I. Introduction

II. Overview of Resilience and Security

III. Literature Review

A. Identifying Cyber Resilience Attributes in Existing Studies

With the complexity of securing cyberspace, some researchers have stated that cyber resilience is more important than cyber security (Linkov et al., 2018). Cyber resilience focuses not only on prevention (Babiceabu et al., 2019) and protection but also on reliability and the ability to recover from cyberattacks (Hutschenreuter et al., 2021; Linkov et al., 2019; Perrett et al., 2022; Ross et al., 2019), adaptability; and learning from adversity (Dupont, 2019; Hartmann et al., 2020). Scholars have also identified risk mitigation (Foale, 2018; Lykou et al., 2018), managing resources (Linkov et al.; Maziku, 2019), resilience culture (Harris, 2019), built-in security architecture and intelligence (Harris, 2019 Yogi, 2022) as a crucial aspect in cultivating cyber resilience. The methods investigated in this study aim to enhance the cyber resilience of businesses, thereby reducing the risk of significant financial loss, reputational damage, and legal consequences resulting from a cyberattack. Cyber resilience can enable organizations to continually adapt to new information and adversaries to remain relevant in the fight against cyber threats.

Table 1. Existing Research on Cyber Resilience.

Table 1. Existing Research on Cyber Resilience.

Research Title	Cyber Resilience Attributes / Objectives	Author	Year
Cyber Resilience of Systems and Networks	plan, absorb, recover, adapt, robust	Linkov et. al	2018
Resilience Reboot: Rethinking the Cyber Strategy	compulsory intrusion reporting, Bayesian risk assessment, improved risk communications, self-assessment, cyber standards, cyber insurance, risk assessment	E Foale	2018
Smart airport cybersecurity: Threat mitigation and cyber resilience controls	threats, assets infected, cascading effects, mitigation actions, resilience measures	Lykou et. al	2018
Fundamental Concepts of Cyber Resilience: Introduction and Overview	manage complexity, choose topology, add resources, design for reversibility, control propagation, provide buffering, prepare active agents, build agent capabilities, consider adversary, and conduct analysis.	Kott & Linkov	2018
Cyber resilience protection for industrial internet of things: A software-defined networking approach	preventive cybersecurity and equilibrium resilience	Babiceanu & Seker	2019
Security risk assessment for SDN-enabled smart grids.	resource monitoring, threat detector, map the security requirements to mitigate the risk.	Maziku et. al	2019
Exploring the Agile System Development Best Practices Cybersecurity Leaders Need to Establish A Cyber-Resilient System: A Phenomenological Study	a) conducting early involvement; (b) baking in cybersecurity; (c) reducing bureaucracy and organizational impediments; (d) addressing concerns with organizing, training, and equipping; (e) understanding Agile is not a panacea; (f) assessing, understanding, and managing risk; (g) driving acquisition with timely, relevant intelligence; and (h) understanding the need for a culture shift	AB Harris	2019
Developing Cyber Resilient Systems: A Systems Security Engineering Approach	anticipate, withstand, recover, and adapt; prevent / avoid, prepare, continue, constrain, reconstitute / understand, transform / rearchitect., safety, system resilience, survivability, reliability, and security.	Ross et al.	2019
Resilient Machine Learning for Networked Cyber Physical Systems: A Survey for Machine Learning Security to Securing Machine Learning for CPS	machine learning, adversarial attack	Olowononi et al.	2021
Ontology-based cybersecurity and Resilience Framework	identify, protect, detect, respond, recover, sustain, change management, continuous improvement, and centralized management.	Hutschenreuter et al.	2021
The Threat of Cyber-Terrorism & Security in Intelligent Transportation Systems Architecture	three-layer architecture, risk, and vulnerabilities management	Yogi Chakravarthy, 2022	2022
A Cyber Resilience Analysis Case Study of an Industrial Operational Technology Environment	preparedness, prevention, detection, and response.	Perrett & Wilson, 2022	2022

