What is Hybrid Risk?



Hybrid risk is the exposure that arises when multiple, distinct, and traditionally compartmentalized categories of risk, including cyber, legal, informational, financial, operational, reputational, and geopolitical, are synchronized to produce cumulative or systemic adverse effects on an organization and its operations.

Hybrid risk is characterized by:

1. Cross-domain interaction. It arises from the simultaneous and coordinated use of instruments across multiple domains. This means that an action in one sphere (a cyber intrusion) can amplify effects in another (financial instability, political unrest).

This multidimensionality complicates detection, attribution, and governance, because regulatory and legal frameworks are domain specific (cybersecurity law, competition law), but hybrid operations deliberately blur these boundaries.

In simple words, this risk emerges from interactions across domains that we are still managing separately.

2. Adversarial orchestration. Hybrid risk is strategically orchestrated by an adversary, often a state or state sponsored actor, seeking to achieve political or strategic objectives below the threshold of open conflict.

The adversary integrates multiple instruments of power (information, cyber, economic, legal) to create cumulative pressure without triggering a conventional military response.

This orchestration is deliberate, designed to exploit the vulnerabilities of open societies, democratic institutions, supply chains, and regulatory frameworks.

3. Ambiguity of attribution or jurisdiction. A defining feature of hybrid risk is ambiguity about who is responsible (attribution) and which legal system has competence (jurisdiction).

Hybrid operations are concealed, deniable, or plausibly disowned. Adversaries use proxy groups, front organizations, digital obfuscation, and layered intermediaries to make it difficult to prove state involvement.

This prevents the activation of traditional response mechanisms (like Article 5 of the NATO Treaty) that require clear attribution.

Hybrid campaigns operate in legal grey zones. For example, a cyber intrusion through a chain of intermediaries across multiple jurisdictions is followed by a leak of stolen (and subsequently altered) documents that damage an organization’s reputation, but attribution is uncertain.


Hybrid risk is a condition of latent justiciability. What does it mean?

Legal scholars describe hybrid risk as a condition of latent justiciability. This is the condition of a legal matter that is not suitable for judicial review, because it lacks the necessary factual or legal circumstances for judicial determination.

A dispute is justiciable when there is a dispute between adverse parties concerning legal rights or obligations that the court can resolve through a binding decision.

Issues that are hypothetical are usually non-justiciable.


Why is hybrid risk often non-justiciable?

There are several reasons:

1. Absence of a concrete and legally framed dispute. Courts require a specific act, identifiable perpetrator, and clear harm to legal rights.

Hybrid threats are often diffuse (spread across sectors and time) and unattributable (no provable actor).

2. Evidentiary and attributional uncertainty. To be justiciable, a case must rely on verifiable evidence. Hybrid operations are intentionally ambiguous. Attribution to a state or entity is often classified or uncertain. Evidence may be intelligence based, unavailable, or unsuitable for open court.

3. Lack of enforceable legal standards. International and domestic law are still developing frameworks to govern hybrid threats. There are no settled legal thresholds for hybrid aggression, and no codified rights or remedies for hybrid influence campaigns.

Hybrid risk becomes capable of judicial review when:

1. A specific hybrid operation leads to tangible damage (data breach, financial loss, unlawful surveillance).

2. Attribution to a state or entity can be established.

3. The matter falls under domestic or international law (cybercrime, breach of data protection law, violation of sovereignty).


The three foundational concepts of responsibility: Culpa, dolus, and casus fortuitus

1. Culpa (negligent fault). Culpa is a fault arising from a failure to exercise due diligence or care required by law, or by the nature of one’s function. It covers negligence, imprudence and omission, where harm results not from malicious intent but from a deviation from the standard of conduct expected of a prudent actor.

Culpa signifies a breach of a duty of foresight and prevention. The degree of culpa may range from slight to gross. Its essence lies in the existence of a duty breached through inattention, error, or systemic deficiency. In the context of hybrid risk, the term culpa describes the condition of institutional or regulatory neglect that enables adversarial exploitation.

