RESILIENCE PARADIGM DEVELOPMENT IN THE SECURITY DOMAIN

F.O. Korobeynikov

Èlektron. model. 2023, 45(4):88-110

https://doi.org/10.15407/emodel.45.04.088

ABSTRACT

This paper reviews scientific publications to determine the basis for the formation of the resilience paradigm in the security sphere. The main stages of the evolution of the resilience paradigm in the context of security are considered, including its origin, development and multifactorial impact on the security of critical systems and infrastructures at different levels. The definitions, concepts, and key ideas underlying the paradigm are examined in detail, highlighting the fundamental principles that contributed to its emergence. Special attention is paid to the constructs underlying the resilience paradigm in the security domain. Emphasis is placed on their practical implementation in frameworks and international legislation.

KEYWORDS

resilience, information security, risks, critical infrastructure.
