Review of Cyber Resilience Assessment Framework and Methods

doi:10.3969/j.issn.1671-1122.2025.10.002

Abstract

Abstract:

Cyber resilience emphasizes the system’s ability of perception, resistance, recovery, and adaptation when facing disasters or attacks. Constructing a resilient cyberspace can reduce security collapses and meanwhile mitigate the damage caused by security collapses and recover quickly from them, thereby enhancing the security resilience of cyberspace. The primary task in developing cyber resilience is to assess cyber resilience. This paper first briefly introduced the concept of cyber resilience and the need for resilience assessment. Subsequently, we reviewed the existing research from two aspects: cyber resilience assessment frameworks and assessment methods. For assessment frameworks, a classification method for existing frameworks from the perspective of process-oriented and result-oriented was proposed. For assessment methods, an introduction to existing methods from qualitative and quantitative perspective was provided. Moreover, this paper furthermore discussed the advantages and challenges associated with each type of framework and method. This analysis was important for guiding the application of existing frameworks and methods, as well as for researching new assessment frameworks and methods. Finally, we summarized and discuss the future directions of cyber resilience assessment.

Key words: cyber resilience assessment, process-oriented assessment, result-oriented assessment, area under the curve, network topology

CLC Number:

TP309

ZHANG Dalong, DING Shuguang, HAN Zhilong, FU Shouli, TANG Zhiqing, SHI Lei. Review of Cyber Resilience Assessment Framework and Methods[J]. Netinfo Security, 2025, 25(10): 1493-1505.

