Computing in Compromised Environments: Beyond the Castle Model of Cyber-Security

  • David Skillicorn
  • Christian LeuprechtEmail author
  • Victoria Tait
Part of the Advanced Sciences and Technologies for Security Applications book series (ASTSA)


The predominant metaphor for secure computing today is defence in depth: higher, better layers of walls. This article explains why that approach is as outmoded for cybersecurity today as it became for physical security centuries ago. Three forces are undermining the castle model as a practical security solution. First, organizations themselves tear down their walls and make their gateways more porous because it pays off in terms of better agility and responsiveness—they can do more, faster and better. Second, technological developments increasingly destroy walls from the outside as computation becomes cheaper for attackers, and the implementation of virtual walls and gateways becomes more complex, and so contains more vulnerabilities to be exploited by the clever and unscrupulous. Third, changes in the way humans and technology interact, exemplified (but not limited to) the Millennial generation, blur and dissolve the concepts of inside and outside, so that distinctions become invisible, or even unwanted, and boundaries become annoyances to be circumvented. A new approach to cybersecurity is needed: Organizations and individuals need to get used to operating in compromised environments. The article’s conclusion operationalize this strategy in terms of a paradigm shift away from a Castle Model and towards a more nuanced form of computation and data assurance.


Cyberdefense Security Organizational boundaries Millennials Generational differences Compromised environments 


