Panaseer
Toxic Combinations in Cybersecurity Controls
Pages: 2
Time to read: 4 mins
Publication:
Language: English
This document is a technical report on toxic combinations within cybersecurity controls. It defines toxic combinations as control gaps related to the same asset that, while individually minor, can collectively pose significant risks. The report outlines the operational challenges security teams face in identifying these combinations, since they typically prioritize by the severity each individual tool reports rather than across multiple security domains. The document introduces compound risk metrics as a solution, which allow users to analyze data from various security domains to identify and prioritize toxic combinations for remediation. It also details use cases for these metrics, including measuring compensating controls and enhancing security dashboards. The report emphasizes automating these metrics to reduce manual effort and improve the efficiency of security teams in addressing vulnerabilities and risks associated with critical business applications.