Independent Research · Six Papers · Controlled Public Summaries

Independent Research on Cyber Risk, Governance, and Defensibility

John Mackenzie’s independent research explores why serious cyber failures continue to occur despite frameworks, audits, compliance activity, executive reporting, and increased cybersecurity investment.

The work focuses on cyber defensibility, organisational cyber risk, board accountability, assurance weakness, catastrophic cyber events, intervention sequencing, and the structural conditions that allow small weaknesses to become material harm.

Public summaries are intentionally limited. They explain the direction and value of the research without disclosing full intellectual property, proprietary models, equations, or unpublished implementation methods.

Research Papers

A controlled public body of work.

JMacTech includes a growing body of independent research by John Mackenzie across organisational cyber risk, governance failure, board accountability, assurance weakness, cyber defensibility, cyber risk mathematics, internal audit, and the structural causes of major cyber harm.

These papers are not written as generic cybersecurity commentary. They develop original models, doctrines, and analytical frames for understanding why organisations continue to experience serious cyber failure despite frameworks, controls, certifications, audits, dashboards, and formal governance activity.

Six Independent Papers

Research Papers

A controlled preview of John Mackenzie’s independent research into organisational cyber risk, governance failure, assurance weakness, defensibility, cyber risk mathematics, and the causal pathways that turn small weaknesses into material cyber harm.

Open research library
Paper 01Public Summary Only

Cyber Cube Theory and the Failure of Cyber Governance

Cyber Cube Theory reframes serious cyber incidents as organisational governance failures, not just technical failures. It examines how board oversight, executive management, control reality, assurance quality, privacy, AI, suppliers, and evidence combine to shape cyber defensibility.

What this research is really about

  • Board and executive accountability
  • Cyber risk as an organisational state
  • Compliance theatre
  • Reasonable and proportionate cybersecurity
  • Evidence-based defensibility
  • Cyber risk configuration and governance failure
Paper 02Public Summary Only

Advocatus: Institutionalising Evidentiary Governance in Cyber Defensibility

Advocatus introduces a board-level challenge architecture for cyber defensibility. It examines how high-consequence cyber claims should be tested through structured dissent, proportional proof, evidence quality, and traceable governance decisions.

What this research is really about

  • Board-level cyber challenge
  • Evidentiary governance
  • Proportional proof
  • Structured dissent
  • Defensibility exposure
  • Weakness in unchallenged cyber claims
  • Moving from compliance comfort to proof discipline
Paper 03Public Summary Only

Black Snow–Informed Internal Audit

Black Snow–Informed Internal Audit examines why compliant organisations still fail. It reframes internal audit around catastrophic cyber risk, weak signals, sequencing, culture, resource allocation, assurance distortion, and structural proximity to severe cyber harm.

What this research is really about

  • Internal audit and cyber assurance
  • Why standards-compliant organisations still fail
  • Black Snow events
  • Weak signals and escalation failure
  • Cybersecurity DNA
  • Structural proximity to catastrophic cyber loss
  • Audit beyond checklist compliance
Paper 04Public Summary Only

The Cyber Butterfly Effect

The Cyber Butterfly Effect explains how small tolerated weaknesses can move through an organisation’s cyber DNA and eventually create disproportionate harm. It focuses on micro-causation, hidden weakness, supplier opacity, behavioural adaptation, and assurance failure.

What this research is really about

  • Small tolerated cyber weakness
  • Organisational cyber DNA
  • Micro-causation
  • Hidden digital estate
  • Ghost assets
  • Supplier and software trust
  • Sequence of cyber deterioration
  • How minor issues become major harm
Paper 05Public Summary Only

Sequence Matters: Non-Commutative Operators in Organisational Cyber Risk

Sequence Matters argues that the order of cyber interventions changes the risk outcome. It examines how controls act on technical, behavioural, and symbolic organisational states, making cybersecurity sequencing a first-class governance variable.

What this research is really about

  • Intervention sequencing
  • Non-commutative cyber risk
  • Technical, behavioural, and symbolic organisational state
  • Trust before surveillance
  • Metrics and the certainty paradox
  • Path dependence and lock-in
  • Designing cyber programmes in the right order
Paper 06Public Summary Only

A General Theory of Organisational Cyber Risk

A General Theory of Organisational Cyber Risk reframes cyber risk as a survivability problem in a tail-dominant environment. It challenges expected-loss thinking, compliance proxies, averaging, and weak board-level assumptions about cyber defensibility.

What this research is really about

  • Cyber risk as survivability
  • Tail-dominant loss
  • Non-ergodic organisational risk
  • Weakest-link dynamics
  • Defensibility evidence
  • Operational resilience
  • Board-level cyber risk mathematics
  • Why compliance does not equal survivability

IP Protection Note

The research summaries on this page are intentionally limited. They are designed to show the direction, substance, and relevance of the work without publishing full intellectual property, detailed models, equations, proprietary methods, or unpublished research materials.

For collaboration, review, publication, training, or commercial discussion, access to deeper material may be provided selectively and under appropriate conditions.

Research Signals

Terms the research naturally speaks to.

organisational cyber riskcyber governanceboard cyber riskcyber defensibilitycybersecurity governance failurecyber risk theoryinternal audit cyber riskcyber assurancecyber risk researchindependent cyber researchercyber risk mathematicsnon-ergodic cyber riskcyber resiliencecyber compliance theatrecyber board accountabilityAI governance and cyber riskcyber risk sequencingcyber butterfly effectBlack Snow cyber riskcyber cube theory