most organisations assess security in isolation:
- Firewall configured
- Endpoint protection deployed
- MFA enabled
- Patches applied
Each control is evaluated independently.
But attacks do not operate independently.
They move.
- Across systems
- Through identities
- Between environments
- Along trust relationships
The real question is not:
“Do we have controls?”
It is:
“If compromise occurs, what happens next?”
THE CORE IDEA
DSCR models exposure as a propagation problem.
Compromise is not binary.
It is a process:
- Initial foothold
- Movement across the environment
- Escalation of privilege
- Persistence and control
- Eventual impact
The speed, reach, and containment of this process are shaped by structure.
PROPAGATION MODEL
Once an organisation is represented as a structural state:
x = (S, P, M, I, B)
Exposure can be expressed as a function of that structure:
Exposure = F(x)
This reflects:
- How easily movement can occur
- How quickly detection can happen
- How effectively spread can be contained
This is not a checklist.
It is a system behaviour model.
WHAT ORGANISATIONS GET WRONG
Organisations often assume that more controls reduce risk linearly.
This leads to:
- Isolated control optimisation
- Overconfidence in individual safeguards
- Lack of understanding of system-wide behaviour
In reality:
- Weak segmentation amplifies spread
- Poor identity control accelerates escalation
- Limited monitoring delays detection
- Lack of boundedness enables full compromise
The interaction between these factors determines outcome — not their individual existence.
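An added illustration, not DSCR's model or code: the page does not define F or the components of x, so this sketch assumes a directed trust graph with per-hop traversal times and a single containment time, and measures exposure as the fraction of nodes compromised before containment. All node names, edge weights and function names are constructed for the example.

```python
import heapq

def reach_before_containment(edges, foothold, containment_hours):
    """Earliest compromise time (hours) of every node reached before containment.

    edges: {src: [(dst, hours_to_traverse), ...]}, directed trust relationships.
    containment_hours: time from foothold until detection and isolation finish.
    """
    best = {foothold: 0.0}
    queue = [(0.0, foothold)]
    while queue:
        t, node = heapq.heappop(queue)
        if t > best.get(node, float("inf")):
            continue  # stale queue entry, a faster path was already found
        for dst, cost in edges.get(node, []):
            arrival = t + cost
            # Bounded propagation: a move that completes after containment never lands.
            if arrival < containment_hours and arrival < best.get(dst, float("inf")):
                best[dst] = arrival
                heapq.heappush(queue, (arrival, dst))
    return best

def exposure(edges, foothold, containment_hours, all_nodes):
    """Assumed exposure measure: fraction of the estate reached before containment."""
    reached = reach_before_containment(edges, foothold, containment_hours)
    return len(reached) / len(all_nodes)

# Constructed sample estate (hypothetical names and timings).
NODES = ["laptop", "fileserver", "app", "db", "dc", "backup"]

# Flat network: the workstation can reach almost everything in an hour or two.
FLAT = {
    "laptop": [("fileserver", 1), ("app", 1), ("dc", 2)],
    "fileserver": [("db", 1), ("backup", 1)],
    "app": [("db", 1)],
    "dc": [("backup", 1), ("db", 1)],
}

# Segmented network: fewer trust edges, and crossing a boundary takes longer.
SEGMENTED = {
    "laptop": [("fileserver", 1), ("app", 4)],
    "app": [("db", 6)],
    "dc": [("backup", 1)],
}

if __name__ == "__main__":
    for name, graph in (("flat", FLAT), ("segmented", SEGMENTED)):
        for hours in (24, 2):  # slow versus fast detection and isolation
            print(f"{name:9} containment={hours:>2}h "
                  f"exposure={exposure(graph, 'laptop', hours, NODES):.2f}")
```

The four combinations show the interaction: fast containment halves exposure on the flat network, but only with segmentation do the domain controller and backups stay out of reach regardless of how long containment takes.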
OUR POSITION
DSCR treats ransomware and cyber compromise as bounded propagation phenomena.
This means:
- Exposure is shaped by structural conditions
- Propagation can be constrained, slowed, or amplified
- Containment capability is as important as prevention
Rather than asking:
“Can we stop an attack?”
DSCR asks:
“If an attack occurs, how far can it spread — and how quickly?”
This shift changes everything:
- From prevention to containment
- From controls to interaction
- From static posture to dynamic behaviour
PRACTICAL CONSEQUENCE
With propagation modelling:
- Organisations understand real exposure pathways
- Boards see impact potential, not just control status
- Technical teams identify structural weaknesses, not just gaps
- Insurers receive credible signals of containment capability
Without it:
- Risk is underestimated
- Spread is misunderstood
- Resilience is assumed rather than demonstrated
TRANSITION
Once exposure is understood, it must be translated into meaning that organisations can act on:
- Governance decisions
- Regulatory positioning
- Insurer expectations