Textbook Cyber Resilience of Systems and Networks Alexander Kott Ebook All Chapter PDF

Cyber Resilience of Systems and
Networks Alexander Kott

Visit to download the full and correct content document:
https://textbookfull.com/product/cyber-resilience-of-systems-and-networks-alexander-
kott/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Cyber Resilience Fundamentals 1st Edition Tjoa
https://textbookfull.com/product/cyber-resilience-
fundamentals-1st-edition-tjoa/
Handbook of System Safety and Security Cyber Risk and

Risk Management Cyber Security Threat Analysis
Functional Safety Software Systems and Cyber Physical
Systems 1st Edition Edward Griffor
https://textbookfull.com/product/handbook-of-system-safety-and-
security-cyber-risk-and-risk-management-cyber-security-threat-
analysis-functional-safety-software-systems-and-cyber-physical-
systems-1st-edition-edward-griffor/
Cyber Operations Building, Defending, and Attacking

Modern Computer Networks O'Leary
https://textbookfull.com/product/cyber-operations-building-
defending-and-attacking-modern-computer-networks-oleary/
Cyber Physical Systems for Next Generation Networks

Advances in Computer and Electrical Engineering ACEE
1st Edition Amjad Gawanmeh (Editor)
https://textbookfull.com/product/cyber-physical-systems-for-next-
generation-networks-advances-in-computer-and-electrical-
engineering-acee-1st-edition-amjad-gawanmeh-editor/
Security of Cyber Physical Systems Vulnerability and
Impact Hadis Karimipour
https://textbookfull.com/product/security-of-cyber-physical-
systems-vulnerability-and-impact-hadis-karimipour/
Cyber Security for Cyber Physical Systems 1st Edition

Saqib Ali
https://textbookfull.com/product/cyber-security-for-cyber-
physical-systems-1st-edition-saqib-ali/
Embedded System Design : Embedded Systems, Foundations

of Cyber-Physical Systems, and the Internet of Things
Marwedel
https://textbookfull.com/product/embedded-system-design-embedded-
systems-foundations-of-cyber-physical-systems-and-the-internet-
of-things-marwedel/
Natural Gas Installations and Networks in Buildings 1st

Edition Alexander V. Dimitrov
https://textbookfull.com/product/natural-gas-installations-and-
networks-in-buildings-1st-edition-alexander-v-dimitrov/
Power Systems Resilience Modeling Analysis and Practice

Naser Mahdavi Tabatabaei
https://textbookfull.com/product/power-systems-resilience-
modeling-analysis-and-practice-naser-mahdavi-tabatabaei/
Risk, Systems and Decisions
Alexander Kott
Igor Linkov Editors
Cyber Resilience
of Systems and
Networks
Series Editors
Igor Linkov
Engineer Research and Development Center
US Army Corps of Engineers, Concord, MA, USA
Jeffrey Keisler
University of Massachusetts
Boston, Massachusetts, USA
James H. Lambert
University of Virginia
Charlottesville, Virginia, USA
Jose Figueira
University of Lisbon, Lisbon, Portugal
More information about this series at http://www.springer.com/series/13439

Alexander Kott • Igor Linkov
Editors
Cyber Resilience of Systems

and Networks
Editors
Alexander Kott Igor Linkov
U.S. Army Research Laboratory Engineer Research and Development Center
Adelphi, MD, USA US Army Corps of Engineers
Concord, MA, USA

ISBN 978-3-319-77491-6 ISBN 978-3-319-77492-3 (eBook)
https://doi.org/10.1007/978-3-319-77492-3
Library of Congress Control Number: 2018940877
© Springer International Publishing AG, part of Springer Nature 2019

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part
of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations,
recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or
information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar
methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this
publication does not imply, even in the absence of a specific statement, that such names are exempt
from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the
editors give a warranty, express or implied, with respect to the material contained herein or for any errors
or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims
in published maps and institutional affiliations.
Printed on acid-free paper
This Springer imprint is published by the registered company Springer International Publishing AG part
of Springer Nature.
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Contents
1 Fundamental Concepts of Cyber Resilience: Introduction

and Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Igor Linkov and Alexander Kott
Part I Quantifying Cyber Resilience

2 Metrics Based on the System Performance Perspective . . . . . . . . . . 29
George Cybenko
3 Metrics Based on the Mission Risk Perspective . . . . . . . . . . . . . . . . 41
Scott Musman, Seli Agbolosu-Amison, and Kenneth Crowther
Part II Assessment and Analysis of Cyber Resilience

4 Frameworks and Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Brianna Keys and Stuart Shapiro
5 Analysis of Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Nathaniel Evans and William Horsthemke
6 Applying Percolation Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Terrence J. Moore and Jin-Hee Cho
7 Modeling the Impact of Cyber Attacks . . . . . . . . . . . . . . . . . . . . . . 135
Igor Kotenko, Igor Saenko, and Oleg Lauta
8 Modeling and Simulation Approaches . . . . . . . . . . . . . . . . . . . . . . . 171
David Ormrod and Benjamin Turnbull
Part III Enhancing Cyber Resilience

9 Systems Engineering Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Deborah J. Bodeau and Richard D. Graubart
v
vi Contents
10 Active Defense Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

11 Managing Human Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Giampiero Giacomello and Gianluca Pescaroli
12 Rulemaking for Insider Threat Mitigation . . . . . . . . . . . . . . . . . . . 265
Igor Linkov, Kelsey Poinsatte-Jones, Benjamin D. Trump,
Alexander A. Ganin, and Jeremy Kepner
13 Biologically Inspired Artificial Intelligence Techniques . . . . . . . . . . 287
Nistha Tandiya, Edward J. M. Colbert, Vuk Marojevic,
and Jeffrey H. Reed
14 Economic Effectiveness of Mitigation and Resilience . . . . . . . . . . . . 315
Adam Rose, Noah Miller, Jonathan Eyer, and Joshua Banks
Part IV Cyber Resilience in Selected Classes of Systems and Networks

15 Regional Critical Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
16 Internet of Things . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Marilia Curado, Henrique Madeira, Paulo Rupino da Cunha,
Bruno Cabral, David Perez Abreu, João Barata, Licínio Roque,
and Roger Immich
17 Smart Cities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Jesus Pacheco, Cihan Tunc, and Salim Hariri
18 Transportation Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Gabor Karsai, Xenofon Koutsoukos, Himanshu Neema,
Peter Volgyesi, and Janos Sztipanovits
19 Supply Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Zachary A. Collier, Madison L. Hassler, James H. Lambert,
Daniel DiMase, and Igor Linkov
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Contributors
David Perez Abreu Centre for Informatics and Systems, Department of Informat-
ics Engineering, University of Coimbra, Coimbra, Portugal
Seli Agbolosu-Amison The MITRE Corp, McLean, VA, USA
Joshua Banks Center for Risk and Economic Analysis of Terrorism Events,
University of Southern California, Los Angeles, CA, USA
João Barata Centre for Informatics and Systems, Department of Informatics
Engineering, University of Coimbra, Coimbra, Portugal
Deborah J. Bodeau The MITRE Corporation, Bedford, MA, USA
Bruno Cabral Centre for Informatics and Systems, Department of Informatics
Jin-Hee Cho U.S. Army Research Laboratory, Adelphi, MD, USA
Edward J. M. Colbert U.S. Army Research Laboratory (ARL), Adelphi, MD,
USA
Zachary A. Collier University of Virginia, Charlottesville, VA, USA
Kenneth Crowther The MITRE Corp, McLean, VA, USA
Paulo Rupino da Cunha Centre for Informatics and Systems, Department of
Informatics Engineering, University of Coimbra, Coimbra, Portugal
Marilia Curado Centre for Informatics and Systems, Department of Informatics
George Cybenko Thayer School of Engineering, Dartmouth College, Hanover,
NH, USA
Daniel DiMase SAE G-19A Chairman Emeritus, East Greenwich, RI, USA
Nathaniel Evans Argonne National Laboratory, Lemont, IL, USA
vii
viii Contributors
Jonathan Eyer Center for Risk and Economic Analysis of Terrorism Events,
University of Southern California, Los Angeles, CA, USA
Alexander A. Ganin U.S. Army Corps of Engineers, Engineering Research and
Development Center, Concord, MA, USA
Department of Systems and Information Engineering, University of Virginia,
Charlottesville, VA, USA
Giampiero Giacomello Universita’ di Bologna, Bologna, Italy
Richard D. Graubart The MITRE Corporation, Bedford, MA, USA
Salim Hariri NSF Center for Cloud and Autonomic Computing, The University of
Arizona, Tucson, AZ, USA
Madison L. Hassler University of Virginia, Charlottesville, VA, USA
William Horsthemke Argonne National Laboratory, Lemont, IL, USA
Roger Immich Centre for Informatics and Systems, Department of Informatics
Gabor Karsai Institute for Software Integrated Systems, Vanderbilt University,
Nashville, TN, USA
Jeremy Kepner MIT Lincoln Laboratory, Cambridge, MA, USA
Brianna Keys Center for Research on Lifelong STEM Learning, Oregon State
University, Corvallis, OR, USA
Igor Kotenko Laboratory of Computer Security Problems, St. Petersburg Institute
for Informatics and Automation of Russian Academy of Sciences (SPIIRAS),
Saint-Petersburg, Russia
Laboratory of Computer Security Problems, St. Petersburg National Research
University of Information Technologies, Mechanics and Optics (ITMO University),
Alexander Kott U.S. Army Research Laboratory, Adelphi, MD, USA
Xenofon Koutsoukos Institute for Software Integrated Systems, Vanderbilt
University, Nashville, TN, USA
James H. Lambert University of Virginia, Charlottesville, VA, USA
Oleg Lauta Laboratory of Computer Security Problems, St. Petersburg Institute
for Informatics and Automation of Russian Academy of Sciences (SPIIRAS),
Igor Linkov Engineer Research and Development Center, US Army Corps of
Engineers, Concord, MA, USA
Contributors ix
Henrique Madeira Centre for Informatics and Systems, Department of Informatics

