
Abstract

This short paper examines the concept of cyber resilience from an organizational perspective. Cyber resilience is defined as “the ability to continuously deliver the intended outcome despite adverse cyber events”, and this definition is systematically described and justified. The fundamental building blocks of cyber resilience are identified and analyzed through the contrasting of cyber resilience against cybersecurity with regards to five central characteristics.
... Cyber resilience compared to cyber law, cyber law seeks to establish laws and rules to obtain efforts to prevent crimes with electronic means against cyberspace [5]. Cyber resilience pertains to the capacity to maintain expected outcomes even in the face of unfavorable cyber incidents [6]. Hence, the capability to sustain desirable outcomes may be applicable not only to governments but also to various organizations and even specific information technology systems. ...
... Despite the widespread use of cybersecurity terminology, it is still in the nascent phase in academic investigations. For example, there are only 402 articles in the Google Scholar index that include "cybersecurity," and only 21 of those articles include it as the article title [6]. ...
... It refers to an organization's ability to continue delivering desired outcomes even in the face of challenging cyber events such as cyber attacks, natural disasters, or economic downturns. Successful cyber resilience is a strategy based on risk that necessitates a cooperative approach led by both executives and personnel [6]. It is essential to take a proactive stance in managing risks, threats, vulnerabilities, and impacts on vital information and related assets. ...
Conference Paper
Cyber attacks are considered the most dangerous threat to the world today. Cyber resilience involves multiple factors including industry, government, research institutions, and society. A new area of expertise, known as cyber resilience, has surfaced to tackle cyber issues that are beyond the scope of traditional cybersecurity. To control physical processes, attacks on these systems can have real-world consequences that can be detrimental. Therefore, cyber resilience is a fundamental attribute to ensure controlled human, environmental, and physical process security. By utilizing a thorough investigation and a cyber resilience matrix, this research examines the existing literature to seize the fundamental concepts of cyber resilience. The assessment focuses on measuring the capacity to recuperate from cyber threats and emphasizes the significance of offerings like reacting to unforeseen events, collecting information, and safeguarding strategies. As cyber resilience is closely associated with the internet, it plays a crucial role in shaping the future and revolutionizing our lives through technology. Cyber resilience will always be present alongside the increasing use and development of technology. However, at the level of either good or bad, it depends on several factors, cyber resilience begins with the awareness that it will become a culture, then cyber resilience is born. With that, cybersecurity and cyber resilience need to be continually updated. This study found a lack of research on cyber resilience as well as discussions that approached this science, and received less attention compared to other disciplines.
... This can be achieved through cyber-resilience, which constitutes a concept that is gaining increased momentum, not only among academic researchers but also in sociotechnical systems. Björck et al. (2015). The ability to identify any breaches that affect the business operation, respond quickly and effectively by taking the appropriate measures to resist the destructive effect of the cyber incident and avoid the interruption of activity, recover within a short period, and learn from experiences of this kind to anticipate any future adverse events, constitute the main pillar of cyber resilience according to the definition of The National Institute of Standards and Technology (NIST). ...
... The limited number of scholarly publications on organisational cyber resilience demonstrates that academic research into organisational cyber resilience is still at an early stage (Björck et al., 2015). ...
Article
As cyberthreats pose strategic risk, both IT and business management awareness are critical for effective organisational decision making. Many cyber system failures arise from organisational, and not technical issues. This study investigates senior manager awareness of organisational cyber resilience, using case study method. The Cyber Resilience Matrix is used as a theoretical framework to communicate the multifaceted meaning of cyber resilience. This study examines whether the multilayered nature of cyber resilience is understood by both managerial levels to include the periods before and after cyber incidents. As the higher education sector faces complex cyber challenges, research data were gathered from two Australian universities. Analysis found the two management groups differed in their resilience approach. The authors posit that principles-based cyber policies contribute to an organisational view of cyber resilience. The engineering resilience approach, accompanied by a non-bureaucratic organisational structure, was preferred by IT managers. Business managers favoured an ecological approach with a vertical organisational structure. Both managerial groups emphasised the period before cyber crisis when compared to after cyber incidents. This research contributes to the limited theoretical development in the field and attempts to shift the focus from cyber security to cyber resilience.
... Thus, reducing risk at all levels is crucial in such critical environments. As a result, there is a demand for methods that minimize the damage caused by ransomware in terms of cyber resilience [18], even in situations where the malware has already been executed and real-time detection is not available. ...
Article
Ransomware is a growing threat and is building ecosystems in the form of ransomware as a service (RaaS). While there have been diverse efforts to detect and mitigate such threats, techniques to bypass such countermeasures have advanced considerably. Since detecting all evolving threats has become challenging, there is a growing interest in developing proactive countermeasures that can minimize the damage even in environments where ransomware has already been executed. In this study, we gained insights from an attacker’s perspective by analyzing ransomware such as LockBit and derived a generic counterstrategy against features that are common in ransomware attacks. Our proposed method protects critical files from existing ransomware by applying a hiding strategy that poses a challenge to attackers in finding the target files. We also present best practices for implementing the strategy while considering both in terms of security and usability using the link file and improving the method through the addition of a linker and encrypted database to reduce the attack surface. By using real-world ransomware samples, our experiments show that the proposed method successfully protects valuable files against ransomware in a cost-effective manner.
