Bridging the Gap from Cyber Security to Resilience

  • Paul E. Roege
  • Zachary A. Collier
  • Vladyslav Chevardin
  • Paul Chouinard
  • Marie-Valentine Florin
  • James H. Lambert
  • Kirstjen Nielsen
  • Maria Nogal
  • Branislav Todorovic
Conference paper
Part of the NATO Science for Peace and Security Series C: Environmental Security book series (NAPSC)


This chapter describes an evolution of practices in community and business assurance from protective programs based upon risk management to the emerging strategy of resilience. The chapter compares and contrasts these two basic approaches, identifying notable gaps where cyber security lags in the larger transformation. Recommendations address concepts, techniques, and strategies for integration of the cyber world with the physical and human worlds, and opportunities for future research.


Keywords: Cyber security; Resilience; Risk management; Protection; Enterprise; Critical infrastructure; Digital word



The authors are grateful for discussion with members of the Cyber Working Group in the NATO Advanced Research Workshop “Resilience-Based Approaches to Critical Infrastructure Safeguarding”, convened in Ponta Delgada, Azores, Portugal, 26–29 June, 2016. The organizers of the workshop were Igor Linkov, Bojan Srdjevic, and José Palma-Oliveira.


Copyright information

© Springer Science+Business Media B.V. 2017

Authors and Affiliations

  • Paul E. Roege (1; email author)
  • Zachary A. Collier (2)
  • Vladyslav Chevardin (3)
  • Paul Chouinard (4)
  • Marie-Valentine Florin (5)
  • James H. Lambert (2)
  • Kirstjen Nielsen (6, 7)
  • Maria Nogal (8)
  • Branislav Todorovic (9)

  1. Creative Erg, LLC, Corvallis, USA
  2. University of Virginia, Charlottesville, USA
  3. Ministry of Defense of Ukraine, Kiev, Ukraine
  4. Defence R&D Centre for Security Science, Ottawa, Canada
  5. EPFL International Risk Governance Center, Lausanne, Switzerland
  6. Sunesis Consulting, LLC, Alexandria, USA
  7. George Washington University Center for Cyber and Homeland Security, Washington, USA
  8. Trinity College Dublin, Dublin, Ireland
  9. University of Belgrade, Belgrade, Serbia
