An Endogenous Security-Oriented Framework for Cyber Resilience Assessment in Critical Infrastructures

Abstract

In the face of escalating cyber threats to critical infrastructures, achieving robust cyber resilience has become paramount. This paper proposes an endogenous security-oriented framework for cyber resilience assessment, specifically tailored for critical infrastructures. Drawing on the principles of endogenous security, our framework integrates dynamic heterogeneous redundancy (DHR) and adaptive defense mechanisms to address both known and unknown threats. We model resilience across four key dimensions—Prevention, Destruction Resistance, Adaptive Recovery, and Evolutionary Learning—using a novel mathematical formulation that captures nonlinear interactions and temporal dynamics. The framework incorporates environmental threat entropy to dynamically adjust resilience scores, ensuring relevance in evolving attack landscapes. Through empirical validation on simulated critical infrastructure scenarios, we demonstrate the framework’s ability to quantify resilience trajectories and trigger timely defensive adaptations. Empiricalvalidation on a real-world critical infrastructure system yielded an overall resilience score of 82.75, revealing a critical imbalance between strong preventive capabilities (90/100) and weak Adaptive Recovery (66/100). Our approach offers a significant advancement over static risk assessment models by providing actionable metrics for strategic resilience investments. This work contributes to the field by bridging endogenous security theory with practical resilience engineering, paving the way for more robust protection of critical systems against sophisticated cyber threats.

1. Introduction

In the rapidly evolving landscape of cybersecurity, organizations confront an escalating array of threats, including advanced persistent threats (APTs), zero-day exploits, and large-scale distributed denial-of-service (DDoS) attacks. These threats are dynamic, adaptive, and increasingly sophisticated, exposing the limitations of traditional risk assessment methods in ensuring system security and operational continuity. Conventional approaches, such as point-in-time risk scoring and mean time between failures (MTBF), focus on static snapshots of system vulnerabilities. This means they cannot quantify critical dynamic processes like recovery and learning, nor can they measure intrinsic capabilities such as Destruction Resistance and adaptability. This gap leaves systems susceptible to cascading failures, prolonged downtimes, and inadequate responses to evolving adversarial tactics. Consequently, there is an urgent need for a new paradigm that not only evaluates a system’s ability to withstand and recover from attacks but also captures its capacity for continuous adaptation and improvement in the face of persistent and unpredictable threats. Indeed, the ultimate goal of such resilience is to ensure that these digital infrastructures can continue to function as reliable enablers of innovation, entrepreneurship, and societal progress [1].

To address these challenges, cybersecurity resilience has emerged as a pivotal concept. Unlike traditional security metrics that emphasize Prevention or risk mitigation, resilience focuses on a system’s ability to sustain core functions under adversarial pressure, recover swiftly from disruptions, and evolve through learning from past incidents. A resilient system anticipates threats, absorbs damage, restores functionality, and adapts its defenses over time. However, it remains challenging to quantify resilience in a dynamic, measurable, and actionable way. This difficulty arises from the complex interplay between preventive, defensive, recovery, and evolutionary capabilities, which is further complicated by unpredictable adversarial behavior and environmental changes.

This paper proposes a novel theoretical model for assessing Cybersecurity Resilience Capacity (RC), accompanied by a practical, operational four-dimensional evaluation framework named P-R-A-L, which stands for Prevention (P), Destruction Resistance (R), Adaptive Recovery (A), and Evolutionary Learning (L). Unlike static risk models, the RC model transforms resilience into a time-evolving trajectory, capturing the nonlinear interactions between defensive and evolutionary capabilities while accounting for real-time variations in environmental threat entropy. The complementary P-R-A-L framework (as shown in Figure 1) is designed to achieve actionable implementation, leveraging mature technologies to ensure feasibility and practicality in real-world systems. By aligning with established cybersecurity standards such as the NIST Cybersecurity Framework 2.0 [2], NIST SP 800-37 [3], GB/T 44862-2024 [4], and the MITRE ATT&CK threat taxonomy [5], our approach integrates seamlessly with existing practices while offering a forward-looking perspective on resilience measurement.

The primary contributions of this work are as follows. First, we introduce a mathematical model for cybersecurity resilience that quantifies system capabilities across the threat response continuum using a closed-loop structure for continuous assessment and adaptation. Second, we develop a dynamic constraint mechanism to incorporate environmental threat entropy variation, reflecting the real-time complexity of adversarial environments. Third, and equally significant, we propose a hierarchical evaluation system (model-dimension-indicator) through the P-R-A-L framework, which offers the following practical advantages:

• Measurability and Technical Maturity: Indicators are designed with a focus on quantifiable metrics and rely on mature, widely available technologies for ease of implementation.
• Reusability: Many indicators leverage existing security operations tools and data, reducing the need for bespoke solutions.
• Flexibility: The framework allows for multiple technical approaches to measure the same indicator, accommodating diverse organizational contexts and resource constraints.
• Alignment with Endogenous Security Principles: The design of the R (Destruction Resistance) and L (Evolutionary Learning) dimensions embeds endogenous security concepts, emphasizing intrinsic system capabilities and self-evolution to counter threats.