... The idea of using technical or human defenses, such as a firewall, to halt the negative chain of events is also present (Al-Shaer and Hamed, 2004; Mosteiro-Sanchez et al., 2020). For example, NIST's Computer Security Incident Handling Guide conceptualizes incidents as "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices" (Cichonski The view of people as an adaptive cyber capability is incorporated into Cyber Resilience (Björck et al., 2015), Cyber Resilient Behavior (Kleij and Leukfeldt, 2020), Systems (Ross et al., 2021), and Management (Christine and Thinyane, 2022) ...
Article
In the aftermath of cybersecurity incidents within organizations, explanations of their causes often revolve around isolated technical or human events such as an Advanced Persistent Threat or a “bad click by an employee.” These explanations serve to identify the responsible parties and inform efforts to improve security measures. However, safety science researchers have long been aware that explaining incidents in socio-technical systems and determining the role of humans and technology in incidents is not an objective procedure but rather an act of social constructivism: what you look for is what you find, and what you find is what you fix. For example, the search for a technical “root cause” of an incident might likely result in a technical fix, while from a sociological perspective, cultural issues might be blamed for the same incident and subsequently lead to the improvement of the security culture. Starting from the insights of safety science, this paper aims to extract lessons on what general explanations for cybersecurity incidents can be identified and what methods can be used to study causes of cybersecurity incidents in organizations. We provide a framework that allows researchers and practitioners to proactively select models and methods for the investigation of cybersecurity incidents.
... For some authors, it implies that cyber-resilience differs from cybersecurity, which focuses on the capacity of an organization to predict, prevent and avert the occurrence of cyber-risks. They also claim that whereas cybersecurity focuses on information technologies, cyber-resilience reflects a broader perspective to consider how cyber-risks that can threaten the survival of the entire organization impact a diverse range of business processes (Björk et al., 2015). This broader perspective also invokes a more holistic approach, where security cannot be reduced to the sum of all the technical tools deployed within an organization but results from the constant interactions of humans, devices and algorithms enmeshed in a dense web of internal and external networks (Linkov et al., 2013; Dupont, 2019; Bellini et al., 2021). ...
... Digital and physical assets should have built-in multiple protection layers (Björck, 2015) and support the monitoring and analysis of all components. The systems should also utilize techniques such as dynamic positioning (ability to relocate system assets), diversity (using a heterogeneous set of technologies), non-persistent design (time-limited retention policy), privilege restriction (fine-grained access control), and segmentation (logical and physical separation of components) (Bodeau and Graubart, 2011). ...
Conference Paper
Tadbir No. 15 of the document of the Iranian Islamic model of progress is dedicated to the security and resilience of the virtual space and the need to use indigenous knowledge and global partnerships in it. An issue that seems to have been left aside in many policies and practical decisions related to virtual space in favor of a non-specialist security view. By examining some of the most important challenges of virtual space and its security and resilience in Iran, this article tries to provide suggestions for policy making regarding virtual space in Iran. Keeping a distance from the security discourse in everyday life issues, reducing criminalizations, improving the conditions and attracting foreign companies in the field of cyber space instead of repelling them, improving the economic and cultural conditions for the non-immigration of experts in this field, leaving space for popular regulation of cyber space away from Government interventions and attention to upstream documents, including the Iranian Islamic Model document, are the progress of some of the solutions and policy proposals presented in this article.
Article
As federal agencies and businesses rely more on cyber infrastructure, they are increasingly vulnerable to cyber attacks that can cause damages disproportionate to the sophistication and cost to launch the attack. In response, regulatory authorities call for focusing attention on enhancing infrastructure resilience. For example, in the USA, President Obama issued an Executive Order and policy directives focusing on improving the resilience and security of cyber infrastructure to a wide range of cyber threats. Despite the national and international importance, resilience metrics to inform management decisions are still in the early stages of development. We apply the resilience matrix framework developed by Linkov et al. (Environ Sci Technol 47:10108–10110, 2013) to develop and organize effective resilience metrics for cyber systems. These metrics link national policy goals to specific system measures, such that resource allocation decisions can be translated into actionable interventions and investments. In this paper, a number of metrics have been identified and assessed using quantitative and qualitative measures found in the literature. We have proposed a generic approach and could integrate actual data, technical judgment, and literature-based measures to assess system resilience across physical, information, cognitive, and social domains.
Article
The European Union-sponsored project Vital Infrastructure Threats and Assurance (VITA) has the objective of exploring and showing new paths in Critical Infrastructure Protection (CIP) R&D. This paper describes one of VITA's results: the idea and the development of a novel extensible and generic threat taxonomy for Critical Infrastructures (CIs). Over 300 threats have been categorised. The threat taxonomy makes a sharp distinction between threats, threat cause categories (nature, human or both) and human intent. It is shown that activism, sabotage and terror threats should be regarded as an expression of human intent combined with other existing threats. The taxonomy helps to select in a balanced way all the all-hazard threats which may threaten existing CIs.
