Resilience Metrics can Beat Threats

Monday, November 25, 2013 @ 01:11 PM gHale

Cyber threats are a primary security concern not only for the United States, but the world as focused attacks can cause dire costs to the critical infrastructure and to economies across the board.

President Obama’s Executive Orders 13636 and Presidential Policy Directive 21, have brought the concept of “resilience” to the forefront.

RELATED STORIES
Attackers Dig in to Mining Companies
Management Seeing the Security Light
Data Breaches Go Undisclosed
Security: A Strategic Voice

There is now a framework out, led by Dr. Igor Linkov and his team, to understand the concept of cyber resilience, and lay out a systematic method to generate resilience metrics for cyber systems. Linkov is the risk and decision science focus area lead with the U.S. Army Engineer Research and Development Center, and adjunct professor of engineering and public policy at Carnegie Mellon University.

Resilience is the capacity of a system to withstand and recover quickly from both known and unknown threats, according to Linkov. The study describes managing for resilience has been difficult because the concepts of resilience and risk ended up combined and have focused on narrowly defined system components or on specific networks.

The definition of cyber systems must expand to include rich and varied physical, information, cognitive and social networks or domains that form an integrated whole.

The discussion of resilience should recognize the role of cross-domain communication before, during and after adverse events such as cyber attacks or natural events that may disrupt the functionality of cyber systems.

The study suggests combining the military concept of network-centric operations and the U.S. National Academies’ definition of resilience response stages to quantify and manage the resilience of a cyber system. Together, these factors form a matrix where a system’s resilience may end up quantified using tools of multi-criteria decision.

Regarding cyber resilience, the study describes, “Transition from risk-based approaches focusing on identifying individual vulnerability and fixing them one-at-a-time, to building a whole system for resilience, is required to deal with interconnected global risks and sophisticated adversaries. The resilience matrix approach is just the first step in the process which will lead us to formulating and quantifying resilience as a network property of the system.”



Leave a Reply

You must be logged in to post a comment.