Capitalizing on this holistic view, the resulting analysis compares and contrasts various capabilities with different conditions, requirements, and operations. Working within this tradespace, analysis may lead to critical junctures: Capability vs. Cost, Improvements vs. New Development, or Research and Development Investments vs. Sustainment. Knowing the State of Resiliency of a system will lead to answers to: How can resiliency be improved? Where should the next dollar go? And when has a system reached its end of life? This information can lead to informed decisions and better capabilities.
Effective resiliency planning comes from understanding situational and mission needs before a disastrous event occurs. Developing a Resiliency Tier Matrix would capture this situational and mission awareness. Resiliency Tiers demonstrate acceptable tolerance for the system/capability to meet mission needs. A goal in this entire process is to create a true holistic Resiliency Index that reflects more than each functional component's contribution.
The holistic analysis of resiliency provides insight into a capability or system's resilient characteristics and provides a means for creating informed decisions regarding funding, development, deployment, and mission accomplishment.
This article presents resiliency as a concept that incorporates many other factors and elements and develops a Resiliency Tier Matrix for analysis purposes.
This article portrays resiliency as an overarching concept that affects capabilities and systems differently depending upon the situation. It develops a Resiliency Tier Matrix to provide a holistic view of what resilience means to that capability or system. The research was limited to recent articles on resiliency and various interpretations of resilience and its effects. The development of the Resiliency Tier Matrix involves the relationships between existing conditions and possible impacts to capabilities and systems. Use of the matrix provides decision makers with knowledge to make informed decisions. This article does not delve into resiliency associated with people or organizations because an abundance of literature already covers the many aspects of these two constructs.
The word resiliency has no universally accepted definition. Many organizations have coined more than one definition. One of the more accepted definitions is from the Office of the Secretary of Defense (Policy) (Department of Defense, 2012):
The ability of an architecture to support the functions necessary for mission success with higher probability, shorter periods of reduced capability, and across a wider range of scenarios, conditions, and threats, in spite of hostile action or adverse conditions. Resilience may leverage cross-domain or alternative government, commercial, or international capabilities. (p. 12)
Resilience is an overarching concept or an umbrella, which encompasses many other concepts, characteristics, or parameters. Each may have a major impact at any one time. This leads to the basic question of how the resiliency of a capability can be improved. Many synergies and forces play important roles. Turning to systems, resiliency incorporates many other metrics and variables. Figure 1 shows the various parameters and techniques associated with resiliency. As a concept, no single metric does resiliency sufficient justice. When defining a specific metric, another aspect of resiliency surfaces. The first metric no longer fits because the emphasis shifted to the next aspect or dimension.
Resiliency as a term applies to people, organizations, and items/systems. Information technology networks, ecological systems, social environments, and health conditions use the term. For each of these constructs, risks come from all directions: events, data operations, or even missions. Risks are generally more prevalent during events such as an adversarial attack or natural disaster or even from a series of minor incidents that add up. Preparation to meet these challenges would minimize exposure and provide faster reaction times. One means of minimizing effects would be to understand system vulnerabilities. Many of the ideas and concepts are taken from an IBM paper on Business Resilience (IBM, 2009, p. 5). Even though the IBM article focuses on business and business management, a variation or derivation of its resiliency framework can be extended to systems and their environment.
The success of any assessment/estimation is situational awareness of all aspects of resiliency. It helps define the level of protection and tolerance that is acceptable. Appendix A describes a Resiliency Black Box and the interactions of the various parameters in Figure 1 under the Resiliency Umbrella. A strategic plan is needed to meet mission resiliency requirements. The implementation of such a plan comes with challenges: (a) assessing risk vs. cost - what level of vulnerability is tolerable? (b) viewing resilience as a strategic enabler, (c) developing a resilience culture, (d) assessing return on investment for resilience strategies (IBM, 2009, p. 7), and (e) linking capabilities to mission requirements. However, done correctly, the implementation could lead to informed decisions about tradespace and alternative actions beyond the technical solution.
Open literature discusses resiliency techniques. These seem to fall into three categories. The first category is human behavioral practices, social and societal impacts (The State of New York, 2013, p. 3), and application to systems-of-systems (Bodeau, Brtis, Graubart, & Salwen, 2013, p. 1). This category is outside the scope of this article. The second category illustrates approaches through case studies on how some communities increased their resilience within their environment. The third category provides an engineering framework for mapping goals to objectives to techniques. Figure 1 depicts many of these techniques, which lead into this Resiliency Tier development. The desired outcome is then to develop innovative measures to enhance resiliency similar to what the communities did in the second category.