Figures/Tables 11

References 58

[1]	KOTT A, LINKOV I. To Improve Cyber Resilience, Measure It[J]. Computer, 2021, 54(2): 80-85.
[2]	LINKOV I, EISENBERG D A, PLOURDE K, et al. Resilience Metrics for Cyber Systems[J]. Environment Systems and Decisions, 2013, 33: 471-476. doi: 10.1007/s10669-013-9485-y URL
[3]	LIU Xueming, LI Daqing, MA Manqing, et al. Network Resilience[J]. Physics Reports, 2022, 971: 1-108. doi: 10.1016/j.physrep.2022.04.002 URL
[4]	TZAVARA V, VASSILIADIS S. Tracing the Evolution of Cyber Resilience: A Historical and Conceptual Review[J]. International Journal of Information Security, 2024, 23(3): 1695-1719. doi: 10.1007/s10207-023-00811-x
[5]	NAJJAR W, GAUDIOT J L. Network Resilience: A Measure of Network Fault Tolerance[J]. IEEE Transactions on Computers, 1990, 39(2): 174-181. doi: 10.1109/12.45203 URL
[6]	ROSS R S, PILLITTERI V Y, GRAUBART R, et al. Developing Cyber Resilient Systems: A Systems Security Engineering Approach[EB/OL]. (2021-12-08)[2025-05-01]. https://www.nist.gov/publications/developing-cyber-resilient-systems-systems-security-engineering-approach-0.
[7]	WU Zenan, TIAN Liqin, CHEN Nan. Research on Quantitative Analysis of System Security Based on Stochastic Petri Net[J]. Netinfo Security, 2020, 20(9): 27-31.
	毋泽南, 田立勤, 陈楠. 基于随机 Petri 网的系统安全性量化分析研究[J]. 信息网络安全, 2020, 20(9):27-31.
[8]	SUN Chengcheng. Research on Countermeasures for Network Security Governance[J]. Netinfo Security, 2023, 23(6): 104-110.
	孙珵珵. 网络安全治理对策研究[J]. 信息网络安全, 2023, 23(6):104-110.
[9]	FENG Dengguo. Accurately Grasp the New Features of Cybersecurity Technology Development and Fully Promote the Modernization of National Security System and Capabilities[J]. Bulletin of Chinese Academy of Sciences, 2022, 37(11): 1539-1542.
	冯登国. 准确把握网络空间安全技术发展的新特征全力助推国家安全体系和能力现代化[J]. 中国科学院院刊, 2022, 37(11):1539-1542.
[10]	WU Jiangxing, JI Xinsheng, HE Lei, et al. Development Status, Trends, and Prospects of Cybersecurity Strategies and Methods[J]. Strategic Study of CAE, 2025, 27(1): 14-27. doi: 10.15302/J-SSCAE-2024.10.052
	邬江兴, 季新生, 贺磊, 等. 网络安全战略与方法发展现状、趋势及展望[J]. 中国工程科学, 2025, 27(1):14-27. doi: 10.15302/J-SSCAE-2024.10.052
[11]	ALRUMAIH T N I, ALENAZI M J F, ALSOWAYGH N A, et al. Cyber Resilience in Industrial Networks: A State of the Art, Challenges, and Future Directions[EB/OL]. (2023-10-11)[2025-05-01]. https://doi.org/10.1016/j.csa.2023.100031.
[12]	LEZZI M, CORALLO A, LAZOI M, et al. Measuring Cyber Resilience in Industrial IoT: A Systematic Literature Review[EB/OL]. (2025-04-11)[2025-05-01]. https://doi.org/10.1007/s11301-025-00495-8.
[13]	GASSER P, LUSTENBERGER P, CINELLI M, et al. A Review on Resilience Assessment of Energy Systems[J]. Sustainable and Resilient Infrastructure, 2019, 6(5): 273-299. doi: 10.1080/23789689.2019.1610600 URL
[14]	AHMADI S, SABOOHI Y, VAKILI A. Frameworks, Quantitative Indicators, Characters, and Modeling Approaches to Analysis of Energy System Resilience: A Review[EB/OL]. (2021-03-30)[2025-05-01]. https://doi.org/10.1016/j.rser.2021.110988.
[15]	GUO Dan, SHAN Ming, OWUSU E K. Resilience Assessment Frameworks of Critical Infrastructures: State-of-the-Art Review[EB/OL]. (2021-10-09)[2025-05-01]. https://doi.org/10.3390/buildings11100464.
[16]	BI Wei, MACASKILL K, SCHOOLING J. Old Wine in New Bottles? Understanding Infrastructure Resilience: Foundations, Assessment, and Limitations[EB/OL]. (2023-05-30)[2025-05-01]. https://doi.org/10.1016/j.trd.2023.103793.
[17]	UMUNNAKWE A, HUANG H, OIKONOMOU K, et al. Quantitative Analysis of Power Systems Resilience: Standardization, Categorizations, and Challenges[EB/OL]. (2021-06-17)[2025-05-01]. https://doi.org/10.1016/j.rser.2021.111252.
[18]	LIGO A K, KOTT A, LINKOV I. How to Measure Cyber-Resilience of a System with Autonomous Agents: Approaches and Challenges[J]. IEEE Engineering Management Review, 2021, 49(2): 89-97. doi: 10.1109/EMR.2021.3074288 URL