Vuk Marojevic Bradley Department of Electrical and Computer Engineering,
Virginia Tech, Blacksburg, VA, USA
Noah Miller Center for Risk and Economic Analysis of Terrorism Events, Univer-
sity of Southern California, Los Angeles, CA, USA
Terrence J. Moore U.S. Army Research Laboratory, Adelphi, MD, USA
Scott Musman The MITRE Corp, McLean, VA, USA
Himanshu Neema Institute for Software Integrated Systems, Vanderbilt Univer-
sity, Nashville, TN, USA
David Ormrod Australian Centre for Cyber-Security, University of New South
Wales at the Australian Defence Force Academy, Canberra, ACT, Australia
Jesus Pacheco NSF Center for Cloud and Autonomic Computing, The University
of Arizona, Tucson, AZ, USA
Gianluca Pescaroli Institute for Risk and Disaster Reduction, University College
London, London, UK
Kelsey Poinsatte-Jones U.S. Army Corps of Engineers, Engineering Research and
Jeffrey H. Reed Bradley Department of Electrical and Computer Engineering,
Licínio Roque Centre for Informatics and Systems, Department of Informatics
Adam Rose Center for Risk and Economic Analysis of Terrorism Events, Univer-
sity of Southern California, Los Angeles, CA, USA
Igor Saenko Laboratory of Computer Security Problems, St. Petersburg Institute
for Informatics and Automation of Russian Academy of Sciences (SPIIRAS), Saint-
Petersburg, Russia
Laboratory of Computer Security Problems, St. Petersburg National Research
University of Information Technologies, Mechanics and Optics (ITMO University),
Stuart Shapiro Edward J. Bloustein School of Planning and Public Policy,
Rutgers, The State University of New Jersey, New Brunswick, NJ, USA
Janos Sztipanovits Institute for Software Integrated Systems, Vanderbilt Univer-
sity, Nashville, TN, USA
Nistha Tandiya Bradley Department of Electrical and Computer Engineering,
x Contributors
Benjamin D. Trump U.S. Army Corps of Engineers, Engineering Research and

Cihan Tunc NSF Center for Cloud and Autonomic Computing, The University of
Arizona, Tucson, AZ, USA
Benjamin Turnbull Australian Centre for Cyber-Security, University of New
South Wales at the Australian Defence Force Academy, Canberra, ACT, Australia
Peter Volgyesi Institute for Software Integrated Systems, Vanderbilt University,
Nashville, TN, USA
Chapter 1
Fundamental Concepts of Cyber Resilience:
Introduction and Overview
Igor Linkov and Alexander Kott
1 Motivation: Why Cyber Resilience?
Society is increasingly reliant upon complex and interconnected cyber systems to

conduct daily life activities. From personal finance to managing defense capabilities
to controlling a vast web of aircraft traffic, digitized information systems and
software packages have become integrated at virtually all levels of individual and
collective activity. While such integration has been met with immense increases in
efficiency of service delivery, it has also been subject to a diverse body of threats
from nefarious hackers, groups, and even state government bodies. Such cyber
threats have shifted over time to affect various cyber functionalities, such as with
direct denial of service (DDoS), data theft, changes to data code, infection via
computer virus, and many others.
Attack targets have become equally diverse, ranging from individuals to interna-
tional companies and national government agencies. At the individual level, thou-
sands of personal data records including credit card information and government
identification are stolen on a daily basis – disrupting the lives of many persons and
generating billions of dollars in fraud or other losses. At the corporate level, hacking
attempts targeted at the Sony Corporation, Equifax, and other similarly sized orga-
nizations demonstrate the potential for hackers to gain entry to sensitive information
stored in company databases and potentially impact the security of millions of users.
Ransomware attacks are also on the rise, where a user’s computer or files are locked
I. Linkov (*)
Engineer Research and Development Center, US Army Corps of Engineers,
Concord, MA, USA
e-mail: igor.linkov@usace.army.mil
A. Kott
U.S. Army Research Laboratory, Adelphi, MD, USA
e-mail: alexander.kott1@us.army.mil
© Springer International Publishing AG, part of Springer Nature 2019 1

A. Kott, I. Linkov (eds.), Cyber Resilience of Systems and Networks, Risk, Systems
and Decisions, https://doi.org/10.1007/978-3-319-77492-3_1
2 I. Linkov and A. Kott
until a payment is received. Lastly, state-based cyber threats arise from individual
hackers and other large states alike, such as with daily intrusion attempts that occur
within the Department of Defense. While many cyber threats are thwarted, many are
able to exact lasting and widespread damage in terms of security, financial losses,
social disorder, and other concerns. In warfare, cyber threats may soon become one of
the main factors that decide whether a war is won or lost (Kott et al. 2015).
Whereas traditional risk assessment comprises a calculation of product of threats,
vulnerabilities, and consequences for hazards and their subsequent exposures
(Kaplan and Garrick 1981), risk assessment becomes limited in the cybersecurity
field as approaches are needed to address threats and vulnerabilities that become
integrated within a wide variety of interdependent computing systems and accom-
panying architecture (Collier et al. 2014a; DiMase et al. 2015; Ganin et al. 2017a).
For highly complex and interconnected systems, it becomes prohibitively difficult to
conduct a risk assessment that adequately accounts for the potential cascading
effects that could occur through an outage or loss spilling over into other systems.
Given the rapid evolution of threats to cyber systems, new management approaches
are needed that address risk across all interdependent domains (i.e., physical,
information, cognitive, and social) of cyber systems (Linkov et al. 2013a, b).
Further, the unpredictability, extreme uncertainty, and rapid evolution of poten-
tial cyber threats leave risk assessment efforts all the more unable to adequately
address cybersecurity concerns for critical infrastructural systems. For this reason,
the traditional approach of hardening of cyber systems against identified threats has
proven to be only partially effective. The only true defense that cybersecurity pro-
fessionals could take to harden systems from the multitude of potential cyber threats
would include the disallowance of cyber systems from accessing the Internet.
Therefore, in the same way that biological systems develop immunity as a way to
respond to infections and other attacks, so too must cyber systems adapt to ever-
changing threats that continue to attack vital system functions and to bounce back
from the effects of the attacks (Linkov et al. 2014).
For these reasons, cyber resilience refers to the ability of the system to prepare,
absorb, recover, and adapt to adverse effects, especially those associated with cyber-
attacks. (We will go into more detail about the exact definition later.) Here,
depending on the context, we use the term cyber resilience to refer mainly to the
resilience property of a system or network; sometimes we also use the term as
referring to the features or components of the system that enable cyber resilience.
2 Resilience and Systems
Cyber resilience should be considered in the context of complex systems that

comprise not only physical and information but also cognitive and social domains
(Smith 2005). Cyber resilience ensures that system recovery occurs by considering
the interconnected hardware, software, and sensing components of cyber
1 Fundamental Concepts of Cyber Resilience: Introduction and Overview 3
Fig. 1.1 The cyber

resilience domains comprise
sensing, hardware, and
software components that
collectively contribute to
sustaining system
operations
infrastructure (Fig. 1.1). Cyber resilience thus constitutes a bridge between sustain-
ing operations of the system while ensuring mission execution.
Resilience has roots in many disciplines and integrates ecological, social, psy-
chological, organizational, and engineering perspectives and definitions (Florin &
Linkov 2016). Resilience engineering, for example, has been defined as “the ability
of systems to anticipate and adapt to the potential for surprise and failure” and has
been associated with a shift in safety paradigm acknowledging that system coping is
important when prevention is impossible (Hollnagel et al. 2006). Ecological resil-
ience, on the other hand, refers to the ability of the system to absorb and withstand
shocks, with an emphasis on persistence (Holling 1996). Resilience is often used as a
metaphor to describe the way in which systems react to stressors; however, resilience
needs to be discussed less abstractly, separating the metaphor from the science.
Across the many diverse lines of inquiry, there are weak linkages between concepts
and methods for resilience. Useful ideas and results accumulate and partially over-
lap; however, it is often difficult to find common areas. In addition, technical
languages hamper communication of ideas about resilience across the different
contributing disciplines and application domains.
Despite the multidisciplinary nature of resilience and the multiple definitions that
currently exist, common themes and resilience features can be distinguished among
the disciplines (Connelly et al. 2017). Resilience defined by the National Academies
of Science (NAS) as “the ability to prepare and plan for, absorb, recover from, and
more successfully adapt to adverse events” is emerging as one of the most widely
used by various organizations and governance agencies (Larkin et al. 2015).
Common resilience features include critical functions (services), thresholds, cross-

scale (both space and time) interactions, and memory and adaptive management. The
concept of critical functionality is important to understand the purpose and outputs
of the system that are valued and guide planning for resilience to some shock or
disturbance. Thresholds play a role in whether a system is able to absorb a shock and
whether recovery time or alternative stable states are most salient. Recovery time is
essential in assessing system resilience after a disturbance where a threshold is not
exceeded. Finally, the concepts of memory describe the degree of self-organization
in the system, and adaptive management provides an approach to managing and
learning about a system’s resilience opportunities and limits, in a safe-to-fail manner.
Connelly et al. (2017) relate these features to the National Academy of Sciences
definition of resilience (Table 1.1), including the emphasis of incorporating time into
all conceptualizations of resilience.
3 Resilience and Related Properties of Systems
Similar to other fields, cyber resilience refers to the system’s ability to recover or
regenerate its performance after a cyber-attack produces a degradation to its perfor-
mance (Fig. 1.2). For now, until we delve further into metrics of cyber resilience, we
can say the following: assuming two equally performing systems, A and B, are
subjected to an impact (resulting from a cyber-attack) that leave both systems with
equal levels of performance degradation, the resilience of system A is greater if after
a given period T it recovers to a higher level of performance than that of system B.
Resilience is often confused or conflated with several related but different
concepts. These include risk, robustness, and security. Oxford dictionary clearly
defines these concepts. Risk is “a situation involving exposure to [a] danger
[or threat].” If risk is managed appropriately, the system reaches a state of security
(i.e., “the state of being free from danger or threat”) or robustness (i.e., “the ability to
withstand or overcome adverse conditions or rigorous testing”). Security, robust-
ness, and risks are connected, as they are focused on preventing a system from
degrading and keeping functionality within acceptable levels before and after
adverse events. Resilience differs from these concepts. For example, Oxford defines
resilience as “the capacity to recover quickly from difficulties.” Thus, resilience
assessment starts with an assumption that the system is affected and functionality
impaired, with emphasis placed on speed of system recovery.
The literature on cyber risk (including here what some call “IT risk”) most
commonly defines cyber risk in terms of likelihood of an undesirable event, as
well as measure of event impact. Although several approaches to risk assessment
exist, the methods adopted by US regulatory agencies are largely based on the
traditional “risk ¼ threat x vulnerability x consequence” model. For example,
NIST’s description from NIST Publication SP 800–30 (NIST 2012) states: “Risk
is a function of the likelihood of a given threat-source's exercising a particular
potential vulnerability, and the resulting impact of that adverse event on the
Table 1.1 Resilience features common to socio-ecology, psychology, organizations, and engi-
neering and infrastructure, which are related to the temporal phases from the National Academy of
Sciences definition of resilience (after Connelly et al. 2017).
Description by application domain
NAS Engineering
phase of Resilience Socio- and
resilience feature ecological Psychological Organizational infrastructure
Plan Critical A system function identified by stakeholders as an important dimen-
functions sion by which to assess system performance
(services) Ecosystem ser- Human psy- Goods and ser- Services pro-
vices provided chological vices provided vided by
to society well-being to society physical and
technical
engineered
systems
Absorb Thresholds Intrinsic tolerance to stress or changes in conditions where exceeding
a threshold perpetuates a regime shift
Used to iden- Based on sense Linked to orga- Based on
tify natural of community nizational sensitivity of
breaks in scale and personal adaptive capac- system func-
attributes ity and to brit- tioning to
tleness when changes in
close to input
threshold variables
Recover Time (and Duration of degraded system performance
scale) Emphasis on Emphasis on Emphasis on Emphasis on
dynamics over time of disrup- time until time until
time tion (i.e., recovery recovery
developmental
stage: child-
hood vs
adulthood)
Adapt Memory/ Change in management approach or other responses in anticipation of
adaptive or enabled by learning from previous disruptions, events, or
management experiences
Ecological Human and Corporate Redesigning
memory guides social memory memory of of engineer-
how ecosystem can enhance challenges ing systems
reorganizes (through learn- posed to the designs
after a disrup- ing) or diminish organization based on past
tion, which is (e.g., post- and manage- and potential
maintained if traumatic ment that future
the system has stress) psycho- enable modifi- stressors
high logical cation and
modularity resilience building of
responsiveness
to events
Fig. 1.2 Notional resilience profile, plotting a system’s critical functionality over time
organization. To determine the likelihood of a future adverse event, threats to an IT