C. Existing Cyber Security Models and Resilience Frameworks

1)

Organization Resilience Frameworks – ISO22316

The International Organization for Standardization (ISO) established the ISO 22316 Security and Resilience standard emphasized no universally applicable approach to attaining resilience (ISO, 2017). The standard included nine attributes, as depicted in Table 2, where the activities focus on four primary areas: management, organization, develop guided by fundamental principles for fostering organizational resilience strategically. A key aspect of these activities is empowering individuals at all levels through effective leadership. Additionally, allocating resources to strengthen organizational resilience, promoting continuous improvement, and fostering resilient practices by learning from experiences and encouraging knowledge sharing are highlighted as important components. The ISO standards emphasize the importance of these activities and shed light on resource allocation strategies like diversification, replication, and redundancy. The implementation minimizes the risk of relying solely on a single point of failure. In conclusion, the ISO standards provide valuable guidance for developing resilience within an organization, thereby improving its capacity to withstand and recover from adversarial in a dynamic environment.

2)

Information Security Management System (ISMS) - ISO27001:2013 and ISO27001:2022

ISO 27001 is a globally recognized standard for information security management systems (ISMS) that helps organizations manage and protect their information assets (Dupont, 2019). The standard was first introduced in 2005 and was revised multiple times to keep up with the changing technology landscape and evolving cyber threats. The recent update was in 2021, known as ISO27001:2022. One of the key differences between ISO 27001:2013 and ISO 27001:2022 is the structure of the standard. ISO 27001:2022 version of the standard includes updated terminology, enhanced guidance on risk management, and a greater emphasis on the importance of leadership and commitment to information security. While ISO 27001:2013 contains 114 controls categorized under 14 control domains, as depicted in Figure 2, the latest version of ISO 27001:2022 maintains similarities to those in the previous standard but reduced to a total of 93 controls categorized into four distinct themes: people, organizational, technological, and physical as shown in Figure 3. Some controls from the earlier versions were merged, and newer controls were introduced mainly to safeguard cloud computing services (Malatji, 2023). Although ISO27001 is a renowned standard for information security, implementing it can be challenging due to the generic guidelines (Culot G. et al., 2021). Numerous researchers have noted that ISO27001 lacks a precise indication of scope (Alshar’e, 2023), an explicitly defined acceptable level of risk. Instead, the organization’s management is responsible for determining the type and extent of security (Dupont, 2019). Consequently, inadequate awareness of risks within the organization can lead to a suboptimal implementation of the cybersecurity program based on ISO27001.

Figure 2. ISO27001:2013 Domains.

Figure 2. ISO27001:2013 Domains.

Figure 3. ISO27001: 2022 Domains.

Figure 3. ISO27001: 2022 Domains.

3)

NIST

The NIST framework is a widely adopted approach to managing and enhancing cybersecurity within organizations providing high-level standards, guidelines, and practices for managing and improving critical infrastructure cybersecurity. The NIST framework does not enforce or mandate controls, unlike the ISO 27001 Standard (NIST, 2020). It incorporates a risk-based approach, enabling organizations to adopt a risk management methodology akin to the approach taken by ISO 27001. Nevertheless, this method has faced criticism; embracing a voluntary stance towards cybersecurity guidelines might reduce investments in securing cyberspace, mainly when implementation costs are significant or additional resources are required (Dupont, 2019; Gyenes, 2014). It is worth noting that the primary design of the NIST framework focuses on addressing cyber-attacks rather than explicitly aiming to achieve resilience. Additionally, successful implementation of the NIST framework necessitates supporting and aligning relevant stakeholders, particularly decision-makers, in the pursuit of cyber resilience.

Figure 4. NIST Framework.

Figure 4. NIST Framework.