In treating resiliency as a multidimensional concept, there needs to be a way to characterize it and still have some quantitative assessment. An analogy would be the status of a person's health, which is multidimensional. Numerous medical indices cover all aspects of health: temperature, weight, disease conditions, muscle tone, aging, etc. But when asked how healthy a person is, a general concept of what all the indices or parameters indicate is the appropriate answer. Resiliency can adopt the same construct. If resiliency of a system equates to the health of a person, then maybe there should be resiliency indices similar to health indices. Just like the health hazards that people experience, systems experience multiple attacks on their configurations. A specific health index addresses a specific health condition or set of related conditions. Depending upon the value and importance of the index, patients will spend their last dollar on a remedy. To obtain a cure, patients need to learn the overall concept of their health. This is where assessment of the myriad of available health indices is invaluable in determining their state of health. Indeed, the decision may impact where patients choose to spend their health dollars. A similar analytical process can apply to systems or capabilities and their resiliency. The assessment of these various parameters or dimensions can determine a State of Resiliency and would lead to a holistic view of the system. This type of assessment informs budget, development, and/or deployment decisions.
There can be many indices describing resiliency, each emphasizing a different aspect. However, when asked how resilient a system or capability is, the answer should encompass the varied indications from the set of resiliency indices. If done correctly, this Resiliency Index would allow for comparisons of capabilities or systems within a tradespace. For purposes of this discussion, since the relationship between systems and capabilities is close, the rest of the article will concentrate on systems.
In reviewing literature, we found many articles that discussed metrics for resiliency. The Defense Science Board Task Force built a notional dashboard-metric collection system (DoD, 2013, p. 13). This system, having maturity levels and designed metrics, supported cyber systems at a very detailed level. In contrast, IBM developed a Resilience Tier Framework (IBM, 2009, p. 14). This framework defines levels of resilience to match business-driven requirements. It spans all business units, services, and technologies. It provides the client a streamlined direction for building a resilient architecture. Ultimately, a true resilience measure is holistic, encompassing the operations, technology, and culture of an organization. In a variation of the IBM model, the Resiliency Tier Matrix in this article has five Resiliency Tiers ranging from Tier I, which is a total disaster, to Tier V, which is the gold standard. In this case, 12 different indices are spread across the five tiers to assess the overall resiliency of a system.
Any military capability encounters numerous hazards or risks from all directions. Examples of sources for these risks are events, system failures, or human error. These risks can be minor or major depending upon the conditions. To minimize the effects, system users need to be aware of vulnerabilities and have mitigating actions in place. Effective preparations and actions involve a holistic approach with proactive processes and vigilant situational awareness for the unknown (IBM, 2009, p. 5). When system users develop this holistic view, an extensive analysis compares and contrasts various capabilities, different conditions, environments, mission requirements, and operations. Armed with this view, decision makers can make informed decisions regarding better capabilities and their use.
The tool to help determine a system's State of Resiliency is the Resiliency Tier Matrix or Framework, with varying tiers of resiliency. Before proceeding further, an explanation of a Resiliency Tier Matrix or Framework and how it is built is appropriate. Consider the spectrum of resiliency divided into five states. This spectrum ranges from the worst state of resiliency-exposed-through the states of confused, aware, and operational to the best state: capable (Table 1). Appendix B, Table B1, presents further descriptions equating these states to mission accomplishment and operations.
The question now arises: How is a system placed in one of these states? Measurable criteria (parameters, techniques, or metrics) help in constructing the matrix. The key criteria are those that help define this multidimensional concept. This set of criteria includes system characterization, operator confidence in the system, effectiveness of the security precautions, continuity of operations, and preparedness. Appendix B, Table B2, further explains these criteria. Each of these can further be subdivided depending on the interest and the importance of any parameter in Figure 1, Resiliency Umbrella. The matrix begins to take shape in Table 2.
The intent of this framework is to produce a more complete picture of the system and the forces pulling on resiliency. As mentioned earlier, what may be important one day may not be important the next. This is a way to set up a score card and evaluate the resiliency of a system. The weighting of the criteria would be set according to the priorities of those criteria. In addition this framework also provides a means of analyzing vulnerabilities, evaluating tradespace, and comparing various courses of action. Some benefits (IBM, 2009, p. 11) for constructing such a framework are:
* Aligning capability directly to mission;
* Projecting potential resiliency investments;
* Improving risk mitigation and planning; and
* Enhancing preemptive vs. reactive management.
Some key challenges (IBM, 2009, p. 7) for constructing such a framework are:
* Viewing resiliency as a strategic enabler. Resiliency has strategic importance. A resiliency strategy would be a single, integrated plan embraced and executed by all parts of the organization. It would focus on delivering mission capability. It would be the catalyst to higher levels of performance. Drawing together the different components, the overall result would be greater than the parts alone. Senior leadership should be committed to a single resiliency strategy. This strategy aligns with organizational goals to provide a holistic approach over mission-wide systems (McLaren, 2009).
