Resilience methodology - multinational experiment 7

Societies are becoming increasingly dependent on the cyber domain, a man-made domain where developments continue to take place at an extremely rapid pace. Historically, in the traditional warfighting domains, attacks on critical assets could be deterred through the display of credible offensive capabilities. In cyberspace, this is not the case. Often, one will not be aware of a threat until after an attack has taken place, and even then it will be arduous to prove its point of origination. When traditional deterrence is not an option, other preventive or protective measures must be considered. This report promotes resilience: accepting the risk that an attack will take place, and focusing on improving the ability to prevent, detect, absorb, and recover from it. There are in fact universal mitigating measures with “guaranteed effect” that make systems more resilient to cyber attacks. The report describes a generic methodology designed to support decision-makers in enhancing resilience through a better understanding of how their organization is dependent on the cyber domain, and how they can be better prepared to maintain essential capabilities and services in the event of cyber attacks on their critical assets. The main body of the report is a step-by-step guide to the practical application of the methodology. It takes a working group through the identification of an organization’s critical assets, analysis of its dependencies on cyber space and any associated vulnerabilities, and the need to maintain a current threat picture. Finally it introduces mitigating measures that will help make a system more resilient. As this methodology is generic, some parts of it will be more relevant than others for your organization and your specific level within that organization. While the methodology is presented as a whole, parts of it can also be standalone or used as separate methods as appropriate.