Darja Rihla

Category: Systemen & Discipline

  • What Is a Complex System?

    What Is a Complex System?

    Darja Rihla Systems Thinking

    What Is a Complex System?

    The systems that shape the modern world do not move in straight lines. They evolve through interaction, feedback, emergence, and hidden dependencies that make simple explanations increasingly unreliable.

    Article Type Foundational systems essay
    Core Concepts Non-linearity, feedback, emergence
    Applies To Markets, cities, platforms, cybersecurity
    Reading Time 10 min read
    Core property Interdependence Many connected parts influence one another continuously.
    Behavior Non-linearity Small inputs can create large effects and large efforts can fail.
    Mechanism Feedback loops Outputs return to shape what the system does next.
    Outcome Emergence Patterns appear that no single part fully controls.

    Opening observation

    The world we live in is not simple. Markets move unpredictably. Ecosystems evolve over time. Digital systems interact in unexpected ways. Societies change through millions of local decisions that no central planner fully controls.

    Many of the forces that shape modern life operate as complex systems. They are not governed by one actor, one rule, or one clean chain of cause and effect. They are shaped by many interacting parts whose behavior changes the system itself.

    To understand the modern world more clearly, you must understand what a complex system is.

    01 · Foundation

    From Simple Systems to Complex Systems

    To understand what a complex system is, it helps to begin with the opposite. A simple system behaves in relatively predictable ways. If you know the components and the rules that govern them, you can usually anticipate the result.

    A mechanical clock, a basic electrical circuit, or a calculator may contain multiple parts, but they still follow stable relationships. When something breaks, the problem can often be traced to one specific component.

    Complex systems are different. They contain many interacting elements whose behavior changes one another. That interaction makes the whole increasingly difficult to predict from the parts alone.

    Simple system
    • Clear rules
    • Direct causality
    • Predictable outcomes
    • Failures are usually localized
    • One part often explains the malfunction
    Complex system
    • Many interacting parts
    • Distributed causality
    • Unstable or delayed outcomes
    • Failures propagate across connections
    • Patterns emerge from interaction

    The global economy, ecosystems, cities, the internet, financial markets, and social networks all belong in this second category. In each case, no single component determines the outcome. What matters is the web of relationships.

    A system becomes complex when interaction matters more than isolated parts.
    02 · Core traits

    The Key Characteristics of Complex Systems

    Complex systems differ from simple ones through a few recurring traits. These traits do not belong only to science or mathematics. They are visible in markets, institutions, digital platforms, infrastructure, and everyday social life.

    Interconnected elements

    Everything influences something else

    A complex system contains many components linked together through relationships. In the global economy that means governments, firms, consumers, finance, logistics, and regulation. A decision in one zone ripples into others.

    Adaptation

    The system changes while you observe it

    Actors inside the system respond to incentives, pressure, and one another. This means the system is not static. It evolves while people try to understand or control it.

    These connections mean that even local actions can have distant effects. The more connected the system becomes, the harder it is to isolate consequences inside one box.

    Complexity grows when dependency chains become dense enough that local change stops staying local.
    03 · Behavior

    Non-Linear Behavior

    In simple systems, small causes tend to produce small effects. In complex systems, that assumption breaks down. A small change can produce a large outcome, while large interventions can produce surprisingly little.

    This is what non-linearity means. The relationship between input and outcome is unstable, disproportional, or delayed. That is one reason prediction becomes difficult.

    Cybersecurity

    One vulnerability, massive exposure

    A single software weakness can expose millions of dependent systems when the architecture is interconnected.

    Platforms

    One post, global reaction

    A single viral signal can spill into international discourse when network effects and amplification are already present.

    Finance

    Small shock, broad instability

    A limited disruption can travel through leverage, expectation, and market correlation until it becomes systemic.

    Key implication In a complex system, scale does not map cleanly from effort to outcome.
    Non-linearity is what makes systems feel surprising even when their structure is visible.
    04 · Mechanism

    Feedback Loops

    Another defining feature of complex systems is the presence of feedback loops. A feedback loop appears when the output of a system influences its future behavior.