* Defining the value of mission resiliency. "Mission resiliency encompasses a proactive approach that systematically prepares for potential disruption as opposed to waiting for a disruptive event to occur" (Peake, Underbrink, & Potter, 2012, p. 31). Understanding resiliency in the mission environment is a significant step in system development and security. A resilient mission system is more capable and more adaptable than the tools used against it. Its value is in less complexity and cost of securing mission systems. "The focus on mission resilience extends the scope of past security practices while simultaneously honing in on mission-critical systems, networks, and processes" (Peake et al., 2012, p. 29).
* Working with advanced technologies. This provides the opportunity to assist in developing and integrating state-ofthe-art solutions to meet time-critical needs. As an added benefit, it provides opportunities for proactive and independent research, analysis, testing, and prototype development to mission requirements.
* Maintaining continuous availability of mission systems.
This type of system visibility leads to assuring uninterrupted availability of critical mission systems, without need for failover mechanisms or recovery operations.
* Linking capabilities to mission requirements. Building resilience into a system from the start requires an understanding of the mission, the environment, and potential risks. These systems are the capabilities that satisfy the mission requirements. Linking the capabilities and mission requirements and evaluating their effectiveness in a hostile environment should be done early in the life cycle of a program.
Using Resiliency Tiers in Defining an Architectural Approach
Resiliency Tiers define levels of resiliency to match mission requirements. Resiliency Tiers span all domains, services, or technologies and provide insight for building a resilient architecture. The intent is that this Resiliency Tier Framework provides an objective scale for the classification of mission requirements. This scale is a set of consistent concepts, measurements, or criteria applied to mission systems or capabilities. This set links technical resiliency requirements to capabilities. Mission resiliency requires an architectural approach spanning the breadth of military and government capabilities. Resiliency Tiers (IBM, 2009, p. 10) help to classify mission requirements by:
* Defining a broad continuum of mission resiliency requirements that apply to all processes, services, development, and missions;
* Linking those requirements to a set of technology criteria that address all capabilities and resources in the mission environment; and
* Providing technical characteristics, criteria, and metrics to measure mission resiliency expectations, and to monitor and manage ongoing operations.
This process develops an effective holistic Resiliency Index. The whole is greater than the sum of each functional component's contribution. This index may also help in identifying how to maximize the architecture and optimize investment.
Benefits of Resiliency Tiers
Defining, developing, and maintaining Resiliency Tiers and associated resilient capabilities have a number of benefits (IBM, 2009, p. 11), such as:
* Better mission-to-technology alignment;
* Clear rationalization of investments in resilient capabilities;
* Greater opportunities for improvements to risk planning, strategy, and architecture;
* More prescriptive management of the mission environment to achieve system-wide resiliency;
* Assistance in gap analysis across mission, service, and technology domains;
* Help in bridging the communications and planning gaps for mission continuity resiliency and planning; and
* Integration of mission requirements with a system-wide approach to achieve greater affordability.
As a management tool, the Resiliency Tier Framework offers a way to compare various programs, systems, and capabilities in terms of potential tradespace, cost savings, or capability optimization.
How Resiliency Tiers Are Used
The Resiliency Tier Framework supports every aspect of the mission system. In an analysis, this framework can address alignment of resiliency strategies with mission needs, can guide the mitigation of adverse actions, and can address all mission and system components.
These tiers are able to help conceptualize and align mission resiliency needs in multiple scenarios. Resiliency Tiers lead to a comprehensive picture of systems and vulnerabilities, and eventually an understanding of specific levels of service. Using this objective and quantitative approach, requirements definition and prioritization ensure that the resiliency objectives and acceptable costs are integral to the overall mission capability.
An organization can also use Resiliency Tiers for guidance to mitigate the potential or existing chaos caused by external forces. These tiers provide a framework for understanding the overall health of the mission area and systems. Similar to the IBM analysis, Resiliency Tiers can help reconcile mission resiliency requirements and guide the infrastructure requirements, architectural design decisions, and major initiatives that will be implemented to achieve the desired future resilient environment (IBM, 2009, p. 12).
Lastly, a tiered resiliency approach enables the warfighter to define a replicable and measurable framework that can address all mission components including weapon systems, force capabilities, and/or government actions (IBM, 2009, p. 13). It can provide a range of resiliency requirements as well as mitigating actions. In addition, the tiered resiliency approach may also apply to a wide range of government actions and resiliency mitigations such as diplomacy, technical redundancy, force structures, and economic measures.