[19]	SHAFIEI K, ZADEH S G, HAGH M T. Robustness and Resilience of Energy Systems to Extreme Events: A Review of Assessment Methods and Strategies[EB/OL]. (2025-03-01)[2025-05-01]. https://doi.org/10.1016/j.esr.2025.101660.
[20]	OSEI-KYEI R, AMPRATWUM G, KOMAC U, et al. Critical Analysis of the Emerging Flood Disaster Resilience Assessment Indicators[J]. International Journal of Disaster Resilience in the Built Environment, 2025, 16(3): 417-436. doi: 10.1108/IJDRBE-02-2024-0029 URL
[21]	BRUCKLER M, WIETSCHEL L, MESSMANN L, et al. Review of Metrics to Assess Resilience Capacities and Actions for Supply Chain Resilience[EB/OL]. (2024-04-30)[2025-05-01]. https://opus.bibliothek.uni-augsburg.de/opus4/112770.
[22]	WAN Zelin, MAHAJAN Y, KANG B W, et al. A Survey on Centrality Metrics and Their Network Resilience Analysis[J]. IEEE Access, 2021, 9: 104773-104819. doi: 10.1109/ACCESS.2021.3094196 URL
[23]	QI Xiaoyu, MEI Gang. Network Resilience: Definitions, Approaches, and Applications[EB/OL]. (2024-01-01)[2025-05-01]. https://doi.org/10.1016/j.jksuci.2023.101882.
[24]	ESTAY D A S, SAHAY R, BARFOD M B, et al. A Systematic Review of Cyber-Resilience Assessment Frameworks[EB/OL]. (2020-10-01)[2025-05-01]. https://doi.org/10.1016/j.cose.2020.101996.
[25]	SHEN Lijuan, CASSOTTANA B, HEINIMANN H R, et al. Large-Scale Systems Resilience: A Survey and Unifying Framework[J]. Quality and Reliability Engineering International, 2020, 36(4): 1386-1401. doi: 10.1002/qre.2634
[26]	CASSOTTANA B, ROOMI M M, MASHIMA D, et al. Resilience Analysis of Cyber-Physical Systems: A Review of Models and Methods[J]. Risk Analysis, 2023, 43(11): 2359-2379. doi: 10.1111/risa.v43.11 URL
[27]	BODEAU D J, GRAUBART R D, MCQUAID R M, et al. Cyber Resiliency Metrics Catalog[EB/OL]. (2018-09-03)[2025-05-01]. https://www.mitre.org/news-insights/publication/cyber-resiliency-metrics-catalog.
[28]	GRAUBART R D, MCQUAID R, WOODILL J. Cyber Resiliency Metrics and Scoring in Practice[EB/OL]. (2018-11-04)[2025-05-01]. https://www.mitre.org/news-insights/publication/cyber-resiliency-metrics-and-scoring-practice-use-case-methodology.
[29]	YANG Zhuyu, BARROCA B, LAFFRÉCHINE K, et al. A Multi-Criteria Framework for Critical Infrastructure Systems Resilience[EB/OL]. (2023-06-21)[2025-05-01]. https://hal.science/hal-04135558.
[30]	ALHIDAIFI S M, ASGHAR M R, ANSARI I S. Towards a Cyber Resilience Quantification Framework (CRQF) for IT Infrastructure[EB/OL]. (2024-04-20)[2025-05-01]. https://eprints.gla.ac.uk/324835/.
[31]	WU Bei, TAN Zhizhong, CHE A, et al. A Novel Resilience Assessment Framework for Multi-Component Critical Infrastructure[J]. IEEE Transactions on Engineering Management, 2024, 71: 14011-14031. doi: 10.1109/TEM.2024.3438157 URL
[32]	JASON G. Cyber Assessment Framework 3.2[EB/OL]. (2024-04-18)[2025-05-01]. https://isocomplianceregister.co.uk/iso_article/cyber-assessment-framework-3-2/.
[33]	VUGRIN E D, WARREN D E, EHLEN M A. A Resilience Assessment Framework for Infrastructure and Economic Systems: Quantitative and Qualitative Resilience Analysis of Petrochemical Supply Chains to a Hurricane[J]. Process Safety Progress, 2011, 30(3): 280-290. doi: 10.1002/prs.v30.3 URL
[34]	COLLIER Z A, LINKOV I, LAMBERT J H. Four Domains of Cybersecurity: A Risk-Based Systems Approach to Cyber Decisions[J]. Environment Systems and Decisions, 2013, 33: 469-470. doi: 10.1007/s10669-013-9484-z URL
[35]	LIGO A, KOTT A, LINKOV I. How to Measure Cyber Resilience of an Autonomous Agent: Approaches and Challenges[J]. IEEE Engineering Management Review, 2021, 49(2): 89-97. doi: 10.1109/EMR.2021.3074288 URL
[36]	ANTHONY C J L. What’s Wrong with Risk Matrices?[J]. Risk Analysis: An International Journal, 2008, 28(2): 497-512. doi: 10.1111/risk.2008.28.issue-2 URL
[37]	ANTHONY C J L. What’s Wrong with Hazard-Ranking Systems? An Expository Note[J]. Risk Analysis: An International Journal, 2009, 29(7): 940-948. doi: 10.1111/risk.2009.29.issue-7 URL
[38]	BAYBUTT P. Designing Risk Matrices to Avoid Risk Ranking Reversal Errors[J]. Process Safety Progress, 2016, 35(1): 41-46. doi: 10.1002/prs.v35.1 URL