2. Dolus (intentional wrongdoing). Dolus means intent, the deliberate and conscious will to cause an unlawful or harmful result. It implies the mental element (mens rea) that distinguishes intentional wrongdoing from mere fault.

The Latin term mens rea literally means guilty mind. It refers to the mental state of a person at the time they commit an actus reus (guilty act).

In very simple words, for most crimes, the prosecution must prove that the defendant committed a prohibited act, and that they did so with a culpable mental state. Without mens rea, there may be a harmful act, but not necessarily a crime (perhaps an accident).

Dolus exists when there is knowledge of an act’s unlawfulness, and free determination of the actor that performs it, either directly (dolus directus), or indirectly through acceptance of the likely consequences (dolus eventualis).

Within the framework of hybrid risk, dolus is the calculated orchestration of actions designed to destabilize or coerce another actor while maintaining plausible deniability. It captures the adversarial design that transforms systemic vulnerabilities into instruments of influence or disruption.

3. Casus Fortuitus (a fortuitous event, an accidental occurrence beyond human control). It describes an event or occurrence beyond human control that is unforeseeable and unavoidable, exempting the actor from liability due to the absence of both intent and negligence.

Certain harms arise not from human omission, but from the inherent unpredictability of complex systems, natural phenomena, or interactions. In hybrid risk analysis, casus fortuitus describes the uncontrollable dimensions of interdependent domains, where deliberate actions generate unforeseen results. Here causality dissolves into complexity, challenging the attribution of legal responsibility and the applicability of traditional doctrines of fault.


Hybrid Risk, and its connection with Culpa, Dolus, and Casus Fortuitus

Hybrid risk cannot fit in the classical legal taxonomy of human conduct and responsibility. Traditionally, the law distinguishes between culpa (negligent fault), dolus (intentional wrongdoing) and casus fortuitus (fortuitous or accidental events beyond human control). These categories serve to allocate responsibility, determine liability, and guide judicial reasoning about causation and fault. Hybrid risk does not fit within any single one of these categories. It exists at a space where negligence, intent, and chance coexist and interact.

Hybrid adversaries actively seek culpa (negligent fault), vulnerabilities born of institutional inattention, regulatory gaps, and systemic negligence. States and organizations that fail to foresee or mitigate known interdependencies between digital infrastructures, supply chains, and cognitive environments create the permissive environment within which hybrid threats operate. This negligence is a clear failure of anticipatory governance and strategic foresight.

Culpa is the fertile ground on which adversaries act. Dolus is the adversarial intent that defines hybrid operations. Hybrid threats are designed, coordinated, and executed with a purpose. The hybrid actor orchestrates diverse instruments of power, including cyberattacks, disinformation, economic coercion, and legal manipulation, to produce cumulative strategic effects. This deliberate orchestration embodies the dolus element.

The complexity of the systems through which hybrid operations unfold introduces a further dimension, the casus fortuitus. Once initiated, hybrid dynamics generate effects that neither the perpetrator nor the victim can predict or control. Networked interdependence, algorithmic amplification, and social volatility introduce unpredictability. These outcomes arise from the behavior of complex systems, erode causality, and make precise attribution (moral, legal, or technical) very difficult.

The interplay of these three dimensions (negligence, intent, and fortuity) explains why hybrid risk resists juridical classification. It is the product of negligent vulnerability (culpa), exploited through intentional design (dolus), and amplified by systemic contingency (casus fortuitus). This interaction destabilizes traditional doctrines of liability and causation. No single actor bears exclusive responsibility, and no single legal framework can capture the totality of the event. In hybrid attacks, the law deals with phenomena that are human and systemic, deliberate and accidental, foreseeable and emergent, all at the same time.

Hybrid risk remains beyond the reach of courts. Only some of the building blocks of hybrid risk are acts capable of legal characterization, such as a data breach or an act of sabotage. But these are only a small part of a hybrid campaign. So what lies beyond the reach of courts demands better corporate governance, counterintelligence, and exchange of information.