system must be analyzed in conjunction with the potential vulnerabilities and the
controls in place for the IT system.” ISO’s definition of IT risk is similar: “the
potential that a given threat will exploit vulnerabilities of an asset or group of assets
and thereby cause harm to the organization. It is measured in terms of a combination
of the probability of occurrence of an event and its consequence” (ISO/IEC 2008).
The key components of cyber risk are relatively well understood. The likelihood
of a successful cyber-attack can be empirically measured and estimated a priori with
a degree of accuracy from known characteristics of a system or network (Leslie et al.
2017; Gil et al. 2014). The cyber impact on a system is a topic in which assessment
methods are being developed (Kott et al. 2017). Because cyber threats are difficult to
quantify, current efforts shift from quantifying risk in specific units (like probability
of failure) toward risk-based decision-making using multi-criteria decision analysis
(Ganin et al. 2017a; Collier et al. 2014b). Unlike the concept of resilience, the
concept of risk does not answer the questions of how well the system is able to
absorb a cyber-attack or how quickly and how completely the system is able to
recover from a cyber-attack. Even when individual risks are identified and actions
taken to reduce risk, residual risk still remains. As such, resilience assessment and
management is, in part, an effort to improve the overall ability of a system to mitigate
remaining residual risk, as well as address unknown or emerging threats.
Robustness is another concept often confused with resilience. Robustness is
closely related to risk. Robustness denotes the degree to which a system is able to
withstand an unexpected internal or external threat or change without degradation in
system performance. To put it differently, assuming two systems – A and B – of
equal performance, the robustness of system A is greater than that of system B if the
same unexpected impact on both systems leaves system A with greater performance
than system B. We stress the word unexpected because the concept of robustness
focuses specifically on performance not only under ordinary, anticipated conditions
(which a well-designed system should be prepared to withstand) but also under
unusual conditions that stress its designers’ assumptions. For example, in IEEE
Standard 610.12.1990, “[r]obustness is defined as the degree to which a system
operates correctly in the presence of exceptional inputs or stressful environmental
conditions.” Similarly, “robust control refers to the control of unknown plants with
unknown dynamics subject to unknown disturbances” (Chandrasekharan 1996).
Note that the length of recovery typically depends on the extent of damage. There
may also be a point beyond which recovery is impossible. Hence, there is a relation
between robustness (which determines how much damage is incurred in response to
an unexpected disturbance) and resilience (which determines how quickly the
system can recover from such damage). In particular, a system that lacks robustness
will often fail beyond recovery, hence offering little resilience. Both robustness and
resilience, therefore, must be understood together.
4 Costs of Cyber Resilience and Cyber Risk Management
Traditional risk assessment is appealing for cyber risk governance due to the
quantitative nature and the single risk value that is output. These characteristics
make risk thresholds easy to formalize in policy documents and to regulate in a
consistent manner at the Federal level. However, quantitative risk assessment typ-
ically involves quantification of the likelihood of an event’s occurrence, the vulner-
ability to the event, and the consequences of the event. Emerging cyber realities and
technologies are presenting new threats with uncertain intensity and frequency, and
the vulnerabilities and consequences in terms of the extent of casualties, economic
losses, time delays, or other damages are not yet fully understood or modeled. As a
result, risk calculations become more uncertain and generate costly solutions
because multiple, often hypothetical, threat scenarios could point to many vulnera-
bilities and catastrophic system failures that are unaffordable to mitigate, absorb, or
recover. Furthermore, users and other stakeholders may have preferences for
accepting some loss in performance of one part of the system over any degradation
in another part (Bostick et al. 2017). One outcome can be significant funding spent in
ways that do not align with stakeholder values, resulting in dissatisfaction with
performance, despite the expense, or even litigation that interferes with the risk
reduction efforts.
A key risk management strategy is to identify critical components of a system that
are vulnerable to failure and subsequently to harden them (Roege et al. 2014). This
approach can be appropriate for many isolated cyber systems, but when the nature of
the threat is unknown, as discussed above, it is difficult to identify all of the critical
components, and it becomes increasingly expensive to act conservatively to harden
or protect all parts of the system against all types of threats (Fig. 1.3). The result has
been stagnation in investment. As risk mitigation plans become more expensive and
Fig. 1.3 Conceptual diagram of the cost of buying down risk in cyber systems (after Bostick et al.
2018)
Fig. 1.4 Existential threat

and mega-cost avoided
when resources are
reallocated to resilience –
e.g., accepting risk level (a)
instead of risk level
(b) (after Bostick et al.
2018)
are delayed while funding is sought, infrastructure and societal systems are left
largely unprepared for emerging and uncertain threats (Meyer 2011). Furthermore,
there are fewer and fewer isolated systems in our world, and the degree of
interdependency and interconnectedness can be difficult to characterize and
quantify.
In exchange for accepting the current levels of risk rather than demanding greater
preventative and protective measures, funding can be reallocated toward resilience
enhancement efforts. For systems that have already completed cost-effective risk
reduction measures, Fig. 1.4 shows the funding that can be reallocated toward
resilience by accepting risk level (a) over risk level (b). In parallel to these public
changes, the academic community should be called on to develop decision models
that identify the optimal investment in risk reduction versus resilience and recovery
improvement.
5 Assessment of Cyber Resilience
Resilience assessment builds upon the more qualitative methods of risk assessment
to include consideration of the interaction between physical, information, and social
systems and, more importantly, the form and speed of system recovery and adapta-
tion after the initial response and continuing until the system returns to “business as
usual.” Resilience assessment should offer an approach that acknowledges the
uncertainty around emerging threats and guides mitigation of the consequences by
enhancing the ability of a system to recover from any interruption, whether predict-
able or not. The best resilience assessment methods should engage users and
stakeholders in determining acceptable trade-offs in performance, prioritizing recov-
ery efforts, and tracking any changing values within the user community in order to
develop adaptive management plans.
Myriad tools and methods marketed as resilience assessments now exist but take
very different formats (Florin and Linkov 2016; Nordgren et al. 2016). Some are as
simple as a checklist, others are geo-spatial visualizations of quantifiable metrics,
while still others are network modeling methods but with no generalized form
custom built for each application. The outputs of these tools are similarly varied,
including maps, scores, and process time graphs. Developers of the tools span a wide
range of entities including academic; private (e.g., consulting); program sponsors
(e.g., foundations and agencies); boundary organizations that bridge across research,
policy, and practitioner realms; and potential users themselves. Potential users
include state and city managers, industry process administrators, and utility opera-
tors, many lacking the expertise to choose among the rapidly accumulating products
in this emerging field.
Figure 1.5 shows two primary approaches currently described in the literature to
address resilience, including metric-based and model-based approaches. Metric-
based approaches use measures of individual properties of system components or
functions to assess overall system performance, while model-based approaches use
system configuration modeling and scenario analysis to predict system evolution. In
Fig. 1.5 Metric-based and

model-based approaches for
resilience assessment.
Multiple tools have been
developed to address
resilience in systems in both
methodological groups
general, metrics are defined as measurable properties of the system that quantify the
degree to which the objectives of the system are achieved. Metrics provide vital
information pertaining to a given system and are generally acquired by way of
analyzing relevant attributes of that system. Some researchers and practitioners
make a distinction between a measure and a metric, whereas others may refer to
metrics as performance measures (Collier et al. 2016). A number of efforts have been
focused on developing metrics that are applicable to a variety of systems, including
social, ecological, and technical (Eisenberg et al. 2014). The current lack of univer-
sally applicable resilience metrics and the inability to formalize value systems
relevant to the problems at hand have been barriers to wide implementation of
metric-based methodologies. Advances in decision analysis and social and economic
valuation of benefits offer ways to address these challenges, with methods to assess
the impact of trading off resilience attributes (e.g., flexibility, redundancy) with
values currently considered in the decision-making process (e.g., cost, environmen-
tal impact, risk reduction) for diverse investment alternatives. Further research on
this topic can greatly benefit both management and investment decisions for system
resilience. Resilience metrics are discussed in detail in Linkov et al. (2013b), and two
chapters of this book are dedicated to exploring alternative approaches to defining
cyber resilience metrics.
Model-based approaches focus on a representation of the real world and a
definition of resilience using mathematical or physical concepts. Modeling requires
knowledge of the critical functions of a system, mission, temporal patterns of
systems, thresholds, and system memory and adaptation. Process models require a
detailed understanding of the physical approaches within a system to simulate event
impacts and system recovery and are difficult to construct and are information
consuming. Statistical approaches alternatively require a lot of data on system
performance. Bayesian models combine features of process and statistical models.
Network models require a presentation of the system as interconnected networks
whose structure is dependent on the function of the system. Alternatively, the game
theoretical/agent-based approach focuses on the model performance of the system
based on a limited set of rules defined by modelers (Kelic et al. 2013). Using these
approaches, resilience can be defined, but the utility of many advanced models is
limited because of the data-intensive requirements. Network science is emerging as
an important tool to allow quantitative framing for the future of resilience as a
scientific discipline. In network science, the system is represented as an
interconnected network of links and nodes that exhibit behavior in space and time.
These methods have been demonstrated, though only for limited case studies where
network recovery was explicitly modeled (Ganin et al. 2016, 2017b; Gao et al. 2016;
Cohen et al. 2000). The challenge is to frame resilience as characteristic of several
major network properties that would provide a universal foundation to the field with
cross-domain applications, similar to the threat-vulnerability-consequence frame-
work used in the field of risk analysis. The four parameters of resilience (critical
function, thresholds, time, and memory) will be the basis of identifying and describ-
ing the relevant network properties. This shift in thinking and novel network-based
assessment tools are needed to encourage adaptability and flexibility in addition to
Fig. 1.6 Overview of tiered approach to resilience assessment (after Linkov et al., in press)
adequately assessing the trade-offs between redundancy and efficiency that charac-
terize a useful resilience assessment.
Linkov et al. (in press) proposed combining multiple tools for resilience assess-
ment in a tiered framework (Fig. 1.6). The goal of each tier is to describe the
performance and relationship of critical systems in order to identify management
options that enhance performance in parallel with activities that reduce risk. The
methods of tier I quickly and inexpensively identify the broad functions that a
system provides to human society or the environment and prioritize the performance
of the critical functions both during and in the time following a disruptive event.
Analytically, this framing and characterization analysis makes use of existing data,
expert judgment, and conceptual models. The methods of tier II describe the general
organization and relationships of the system in a simple form such as a process
model or critical path model. Identifying sequential and parallel events in a distur-
bance can reveal feedback processes and dependencies that are the root of cascading
system failures. The methods of tier III build a detailed model of important functions
and related subsystems where each process and each component of the system is
parameterized. The process can be halted at any tier when enough information has
been synthesized such that actionable system investments or projects to improve
system resilience, given available resources, have been identified by the decision
makers.
6 Approaches to Improving Cyber Resilience
Resilience of a system, a network, or an organization is influenced by a number of