The remainder of this paper is organized as follows. Section 2 reviews related work in cybersecurity resilience and dynamic risk modeling, highlighting the gaps addressed by our approach. Section 3 presents the overall RC model architecture, detailing its theoretical foundation and mathematical formulation. Section 4 elaborates on the P-R-A-L framework, providing operational definitions and indicator design principles. Section 5 presents an empirical validation of the framework through a case study on a real-world critical infrastructure system. Section 6 discusses the findings and future research directions. Finally, Section 7 concludes with a summary of key findings and contributions. Through this work, we aim to deliver a robust, actionable framework for enhancing cybersecurity resilience in an era of persistent and evolving threats.

2. Related Work

This section reviews the existing literature on cyber resilience assessment, focusing on three key areas: cyber resilience frameworks, endogenous security concepts, and quantitative models. We compare these works with our proposed approach, highlighting the unique contributions of our Cybersecurity Resilience Capacity (RC) model and the P-R-A-L framework.

2.1. Cyber Resilience Frameworks

Numerous frameworks have been developed to assess and enhance cyber resilience across critical infrastructures and organizations. The Cybersecurity and Infrastructure Security Agency (CISA) offers the Cyber Resilience Review (CRR), an interview-based assessment to evaluate operational resilience and cybersecurity practices [6]. The National Institute of Standards and Technology (NIST) provides SP 800-160 Volume 2 Revision 1, focusing on engineering survivable systems through systematic security methods [7]. The European Union’s Network and Information Security (NIS) Directive promotes risk assessments and security measures across member states [8]. Canada’s Regional Resilience Assessment Program (RRAP) evaluates vulnerabilities in critical facilities [9], while the UK’s National Cyber Security Centre (NCSC) provides the Cyber Assessment Framework (CAF) for critical national infrastructure [10]. The EU’s Cyber Resilience Act (CRA) [11] sets cybersecurity standards for digital products, and Australia’s 2023 Critical Infrastructure Resilience Strategy outlines a national approach to security and resilience [12]. In China, the GB/T 44862-2024 standard offers criteria for evaluating cyber resilience, focusing on prevention, endurance, recovery, and adaptation [13]. Additionally, frameworks like the NIST Cybersecurity Framework 2.0 [2] provide a de facto industry baseline. Standards such as ISO/IEC 27035-1:2023 [14] on incident management directly inform the processes within our Adaptive Recovery (A) dimension. Foundational texts on Resilience Engineering by Hollnagel, Woods, and Leveson [15] help ground our model in established systems-engineering theory. Finally, frameworks like ISO/IEC 27001 emphasize information security management [16], and the MITRE ATT&CK framework maps adversary tactics for resilience planning [17].

While these frameworks provide valuable guidance on “what” to do to enhance resilience, they often lack specificity in “how” to quantitatively measure the effectiveness of implemented measures.

2.2. Endogenous Security Concepts

Endogenous security focuses on embedding safety mechanisms within system architectures to address vulnerabilities at their core, providing a robust defense against unpredictable threats. A foundational concept in this domain is Cyberspace Mimic Defense (CMD) based on Dynamic Heterogeneous Redundancy (DHR), which employs diverse component instances and dynamic switching to deter attackers [18]. Recent studies have connected structural security to resilience engineering [19] and elaborated on CMD’s theoretical foundations and applications [20]. Other works have explored endogenous security in contexts such as cryptography for routers and cloud services [21], wireless communications [22], AI-driven cybersecurity [23], and industrial control systems [24]. Applications to IoT [25], blockchain [26], and Security-as-a-Service models in cloud environments [27] further demonstrate its potential.

While endogenous security concepts show promise, challenges in scalability and implementation costs persist, especially for large-scale infrastructures. Our P-R-A-L framework builds on these ideas by translating endogenous security principles into measurable indicators. Specifically, the Destruction Resistance (R) dimension incorporates concepts like “heterogeneous redundancy architecture” and “mimicry-based fault tolerance”, while the Evolutionary Learning (L) dimension includes indicators for “dynamic reconfiguration” and “node-level endogenous adaptation”. By grounding these concepts in quantifiable metrics, our framework bridges the gap between theoretical endogenous security and practical resilience assessment.

2.3. Quantitative Models for Cyber Resilience

Quantitative models provide data-driven approaches to measure cyber resilience, often focusing on resistance and recovery capabilities. Recent advancements include mathematical models validated through testbeds to quantify resilience under adversarial conditions [28]. Other studies propose models accounting for multiple defense objectives and resource criticality [29,30], while reviews highlight limited integration of adaptive mechanisms in existing frameworks [31]. The Cyber Resilience Quantification Framework (CRQF) targets dynamic IT environments [32], and various resilience metrics and scoring practices have been documented [33,34,35]. Additional models include resilience matrices [36], stochastic approaches [37], and game-theoretic models for adversarial interactions [38]. Metrics for IT and OT environments [39] and key resilience indicators [40] have also been proposed. Indispensable sources like the ENISA Threat Landscape report [41] are crucial for calibrating the threat entropy term ($\sigma$) in our model. Furthermore, the work of Cantelli-Forti et al. [42] provides a concrete application context for our framework within critical infrastructure protection, serving as a target implementation example.

Despite these advances, many quantitative models prioritize traditional risk metrics over dynamic adaptability and endogenous security principles. Our approach addresses these gaps by offering a structured, dynamic, and practical solution through the RC model and P-R-A-L framework. The advantages of our model include the following:

• Structured Design: Based on four clearly defined dimensions—Prevention (P), Destruction Resistance (R), Adaptive Recovery (A), and Evolutionary Learning (L)—providing a comprehensive view of resilience.
• Practical Implementation: Each dimension is supported by a clear, measurable set of indicators designed for real-world applicability using mature technologies.
• Dynamic Nature: The RC model is time-varying, capturing evolving threat landscapes, while the indicators within the P-R-A-L framework support continuous updates to reflect real-time conditions.