  1. Accenture (2008) Millennials at the Gates: results from Accenture’s High Performance IT Research. Accenture Research USA, New YorkGoogle Scholar
  2. Agamben G (1999) Potentialities. Stanford University Press, StanfordGoogle Scholar
  3. Bauman Z, Lyon D (2013) Liquid surveillance: a conversation. Polity Press, CambridgeGoogle Scholar
  4. Bauman Z, Bigo D, Esteves P, Guild E, Jabri V, Lyon D, Walker RBJ (2014) After snowden: rethinking the impact of surveillance. Int Polit Sociol 8(2):121–144CrossRefGoogle Scholar
  5. Beer D (2009) Power through the algorithm? Participatory web cultures and the technological unconscious. New Media Soc 11(6):985–1002CrossRefGoogle Scholar
  6. Bloomberg Business (2011) Human errors fuel hacking as test shows nothing stops idiocy. Accessed 30 June 2011
  7. Castells M (2001) The internet galaxy: reflections on the internet, business, and society. Oxford University Press, OxfordCrossRefGoogle Scholar
  8. Common Vulnerabilities and Exposures, MITRE (2013) Heartbleed. Accessed 1 April 2013
  9. Deloitte (2012) Tech Trends 2012: elevate IT for digital business; a federal perspective. Deloitte LLP Services, London. Accessed 1 April 2015
  10. Drapeau M, Wells L II (2009) Social software and national security: and initial net assessment. Center for Technology and National Security Policy. National Defense University, Washington, DCGoogle Scholar
  11. Fritzson A., Howell LW, Zakheim DS (2007) Military of Millennials. Strategy + Business 49.
  12. Foucault M (1991) Discipline and punish: the birth of a prison. Penguin, LondonGoogle Scholar
  13. Foucault M (1998) The history of sexuality: the will to knowledge. Penguin, LondonGoogle Scholar
  14. Frincke DA, Bishop M (2004) Guarding the castle keep: teaching with the fortress metaphor. IEEE Secur Priv 2(3):69–72CrossRefGoogle Scholar
  15. Gill M (2006) The handbook of security. Palgrave Macmillan, New YorkGoogle Scholar
  16. Goldsmith A, Brewer R (2015) Digital drift and the criminal interaction order. Theoretical criminology. ForthcomingGoogle Scholar
  17. Harris Michael (2014) The end of absence: reclaiming what we’ve lost in a world of constant connection. Current, TorontoGoogle Scholar
  18. Harknett RJ, Stever JA (2011) The new policy world of cybersecurity. Public Adm Rev 71(3):455–460CrossRefGoogle Scholar
  19. Hershatter A, Epstein M (2010) Millenials and the world of work: an organization and management perspective. J Bus Psychol 25(2):211–223CrossRefGoogle Scholar
  20. Hibbard L (2011) Communicating with the net generation. U.S. Army War College, Carlisle Barracks, PAGoogle Scholar
  21. Jacobs J, Diefenbach V (2012) The use of social media in public affairs—a German perspective. North Atlantic Treaty Organization RTO-MP-HFM-201, BrusselsGoogle Scholar
  22. Johnson TJ, Kaye BK (2010) Believing the blogs of war? How blog users compare on credibility and characteristics in 2003 and 2007. Media War Confl 3(3):315–333CrossRefGoogle Scholar
  23. Karas TH, Moore JH, Parrott LK (2008) Metaphors for cyber security. SANDIA report SAND2008-5381. Sandia National Laboratories, AlbuquerqueGoogle Scholar
  24. Lee CKC, Conroy DM (2003) Teenager’s consumption on the internet. Australas Mark J 13(1):8–19Google Scholar
  25. Leydesdorff L (2010) The communication of meaning and the structuration of exceptions: Giddens’ ‘structuration theory’ and Luhmann’s ‘self-organization’. J Am Soc Inform Sci Technol 61(10):2138–2150CrossRefGoogle Scholar
  26. Lu M (2001) Digital divide in developing countries. J Global Inf Technol Manage 4(3):1–4CrossRefGoogle Scholar
  27. McDougal M (2009) Castle warrior: redefining 21st century Network defence. In: CSIIRW ‘09 proceedings of the 5th annual workshop on cyber security and information intelligence research: cyber security and information intelligence challenges and strategies. Accessed 25 May 2015
  28. Myers KK, Sadaghiani K (2010) Millennials in the workplace: a communication perspective on millennials’ organizational relationships and performance. J Bus Psychol 25(2):225–238CrossRefGoogle Scholar
  29. National Telecommunications and Information Administration (1995) Falling through the net: a survey of the have nots in rural and urban America. U.S. Department of Commerce, Washington, DCGoogle Scholar
  30. Norris P (2001) Digital divide: civic engagement, information poverty, and the internet worldwide. Cambridge University Press, CambridgeCrossRefGoogle Scholar
  31. Pariser E (2012) The filter bubble: how the new personalized web is changing what we read and how we think. Penguin Books, New YorkCrossRefGoogle Scholar
  32. Pew Research Center (2010) The future of the internet.
  33. Quigley K, Roy J (2012) Cyber-security and risk management in an interoperable world: an examination of governmental action in North America. Soc Sci Comput Rev 30(1):83–94CrossRefGoogle Scholar
  34. Resnyansky L, Falzon L, Agostino K (2012) From transaction to meaning: internet-mediated communication as an object of modeling. In: 8th International Conference on Social Science Methodology. Sydney, 9–13 July, Conference Proceedings Vol II. Accessed 3 May 2015
  35. Sassen S (2002) Towards a sociology of information technology. Curr Sociol 50(3):365–388CrossRefGoogle Scholar
  36. Shirky C (2008) Here comes everybody: the power of organizing without organizations. Penguin Press, New YorkGoogle Scholar
  37. Statistics Canada (2008) Canada′s Ethnocultural Mosaic, 2006 Census.  Ottawa.
  38. Tufekci Z (2008) Can you see me now? Audience and disclosure regulation in online social network sites. Bull Sci Technol Soc 28(1):20–36CrossRefGoogle Scholar
  39. Verdon J (2012) The wealth of people: how social media re-frames the future of knowledge and work. North Atlantic Treaty Organization RTO-MP-HFM-201, Brussels (April)Google Scholar
  40. Zedner L (2009) Security. Routledge, Abingdon, chapter 5Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • David Skillicorn
    • 1
  • Christian Leuprecht
    • 2
    Email author
  • Victoria Tait
    • 3
  1. 1.Queens UniversityKingstonCanada
  2. 2.Royal Military College of CanadaKingstonCanada
  3. 3.Carleton UniversityOttawaCanada

Personalised recommendations