factors, in a complex and often contradictory manner. In this section, we consider
some of these factors and how they can be managed or exploited in order to enhance
the resilience. In addition to this section, further in this book, the chapter by Keys
et al. discusses general practices, and the chapter by Bodeau and Graubart describes
a set of frameworks, analytic methods, and technologies that can be used to improve
system and mission cyber resilience.
Manage Complexity Resilience of a system or network depends greatly on com-
plexity of links within the system (Kott and Abdelzaher 2014; Ganin et al. 2016). In
his pioneering work, Perrow (1984) explains that catastrophic failures of systems
emerge from high complexity of links which lead to interactions that the system’s
designer cannot anticipate and guard against. System’s resilience precautions can be
defeated by hidden paths, incomprehensible to the designer because the links are so
numerous, heterogeneous, and often implicit.
This issue is particularly important in multi-genre networks, which are networks
that combine several distinct genres – networks of physical resources, communica-
tion networks, information networks, and social and cognitive networks. When we
consider an entire multi-genre network — and not merely one of the heterogeneous,
single-genre sub-networks that comprise the whole – we see far more complexity of
the paths connecting the network’s elements.
Of particular importance are those paths within the system that are not recognized
or comprehended by the designer. Indeed, the designer can usually devise a mech-
anism to prevent a propagation of failure through the links that are obvious. Many,
however, are not obvious, either because there are simply too many paths to consider
– and the numbers rapidly increase once we realize that the paths between elements
of a communication system, for example, may also pass through a social or an
information network — or because the links are implicit and subtle. Subtle feedback
links may lead to a failure in organizational decision-making (Kott 2006).
To enhance resilience, in some cases, the designer of the system can use greater
complexity of connections between two elements of the systems by increasing
redundancy of its functions. Also, as the number and heterogeneity of links grow,
they offer the agents (or other active mechanisms) within the network more oppor-
tunities to regenerate the network’s performance. These agents may be able to use
additional links to more elements in order to reconnect the network, to find replace-
ment resources, and ultimately to restore its functions.
On the other hand, greater complexity of the network may also reduce the
resilience of the network. For example, active agents may be more likely to be
confused by the complexity of the network or to be defeated in their restoration work
by unanticipated side effects induced by hidden paths within the network. The
increase in complexity may also lead to lower resilience by increasing – and hiding
from the designer – the number of ways in which one failed component may cause
the failure of another. Therefore, in most cases greater complexity should be avoided
when possible, unless it directly supports resilience functions. In this book, the
chapter by Evans and Horsthemke explains the role of dependencies in complex
systems and how to analyze and characterize the impact of dependencies; in another
chapter they provide an example of analysis of a large-scale, highly complex web of
systems called regional critical infrastructure. The chapter by Bodeau and Graubart
describes the techniques of segmentation and isolation that can be used to manage
the complexity in order to enhance resilience.
Choose Topology Quite apart from complexity, the choice of appropriate topology
of the system or network can improve resilience. Much prior research addressed the
fundamental vulnerabilities of different networks as a function of their topological
properties. Of particular interest has been the classification of properties of networks
according to their node degree distribution. While some networks (such as wireless
and mesh networks) are fairly homogeneous and follow an exponential node degree
distribution, others, called scale-free networks (such as the web or the power grid),
offer significant skew in node degrees, described by a power law. It is well known
that scale-free graphs are much more robust to random node failures (errors) than
graphs with an exponential degree distribution, but that these scale-free graphs are
increasingly more vulnerable to targeted attacks (namely, removal of high-degree
nodes). In this book, the chapter by Moore and Cho explores the role of topology and
methods to analyze the influence of topology on resilience; and the chapter by
Kotenko et al. presents topology-based methods in analysis of cyber-attack propa-
gation and the impact on resilience.
Add Resources Additional resources in a network can help improve resilience. For
example, adding capacity to nodes in a power generation and distribution network
may reduce likelihood of cascading failures and speed up the service restoration.
Adding local storage and influencing the distribution of nodes of different functions
in a network also lead to improved resilience at the expense of additional resources.
Resilience may be improved by adding multiple functional capacities to each node
(usually implying the need for additional resources), by processing more input
sources (requiring more resources for acquisition of inputs and for processing), or
by combination of multiple parallel processing mechanisms. Yet the same measures
tend to increase complexity and might cause greater difficulties in restoring the
network’s capability if degraded by an unexpected – and probably harder to under-
stand – failure.
Providing redundant resources can help both to absorb and to restore the system.
Redundancy, however, should be used with caution. If the designer adds identical
redundant software or hardware, the same malware would be able to compromise
multiple redundant resources. If diversity is introduced, and the redundant resources
are significantly different, the complexity grows with its potential negative impact on
resilience. In this book, the chapter by Musman offers an example of estimating
mission resilience in comparing two options of adding resources: (a) adding a
replicate server or (2) adding a fast recovery resource. The chapter by Bodeau and
Graubart discusses how technologies and processes for contingency planning and
COOP, including diversity and redundancy, support resilience. The chapter by
Curado et al. describes the fog services concept in which functions are widely
distributed over a large number of resources.
Design for Reversibility Components of the system should be designed in a
manner that allows them to revert to a safe mode when failed or compromised.
This means several things: (1) the component in the failed mode should not cause
any further harm to itself or other components of system or environment; (2) it
should be possible to reverse the state of the component in the process of recovering
the system. This is because some failures, such as physical breakage and human
losses, are often irreversible or expensive to remedy (e.g., once there is a reactor
meltdown, it is hard to “rollback”). This characteristic is unlike purely logical
systems (e.g., databases), where rollback from failure is more feasible and cheaper.
Note, however, that conventional fail-safe design practice could be incompatible
with need for the system to absorb the failure and therefore may reduce resilience.
For example, the operator of a system notices that a computer is compromised by
malware. A reasonable fail-safe action might be to disconnect the computer. How-
ever, this might be detrimental to the overall resilience of the system if the computer
is needed to support other components that execute damage absorbing actions.
Control Propagation To enhance the system’s ability to absorb the impact of a
cyber-compromise, the designer should guard against cascaded failures. Such fail-
ures are non-independent in that one triggers another. A network that is prone to
large “domino effects” will likely sustain severe damage in response to even modest
disturbances, which significantly limits the scope within which efficient absorption
and recovery (and hence resilient operation) remains possible. Therefore, the depen-
dencies or links between nodes should be designed, whenever possible, in a way that
minimizes the likelihood that a failure propagates easily from one node to another.
Ideally, links should both passively and actively filter out the propagation of failure.
One possible form of such filtering is buffering, discussed next in this section.
Further in this book, the chapter by Moore and Cho investigates propagation of
failures and cascading failures. The chapter by Giacomello and Pescaroli discusses
cascading failures and the role of human factors in propagation of failure.
Provide Buffering In data and commodity flow networks, the function of the
network is to offer its clients access to a set of delivered items. In such networks,
buffers (e.g., caching, local storage) constitute a resilience mechanism that obviates
the need for continued access to the original source. Should the original source
become unreachable, one can switch to a local supplier. Hence, local access can be
ensured despite interruption of the global supply network as long as access to a local
cache (buffer) is available. Local access is an especially valuable solution in the case
of a data flow network, where the commodity (namely, the data content) is not
consumed by user access, in the sense that a local distributor can continue to serve a
content item to new users irrespective of its use by others. Much work on network
buffering has been done to increase the resilience of data access to fluctuations in
resource availability. For example, buffering (or caching) has been used to restore
connectivity and performance upon topology changes in ad hoc networks, as well as
to reduce access latency in disruption-tolerant network.
Prepare Active Agents Active agents – human or artificial — should be available
to take active measures in order to absorb, recover, and adapt. In order to be effective
in doing so, the agents must have plans, processes, and preparation. Where
appropriate and necessary, human operators or users of the system should play the
role of active resilience agents. Wherever possible, however, the designer of the
system should consider introducing into the system a set of artificial partly autono-
mous intelligent agents that are able to conduct the absorption and recovery actions,
in an autonomous manner (Kott et al. 2018).
In order to perform the absorb and recover actions in presence of the adversary
malware deployed on the friendly system, the artificial agent often has to take
destructive actions, such as deleting or quarantining certain software. Such destruc-
tive actions are carefully controlled by the appropriate rules of engagement. Devel-
opers of the agent should attempt to design its actions and planning capability to
minimize the associated risk. This risk has to be balanced against the destruction
caused by the adversary if the agent’s action is not taken. Because the adversary and
its malware know that the agent exists and is likely to be present on the system, the
malware seeks to find and destroy the agent. Therefore, the agent possesses tech-
niques and mechanisms for maintaining a degree of stealth, camouflage, and con-
cealment. More generally, the agent takes measures that reduce the probability that
the malware will detect the agent. The agent is mindful of the need to exercise self-
preservation and self-defense.
When humans are the active resilience agents, in order to be effective, these
human agents must be appropriately trained, prepared, and motivated. They should
have skills, resources, and processes available to them, to perform the functions of
absorb, recover, and adapt. The human organization should be properly structured,
roles and responsibilities clearly defined, collective skills developed, and team
training and rehearsals conducted.
In this book, a number of chapters focus on various related aspects. The chapter
by Key et al. discusses organizational measures and human resource practices. The
chapter by Bodeau and Graubart mention non-persistence, realignment, and adaptive
responses. The chapter by Evans talks about active measures including MTD and
cyber deception. The chapter by Giacomello and Pescaroli explores human factors
and organizational culture. And the chapter by Tandiya et al. presents and compares
AI techniques that might be considered for implementing response strategies.
Build Agent Capabilities Ideally, agents should be able to perform one of the
multiple functions depending on context, and the same function could be performed
by one of several agents. For example, storage agents (buffers, caches) in a network
can use their space to store any of a set of possible items. Also, the same item can be
stored by any of multiple agents. For example, individuals in an organization can
allocate their time to any of a set of possible projects. Similarly, the same project can
be performed by any of multiple individuals. The combination of versatility and
redundancy of agents significantly improves resilience of network functions by
facilitating reconfiguration to adapt to perturbations. Intuitively, the higher the
versatility of the individual agents and the higher the degree to which they are
interchangeable, the more resilient is the system to perturbation because it can
reallocate functions to agents more flexibly to restore its performance upon resource
loss. Another useful dimension is agent’s capacity; that is, the number of different
functions that an agent can simultaneously perform. Capacity quantifies, for exam-
ple, the number of items a storage node can simultaneously hold, or the number of
projects a given individual can simultaneously work on. On a related note, in this
book, Curado et al. describe a distributed decision mechanism supported by multiple
SDN controllers intended to enhance recovery mechanisms.
Consider Adversary If the adversary specifically tailors his or her techniques and
procedures – and possesses the necessary capabilities – in order to defeat specifically
the absorption and recovery efforts, the system’s resilience will suffer accordingly.
The designer of the system should consider the likely adversary’s capabilities, intent,
tactics, techniques and procedures, and design the mechanisms and processes of
absorption and recovery in a manner that are more likely to withstand the adversary
actions. Game-theoretic analysis and war gaming – manual or computerized –
should be conducted in order to optimize the proposed measures (Colbert et al.
2017). In this book, the chapter by Kotenko et al. considers explicit modeling of
adversaries attack methods. The chapter by Bodeau and Graubart discusses how
resilience-enhancing measures may need to be adapted in case of an adversary that
constitutes an advanced persistent threats.
Conduct Analysis As noted in several places in this section, all resilience-
enhancing measures and actions can also cause unanticipated effects leading to
overall reduction in resilience. Therefore, rigorous, high-fidelity analysis is a must.
A resilience-enhancing measure should not be designed or introduced without an
appropriate analysis that is capable of revealing potential negative impacts and
systemic effects (Kott et al. 2017). Comparative analytical studies should be
conducted with and without the proposed measure. High-fidelity, simulation-based
analysis is particularly appropriate. The fidelity of the simulation should be sufficient
to replicate multiple modes of propagation, modes of interactions, feedback chan-
nels, and second and third-order effects. Because adversary actions and counterac-
tions play a great role in cyber resilience, the analysis must include the adversary as
well. In this book, the chapter by Musman offers recommendations for conducting
analysis that leads to estimating a mission resilience metrics. The chapter by Ormrod
and Turnbull reviews topics related to simulation of complex systems for analysis of
resilience. The chapter by Rose et al. addresses economic aspects in comparative
analysis of different resilience-enhancing techniques. The chapter by Karsai et al.
describes an example of a toolkit for simulation-based resilience analysis.
7 Preview of the Book
Reflecting on the key themes, we have covered in the introduction, the first three
parts of the book cover, the topics of quantification, assessment and analysis, and
enhancement of cyber resilience. The fourth, final, part is dedicated to cases studies
of selected classes of systems and networks.
The first part presents two alternative – but not incompatible – views on how to
quantify cyber resilience via suitable metrics. It opens with a chapter by Cybenko
that takes the perspective in which system performance is central to the metrics. As
discussed in the Introduction chapter of this book, cyber resilience has become an
increasingly important, relevant and timely research and operational concept in
cybersecurity. Although multiple metrics have been proposed for quantifying
cyber resilience, a connection remains to be made between those metrics and
operationally measurable and meaningful resilience concepts that can be empirically
determined in an objective manner. This chapter describes a concrete quantitative
notion of cyber resilience that can be tailored to meet specific needs of organizations
seeking to introduce resilience into their assessment of their cybersecurity posture.
If the previous chapter showed how to quantify cyber resilience from the per-
spective of system performance, the chapter by Musman et al. takes an alternative
view – the perspective of mission risk. The chapter describes the features that any
definition of resilience should consider to enable measurable assessment and com-
parison. It proposes a definition of resilience that supports those considerations.
Then, it reviews and discusses in detail the terminology and definitions that have
been proposed in the context of these considerations. Ultimately, the chapter chooses
a definition of resilience that relates to “mission risk.” When based on risk, the
authors of this chapter argue, a resilience definition is clearly defined and measurable
and has a sound theoretical grounding. Since risk relies on both the likelihood of
events occurring as well as changes in value (i.e., damage) when these events occur,
we are provided with a computable metric that enables assessment and comparison.
This allows us to tailor metrics to specific systems.
The second part of the book focuses on approaches to assessment and analysis of
cyber resilience. Having discussed, in the previous two chapters, perspectives on
quantifying cyber resilience, we now present several chapters that assemble quali-
tative and quantitative inputs for a broad range of metrics that might apply to cyber
resilience. Some of these approaches (e.g., most of this chapter and the next one) are
largely qualitative and based on human review and judgment of pertinent aspects of
systems, organization, and processes. Others are based on quantitative and often
theoretically rigorous modeling and simulation of systems, networks, and processes.
The purpose of the chapter by Keys and Shapiro is to outline best practices in an
array of areas related to cyber resilience. While by no means offering an exhaustive
list of best practices, the chapter provides an organization with means to “see what
works” at other organizations. It offers these best practices within existing frame-
works related to dimensions of cyber resilience. The chapter begins with a discussion
of several existing frameworks and guidelines that can be utilized to think about
cyber resilience. Then, the chapter describes a set of “best practices” based on a
selection of metrics from these frameworks. These best practices can help an
organization as a guide to implementing specific policies that would improve their
cyber resilience.
The general overview of frameworks and best practices of cyber resilience
assessments provided in the previous chapter is followed by the chapter by Evans
and Horsthemke that focuses more specifically on methodologies that use the
concept of cyber dependencies. A cyber dependency is a connection between two