    There are two broad types. Reinforcing loops amplify movement. Balancing loops constrain it. Together, they shape whether a system accelerates, stabilizes, or oscillates.

    Technological innovation offers an example of reinforcement. New capabilities attract investment. Investment accelerates further development. Development then increases perceived opportunity, drawing in still more capital.

    Markets also contain balancing loops. If prices rise too far, demand can fall, which may eventually slow or reverse the trend. But even balancing loops do not produce perfect stability. They operate inside larger structures that are themselves moving.

    signal response output feedback new behavior
    Feedback loops are what make systems historical. What happened before changes what happens next.
    05 · Emergence

    When the Whole Becomes Something Else

    Perhaps the most fascinating feature of complex systems is emergence. Emergent behavior appears when the interactions between many components generate outcomes that cannot be understood by looking at the parts in isolation.

    Traffic jams can arise without a single central coordinator. Ant colonies construct intricate systems without a leader issuing detailed plans. Social media trends spread across populations without anyone controlling the pattern as a whole.

    These are not random accidents. They are the result of repeated local interactions that produce higher-order behavior. The system becomes something more than a sum of components.

    That is why systems thinking focuses on relationships, not just objects. The pattern often lives between the parts.

    Emergence begins when interaction produces patterns no single actor explicitly designed.
    06 · Limits

    Why Complex Systems Are Difficult to Control

    Because complex systems contain many interacting elements, they often resist centralized control. Policies, strategies, or interventions that seem logical in isolation can create surprising consequences once they enter a living system.

    Economic regulation can create new market incentives. Urban planning can reshape migration patterns. Cybersecurity defenses can push attackers toward different techniques rather than ending the conflict entirely.

    This does not mean complex systems cannot be influenced. It means influence must begin with structure. If you do not understand the internal dynamics of the system, interventions often move the problem rather than solve it.

    Control weakens when the system keeps adapting faster than the intervention model assumes.
    07 · Modern world

    Complex Systems in the Twenty-First Century

    In the modern world, complex systems matter more than ever because digital technology has connected infrastructure, markets, information, and social behavior at global scale. Networks that were once separate now overlap continuously.

    A cyberattack on critical infrastructure can affect energy systems, transportation, finance, and public trust in one sequence. A technological breakthrough can restructure industries and labor markets far beyond its original field. A social platform can spread information, and misinformation, across continents in minutes.

    These are not separate stories. They are examples of interconnected systems interacting with one another. The twenty-first century is not just faster. It is more tightly coupled.

    The more connected modern systems become, the more valuable systems thinking becomes.
    08 · Practice

    Learning to Think in Systems

    Understanding complex systems requires a shift in perspective. Instead of asking only what caused one visible event, systems thinking asks what structure made that event possible.

    That means asking better questions:

    What structures produced this behavior?
    How do different parts interact?
    Which feedback loops are shaping outcomes?
    Where are the hidden dependencies?

    This approach does not eliminate uncertainty. It does something more useful. It makes uncertainty intelligible by locating it inside a structure.

    Systems thinking replaces isolated explanation with structural pattern recognition.
    09 · FAQ

    Frequently Asked Questions

    What makes a system complex?

    A system becomes complex when it contains many interacting components whose relationships produce outcomes that cannot be easily predicted from the parts alone.

    What is non-linearity in a complex system?

    Non-linearity means the relationship between cause and effect is disproportional. Small changes can create large outcomes, and large interventions can have weak or delayed effects.

    What is emergence?

    Emergence is the appearance of larger patterns that arise from interaction. The pattern exists at the level of the whole and cannot be fully explained by one component in isolation.

    10 · Final position

    Complexity as a Reality of Modern Life

    Complex systems are not an abstract concept reserved for scientists. They shape everyday life. From supply chains to social media, from financial markets to cybersecurity networks, the systems that govern the modern world are increasingly interconnected, adaptive, and difficult to reduce to one cause. Understanding complexity does not eliminate uncertainty, but it provides a framework for navigating it. In a world defined by interconnection and rapid change, learning to recognize complex systems may be one of the most valuable intellectual skills of our time.