Five Tiers of Resiliency
This framework has five tiers for resiliency estimation (Table 2). Each tier serves as a set of guidelines that specifies the characteristics commensurate with each tier condition for each of five criteria: System, Confidence, Security, Continuity of Operations, and Preparedness. These criteria span the five Resiliency Tiers (defined as Capable [V], Operational [IV], Aware [III], Confusion [II], and Exposed [I]). When taken as a range, the Resiliency Tiers translate into a conceptual view of the resiliency status of the overall mission system.
The criteria may be any number of parameters or techniques, which are important at the time. Table 3 is a representative example of a populated Table. (Appendix B, Table B3 has more details in developing this matrix.) For instance, Preparedness is one of those criteria. The Capable Resiliency Tier defines Preparedness as having a holistic approach to resiliency; whereas the Operational Resiliency Tier classifies this as having specific plans in place to address resiliency. Depending on the mission resiliency requirements, either level might provide adequate preparedness; however, the Capable Resiliency Tier provides a complete strategy for addressing resiliency. The holistic strategy for the Capable Resiliency Tier reduces the effects of outside forces to planned courses of action and continuous vigilance, whereas the Exposed Resiliency Tier provides no indication of preparedness for a hostile environment. Again, depending on mission requirements, any level may provide adequate resiliency; however, the Capable Resiliency Tier provides for the most complete level of Preparedness for mission-critical functions. A similar analysis is possible with each Criteria or row.
The outcome of this assessment defines a set of immediate actions to improve the resiliency of mission systems. Some actions would result in the development of a longer term, strategic roadmap of major initiatives that would help meet mission expectations for future applications.
Guidance on Scoring
When undertaking a resiliency assessment, the "how good" or "how bad" analysis addresses each criteria individually (National Patient Safety Agency, 2008, p. 14). This is a consequence of the mission environment. Consequence, in this context, means the condition or outcome of a mission capability in reaction to an outside force (National Patient Safety Agency, 2008, p. 4). Clearly, there may be more than one consequence for a single capability.
Qualitative and quantitative techniques assess and score the consequences. Wherever possible, consequences should use objective definitions across different criteria within each tier to ensure consistency in the process. Despite defining each condition as objectively as possible, scoring the consequences will inevitably involve a degree of subjectivity. Figure 2 contains the flow diagram for the Resiliency Tier assessment.
Table 3, Table of Resiliency Tiers, provides the framework to obtain an assessment of the State of Resiliency of a specific mission system. The process is:
* Select the mission system to review.
* Define explicitly the conditions (internally or externally) of the adverse consequences that are either encountered or might be encountered.
* Go to each row (criteria) in the table and identify the appropriate description, or tier, under the adverse condition. Appendix B contains further details for each term and description. Record the scale number at the top of each column. If a weighted value exists, multiply the scale number by the weighted value.
* Once all 12 rows are characterized, add all the scores based on the scale value (with or without weighted values) for each row.
The total is the Resiliency Index.
* A variation to this table would be to change to another or different set of criteria or parameters. Add or delete a row. If one is added, establish the corresponding tier structure based on the new criteria. Keep modifications to a minimum. One of the benefits to having a set of criteria is the aspect of consistency in application.
This provides an overall resiliency assessment of the system: the greater the score, the lower the resiliency. The scores for this Resiliency Tier Framework (no weighting) would range from 12 (the best) to 60 (the worst). Putting these scores into perspective, compare them to the Chairman of the Joint Chiefs of Staff (CJCS) risk scale as part of the CJCS Resiliency Risk Spectrum (Figure 3).
The following is an example of how this Resiliency Tier Matrix is applied to a specific situation and system. Assume a large satellite terminal is located on foreign soil. The Status of Forces Agreement states physical protection is the responsibility of the host nation. Further, this terminal is vintage equipment nearing end of life. A local protest breaks out and the satellite signal is lost for the first time. After working with higher headquarters and taking approved mitigating actions, the maintenance crew restores the system to full operational status within appropriate restoration time frames. Once all activities return to normal, the resiliency assessment (Figure 4) uses Table 3, highlighting the applicable tiers for each criteria within the Resiliency Tier Framework. Refer to Table 3 for the cell descriptions.
The sum of the respective scale numbers is 37. This number is displayed above the scale in Figure 5. An interpretation of this State of Resiliency would indicate:
* Increased system protection is imperative.
* Better planning for such events is necessary.
* Known vulnerabilities need more attention.
* The system is getting old.
These four items would lead to a cost analysis of whether to upgrade or replace the system. They may also lead to a political discussion on the Status of Forces Agreement or whether or not the site should remain in its current location. Looking at a variation of the situation above where the terminal never goes down, discussions would be much different. Many of the cell evaluations in Figure 4 would move to the left.