By integrating endogenous security concepts, dynamic quantification, and actionable metrics, our framework offers a significant advancement over existing models, ensuring both theoretical robustness and operational feasibility.

3. Model Architecture

This section presents the architecture of our proposed Cybersecurity Resilience Capacity (RC) model, which serves as the theoretical foundation for quantifying a system’s ability to sustain core functions, recover rapidly, and adapt continuously under adversarial threats. The model integrates four core dimensions—Prevention (P), Destruction Resistance (R), Adaptive Recovery (A), and Evolutionary Learning (L)—forming a closed-loop structure that captures the defense-endurance-recovery-evolution continuum. We detail the mathematical formulation of the RC model, explain the interactions between dimensions, and highlight its alignment with established cybersecurity frameworks. Importantly, this section bridges the theoretical model with the practical P-R-A-L framework (elaborated in Section 4), ensuring that the model’s outputs are grounded in measurable, actionable indicators.

3.1. Cybersecurity Resilience Capacity (RC) Model

The RC model quantifies cybersecurity resilience as a dynamic, time-varying metric, translating static risk assessments into continuous resilience trajectories. The model is formulated as follows:

$$RC\left(t\right)={\displaystyle \frac{P\left(t\right)·R^{1.2}\left(t\right)+A\left(t\right)·L^{0.8}\left(t\right)}{1+\sigma ·\Delta T}}$$

(1)

where $RC\left(t\right)$ represents the overall resilience capacity at time t, and the variables $P\left(t\right)$, $R\left(t\right)$, $A\left(t\right)$, and $L\left(t\right)$ denote the quantified capability scores of the system in the four dimensions: Prevention, Destruction Resistance, Adaptive Recovery, and Evolutionary Learning, respectively. These scores are not arbitrary values but are derived through a comprehensive aggregation of specific, measurable indicators within the P-R-A-L framework, as detailed in Section 4. For instance,

-

$P\left(t\right)$ is computed as a weighted aggregation of sub-indicators such as threat intelligence accuracy, risk prediction coverage, situational awareness latency, proactive defense effectiveness, and supply chain security maturity.

-

$R\left(t\right)$ is derived from indicators like redundancy robustness, fault tolerance under attack, and heterogeneous architecture diversity.

-

$A\left(t\right)$ aggregates metrics such as mean time to recovery (MTTR), recovery automation rate, and post-incident functionality restoration ratio.

-

$L\left(t\right)$ combines indicators like incident learning rate, policy adaptation frequency, and autonomous strategy optimization effectiveness.

This structured approach ensures that the theoretical model is directly tied to practical, quantifiable assessments, facilitating real-world implementation.

3.2. Nonlinear Coupling and Dimensional Interactions

The numerator of the RC formula, $P\left(t\right)·R^{1.2}\left(t\right)+A\left(t\right)·L^{0.8}\left(t\right)$, incorporates nonlinear coupling mechanisms to reflect the synergistic interactions between defensive (P, A) and evolutionary (R, L) capabilities. The superlinear exponent of $R^{1.2}$ captures the qualitative leap in Destruction Resistance when key thresholds are met. For example, in the P-R-A-L framework, indicators such as “redundancy robustness” and “failure recovery capacity” (aligned with Dynamic Heterogeneous Redundancy (DHR) principles) demonstrate that once a system achieves sufficient redundancy and fault tolerance, its ability to withstand attacks increases disproportionately, reflecting a significant boost in resilience.

Conversely, the sublinear exponent of $L^{0.8}$ models the diminishing marginal returns in Evolutionary Learning. Indicators in the L dimension, such as “automation in repair processes” and “autonomous policy response capabilities”, show rapid improvements in early stages of learning (e.g., initial automation of incident response). However, as the system matures, further gains become incrementally harder to achieve due to complexity and resource constraints, a reality reflected in the sublinear growth.

These nonlinear factors ensure that the model mirrors empirical observations of system behavior, balancing the impact of investments across dimensions and guiding strategic prioritization (e.g., emphasizing redundancy in R for immediate resilience gains versus long-term learning in L).

3.3. Environmental Threat Entropy Variation ($\sigma$)

The denominator term $1+\sigma ·\Delta T$ introduces a dynamic constraint on resilience capacity, accounting for environmental threat entropy variation rate ($\sigma$) over a specified evaluation time window ($\Delta T$). The threat entropy variation rate is computed as follows:

$$\sigma ={\displaystyle \frac{\Delta H}{\Delta t}}·{\displaystyle \frac{1}{k_B}}ln\Omega$$

(2)

where $\Delta H$ represents the incremental entropy of system vulnerability information acquired by the attacker, $\Omega$ denotes the number of states in the system’s attack surface (e.g., open ports, services, permission combinations), and $k_B$ is a normalization factor (Boltzmann constant). This formulation leverages Shannon entropy ($H=-\sum p_{i}ln{p}_i$) to assess the uncertainty of attack paths and models the attacker’s behavior using a Boltzmann distribution.