4)

NIAC

The NIAC Resilience Model, by the National Infrastructure Advisory Council of the United States, is specifically designed to address the critical need for resilience in critical infrastructure. The framework’s strength lies in its flexibility, allowing organizations to implement resilience constructs (as depicted in Table 3) that align with their specific needs and operational context. However, this broad approach is also open to interpretation, which may pose challenges in its proper execution. While the NIAC Resilience Model shares a common goal with cyber resilience - enhancing an organization’s ability to withstand and recover from disruptions - it differs in its approach. The model focuses on identifying sector-specific resilience goals; meanwhile, cyber resilience aims to build a holistic and adaptive cybersecurity framework capable of mitigating and responding to diverse cyber threats across all sectors.

D. Cyber resiliency engineering framework - CREF

MITRE developed the "Cyber Resiliency Engineering Framework," also known as CREF, a decade ago with the intent to evolve as the discipline of cyber resilience matures (MITRE, 2013). The framework was developed comprehensively, mainly focussing on survivability, dependability, fault tolerance, business continuity, and contingency resulting in a large and complex model. Though the CREF Model is comprehensive, it is narrowed towards "defending" against adversaries. It highlights the goals, objectives, practices, costs, and metrics for resilience and to protect organizations against cyber threats using resilience engineering, mission assurance engineering, and cybersecurity concepts. One of the drawbacks of CREF is that it assumes existing conventional cyber security exists and focuses on actions to ensure business continuity in an attack (MITRE, 2013). CREF provides a structure for understanding the interrelated aspects of cyber resiliency rather than defining the attributes. Furthermore, recent studies have indicated that cyber resiliency requires consideration of various aspects of adversaries within cyberspace (Dupont, 2019) and multiple processes (Harmann, 2020) for which the CREF framework lacks sufficient coverage.

Table 4. Cyber Resiliency Engineering Framework Objectives (CREF).

Table 4. Cyber Resiliency Engineering Framework Objectives (CREF).

Objectives	Description
Understand	Maintain useful representations of mission dependencies and the status of resources with respect to possible adversity
Prepare	Maintain a set of realistic courses of action that address predicted or anticipated adversity
Prevent / Avoid	Preclude the successful execution of an attack or the realization of adverse condition
Continue	Maximize the duration and viability of essential mission / business functions during adversity
Constrain	Limit damage from adversity
Reconstitute	Restore as much mission / business functions and supporting processes to handle adversity more effectively
Transform	Modify mission/ business functions and supporting process to handle adversity more effectively
Re-architect	Modify architectures to handle adversity more effectively

IV. The Research Framework

A. The Proposed Framework

Cybersecurity continually evolves, with previous studies focusing on prevention and detection mechanisms proven insufficient in effectively addressing the dynamic landscape of cyber threats. Given the widely acknowledged potential of the resilience approach to bridge the gaps in traditional cybersecurity methods, it becomes imperative to explore the specific requirements for implementing a business-oriented resilience strategy to tackle the challenges posed by evolving cybersecurity threats. Nevertheless, resilience in cybersecurity needs clear and widely agreed-upon definitions and characteristics. This lack of consensus hampers the development of a cohesive understanding of the attributes that contribute to cybersecurity resilience. By drawing insights from existing security research, models, and frameworks, the literature review aids in identifying crucial attributes that lays the foundation for a comprehensive conceptual model organizations can use to enhance cyber resilience.

This research examines various common cybersecurity frameworks and models to discern the essential attributes contributing to the establishment of resilience. Subsequently, an integrated model for cyber resiliency is proposed.

The suggested model incorporates key resilience objectives drawn from ISO’s Security and Resilience (ISO22316) and CREF’s cyber security management, resulting in a comprehensive approach to cyber resilience, as outlined in Table 5. Core resilience variables are identified based on their significance in achieving resilience. CREF is built on concepts related to systems security engineering, security operations and management, and systems engineering for performance and management, primarily centred on addressing cyber threats. Contrarily, ISO22316 places significant emphasis on management’s pivotal role in fostering a resilient culture within the organization. As a standard designed explicitly for organizational resilience, ISO22316 complements MITRE’s Cyber Resilience Engineering Framework (CREF) and provides an ideal foundation for identifying key factors towards cyber resilience. These selected factors are strategically chosen to bridge the gaps in CREF and lay the groundwork for constructing an enhanced framework for cyber resilience. Furthermore, the key factors are extended to encompass the physical, logical, and social cyber domains, thus offering a comprehensive approach to achieving resilience.