components, such that these components’ functions depend on one another and loss
of any one of them degrades the performance of the system as a whole. Such
dependencies must be identified and understood as part of a cyber resilience assess-
ment. This chapter describes two related methodologies that help identify and
quantify the impact of the loss of cyber dependencies. One relies on a facilitated
survey and dependency curve analysis and helps an organization understand its
resilience to the loss of a dependency. That methodology incorporates the ability
of an organization to withstand a loss through backup (recovery) methods and assess
its resilience over time. Another methodology helps an organization consider the
indirect dependencies that can cause cascading failures if not sufficiently addressed
through protective measures. However, that methodology does not incorporate
protective measures such as redundancy or consider the possibility that the loss of
a dependency might not have an immediate impact.
Unlike the previous chapter where propagation of failures along the dependency
links was studied in a qualitative, human-judgment fashion, the chapter by Moore
and Cho offers an approach to analyzing resilience to failure propagation via a
rigorous use of percolation theory. In percolation theory, the basic idea is that a node
failure or an edge failure (reverse) percolates throughout a network, and, accord-
ingly, the failure affects the connectivity among nodes. The degree of network
resilience can be measured by the size of a largest component (or cluster) after a
fraction of nodes or edges are removed in the network. In many cybersecurity
applications, the underlying ideas of percolation theory have not been much
explored. In this chapter, it is explained how percolation theory can be used to
measure network resilience in the process of dealing with different types of network
failures. It introduces the measurement of adaptability and recoverability in addition
to that of fault-tolerance as new contributions to measuring network resilience by
applying percolation theory.
The chapter by Kotenko and co-workers continues exploring how resilient a
network is to a failure propagating through it; however, now we also include an
explicit treatment of specific causes of failure – malicious activities of the cyber-
attacker. This chapter considers cyber-attacks and the ability to counteract their
implementation as the key factors determining the resilience of computer networks
and systems. Indeed, cyber-attacks are the most important among destabilizing
forces impacting a network. Moreover, the term cyber resilience can be interpreted
as the stability of computer networks or systems operating under impact of cyber-
attacks. The approach in this chapter involves the construction of analytical models
to implement the most well-known types of attacks. The result of the modeling is the
distribution function of time and average time of implementation of cyber-attacks.
These estimates are then used to find the indicators of cyber resilience. To construct
analytical models of cyber-attacks, this chapter introduces an approach based on the
stochastic networks conversion, which works well for modeling multi-stage stochas-
tic processes of different nature.
So far, the discussion was limited to relatively narrow abstractions of systems and
networks. Such narrow abstractions allow effective assessment and analysis
methodologies, but do not cover the richness and diversity of realistic organizations,
systems, and processes. Therefore, the chapter by Ormrod and Turnbull explains
how to build a multidimensional simulation model of an organization’s business
processes. This multidimensional view incorporates physical objects, human factors,
and time and cyberspace aspects. Not all systems, the components within a system,
or the connections and interfaces between systems and domains are equally resilient
to attack. It is important to test complex systems under load in a variety of
circumstances to both understand the risks inherent in the systems, but also to test
the effectiveness of redundant and degenerate systems. There is a growing need to
test and compare the limitations and consequences of potential mitigation strategies
before implementation. Simulation is a valuable tool because it can explore and
demonstrate relationships between environmental variables in a controlled and
repeatable manner. This chapter introduces the integrated cyber-physical effects
(ICPE) model as a means of describing the synergistic results obtained through the
simultaneous, parallel, or sequential prosecution of attacking and defensive mea-
sures in both the physical and cyber domains.
Suppose you assessed or analyzed the resilience of a system using approaches
described in Part 2 of this book or similar approaches. Chances are, you determined
that the resilience of the system is inadequate, at least in part. What should you do to
improve it? This is the theme of Part 3 of this book: methods, techniques, and
approaches to enhancing cyber resilience of a system, either via an appropriate initial
design, or by adding mitigation measures, or by defensive actions during a cyber-
attack.
The chapter by Bodeau and Graubart opens the theme with a broad overview of
approaches to enhancing systems resilience in the spirit of systems engineering. It
starts by providing background on the state of the practice for cyber resilience. Next,
the chapter describes how a growing set of frameworks, analytic methods, and
technologies can be used to improve system and mission cyber resilience. For
example, technologies and processes created for contingency planning and COOP
can be adapted to address advanced cyber threats. These include diversity and
redundancy. Cybersecurity technologies and best practices can be extended to
consider advanced cyber threats. These include analytic monitoring, coordinated
defense, privilege restriction, segmentation, and substantiated integrity.
In the previous chapter, we were introduced to active defense among numerous
other approaches. Now, in the chapter by Evans, we explore active defense tech-
niques in detail. These are automated and human-directed activities that attempt to
thwart cyber-attacks by increasing the diversity, complexity, or variability of the
systems and networks. These limit the attacker’s ability to gather intelligence or
reduce the usable lifespan of the intelligence. Other approaches focus on gathering
intelligence on the attackers, either by attracting attackers to instrumented honeypots
or by patrolling the systems and networks to hunt for attackers. The intelligence
gathering approaches rely upon cybersecurity personnel using semiautomated tech-
niques to respond to and repel attackers. Widely available commercial solutions for
active defense so far are lacking. Although general-purpose products may emerge, in
the meantime organizations need to tailor their applications for available solutions or
Another random document with
no related content on Scribd:
CHAPTER XV
DEATH'S KINDLY VEIL
Robespierre has thus been vanquished for the second time!
Where will they take him? To the Tuileries, to the Convention, into the
very midst of the victorious National Assembly, where the dying despot is
to be exposed to the raillery of the populace, before being carried to the
scaffold. Robespierre is laid down in the courtyard of the Hôtel de Ville,
and placed with infinite care on a litter. They lift his head and bind up his
wound, for he must live long enough to receive the final retribution. The
bullet has but half robbed the scaffold of its prey.
Artillerymen now come forward, and take him up again, but