    Explore the full Systems Thinking pillar

    Continue through Darja Rihla’s growing archive on feedback loops, emergence, institutions, systemic risk, and structural analysis.

    Darja Rihla · Systems Thinking · Premium Editorial Layout

  • Zero Trust Identity Security: The Modern Defense Framework for Access Control

    Why identity has become the control plane of modern cybersecurity.

    Book a Zero Trust Review

    There was a time when cybersecurity was built around borders.

    The network was the fortress.
    The firewall was the gate.
    The assumption was simple: once a user entered the perimeter, trust followed almost automatically.

    That model no longer reflects reality.

    Modern organizations no longer operate inside a single physical boundary. Users authenticate from home networks, mobile devices, cloud applications, unmanaged endpoints, contractor systems, and third-party platforms. Data moves across SaaS ecosystems, APIs, collaboration tools, and identity providers. The perimeter has dissolved.

    What remains is identity.

    Identity is no longer one security control among many. It has become the control plane through which access to systems, applications, and data is granted, limited, or denied. This is why Zero Trust, at its core, is not simply a network philosophy. It is an identity philosophy.

    NIST’s Zero Trust framework formalizes this shift by rejecting implicit trust based on network location or asset ownership and replacing it with continuous verification of every access request.

    The modern question is no longer:

    “Are you inside the network?”

    The modern question is:

    “Can you continuously prove that you should still be trusted right now?”

    That is the real foundation of zero trust identity security.

    The Collapse of the Traditional Trust Model

    Traditional security models were built around permanence.

    A user logged in once.
    A session was created.
    Trust persisted.

    This persistence was convenient for operations, but it created a structural weakness: attackers no longer need to break in through hardened infrastructure if they can simply inherit trust.

    A stolen password.
    A phished MFA approval.
    A hijacked session cookie.
    A replayed access token.

    In each case, the attacker is not breaking the wall.

    They are borrowing legitimacy.

    This is why modern attacks increasingly target identity workflows rather than raw infrastructure exposure.

    The shift from perimeter compromise to identity compromise is one of the defining cybersecurity realities of 2026.

    Microsoft now explicitly treats identity protection and phishing-resistant authentication as foundational Zero Trust controls, not optional hardening layers.

    That shift matters.

    Because once identity becomes the new perimeter, every weakness in human trust, device assurance, session continuity, and policy design becomes part of the attack surface.

    How Zero Trust identity security actually works

    At a technical level, Zero Trust identity security is a continuously evaluated trust system.

    It is not a login screen.

    It is a sequence of trust decisions.

    1. Identity Claim

    A user, administrator, service account, or workload initiates an access request.

    This begins with a claim:

    “I am this identity.”

    That claim may be represented by:

    • username and password
    • passkey
    • certificate
    • smart card
    • workload identity
    • managed identity

    The claim itself is not trust.

    It is only the start of a validation process.

    2. Authentication Strength Validation

    Modern systems increasingly separate weak trust from resilient trust.

    Not all MFA is equal.

    SMS codes, email OTPs, and push prompts are all forms of MFA, but they remain vulnerable to phishing, fatigue attacks, SIM swaps, and social engineering.

    This is why Microsoft and CISA emphasize phishing-resistant MFA as the modern baseline for privileged access and sensitive environments.

    Passkeys and FIDO2 change the trust model entirely.

    Instead of transmitting a reusable secret, they rely on origin-bound public key cryptography.

    This means the credential is cryptographically tied to the legitimate relying party.

    A fake phishing domain cannot replay the same proof in the same way.

    That is not merely stronger MFA.

    That is a fundamentally different authentication mechanism.

    The Real Shift: From Credential Theft to Trust Theft

    Attackers are no longer focused only on credentials.

    They increasingly target trust itself.

    This includes:

    • password theft
    • session token theft
    • MFA fatigue
    • helpdesk impersonation
    • recovery workflow abuse
    • device trust bypass
    • browser session replay

    This is the real battlefield.

    An attacker who steals a valid session token may not need to reauthenticate at all.

    This is why strong login security alone is insufficient.

    The modern access chain looks like this:

    identity → authentication → token issuance → session continuity → authorization

    A weakness anywhere in that chain creates a usable trust artifact.

