CR · Feb 18, 2021

To Improve Cyber Resilience, Measure It

arXiv:2102.09455v1 · 52 citations
AI Analysis

This work tackles the challenge of improving cyber resilience for decision-makers in security systems, but it appears incremental as it focuses on methodological criteria without introducing new paradigms or data.

The paper addresses the problem of lacking rigorous quantitative measures for cyber resilience, proposing criteria to ensure reliable methodology for measuring recovery and adaptation patterns rather than static failure probabilities.

We are not very good at measuring -- rigorously and quantitatively -- the cyber security of systems. Our ability to measure cyber resilience is even worse. And without measuring cyber resilience, we can neither improve it nor trust its efficacy. It is difficult to know if we are improving or degrading cyber resilience when we add another control, or a mix of controls, to harden the system. The only way to know is to specifically measure cyber resilience with and without a particular set of controls. What needs to be measured are temporal patterns of recovery and adaptation, and not time-independent failure probabilities. In this paper, we offer a set of criteria that would ensure decision-maker confidence in the reliability of the methodology used in obtaining a meaningful measurement.
