Clédel et al. J Surveill Secur Saf 2020;1:119­39  I http://dx.doi.org/10.20517/jsss.2020.08  Page 129 of 139


               this event, the conditional probability of this solution to be activated and the conditional probability of the
               system to recover once resilience mechanisms are engaged.

               Once all undesired events are determined, resilience of a system is the sum, for all these events, of the probabil-
               ity of occurrence of each event multiplied by a resilience factor [15] . The resilience factor is system specific and
               event specific, as described in Section 4.1. For this metric, resilience factors are weighted with a fragility func-
               tion that corresponds to a probability function of system failure. This fragility function is also event specific.
               On top of that, probabilities of the occurrence of events is combined with an entropy factor that represents the
               uncertainty of these probability distributions.

               Thompsonetal. [33] presentedresilienceasthemaintenanceofasecuritylevelandresilienceisachievedinthree
               steps: detection, containment, and resolution. According to this description, a metric based on these three
               capacitiesisproposed  [45] . Foradeterminedsecuritybreach, aprobabilityisassignedtoeachofthesecapacities
               and represents the probability that the breach is detected, contained, or resolved. The authors argued that three
               events can lead to the restoration of the expected security state: (1) the breach is detected, then contained, and
               finally resolved; (2) the breach is detected and resolved without containment; and (3) the breach is resolved
               without detection or containment. As these events are independent, resilience is the probability that one of
               these events occurs.


               Dynamic Bayesian networks are used [46]  to represent a system. The resilience of a system to a disruption
               is expressed as the joint probability of the occurrence of the disruption and of the three resilient capacities:
               the probability to absorb, adapt to, and recover from the disruption. The authors described a nuclear plant,
               Fukushima Daiichi, as a set of eleven components such as Process Control System, Cooling System, Sea Wall,
               etc. These components contribute to at least one of the three resilience capacities, and the contribution of
               a component to one capacity is represented by a failure probability. Thus, 1–3 failure probabilities can be
               associatedtoeachcomponent. Nevertheless,ascomponentscanbeinvolvedinmorethanoneresilientcapacity,
               thethreeresilientcapacitiesarenotindependentandBayesianNetworksareusedtomodelthesedependencies.
               The result of the application of this model is the time-dependent probability function of the resilience of a
               system to a determined disruption.

               4.3. Fuzzy models
               Fuzzy sets are a generalization of conventional set theory that were introduced by Zadeh [47]  as a mathematical
               aswellasnaturalwaytodealwithproblemsinwhichthesourceofimprecisionistheabsenceofsharplydefined
               criteria. They play an important role in human thinking such as determining if someone is tall or if something
               belongs to the class of animals. For example, while dogs are clearly classified as animals, it is more ambiguous
               concerning bacteria, plankton, etc. The articles given in this section use fuzzy sets and membership functions
               to build metrics for resilience.


               According to Francis and Bekera [15] , resilience is a designed and engineered property of a system. More-
               over, Muller [48]  proposed to separately evaluate system architectures through attributes such as redundancy,
               adaptivity, robustness, etc, for which numerous metrics already exist. To accommodate differences amongst
               metrics, system architectures are thus represented with fuzzy membership functions associated with evaluated
               resilience attributes. Using these membership functions, resilience attributes are combined using fuzzy rules
               to obtain a measure of resilience from a resilience membership function. An example of fuzzy rule is:

                                  IF adaptability is moderate AND robustness is high THEN resilience is high

               Toevaluateorganizationalresilience, Aleksic etal. [49] proposedtoconsiderasystemasanetworkofprocesses.
               Processes have many resilience potentials, divided into three categories: (1) internal factors such as quality,
               human factors, or planning strategies; (2) external factors that are external capacities and capabilities; and (3)