A Measurable Definition of Resiliency Using "Mission Risk" as a Metric
March 2014
Topics: Cybersecurity, Critical Infrastructure Protection, Risk Management, Performance of Systems, Computer Security
In the cyber world, there has been a shift in mindset from trying to prevent attacks from occurring and succeeding to developing tools and techniques that can make systems resilient in the face of incidents. Unfortunately, progress in this area has been hampered by the fact that we lack concrete methods that allow us to evaluate when, and by how much, modifications to a system contribute to making it more resilient. Part of the problem is that the term "resilience" itself lacks a clear definition that supports measurable metrics that would allow two like systems to be compared against each other, or would enable the measurement of how different resiliency techniques can improve a system's resiliency when they are applied.
In this paper we will review and discuss the terminology and definitions that have been proposed and used for describing the terms "resilience" and "resiliency" with respect to cyber and other systems. Ultimately, we address the deficiencies of these previous definitions by choosing a definition for resilience that equates to the inverse of "mission risk" that is adequately qualified by the context in which it applies. In selecting a measurement (or estimated measurement) based on risk as our resilience metric, we have chosen a resilience definition that is clearly defined, measurable, and has a sound theoretical grounding. Our computable metric makes it possible to perform like-to-like systems comparisons that allow us to measure the resiliency of a system, and to use this measurement to evaluate how resiliency methods are able to improve the resiliency of a system.