Robespierre, still unconscious, knows nothing of what is passing round him.
They lift the wreck of what was once the Incorruptible and continue their
way. Saint-Just walks in the rear between two gendarmes, his hands bound
behind him, very pale, with head erect, and perfectly indifferent to the
insults hurled at him—the only one of his allies who is with Robespierre in
the hour of defeat. The others are either dead, hidden or fled. But their turn
will come, for hot search is afoot for the cowards and fugitives.
The gloomy cortège crosses the Place de la Grêve, and moves in the
direction of the quay, on its way to the Tuileries, beneath a cloudless sky
that smiles after the rain, as the stars are gradually effaced by the first
gleams of dawn. It is three o'clock. The cortège is followed by a curious
and gaping crowd. Passers-by stop and ask, "What is it?"
"Robespierre, who is wounded. They are taking him to the Convention."
Then the inquirers' faces light up with joy.

"It is all over, then! ... The tyrant is going to die! ... There will be no
more scaffold!"
And the passers-by joined the crowd.
But at the Convention the order had been given that the "monster" was
not to be received. Even a captive and almost a corpse, they will not allow
Robespierre again to cross the threshold, once he has been banished from
their midst. The Incorruptible, as an outlaw, belongs to justice only. So the
wounded man is taken up and laid at the foot of the grand staircase leading
to the Committee of Public Safety.
There, on the very spot where, two days before, Robespierre, returning
from the Conciergerie, hurled defiance at Billaud-Varennes, he now lies on
a litter, vanquished, ruined, gasping out his life!
A peremptory order is given, and flies from mouth to mouth.

Robespierre is to be transported to the Committee's waiting-room. Saint-
Just walks in front now, with Dumas, President of the Revolutionary
Tribunal, who has been discovered hidden in a corner of the Hôtel de Ville,
and several others whose arrest and arrival is also announced.
The litter is carried into the room. Robespierre still unconscious is lifted
out and laid on a table, and his head is pillowed on a deal box, containing
samples of munition bread. His shirt, loosened at the neck, and leaving the
throat bare, is covered with blood which still flows freely from the
mutilated jaw. The sky-blue coat is soiled and torn, the nankeen breeches,
the white stockings, washed and ironed by Cornélie Duplay, are now all
stained and disfigured.
The Incorruptible is a mutilated mass, but a living mass, still breathing

and still suffering.
Robespierre has opened his eyes; he raises his right hand, groping
instinctively for his handkerchief, wishing to wipe his mouth. His trembling
fingers come in contact with a white leather pistol-case, which he lifts to his
lips to staunch the blood. By an irony of fate the case bears the inscription
—"The Great Monarch; Lecourt, manufacturer to the King."
Robespierre appears to revive. He looks round, and his eyes fall on
Saint-Just and Dumas, side by side in the recess of one of the windows,
shrugging their shoulders at the rudeness of the people who pass through
the room and stare at them as if they were curiosities. The insults are now
directed against Robespierre, who turns away:—"There is fallen majesty for
you!" exclaims one.... "Majesty laid low," says another.... "With his
bandages he looks like a mummy or a nun!" ... "Yes, a nun with her head-
gear awry!" ... "He is thinking of his Supreme Being! It's just the right
moment!"
But Robespierre, under this railing clamour and abuse, does not stir.
There he lies, stretched out motionless, his eyes fixed on the ceiling, the
very embodiment of silent scorn. Slowly and without a word, he drinks the
cup of bitterness; he will drink it so, to the very dregs. A conqueror, he
would have been to them a god; vanquished, they nail him to the pillory.
Such is the constant perfidy of human nature! And yet he had been so near
success, so near! If the Convention had not proved so cowardly at the
sitting, had not succumbed directly before Tallien's attack! ... If they had but
let him speak! If they had allowed him to defend himself! But the plot had
been too well laid. Then Robespierre's thoughts wander to the other
wretches, the Communes, the cowards on whom he had counted, the vile
traitors and base deserters!
His bitter meditations are suddenly cut short by a shooting pain in the
knee, which runs through him like a knife. It is his garter, which is too
tightly drawn. He raises himself and stretches out his hand to undo it, but
his strength fails, and he falls back again. Suddenly he feels some one
gently loosening it. He lifts himself again and bends forward. Can he be
dreaming? That young man ... yes, it is Olivier! ... Olivier, himself!
"Oh, thank you, my ... thank you, my ... thank you, monsieur!" he says
hastily.
He is on the point of saying, "my son!" but has strength enough left to
recollect himself. No! Olivier must never know the secret of his birth,
never, never!
Robespierre falls back again. The emotion is too much for him, and he
faints away.
Yes, it is Olivier, who has just obtained from the Committee a passport
for his mother, his fiancée, and himself. Crossing the waiting-room he had
seen Robespierre stretched out on the table in front of him. Touched with
pity at his vain and painful attempts to undo the garter, he had come to his
assistance.
Olivier now leaves the Committee of Public Safety to rejoin Clarisse

and Thérèse, who are waiting for him in the Tuileries Gardens, and
overcome with fatigue have sat down on a bench, and seeing them in the
distance hastens his steps.
"I have the passport!" he exclaims.
"Then let us go, and lose no time!" Clarisse answers; "let us return to
Montmorency, at once! I long to leave the city of woe and misery."
"We cannot go yet," replies Olivier. "The passport must bear the stamp
of the Committee of General Security to be of any use, and I must present
myself before the Committee at three o'clock."
"Then, what are we to do? Where shall we go?" asks Clarisse wearily.
"We can only go to the Rue du Rocher, to Leonard's landlady. She will
receive me with open arms, you will see, now she has no longer
Robespierre to fear."
It is five o'clock, and day has just dawned. The air is soft and fresh, the
sky above of sapphire blue; the trees, the streets, the very houses, seem
smiling with renewed life, after the refreshing shower.
In this brightening dawn Robespierre is being taken to the Conciergerie,

for the Committee of Public Safety have altered their decision. Robespierre
and his accomplices, now found and arrested, are to be confined in the
Conciergerie in order to undergo the formality of identification. From
thence they are to be taken to the scaffold without trial or judgment, as
outlaws.
So Robespierre is replaced on the litter, followed by the gaping crowd.

He sleeps the whole way, lulled by the measured tread of the men who carry
him, and only awakes to find himself in a narrow cell, in charge of a
gendarme.
"Can I write?" he asks.
"No!"
"Where am I?"
"At the Conciergerie."
His eyes flash for a second. He looks round uneasily and repeats—"At
the Conciergerie! In what part of the Conciergerie?"
"Between the Queen's cell and the Girondins' Chapel."
Between his victims! He is between his victims! The fearful warning on

the prison walls passes again before his eyes: "Robespierre, your hour will
come!..." The dead were right! If he had done away with the guillotine in
time, he would perhaps not be there, himself a victim of the Terror he had
let loose! But he could not! No, he could not, it was too soon.... He would
have been engulfed in the turmoil, just the same! ... In continuing the
Revolutionary Tribunal, in keeping the executioner at his post, he was
merely protecting his own head!
His mind is flooded with ideas.... He is, dreaming vaguely, his dim eyes
fixed on the low ceiling of his cell.... His youth smiles at him through the
mist of years, every detail of the past comes back to him in clear and lucid
vision.
He sees Clarisse seated at her harpsichord, he is turning over the leaves

of her music ... but the vision trembles, and then fades away. Fever
gradually rises to his brain, takes entire possession of him, and deadens his
senses, so that he is completely unconscious, and when Fouquier-Tinville,
his creature of the Revolutionary Tribunal, his accomplice in the days of
bloodshed, comes forward to identify him, he does not recognise his voice.
The end is now approaching. At five in the afternoon the gendarmes

come to conduct Robespierre to the scaffold. The Convention has decreed
that for this occasion the guillotine shall be erected at the Place de la
Révolution. Robespierre is borne on the litter through the crowd of
prisoners, the victims of his hatred and his laws, and when the dying man
has passed the threshold they breathe again. With him death departs and
new life comes in.
The tumbril is waiting in the courtyard, surrounded by a crowd of sans-

culottes and Mænads, and hundreds of spectators eager to witness the
startling spectacle, are swarming in the streets to hoot and abuse
Robespierre as heartily as they had cheered and applauded him at the Fête
of the Supreme Being! To effect this startling change one sitting of the
Convention has sufficed!
Robespierre is now in sight. This is the signal for the wildest uproar. He
is seated on a bench in the first tumbril, and fastened against the bars of the
cart to keep him from falling. The fresh air has revived him; he allows them
to do as they please, looking on in silent scorn. Others of the condemned
are placed in the same tumbril: Augustin Robespierre, Saint-Just, Dumas
the president, Hauriot, and Couthon. The two last are seated right and left of
Robespierre. Four other carts follow, equally loaded. The condemned
number twenty-two in all.
Now Robespierre's via dolorosa begins.
Abuse and insults rain down on them in torrents, covering Robespierre

and his accomplices with ignominy.
The ghastly procession crosses the Pont-au-Change, the Quay de la