This is a single application for illustration purposes; however, other options could be to maximize architectural designs, optimize investments, and differentiate resiliency between two systems supporting the same mission or among analysis of alternatives solutions. The analysis can be as rigorous as necessary with all details, a subset of details, or limited details depending on the purpose and desired outcome.
The tiered approach to resiliency can aid in planning for adverse or intrusive events proactively. This helps maximize return on investment from assets, technology, and people at the time when needed most. Using Resiliency Tiers to develop effective long-term strategies ensures that shorter term tactical actions are properly aligned and supports a military capability progress along the resiliency maturity continuum. Investing in resiliency measures at the program start will help make sure that long-term resiliency investments preserve value over time.
Black Box Model. (n.d.). Investopedia [Online Investment dictionary]. Retrieved from http://www.lnvestopedla.eom/terms/b/blackbox.asp
Bodeau, D., Brtis, J., Graubart, R., & Salwen, J. (2013). Resiliency techniques for systems-of-systems (Report No. 13-3513). Bedford, MA: The MITRE Corporation.
Confidence, (n.d.). In Oxford dictionaries [Online dictionary].
Department of Defense. (2012). Space policy (DoDD 3100.10). Washington, DC: Office of the Secretary of Defense (Policy).
Department of Defense. (2013). Task force report: Resilient military systems and the advanced cyber threat. Washington, DC: Office of the Under Secretary of Defense for Acquisition, Technology and Logistics.
Holistic Strategy Approach. (n.d.). In BusinessDictionary.com [Online business dictionary]. Retrieved from http://www.businessdictionary.com/definition/
IBM Business Continuity and Resiliency Services. (2009). Business resilience: The best defense is a good offense: Develop a best practices strategy using a tiered approach. Somers, NY: Author.
Joint Chiefs of Staff. (2010). Department of Defense dictionary of military and associated terms (Joint Publication 1-02). Washington, DC: Author.
Joint Chiefs of Staff. (2011). Joint operations (Joint Publication 3-0). Washington, DC: Author.
McLaren, S. (2009). EPMO: A strategic enabler? [Discussion paper]. St. Kilda, Victoria, Australia: Dignus Group.
National Patient Safety Agency. (2008). A risk matrix for risk managers. National Health Service. London, England: Author.
Peake, C., Underbrink, A., & Potter, A. (2012, September/October). Cyber mission resilience mission assurance in the cyber ecosystem. CrossTalk, 25(5), 29-34.
Preparedness. (n.d.) In Oxford dictionaries [Online dictionary].
The State of New York. (2013). Community resilience techniques. New York: My Rising Communities.
The White House, Office of the Press Secretary. (2007). Directive on national continuity policy (Reports No. NSPD-51 & HSPD-20). Retrieved from http://policy. defense.gov/portals/11/Documents/hdasa/references/HSPD-20.pdf
Wang, W. (2009). A hierarchical analysis of terrestrial ecosystem model Biome-BGC: Equilibrium analysis and model calibration (Manuscript draft). Elsevier Editorial System(tm) for Ecological Modeling. Retrieved from http://ecocast.arc.nasa.gov/ pubs/pdfs/2009/ECOMOD-S-08-00413.fdf
Zolli, A., & Healy, A. M. (2012). Resilience: Why things bounce back. New York, NY: Simon & Schuster.
Resiliency Black Box
In viewing the various parameters of Figure 1, Resiliency Umbrella, resiliency as a concept has many moving parts, elements, and metrics or components. At any one time, any of these can be a driving force for change. The result of that change could be a new equilibrium of interaction and collaboration. One way to visualize this interaction is to see resiliency as a black box. It has inputs (data, resources, and feedback) and has an output. In a more strict sense, a "black box" analysis "of [a] system contains formulas and calculations that the user does not see ... to use the system. Black box systems are often used to determine optimal trading practices [in investments]" (Black Box Model, n.d.). In this case, the Resiliency Black Box Model depicted in Figure A-1 illustrates how the various inputsAdjustments, Mitigation Actions, and As Designed or Modified (internally) and Environment (externally)-when altered, can reach a new system equilibrium or resiliency state. Putting it another way, equilibrium ... refers to a steady status in which model state variables reach a dynamical balance (Wang, 2009, p. 9). This dynamic balance could result in a system achieving a reasonable, acceptable, or tolerable resiliency state. All the parameters contribute to the system equilibrium, whether new or a return to the previous state. The mission planner must assess the new resiliency state. If the resiliency state is unacceptable, a resiliency analysis needs to be accomplished to determine the best course of action that has a holistic effect on the system.