Figure 5. Proposed Cyber Resilience Management Framework.

Figure 5. Proposed Cyber Resilience Management Framework.

V. The Research Findings

Figure 6. Factor Model Analysis Result.

Figure 6. Factor Model Analysis Result.

VI. Conclusion

References

1. Annarelli, A.; Battistella, C.; Nonino, F. A framework to evaluate the effects of organizational resilience on Service Quality. Sustainability 2020, 12, 958. [Google Scholar] [CrossRef]
2. Babiceanu, R.F. ; Seker, R. Cyber resilience protection for industrial internet of things: A software-defined networking approach. Computers in Industry 2019, 104, 47–58. [Google Scholar] [CrossRef]
3. Chartered Institute of IT, (Bcs,2020). Available online: https://www.bcs.org/content-hub/why-iso-27001-is-not-enough/ (accessed on 28 March 2020).
4. Collier, Z.; Linkov, I.; Lambert, J. Four domains of cybersecurity: a risk-based systems approach to cyber decisions. Environment Systems and Decisions 2013, 33, 469–470. [Google Scholar] [CrossRef]
5. Culot, G.; et al. The ISO/IEC 27001 information security management standard: Literature review and theory-based Research Agenda. The TQM Journal 2021, 33, 76–105. [Google Scholar] [CrossRef]
6. Cyber Resiliency Design Principles. (2017). [Ebook]. MITRE.
7. Cybersecurity and Infrastructure Security Agency. Critical Infrastructure Security and Resilience. Available online: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience (accessed on 12 February 2022).
8. Dupont, B. The cyber-resilience of financial institutions: significance and applicability. Journal of Cybersecurity 2019, 5. [Google Scholar] [CrossRef]
9. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. 2018. [CrossRef]
10. Disterer, G. ISO/IEC 27000, 27001 and 27002 for Information Security Management. Journal of Information Security 2013, 4, 99–100. [Google Scholar] [CrossRef]
11. Gyenes, R. A Voluntary Cybersecurity Framework Is Unworkable- Government Must Crack the Whip. Pittsburgh Journal Of Technology Law And Policy 2014, 14, 293–314. [Google Scholar] [CrossRef]
12. Harvard Business Review. A Comprehensive Approach to Cyber Resilience. Harvard Business Review. 2020. Available online: https://hbr.org/2020/06/a-comprehensive-approach-to-cyber-resilience.
13. Hoegl, M.; Hartmann, S. Bouncing back, if not beyond: Challenges for research on resilience. Asian Business & Management 2020, 20, 456–464. [Google Scholar] [CrossRef]
14. Ikwu, R. Identifying Data And Information Streams In Cyberspace: A Multi-Dimensional Perspective. arXiv 2019. [Google Scholar]
15. International Organization for Standardization. ISO 22316:2017 Security and resilience - Organizational resilience - Principles and attributes. 2017. Available online: https://www.iso.org/standard/60815.html.
16. Khan, Y.I.; Al-shaer, E.; Rauf, U. “Cyber resilience-by-construction,” Proceedings of the 2015 Workshop on Automated Decision Making for Active Cyber Defense [Preprint]. 2015. [Google Scholar] [CrossRef]
17. Koziolek, A.; Koziolek, H.; Reussner, R. H. Toward Resilience Assessment in Business Process Architectures. IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans 2011, 41, 464–477. [Google Scholar] [CrossRef]
18. Mallak, L.A. Toward a theory of organizational resilience. In Proceedings of the PICMET ’99: Portland International Conference on Management of Engineering and Technology, Proceedings Vol-1: Book of Summaries (IEEE Cat. No.99CH36310). Portland, OR, USA; 1999; Volume 1, p. 223. [Google Scholar] [CrossRef]