    And attackers only need one.

    Where the System Really Breaks: After Login

    Users often over-focus on the login moment.

    Psychologically, authentication is seen as the main security event.

    But modern attackers increasingly operate after successful authentication.

    After authentication, the system typically issues:

    • access tokens
    • refresh tokens
    • session cookies
    • device assertions
    • privilege claims

    These become the new trust objects.

    If these objects are stolen, replayed, or abused, the attacker can inherit the session without repeating the original challenge.

    This is why token protection and session control are no longer secondary features.

    They are core defense layers.

    Zero Trust becomes real not only by proving who the user is, but by continuously proving that the active session still deserves trust.sly proving that the current session still deserves trust.

    The Human Behaviour Layer: Why Users Still Misunderstand Identity Security

    The failure is not only technical.

    It is behavioural.

    People naturally think in doors.

    A door is either open or closed.

    Logged in or logged out.

    Allowed or denied.

    But Zero Trust does not work like a door.

    It works like a negotiation.

    Trust is dynamic.

    Trust decays.

    Trust must be re-earned.

    Once users successfully authenticate, many mentally conclude:

    “I am safe now.”

    That assumption is dangerous.

    Because security does not end at login.

    The actual high-risk layer often begins there.

    Security Theater and False Confidence

    People often mistake visible friction for actual strength.

    Examples include:

    • extra prompts
    • multiple codes
    • repeated push approvals
    • forced password resets

    These feel secure because they are visible.

    But visible friction is not the same as phishing resistance.

    A cryptographically bound passkey may be both faster and substantially stronger than a slower SMS-based MFA flow.

    This creates a psychological paradox:

    users trust what feels harder, not always what is architecturally stronger.

    Operational Psychology: The Helpdesk Problem

    Support teams are often rewarded for restoring access quickly.

    That incentive structure creates exploitable behaviour.

    An attacker who convincingly impersonates a user under time pressure can manipulate:

    • password resets
    • MFA re-enrollment
    • account recovery
    • device registration
    • emergency exceptions

    The weakness is not always the technology.

    It is the pressure environment around it.

    The system breaks where humans optimize for continuity over verification.

    That is a systems design flaw.

    Zero Trust as a Living Control Framework

    Zero Trust is not a product.

    It is not Microsoft Entra.
    It is not Okta.
    It is not passkeys.
    It is not Conditional Access.

    It is a living access philosophy.

    Every access decision must be:

    • explicitly verified
    • context-aware
    • least privileged
    • continuously re-evaluated

    Trust must be influenced by:

    • user risk
    • device compliance
    • geo anomalies
    • time-based patterns
    • impossible travel
    • privilege sensitivity
    • session anomalies

    This is why Continuous Access Evaluation is strategically important.

    The Deeper Truth

    Security is moving from:

    protecting places

    to

    validating claims

    That is a profound shift.

    The future of access control is not walls.

    It is trust economics.

    Who gets believed, for how long, under what conditions, and with what proof.

    That is the real Zero Trust question.

    Final Synthesis

    Zero Trust identity security recognizes a hard reality:

    trust is the most valuable asset inside any digital system.

    Attackers increasingly target people, sessions, tokens, recovery workflows, and mental assumptions rather than just infrastructure.

    The strongest organizations in 2026 are not the ones with the most prompts.

    They are the ones that understand how trust is created, abused, inherited, and continuously challenged.

    That is where security becomes strategy.

    FAQ BLOCK

    What is Zero Trust identity security?
    A framework where every access request is continuously verified based on identity, device, and risk context.

    Why is phishing-resistant MFA important?
    Because legacy MFA methods remain vulnerable to phishing and fatigue attacks.

    Can attackers bypass login security?
    Yes, through stolen session tokens and trust artifacts.

    Need a Zero Trust maturity review for your environment?

    Darja Rihla offers:

    • Conditional Access reviews
    • token protection scans
    • phishing-resistant MFA readiness
    • identity workflow audits
    • WordPress security hardening for SMEs

    Request a Zero Trust Quick Scan starting from €149.9.