Mégisserie, and passing the Rue de la Monnaie it enters the Rue Saint-
Honoré.
Curses are heard mingling with the shrieks of the rabble, for among the
crowd there are many victims of the Terror, widows and orphans conjuring
up the memory of all their anguish, all the drama of the guillotine, the work
of the Incorruptible.
A woman clutches at the tumbril in which Robespierre sits, a woman

whose two children had been torn from her by the Prairial law.
"Monster!" she cries, "vile monster! in the name of all mothers, I curse
you to hell!"
The crowd following the cortège grows denser as it proceeds. It is

Decadi, the Republican Sunday. All Paris is out of doors. The windows and
balconies are thronged with men and women in festal attire, pressing
forward to see the procession file past, and showering down shouts of joy
and triumph, for the passing of those tumbrils means also the passing away
of the reign of Terror.
Robespierre continues his dreadful way, his eyes fixed and glassy, his
face wrapped in the bandage which holds his jaw together, and partly hides
it like some ghastly mask. By his side sits Hauriot, livid and terrified,
covered with the mud and filth of the sewer into which he had fallen.
Couthon and Augustin Robespierre, pitifully mutilated, are lying at the
bottom of the cart. Saint-Just alone stands erect, his hands bound, and
retains his scornful air.
The tumbrils enter the Rue Saint-Honoré near the Jacobin Club, where
two days before the Incorruptible reigned supreme. The martyrdom is not
over. They are before the house of the Duplays.
The cortège stops.
At a given signal a child dips a broom in a pail of blood, and sprinkles

the front door.
"Ha! Robespierre, here is your cavern branded with the blood of your
victims!" cries a voice.
A plaintive howl is heard from behind the blood-smeared door. It is
Blount, who has scented his master. Robespierre shuts his eyes but it is
useless, for he can hear!
People question each other in the crowd. Where are the Duplays? In
prison! The father at Plessis, the mother at Sainte-Pilagie with her young
son. Lebas has killed himself! His body is there in one of the carts. As to
the daughters, they have fled, most probably.
But now for the guillotine!
The cortège continues its way, while the heart-rending moans of Blount
can still be heard in the distance. That cry of the faithful dog, recognising
his master and calling to him, is the last adieu to Robespierre from his
recent home.
The first tumbril is already at the top of the Rue Saint-Florentin. A man
turns out of the street and runs in the direction of the Rue de la Révolution.
The crowd cry after him—
"Hallo, there! will you not see the Incorruptible's head cut off? Stop!
stop! Don't be so chicken-hearted!"
But the man is already far away. It is Olivier, returning from the
Committee of General Security, where he had at last succeeded in having
his passport countersigned, after endless trouble. He tries to cross the Rue
Saint-Honoré, but the crowd fills the street; so he retraces his steps,
followed the Jardin des Tuileries, and reaches the Rue Saint-Florentin, at
the very moment when the tumbrils are at hand.
Away from them he hurries, towards the Rue de Rocher, where Clarisse
and Thérèse are impatiently awaiting him in their room. The landlady,
anxious to be taken back to favour, has been worrying them with officious
attention since the morning.
Olivier bursts in upon them eagerly—

"It's done! Now we can start! Is the carriage ready?"
The widow Beaugrand is in despair.
"Then you have decided to go? Will you not wait until to-morrow? I
have such a nice supper prepared!"
Olivier grows impatient. Clarisse and Thérèse get ready to start.
"It's all right! Everything is arranged," says the landlady. "The carriage
has been ordered, and is just two steps from here."
She hastens downstairs, followed by Olivier and the two women, who
wait outside. The street is deserted. The day melts in a soft twilight. Stars
already twinkle in the cloudless sky. Light, happy laughter comes from a
balcony opposite, the echo of childish merriment, which soon ceases with
the closing of a door.
The carriage has arrived, an open char-à-banc with four seats. Olivier
helps his mother and his fiancée in, then climbs up on the box beside the
driver.
"To Montmorency! And take the shortest cut!"
The carriage rolls away amidst the farewells and good wishes of the
widow Beaugrand. However, at the end of the Rue du Rocher it stops
suddenly and draws up to the side of the road. Two carts are coming at full
gallop, driven by men in red nightcaps. Olivier asks impatiently—
"What is the matter now?"
"It's the dead bodies of the condemned, citoyen; they are taking them to
the Cemetery des Errancy. Ah! now, the Incorruptible can kill no more!"
The two women have heard!
Clarisse and Thérèse fall on their knees, their hands clapped, and their
eyes lifted in prayer. Olivier bares his head. The carts are passing. Clarisse
and Thérèse make the sign of the cross. Olivier, pale with emotion, follows
their example, turning towards Thérèse and his mother, whose eyes dwell
with strange emotion on his face. Her tear-dimmed gaze is full of mute
thanksgiving, the secret of which Olivier will never know.
*** END OF THE PROJECT GUTENBERG EBOOK ROBESPIERRE
***
Updated editions will replace the previous one—the old editions will
be renamed.
Creating the works from print editions not protected by U.S.

copyright law means that no one owns a United States copyright in
these works, so the Foundation (and you!) can copy and distribute it
in the United States without permission and without paying copyright
royalties. Special rules, set forth in the General Terms of Use part of
this license, apply to copying and distributing Project Gutenberg™
electronic works to protect the PROJECT GUTENBERG™ concept
and trademark. Project Gutenberg is a registered trademark, and
may not be used if you charge for an eBook, except by following the
terms of the trademark license, including paying royalties for use of
the Project Gutenberg trademark. If you do not charge anything for
copies of this eBook, complying with the trademark license is very
easy. You may use this eBook for nearly any purpose such as
creation of derivative works, reports, performances and research.
Project Gutenberg eBooks may be modified and printed and given
away—you may do practically ANYTHING in the United States with
eBooks not protected by U.S. copyright law. Redistribution is subject
to the trademark license, especially commercial redistribution.
START: FULL LICENSE

THE FULL PROJECT GUTENBERG LICENSE
PLEASE READ THIS BEFORE YOU DISTRIBUTE OR USE THIS WORK
To protect the Project Gutenberg™ mission of promoting the free

distribution of electronic works, by using or distributing this work (or
any other work associated in any way with the phrase “Project
Gutenberg”), you agree to comply with all the terms of the Full
Project Gutenberg™ License available with this file or online at
www.gutenberg.org/license.
Section 1. General Terms of Use and

Redistributing Project Gutenberg™
electronic works
1.A. By reading or using any part of this Project Gutenberg™
electronic work, you indicate that you have read, understand, agree
to and accept all the terms of this license and intellectual property
(trademark/copyright) agreement. If you do not agree to abide by all
the terms of this agreement, you must cease using and return or
destroy all copies of Project Gutenberg™ electronic works in your
possession. If you paid a fee for obtaining a copy of or access to a
Project Gutenberg™ electronic work and you do not agree to be
bound by the terms of this agreement, you may obtain a refund from
the person or entity to whom you paid the fee as set forth in
paragraph 1.E.8.
1.B. “Project Gutenberg” is a registered trademark. It may only be

used on or associated in any way with an electronic work by people
who agree to be bound by the terms of this agreement. There are a
few things that you can do with most Project Gutenberg™ electronic
works even without complying with the full terms of this agreement.
See paragraph 1.C below. There are a lot of things you can do with
Project Gutenberg™ electronic works if you follow the terms of this
agreement and help preserve free future access to Project
Gutenberg™ electronic works. See paragraph 1.E below.
1.C. The Project Gutenberg Literary Archive Foundation (“the
Foundation” or PGLAF), owns a compilation copyright in the
collection of Project Gutenberg™ electronic works. Nearly all the
individual works in the collection are in the public domain in the
United States. If an individual work is unprotected by copyright law in
the United States and you are located in the United States, we do
not claim a right to prevent you from copying, distributing,
performing, displaying or creating derivative works based on the
work as long as all references to Project Gutenberg are removed. Of
course, we hope that you will support the Project Gutenberg™
mission of promoting free access to electronic works by freely
sharing Project Gutenberg™ works in compliance with the terms of
this agreement for keeping the Project Gutenberg™ name
associated with the work. You can easily comply with the terms of
this agreement by keeping this work in the same format with its
attached full Project Gutenberg™ License when you share it without
charge with others.
1.D. The copyright laws of the place where you are located also
govern what you can do with this work. Copyright laws in most
countries are in a constant state of change. If you are outside the
United States, check the laws of your country in addition to the terms
of this agreement before downloading, copying, displaying,
performing, distributing or creating derivative works based on this
work or any other Project Gutenberg™ work. The Foundation makes
no representations concerning the copyright status of any work in
any country other than the United States.
1.E. Unless you have removed all references to Project Gutenberg:
1.E.1. The following sentence, with active links to, or other

immediate access to, the full Project Gutenberg™ License must
appear prominently whenever any copy of a Project Gutenberg™
work (any work on which the phrase “Project Gutenberg” appears, or
with which the phrase “Project Gutenberg” is associated) is
accessed, displayed, performed, viewed, copied or distributed:
This eBook is for the use of anyone anywhere in the United
States and most other parts of the world at no cost and with
almost no restrictions whatsoever. You may copy it, give it away
or re-use it under the terms of the Project Gutenberg License
included with this eBook or online at www.gutenberg.org. If you
are not located in the United States, you will have to check the
laws of the country where you are located before using this
eBook.
1.E.2. If an individual Project Gutenberg™ electronic work is derived

from texts not protected by U.S. copyright law (does not contain a
notice indicating that it is posted with permission of the copyright
holder), the work can be copied and distributed to anyone in the
United States without paying any fees or charges. If you are
redistributing or providing access to a work with the phrase “Project
Gutenberg” associated with or appearing on the work, you must
comply either with the requirements of paragraphs 1.E.1 through
1.E.7 or obtain permission for the use of the work and the Project
Gutenberg™ trademark as set forth in paragraphs 1.E.8 or 1.E.9.
1.E.3. If an individual Project Gutenberg™ electronic work is posted

with the permission of the copyright holder, your use and distribution
must comply with both paragraphs 1.E.1 through 1.E.7 and any
additional terms imposed by the copyright holder. Additional terms
will be linked to the Project Gutenberg™ License for all works posted
with the permission of the copyright holder found at the beginning of
this work.
1.E.4. Do not unlink or detach or remove the full Project