The computation of $\sigma$ is closely tied to indicators in the P dimension of the P-R-A-L framework. For instance, $\Delta H$ is influenced by the update frequency and quality of “threat intelligence” and changes in “vulnerability knowledge base coverage”. Similarly, $\Omega$ correlates with indicators such as “asset vulnerability scanning coverage rate” and “dynamic attack surface assessment capability”. A spike in $\Delta H$ (e.g., due to a new vulnerability disclosure) increases $\sigma$, reducing $RC\left(t\right)$ and signaling the need for immediate defensive action. The time window $\Delta T$ balances short-term responsiveness (e.g., hourly assessments for real-time threats) with long-term trends (e.g., monthly evaluations for Evolutionary Learning), ensuring that the model adapts to both acute and chronic threat dynamics.

3.4. Alignment with Cybersecurity Standards

The RC model and P-R-A-L framework are designed to align with global and national cybersecurity standards, ensuring compatibility and enhancing practical adoption. Specific mappings include the following:

• NIST SP 800-37 PDR Cycles: The P dimension corresponds to the Prepare and Protect phases, focusing on preemptive threat mitigation. R aligns with the Detect and Respond phases, emphasizing system endurance under attack. A maps to Respond and Recover, prioritizing rapid restoration, while L connects to Identify and Prepare for long-term adaptation through learning.
• GB/T 44862-2024: The four dimensions (P, R, A, L) directly map to the standard’s capability domains of Prevention, endurance, recovery, and adaptation. Indicators within the P-R-A-L framework serve as evidence and quantifiable means to meet the standard’s requirements for dynamic risk control and resilience assessment.
• MITRE ATT&CK Threat Taxonomy: Indicators in the P dimension, such as “threat hunting behavior library” and “attacker intent inference”, and in the R dimension, such as “dynamic attack containment”, directly leverage MITRE’s tactics and techniques for mapping and quantification. Additionally, the computation of $\sigma$ incorporates attack cost ($C_{attack}$) metrics aligned with ATT&CK’s adversarial behavior models to quantify real-time threat entropy.

3.5. Dynamic Resilience Portrait

To effectively operationalize the concept of cybersecurity resilience, the proposed framework decomposes system capabilities into four interdependent dimensions that form a closed-loop threat response continuum. These dimensions—Preventive Capacity (P), Destruction Resistance (R), Adaptive Recovery (A), and Learning Evolution (L)—are carefully designed to address adversarial threats across their lifecycle, from pre-attack interception to post-incident adaptation. Each dimension encapsulates specific aspects of resilience, reflecting its unique contribution while accounting for nonlinear interactions and environmental dynamics. Preventive Capacity (P) and Adaptive Recovery (A) represent proactive and reactive defense mechanisms, respectively, whereas Destruction Resistance (R) and Learning Evolution (L) serve as stabilizing and evolutionary forces. Collectively, these dimensions create a spatiotemporally adaptive system that balances immediate threat mitigation with long-term strategic improvement. Resilience is thus measured not as a static value but as an evolving trajectory influenced by both defensive investments and adversarial pressures. The following subsections provide detailed conceptual foundations, measurable indicators, and practical quantification methods for each dimension, ensuring the framework’s utility, measurability, and reliance on mature technologies.

4. Framework Dimensions and Measurement

To comprehensively capture the dynamic nature of cybersecurity resilience, the proposed framework decomposes system capabilities into four interdependent dimensions that collectively form a closed-loop threat response continuum. These dimensions—Preventive Capacity (P), Destruction Resistance (R), Adaptive Recovery (A), and Learning Evolution (L)—are designed to address adversarial threats across their entire continuum: from pre-attack interception to post-incident adaptation. Each dimension is parameterized to reflect its unique contribution to resilience while accounting for nonlinear interactions and environmental dynamics. The Prevention and recovery capabilities (P, A) represent proactive and reactive defense mechanisms, respectively, while resistance (R) and learning (L) act as stabilizing and evolutionary forces. Together, they form a spatiotemporally adaptive system that balances immediate threat mitigation with long-term strategic improvement, ensuring resilience is measured not as a static score but as an evolving trajectory shaped by both defensive investments and adversarial pressures. The following subsections detail the mathematical and operational foundations of each dimension.

4.1. Preventive Capacity Index (P)

The Preventive Capacity Index (P) quantifies a system’s ability to proactively intercept threats before they materialize into incidents, serving as a foundational component of the Resilience Capacity (RC) model. It emphasizes anticipating and mitigating risks through architectural design, defense mechanisms, and threat intelligence to minimize the attack surface and disrupt adversarial tactics early.

The index, denoted as $P\left(t\right)$, integrates sub-dimensions into a cohesive metric reflecting proactive defense capabilities, capturing both static structural properties and dynamic operational conditions. It is expressed as follows:

$$P\left(t\right)={\displaystyle \frac{1}{1+e^{-\lambda AD\left(t\right)}}}·\prod _{i=1}^n(1-p_i^{k_i})·{log}_2\left(1+{\displaystyle \frac{TIQ\left(t\right)}{VW\left(t\right)}}\right)$$

(3)

Here, $\lambda$ is the learning rate for architectural diversity $AD\left(t\right)$ (values in $(0,1)$), $k_i$ is the number of variant components in the i-th defense layer, $p_i$ is the failure probability of components in that layer, $TIQ\left(t\right)$ is the threat intelligence quality index, and $VW\left(t\right)$ represents the vulnerability window exposure volume. The multiplicative structure ensures balanced system improvement.