Generally, systems operate under two states: benign and hostile. The evaluation of these states occurs in the "Situation Assessment" block. Use the parameters, conditions, and/or metrics from Figure 1 to define and evaluate effectiveness. Pulling all of these together helps develop a Resiliency Index.
TABLE A2. DESCRIPTION OF THE DOMAINS Criteria Description Scale The measure of "how good" or "how bad" a system is relative to the Resiliency Tiers. System A functionally, physically, and/or behaviorally related group of regularly interacting or interdependent elements. (Joints Chiefs of Staff, 2011, p. GL-17) Confidence The feeling or belief that one can rely on someone or something; firm trust. (Oxford Dictionary, online reference) Security Measures taken by a military unit, activity, or installation to protect itself against all acts designed to, or which may, impair its effectiveness. (JP 1-02, page 226, 8 November 2010). Continuity of Operations The degree or state of being continuous in the conduct of functions, tasks, or duties necessary to accomplish a military action or mission in carrying out the national military strategy. (Joint Chiefs of Staff, 2010, p. 54) Preparedness A state of readiness, especially for war. (Oxford Dictionary, online reference) TABLE A3. DESCRIPTION OF TABLE ELEMENTS Criteria Tier Tier Description Scale 1-5 SYSTEM Overview V Highly capable IV Effective III Minimum mission accomplished II Problems meeting any mission needs I Ineffective SYSTEM Normal V Full capabilities on-line Operations IV Maintains normal operations, reaches new equilibrium III Struggles to stay ahead of problems II Experiencing outages, delays, "blackouts," etc. -confused with anomalies I System failure, it crashes SYSTEM Protection V Protected IV Protection measures in place III Some protection available II 'Band-Aid' protection I No protection SYSTEM Corrective V Cohesive actions among all players Actions IV Synergy of actions among most actors III Collaboration of effort to address issues II Attempting to resolve from within-disjointed actions I No clue what to do SYSTEM Vulnerabilities V Potential vulnerabilities identified IV Know of most vulnerabilities III Vulnerabilities exist II Few vulnerabilities known I Unaware of vulnerabilities SYSTEM Planning V Holistic resilience strategy IV Resiliency measures III Realistic impact assessment II Minimal resiliency actions available I No resiliency designed in system SYSTEM Mitigation V Attacks have little or no effect on operations IV Successful in mitigating or avoiding most attacks III Some proactive measures in place II Reactive measures taken I No measures available SYSTEM Vigilance V Method to identify new vulnerabilities IV Addresses obvious vulnerabilities III Aware of attacks II Can spell resiliency [surprised by attacks] I Clueless [does not know what to do] V High Confidence IV Moderate III Medium II Low I Nonexistent V High Security IV Effective III Appears to be adequate II Minimal with breaches I None Criteria Tier Tier Explanation Scale This is an attempt to quantify the current condition of a system or capability. The lower the score the more resilient a system or capability is. SYSTEM System is highly capable of completing the Overview V mission. IV System experiences some minor problems but effectively accomplishes the mission. III System is struggling to meet mission minimum requirements. II System can't meet most mission requirements, is distracted by problems, and cannot keep up with mitigating actions. I System cannot meet mission requirements. Problems have the system on the verge of collapsing. SYSTEM System is running all subsystems, processes Normal V and applications with no problems. Operations IV System is running normal operations; however, it is continuously adjusting for disruptions. Each adjustment allows the system to reach a new equilibrium of operations. III System cannot maintain mission accomplishment. It is struggling to stay ahead of the disruptions. Subsystems, processes, and applications are failing. II System is spending more time addressing disruptions than accomplishing the mission. The outages, delays, and disruptions are a distraction to the mission. Anomalies present no easy problems. I System crashes or is near to crashing under the weight of disruptions. SYSTEM Protection V System-wide protection has proactive processes in identifying and mitigating disruptions. System is alert to new disruptions and puts corrective measures in place immediately. IV System has many protective measures in place. It is not totally proactive in its corrective action. However, it is able to identify problems and react appropriately and swiftly. III System has elementary protection measures. Primary mode of correction is reactionary to disruptions. Little time is available to be proactive. II No system-wide protection in place. Disruptions circumvent any protection measures attempted. Fixes turn out to be band-aids addressing symptoms and not causes. I System has little or no protection at all. SYSTEM Corrective V When disruptions occur, there is a single focused team across the organization addressing any disruptions. Actions IV Pockets of excellence pop up throughout the organization to address any disruptions. There is a coordinated synergy among all actions taken. The effectiveness of these actions is greater than the sum of the individual actions. III There is a collaborative effort to address disruptions. This effort is initiated by the most affected subsystem or process or application. Coordination is not readily obtained. It takes time to address issues. II Individual offices work independent of each other in attempting to solve any issues. In some cases it is counterproductive. I Little or no effort is put forward to address disruptions. SYSTEM Vulnerabilities V System is aware of all vulnerabilities, has a means of identifying new vulnerabilities, and is able to project vulnerabilities that result from new technology development. IV System knows of its primary vulnerabilities