Managing Cyber Security Debt: Strategies for Identification, Prioritisation, and Mitigation


  • Christo Coetzer
  • Louise Leenen



Keywords: Cyber security, Cyber security debt, Cyber security debt management


This paper explores cyber security debt, a form of technical debt arising from unaddressed security vulnerabilities in an organisation's IT systems. These vulnerabilities accumulate due to resource limitations, time constraints, and expertise gaps, potentially leading to security breaches and data compromises. The paper outlines the cyber security debt management process, which involves identification, prioritisation, and mitigation strategies. Drawing parallels to financial debt, the authors emphasise the escalating risks of delaying cyber security debt repayment. The paper underscores the significance of diligent debt management in maintaining digital resilience and mitigating cyber threats.

The increasing interconnectedness of systems and the pace of software development have given rise to a hidden challenge known as cyber security debt. Cyber security debt is presented as a subset of technical debt, encompassing the accumulation of security vulnerabilities within an organisation's IT infrastructure and applications. Drawing a parallel between cyber security debt and its financial counterpart, the authors underscore the grave risks of deferring debt repayment. Just as financial debt accrues interest, unresolved security vulnerabilities compound over time, elevating the likelihood of breaches and data exposure. A case study of the Equifax breach exemplifies the real-world consequences of neglecting security debt management: the failure to patch a well-known vulnerability led to a colossal data breach, highlighting the urgency of addressing security weaknesses promptly.

Complex in nature, cyber security debt materialises when organisations fail to address vulnerabilities during the various operational life cycles. These vulnerabilities may remain concealed within IT architecture, legacy code, or third-party libraries, posing a formidable challenge to detection and resolution.
By understanding the parallels between financial and cyber security debt and proactively managing the latter, organisations can enhance their ability to safeguard against evolving cyber threats and maintain a robust security posture.