The architectural diversity term, ${\displaystyle \frac{1}{1+e^{-\lambda AD\left(t\right)}}}$, uses a sigmoidal function for nonlinear scaling of defensive effectiveness with structural variation. $AD\left(t\right)$ is defined as follows:

$$AD\left(t\right)={\displaystyle \frac{1}{3}}\left[{\displaystyle \frac{N_v\left(t\right)}{N_{total}}}+{\displaystyle \frac{ln(1+f_{update})}{ln10}}+{\displaystyle \frac{1}{1+e^{-0.1\Delta t_{adjust}}}}\right]$$

(4)

where $N_v\left(t\right)$ is the number of variant components, $N_{total}$ is the total, $f_{update}$ is policy update frequency (updates/hour), and $\Delta t_{adjust}$ is system adjustment time (seconds). This aggregates component variation (measurable via system inventories or CMDBs by calculating variant-to-total component ratios), policy update velocity (logarithmic scaling for diminishing returns), and adjustment responsiveness (exponential decay rewarding rapid reconfiguration).

The defense mechanism multiplier, ${\prod }_{i=1}^n(1-p_i^{k_i})$, models layered defenses as probabilistic barriers, where diversified components exponentially decrease failure probability, grounded in reliability theory. Practically, efficacy is measured by indicators like virus signature database synchronization rates (from EDR/antivirus logs) and asset vulnerability scanning coverage (comparing reports from tools like Nessus or OpenVAS with CMDB asset counts).

The threat intelligence efficiency term, ${log}_2\left(1+{\displaystyle \frac{TIQ\left(t\right)}{VW\left(t\right)}}\right)$, reflects bounded growth of intelligence-driven defense, with logarithmic form for diminishing returns as vulnerability windows shrink, based on information theory. This is assessed via metrics like timeliness and accuracy of threat feeds (from SIEMs or threat intelligence platforms).

Operationalizing P relies on measurable indicators using mature, accessible technologies. This practical approach, leveraging common data sources (log management, security device reports) and allowing flexible tool implementation (e.g., Nessus or Qualys for scanning), ensures the index is actionable. The focus on easily collected metrics (update compliance, scan coverage) minimizes overhead while the multiplicative interaction in $P\left(t\right)$ promotes holistic improvement, aligning with observations that balanced preventive investments yield greater resilience.

4.2. Destruction Resistance Index (R)

The Destruction Resistance Index (R) evaluates a system’s ability to endure and maintain functionality under sustained adversarial pressure by focusing on absorbing damage through resource redundancy and defensive countermeasures. The index captures the dynamic tension between a system’s internal strengths and external threats. It evolves over time to reflect both sudden shocks and gradual erosion, allowing it to quantify endurance against both acute and chronic stressors.

Theoretically, R(t) is modeled as a nonlinear survival function integrating resource resilience and adversarial dynamics:

$$R\left(t\right)=R_0·e^{{\int }_0^t\left(\alpha ·{\displaystyle \frac{S_{\mathrm{redu}}}{S_{\mathrm{crit}}}}-\beta ·{\displaystyle \frac{C_{\mathrm{attack}}}{C_{\mathrm{defense}}}}\right)dt}$$

(5)

Here, $R_0$ is the baseline resilience coefficient (tied to initial redundancy/fault tolerance). The integral aggregates a growth factor from resource redundancy ($\alpha ·{\displaystyle \frac{S_{\mathrm{redu}}}{S_{\mathrm{crit}}}}$, where $S_{\mathrm{redu}}$ is excess capacity over critical threshold $S_{\mathrm{crit}}$, and $\alpha$ is calibrated by empirical data on distributed systems) and a decay factor from adversarial pressure ($\beta ·{\displaystyle \frac{C_{\mathrm{attack}}}{C_{\mathrm{defense}}}}$, where $C_{\mathrm{attack}}$ quantifies attack complexity (e.g., via MITRE ATT&CK tactics) and $C_{\mathrm{defense}}$ reflects defensive coverage (0–1), with $\beta$ balancing attack sophistication against defense breadth based on historical incident data). The exponential form captures nonlinear degradation when defensive gaps widen. The integral allows $R\left(t\right)$ to account for both instantaneous impacts and cumulative wear (e.g., DDoS resource exhaustion), offering a dynamic alternative to static metrics like MTBF by incorporating adversarial adaptation and system fatigue.

Practically, R is operationalized through measurable indicators for resource redundancy, defense coverage, and system availability under stress, using mature technologies. Resource redundancy is assessed by indicators like redundant component availability (percentage of critical systems with backups/failover, measured via tools like Zabbix, Prometheus, or Nagios using system logs/CMDBs) and dual-active system switchover success rate (from load balancer logs like F5/HAProxy or drill reports). Defense coverage is quantified by the MITRE ATT&CK coverage ratio, comparing implemented defenses to known tactics using data from SIEMs (e.g., Splunk, Elastic Stack) by mapping controls to attack patterns via security policies and audit logs. Flexibility in tooling is prioritized.

These indicators inform the computation of $S_{\mathrm{redu}}$, $S_{\mathrm{crit}}$, $C_{\mathrm{attack}}$, and $C_{\mathrm{defense}}$ for estimating $R\left(t\right)$. Raw metrics are collected, normalized (e.g., to a [0, 1] scale), and combined via weighted ratios aligned with the model. For instance, 90% redundant component availability and a 0.8 MITRE ATT&CK coverage normalize to 0.9 and 0.8, respectively, for integration. This methodology ensures practical, adaptable measurements leveraging existing systems.

