Nigel Inkster, Director of Transnational Threats and Political Risk at the International Institute for Strategic Studies, offers a scientific definition of cyber resilience: "The ability of a system or domain to withstand attacks or failures, and in such events, to re-establish itself quickly."
But other definitions of resilience vary widely. In 2010, the US Department of Homeland Security commissioned a study on how institutions were implementing resilience principles. Its analysts came up with 119 different definitions, and concluded that a broader, more cohesive definition of resilience should include flexibility and adaptability.
Professor James P G Sterbenz, from the Communications and Networking Systems Laboratory at Kansas University, has been working on clarifying the concept of resilience for governments and organizations. The principles he and his colleagues have developed as part of the university's ResiliNets data network architecture project have been adopted by the European Union's government security agency, ENISA, and are in the process of being adopted by the US Department of Homeland Security.
Professor Sterbenz points out that notions of resilience can include several concepts that mean different things to different people. "Reliability and availability are very different," he explains. "A reliable system is one that operates for a specified period of time, and you say what the probability is. Availability, on the other hand, is the probability that something will be there when you need it."
Resilience means something entirely different to companies that are closely integrated into a nation's critical infrastructure—be it the stock market, electric rail networks, or nuclear power stations. "We talk to our customers about what we call continuous service delivery," says Garry Sidaway, Director of Security Strategy for Integralis, a global security consulting firm. "Whilst components might fail or you might have an incident, it's about ensuring that service is still being delivered and the integrity of that service is still there."
The new attitude in achieving resilience is to plan for acceptable levels of data loss, unit failures, and compromise. This may seem alien to executives who have historically maintained a “zero-tolerance” policy toward failures. But new cloud hardware architectures are demonstrating that everyday events like storage-device failures and data loss can be tolerated when redundancies are built into the system.
The US Department of Homeland Security concluded in recent studies that “zero-tolerance” policies led to the perception that every unit of the business, whether digital or human, was critically important. When everything is critical, nothing is critical. When organizations enact more flexible tolerance principles, failures that would have shut down processes or even entire networks in an earlier era will not even be noticed by customers.
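As an added illustration of the reliability/availability distinction Sterbenz draws and of the redundancy argument above (example code written for this page, not from any of the people or organizations named), the figures for the storage node below are constructed, and the exponential failure model and k-of-n pool are assumptions:

```python
import math


def reliability(failure_rate_per_hour: float, mission_hours: float) -> float:
    """Probability the unit runs for the whole mission without failing.

    Assumes a constant failure rate (exponential lifetime): R(t) = exp(-lambda * t).
    """
    return math.exp(-failure_rate_per_hour * mission_hours)


def availability(mttf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability: the fraction of time the unit is usable,
    i.e. the probability it is up at an arbitrary moment you need it."""
    return mttf_hours / (mttf_hours + mttr_hours)


def availability_k_of_n(unit_availability: float, n: int, k: int) -> float:
    """Availability of a pool of n identical, independent units that still
    delivers service while at least k of them are up (binomial sum)."""
    a = unit_availability
    return sum(
        math.comb(n, i) * a**i * (1 - a) ** (n - i) for i in range(k, n + 1)
    )


def storage_node_example() -> dict:
    """Constructed figures: a node with MTTF 1000 h, MTTR 2 h, over a 720 h month."""
    mttf, mttr, month = 1000.0, 2.0, 720.0
    a_single = availability(mttf, mttr)
    return {
        # Chance the node survives a whole month with no failure at all.
        "reliability_one_month": reliability(1.0 / mttf, month),
        # Chance the node is up at any given moment (~99.8%).
        "availability_single": a_single,
        # Three nodes, service needs any two: failures become routine, not outages.
        "availability_2_of_3": availability_k_of_n(a_single, 3, 2),
        # Three nodes that must ALL be up: worse than one node.
        "availability_3_of_3": availability_k_of_n(a_single, 3, 3),
    }


if __name__ == "__main__":
    for name, value in storage_node_example().items():
        print(f"{name:24s} {value:.6f}")
```

The same node is available about 99.8% of the time yet has under a 50% chance of getting through a month with no failure, which is why the two terms must not be conflated; the 2-of-3 pool shows how redundancy turns individual failures into non-events.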