cyber resilience manifesto
Cyber resilience is an extension of information security and an evolution of operational resilience. It is “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Developing Cyber-Resilient Systems [1] is a NIST [2] Special Publication which is considered the most authoritative resource available today.
An organization’s cyber resilience efforts primarily aim to implement strategies and tactics that ensure the survivability of mission-critical functions before, during, or after a coordinated, destructive cyber-attack. Such cyber resilience strategies and tactics require capabilities to address the continuously evolving risks from advanced and unpredictable adversaries. This implies expanding threat scenario definition and modeling beyond “severe but plausible” and focusing on capable and motivated adversaries introducing “extreme but plausible” threat scenarios. The defender's goal should be to make it costly and difficult for these advanced adversaries to break into the organization’s environment and execute such an attack.
A fundamental step to achieving cyber resilience is identifying and understanding the organization’s critical assets, i.e., critical information assets (data) and information systems (applications), processes, roles, and third parties that are high-value assets, and developing plans to become resilient-by-design. For such identification to be effective, it must focus on the assets’ inherent impact and consider both the business objectives (Voice of the Customer) and the adversary’s (Voice of the Adversary).
Business resilience is the outcome of well-executed information security, operational resilience, and cyber resilience and is defined by the World Economic Forum [3] as “the ability of an organization to transcend any stresses, failures, hazards, and threats to its cyber resources within the organization and its ecosystem, such that the organization can confidently pursue its mission, enable its culture, and maintain its desired way of operating.”
References:
[1] Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, NIST SP 800-160 Vol. 2
[2] National Institute of Standards and Technology
[3] The Cyber Resilience Index: Advancing Organizational Cyber Resilience
call to action for the global cyber resilience community
join the cyber resilience manifesto
0% PRODUCTS - 0% MARKETING - 100% real cyber resilience
key differences between operational resilience, information security and cyber resilience
key differences
Cyber resilience is:
- (1) an extension of information security, and
- (2) an evolution of operational resilience.
# | Dimension | Information Security | Cyber Resilience
---|---|---|---
1 | Assets | Information security focuses on protecting all assets, with a focus on high-value assets (business view) and their availability loss. | Cyber resilience focuses on protecting primarily high-value targets (adversary view) and is concerned with CIA loss. |
2 | Threats | Information security focuses on “severe but plausible” threat scenarios involving adversaries who target the less protected and the most vulnerable. | Cyber resilience focuses on “extreme but plausible” threat scenarios against adversaries who may cause unknown harm to the whole organization. |
3 | Risks | Information security focuses on reducing the likelihood of occurrence and the likelihood of impact, limiting the adversary's ability to execute against their objectives. | Cyber resilience focuses on reducing the magnitude of impact, which specific security architecture and engineering practices can achieve. Resiliency recognizes that harm may occur and focuses on how to maximize mission achievement despite that. |
4 | Controls | Information security encompasses a comprehensive set of controls from NIST SP 800-53, around 1100 controls. | Cyber resilience extends the depth of a smaller set of these controls, drawn from NIST SP 800-160 and SP 800-172, which number around 200. |
differences explained
Cyber resilience addresses primarily the reduction of the magnitude of impact, i.e., restricting the blast radius under assume-breach conditions.
While operational resilience and information security prepare you for "severe but plausible" threat scenarios, cyber resilience prepares you for the tail-risk, black-swan "extreme but plausible" scenarios.
# | Dimension | Operational Resilience | Cyber Resilience
---|---|---|---
1 | Purpose | Operational resilience ensures the continuous functioning of all business operations during any type of disruption, focusing on the organization's ability to deliver essential services. | Cyber resilience focuses on maintaining and rapidly restoring digital operations during and after cyber-attacks, explicitly targeting the security and availability of essential IT systems and services. |
2 | Preparedness | Operational resilience involves broad strategies that coordinate across departments to manage risks from any source, ensuring resilience in physical, personnel, and process aspects. | Cyber resilience employs information security measures outlined in NIST SP 800-160 and SP 800-172 to defend IT assets against specific cyber threats, focusing on a narrower, more technical scope of preparedness. |
3 | Recovery | Operational resilience targets overall business continuity, focusing on recovering full-service delivery, not just IT services. This includes ensuring that alternative business processes are ready and viable as outlined in NIST SP 800-34 [4] or ISO22300 [5]. | Cyber resilience concentrates on technical recovery solutions, primarily from technology disruptions. It uses advanced response and recovery controls and goes beyond the traditional assumption that secondary arrangements (like backup systems or failovers) will operate effectively when primary systems fail. |
4 | Impact | Operational resilience evaluates broader business impacts, assessing the effects of potential and actual disruptions on the business's overall viability and its ability to serve its stakeholders and customers effectively. | Cyber resilience measures impact, focusing not just on the loss of availability (A) of data and systems but also on confidentiality (C) and integrity (I), crucial where these losses pose the greatest risk to the organization. |
References:
[4] Contingency Planning Guide for Federal Information Systems
[5] Security and Resilience – Business Continuity Management Systems
got time on your hands and knowledge to share?
Contribute to collective knowledge, battle-tested capabilities and solutions for increased cyber resilience.
Agree or disagree - contact us!