4.3. Adaptive Recovery Index (A)

The Adaptive Recovery Index (A) quantifies a system’s capability to restore functionality post-disruption, evaluating the interplay between the diversity and effectiveness of adaptive strategies and the need for rapid restoration. It offers a dynamic, time-sensitive measure of recovery performance, balancing strategic adaptability with temporal efficiency to mitigate downtime.

Theoretically, $A\left(t\right)$ is rooted in systems recovery dynamics and diminishing returns, expressed as follows:

$$A\left(t\right)=A_{\max }·{\displaystyle \frac{ln(1+\omega ·N_{\mathrm{adapt}})}{ln(1+\omega ·N_{\max })}}·{\displaystyle \frac{1}{1+\tau ·t_{\mathrm{recovery}}}}$$

(6)

This formulation balances two principles: (1) recovery effectiveness grows sublinearly with the number of adaptive strategies ($N_{\mathrm{adapt}}$ out of a theoretical maximum $N_{\max }$) due to saturation, modeled by the logarithmic term with coefficient $\omega =0.1$ (derived from empirical recovery drill data showing diminishing returns); and (2) recovery latency ($t_{\mathrm{recovery}}$) imposes a hyperbolic penalty (calibrated by $\tau =0.05$ per second to reflect escalating downtime costs), reflecting the disproportionate impact of delays. The multiplicative structure ensures that neither adaptability nor speed alone dominates, reflecting real-world trade-offs.

Practically, $A\left(t\right)$ is operationalized through measurable indicators for adaptability scope and recovery latency, using mature technologies. Adaptability scope is measured by Recovery Strategy Coverage ($N_{\mathrm{adapt}}/N_{\max }$), using data from disaster recovery plans or tools like Ansible Tower or ServiceNow. Recovery latency is assessed via Actual Recovery Time against Recovery Time Objectives (RTO), sourced from drill logs or monitoring platforms (e.g., SolarWinds, Datadog). Supporting indicators include Backup Restoration Success Rate (from backup solutions like Veeam or Acronis) and Recovery Verification Compliance (via audit logs or ticketing systems like Jira). Data collection leverages existing infrastructure (backup systems, monitoring dashboards, ITSM platforms) with methodological flexibility (e.g., Commvault instead of Veeam). Aggregation involves collecting raw data, normalizing it (e.g., $t_{\mathrm{recovery}}$ inverted), and computing A(t) with theoretical weights, ensuring practical applicability while balancing strategy diversity and recovery speed.

4.4. Learning Evolution Index (L)

The Learning Evolution Index (L) quantifies a system’s capacity to enhance its security posture through iterative learning from past incidents and environmental changes. It focuses on the adaptive improvement phase, measuring how effectively a system transforms experiential data into actionable defensive capabilities by modeling the interplay of knowledge retention, temporal relevance, and organizational adaptability for evolutionary progress.

Theoretically, $L\left(t\right)$ captures knowledge accumulation and decay:

$$L\left(t\right)=L_0+\lambda \sum _{i=1}^n{e}^{-\gamma (t-t_i)}·\left[1-{\displaystyle \frac{1}{1+\eta ·\Delta E_i}}\right]$$

(7)

$L_0$ is the initial learning capacity. The summation reflects time-weighted learning from discrete events. The temporal decay $e^{-\gamma (t-t_i)}$ (decay rate $\gamma$, e.g., 0.01/hour, from ${\displaystyle \frac{d{K}_i}{dt}}=-\gamma K_i$ where $K_i$ is retained knowledge) models knowledge obsolescence, balancing historical lessons with recent insights. The experiential gain $1-{\displaystyle \frac{1}{1+\eta ·\Delta E_i}}$ uses a sigmoidal function for bounded learning benefits from event experience increment $\Delta E_i$, with sensitivity $\eta$; this approximates logistic growth (${\displaystyle \frac{d{G}_i}{d\Delta E_i}}=\eta G_i(1-G_i)$), reflecting diminishing returns. The learning efficiency $\lambda \in (0,1)$ scales accumulated knowledge based on organizational factors. This captures the dynamic tension between knowledge acquisition, retention, and obsolescence.

Practically, $L\left(t\right)$ is operationalized via indicators for system self-healing, policy adaptation, and knowledge integration, using existing enterprise tools. System self-healing is measured by the success rate of automated recovery actions (from logs of Ansible, Puppet, Nagios; or incident dashboards). Policy adaptation is assessed by metrics like update frequency of security configurations or credentials post-incident (from IAM audit trails or configuration management tools), reflecting adaptive responsiveness (e.g., time to update ACLs). Knowledge integration measures the translation of post-incident reviews (from ServiceNow or manual reports) into actionable system updates (frequency and impact of after-action reports leading to changes).

Implementation involves automated data collection (from SIEMs for incidents, CMDBs for changes, ticketing systems for reviews), normalization of raw metrics (e.g., self-healing success as a percentage, policy update cycles in days), and aggregation into a unified $L\left(t\right)$ score with customizable weighting. This adaptable framework, allowing tool substitution (e.g., Splunk for SIEM), ensures $L\left(t\right)$ is actionable and relevant by grounding measurements in mature technologies and existing workflows.

