Page 134 of 139           Clédel et al. J Surveill Secur Saf 2020;1:119­39  I http://dx.doi.org/10.20517/jsss.2020.08


               considers the system’s abilities to change “with respect to its surroundings”. Thus, by taking into account these
               two notions, a new notion, called anti-fragility, can be developed. Anti-fragility encompasses both resilience
               and elasticity.




               6. CONCLUSION
               6.1. Gaps and limitations
               Most definitions and metrics described in this paper have one thing in common: they derive from risk analysis.
               According to risk analysis, possible threats can be identified, evaluated, and, even if they are uncertain, their
               probabilities of occurrence can be estimated. Thereby, resilience is calculated from the results of this risk
               analysis. Nonetheless, if one tries to assess the resilience of critical infrastructures nowadays, cyber-physical
               systems and their specific vulnerabilities must be considered. Adversary models must be studied as threats
               are not only accidental but also come from cyber-criminals, disgruntled employees, and terrorism [68] . These
               threats from malicious origin are difficult to evaluate. Their probabilities of occurrence are unknown because
               of the varied nature of the attackers and because of a lack of historical data. Besides, their consequences on
               the targeted system are hardly predictable.

               In addition, several definitions and metrics delegate the evaluation of resilience to an evaluation of service
               delivery or to an evaluation of system performance. Some articles describe resilience in domain specific terms
               and provide accurate metrics that match the chosen definition. For example, network resilience is not only
               concerned with network connectivity [59,69]  but also focuses on latency and route stability [58] . However, more
               generic approaches do not always clearly describe what are system services and system performance. Only a
               few models (see, e.g., [51] ) provide a framework that makes the description of system services possible.

               Another noteworthy remark is the usefulness of the binary assessment of the resilience of a system. It is still
               critical to predict the behavior of a system when it is challenged by a determined event. This assessment makes
               it possible to determine if the system is resilient to this event. However, this kind of approach could be less
               pertinent if the threat is not well defined: its probability of occurrence is vague, its detection is uncertain, and
               its dynamic behavior, as well as the system response to this threat, are unclear. The authors of [48–51]  suggested
               that assessing the resilience potential of a system could be more relevant than determining whether a system
               is resilient. Fuzzy logic is used by all four groups to describe this potential for resilience, but other approaches
               may be considered to assess resilience in a non-binary way.


               6.2. Concluding remarks
               Many definitions and metrics of resilience are addressed in this paper, from the original definition given by
               Holling about the resilience in ecological system to more recent and less domain specific ones. Definitions
               are classified according to their focus: Is resilience defined as the expected behavior when facing attacks and
               failures or as the combination of systems capacities that allow the mitigation of unexpected events? In addition
               to the intrinsic system characteristics, is resilience also specific to a determined perturbation? Some of these
               questions can be used again to classify metrics for resilience. Some metrics are event specific, which implies
               that resilience of a system must be evaluated separately for every threat or that resilience of a system is the sum
               of its resilience values for determined threats. Others do not consider possible events and evaluate resilience
               only from internal characteristics and properties of a system. While the results produced by some metrics
               determine a timely dependent likelihood of a system to be resilient, others give a resilient score or provide
               guidelines that ensure the maintenance and the enhancement of system resilience.


               To conclude, resilience is compared to some other concepts or paradigms, such as robustness and risk assess-
               ment. While it is agreed that resilience is distinct from risk assessment and can be implemented and studied
               as a complement for traditional design and management approaches, the distinction with other notions is