Gutenberg™ License terms from this work, or any files containing a
part of this work or any other work associated with Project
Gutenberg™.
1.E.5. Do not copy, display, perform, distribute or redistribute this

electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1 with
active links or immediate access to the full terms of the Project
Gutenberg™ License.
1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if you
provide access to or distribute copies of a Project Gutenberg™ work
in a format other than “Plain Vanilla ASCII” or other format used in
the official version posted on the official Project Gutenberg™ website
(www.gutenberg.org), you must, at no additional cost, fee or expense
to the user, provide a copy, a means of exporting a copy, or a means
of obtaining a copy upon request, of the work in its original “Plain
Vanilla ASCII” or other form. Any alternate format must include the
full Project Gutenberg™ License as specified in paragraph 1.E.1.
1.E.7. Do not charge a fee for access to, viewing, displaying,

performing, copying or distributing any Project Gutenberg™ works
unless you comply with paragraph 1.E.8 or 1.E.9.
1.E.8. You may charge a reasonable fee for copies of or providing

access to or distributing Project Gutenberg™ electronic works
provided that:
• You pay a royalty fee of 20% of the gross profits you derive from
the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”
• You provide a full refund of any money paid by a user who

notifies you in writing (or by e-mail) within 30 days of receipt that
s/he does not agree to the terms of the full Project Gutenberg™
License. You must require such a user to return or destroy all
copies of the works possessed in a physical medium and
discontinue all use of and all access to other copies of Project
Gutenberg™ works.
• You provide, in accordance with paragraph 1.F.3, a full refund of

any money paid for a work or a replacement copy, if a defect in
the electronic work is discovered and reported to you within 90
days of receipt of the work.
• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.
1.E.9. If you wish to charge a fee or distribute a Project Gutenberg™

electronic work or group of works on different terms than are set
forth in this agreement, you must obtain permission in writing from
the Project Gutenberg Literary Archive Foundation, the manager of
the Project Gutenberg™ trademark. Contact the Foundation as set
forth in Section 3 below.
1.F.
1.F.1. Project Gutenberg volunteers and employees expend

considerable effort to identify, do copyright research on, transcribe
and proofread works not protected by U.S. copyright law in creating
the Project Gutenberg™ collection. Despite these efforts, Project
Gutenberg™ electronic works, and the medium on which they may
be stored, may contain “Defects,” such as, but not limited to,
incomplete, inaccurate or corrupt data, transcription errors, a
copyright or other intellectual property infringement, a defective or
damaged disk or other medium, a computer virus, or computer
codes that damage or cannot be read by your equipment.
1.F.2. LIMITED WARRANTY, DISCLAIMER OF DAMAGES - Except

for the “Right of Replacement or Refund” described in paragraph
1.F.3, the Project Gutenberg Literary Archive Foundation, the owner
of the Project Gutenberg™ trademark, and any other party
distributing a Project Gutenberg™ electronic work under this
agreement, disclaim all liability to you for damages, costs and
expenses, including legal fees. YOU AGREE THAT YOU HAVE NO
REMEDIES FOR NEGLIGENCE, STRICT LIABILITY, BREACH OF
WARRANTY OR BREACH OF CONTRACT EXCEPT THOSE
PROVIDED IN PARAGRAPH 1.F.3. YOU AGREE THAT THE
FOUNDATION, THE TRADEMARK OWNER, AND ANY
DISTRIBUTOR UNDER THIS AGREEMENT WILL NOT BE LIABLE
TO YOU FOR ACTUAL, DIRECT, INDIRECT, CONSEQUENTIAL,
PUNITIVE OR INCIDENTAL DAMAGES EVEN IF YOU GIVE
NOTICE OF THE POSSIBILITY OF SUCH DAMAGE.
1.F.3. LIMITED RIGHT OF REPLACEMENT OR REFUND - If you

discover a defect in this electronic work within 90 days of receiving it,
you can receive a refund of the money (if any) you paid for it by
sending a written explanation to the person you received the work
from. If you received the work on a physical medium, you must
return the medium with your written explanation. The person or entity
that provided you with the defective work may elect to provide a
replacement copy in lieu of a refund. If you received the work
electronically, the person or entity providing it to you may choose to
give you a second opportunity to receive the work electronically in
lieu of a refund. If the second copy is also defective, you may
demand a refund in writing without further opportunities to fix the
problem.
1.F.4. Except for the limited right of replacement or refund set forth in
paragraph 1.F.3, this work is provided to you ‘AS-IS’, WITH NO
OTHER WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PURPOSE.
1.F.5. Some states do not allow disclaimers of certain implied

warranties or the exclusion or limitation of certain types of damages.
If any disclaimer or limitation set forth in this agreement violates the
law of the state applicable to this agreement, the agreement shall be
interpreted to make the maximum disclaimer or limitation permitted
by the applicable state law. The invalidity or unenforceability of any
provision of this agreement shall not void the remaining provisions.
1.F.6. INDEMNITY - You agree to indemnify and hold the
Foundation, the trademark owner, any agent or employee of the
Foundation, anyone providing copies of Project Gutenberg™
electronic works in accordance with this agreement, and any
volunteers associated with the production, promotion and distribution
of Project Gutenberg™ electronic works, harmless from all liability,
costs and expenses, including legal fees, that arise directly or
indirectly from any of the following which you do or cause to occur:
(a) distribution of this or any Project Gutenberg™ work, (b)
alteration, modification, or additions or deletions to any Project
Gutenberg™ work, and (c) any Defect you cause.
Section 2. Information about the Mission of

Project Gutenberg™
Project Gutenberg™ is synonymous with the free distribution of
electronic works in formats readable by the widest variety of
computers including obsolete, old, middle-aged and new computers.
It exists because of the efforts of hundreds of volunteers and
donations from people in all walks of life.
Volunteers and financial support to provide volunteers with the

assistance they need are critical to reaching Project Gutenberg™’s
goals and ensuring that the Project Gutenberg™ collection will
remain freely available for generations to come. In 2001, the Project
Gutenberg Literary Archive Foundation was created to provide a
secure and permanent future for Project Gutenberg™ and future
generations. To learn more about the Project Gutenberg Literary
Archive Foundation and how your efforts and donations can help,
see Sections 3 and 4 and the Foundation information page at
www.gutenberg.org.
Section 3. Information about the Project

Gutenberg Literary Archive Foundation
The Project Gutenberg Literary Archive Foundation is a non-profit
501(c)(3) educational corporation organized under the laws of the
state of Mississippi and granted tax exempt status by the Internal
Revenue Service. The Foundation’s EIN or federal tax identification
number is 64-6221541. Contributions to the Project Gutenberg
Literary Archive Foundation are tax deductible to the full extent
permitted by U.S. federal laws and your state’s laws.
The Foundation’s business office is located at 809 North 1500 West,

Salt Lake City, UT 84116, (801) 596-1887. Email contact links and up
to date contact information can be found at the Foundation’s website
and official page at www.gutenberg.org/contact
Section 4. Information about Donations to

the Project Gutenberg Literary Archive
Foundation
Project Gutenberg™ depends upon and cannot survive without
widespread public support and donations to carry out its mission of
increasing the number of public domain and licensed works that can
be freely distributed in machine-readable form accessible by the
widest array of equipment including outdated equipment. Many small
donations ($1 to $5,000) are particularly important to maintaining tax
exempt status with the IRS.
The Foundation is committed to complying with the laws regulating

charities and charitable donations in all 50 states of the United
States. Compliance requirements are not uniform and it takes a
considerable effort, much paperwork and many fees to meet and
keep up with these requirements. We do not solicit donations in
locations where we have not received written confirmation of
compliance. To SEND DONATIONS or determine the status of
compliance for any particular state visit www.gutenberg.org/donate.
While we cannot and do not solicit contributions from states where

we have not met the solicitation requirements, we know of no

Textbook Cyber Resilience of Systems and Networks Alexander Kott Ebook All Chapter PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Textbook Cyber Resilience of Systems and Networks Alexander Kott Ebook All Chapter PDF

Uploaded by

Copyright:

Available Formats

Cyber Resilience of Systems and

Networks Alexander Kott

Cyber Resilience Fundamentals 1st Edition Tjoa

Handbook of System Safety and Security Cyber Risk and

Cyber Operations Building, Defending, and Attacking

Cyber Physical Systems for Next Generation Networks

Cyber Security for Cyber Physical Systems 1st Edition

Embedded System Design : Embedded Systems, Foundations

Natural Gas Installations and Networks in Buildings 1st

Power Systems Resilience Modeling Analysis and Practice

More information about this series at http://www.springer.com/series/13439

Cyber Resilience of Systems

Risk, Systems and Decisions

Library of Congress Control Number: 2018940877

© Springer International Publishing AG, part of Springer Nature 2019

Printed on acid-free paper

1 Fundamental Concepts of Cyber Resilience: Introduction

Part I Quantifying Cyber Resilience

Part II Assessment and Analysis of Cyber Resilience

Part III Enhancing Cyber Resilience

10 Active Defense Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Part IV Cyber Resilience in Selected Classes of Systems and Networks

Henrique Madeira Centre for Informatics and Systems, Department of Informatics

Benjamin D. Trump U.S. Army Corps of Engineers, Engineering Research and

Igor Linkov and Alexander Kott

1 Motivation: Why Cyber Resilience?

Society is increasingly reliant upon complex and interconnected cyber systems to

© Springer International Publishing AG, part of Springer Nature 2019 1

2 Resilience and Systems

Cyber resilience should be considered in the context of complex systems that

Fig. 1.1 The cyber

Common resilience features include critical functions (services), thresholds, cross-

3 Resilience and Related Properties of Systems

organization. To determine the likelihood of a future adverse event, threats to an IT

4 Costs of Cyber Resilience and Cyber Risk Management

Fig. 1.4 Existential threat

5 Assessment of Cyber Resilience

Fig. 1.5 Metric-based and

6 Approaches to Improving Cyber Resilience

Resilience of a system, a network, or an organization is inﬂuenced by a number of

7 Preview of the Book

concept of cyber dependencies. A cyber dependency is a connection between two

DEATH'S KINDLY VEIL

Robespierre has thus been vanquished for the second time!

Artillerymen now come forward, and take him up again, but

"Robespierre, who is wounded. They are taking him to the Convention."

Then the inquirers' faces light up with joy.

And the passers-by joined the crowd.

A peremptory order is given, and flies from mouth to mouth.

The Incorruptible is a mutilated mass, but a living mass, still breathing

Olivier now leaves the Committee of Public Safety to rejoin Clarisse

"I have the passport!" he exclaims.

In this brightening dawn Robespierre is being taken to the Conciergerie,

So Robespierre is replaced on the litter, followed by the gaping crowd.

"Can I write?" he asks.

"At the Conciergerie."

"Between the Queen's cell and the Girondins' Chapel."

Between his victims! He is between his victims! The fearful warning on

He sees Clarisse seated at her harpsichord, he is turning over the leaves

The end is now approaching. At five in the afternoon the gendarmes

The tumbril is waiting in the courtyard, surrounded by a crowd of sans-

Now Robespierre's via dolorosa begins.

Abuse and insults rain down on them in torrents, covering Robespierre