and can sense new vulnerabilities as they manifest themselves. System has an excellent means of assessing new technologies for possible impacts. III System knows vulnerabilities exist; however, it is not aware of most of them. It reacts to disruptions. Has no ability to project vulnerabilities from new technology. II System has the basic understanding of vulnerabilities and is aware of most. Has no effort in place to address new vulnerabilities ahead of disruptions. I System's awareness of vulnerabilities is no more than elementary and probably much less. SYSTEM System has a resilience strategy or Plan in Planning V place that is supported by the entire organization. It is ingrained in the architecture of the system and culture of the organization. It covers current conditions and future projected environments. It has provisions for training and education. IV System has a coherent set of resiliency measures that apply to any and every subsystem, capability or process. The concept is accepted organization wide; however, emphasis is different in different work centers or offices. III Realistic risk and operational assessments provide focused courses of action and necessary organizational involvement for current conditions. No long-term plan. II Any resiliency actions available are reactive and localized to specific subsystems, capabilities or processes. There is no effort to address issues at a system level. I Resiliency is taken for granted. There is no underlying theme or approach to Resiliency. SYSTEM Mitigation V Attacks are generally insignificant. System is able to tolerate and mitigate them and continue operations as normal. IV Attacks are annoying. Specific actions need to be taken; however, they are successful in mitigating any effects. III Attacks are serious and cannot be ignored. More reactive than proactive measures are necessary. Many consequences of attacks are unexpected. II Attacks are critical to the system operation and mission accomplishment. The reactive measures do not handle all of the attacks. I Attacks are catastrophic and result in system shutdown. SYSTEM System has means to research and assess new Vigilance V sources of disruptions and the vulnerabilities. It is generally expected that the system is prepared for new technology attacks. IV System is in place to address all known vulnerabilities. The ability to address the surfacing of new vulnerabilities is a reactive, but effective, process. III System is aware of new vulnerabilities as they are attacked. It has no means of identifying the new vulnerabilities prior to an attack. II System needs to take time to study an attack and the symptoms before it can generate the awareness of a new vulnerability. It may not be able to correct or mitigate the new vulnerability. I System seeks outside help because it does not understand the new vulnerability or the extent it affects the mission. V System confidence is high, fully confident that the system or capability will perform the mission with little or no disruptions affecting operations. Confidence IV System has moderate confidence that it will accomplish the mission in spite of potential disruptions. III Medium confidence illustrates concern over mission accomplishment and integrity of the system. II Low confidence lacks any belief that the system can be counted on to do the mission. I No confidence means that the system is not acceptable. V There are no acts that can bypass or contravene security policies, practices, or procedures. Security IV In an environment of minor security breaches, security policies, practices, or procedures are able to protect the system effectively for mission accomplishment. III On the surface, security policies, practices, or procedures appear to be effective; however, security problems exist and often prevail. II Security breaches dominate the system and create an environment of mistrust. This leads to minimal to no mission accomplishment I There are no security policies, practices, or procedures in place to prevent breaches.
Resiliency Tier Descriptions
TABLE B1. DESCRIPTION OF THE FIVE TIERS Tier Description V Fully Capable May result in a slight perturbation in operations; however, the system/capability continues operating with nothing more than a "hiccup." Any disruption is an exceptional circumstance. (Insignificant disruptions) VI Operational May experience a disruption resulting in possible resets or reboots; however, mission is accomplished and the disruptions are immediately isolated and mitigated. Disruptions can occur at any time; however, they are not showstoppers. (Negligible disruptions) III Aware Is cognizant of operating environment, hazards therein, and vulnerabilities. Disruptions have a reasonable likelihood of occurring at any time. Mitigating actions are not always effective. Capability tolerates disruptions, but also does not handle the consequences well. (Moderate disruptions) II Confusion Disruptions result in permanent partial disability or operational incapacity. Likelihood of disruptions happening is high. There is no requisite understanding of the problems. (Extensive disruptions) I Exposed Disruptions are inevitable and greatly impact the system/capability. The capability is unprotected, totally exposed to hazardous environment. Damage may be irreversible. (Catastrophic disruptions)
Col Dennis J. Rensel, USAF (Ret.), is currently a senior space analyst with Booz Allen Hamilton, Inc., supporting the Office of the Secretary of Defense Cost Analysis Performance Evaluation (CAPE) Simulation Analysis Center (SAC). Prior to joining Booz Allen 12 years ago, he retired from the U.S. Air Force as a colonel following 25 years of military service. Col Rensel holds a JD from The Catholic University of America's Columbus School of Law; an MS in Electrical Engineering with a concentration in Electrical Engineering and Digital Systems from the Air Force Institute of Technology; and a BS in Electrical Engineering with a minor in Computer S cience from the United States Air Force Academy.
