Security system effectiveness¶
When a patching programme stalls at the same percentage every quarter, when response times improve in exercises but not in real events, when controls that passed audit are quietly bypassed, the usual reading is carelessness. SEM, developed by Gerald and Daniel Weinberg, reads it differently: an error is not an anomaly but evidence that the model used to design the thing does not match how the work happens. The fix is to correct the model, not to suppress the symptom.
It works across three elements. Systems, whose behaviour emerges from interactions rather than from the parts in isolation. Models, the mental representations people use to understand those systems, many of them incomplete or outdated. And errors, the mismatches between model and reality that keep recurring until the model is corrected.
This holds in security, because every tool, every control, and every policy encodes a set of assumptions. Those assumptions are a model. When they are wrong the tool produces false confidence, the control produces workarounds, and the policy produces compliance theatre. Fixing the symptom without questioning the model means the same class of failure returns in a slightly different form.
Understanding a security system well enough to improve it:
Last updated: 2 July 2026