Approaches to Enhancing Cyber Resilience: Report of the North Atlantic Treaty Organization (NATO) Workshop IST-153
This report summarizes the discussions and findings of the 2017 North Atlantic Treaty Organization (NATO) Workshop, IST-153, on Cyber Resilience, held in Munich, Germany, on 23-25 October 2017, at the University of Bundeswehr. Despite continual progress in managing risks in the cyber domain, anticipation and prevention of all possible attacks and malfunctions are not feasible for the current or future systems comprising the cyber infrastructure. Therefore, interest in cyber resilience (as opposed to merely risk-based approaches) is increasing rapidly, in literature and in practice. Unlike concepts of risk or robustness - which are often and incorrectly conflated with resilience - resiliency refers to the system’s ability to recover or regenerate its performance to a sufficient level after an unexpected impact produces a degradation of its performance. The exact relation among resilience, risk, and robustness has not been well articulated technically. The presentations and discussions at the workshop yielded this report. It focuses on the following topics that the participants of the workshop saw as particularly important: fundamental properties of cyber resilience; approaches to measuring and modeling cyber resilience; mission modeling for cyber resilience; systems engineering for cyber resilience; and dynamic defense as a path toward cyber resilience.
Research Summary
The NATO IST‑153 workshop held in Munich in October 2017 brought together researchers, military practitioners, and industry experts to examine the emerging concept of cyber resilience and to identify concrete steps for embedding it into modern information systems. The report summarises the five thematic pillars that dominated the discussions: (1) the fundamental properties of resilience, (2) measurement and modelling approaches, (3) mission‑oriented modelling, (4) systems‑engineering integration, and (5) dynamic defence as a pathway to resilient operations.
Resilience is distinguished from risk and robustness. While risk quantifies the probability and impact of adverse events, and robustness describes a system’s ability to withstand disturbances without performance loss, resilience explicitly incorporates the temporal dimension of recovery. It is defined as the capacity of a system to regain an acceptable level of performance after an unexpected degradation, encompassing recovery speed, adaptability, elasticity, and self‑organisation. These four attributes were identified as the core building blocks for any resilient architecture.
Measurement techniques discussed combine quantitative key performance indicators—such as Mean Time to Recovery (MTTR), Performance Degradation Ratio (PDR), and recovery cost metrics—with qualitative assessment matrices that map threat scenarios, impact levels, and organisational response capabilities. The participants advocated for hybrid approaches that blend scenario‑based simulations, time‑series analytics, and dynamic system models (e.g., agent‑based and system‑dynamics models) to capture the non‑linear nature of recovery processes. Standardised data formats and metadata schemas were highlighted as prerequisites for cross‑organisation data sharing and model interoperability.
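As an added illustration of the quantitative indicators named above (not code from the report), the following computes recovery metrics from a performance time series. The formulas are assumptions, since the page gives none: the degradation ratio is taken as (baseline - worst performance) / baseline, and recovery cost is approximated by the performance lost over time. The sample series is constructed.

```python
from statistics import mean

# Constructed samples: (minute, percent of requests served).
SAMPLES = [(0, 100), (5, 100), (10, 40), (15, 55), (20, 80), (25, 95),
           (30, 100), (35, 100), (40, 70), (45, 92), (50, 100), (55, 60)]

def degradation_episodes(samples, baseline, acceptable):
    """Find the spans where performance is below `acceptable`.

    Each sample is treated as holding until the next one (step function).
    An episode still open when the data ends keeps end=None, so it is
    reported but cannot silently shorten the mean time to recovery.
    """
    episodes, current = [], None
    for i, (t, perf) in enumerate(samples):
        if perf < acceptable and current is None:
            current = {"start": t, "end": None, "min_perf": perf, "loss": 0.0}
        elif perf >= acceptable and current is not None:
            current["end"] = t
            episodes.append(current)
            current = None
        if current is not None:
            current["min_perf"] = min(current["min_perf"], perf)
            if i + 1 < len(samples):
                # Area between the baseline and the curve for this interval.
                current["loss"] += (baseline - perf) * (samples[i + 1][0] - t)
    if current is not None:
        episodes.append(current)  # still degraded at the end of the data
    return episodes

def summarise(samples, baseline, acceptable):
    """Aggregate episodes into the indicators discussed in the text."""
    eps = degradation_episodes(samples, baseline, acceptable)
    recovered = [e["end"] - e["start"] for e in eps if e["end"] is not None]
    return {
        "episodes": len(eps),
        "unrecovered": sum(1 for e in eps if e["end"] is None),
        "mttr": mean(recovered) if recovered else None,
        "worst_pdr": max(((baseline - e["min_perf"]) / baseline for e in eps),
                         default=0.0),
        "total_loss": sum(e["loss"] for e in eps),
    }

if __name__ == "__main__":
    print(summarise(SAMPLES, baseline=100, acceptable=90))
```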
Mission‑oriented modelling was presented as a way to translate technical resilience into operational relevance. By constructing mission flow graphs that represent the sequence of tasks required to achieve a strategic objective, analysts can assign resilience thresholds to each node, compute the mission impact of a cyber incident, and prioritise defensive resources accordingly. This approach shifts the focus from protecting individual assets to safeguarding the continuity of critical missions, whether they are military operations or essential civilian services.
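A minimal sketch of the mission flow graph idea, added here as an example and not taken from the report. It assumes the graph is acyclic, that a task's performance is that of its weakest supporting asset, and that a task is blocked when any predecessor is not achievable; the mission, asset names and thresholds are all constructed.

```python
# Constructed mission flow graph (all names hypothetical):
# task -> (predecessor tasks, supporting assets, minimum acceptable performance)
MISSION = {
    "plan":     ([],                      ["c2_server"],             0.5),
    "collect":  (["plan"],                ["sat_link", "c2_server"], 0.6),
    "resupply": (["plan"],                ["logistics_db"],          0.4),
    "execute":  (["collect", "resupply"], ["radio_net"],             0.7),
}

def task_status(mission, asset_perf):
    """Label every task 'ok', 'failed' (below its own threshold) or
    'blocked' (a predecessor is not ok). Unlisted assets run at 1.0."""
    status = {}

    def visit(task):
        if task not in status:
            preds, assets, threshold = mission[task]
            if any(visit(p) != "ok" for p in preds):
                status[task] = "blocked"
            elif min(asset_perf.get(a, 1.0) for a in assets) < threshold:
                status[task] = "failed"
            else:
                status[task] = "ok"
        return status[task]

    for task in mission:
        visit(task)
    return status

def mission_impact(mission, asset_perf):
    """Fraction of mission tasks that cannot be carried out."""
    status = task_status(mission, asset_perf)
    return sum(s != "ok" for s in status.values()) / len(status)

def rank_assets(mission):
    """Order assets by the mission impact of losing each one outright,
    as a basis for prioritising defensive resources."""
    assets = {a for _, supporting, _ in mission.values() for a in supporting}
    scored = [(mission_impact(mission, {a: 0.0}), a) for a in assets]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1]))

if __name__ == "__main__":
    incident = {"sat_link": 0.3}  # constructed incident: one degraded link
    print(task_status(MISSION, incident), mission_impact(MISSION, incident))
    print(rank_assets(MISSION))
```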
In the systems‑engineering domain, the workshop proposed extending the traditional V‑model to embed resilience requirements early in the design phase. This “security‑resilience co‑design” mandates that recovery objectives be specified alongside functional and security requirements, that design artefacts include redundancy, checkpointing, and automated rollback mechanisms, and that verification activities incorporate recovery scenario testing. Continuous monitoring of recovery performance during operation feeds back into design refinements, creating a closed‑loop improvement process.
Dynamic defence was identified as the most promising practical pathway to operational resilience. Static perimeter controls are insufficient against sophisticated, adaptive adversaries. The participants described an autonomous cyber‑defence cycle that integrates AI‑driven threat intelligence, automated containment and remediation scripts, multi‑layered defence mechanisms, and self‑learning components that update detection models in real time. This cycle—detect, analyse, respond, recover, learn—reduces human reaction time, limits damage propagation, and accelerates the return to normal service levels.
The report also highlighted current gaps: the lack of internationally accepted resilience metrics, limited access to realistic testbeds and shared incident data, and the difficulty of modelling socio‑technical interactions that influence recovery. To address these challenges, the authors recommend establishing NATO‑wide collaborative experimentation platforms, developing common standards for resilience assessment, and fostering a community of practice that exchanges best‑practice case studies.
Overall, the NATO IST‑153 workshop report provides a comprehensive, technically grounded framework for advancing cyber resilience from a theoretical concept to an actionable capability across the full system life‑cycle. It underscores the necessity of integrating measurement, mission relevance, engineering processes, and dynamic defence to build systems that can not only survive attacks but also recover swiftly and continue to fulfil their intended missions.