Abstract
The previous chapter described how to quantify cyber resilience from the perspective of system performance. This chapter presents an alternative view – the perspective of mission risk – that goes beyond performance, making it possible to incorporate cyber effects such as loss of confidentiality that are less performance focused. This chapter enumerates the features that any definition of resilience should include to support measurable assessment and comparison, and it proposes a definition of resilience that incorporates those considerations. It then reviews and discusses in detail the terminology and definitions that have been proposed in the context of the identified considerations. Ultimately, the chapter chooses a definition of resilience that relates to “mission risk.” The authors of this chapter argue that, being based on risk, their resilience definition is clearly defined, is measurable, and has a sound theoretical grounding. Since risk relies on both the likelihood of events occurring and the changes in mission value (i.e., damage) when these events occur, it provides a computable metric that can be tailored to specific systems and that enables assessment and comparison.
Notes
1. When dealing with deliberate attacks against a system rather than random failures, the ability of an adversary to subvert a cyber component usually implies that other instances of the same type of component in the system are also susceptible to the same act.
Copyright information
© 2019 Springer International Publishing AG, part of Springer Nature
About this chapter
Cite this chapter
Musman, S., Agbolosu-Amison, S., Crowther, K. (2019). Metrics Based on the Mission Risk Perspective. In: Kott, A., Linkov, I. (eds) Cyber Resilience of Systems and Networks. Risk, Systems and Decisions. Springer, Cham. https://doi.org/10.1007/978-3-319-77492-3_3
DOI: https://doi.org/10.1007/978-3-319-77492-3_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-77491-6
Online ISBN: 978-3-319-77492-3
eBook Packages: Engineering, Engineering (R0)