CyberResilienceFAQs

Frequently Asked Questions about Cyber Resilience


Cyber Resilience Frequently Asked Questions

What is Cyber Resilience?

Cyber Resilience is achieved by making it costly and difficult for intruders to break into our environment and maintain a presence in its systems, and by strengthening the system-of-systems' ability to recover business functions after adversity. One of the first steps to kick-start a Cyber Resilience program is identifying the critical data, processes and systems that are high value assets and developing plans to address gaps in their resiliency. Once identified, those key assets can be designed, implemented and maintained appropriately by leveraging existing cyber resilience best practices. This perspective is particularly relevant for addressing Advanced Persistent Threats (APTs), which may execute a coordinated, destructive, long-lasting attack against an organization. APT actors do not aim only at the most vulnerable or least protected assets in order to carry out their mission; they may specifically decide to attack the assets that provide them maximum gain towards their objectives. These assets are referred to as High Value Targets.

The definition of Cyber Resilience differs between domains and may be stated as follows:

Business world - Cyber Resilience is an outcome of Cyber Security and Operational Resilience and is defined as “the ability of an organization to transcend any stresses, failures, hazards and threats to its cyber resources within the organization and its ecosystem, such that the organization can confidently pursue its mission, enable its culture and maintain its desired way of operating” (WEF, 2022).

Technical world - Cyber Resilience is an extension of Cyber Security and is defined as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.” (NIST 800-160 v2 r1). Cyber Resilience is grounded on NIST 800-160 v2 r1 and MITRE CREF (the most authoritative industry resources known nowadays).

“the ability to continuously deliver the intended outcome despite adverse events” (Reference: “Cyber Resilience - Fundamentals for a Definition”, Bjorck et al., https://www.researchgate.net/publication/283102782Cyber_Resilience-_Fundamentals_for_a_Definition)

“the ability to prepare and plan for, to absorb, recover from, and more successfully adapt to adverse events” (Reference: NAS, via Hausken, https://www.researchgate.net/publication/283102782Cyber_Resilience-_Fundamentals_for_a_Definition)

“the ability of a system, person, or organization to recover from, defy or resist from any shock, insult, or disturbance” (Reference: Kishor, via Hausken)

“Cyber resilience is the ability of an actor to resist, respond, and recover from cyber incidents to ensure the actor’s operational continuity” (Reference: Hausken)

“assuming two equally performing systems A and B subjected to an impact (resulting from a cyber-attack) that left both systems with an equal performance degradation, the resiliency of system A is greater if after a given period T it recovers to a higher level of performance than that of system B.” (Reference: Linkov)

“The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Source(s): NIST SP 800-172

“The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.” Source(s): NIST SP 800-160 Vol. 2 Rev. 1; NIST SP 800-172A (from NIST SP 800-160 Vol. 2 Rev. 1)

“Cyber resilience is the ability of an organization to transcend any stresses, failures, hazards and threats to its cyber resources within the organization and its ecosystem, such that the organization can confidently pursue its mission, enable its culture and maintain its desired way of operating.” https://www3.weforum.org/docs/WEF_Cyber_Resilience_Index_2022.pdf

“Cyber resilience refers to the ability to protect electronic data and systems from cyberattacks, as well as to resume business operations quickly in case of a successful attack.” https://www.ecb.europa.eu/paym/cyber-resilience/html/index.en.html

“‘Cyber resilience’ is the ability for organizations to prepare for, respond to and recover from cyber attacks and security breaches.” https://www.gov.uk/government/collections/cyber-resilience

“The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” https://csrc.nist.gov/glossary/term/cyber_resiliency

“Cyber resiliency (also referred to as cyber resilience) is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources.” https://www.mitre.org/sites/default/files/PR_17-1434.pdf

Collated from various sources (mainly MITRE and ISF). “While mission assurance defines engineering practices to secure enterprises from advanced threats, cyber resilience is part of mission assurance, focused on advanced cyber threats.”

What is the relationship between Cyber Resilience and Business Resilience?

Business Resilience is the ability of a business or organization to continue to move forward with its business purpose while reacting to and recovering from unknown challenges. It is generally a key driver for any risk program. Business Resilience, and the policies and tolerances agreed upon by the risk office, should be the drivers for a Cyber Resilience program. In other words, a Cyber Resilience program should fulfill the goals of a Business Resilience plan or program where technology is concerned.

Where can I find out more about Cyber Resilience?

  • Blogs
    • World Economic Forum: https://www.weforum.org/agenda/2021/11/why-move-cyber-security-to-cyber-resilience/
    • Cisco: https://www.cisco.com/c/en/us/solutions/hybrid-work/what-is-cyber-resilience.html
    • Accenture: https://www.accenture.com/_acnmedia/accenture/conversion-assets/dotcom/documents/local/en/accenture-shifting-from-cybersecurity-to-cyber-resilience-pov.pdf
  • Videos
  • Intro Material
    • CMU Software Engineering Institute: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=294094
    • NIST: https://csrc.nist.gov/glossary/term/cyber_resiliency
    • IBM: https://www.ibm.com/topics/cyber-resilience

How is NIST SP800-160 relevant for cyber resilience?

NIST’s SP 800-160 series focuses on systems security. Its first volume, released in 2018, focused on secure systems engineering and drew on approaches from a range of engineering disciplines to inform its guidelines on the development of trustworthy secure systems. The second volume of SP 800-160, released in 2021, is, however, exclusively focused on the topic of cyber resiliency, and is intended to be used in conjunction with the earlier released systems-engineering guidelines in Vol. 1. Additionally, CISA has published the Cyber Resilience Review (CRR), a free, voluntary, non-technical assessment that evaluates an organization’s operational resilience and cybersecurity practices. CISA has also made available a mapping framework linking NIST’s Cyber Security Framework (CSF) to the CRR.

NIST SP 800-160 Vol. 2 Rev. 1 (2021) focuses on the development of cyber resilient systems. In the current landscape of still-evolving cyber resilience frameworks, NIST SP 800-160 Vol. 2 is one of the major frameworks that comprehensively addresses cyber resilience. Other frameworks for cyber resilience that have been developed include those put forth in whitepapers by MITRE and the World Economic Forum. Adopting a systems-engineering foundation, this SP incorporates principles from systems engineering, security, resilience, and risk management. (Note: NIST SP 800-160 Vol. 1, first published in 2016, focuses on the development of multidisciplinary approaches for engineering secure and trustworthy systems.)

Cyber resiliency is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Consequently, cyber resilience engineering is defined as follows:

Engineering that intends to architect, design, develop, implement, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources.

NIST SP 800-160 Vol. 2 defines cyber resilience and offers a set of four goals (anticipate, withstand, recover, adapt) and eight objectives (prevent/avoid, prepare, continue, constrain, reconstitute, understand, transform, re-architect). In addition, the framework offers a set of fourteen techniques and their approaches, strategic and structural design principles, and clarifies the relationship between the various cyber resiliency constructs.

Notably, this SP emphasizes that cyber resiliency needs vary across the life cycle of a system and calls for customized goals and objectives that benefit stakeholders at every stage of the system’s life cycle. Additionally, the document provides guidance for adapting cyber resiliency to different kinds of environments, such as enterprise systems, cyber-physical systems, and critical infrastructure systems, among others.

The interested reader is referred to the document here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v2r1.pdf

What standards and official publications exist?

Cyber resilience in aviation

  1. Lykou, G., Anagnostopoulou, A., & Gritzalis, D. (2018, June). Implementing cyber-security measures in airports to improve cyber-resilience. In 2018 Global Internet of Things Summit (GIoTS) (pp. 1-6). IEEE.
  2. Lykou, G., Anagnostopoulou, A., & Gritzalis, D. (2018). Smart airport cybersecurity: Threat mitigation and cyber resilience controls. Sensors, 19(1), 19.
  3. Lykou, G., Iakovakis, G., & Gritzalis, D. (2019). Aviation cybersecurity and cyber-resilience: assessing risk in air traffic management. In Critical Infrastructure Security and Resilience (pp. 245-260). Springer, Cham.

Cyber resilience metrics

  1. Graubart, R., & Bodeau, D. (2016). Cyber resilience metrics: Key observations. MITRE Corp., McLean, VA.
  2. Vugrin, E. D., & Turgeon, J. (2014). Advancing cyber resilience analysis with performance-based metrics from infrastructure assessments. In Cyber Behavior: Concepts, Methodologies, Tools, and Applications (pp. 2033-2055). IGI Global.
  3. Ford, R., Carvalho, M., Mayron, L., & Bishop, M. (2012). Toward metrics for cyber resilience. In 21st EICAR (European Institute for Computer Anti-Virus Research) annual conference proceedings.

Organizational perspectives for cyber resilience

  1. Ferdinand, J. (2015). Building organisational cyber resilience: A strategic knowledge-based view of cyber security management. Journal of Business Continuity & Emergency Planning, 9(2), 185-195.
  2. Llansó, T., & McNeil, M. (2021, January). Towards an organizationally-relevant quantification of cyber resilience. In Proceedings of the 54th Hawaii International Conference on System Sciences (p. 7065).
  3. Kott, A., Blakely, B., Henshel, D., Wehner, G., Rowell, J., Evans, N., … & Møller, A. (2018). Approaches to enhancing cyber resilience: report of the North Atlantic Treaty Organization (NATO) workshop IST-153. arXiv preprint arXiv:1804.07651.
  4. Hausken, K. (2020). Cyber resilience in firms, organizations and societies. Internet of Things, 11, 100204.

Others

  1. Groenendaal, J., & Helsloot, I. (2021). Cyber resilience during the COVID‐19 pandemic crisis: A case study. Journal of Contingencies and Crisis Management, 29(4), 439-444.
  2. Galinec, D., & Steingartner, W. (2017, November). Combining cybersecurity and cyber defense to achieve cyber resilience. In 2017 IEEE 14th International Scientific Conference on Informatics (pp. 87-93). IEEE.
  3. Peter, A. S. (2017). Cyber resilience preparedness of Africa’s top-12 emerging economies. International Journal of Critical Infrastructure Protection, 17, 49-59.
  4. Brennan, G., Joiner, K., & Sitnikova, E. (2019). Architectural choices for cyber resilience. Australian Journal of Multi-Disciplinary Engineering, 15(1), 68-74.
  5. Carayannis, E. G., Grigoroudis, E., Rehman, S. S., & Samarakoon, N. (2019). Ambidextrous cybersecurity: The seven pillars (7Ps) of cyber resilience. IEEE Transactions on Engineering Management, 68(1), 223-234.
  6. Kott, A., & Theron, P. (2020). Doers, not watchers: Intelligent autonomous agents are a path to cyber resilience. IEEE Security & Privacy, 18(3), 62-66.
  7. Tran, H., Campos-Nanez, E., Fomin, P., & Wasek, J. (2016). Cyber resilience recovery model to combat zero-day malware attacks. Computers & Security, 61, 19-31.
  8. Bellini, E., & Marrone, S. (2020, October). Towards a novel conceptualization of Cyber Resilience. In 2020 IEEE World Congress on Services (SERVICES) (pp. 189-196). IEEE.
  9. Choudhury, S., Rodriguez, L., Curtis, D., Oler, K., Nordquist, P., Chen, P. Y., & Ray, I. (2015, October). Action recommendation for cyber resilience. In Proceedings of the 2015 Workshop on Automated Decision Making for Active Cyber Defense (pp. 3-8).
  10. Abraham, C., & Sims, R. R. (2021). A comprehensive approach to cyber resilience. MIT Sloan Management Review.
  11. Conklin, W. A., Shoemaker, D., & Kohnke, A. (2017, March). Cyber resilience: Rethinking cybersecurity strategy to build a cyber resilient architecture. In ICMLG2017 5th International Conference on Management Leadership and Governance (p. 105).
  12. Alexeev, A., Henshel, D. S., Levitt, K., McDaniel, P., Rivera, B., Templeton, S., & Weisman, M. (2017, October). Constructing a science of cyber-resilience for military systems. In NATO IST-153 Workshop on Cyber Resilience (pp. 23-25).
  13. Fink, G. A., Griswold, R. L., & Beech, Z. W. (2014, August). Quantifying cyber-resilience against resource-exhaustion attacks. In 2014 7th International Symposium on Resilient Control Systems (ISRCS) (pp. 1-8). IEEE.
  14. Dickson, F., & Goodwin, P. (2019). Five key technologies for enabling a Cyber-resilience framework. US45455119, IBM.
  15. Zou, B., Choobchian, P., & Rozenberg, J. (2020). Cyber Resilience of Autonomous Mobility Systems: Cyber Attacks and Resilience-Enhancing Strategies. World Bank Policy Research Working Paper, (9135).
  16. Kleij, R. V. D., & Leukfeldt, R. (2019, July). Cyber resilient behavior: Integrating human behavioral models and resilience engineering capabilities into cyber security. In International conference on applied human factors and ergonomics (pp. 16-27). Springer, Cham.
  17. Hammer, A. E., Miller, T. H., & Uribe, E. (2020). Cyber Resilience as a Deterrence Strategy (No. SAND-2020-9589; SAND-2020-5016). Sandia National Laboratories (SNL-CA), Livermore, CA (United States); Sandia National Laboratories, Minneapolis, MN.
  18. Škanata, D. (2020). Improving Cyber Security with Resilience. Annals of Disaster Risk Sciences: ADRS, 3(1), 0-0.

What is the MITRE Structured Cyber Resiliency Analysis Methodology (SCRAM)?

See: MITRE Structured Cyber Resiliency Analysis Methodology (SCRAM) (https://www.mitre.org/publications/technical-papers/structured-cyber-resiliency-analysis-methodology)

What is the CERT Resilience Management Model?

See: CERT Resilience Management Model (RMM) (https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=9881)

What are the MITRE Cyber Resiliency Design Principles?

See: MITRE Cyber Resiliency Design Principles (https://www.mitre.org/sites/default/files/publications/PR%2017-0103%20Cyber%20Resiliency%20Design%20Principles%20MTR17001.pdf)

What is the Cyber Resilience Review (CRR) tool?

See: Cyber Resilience Review (CRR) tool (www.us-cert.gov/ccubedvp/assessments)

What is the business justification for increasing Cyber Resilience?

Similar to cybersecurity spending, cyber-resilience spending can be justified using quantitative risk analysis such as in How to Measure Anything in Cybersecurity Risk.
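The block below is an added worked example, not code from this FAQ or from the book it cites. It shows one simple form of such a quantitative analysis: a Monte Carlo comparison of expected annual loss and loss-exceedance probability with and without a resilience program, netted against the program's extra cost. Resilience controls (tested backups, segmentation, rehearsed recovery) are modelled as shrinking the impact distribution rather than the incident likelihood, which matches the "recover" emphasis of the definitions above. Every figure (incident likelihood, loss percentiles, control costs, the 2,000,000 tolerance threshold) is a constructed placeholder; in practice they would come from calibrated estimates.

```python
"""Monte Carlo loss-exceedance comparison for a cyber resilience investment.

Added example (not from the FAQ or the book it cites). All figures are
constructed for illustration only.
"""
import math
import random
from dataclasses import dataclass

# z-score of the 90th percentile of the standard normal distribution
Z90 = 1.2815515655446004


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_event_prob: float    # P(at least one disruptive incident in a year)
    loss_median: float          # median single-incident loss (lognormal impact)
    loss_p90: float             # 90th-percentile single-incident loss
    annual_control_cost: float  # yearly spend on the controls in this scenario


def lognormal_params(median: float, p90: float) -> tuple[float, float]:
    """Turn a (median, 90th percentile) pair into lognormal (mu, sigma).

    Estimators give a calibrated 90% range far more reliably than mu/sigma,
    so the conversion happens here instead of asking for raw parameters.
    """
    if median <= 0 or p90 < median:
        raise ValueError("need 0 < median <= p90")
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def simulate_annual_losses(s: Scenario, trials: int, seed: int) -> list[float]:
    """Sample `trials` simulated years: each year has either no incident or one
    incident whose impact is drawn from the scenario's lognormal."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.loss_median, s.loss_p90)
    losses = []
    for _ in range(trials):
        if rng.random() < s.annual_event_prob:
            losses.append(rng.lognormvariate(mu, sigma))
        else:
            losses.append(0.0)
    return losses


def summarize(losses: list[float], threshold: float) -> dict[str, float]:
    """Expected annual loss plus the chance of exceeding a tolerance threshold
    (one point on the loss-exceedance curve)."""
    n = len(losses)
    return {
        "expected_loss": sum(losses) / n,
        "p_exceed": sum(1 for x in losses if x > threshold) / n,
    }


def compare(baseline: Scenario, improved: Scenario, threshold: float,
            trials: int = 20_000, seed: int = 7) -> dict[str, float]:
    """Net annual benefit of `improved` = reduction in expected loss minus the
    extra control spend. The same seed is used for both runs so the same
    simulated years carry incidents and only the impact model differs."""
    base = summarize(simulate_annual_losses(baseline, trials, seed), threshold)
    impr = summarize(simulate_annual_losses(improved, trials, seed), threshold)
    extra_cost = improved.annual_control_cost - baseline.annual_control_cost
    return {
        "baseline_expected_loss": base["expected_loss"],
        "improved_expected_loss": impr["expected_loss"],
        "baseline_p_exceed": base["p_exceed"],
        "improved_p_exceed": impr["p_exceed"],
        "net_annual_benefit": base["expected_loss"] - impr["expected_loss"] - extra_cost,
    }


# Constructed scenarios: the intruder still gets in at the same rate, but the
# resilience program shortens the outage and so shrinks the loss distribution.
BASELINE = Scenario("current state", 0.35, 1_500_000, 6_000_000, 200_000)
RESILIENT = Scenario("with resilience program", 0.35, 400_000, 1_500_000, 550_000)

if __name__ == "__main__":
    for key, value in compare(BASELINE, RESILIENT, threshold=2_000_000).items():
        print(f"{key:>24}: {value:,.2f}")
```

The interesting output is not the point estimate but the two exceedance probabilities: a board that has set a loss tolerance can read off directly how much the program moves the chance of breaching it, which is the figure a business resilience program will ask the cyber resilience program to justify.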