We are not very good at measuring — rigorously and quantitatively — the
cyber security of systems. Our ability to measure cyber resilience is even
worse. And without measuring cyber resilience, we can neither improve it nor
trust its efficacy. It is difficult to know if we are improving or degrading
cyber resilience when we add another control, or a mix of controls, to harden
the system. The only way to know is to specifically measure cyber resilience
with and without a particular set of controls. What needs to be measured are
temporal patterns of recovery and adaptation, and not time-independent failure
probabilities. In this paper, we offer a set of criteria that would ensure
decision-maker confidence in the reliability of the methodology used in
obtaining a meaningful measurement.

By admin