Abstract
As federal agencies and businesses rely more on cyber infrastructure, they are increasingly vulnerable to cyber attacks that can cause damage disproportionate to the sophistication and cost of launching the attack. In response, regulatory authorities call for focusing attention on enhancing infrastructure resilience. For example, in the USA, President Obama issued an Executive Order and policy directives focusing on improving the resilience and security of cyber infrastructure to a wide range of cyber threats. Despite the national and international importance, resilience metrics to inform management decisions are still in the early stages of development. We apply the resilience matrix framework developed by Linkov et al. (Environ Sci Technol 47:10108–10110, 2013) to develop and organize effective resilience metrics for cyber systems. These metrics link national policy goals to specific system measures, such that resource allocation decisions can be translated into actionable interventions and investments. In this paper, a number of metrics have been identified and assessed using quantitative and qualitative measures found in the literature. We have proposed a generic approach that could integrate actual data, technical judgment, and literature-based measures to assess system resilience across physical, information, cognitive, and social domains.
References
Abdelzaher T, Kott A (2013) Resiliency and robustness of complex systems and networks. Adaptive, dynamic and resilient systems. Auerbach Publications, Florida
Alberts D (2002) Information age transformation, getting to a 21st century military. DOD Command and Control Research Program. http://www.dtic.mil/get-tr-doc/pdf?AD=ADA457904. Accessed 20 Sept 2013
Alberts D, Hayes R (2005) Code of best practice for experimentation. CCRP Publication Series, Washington
Allen J, Curtis P (2011) Measures for managing operational resilience. CMU/SEI-2011-TR-019. http://www.sei.cmu.edu/reports/11tr019.pdf. Accessed 4 Sept 2013
Bartol N, Bates B, Goertzel K, Winograd T (2009) Measuring cyber security and information assurance: a state of the art report. https://www.thecsiac.com/sites/default/files/cybersecurity.pdf. Accessed 17 Oct 2013
Bodeau D, Graubart R (2011) Cyber resiliency engineering framework. MTR110237. http://www.mitre.org/sites/default/files/pdf/11_4436.pdf. Accessed 4 Sept 2013
Chandrasekharan PC (1996) Robust control of linear dynamical systems. Academic Press, Missouri
Defense Science Board (2013) Task force report: resilient military systems and the advanced cyber threat. http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf. Accessed 4 Sept 2013
Department of Defense (2011) Department of defense strategy for operating in cyberspace. http://www.defense.gov/news/d20110714cyber.pdf. Accessed 11 Sept 2013
Executive Order 13636—Improving Critical Infrastructure Cyber Security (2013) http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf. Accessed 18 Sept 2013
Halvin S, Kenett DY, Ben-Jacob E, Bunde A, Choen R, Hermann H, Kantelhardt JW, Kertesz J, Kirkpatrick S, Kurths J, Portugali J, Solomon S (2012) Challenges in network science: applications to infrastructures, climate, social systems, and economics. Eur Phys J Spec Top 214:273–293
Hollnagel E, Paries J, Woods D, Wreathall J (2011) Resilience engineering in practice: a guidebook. Ashgate, United Kingdom
Jansen W (2009) Directions in security metrics research. The National Institute of Standards and Technology. NISTIR 7564 http://csrc.nist.gov/publications/nistir/ir7564/nistir-7564_metrics-research.pdf. Accessed 1 Nov 2013
Kaplan S, Garrick J (1981) On the quantitative definition of risk. Risk Anal 1(1):11–27
Kott A, Arnold C (2013) The promises and challenges of continuous monitoring and risk scoring. Secur Priv 11(1):90–93
Linkov I, Eisenberg D, Bates M, Chang D, Convertino M, Allen J, Flynn S, Seager T (2013) Measurable resilience for actionable policy. Environ Sci Technol 47:10108–10110
National Academy of Sciences (2012) Disaster resilience: a national imperative. Washington DC, United States. http://www.nap.edu/catalog.php?record_id=13457. Accessed 11 Sept 2
Park J, Seager TP, Rao PS, Convertino M, Linkov I (2012) Integrating risk and resilience approaches to catastrophe management in engineering systems. Risk Anal 33(3):356–367
Presidential Policy Directive—Critical Infrastructure Security and Resilience (PPD-21) (2013) http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil. Accessed 17 Oct 2013
“Resilience.” Merriam-Webster.com. Merriam-Webster, n.d. Web. http://www.merriam-webster.com/dictionary/resilience. Accessed 9 Oct 2013
Acknowledgments
Special thanks to Zachary Collier for his comments and suggestions. Permission was granted by the USACE Chief of Engineers to publish this material. The views and opinions expressed in this paper are those of the individual authors and not those of the US Army, or other sponsor organizations.
Cite this article
Linkov, I., Eisenberg, D.A., Plourde, K. et al. Resilience metrics for cyber systems. Environ Syst Decis 33, 471–476 (2013). https://doi.org/10.1007/s10669-013-9485-y
DOI: https://doi.org/10.1007/s10669-013-9485-y