5. Empirical Validation: A Case Study

To validate the practical utility and effectiveness of the RC model and the P-R-A-L framework, a comprehensive resilience assessment was conducted on a real-world critical infrastructure system. This section details the case study methodology, presents the quantitative results, and discusses the actionable insights generated by the framework.

5.1. System Under Test and Methodology

The System Under Test (SUT) was a large-scale digital identity management platform developed for a municipal government, hosting sensitive data for approximately one million users. The platform is a critical piece of public infrastructure, hosted as a tenant on a major public cloud provider. Its multi-tier architecture consists of numerous servers for client-facing applications, transactions, and backend gateways, all running on CentOS 7.7, supported by MySQL and Redis databases, and serving mobile applications.

The assessment was operationalized using a hybrid methodology that combined non-technical document reviews (21 items) with technical testing and evaluation (18 items) to gather quantitative data for the P-R-A-L indicators. A suite of mature security tools was employed to measure specific indicators. For instance, capabilities in the Prevention (P) dimension, such as threat data monitoring, were assessed using tools like Retina and Spiderfoot to simulate malicious traffic and evaluate asset discovery. To quantify Destruction Resistance (R), tools like BloodHound and Nemesis were used to map attack paths and evaluate the system’s ability to discover and block attacks. Finally, indicators for Adaptive Recovery (A) were tested by probing for damage isolation and resource recovery mechanisms, while Evolutionary Learning (L) was evaluated by simulating attack scenarios to test the system’s intelligent control and decision-making capabilities.

5.2. Resilience Assessment Results and Analysis

The assessment yielded a holistic, quantitative view of the system’s resilience posture, with an overall Resilience Capacity (RC) score of 82.75. This score is derived from individual scores in four dimensions, as shown in Figure 2 and

Table 1. Detailed resilience assessment results from the case study.

Dimension	Key Indicator	Measurement Tool/Method	Finding (Raw Data)	Score
P: Prevention	Asset Identification	Document Review, Retina	10 critical services	90/100
	API Security	Log Analysis, Manual Review	Incomplete logging for some APIs
	Supply Chain Security	Component Scan (e.g., Black Duck)	Outdated third-party components found
R: Resistance	Attack Surface Mgmt	Port Scan (Nmap), Spiderfoot	10 of 113 ports exposed (9%)	91/100
	Log Integrity	Review of Cloud Config	5% of security logs incomplete
A: Recovery	Incident Response Process	Document Review, Interviews	No defined IR process	66/100
	Damage Isolation	Architectural Review	No effective module isolation
	Backup	System Config Review	No redundancy or backup mechanisms
L: Learning	Attack Traceability	Simulation (Nemesis)	Lacked comprehensive traceability	85/100
	System Adaptability	OS Version Check	Relies on end-of-life CentOS

, revealing highly unbalanced resilience characteristics:

• Preventive Capacity (P): 90/100. The system demonstrated strong capabilities in identifying its 10 critical business services and 32 key assets. It had automated threat warning mechanisms in place. However, the assessment also uncovered risks, including security blind spots in 10% of its infrastructure, incomplete API logging, and the use of outdated third-party components with known vulnerabilities.
• Destruction Resistance (R): 91/100. This was the system’s strongest dimension. The attack surface was well-managed, with only 10 out of 113 ports (9%) exposed to the internet. The system also had capabilities for threat intelligence collection and analysis. The primary weakness identified was that 5% of the cloud application’s security and access logs were not completely recorded, potentially impeding real-time attack analysis.
• Adaptive Recovery (A): 66/100. The framework identified a critical deficiency in this dimension. The assessment found that the system lacked defined processes for analyzing and responding to security incidents, had no effective isolation between its modular components to contain damage, and possessed no redundancy, backup, or self-recovery capabilities. This low score highlighted a significant risk of prolonged downtime and data loss in the event of a successful attack.
• Learning Evolution (L): 85/100. The system showed a good capacity for evolution, with some methods for upgrading functional components. However, it lacked comprehensive threat simulation, assessment, and attack traceability mechanisms. A key systemic risk was its reliance on an end-of-life operating system (CentOS), for which the cloud provider did not offer an automated upgrade path, severely limiting the system’s long-term adaptability and exposing it to unpatched vulnerabilities.

5.3. Actionable Insights and Framework Validation

This case study demonstrates that the P-R-A-L framework moves beyond a simple vulnerability checklist to provide a holistic, quantitative assessment that identifies both strengths and critical, systemic weaknesses. The dimensional scores pinpointed a severe imbalance, with strong proactive defenses (P and R) but a critically weak reactive posture (A). A good assessment tool should uncover precisely these kinds of critical, non-obvious imbalances. The framework worked as intended by diagnosing a severe weakness that might be overlooked by traditional assessments focused only on preventive controls.

The framework generated specific, prioritized recommendations directly tied to the findings. The most urgent recommendation was to address the critical deficiency in the Adaptive Recovery (A) dimension by establishing formal incident response procedures, implementing robust module isolation, and deploying automated, heterogeneous backup and recovery mechanisms. For the other dimensions, the framework recommended implementing a patch management process for third-party components (P), ensuring comprehensive and consistent log aggregation (R), and developing an automated defense framework and a clear migration strategy for the unsupported operating system (L).

In conclusion, this case study validates the practical utility of the RC model and P-R-A-L framework in a real-world critical infrastructure scenario. The framework successfully quantified the system’s resilience posture and delivered specific, data-driven insights to guide targeted strategic improvements. As demonstrated, the framework’s ability to identify non-obvious systemic weaknesses like a poor reactive posture, despite strong defenses, provides insights that would be difficult to identify using traditional risk assessment methods.

