Incorporating Systems Thinking into a Cyber Resilience Maturity Model

Achieving cyber resilient critical infrastructure poses a significant engineering management challenge. Society relies on infrastructure and services that extend beyond the managerial boundaries of a specific organizational entity, yet existing cybersecurity maturity models typically aim to assess a single organization. We offer a systems thinking approach to cyber resilience. Specifically, we relate to critical infrastructure and services in their sectoral system context, reimagining them as a system of systems. We then suggest exploring cyber resilience as a system property, with its expressions relating to the multiple dimensions of operation of the sector and to the different domains of practice. We discuss the dimensions of operation and domains of practice concepts that are embedded into a sectoral cyber resilience maturity model, which is under development. We demonstrate how these concepts frame a set of expressions that is designed to probe the sectoral design space; and propose how they may be further used as design considerations for improving the sector's cyber resilience.