Cyber Resiliency Metrics, Measures of Effectiveness, and Scoring

This report is intended to serve as a general reference for systems engineers, program management staff,and others concerned with assessing or scoring cyber resiliency for systems and missions; selecting cyber resiliency metrics to support cyber resiliency assessment; and defining, evaluating, and using cyber resiliency measures of effectiveness (MOEs) for alternative cyber resiliency solutions. Background material is provided on how cyber resiliency scores, metrics, and MOEs can be characterized and derived. Based on that material, a wide range of potential cyber resiliency metrics are identified. Topics to address when specifying a cyber resiliency metric are identified so that evaluation can be repeatable and reproducible and the metric can be properly interpreted. A tailorable, extensible cyber resiliency scoring methodology is defined. A notional example is provided of how systems engineers and program management can use scoring, metrics, and MOEs to identify potential areas of cyber resiliency improvement and to evaluate the potential benefits of alternative solutions.