6. Discussion, Limitations, and Future Work

The Cybersecurity Resilience Capacity (RC) model introduces a dynamic framework for evaluating critical infrastructure resilience by integrating four dimensions—Prevention (P), Destruction Resistance (R), Adaptive Recovery (A), and Evolutionary Learning (L). Unlike traditional static risk assessments, its time-evolving approach provides a continuous resilience trajectory. This aligns with established standards like NIST SP 800-37, GB/T 44862-2024, and the MITRE ATT&CK taxonomy. As demonstrated in our case study, the framework’s primary strength lies in its ability to uncover critical, non-obvious imbalances, such as a weak reactive posture, that traditional methods might miss. To enhance the framework’s applicability to legacy and resource-constrained systems, we suggest a phased implementation approach. An organization could begin by strengthening the Prevention (P) and Adaptive Recovery (A) dimensions, which rely more on established processes, before gradually incorporating the more architecturally demanding aspects of Destruction Resistance (R) and Evolutionary Learning (L). This makes the framework more inclusive and provides a practical adoption path for a wider range of organizations.

6.1. Limitations of the Current Study

Despite its potential, we acknowledge several limitations that frame the scope of our current findings and guide future work.

• Limited Validation Scope: We agree with the reviewer that the validation scope is a limitation of the current study. A single case study, while providing deep insights, does not permit broad generalizability. The conclusions drawn are specific to the system under test, though the methodological value of the framework is generalizable.
• Parameter Uncertainty: Accurate calibration of parameterized coefficients ($\lambda ,\alpha ,\beta ,\gamma ,\eta$) is crucial but complex due to diverse system architectures and threat profiles, risking distorted assessments if they are mis-tuned. This is a key challenge for practical implementation.
• Entropy Oversimplification: The current scalar definition of environmental threat entropy ($\sigma$) may oversimplify multi-vector or multi-stage attacks, potentially underrepresenting true resilience demands in complex scenarios.
• Implementation Burden: Calculating $RC\left(t\right)$ in real time for large, intricate infrastructures can be computationally intensive, posing scalability issues for some organizations.

6.2. Future Research Directions

Future research should aim to overcome these limitations and enhance the model’s impact. Most importantly, the model requires extensive real-world validation beyond simulations to confirm its operational effectiveness and build credibility. Promising avenues include the following:

• Broad-Spectrum Validation: Future research is needed to validate the model across different sectors and architectures and against comparative baselines. We plan on partnering with industry stakeholders for pilot programs in operational settings (e.g., transportation, healthcare) to generate empirical performance data and refine predictive accuracy.
• Automated Parameter Calibration: To address parameter uncertainty, future work should focus on employing machine learning techniques, such as reinforcement learning, to dynamically adjust coefficients based on historical data and system feedback, improving precision and adaptability.
• Advanced Threat Modeling: To overcome the simplification of threat entropy, we suggest developing more sophisticated threat models, such as using attack graph-based approaches or Bayesian networks to better account for complex attack scenarios and allow for disaggregation of $\sigma$ into subsystem-specific metrics.
• Scalability and Optimization: Research into optimizing the real-time calculation of RC(t) is needed to address the potential implementation burden and improve scalability for large-scale systems.
• Interdependency Analysis: Extending the model to include interdependencies between critical infrastructures (e.g., using network theory or system dynamics) to provide a more holistic, systemic resilience metric.
• Economic Dimension: Developing cost-benefit analyses for resilience investments to guide resource allocation and make the framework more actionable for budget-conscious operators.

In summary, the RC model provides a strong foundation for assessing cybersecurity resilience. Pursuing these directions can evolve the framework into a cornerstone of next-generation resilience engineering.

7. Conclusions

This paper introduces the Cybersecurity Resilience Capacity (RC) model, a novel framework designed to quantify a system’s dynamic ability to sustain core functions, recover from disruptions, and adapt to evolving threats. By integrating four interdependent dimensions—Prevention (P), Destruction Resistance (R), Adaptive Recovery (A), and Evolutionary Learning (L)—within a closed-loop structure, the model captures nonlinear interactions and temporal dynamics of resilience. The inclusion of an environmental threat entropy variation rate ($\sigma$) as a dynamic constraint ensures responsiveness to changing threat complexities, offering a “dynamic resilience portrait” that surpasses static risk scoring.

The primary contributions are a comprehensive, mathematically grounded framework that translates static security postures into time-evolving trajectories for real-time adaptation; alignment with key standards (NIST SP 800-37, GB/T 44862-2024, MITRE ATT&CK) for practical adoption; and an emphasis on mature technologies and flexible implementation for feasibility and accessibility.

Practically, the RC model provides actionable insights for optimizing resource allocation, prioritizing strategic investments, and triggering timely defensive adaptations. This enhances an organization’s ability to withstand and recover from cyber incidents, offering a versatile tool for navigating complex modern threat environments across various sectors.

While this work establishes a robust foundation, future efforts will focus on addressing limitations such as parameter tuning and multi-system dependencies, alongside exploring integrations with emerging technologies and broader applications. Continued refinement and validation through empirical studies and industry collaborations aim to develop next-generation cybersecurity strategies, empowering organizations to thrive amidst persistent and evolving threats.