This is the sixth post defining each of the Ten Dimensions of Cyber Security Performance.
Unlike the five previous dimensions, the Effective Response, Recovery & Resilience dimension is concerned only with the stream of Events associated with cyber security. These Events include “incidents”, “breaches”, “leaks”, “compromises”, “violations”, “outages”, and the like. The dimension it is most closely associated with is 5. Efficient/Effective Execution & Operations. Thus, it appears on the block diagram just below, and next to “Events”. There is a new interaction path with events, because it's possible to have cascading events and processes after the initial incident. (See my recent paper on breach impact estimation.)
This performance dimension includes processes of incident response, digital forensics, business and legal response and recovery (including regulatory processes), etc. It also includes processes and activities designed to promote resilience -- the ability to continue operating even in the face of cyber attacks or cyber-physical events.
These processes are covered in many existing cyber security frameworks so I won't dive into details here. But new issues arise when these are considered as a performance dimension and not just a loose collection.
The first key issue is that it is not enough to respond and recover at some minimum level of effort or cost, because this often has the opposite effect. Some of the most costly breach events have resulted from poor initial response, especially if it is accompanied by attempts by executives to downplay or cover up the incident. This is most likely to lead to class action lawsuits, regulatory sanctions, and punishment in stock markets. Therefore, response and recovery processes must aim for effective response, which often means early involvement of business and legal managers, external parties like law enforcement, and even affected stakeholders. This is especially vital in any episode that might have homeland or national security implications. In summary, a critical performance driver in this dimension is knowing who to involve and when, and also having the capability to successfully engage with those parties.
Second, the costs of inadequate cyber security are often made visible during the processes of response and recovery, especially if the breach is severe. In news reports and public statements, you can frequently read statements like this: "We realized now that XYZ practices or ABC controls were not adequate and we are now revising our practices/controls/investments to fill those gaps." Therefore, measuring performance in the dimension of Effective Response, Recovery, & Resilience must include the effectiveness of this feedback loop.
Third, and maybe most salient, I am including resilience in this dimension. In many other cyber security frameworks, resilience is either a separate category or it is not included at all. In this era, I believe this separation is a big mistake, and I assert that it is a mistake both for critical infrastructure organizations and ordinary organizations. Obviously, continuity of operations is most important in critical infrastructures, and they spend a lot of resources to help make that happen. But in ordinary organizations, having a degree of resilience will go a long way to mitigate the costs of a breach or incident and certainly give your organization more flexibility in how and when you respond.