[39]	HUBBARD D W, SEIERSEN R. How to Measure Anything in Cybersecurity Risk[M]. New York: John Wiley & Sons, 2023.
[40]	HOSSEINI S, BARKER K, RAMIREZ-MARQUEZ J E. A Review of Definitions and Measures of System Resilience[J]. Reliability Engineering & System Safety, 2016, 145: 47-61. doi: 10.1016/j.ress.2015.08.006 URL
[41]	BODEAU D J, GRAUBART R D, MCQUAID R M, et al. Cyber Resiliency Metrics, Measures of Effectiveness, and Scoring[EB/OL]. (2020-10-07)[2025-05-01]. https://www.mitre.org/publications/technical-papers/cyber-resiliency-metrics-and-scoring-in-practice-use-case-methodology.
[42]	FEKEDULEGN D B, ANDREW M E, BURCHFIEET C M, et al. Area under the Curve and Other Summary Indicators of Repeated Waking Cortisol Measurements[J]. Psychosomatic Medicine, 2007, 69(7): 651-659. pmid: 17766693
[43]	KOTT A, THERON P. Doers, not Watchers: Intelligent Autonomous Agents are a Path to Cyber Resilience[J]. IEEE Security & Privacy, 2020, 18(3): 62-66.
[44]	GANIN A A, MASSARO E, GUTFRAIND A, et al. Operational Resilience: Concepts, Design and Analysis[J]. Scientific Reports, 2016, 6(1): 1-12. doi: 10.1038/s41598-016-0001-8
[45]	LINKOV I, TRUMP B D. The Science and Practice of Resilience[M]. Heidelberg: Springer, 2019.
[46]	BRUNEAU M, CHANG S E, EGUCHI R T, et al. A Framework to Quantitatively Assess and Enhance the Seismic Resilience of Communities[J]. Earthquake Spectra, 2003, 19(4): 733-752. doi: 10.1193/1.1623497 URL
[47]	REED D A, KAPUR K C, CHRISTIE R D. Methodology for Assessing the Resilience of Networked Infrastructure[J]. IEEE Systems Journal, 2009, 3(2): 174-180. doi: 10.1109/JSYST.2009.2017396 URL
[48]	HENRY D, RAMIREZ-MARQUEZ J E. Generic Metrics and Quantitative Approaches for System Resilience as a Function of Time[J]. Reliability Engineering & System Safety, 2012, 99: 114-122. doi: 10.1016/j.ress.2011.09.002 URL
[49]	OUYANG Min, WANG Zhenghua. Resilience Assessment of Interdependent Infrastructure Systems: With a Focus on Joint Restoration Modeling and Analysis[J]. Reliability Engineering & System Safety, 2015, 141: 74-82. doi: 10.1016/j.ress.2015.03.011 URL
[50]	OUYANG Min, DUEÑAS-OSORIO L, MIN Xing. A Three-Stage Resilience Analysis Framework for Urban Infrastructure Systems[J]. Structural Safety, 2012, 36: 23-31.
[51]	LIU Tao, BAI Guanghan, TAO Junyong, et al. Mission-Oriented Resilience Evaluation Method for Complex System[J]. Systems Engineering and Electronics, 2021, 43(4): 1003-1011. doi: 10.12305/j.issn.1001-506X.2021.04.17
[52]	HADDADI H, RIO M, IANNACCONE G, et al. Network Topologies: Inference, Modeling, and Generation[J]. IEEE Communications Surveys & Tutorials, 2008, 10(2): 48-69.
[53]	ZHANG Yongtao, SHAO Cunqi, HE Shibo, et al. Resilience Centrality in Complex Networks[EB/OL]. (2022-02-11)[2025-05-01]. https://doi.org/10.1103/PhysRevE.101.022304.
[54]	OSEI-ASAMOAH A, LOWNES N E. Complex Network Method of Evaluating Resilience in Surface Transportation Networks[J]. Transportation Research Record, 2014(1): 120-128.
[55]	XIAO Fang, YANG Shuyan, WEN Bo, et al. Resilience Characterization and Evaluation Model of Field Area Network for the Power Distribution Network[J]. Chinese Journal on Internet of Things, 2022, 6(3): 71-81.
	肖芳, 杨淑艳, 文博, 等. 面向配电网的场域网弹性表征和评估模型[J]. 物联网学报, 2022, 6(3):71-81. doi: 10.11959/j.issn.2096-3750.2022.00287
[56]	JIANG Shanqing, YANG Lin, CHENG Guang, et al. A Quantitative Framework for Network Resilience Evaluation Using Dynamic Bayesian Network[J]. Computer Communications, 2022, 194: 387-398. doi: 10.1016/j.comcom.2022.07.042 URL
[57]	ROSENKRANTZ D J, GOEL S, RAVI S S, et al. Resilience Metrics for Service-Oriented Networks: A Service Allocation Approach[J]. IEEE Transactions on Services Computing, 2009, 2(3): 183-196. doi: 10.1109/TSC.2009.18 URL
[58]	ZHAO Hongli, YANG Haitao, FU Yun. Analysis Method of Resilience in Networked Command and Control Information System[J]. Journal of Command and Control, 2015, 1(1):14-18.
	赵洪利, 杨海涛, 付芸. 网络化指控信息系统弹性分析方法研究[J]. 指挥与控制学报, 2015, 1(1):14-18.

