Eliciting Metrics and Evaluating Cyber Resilience of a Capability in the Context of a Multilayer Enterprise Architecture
摘要
Cyber resilience requirements may be implemented either to comply with regulatory obligations or to align with industry best practices. They enable organizations to demonstrate that they are capable of anticipating, withstanding, recovering from, and adapting to difficult situations and stresses. In this context, metrics can be used in a structured way to demonstrate these capabilities. These are conceptual data repositories that define and standardize information. They must be clearly defined, effectively implemented, and continuously monitored. According to [30] metrics are measures and assessment results intended to track progress, support decision-making, and enhance performance against defined targets. In this paper, we propose an approach for eliciting and selecting cyber resilience metrics that considers the enterprise architecture layers defined by TOGAF. Once selected, we propose a quantitative approach to evaluate the cyber-resilience level of a capability and a Petri net model to represent the interdependencies between cyber-resilience across the enterprise architecture layers.