To Improve Cyber Resilience, Measure It

We are not very good at measuring -- rigorously and quantitatively -- the cyber security of systems. Our ability to measure cyber resilience is even worse. And without measuring cyber resilience, we can neither improve it nor trust its efficacy. It is difficult to know if we are improving or degrading cyber resilience when we add another control, or a mix of controls, to harden the system. The only way to know is to specifically measure cyber resilience with and without a particular set of controls. What needs to be measured are temporal patterns of recovery and adaptation, and not time-independent failure probabilities. In this paper, we offer a set of criteria that would ensure decision-maker confidence in the reliability of the methodology used in obtaining a meaningful measurement.