19. Lykou, G.; Anagnostopoulou, A.; Gritzalis, D. Smart airport cybersecurity: Threat mitigation and cyber resilience controls. Sensors 2018, 19, 19. [Google Scholar] [CrossRef]
20. Ma, Z.; Xiao, L.; Yin, J. Toward a dynamic model of organizational resilience. Nankai Business Review International 2018, 9, 246–263. [Google Scholar] [CrossRef]
21. Malatji, M. Management of enterprise cyber security: A review of ISO/IEC 27001:2022. In Proceedings of the 2023 International Conference On Cyber Management And Engineering (CyMaEn); 2023; pp. 117–122. [Google Scholar] [CrossRef]
22. Maziku, H.; Shetty, S.; Nicol, D.M. Security risk assessment for SDN-enabled Smart Grids. Computer Communications 2019, 133, 1–11. [Google Scholar] [CrossRef]
23. McKinsey & Company. Cybersecurity in a digital era. McKinsey & Company. Available online: https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity-in-a-digital-era.
24. NIST, Voluntary Product Standards Program. 2020. Available online: https://www.nist.gov/standardsgov/voluntary-product-standards-program (accessed on 23 March 2020).
25. Stuermer, K.; Kandt, J.; Rebstock, M. Resilience - A New Research Field in Business Information Systems? In Proceedings of the 43rd Hawaii International Conference on System Sciences; 2010; pp. 1–10. [Google Scholar] [CrossRef]
26. Techopedia. Cyberspace. Available online: https://www.techopedia.com/definition/2493/cyberspace.
27. The Difference Between Cyberspace & The Internet. 2020. Available online: https://www.cybersecurityintelligence.com/blog/the-difference-between-cyberspace-and-the-internet-2412.html (accessed on 4 May 2020).
28. The Star Online. Universiti Malaya E-Pay Portal is down after being defaced, The Star. 2019. Available online: https://www.thestar.com.my/tech/tech-news/2019/10/18/universiti-malaya-e-pay-portal-is-down-after-being-defaced (accessed on 29 April 2023).
29. The Star Online. Websites hacked after Flag Blunder, The Star. 2019. Available online: https://www.thestar.com.my/news/nation/2017/08/22/websites-hacked-after-flag-blunder/ (accessed on 29 April 2023).
30. The Star Online. The Star Online: In Need of Cybersecurity Experts. Available online: https://www.thestar.com.my/news/focus/2020/03/22/in-need-of-cybersecurity-experts (accessed on 22 March 2020).
31. The U.S. Army Concept Capability Plan for Cyberspace Operations 2016-2028. 2020. Available online: https://www.army.mil/article/37870/the_u_s_army_concept_capability_plan_for_cyberspace_operations_2016_2028 (accessed on 4 May 2020).
32. U.S. Army Concept Capability Plan for Cyberspace Operations 2016-2028. 2020. Available online: https://www.army.mil/article/37870/the_u_s_army_concept_capability_plan_for_cyberspace_operations_2016_2028 (accessed on 4 May 2020).
33. Von Solms, R.; Van Niekerk, J. From information security to cyber security. Computers & Security 2013, 38, 97–102. [Google Scholar] [CrossRef]
34. World Economic Forum. The Global Risks Report 2021. 2021. Available online: https://www.weforum.org/reports/the-global-risks-report-2021.
35. Xiao, L.; Cao, H. Organizational Resilience: The Theoretical Model and Research Implication. ITM Web Of Conferences 2017, 12, 04021. [Google Scholar] [CrossRef]
36. Yogi, M.K.; Chakravarthy, A.S. Application of temporal logic for construction of threat models for intelligent Cyber-Physical Systems. In Intelligent Cyber-Physical Systems Security for Industry 4.0; 2022; pp. 159–176. [Google Scholar] [CrossRef]