评估框架分类	特点	代表性框架
面向过程的评估框架	关注测试过程中系统内部组件的变化，以及这些组件如何影响系统整体的性能和稳定性。通常涉及对系统遭受外界干扰等不利条件时的过程分析，对系统架构、干扰因素等需要详细分析调研	美国NIST的评估框架、 CASSOTTANA^[26]等人提出的韧性评估框架
面向结果的评估框架	关注系统所遭受的不利条件对最终系统功能的影响，或对任务完成度的影响，而无需分析系统受损的具体细节。通过对系统的性能表现指标分析建模，对系统的韧性能力进行量化评估	英国NCSC的网络评估框架、基于内生安全的评估框架

评估方法分类	特点	代表性方法
定性评估	对影响系统韧性的因素进行定性分析，依赖专家经验，结果较主观	NIST定性评估法、VUGRIN^[33]等人提出的定性评估方法
半定量评估	专家评估和量化计算方法相结合，具有一定的主观性	网络韧性矩阵、专家概率估计方法、情景评分法
定量评估	通过采集仿真或实际应用中的数据，使用量化计算方法进行评估，结果较为客观	基于性能曲线的评估方法、基于网络拓扑的评估方法

计划和准备	吸收	恢复	适应
为关键资产配置控制器/传感器	识别资产或服务的泄露	调查和修复故障控制器或传感器	根据最近的事件审查资产和服务配置
为关键服务配置控制器/传感器	使用冗余资产继续服务	评估服务/资产损坏情况	逐步淘汰过时资产并引入新资产
评估网络结构和与系统组件及环境的互连性	专门投入网络资源以防御攻击	评估功能恢复的时间	—
关键物理基础设施的冗余性	—	安全处置无法修复的资产	—
数据冗余在物理或逻辑上与网络分离	—	—	—

影响	可能性
影响	较低	中等	较高	非常高
较低	风险1	—	风险3	—
中等	—	—	—	风险4
较高	—	风险2	—	—
非常高	—	—	—	—