Abstract
This chapter describes an evolution of practices in community and business assurance from protective programs based upon risk management to the emerging strategy of resilience. The chapter compares and contrasts these two basic approaches, identifying notable gaps where cyber security lags in the larger transformation. Recommendations address concepts, techniques, and strategies for integration of the cyber world with the physical and human worlds, and opportunities for future research.
Acknowledgements
The authors are grateful for discussion with members of the Cyber Working Group in the NATO Advanced Research Workshop “Resilience-Based Approaches to Critical Infrastructure Safeguarding”, convened in Ponta Delgada, Azores, Portugal, 26–29 June, 2016. The organizers of the workshop were Igor Linkov, Bojan Srdjevic, and José Palma-Oliveira.
© 2017 Springer Science+Business Media B.V.
Roege, P.E. et al. (2017). Bridging the Gap from Cyber Security to Resilience. In: Linkov, I., Palma-Oliveira, J. (eds) Resilience and Risk. NATO Science for Peace and Security Series C: Environmental Security. Springer, Dordrecht. https://doi.org/10.1007/978-94-024-1123-2_14
DOI: https://doi.org/10.1007/978-94-024-1123-2_14
Publisher Name: Springer, Dordrecht
Print ISBN: 978-94-024-1122-5
Online ISBN: 978-94-024-1123-2
eBook Packages: Computer Science (R0)