Cyber Resiliency is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources.[1] In essence, it is the effectiveness of an entity's cybersecurity. Cyber resiliency differs from Cybersecurity in that it emphasizes the need to minimize mission impacts rather than the need to minimize losses of information, information systems, or other assets. Cyber resiliency differs from other concerns of resilience in that it focused on adversarial disruptions.[2]

Standards[edit | edit source]

  • Security of Information, ISO 27001[3]
  • Business Continuity, ISO 22301
  • Risk Management framework, ISO 31000
  • Organization of resilience, ISO 22316[4]

Metrics[edit | edit source]

There are two different approaches to measuring cybersecurity effectiveness: Dashboards and benchmarking.

Dashboards[edit | edit source]

Dashboards visualize and make assessable metrics quantified in terms of cost, risk level, and time. Key Performance Indicators (KPIs):[5]

  1. Mean-Time-to-Detect and Mean-Time-to-Respond
  2. Number of systems with known vulnerabilities
  3. Number of incorrectly configured SSL certificates
  4. Volume of data transferred using the corporate network
  5. Number of users with “super user” access level
  6. Number of days to deactivate former employee credentials
  7. Number of communication ports open during a period of time
  8. Frequency of review of third party accesses
  9. Frequency of third-party accesses to critical enterprise systems
  10. Percentage of business partners with effective cybersecurity policies

Benchmarking[edit | edit source]

Benchmarking refers to the gathering of data from similar organizations for comparison with one's own organization’s cybersecurity measures.[6] They compare their metrics with others, focusing in particular on:[7]

  1. Speed: how fast entities can detect a security breach, mobilize a response, and return to business as normal
  2. Resiliency: the number of systems that were compromised or stopped and for how long
  3. Accuracy: how well they pinpointed cyber incidents
  4. Impact: How long attacks last, how much disruption, and how high the costs are for an organization
  5. Automation: How much reliance on humans/how automated is the detection/stopping of attacks
  6. Data Privacy Regulation: How many violations and how many fines
  7. Collaboration: How often and how well does the entity work with law enforcement or other security sectors

Assessments[edit | edit source]

Cyber Resilience Review[edit | edit source]

The CRR is a free, voluntary, non-technical assessment developed by the CISA to evaluate an organization’s operational resilience and cybersecurity practices.[8] The CISA partnered with the Computer Emergency Response Team (CERT) Division of Carnegie Mellon University’s Software Engineering Institute to create the CRR, which was derived from the CERT Resilience Management Model.[9]


References[edit | edit source]