Page 128 of 139           Clédel et al. J Surveill Secur Saf 2020;1:119­39  I http://dx.doi.org/10.20517/jsss.2020.08


               at a given time    by an operational state that consists in a    ×    matrix of    operational metrics and    possible
               values, and a service state that consists in another    ×    matrix of    service parameters and    possible values.
               Layers are overlapping such that the service state of a layer at time    becomes the operational state of the layer
               above at time    + 1. According to this model, the system resilience is evaluated at the boundary between two
               layers as the transition trajectory to move from the state of a layer to the state of the layer above.

               ClarkandSonouz [24] usedalineartime-invariantmodeltorepresentasystemanditsadversarialimpacts. They
               considered a set of safe states and a basin of attraction that is a set of states allowing the system to return to a
               safe state under certain conditions. From these definitions, a system is considered resilient to an adversarial
               event as long as it remains in a safe state or in a state included in a basin of attraction. Since attackers can either
               physically attack the system or compromise input signals or inject false data, impacts of an attack are modeled
               as modified input and state matrices. Once a system and an attack are modeled, it can be determined if the
               system is resilient to this attack. Nonetheless, resilience can be evaluated as the amplitude of adversarial event
               that must impact the system to pull it out of safe states and basins of attraction. This idea of an attraction basin
               can be found in the original article of Holling [11] , as described in Section 4.2.

               4.1.1. Semi-quantitative approach
               Shiralietal. [43]  usedsixpreviouslydescribedresilientfactors [18] : managementcommitment, reportingculture,
               learning culture, awareness, preparedness, and flexibility. Employees of an industry are divided into several
               groups corresponding to process units and are given a questionnaire. After gathering the questionnaires, a
               score from one to five is given for each resilient factor and for each group of employees. From these scores,
               managers can identify weaknesses in some resilient factors for some specific groups of employees. Despite this,
               interconnections between the six resilient factors or between groups of employees are not considered in this
               approach.


               4.2.Quantitative probabilistic
               Probabilistic approaches relate resilience with uncertainties and thus they add a stochastic component to the
               resilience evaluation. For several of them, denoted as event specific, this is the resilience of a system to a
               determined event that is evaluated. Generally, the probabilities considered in a resilience evaluation come
               from the stochasticity of occurrence of undesired events.

               Originally, Holling did not provide metrics and methods to evaluate resilience in his article about resilience
               and stability of ecological systems [11] . According to Holling, resilience is only concerned with populations
               extinctions and resilience is the ability of a population to move from a stable population state to another one.
               Thus two parameters must be considered to evaluate resilience: the probability that an incident moves the pop-
               ulation outside a stable state and the distance between stable states that determines how harmful the incident
               must be to lead to extinction. However, Holling explained that such measures require an immense amount of
               knowledge about the system.


               4.2.1. Event Specific
               Haimes claimed that resilience of a system can be determined only once a threat scenario is determined [28,44] :
               “the question ‘What is the resilience of cyberinfrastructure X ?’ is unanswerable”. According to other articles,
               resiliencecanbeevaluatedonlyonceallpossibleundesiredeventsaredetermined [34] . Forexample, inaddition
               to a quantitative deterministic evaluation of resilience, Babiceanu and Seker [41]  provided two probabilistic
               metrics. The first extra metric is the probability of occurrence of a disruptive event that is the product of
               three other probabilities, the probability of a system to be vulnerable, the probability to be attacked, and the
               conditional probability of security to be bypassed (the attack is successful). The second extra metric is the
               probability of the system to recover from this event. It depends on the availability of a resilience solution for