(E-mail address: firstname.lastname@example.org)
TABLE 1. RESILIENCY STATES VS. MISSION AND OPERATIONS Exposed No mission accomplishment Ceases to function Confused Major mission impairment Highly impeded Aware Minimal mission success Minimal success Operational Effective mission success with Effective difficulties Capable Mission success with no Highly effective difficulties TABLE 2. INITIAL FRAMEWORK FOR RESILIENCE Criteria Tiers Priority V IV Weighting [Capable] [Operational] Scale 1 2 System Confidence Security Continuity of Operations Preparedness Criteria III II I [Aware] [Confusion] [Exposed] Scale 3 4 5 System Confidence Security Continuity of Operations Preparedness TABLE 3. TABLE OF RESILIENCY TIERS Tiers/ Priority V Criteria Weighting [Capable] Scale 1 SYSTEM Overview Highly capable Normal Operations Full capabilities on-line Protection Protected Corrective Actions Cohesive actions among all players Vulnerabilities Potential vulnerabilities identified Planning Holistic resilience strategy Mitigations Attacks have little or no effect on operations Vigilance Method to identify new vulnerabilities Confidence High Security High Continuity of Operations Maximum Preparedness Holistic strategy approach Tiers/ IV Criteria [Operational] Scale 2 SYSTEM Overview Effective Normal Operations Maintains normal operations, reached new equilibrium Protection Protection measures in place Corrective Actions Synergy of actions among most actors Vulnerabilities Know of most vulnerabilities Planning Resiliency measures Mitigations Successful in mitigating or avoiding most attacks Vigilance Addresses obvious vulnerabilities Confidence Moderate Security Effective Continuity of Operations Able to operate effectively Preparedness Specific plans in place Tiers/ III Criteria [Aware] Scale 3 SYSTEM Overview Minimum mission accomplished Normal Operations Struggles to stay ahead of problems Protection Some protection available Corrective Actions Collaboration of effort to address issues Vulnerabilities Vulnerabilities exist Planning Realistic impact assessment Mitigations Some proactive measures in place Vigilance Aware of attacks Confidence Medium Security Appears to be adequate Continuity of Operations Barely meeting requirements Preparedness Minimal to acceptable Tiers/ II Criteria [Confusion] Scale 4 SYSTEM Overview Problems meeting any mission needs Normal Operations Experiencing outages, delays, "blackouts," etc.-confused with anomalies Protection "Band-aid" protection Corrective Actions Attempting to resolve from within-disjointed actions Vulnerabilities Few vulnerabilities known Planning Minimal resiliency actions available Mitigations Reactive measures taken Vigilance Can spell resiliency Confidence Low Security Minimal with breaches Continuity of Operations Failing Preparedness Insufficient Tiers/ I Criteria [Exposed] Scale 5 SYSTEM Overview Ineffective Normal Operations System failure, it crashes Protection No protection Corrective Actions No clue what to do Vulnerabilities Unaware of vulnerabilities Planning No resiliency designed in system Mitigations No measures available Vigilance Clueless Confidence Nonexistent Security None Continuity of Operations Complete breakdown Preparedness None FIGURE 4. RESILIENCY ASSESSMENT EXAMPLE Domains Tiers V IV [Capable] [Operational] Scale 1 2 Overview Normal Operations SYSTEM Protection Corrective Actions Vulnerabilities Planning Mitigations Vigilance Confidence Security Continuity of Operations Preparedness Index = 37 [right arrow] 0 4 Domains III II I [Aware] [Confusion] [Exposed] Scale 3 4 5 Overview Normal Operations SYSTEM Protection Corrective Actions Vulnerabilities Planning Mitigations Vigilance Confidence Security Continuity of Operations Preparedness Index = 37 [right arrow] 21 12 0
|Printer friendly Cite/link Email Feedback|
|Author:||Rensel, Dennis J.|
|Publication:||Defense A R Journal|
|Date:||Jul 1, 2015|
|Previous Article:||Systemic fiscal optimism in defense planning.|
|Next Article:||Performance indexing: assessing the nonmonetized returns on investment in military equipment.|