Article
Small businesses in Australia comprise 95% of businesses. As a group this means that they contain increasing volumes of personal and business data. This creates escalating vulnerabilities as information is aggregated by various agencies. These vulnerabilities include identity theft and fraud. The threat environment of small business is extensive with both technical and human vulnerabilities. The problem is that the small business environment is being encouraged to adopt e-commerce by the government yet lacks resources in securing its cyber activity. This paper analysed the threats to this situation and found that questions of responsibility by individual businesses and the government are fundamental to the protection of small businesses' information. Ultimately this raises the possibility of an undefined and unrecognised major vulnerability for Australia.
Article
The idea of resilience is increasingly prominent across a wide range of policy areas. This contribution looks at the emergence of resilience in UK security discourse and compares this with the situation in France. It argues that although the term is being debated in France, it is considered to be an Anglo-Saxon import. This article suggests that use of the idea of resilience has more to do with particular forms of governance than with security. It develops this argument through the idea of neoliberal governmentality.
Article
Our national security and critical infrastructure sectors have become increasingly dependent on commercial information systems and technologies whose pedigree is uncertain given the globalization of the supply chain. Furthermore, these system architectures are brittle and fail or are compromised when subjected to ever-increasingly advanced and adaptive cyber attacks, resulting in failed, disrupted or compromised mission operations. While we must continue to raise the bar to protect mission critical systems from these threats by implementing best security practices, the current philosophy of trying to keep the adversaries out, or the assumption that they will be detected if they get through the first line of defense, is no longer valid. Given the sophistication, adaptiveness, and persistence of cyber threats, we can no longer assume that we can completely defend against intruders and must change our mindset to assume some degree of adversary success and be prepared to “fight through” cyber attacks to ensure mission success even in a degraded or contested environment. This paper will focus on actionable architectural and operational recommendations to address the advanced cyber threat and to enable mission assurance for critical operations. These recommendations can create transformational improvements by helping to reverse adversary advantage, minimize exploit impact to essential operations, increase adversary cost and uncertainty, and act as a deterrent. These approaches go well beyond traditional information assurance, disaster recovery and survivability techniques. The approaches and strategies to be discussed include creative applications of trust technologies and advanced detection capabilities in conjunction with combination of techniques using diversity, redundancy, isolation and containment, least privilege, moving target defense, randomization and unpredictability, deception, and adaptive management and response.
Article
There is growing interest in the subject of resilience on the part of President Obama's Administration, as well as lively discussion regarding this issue in academic, business, and governmental circles. This article offers an operational framework that can prove useful to the Department of Homeland Security (DHS) and stakeholders at all levels, both public and private, as a basis for incorporating resilience into our infrastructure and society in order to make the nation safer. Three interrelated, mutually reinforcing objectives or end-states shape the approach to resilience: resistance, absorption, and restoration. If these objectives are realized as part of applying practical programs to critical systems and key functions, then these systems and functions will reflect resilience features appropriate to their individual needs. Resilience needs to be planned in advance—before systems are damaged and undesired consequences occur. Such planning can be challenging, given the different interpretations currently attached to “resilience,” and the complexity inherent in the concept. Planners need to account for the fact that resilience is both broad and deep. It encompasses “hard” systems (such as infrastructure and assets) as well as “soft” systems (such as communities and individuals). A visually direct technique for assisting resilience planners is to establish a “resilience profile” for key functions within critical systems. Such a profile is delimited by three design parameters: function, latency limit, and minimum performance boundary. Investment strategies can be developed using these profiles to identify cost-effective ways and means to incorporate resilience capabilities across the homeland security mission spectrum for the system in question. Solutions need to be practiced and tested. Operationalizing the resilience framework presented in this article will not be easy. The potential payoff, however, in terms of the enhanced economic, individual, and societal security that such resilience provides can be immense.
Conference Paper
Undertaking a comprehensive cybersecurity risk assessment of the networks and systems of a single infrastructure, or even a single organization of moderate size, requires significant resources. Efforts to simplify the assessment instrument usually obscure the ultimate goal of the assessment and the motivations for the assessment questions. This can make it difficult for assessors to justify the questions and can undermine the credibility of the assessment in the eyes of the organizations assessed. This paper describes the use of assurance cases to help address these problems. Viewing an assessment approach in terms of an assurance case clarifies the underlying motivation for the assessment and supports more rigorous analysis. The paper also shows how the assurance case method has been used to guide the development of an assessment approach called the Cyber Resilience Review (CRR), developed for the U.S. Department of Homeland Security.
Bodeau, Deborah, and Richard Graubart. "Cyber Resiliency Engineering Framework". MITRE Report (2011), page 37.
Williams, Patricia AH, and Rachel J. Manheke. "Small Business-A Cyber Resilience Vulnerability". Proceedings of the 1st International Cyber Resilience Conference, Research Online (2010).