CYBER RESILIENCE ASSESSMENT METRICS (ANALYTICAL AND REVIEW RESEARCH)
DOI:
https://doi.org/10.32689/maup.it.2023.2.3Keywords:
cyber resilience, NIST, MITRE, resilience matrix, CERT-RMMAbstract
Recent events in Ukraine and the world have raised the acute issue of the ability of facilities and organizations to maintain an adequate level of functioning despite external cyber influences and limited resources. That is why, in today's realities, ensuring cyber resilience plays an extremely important role for entire sectors of industry, IT systems, and, as the modern hybrid war has shown, for the vital activity of entire states. In particular, cyberattacks in the energy sector or on other critical infrastructure can affect not only the sector itself, but also the economy as a whole and the entire structure of the state, both social and organizational. The purpose of the article is to formulate the conceptual apparatus of cyber resilience and analyze metrics for assessing cyber resilience. The subject of the analysis and review of the material for writing the article were the leading methodologies for assessing cyber resilience, namely: the Linkov Group methodology, the CERT Resilience Management Methodology (CERT-RMM) and the MITRE Cyber Resilience Engineering Framework. The scientific novelty of this article is the introduction of the conceptual apparatus and a comprehensive analysis of cyber resilience metrics to the scientific field in Ukraine. The article compares and contrasts the leading metrics for assessing cyber resilience. Conclusions. The article interprets the conceptual apparatus of the term cyber resilience, examines the difference between cybersecurity and cyber resilience. In the course of the study, it was found that the main systems and metrics for assessing cyber resilience have a fairly similar general structure (goals and domains), but are not derived from each other. The engineering structure of cyber resilience was analyzed and the general resilience matrix was interpreted for the Ukrainian version. It is proposed to conduct research in the direction of comparing cyber resilience assessment systems and developing frameworks for real IT objects in Ukraine.
References
Про затвердження Загальних вимог до кіберзахисту об'єктів критичної інфраструктури. URL: https://zakon.rada.gov.ua/laws/show/518-2019-%D0%BF.
Hausken, K. (2020). Cyber resilience in firms, organizations and societies. Internet Things, 11, 100204.
Park, J., T.P. Seager, P.S.C. Rao, M. Convertino, and I. Linkov. 2013. Integrating risk and resilience approaches to catastrophe management in engineering systems. Risk Analysis 33(3): 356–367.
Bodeau, D.J., Graubart, R.D., McQuaid, R., & Woodill, J. (2019). Cyber Resiliency Metrics and Scoring in Practice-Use Case Methodology and Examples.
Scottish Public Sector Action Plan On Cyber Resilience. Cyber Resilience Framework: self-assessment tool user guide. URL: https://www.gov.scot/binaries/content/documents/govscot/publications/adviceand guidance/2019/10/cyber-resilience-framework/documents/cyber-resilience-framework.
Харламова, К., & Гальчинський, Л. (2022). ОЦІНЮВАННЯ КІБЕРСТІЙКОСТІ ОБ’ЄКТІВ КРИТИЧНОЇ ІНФРАСТРУКТУРИ УКРАЇНИ. Collection of scientific papers «SCIENTIA», (November 11, 2022; Vilnius, Lithuania), 118-120.
Linkov, I.; Eisenberg, D.A.; Bates, M.E.; Chang, D.; Convertino, M.; Allen, J.H.; Flynn, S.E.; Seager, T.P. Measurable Resilience forActionable Policy. Environ. Sci. Technol. 2013, 47, 10108–10110.
National Academy of Sciences (2012) Disaster resilience: a national imperative. Washington DC, United States. URL: http://www.nap.edu/catalog.php?record_id=13457.
Alberts D (2002) Information age transformation, getting to a 21st century military. DOD Command and Control Research Program. URL: http://www.dtic.mil/get-tr-doc/pdf?AD=ADA457904.
Resilience metrics for cyber systems / I. Linkov, D. A. Eisenberg, K. Plourde, T.P. Seager, J. Allen, A. Kott 2013. URL: https://link.springer.com/article/10.1007/s10669-013-9485-y.
Caralli R, Allen J, White D, et al. CERT Resilience Management Model,Version 1.2. Pittsburgh: Carnegie Mellon University, 2016.
DHS. Cyber Resilience Review (CRR): Self-Assessment Package.Washington DC: Department of Homeland Security, 2016.