When a digital system is developed or purchased, a primary consideration is how successfully the system accomplishes its desired function. Measuring that success, however, encompasses the functional lifespan of the system, including its long-term efficiency. Efficiency is defined as the ability to do things well, successfully, and without waste. A short-term view of efficiency might not account for threats with a low probability of occurring in the next days or weeks. Achieving long-term efficiency, with the system accomplishing its function even in the presence of disruptions, requires consideration of several factors, including short-term efficiency and resilience. Resilience is defined as the ability of a system to absorb, respond to, recover from, and adapt to disruptive events [9,14,20,22].
Enhancing cyber resilience often requires investing in qualified labor, redundant equipment, and software. Such investment increases the cost per byte or user and therefore is detrimental to short-term efficiency. However, enhanced resilience reduces the impact of disruptions and speeds up recovery from them. While investing in resilience improves long-term efficiency, optimizing that efficiency requires perfect knowledge of the system's short-term efficiency, the exact nature and impact of all future failures, and the system's response to those failures (that is, its resilience). As it is impossible to quantify the exact nature and impact of all future failures, it is also impossible to deterministically optimize a system's long-term efficiency. While risks cannot be understood deterministically, their nature and impact can be estimated probabilistically. Ideally, the uncertainty introduced by using a probabilistic approach demands prioritizing the most effective solution based on the long-term goals. We need a framework that compares the tradeoffs between short-term efficiency and resilience to optimize the long-term efficiency goals and therefore the effectiveness of a proposed solution.