
Clédel et al. J Surveill Secur Saf 2020;1:119-39 | http://dx.doi.org/10.20517/jsss.2020.08 | Page 125 of 139


               magnetic field is used to control spacecraft stability [37], and the sensors used are reliable and redundant enough
               so that the safe mode system is considered “fail safe”. By definition, safe mode is designed to limit the impact
               of a perturbation but not to mitigate it. It ensures a minimal system function.


               3.3. Recoverability
               Recoverability is determined by internal and external entities and their capacity to easily restore the system to
               its original state or a better one. It consists in dynamic mechanisms such as repairing or replacing damaged
               components, reinitializing components to a proper state, etc. While adaptability can alter the system structure
               to preserve or restore system performance, recoverability aims at “returning a system to near its original
               structure” [26]. Moreover, adaptive changes are in general temporary, whereas restorative changes are expected to
               be as permanent as possible.


               3.4. Other capacities and descriptions
               While the works [22,36] described absorbability (with diversity) and adaptability (evolvability) as resilience
               capacities, restorability is not considered. In place of it, it is claimed that a resilient system has “assessability”
               and usability. Assessability is the ability to verify and evaluate if a system behaves properly and if the quality
               of service is delivered. This verification and evaluation can be performed during design and pre-deployment
               phases but should also be an ongoing process as systems are supposed to evolve. Usability describes how
               ergonomic user interfaces are. It consists in measuring how easy it is to learn basic tasks, memorize them, and
               avoid errors; how quickly tasks can be performed; and how pleasant the interface is to use. Usability is needed
               as systems are more and more complex and errors can lead to critical failures.

               Some works [29,34] describe a resilient system as one that can anticipate and handle unexpected events. They
               describe capacities that such systems have: security (minimization of the incidence of undesirable events),
               mitigation/minimization capacity, and recovery ability. This description of resilience differs from the others
               for two reasons. Firstly, security is taken into account while resilience is generally considered only when
               an incident occurs, in other words, after security has failed. The second reason is the absence of adaptability
               amongst resilience capacities, even if the authors of both articles gave an example of minimization capacity that
               could be interpreted as adaptability. Indeed, minimization capacity includes an ability to detect disruptions
               and faults as soon as possible and to enable mitigation measures.


               Resilience has been decomposed into three capacities [33]. First, a system must recognize and identify security
               breaches, which is a detection ability. A second capacity, containment, is the ability of a system to absorb
               and limit the impact of security breaches. The third capacity is resolution and consists in eradicating security
               breaches and restoring the system. Even if those capacities are not explicitly the three traditional ones, they
               are not unrelated. Recoverability is included in the resolution capacity. Detection and containment capacities
               have the same objectives as absorbability and adaptability: to maintain an acceptable level of service while
               facing and eradicating the security breaches. Although the authors did not describe how a system could face a
               security breach when detected, they pointed out that two resilience mechanisms come into play: survivability
               and impact limitation.



               4. HOW TO MEASURE RESILIENCE
               4.1. Quantitative deterministic
               The articles described in this section use different measures of system performance or of some
               characteristics of an undesired event to build a metric of resilience. While most of these metrics provide a resilience
               value for a system, others consist in providing a score for different factors that compose resilience. They are
               denoted semi-quantitative approaches. The provided scores give clues concerning the resilience of a system
               but do not precisely result in a measure of it.