"Complexity Is the Worst Enemy of Security": Studying Cybersecurity Through the Lens of Organizational Complexity

Abstract

Writing about computer systems twenty-five years ago, Schneier wrote that “the worst enemy of security is complexity” (Schneier, 1999), because complex systems are both easier to attack and harder to secure than simpler ones. In this essay, we provide an overview of Schneier’s complexity principle and provide our observations of how two articles in this issue, Liang et al. (2025) and Tanriverdi et al. (2025), employed this principle in their research. We also offer our ideas for why complexity and cybersecurity are especially amenable for study in the field of information systems and where future research can go from here.