Article

Anomaly Detection as a Key Driver of Digital Forensic Resilience: Empirical Evidence from Critical Infrastructure Experts

1 General Staff of the Armed Forces of the Republic of Croatia, 10000 Zagreb, Croatia
2 University of Applied Sciences, 10000 Zagreb, Croatia
3 Faculty of Economics and Business, University of Zagreb, 10000 Zagreb, Croatia
* Author to whom correspondence should be addressed.
Systems 2026, 14(2), 213; https://doi.org/10.3390/systems14020213
Submission received: 21 December 2025 / Revised: 25 January 2026 / Accepted: 14 February 2026 / Published: 17 February 2026

Abstract

Ensuring strategic resilience in critical infrastructures supported with a machine learning approach requires moving beyond compliance checklists and post-incident analysis toward proactive, intelligence-based approaches. This study introduces the Forensic Resilience Operational Model (FROM), a systems thinking framework designed to embed forensic intelligence into the resilience cycle of complex socio-technical systems. To quantify this integration, the study investigates the determinants of the extent to which four operational pillars (forensic readiness, anomaly detection, governance and privacy safeguards, and structured intelligence integration) affect forensic resilience, using empirical survey data from 212 cybersecurity professionals across critical infrastructure sectors. We deploy Partial Least Squares Structural Equation Modelling (PLS-SEM) to investigate these relationships, and the results confirm that anomaly detection is the strongest contributor to forensic resilience, followed by structured intelligence integration and forensic readiness. Governance safeguards, while comparatively weaker, provide the necessary legitimacy and assurance of compliance. Supported by sector-specific case studies in the maritime, financial, and CERT domains, the findings highlight both the adaptability of the proposed FROM and the operational constraints encountered in real-world contexts. The study contributes to the field of systems-oriented strategic management by demonstrating that, when systematically embedded, forensic intelligence enhances adaptive capacity, supports predictive decision-making, and strengthens resilience in environments characterized by uncertainty and high complexity.

1. Introduction

Critical infrastructure (CI) forms the backbone of national and international security, ensuring the continuity of essential services such as energy, transport, healthcare, and communication [1,2,3]. In a digitized environment, its resilience has become a strategic priority, as disruptions can cascade across interconnected systems.
Digital forensic resilience entails not only recovery but also the ability to anticipate, absorb, and adapt to complex cyber threats [4]. Despite significant advances in digital resilience frameworks, their integration with digital forensic resilience remains underdeveloped. Traditionally viewed as a post-incident discipline, digital forensic resilience can expose vulnerabilities, identify attack vectors, and detect behavioral anomalies. However, its proactive role in supporting detection, prevention, and continuous learning has rarely been operationalized within resilience models [5,6]. This is particularly relevant in cyber-physical environments such as maritime infrastructure, where safety depends on both robust security protocols and actionable forensic intelligence. This study introduces the concept of forensic resilience, defined as the ability to integrate digital forensic capabilities into resilience operations for proactive detection, continuous learning, and adaptive response. Forensic resilience should be seen as a subsystem of security that enables anticipation of threats, reconstruction of incidents, and systemic adaptation. In critical infrastructure contexts, its role becomes particularly salient as it supports predictive resilience by transforming forensic traces into actionable knowledge before, during, and after disruptions. This dynamic capability aligns with frameworks that view digital forensics as a foundation for real-time adaptation and security intelligence [7], and complements predictive cyber resilience models that emphasize the proactive use of incident evidence to shape learning-based mitigation strategies [8].
At the policy level, digital forensic resilience is increasingly recognized as a strategic obligation. The European Union Agency for Cybersecurity (ENISA) identifies CI resilience as central to protecting essential services [9]. At the same time, national legislation, such as Croatia’s Critical Infrastructure Act, mandates that operators implement resilience-enhancing measures [10]. However, resilience and forensics are still treated as parallel domains, overlooking their potential synergy.
To address this gap, the paper investigates:
  • RQ1: How can digital forensic resilience be systematically integrated into cyber-resilience models for critical infrastructure?
  • RQ2: Which indicators and metrics enable the quantification of forensic contributions to systemic digital forensic resilience?
  • RQ3: How do the four operational dimensions (forensic readiness, anomaly detection, governance and privacy safeguards, and structured intelligence integration) individually contribute to the overall level of forensic resilience?
To address these questions, the study develops the Digital Forensic-Resilience Operational Model (FROM). This structured, system-oriented framework embeds digital forensic processes directly into the resilience cycle of critical infrastructures. FROM is grounded in four key operational pillars: forensic readiness, anomaly detection, governance and privacy safeguards, and structured intelligence integration, each reflecting a distinct function within the resilience process.
To enable empirical assessment and practical application, the study introduces the Forensic Resilience Score (FRS), conceptualized as a second-order latent variable that reflects the combined influence of these four dimensions and operationalized as a measurable index of their integration.
The paper is organized into five sections. Following the Introduction, the Related Work and Background section reviews the regulatory context, technical challenges, and theoretical basis for integrating forensics into resilience frameworks. The third section presents the FROM and operationalizes its structure through four core dimensions. The Materials and Methods section outlines the instrument development, research design, applied methodology (PLS-SEM), and the case study approach. The Results section reports the empirical findings from the survey and accompanying case studies. Finally, the Discussion and Conclusions interpret the results, highlight the theoretical and practical implications of the Forensic Resilience Score, and suggest directions for future research.

2. Related Work and Background

2.1. Regulatory and Technical Foundations

Cyber resilience in CI has evolved from voluntary guidance to binding regulatory frameworks in many industries. For example, the International Maritime Organization (IMO) was among the first to formalize this link between cyber risk and safety management, through Resolution MSC.428 (98) and its revised guidelines MSC-FAL.1/Circ. 3/Rev.2 [11,12], which explicitly recognize the strategic importance of integrating cyber risk management into existing safety systems. The International Association of Classification Societies (IACS) followed with Recommendation No.166, embedding cyber-resilience requirements directly into vessel certification [13]. At the technical level, the IEC 61162-450 standard introduced Ethernet-based interoperability for navigation and communication systems [14], ensuring connectivity but also amplifying exposure to cascading failures. Complementary guidance by the European Maritime Safety Agency (EMSA) [15] and the European Union Agency for Cybersecurity (ENISA) [16,17] expanded this agenda at the EU level. However, ENISA’s analyses repeatedly underscore fragmentation of roles between private operators and national authorities, leaving the forensic dimension largely unaccounted for.
Industry and research contributions further reflect this gap. Kessler and Shepard [18] offer managerial guidance for maritime cybersecurity, while Longo et al. [19] expose vulnerabilities across ships and ports, highlighting how interdependence magnifies systemic risk. Tam and Jones [20,21] developed the MaCRA framework to quantify maritime cyber risks, and later studies demonstrated how adversarial attacks on maritime microgrids could compromise vessel safety [22]. From a broader security perspective, Europol’s Serious and Organized Crime Threat Assessment (SOCTA) [20] and the UNODC’s Global Cybercrime Trends [23] identify cyber-enabled attacks on CI as a growing transnational concern, echoed by Eurostat’s statistics showing a steady rise in ICT incidents across the EU [24]. While these initiatives diagnose the systemic nature of cyber threats, they stop short of providing operational mechanisms for embedding forensic intelligence into resilience practice.
Current frameworks prioritize compliance and incident response, prescribing what must be secured but not how infrastructures can learn from forensic evidence. These frameworks have elevated cyber resilience from advisory to mandatory practice but remain predominantly compliance-driven, lacking adaptive or forensic readiness components. This reactive stance underscores the need for the proposed Forensic-Resilience Operational Model (FROM), which unifies digital forensic readiness, anomaly detection, and adaptive learning within a continuous resilience cycle.

2.2. Practical Challenges and Gaps

Regulatory and technical frameworks provide essential baselines, yet several challenges hinder the operationalization of CI resilience across sectors, including the maritime sector. A central issue is that digital forensic readiness is rarely built into systems by design. A structured ten-step process for forensic readiness was proposed in [25], but its adoption in real-world infrastructures remains limited. Likewise, systematic collection and retention of security events are emphasized in [26], though many operators still lack the capacity to ensure data completeness and integrity. Even when forensic data are available, their practical use is constrained by methodological and organizational gaps. Studies indicate that forensic readiness practices are often fragmented, reactive, or confined to isolated security operations rather than embedded within resilience cycles [27]. This limits the ability of forensic traces to inform proactive defense and system adaptation. In parallel, the growing volume and heterogeneity of logs and events continue to challenge existing analytical capacities. Classical anomaly detection methods provide solid foundations [28], but often struggle to separate benign irregularities from actual compromises in complex cyber-physical systems.
Integrating forensic readiness into resilience requires a shift from detection toward systemic learning. Structured analytic techniques for crime data mining [29] and broader knowledge-discovery frameworks [30] emphasize iterative modelling and pattern recognition, yet adoption within maritime and critical-infrastructure domains remains slow. Finally, advances in machine learning and deep learning open new opportunities for anomaly detection and predictive resilience [31], but raise unresolved issues of explainability, trust, and computational cost. These gaps demonstrate that current frameworks stop short of positioning forensics as a core enabler of resilience. Without systematic forensic readiness, scalable anomaly detection, and evidence-based learning, infrastructures remain bound to compliance-driven safeguards that cannot keep pace with adaptive adversaries. This motivates the Forensic-Resilience Operational Model (FROM), designed to embed forensic intelligence directly into resilience architectures.

2.3. The Forensic-Resilience Operational Model (FROM)

Unlike existing approaches that codify security requirements, FROM embeds digital forensics as an active enabler, transforming incident traces into predictive and adaptive resources within critical infrastructure cycles. At its core, FROM integrates four mutually reinforcing pillars: forensic readiness, advanced anomaly detection, governance and privacy safeguards, and structured intelligence integration. Together, these pillars provide a systemic pathway for converting forensic artefacts into resilience outcomes.
First, forensic readiness anchors the model. Building on the structured process in [25] and subsequent operational guidelines [26], as well as the maturity assessment proposed in [27], FROM requires infrastructures to implement proactive logging, evidence preservation, and cross-layer traceability as baseline capacities. Unlike earlier guidelines that stop at evidence preservation, FROM embeds readiness directly into operational pipelines. This ensures that incident data are systematically available for analysis rather than emerging only after catastrophic failures.
Second, advanced anomaly detection translates raw traces into operational signals. Classical anomaly detection and crime-data-mining approaches provide an essential foundation [28,29], while broader knowledge-discovery methodologies deepen the analytical dimension [30]. Recent advances in deep learning extend these methods to high-dimensional and dynamic environments [31,32]. The novelty lies in coupling classical methods with the forensic signal scoring mechanism to generate adaptive risk indicators. By fusing statistical methods with machine learning, FROM strengthens the ability to distinguish genuine compromise indicators from benign irregularities.
Third, governance and privacy safeguards guarantee that forensic integration does not undermine legal or ethical boundaries. Privacy is both a regulatory requirement and a constitutive dimension of resilience [33,34]. Empirical studies confirm its role in shaping compliance and trust [35,36], while risks such as de-anonymization and manipulative interfaces demand accountability [37,38]. The EU’s emerging framework on algorithmic accountability reinforces this by requiring transparency in automated systems. FROM therefore treats governance not just as compliance but as an operational safeguard across all forensic processes. Foundational work on intrusion detection [39], recent deep-learning approaches for adaptive detection [38], and the use of machine learning in network forensics [39] highlight the technical layer of this integration, while GDPR-oriented readiness frameworks [40] stress organizational accountability. Recent research in intelligence further emphasizes how forensic data can inform systemic learning and adaptation.
Fourth, structured intelligence integration transforms forensic findings into a systemic learning process. Established intelligence tradecraft emphasizes structured analytic techniques to reduce bias and extract actionable patterns [41]. Applied to critical infrastructure, these techniques enable forensic data to inform resilience beyond detection—supporting predictive adaptation, cross-sectoral coordination, and evidence-based governance. The innovative step here is to treat forensic artefacts as continuous-learning assets rather than as post-event documentation.
These four pillars create a closed operational loop: forensic readiness generates data; anomaly detection interprets signals; governance safeguards legitimate use; and structured intelligence transforms findings into systemic adaptation. This cycle ensures that forensic capabilities are embedded not as peripheral add-ons but as central drivers of resilience. This closed loop enables adaptive response during incidents and adaptive recovery after disruptions, ensuring that forensic intelligence continuously informs both immediate action and long-term resilience enhancement. Each pillar maps to concrete indicators (Table 1) and pipelines (collection → integrity → analytics → decision → feedback). Figure 1 illustrates the conceptual flow; Table 1 lists the primary indicators used to quantify FROM’s contribution to resilience.
Building on prior work in resilience frameworks that emphasize adaptive system recovery and operational continuity [4,5,6], and on the tradition of digital forensic readiness, which stresses the systematic preparation of data and processes for potential investigations [23,24,25], this paper introduces the forensic resilience score as an original contribution. Forensic resilience is defined as the capacity of digital infrastructures to integrate forensic readiness with resilience mechanisms to ensure both anomaly detection and adaptive recovery. In this context, adaptive recovery refers to the capability of an infrastructure not only to restore functionality after disruption, but to iteratively improve recovery strategies based on forensic learning from prior incidents. Unlike static recovery mechanisms, adaptive recovery is evidence-informed and feeds back into detection thresholds, response prioritization, and resilience planning. The model therefore aims to operationalize resilience through forensic capacities that directly support critical detection and recovery functions, rather than through broader security concepts alone. The notion of adaptive recovery, as used here, draws on existing paradigms such as resilient recovery and cyber resiliency engineering, which emphasize dynamic, evidence-informed system restoration in complex environments [42,43]. By anchoring anomaly detection and adaptive response in forensic workflows, the model emphasizes their evidentiary and adaptive value, bridging the gap between reactive investigation and proactive resilience engineering.
In operational terms, this is articulated through the Forensic-Resilience Operational Model (FROM), shown in Figure 1. The empirical validation of the FROM and the development of the FRS are outlined in the following section.
Each of the four pillars, Forensic Readiness (FR), Anomaly Detection (AD), Governance and Privacy (GP), and Structured Intelligence Integration (SII), is hypothesized to contribute positively to the composite Forensic Resilience Score (FRS). The dashed boxes (FSS and FL) represent theoretical extensions of the model. Accordingly, the following hypotheses are proposed for empirical validation:
  • H1: Forensic Readiness (FR) positively contributes to the Forensic Resilience Score (FRS).
  • H2: Advanced Anomaly Detection (AD) positively contributes to the Forensic Resilience Score (FRS).
  • H3: Governance and Privacy safeguards (GP) positively contribute to the Forensic Resilience Score (FRS).
  • H4: Structured Intelligence Integration (SII) positively contributes to the Forensic Resilience Score (FRS).
These hypotheses directly reflect the theoretical logic of FROM and provide the foundation for the subsequent empirical analysis. Figure 2 presents the conceptual structure of the Forensic-Resilience Operational Model (FROM), highlighting the four hypothesized relationships (H1–H4) that form the basis for empirical validation.

3. Materials and Methods

3.1. PLS-SEM Approach

3.1.1. Indicators and Instrument

The Forensic-Resilience Operational Model (FROM) is translated into a measurable framework through a structured set of indicators. Indicators for each FROM pillar were transformed into survey-based assessment items, as outlined in Table 1. By linking each pillar to concrete signals, the table enables systematic measurement of forensic contribution to resilience.
FRS is modeled as a second-order latent construct composed of four reflective first-order dimensions: Forensic Readiness, Anomaly Detection, Governance and Privacy, and Structured Intelligence Integration. In the structural model, these first-order constructs are also treated as independent latent variables, with direct paths estimated to the second-order construct (FRS). This hierarchical component model (HCM) approach enables the assessment of individual contributions while preserving the integrity of the multidimensional construct. As such, the four pillars function both as dimensions of FRS and as predictors in the reflective-reflective modeling logic applied in PLS-SEM. Operationally, the Forensic Resilience Score (FRS) is computed by aggregating the latent scores of the four first-order dimensions within a reflective–reflective hierarchical component model. Each dimension contributes equally to the composite FRS, ensuring that the score represents an integrated measure of forensic resilience rather than a dominance of any single operational pillar.
The indicators from Table 1 were translated into survey items representing the four pillars of FROM, as presented in Appendix A. Each pillar was grounded in validated or widely adopted sources: forensic readiness drew on established guidelines for logging and evidence preservation, including items adapted from the ten-step process [24] and resilience metrics [6]; anomaly detection relied on NIST intrusion-detection standards [41,44] and critical assessments of machine-learning explainability [45]; governance and privacy drew on GDPR readiness instruments [46] and analyses of transparency in automated decision-making [47]; and structured intelligence integration was informed by the target-centric intelligence approach [48] and CTI adoption guidelines [49].
All items were formulated as statements evaluated on a five-point Likert scale (1 = strongly disagree, 5 = strongly agree). To ensure comparability across pillars, all items were harmonized and subsequently aggregated into the composite FRS using equal-weighted latent scores, which allows the forensic resilience construct to be assessed empirically as a unified, multi-dimensional score; the complete list of adapted items is provided in Appendix A. While many individual items draw on validated guidelines and prior research, the novelty of the instrument lies not in the items themselves but in their integration across forensic, technical, governance, and intelligence dimensions into a single measurable construct, the Forensic Resilience Score (FRS). The innovation is primarily methodological: it resides in modeling forensic resilience as a measurable second-order construct rather than in inventing entirely new indicators.
Having established the operational indicators, the following section outlines the empirical design for validating this construct using survey data and a case study.

3.1.2. Data

This study applied a quantitative, cross-sectional research design, complemented by qualitative case study evidence, to operationalize and validate the proposed Forensic Resilience Score (FRS). The central aim of the design is to evaluate whether the integrated dimensions of forensic readiness, anomaly detection, governance and privacy, and structured intelligence integration can be empirically measured and meaningfully combined into a single index.
The survey data were collected from 212 information technology and cybersecurity professionals employed in critical infrastructure sectors, including energy, finance, maritime, and governmental services. Data were collected through an online survey distributed via professional networks, mailing lists, and organizational contacts in the last quarter of 2024. Respondents were recruited using purposive sampling to ensure they had direct expertise in digital forensic practices and resilience management. The sample size (n = 212) is consistent with statistical standards for PLS-SEM, ensuring sufficient power to evaluate the model. The survey represents a preliminary validation of the FRS, with sector-specific generalization left for future research. Participation in the study was voluntary, and all respondents were assured of anonymity and confidentiality in line with institutional ethical standards. These safeguards ensured compliance with ethical research practice, including informed consent.

3.1.3. Analytical Approach

For data analysis, the study employed confirmatory factor analysis (CFA) to assess construct validity, followed by PLS-SEM (Partial Least Squares Structural Equation Modelling) to evaluate hypothesized relationships between the four dimensions. Reliability was assessed through Cronbach’s alpha and composite reliability, while convergent and discriminant validity were examined using the average variance extracted (AVE) and heterotrait–monotrait (HTMT) ratios.
To assess the proposed model, we employed Partial Least Squares Structural Equation Modelling (PLS-SEM). This technique was chosen because it is suitable for exploratory models with latent constructs, where predictive accuracy is prioritized over strict model fit. This orientation towards predictive validity distinguishes the present study from confirmatory approaches such as CB-SEM and aligns with the FRS construct’s developmental stage. The sample of 212 IT professionals is considered adequate for PLS-SEM, which has been shown to perform reliably even with medium-sized datasets. The dependent variable in the model is the Forensic Resilience Score (FRS). In this configuration, FRS is modeled as a second-order reflective construct, with its four dimensions serving as both reflective indicators and explanatory constructs in a path model. A formative specification was considered but ultimately rejected. Formative models imply that the latent construct is a composite of its indicators, which may not correlate. However, in the case of FRS, the four dimensions—Forensic Readiness, Anomaly Detection, Governance and Privacy, and Structured Intelligence Integration—are not interchangeable components but manifestations of an underlying capacity. Empirical analysis confirmed that the dimensions were moderately to strongly correlated and conceptually reflect a unified resilience capability rather than a mere aggregation of distinct factors. A reflective–reflective hierarchical component model (HCM) was adopted to capture the common variance among pillars and validate FRS as an integrated latent construct. This allows us to test each pillar’s unique contribution while validating the coherence of the higher-order construct. At the same time, the independent latent constructs are Forensic Readiness (FR), Anomaly Detection (AD), Governance and Privacy (GP), and Structured Intelligence Integration (SII). 
The PLS-SEM approach allows simultaneous testing of the measurement and structural models, ensuring both construct validity and the explanatory power of the hypothesized relationships.
Reliability and validity were assessed using standard SEM criteria (Cronbach’s alpha, CR, AVE, HTMT). Structural relationships between the four pillars and the FRS were estimated using PLS-SEM with bootstrapping (5000 resamples). Predictive power was evaluated through R², complemented by effect size (f²) and predictive relevance (Q²). This analytical approach ensures that the model not only demonstrates conceptual robustness but also provides empirical evidence of how the four operational pillars contribute to measurable outcomes in forensic resilience. Standard validity and predictive relevance checks (e.g., Cronbach’s alpha, AVE, HTMT) were applied to ensure robustness, with detailed results provided in Appendix A.
All statistical analyses, including reliability and validity assessment and PLS-SEM estimation, were performed using custom scripts in Python 3.11.2 (Python Software Foundation, Wilmington, DE, USA).
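The measurement-model checks listed above (Cronbach’s alpha, composite reliability, AVE, outer loadings, with the thresholds the paper applies) and the equal-weighted FRS aggregation described in Section 3.1.1, as an added Python example that is not the authors’ own scripts. It assumes a constructed set of Likert responses, unweighted item means as a stand-in for PLS latent scores, and outer loadings approximated by item-composite correlations; HTMT, bootstrapping and path estimation are not covered.

```python
"""Measurement-model checks and equal-weighted FRS aggregation on constructed data."""
from statistics import mean, pstdev

# Thresholds the paper applies to the measurement model (Section 4.1).
ALPHA_MIN, CR_MIN, AVE_MIN, LOADING_MIN = 0.80, 0.80, 0.50, 0.60

# Constructed sample: four pillars x three items x eight respondents, five-point
# Likert answers (1 = strongly disagree, 5 = strongly agree). The item codes are
# placeholders, not the Appendix A items.
SAMPLE = {
    "FR":  {"FR1":  [5, 4, 4, 3, 3, 2, 2, 1],
            "FR2":  [5, 4, 3, 3, 2, 2, 1, 1],
            "FR3":  [4, 4, 4, 3, 3, 2, 2, 1]},
    "AD":  {"AD1":  [5, 5, 4, 4, 3, 2, 2, 1],
            "AD2":  [5, 4, 4, 3, 3, 3, 2, 1],
            "AD3":  [4, 5, 4, 4, 2, 2, 1, 1]},
    "GP":  {"GP1":  [5, 4, 4, 4, 3, 3, 2, 2],
            "GP2":  [4, 4, 3, 4, 3, 2, 2, 1],
            "GP3":  [5, 3, 4, 3, 3, 2, 1, 2]},
    "SII": {"SII1": [5, 4, 5, 3, 3, 2, 2, 1],
            "SII2": [4, 4, 4, 3, 2, 2, 2, 1],
            "SII3": [5, 5, 4, 3, 3, 2, 1, 1]},
}


def cronbach_alpha(items):
    """Internal consistency of one construct; `items` is a list of item columns."""
    k = len(items)
    totals = [sum(row) for row in zip(*items)]
    item_var = sum(pstdev(col) ** 2 for col in items)
    return k / (k - 1) * (1 - item_var / pstdev(totals) ** 2)


def pearson(x, y):
    """Population Pearson correlation of two equally long columns."""
    mx, my = mean(x), mean(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / len(x)
    return cov / (pstdev(x) * pstdev(y))


def composite_score(items):
    """Unweighted mean of each respondent's answers (stand-in for a PLS latent score)."""
    return [mean(row) for row in zip(*items)]


def outer_loadings(items):
    """Loadings approximated as item-composite correlations (assumption: PLS
    estimates them iteratively; this is only a first-pass proxy)."""
    comp = composite_score(items)
    return [pearson(col, comp) for col in items]


def composite_reliability(loadings):
    """Composite reliability: (sum lambda)^2 / ((sum lambda)^2 + sum(1 - lambda^2))."""
    s = sum(loadings)
    return s * s / (s * s + sum(1 - lam * lam for lam in loadings))


def ave(loadings):
    """Average variance extracted: mean squared loading (convergent validity)."""
    return mean([lam * lam for lam in loadings])


def assess_construct(items):
    """Apply the alpha, CR, AVE and outer-loading thresholds to one pillar."""
    loads = outer_loadings(items)
    a, cr, v = cronbach_alpha(items), composite_reliability(loads), ave(loads)
    ok = a >= ALPHA_MIN and cr >= CR_MIN and v >= AVE_MIN and min(loads) >= LOADING_MIN
    return {"alpha": a, "cr": cr, "ave": v, "loadings": loads, "passes": ok}


def zscore(values):
    """Standardize a column so pillars are on a common scale before aggregation."""
    m, s = mean(values), pstdev(values)
    return [(v - m) / s for v in values]


def forensic_resilience_scores(sample):
    """FRS per respondent: equal-weighted mean of the four standardized pillar scores."""
    pillar_z = [zscore(composite_score(list(items.values()))) for items in sample.values()]
    return [mean(row) for row in zip(*pillar_z)]


def run_report(sample=SAMPLE):
    """Measurement-model results per pillar plus the FRS vector."""
    results = {p: assess_construct(list(items.values())) for p, items in sample.items()}
    return results, forensic_resilience_scores(sample)


if __name__ == "__main__":
    results, frs = run_report()
    for pillar, r in results.items():
        print(f"{pillar:>3}: alpha={r['alpha']:.3f} CR={r['cr']:.3f} AVE={r['ave']:.3f} "
              f"min loading={min(r['loadings']):.3f} passes={r['passes']}")
    print("FRS per respondent:", [round(x, 2) for x in frs])
```

Because every pillar is standardized before averaging, the FRS vector is centred on zero and a respondent's score reads as a relative position in the sample rather than an absolute level.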

3.2. Case Study Analysis

Alongside the survey, three in-depth case studies were conducted with a maritime operator, a financial institution, and a national CERT expert. These case studies provided contextual validation of the survey findings, enabling the integration of quantitative and qualitative evidence.
The case studies were selected strategically to maximize sectoral diversity and serve as qualitative anchors rather than statistical generalizations. Case study interviews followed a semi-structured protocol aligned with the four FROM dimensions, enabling thematic comparison between the quantitative and qualitative strands. Each case study was based on one in-depth semi-structured interview, conducted with a lead sectoral expert in four critical infrastructure sectors: a cybersecurity officer in a maritime operator, a CERT analyst, a compliance manager in a financial institution, and a sectoral expert in the energy domain. Interviews lasted between 45 and 60 min and were conducted using a structured protocol aligned with the FROM. Participants were selected using purposive sampling based on their operational involvement in forensic processes. Interviews were transcribed and thematically analyzed using a hybrid coding approach. Deductive codes were drawn from the four FROM pillars, while inductive codes reflected sector-specific concerns. These were then mapped onto the FROM framework to evaluate the alignment between the model and real-world operational narratives.
Case study material was subjected to thematic coding, which provided explanatory insights that contextualized the statistical results. The main novelty of this design is the integration of validated elements into a single, coherent instrument that systematically and quantifiably captures forensic resilience. By combining survey evidence with targeted case studies, the research design not only ensures robustness but also reflects the applied relevance of the FRS across diverse organizational environments.

4. Results

4.1. Empirical Research Results Using PLS-SEM

This section first outlines the sample characteristics, followed by the assessment of the measurement model and structural relationships between the FROM pillars and the Forensic Resilience Score (FRS).
Table 2 reports the characteristics of the respondents, including sectoral distribution, professional experience, organizational roles, areas of expertise, and certification levels. Respondents were evenly distributed across critical infrastructure sectors, with the largest shares in government (28%) and energy (26%). More than two-thirds had over five years of professional experience, and nearly half held advanced professional certifications (CISSP, CISM, ISO 27001) [50]. This profile indicates that the sample comprised highly qualified experts, providing a solid basis for the reliability of the results.
Table 3 presents descriptive statistics and measurement properties of the constructs. All latent variables met the recommended Cronbach’s alpha and composite reliability thresholds of 0.80, confirming internal consistency. Average variance extracted (AVE) values exceeded 0.50, demonstrating convergent validity. The outer loadings of all individual indicators were above 0.60. Together, these results confirm the adequacy of the measurement model.
Table 4 reports the results of the structural model. The model explains 62% of the variance in the Forensic Resilience Score (FRS), indicating substantial explanatory power (R² = 0.62). Predictive relevance is supported by Q² = 0.39, well above the minimum threshold. All four hypotheses (H1–H4) are supported. Anomaly Detection (β = 0.34, p < 0.001) exerts the most decisive influence on FRS, followed by Structured Intelligence Integration (β = 0.31, p < 0.001) and Forensic Readiness (β = 0.28, p < 0.001). Governance and Privacy safeguards also have a significant, though smaller, effect (β = 0.19, p = 0.004). Effect sizes (f²) confirm that AD and SII represent medium contributions, while FR and GP exert small but significant effects. The model fit is satisfactory (SRMR = 0.057 < 0.08). The PLS-SEM technique was particularly suited due to the model’s exploratory nature, moderate sample size, and the use of second-order constructs.
These results validate the conceptual design of FROM. Anomaly Detection has the strongest impact on forensic resilience, underscoring the importance of timely detection of irregularities in complex infrastructures. Structured Intelligence Integration and Forensic Readiness also contribute substantially, indicating that both systematic preparation and the ability to transform data into learning assets are essential drivers of resilience. Governance and Privacy safeguards exert the weakest, though still significant, effect, suggesting that compliance-oriented measures provide a necessary foundation but are less decisive than technical and analytical capacities. Resilience therefore emerges most strongly where infrastructures can both detect anomalies and integrate forensic insights into continuous learning.
Figure 3 presents the structural model results of the PLS-SEM analysis, with standardized path coefficients and significance levels.

4.2. Extended Case Study: Maritime Sector

To complement the survey-based validation and add interpretive depth, sector-specific case study interviews were conducted in parallel and analyzed. They corroborated the key patterns observed in the SEM analysis, particularly in the maritime and CERT sectors, where anomaly detection practices and structured intelligence integration were repeatedly highlighted as critical, and they exposed current ‘pressure points’ in the resilience of critical infrastructure. This triangulation strengthens the explanatory relevance of FROM across distinct organizational contexts.
The cases were selected for their systemic criticality, representing high-stakes environments where resilience failures carry disproportionate consequences. As Table 5 indicates, they reveal recurring challenges at the intersection of compliance, detection, and operational readiness. These sector-specific pressure points illustrate how FROM’s pillars map onto real-world resilience problems, reinforcing the survey-based findings with applied evidence. Rather than offering exhaustive qualitative analysis, the case studies provide exploratory validation and integration of the model across different operational and regulatory contexts.
At the same time, the cases also expose essential limitations. Maritime stakeholders emphasized fragmented evidence handling across jurisdictions, suggesting that FROM’s effectiveness may hinge on harmonization mechanisms outside its immediate scope. CERT analysts underlined alert fatigue and anomaly explainability issues, which raise the risk of false positives and signal overload, areas where FROM cannot guarantee efficiency without additional calibration. Financial institutions highlighted GDPR–resilience trade-offs, in which compliance imperatives may delay operational responses, suggesting that FROM’s governance pillar might require costly adaptations to balance privacy and speed.
These case studies should be interpreted as illustrative examples rather than exhaustive inquiries. While they underscore the practical relevance and adaptability of FROM, the cases also reveal potential operational constraints related to cost, calibration, and regulatory trade-offs. A more in-depth qualitative exploration is beyond the scope of this paper and is identified as a priority for future research.
The maritime sector illustrates particularly acute challenges of forensic resilience, given its global interdependence and regulatory complexity. Cyber incidents in this domain often span multiple jurisdictions, where evidence-handling and disclosure rules vary significantly across ports and flag states. Stakeholders emphasize that fragmented data flows can delay forensic learning and slow operational response, thereby undermining resilience at scale [9,10,14]. ENISA has repeatedly identified the maritime sector as a high-risk environment, pointing to limited harmonization of log management, inconsistent anomaly reporting, and delayed availability of third-party data [15,16]. These systemic issues increase the risk of false positives and complicate the prioritization of forensic signals, echoing the problem of alert fatigue reported by CERT analysts [19].
Within the FROM, the Structured Intelligence Integration (SII) and Forensic Readiness (FR) pillars directly address such fragmentation by standardizing how evidence is aggregated and ensuring readiness through consistent protocols. The International Association of Classification Societies (IACS) similarly underlines the need for cyber-resilient vessel design and unified incident reporting [10]. However, both FROM and industry frameworks presuppose a minimal baseline of interoperability across jurisdictions, which remains a structural constraint beyond the model’s scope. A related constraint appeared outside the maritime case: energy-sector respondents stressed supply-chain visibility gaps, showing that forensic learning is constrained when upstream data arrive too late for actionable use, and that cross-border dependencies exacerbate these gaps [4,21].
The maritime case thus reinforces the survey-based findings by showing how FROM maps onto a sector where resilience depends not only on technical detection capacity but also on regulatory convergence. As Tam and Jones argue, risk assessment in maritime environments requires explainability and cross-system calibration [19,20], dimensions which FROM can conceptually support but cannot fully enforce without coordinated governance.
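The detection-side problems raised in the case interviews (alert fatigue, false positives, and the prioritization of forensic signals) can be made concrete with a small worked example. The Python code below is an added illustration by the editor; it is not code from the study or from any of the cited frameworks, and the hourly failed-logon counts, the two detectors, their thresholds and the priority formula are all assumptions chosen for the example. It pairs a statistical detector (modified z-score from the baseline median and MAD) with a distance-based detector (mean distance to the k nearest baseline values), treats an anomaly as confirmed only when both fire, and attaches a human-readable explanation to every alert so that single-detector signals are deprioritized for analyst review rather than silently dropped.

```python
"""Hybrid anomaly validation with explainable, prioritised alerts (added example)."""
from dataclasses import dataclass
from statistics import median
from typing import List, Sequence

# Constructed 48-hour baseline of hourly failed-logon counts on one gateway (benign operation).
BASELINE = [4, 5, 3, 6, 5, 4, 7, 5, 6, 4, 5, 3, 8, 5, 4, 6, 5, 7, 4, 5, 6, 3, 5, 4,
            5, 6, 4, 5, 7, 4, 5, 3, 6, 5, 4, 8, 5, 6, 4, 5, 3, 5, 6, 4, 5, 7, 5, 4]
# Constructed 12-hour window under evaluation.
OBSERVED = [5, 6, 4, 9, 5, 10, 4, 5, 6, 12, 5, 2]

MAD_SCALE = 1.4826   # scales the MAD to a standard-deviation equivalent for normal data
Z_THRESHOLD = 3.0    # assumed threshold for the statistical detector
K_NEIGHBOURS = 5     # assumed k for the distance-based detector


class RobustZDetector:
    """Statistical detector: modified z-score against the baseline median and MAD."""

    def __init__(self, baseline: Sequence[float], threshold: float = Z_THRESHOLD):
        self.median = median(baseline)
        mad = median(abs(x - self.median) for x in baseline)
        self.scale = MAD_SCALE * mad if mad > 0 else 1.0  # guard against a constant baseline
        self.threshold = threshold

    def score(self, x: float) -> float:
        return (x - self.median) / self.scale

    def fires(self, x: float) -> bool:
        return abs(self.score(x)) >= self.threshold


class KnnDistanceDetector:
    """Distance-based detector: mean distance from x to its k nearest baseline points.
    Threshold = largest leave-one-out score on the baseline itself (assumed rule)."""

    def __init__(self, baseline: Sequence[float], k: int = K_NEIGHBOURS):
        self.baseline = list(baseline)
        self.k = k
        self.threshold = max(self._score(x, skip=i) for i, x in enumerate(self.baseline))

    def _score(self, x: float, skip: int = -1) -> float:
        dists = sorted(abs(x - b) for i, b in enumerate(self.baseline) if i != skip)
        return sum(dists[: self.k]) / self.k

    def score(self, x: float) -> float:
        return self._score(x)

    def fires(self, x: float) -> bool:
        return self.score(x) > self.threshold


@dataclass
class Alert:
    index: int
    value: float
    robust_z: float
    knn_score: float
    priority: float      # the weaker of the two normalised scores (score / threshold)
    confirmed: bool      # True only when both detectors fire
    explanation: str


def evaluate(baseline: Sequence[float], observed: Sequence[float]) -> List[Alert]:
    """Score every observation with both detectors, keep points where at least one fires,
    mark points where both fire as confirmed, and rank by the weaker normalised score."""
    zdet, kdet = RobustZDetector(baseline), KnnDistanceDetector(baseline)
    alerts: List[Alert] = []
    for i, x in enumerate(observed):
        z, d = zdet.score(x), kdet.score(x)
        z_fires, k_fires = zdet.fires(x), kdet.fires(x)
        if not (z_fires or k_fires):
            continue
        priority = min(abs(z) / zdet.threshold, d / kdet.threshold)
        confirmed = z_fires and k_fires
        verdict = ("both detectors agree" if confirmed
                   else "only one detector fired; hold for analyst review, do not discard")
        explanation = (f"hour {i}: {x} failed logons vs baseline median {zdet.median:g} "
                       f"(modified z={z:+.2f}, threshold {zdet.threshold}); "
                       f"mean distance to {kdet.k} nearest baseline values {d:.2f} "
                       f"(threshold {kdet.threshold:.2f}); {verdict}")
        alerts.append(Alert(i, x, z, d, priority, confirmed, explanation))
    alerts.sort(key=lambda a: a.priority, reverse=True)
    return alerts


def confirmed_indices(alerts: List[Alert]) -> List[int]:
    return [a.index for a in alerts if a.confirmed]


if __name__ == "__main__":
    for a in evaluate(BASELINE, OBSERVED):
        tag = "CONFIRMED" if a.confirmed else "unconfirmed"
        print(f"[{tag} p={a.priority:.2f}] {a.explanation}")
```

On the constructed window the distance detector alone raises four alerts (hours 3, 5, 9 and 11) while the statistical detector raises two (hours 5 and 9); requiring agreement keeps the two confirmed alerts at the top of the queue and leaves the other two visible but lower ranked. The baseline window must be re-estimated as operations change, otherwise both thresholds drift away from current normal behaviour.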
Taken together, the mixed-method approach strengthens the empirical robustness of the FROM and demonstrates its applicability across real-world infrastructure settings.

5. Discussion and Conclusions

5.1. Summary of Findings

This study introduced the Forensic-Resilience Operational Model (FROM) to address persistent gaps between compliance-oriented frameworks and the operational use of forensic intelligence in critical infrastructures. The model integrates four mutually reinforcing pillars—forensic readiness, anomaly detection, governance and privacy safeguards, and structured intelligence integration—into a unified data-to-decision pipeline quantified by the Forensic Resilience Score (FRS). Empirical results confirmed that all four pillars significantly contribute to resilience outcomes. Anomaly Detection exerted the most decisive influence, underscoring the importance of advanced analytic capabilities for identifying compromise indicators. Structured Intelligence Integration and Forensic Readiness also showed substantial effects, highlighting the value of embedding systematic logging and intelligence tradecraft into resilience cycles. Although comparatively weaker, Governance and Privacy safeguards remain essential for maintaining compliance and institutional legitimacy. Collectively, these results demonstrate that resilience emerges not from isolated controls but from the systemic interplay of technical, organizational, and governance capacities.

5.2. Theoretical Contributions

The empirical confirmation of all four hypotheses reinforces the central proposition that forensic intelligence, as captured through the Forensic Resilience Score (FRS), is a core enabler of resilience in critical infrastructures. The structural model showed strong explanatory power, with all four operational pillars significantly shaping resilience outcomes, consistent with prior research that conceptualizes resilience as a time-dependent, system-level capability [4,5,6]. Anomaly Detection had the strongest effect, reflecting the ongoing relevance of machine-learning-based intrusion detection and the persistent challenge of explainability and false positives [43]. FROM should therefore be seen as contingent on local detection quality: it does not guarantee usable output without calibration. Conceptually, FRS is modeled as a second-order latent construct composed of four reflective dimensions (forensic readiness, anomaly detection, governance and privacy, and structured intelligence integration), following the logic of higher-order component models (HCM) in PLS-SEM. This configuration is supported by the structural model results (Table 4), in which all four pillars exhibit significant predictive power for FRS.
The contribution of Governance and Privacy safeguards, though weaker than the technical pillars, aligns with regulatory findings. Organizational readiness for GDPR remains uneven [44], while legal guidance on automated decision-making remains ambiguous [47]. FROM’s governance pillar thus supports both compliance and trust in resilience frameworks. However, tensions between data minimization and forensic retention, along with shifting interpretations of automation, may limit the portability of this pillar across jurisdictions. Structured Intelligence Integration also emerged as a key driver, aligned with principles of iterative, target-centric analysis [48]. The ability to convert forensic traces into actionable intelligence supports EU-wide calls for systematic cyber threat intelligence adoption [49] and shifts resilience discourse toward predictive and adaptive cycles. Intelligence-driven learning has been shown to enhance organizational performance [51]. The study also touches on the communicative dimension of resilience: as disinformation escalates during crises, infrastructures face not only technical but also narrative threats. Embedding forensic intelligence into resilience pipelines offers a conceptual path for addressing both, though FROM was not empirically tested in such scenarios, and claims on counter-disinformation remain theoretical.
The combination of survey analysis and sectoral case studies enhances the explanatory power of the findings by linking statistical results to operational realities in high-stakes CI environments. While limited in number, the case studies were selected to reflect distinct legal, technical, and regulatory challenges—illustrating evidence-handling complexity (maritime), governance–privacy trade-offs (finance), and the analytic burden of anomaly detection (CERTs). This diversity stress-tests the model against key resilience issues. The study also builds on prior domestic research into systemic vulnerabilities, advancing it through a structured model for operationalizing forensic intelligence. Still, FROM’s effectiveness depends on organizational maturity and cross-unit sharing, without which SII benefits may remain limited. As shown in earlier work, maturity frameworks like the Balanced Scorecard support capability development and alignment [52].
The predictive orientation of the FROM aligns with earlier work on forecasting in security and policing, such as RAND’s predictive policing trials [49,51]. While critical literature highlights risks of bias and unintended effects [53,54,55], FROM frames forensic intelligence as adaptive learning and adaptive recovery rather than deterministic prediction, providing signals to guide proactive yet accountable resilience strategies. Implementers must still ensure proportionality, transparency, and redress. Overall, the results support treating forensic intelligence as a driver of predictive and adaptive resilience. The model reconciles technical detection, regulatory safeguards, and strategic communication within a unified framework. The qualitative case studies reinforced the survey findings: anomaly detection was dominant in maritime, governance took precedence in finance, and intelligence integration was central in the CERT context. These sector-specific insights support FROM’s generalizability while illustrating the variable salience of its pillars. The strong effect of anomaly detection (β = 0.34, p < 0.001) confirms its role as the principal operational lever for resilience.
This study advances resilience research by conceptualizing forensic intelligence as a measurable, quantifiable construct and by introducing FROM, an index-based framework that unites the technical, regulatory, and communicative dimensions. In doing so, it extends resilience theory beyond compliance-oriented approaches and positions forensic intelligence as a core enabler of adaptive capacity. For practitioners, the model provides a structured method for benchmarking forensic readiness, assessing intelligence integration, and embedding forensic signals into operational decision-making across infrastructures. FROM demonstrates that resilience is not a static safeguard but a dynamic capacity shaped by forensic intelligence across technical, legal, and communicative domains. This integrated framing is supported by the empirical findings, where all four FROM pillars contributed significantly to the Forensic Resilience Score.

5.3. Practical Implications

The Forensic-Resilience Operational Model (FROM) offers direct operational utility for practitioners in critical infrastructure sectors, regulatory bodies, and cyber strategy development. Empirical results indicate that anomaly detection represents the most immediately actionable driver of forensic resilience within the model. For practitioners, this implies that investments in scalable and explainable anomaly detection capabilities provide the fastest and most measurable gains in overall resilience performance. By translating forensic artefacts into quantifiable indicators through the Forensic Resilience Score (FRS), the model provides a structured methodology for assessing and benchmarking resilience performance. This enables organizations to move beyond static compliance toward dynamic, intelligence-led resilience planning for the target user groups presented in Figure 4. These implications are grounded in the model’s empirical validation, where Anomaly Detection and Structured Intelligence Integration showed the strongest effects on FRS across both survey and case study findings (see Table 4 and Table 5). This reinforces the model’s applicability as a diagnostic and planning tool for diverse stakeholder groups.
First, for security and resilience teams, FROM offers a diagnostic framework that can be embedded into risk assessment workflows. The four pillars—Forensic Readiness, Anomaly Detection, Governance and Privacy, and Structured Intelligence Integration—can be operationalized as key performance indicators (KPIs) to guide investment in system monitoring, log management, and analytic capacity. The FRS enables continuous performance monitoring and cross-organizational comparison, identifying weak points in forensic capability that may be overlooked in compliance audits.
Second, for executive management and strategic planners, the composite FRS score functions as a resilience maturity indicator. Organizations can integrate the FRS into existing dashboards (e.g., Balanced Scorecard, ERM systems) to track improvements over time, justify budget allocations, and demonstrate accountability to stakeholders. The multidimensional design of FROM allows organizations to calibrate the weight of each pillar according to their sectoral risk profile and legal obligations.
Third, for regulators and national cyber-strategy planners, FROM offers a scalable, comparable metric to assess sectoral readiness across public and private operators. By aggregating FRS scores across institutions, agencies can identify systemic weaknesses (e.g., low anomaly detection capability in the maritime sector) and prioritize support or oversight efforts accordingly. Furthermore, FROM can be embedded into national resilience audits or capability assessments, complementing ENISA frameworks and NIS2 requirements.
Fourth, for certification bodies and auditors, the FROM indicators can support the development of audit criteria that go beyond documentation and focus on measurable forensic integration. Instead of assessing whether an organization has an incident response plan, FROM encourages evaluating how effectively forensic data is used to inform future resilience measures.
Fifth, for academic and training institutions, FROM offers a pedagogical model that aligns technical, organizational, and governance domains into a single framework. The FRS structure provides a foundation for curriculum development in digital forensics, resilience engineering, and cyber policy, supporting capacity building across technical and managerial audiences. In sum, FROM positions forensic intelligence not merely as a technical capability, but as a strategic resource that enables infrastructures to adapt, learn, and respond to evolving threats. Its integration into operational, regulatory, and educational domains can significantly enhance societies’ ability to withstand cyber-physical disruptions in increasingly complex environments.
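The practical use of the FRS as a KPI, dashboard indicator and benchmark described above depends on how item-level answers are rolled up into pillar and composite scores, and on the weights given to each pillar. The Python code below is an added illustration by the editor, not the study’s own scoring procedure (the paper reports the pillars’ path coefficients but does not publish an item-level aggregation formula). It assumes that each pillar is the mean of its five Appendix A items rescaled from the 1..5 Likert range to 0..1, that the composite is a weighted mean of the pillars, and that the standardized path coefficients reported in Table 4 serve as default weights which an organization can replace with sector-specific ones. The single respondent’s answers are constructed.

```python
"""Illustrative Forensic Resilience Score (FRS) aggregation (added example)."""
from typing import Dict, Mapping, Optional, Sequence

PILLARS = ("FR", "AD", "GP", "SII")

# Standardised path coefficients reported in Table 4 of the paper, reused here as
# default weights (an assumption: the paper does not publish an aggregation formula).
DEFAULT_WEIGHTS: Dict[str, float] = {"FR": 0.28, "AD": 0.34, "GP": 0.19, "SII": 0.31}
EQUAL_WEIGHTS: Dict[str, float] = {p: 0.25 for p in PILLARS}

# Constructed answers of one respondent to the five items of each pillar (Appendix A)
# on the 1..5 Likert scale; None marks an unanswered item (SII3 here).
RESPONDENT: Dict[str, Sequence[Optional[int]]] = {
    "FR": [4, 4, 3, 4, 5],
    "AD": [3, 2, 2, 1, 3],
    "GP": [5, 4, 4, 3, 4],
    "SII": [3, 4, None, 3, 3],
}


def pillar_score(responses: Sequence[Optional[int]]) -> float:
    """Mean of the answered items, rescaled from 1..5 to 0..1."""
    answered = [r for r in responses if r is not None]
    if not answered:
        raise ValueError("pillar has no answered items")
    if any(not 1 <= r <= 5 for r in answered):
        raise ValueError("Likert responses must lie in 1..5")
    return (sum(answered) / len(answered) - 1) / 4


def forensic_resilience_score(survey: Mapping[str, Sequence[Optional[int]]],
                              weights: Mapping[str, float] = DEFAULT_WEIGHTS) -> Dict[str, float]:
    """Per-pillar scores on 0..100 plus the weighted composite under key 'FRS'.
    Weights are normalised to sum to one, so any positive weighting can be passed."""
    missing = [p for p in PILLARS if p not in survey or p not in weights]
    if missing:
        raise ValueError(f"missing pillar(s): {missing}")
    total = sum(weights[p] for p in PILLARS)
    if total <= 0:
        raise ValueError("weights must be positive")
    scores = {p: 100.0 * pillar_score(survey[p]) for p in PILLARS}
    composite = sum(weights[p] / total * scores[p] for p in PILLARS)
    scores["FRS"] = round(composite, 1)
    return scores


def weakest_pillar(scores: Mapping[str, float]) -> str:
    """Pillar with the lowest score, i.e. where the next investment should go."""
    return min(PILLARS, key=lambda p: scores[p])


if __name__ == "__main__":
    beta = forensic_resilience_score(RESPONDENT)
    equal = forensic_resilience_score(RESPONDENT, EQUAL_WEIGHTS)
    print("beta-weighted:", beta, "weakest:", weakest_pillar(beta))
    print("equal-weighted:", equal)
```

For the constructed respondent the pillar scores are FR 75, AD 30, GP 75 and SII 56.25; the path-coefficient weighting yields an FRS of about 56.1, while equal weighting yields about 59.1. The gap shows why the weighting scheme must be declared alongside any benchmark: the same answers produce different composites, and the pillar-level breakdown (here pointing at Anomaly Detection) is more actionable than the composite alone.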

5.4. Limitations and Future Research Directions

The present validation of the FROM index is subject to several limitations. First, the survey relied on purposive sampling from professional networks, increasing the risk of self-selection bias and constraining the generalizability of the findings. Second, the use of self-reported survey items may introduce common-method bias, which can inflate observed relationships. Third, although the case studies provided valuable integration, they were illustrative rather than comprehensive and cannot substitute for an in-depth qualitative analysis. Fourth, operational costs associated with managing false positives may offset the gains in resilience in specific contexts. Furthermore, FROM does not offer a turnkey solution; its effectiveness depends on organizational maturity, data availability, and continuous recalibration in evolving threat environments. These limitations were reflected in the case study interviews, where stakeholders highlighted gaps in data harmonization, alert explainability, and compliance-related delays, underscoring that FROM’s real-world deployment is contingent on broader socio-technical conditions beyond model design.
Future research should broaden the sample’s representativeness, apply the model in sector-specific contexts, and experiment with alternative weighting schemes for the FROM coefficients. Further testing of predictive accuracy in real-world infrastructure is needed to validate the model’s operational feasibility across diverse regulatory and organizational environments. FROM represents a shift from reactive forensics to proactive resilience, with anomaly detection functioning as the principal driver of adaptive learning and early response, offering a scalable pathway for infrastructures to learn, adapt, and withstand the systemic shocks of the digital age.

Author Contributions

Conceptualization, M.G.; methodology, M.G.; validation, M.G., M.P.B. and D.M.; formal analysis, M.G.; investigation, M.G.; resources, D.M.; writing—original draft preparation, M.G.; writing—review and editing, M.P.B.; supervision, M.P.B. and D.M.; project administration, M.G. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The datasets generated and analyzed during the current study are available from the corresponding author on reasonable request.

Conflicts of Interest

The authors declare no competing interests relevant to the content of this article.

Abbreviations

The following abbreviations are used in this manuscript:
AD: Anomaly Detection
AVE: Average Variance Extracted
CB-SEM: Covariance-Based Structural Equation Modelling
CERT: Computer Emergency Response Team
CI: Critical Infrastructure
CR: Composite Reliability
CTI: Cyber Threat Intelligence
EMSA: European Maritime Safety Agency
ENISA: European Union Agency for Cybersecurity
EFA: Exploratory Factor Analysis
FR: Forensic Readiness
FRS: Forensic Resilience Score
FROM: Forensic-Resilience Operational Model
GP: Governance and Privacy
HTMT: Heterotrait–Monotrait Ratio
IACS: International Association of Classification Societies
IEC: International Electrotechnical Commission
IMO: International Maritime Organization
PLS-SEM: Partial Least Squares Structural Equation Modelling
RQ: Research Question
SII: Structured Intelligence Integration

Appendix A. Survey Instrument for the Forensic Resilience Score (FRS)

Table A1. The latent and manifest variables used in the survey instrument.
Forensic Readiness (FR)
FR1: Our systems implement proactive logging of security events [23].
FR2: Evidence preservation protocols are integrated into daily operations [24].
FR3: Cross-layer traceability is ensured across subsystems (author-developed).
FR4: Logging and evidence collection are systematically audited [6].
FR5: Incident data are available for forensic analysis without delay (author-developed).
Anomaly Detection (AD)
AD1: Statistical methods are used for anomaly detection [43].
AD2: Machine-learning tools are used to detect anomalies (author-developed).
AD3: Hybrid methods (statistical + ML) are used to validate anomalies (author-developed).
AD4: Forensic Signal Scores (FSS) are generated to quantify anomalies (author-developed–novel construct).
AD5: Anomalies are routinely evaluated for operational relevance [27].
Governance and Privacy (GP)
GP1: Compliance audit trails are systematically maintained [44].
GP2: Privacy safeguards are embedded into system design [45].
GP3: Algorithmic accountability mechanisms are in place [37].
GP4: De-anonymization risks are actively monitored and mitigated (author-developed, cf. [38]).
GP5: Governance safeguards are updated in line with regulatory changes [12].
Structured Intelligence Integration (SII)
SII1: Forensic data are systematically transformed into intelligence reports [46].
SII2: Structured analytic techniques are applied to forensic evidence [46].
SII3: Predictive adaptation is informed by forensic signals (author-developed).
SII4: Forensic outputs are shared across organizational units for learning [47].
SII5: Cross-sectoral coordination is supported by forensic intelligence (author-developed).
Note: Each item is listed with its wording and source, indicating whether it was adapted from prior literature or developed by the authors to capture novel aspects of the Forensic-Resilience Operational Model (FROM). All items were measured on a five-point Likert scale (1 = strongly disagree, 5 = strongly agree).
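Items FR2 and FR4 (evidence preservation integrated into daily operations; logging and evidence collection systematically audited) and the maritime stakeholders’ concern about fragmented evidence handling across jurisdictions come down to the same requirement: being able to show, after the fact, that a log has not been altered or truncated since collection. The Python code below is an added example by the editor and is not part of the study’s instrument or any cited framework. It keeps a SHA-256 hash chain over log records, verifies the chain, and shows why the chain head must be anchored outside the log (tail truncation is invisible to the chain on its own). Hostnames, timestamps and events are constructed.

```python
"""Hash-chained evidence log with anchored-head verification (added example)."""
import hashlib
import json
from copy import deepcopy
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # hash "before" the first entry
Entry = Dict[str, Any]


def canonical(record: Dict[str, Any]) -> bytes:
    """Deterministic serialisation: the same record must always hash the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def link_hash(prev_hash: str, record: Dict[str, Any]) -> str:
    """Hash of (previous hash || canonical record): each entry commits to its predecessor."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(canonical(record))
    return h.hexdigest()


class EvidenceLog:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    @property
    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, record: Dict[str, Any]) -> str:
        entry = {"record": dict(record), "prev": self.head, "hash": link_hash(self.head, record)}
        self.entries.append(entry)
        return entry["hash"]


def verify_chain(entries: List[Entry],
                 anchored_head: Optional[str] = None) -> Tuple[bool, Optional[int], str]:
    """Recompute every link. Returns (ok, index of first bad entry, reason).
    Without an anchored head, removing entries from the tail is undetectable."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev:
            return False, i, "prev pointer does not match the preceding hash"
        if link_hash(prev, e["record"]) != e["hash"]:
            return False, i, "record or hash altered"
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(entries), "head differs from anchored head: entries truncated or replaced"
    return True, None, "ok"


def with_altered_record(entries: List[Entry], index: int, **changes: Any) -> List[Entry]:
    """Copy of the log with one record modified in place (what an in-place tamper looks like)."""
    altered = deepcopy(entries)
    altered[index]["record"].update(changes)
    return altered


def handover_manifest(log: EvidenceLog) -> str:
    """What to hand to another party alongside the log: entry count, algorithm, anchored head."""
    return json.dumps({"entries": len(log.entries), "chain": "sha256", "head": log.head}, sort_keys=True)


def build_sample_log() -> EvidenceLog:
    """Constructed records; the hostname, user and times are illustrative, not real systems."""
    log = EvidenceLog()
    log.append({"ts": "2025-06-01T10:02:11Z", "host": "bridge-gw-01", "user": "ops",
                "event": "user.logon", "outcome": "failure"})
    log.append({"ts": "2025-06-01T10:02:19Z", "host": "bridge-gw-01", "user": "ops",
                "event": "user.logon", "outcome": "failure"})
    log.append({"ts": "2025-06-01T10:03:40Z", "host": "bridge-gw-01", "user": "ops",
                "event": "config.change", "outcome": "success"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head  # store this outside the log, e.g. in the custodian record or a notary
    print("intact:", verify_chain(log.entries, anchor))
    print("tampered:", verify_chain(with_altered_record(log.entries, 1, outcome="success"), anchor))
    print("truncated, no anchor:", verify_chain(log.entries[:-1]))
    print("truncated, with anchor:", verify_chain(log.entries[:-1], anchor))
    print(handover_manifest(log))
```

Two caveats follow from the code. A party that can rewrite every hash after tampering produces a chain that verifies internally, so the head value must be recorded somewhere the log writer cannot change (a separate custodian record, a signed timestamp, or a counterpart organization in another jurisdiction); and the chain proves integrity since collection only, not that the original events were captured correctly, which is what FR1 and FR4 audits are for.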

References

  1. Baylis, J.; Wirtz, J. Strategy in the Contemporary World; Oxford University Press: Oxford, UK, 2017. [Google Scholar]
  2. Buzan, B.; Wæver, O. Regions and Powers: The Structure of International Security; Cambridge University Press: Cambridge, UK, 2003. [Google Scholar]
  3. Croft, S.; Terriff, T. Critical Reflections on Security and Change; Frank Cass: London, UK, 2000. [Google Scholar]
  4. Linkov, I.; Palma-Oliveira, J.M. Resilience and Risk: Methods and Application in Environment, Cyber and Social Domains; Springer: Berlin/Heidelberg, Germany, 2017. [Google Scholar]
  5. Ganin, A.S.; Massaro, E.; Gutfraind, A.; Steen, N.; Keisler, J.M.; Kott, A.; Mangoubi, R.; Linkov, I. Operational resilience: Concepts, design and analysis. Sci. Rep. 2016, 6, 19540. [Google Scholar] [CrossRef] [PubMed]
  6. Henry, D.; Ramirez-Marquez, J.E. Generic metrics and quantitative approaches for system resilience as a function of time. Reliab. Eng. Syst. Saf. 2012, 99, 114–122. [Google Scholar] [CrossRef]
  7. Rahman, N.H.A.; Glisson, W.B.; Yang, Y.; Choo, K.-K.R. Forensic-by-Design Framework for Cyber-Physical Cloud Systems. IEEE Cloud Comput. 2016, 3, 50–59. [Google Scholar] [CrossRef]
  8. Teing, Y.-Y.; Homayoun, S.; Dehghantanha, A.; Choo, K.-K.R.; Parizi, R.M.; Hammoudeh, M.; Epiphaniou, G. Private Cloud Storage Forensics: Seafile as a Case Study. In Handbook of Big Data and IoT Security; Dehghantanha, A., Choo, K.-K.R., Eds.; Springer: Cham, Switzerland, 2019; pp. 73–127. [Google Scholar] [CrossRef]
  9. Republic of Croatia. Zakon o Kritičnoj Infrastrukturi (Narodne Novine, NN 89/2025). 2025. Available online: https://narodne-novine.nn.hr/clanci/sluzbeni/2025_06_89_1232.html (accessed on 15 December 2025).
  10. IMO. Resolution MSC.428(98)—Maritime Cyber Risk Management in Safety Management Systems. 2017. Available online: https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf (accessed on 1 December 2025).
  11. IMO. MSC-FAL.1/Circ 3/Rev.2—Guidelines on Maritime Cyber Risk Management. 2022. Available online: https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/MSC-FAL.1-Circ.3-Rev.2%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20(Secretariat).pdf (accessed on 23 November 2025).
  12. IACS. Recommendation No.166—Cyber Resilience. 2020. Available online: https://www.steamshipmutual.com/sites/default/files/downloads/articles/2020/IACS-Recommendation-on-Cyber-resilience-No-166-2020_04.pdf (accessed on 28 November 2025).
  13. IEC 61162-450; Maritime Navigation and Radiocommunication Equipment and Systems—Ethernet Interconnection. International Electrotechnical Commission: Geneva, Switzerland, 2018.
  14. EMSA. Guidelines on Cyber Security Onboard Ships; European Maritime Safety Agency: Lisbon, Portugal, 2020. [Google Scholar]
  15. ENISA. Port Cybersecurity—Good Practices for Cybersecurity in the Maritime Sector; European Union Agency for Cybersecurity: Athens, Greece, 2019. [Google Scholar]
  16. ENISA. Maritime Cybersecurity Challenges; European Union Agency for Cybersecurity: Athens, Greece, 2020. [Google Scholar]
  17. Kessler, G.C.; Shepard, S. Maritime Cybersecurity: A Guide for Leaders and Managers; Rowman & Littlefield: Lanham, MD, USA, 2022. [Google Scholar]
  18. Longo, G.; Martelli, M.; Russo, E.; Merlo, A.; Zaccone, R. Adversarial waypoint injection attacks on Maritime Autonomous Surface Ships (MASS) collision avoidance systems. J. Mar. Eng. Technol. 2024, 23, 184–195. [Google Scholar] [CrossRef]
  19. Tam, K.; Jones, K. MaCRA: A model-based framework for maritime cyber-risk assessment. WMU J. Marit. Aff. 2019, 18, 129–163. [Google Scholar] [CrossRef]
  20. Tam, K.; Jones, K. Cyber-Risk Assessment for Autonomous Ships. In Proceedings of the 2018 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), Glasgow, UK, 11–12 June 2018; pp. 1–8. [Google Scholar] [CrossRef]
  21. Amin, S.M. Smart grid: Overview, issues and opportunities. Advances and challenges in sensing, modeling, simulation, optimization, and control. Eur. J. Control 2011, 17, 547–567. [Google Scholar] [CrossRef]
  22. Europol. Serious and Organised Crime Threat Assessment (SOCTA); Europol: The Hague, The Netherlands, 2022. [Google Scholar]
  23. United Nations Office on Drugs and Crime (UNODC). Annual Report 2023; UNODC: Vienna, Austria, 2023; Available online: https://www.unodc.org/documents/AnnualReport/UNODC_REPORT_2023-WEB.pdf (accessed on 20 December 2025).
  24. Eurostat. ICT Security in Enterprises. Statistics Explained. 18 August 2025. Available online: https://ec.europa.eu/eurostat/statistics-explained/index.php/ICT_security_in_enterprises (accessed on 8 January 2026).
  25. Rowlingson, R. A ten-step process for forensic readiness. Int. J. Digit. Evid. 2004, 2, 1–28. [Google Scholar]
  26. Kent, K.; Souppaya, M. SP 800-92: Guide to Computer Security Log Management; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2006.
  27. Mouhtaropoulos, A.; Li, C.-T.; Grobler, M. Digital forensic readiness: Are we there yet? J. Int. Commer. Law Technol. 2014, 9, 173–179. [Google Scholar]
  28. Chandola, V.; Banerjee, A.; Kumar, V. Anomaly detection: A survey. ACM Comput. Surv. 2009, 41, 15. [Google Scholar] [CrossRef]
  29. Chen, H.; Chung, W.; Xu, J.; Wang, G.; Qin, Y.; Chau, M. Crime data mining: A general framework and some examples. Computer 2004, 37, 50–56. [Google Scholar] [CrossRef]
  30. Fayyad, U.; Piatetsky-Shapiro, G.; Smyth, P. From data mining to knowledge discovery in databases. AI Mag. 1996, 17, 37–54. [Google Scholar] [CrossRef]
  31. Hastie, T.; Tibshirani, R.; Friedman, J. The Elements of Statistical Learning: Data Mining, Inference, and Prediction, 2nd ed.; Springer: New York, NY, USA, 2009. [Google Scholar]
  32. LeCun, Y.; Bengio, Y.; Hinton, G. Deep learning. Nature 2015, 521, 436–444. [Google Scholar] [CrossRef] [PubMed]
  33. Bennett, C.J.; Raab, C.D. The Governance of Privacy: Policy Instruments in Global Perspective; MIT Press: Cambridge, MA, USA, 2006. [Google Scholar]
  34. Nissenbaum, H. Privacy in Context: Technology, Policy, and the Integrity of Social Life; Stanford University Press: Stanford, CA, USA, 2010. [Google Scholar]
  35. Boban, M. Zaštita podataka i pravo na privatnost u informacijskom društvu; Školska Knjiga: Zagreb, Croatia, 2019. (In Croatian) [Google Scholar]
  36. Acquisti, A.; Brandimarte, L.; Loewenstein, G. Privacy and human behavior in the age of information. Science 2015, 347, 509–514. [Google Scholar] [CrossRef] [PubMed]
  37. Narayanan, A.; Shmatikov, V. Robust de-anonymization of large sparse datasets. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 18–22 May 2008; pp. 111–125. [Google Scholar] [CrossRef]
  38. Gray, C.M.; Kou, Y.; Battles, B.; Hoggatt, J.; Toombs, A.L. The dark (patterns) side of UX design. In Proceedings of the CHI Conference Human Factors in Computing Systems, Montreal, QC, Canada, 21–26 April 2018; pp. 1–13. [Google Scholar] [CrossRef]
  39. Scarfone, K.; Mell, P. Guide to Intrusion Detection and Prevention Systems (IDPS); NIST Special Publication 800-94; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2007. Available online: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf (accessed on 13 November 2025).
Figure 1. Forensic-Resilience Operational Model (FROM). Note. Solid arrows represent the baseline data-to-decision flow.
Figure 2. Conceptual framework of the Forensic-Resilience Operational Model (FROM) and hypotheses (H1–H4). Arrows indicate the hypothesized positive contributions of each pillar (FR, AD, GP, SII) to the Forensic Resilience Score (FRS).
Figure 3. Results of PLS-SEM analysis with standardized path coefficients. Arrows indicate the hypothesized positive effects of each pillar (FR, AD, GP, SII) on the Forensic Resilience Score (FRS). * All path coefficients shown are statistically significant at p < 0.05.
Figure 4. Practical Application of the FROM Across Target User Groups.
Table 1. Primary indicators for the Forensic-Resilience Operational Model (FROM).

| Pillar | Pipeline Phase (Collection → Integrity → Analytics → Decision → Feedback) | Example Indicators (Meta-Level) |
|---|---|---|
| Forensic Readiness | Collection/Integrity | Proactive logging; Evidence preservation protocols; Cross-layer traceability |
| Advanced Anomaly Detection | Analytics | Hybrid statistical–ML methods; Forensic Signal Score (FSS); Adaptive risk thresholds |
| Governance and Privacy | Decision/Feedback | Embedded privacy safeguards; Compliance audit trails; Algorithmic accountability mechanisms |
| Structured Intelligence Integration | Feedback/Cross-phase | Structured analytic techniques; Evidence-to-intelligence pipelines; Predictive adaptation logs |

Source: Authors’ work. Note. Table 1 maps the four pillars of FROM to measurable indicators across the operational pipeline. These indicators support quantifying FROM’s contribution to resilience.
Table 2. Sample Characteristics (n = 212).

| Sector | % of respondents |
|---|---|
| Energy and Utilities | 26% |
| Finance and Banking | 25% |
| Maritime and Transport | 21% |
| Government and Public Services | 28% |

| Years of professional experience | % of respondents |
|---|---|
| 0–4 years | 7% |
| 5–10 years | 33% |
| 11–15 years | 36% |
| 16+ years | 24% |

| Organizational role | % of respondents |
|---|---|
| Operational/technical staff | 38% |
| Middle management | 35% |
| Senior/executive level | 27% |

| Primary domain expertise | % of respondents |
|---|---|
| Cybersecurity operations | 35% |
| Digital forensics | 28% |
| Resilience and continuity management | 22% |
| Governance and compliance | 15% |

| Professional certification (multiple possible) | % of respondents |
|---|---|
| CISSP/CISM/ISO 27001 Lead Auditor | 42% |
| Vendor-specific (Cisco, Microsoft, etc.) | 31% |
| No formal certification | 27% |

Source: Authors’ work.
Table 3. Descriptive Statistics and Reliability Metrics (n = 212).

| Construct | Mean | SD | Cronbach’s α | CR | AVE |
|---|---|---|---|---|---|
| Forensic Readiness (FR) | 3.82 | 0.71 | 0.84 | 0.87 | 0.58 |
| Anomaly Detection (AD) | 3.76 | 0.68 | 0.81 | 0.85 | 0.56 |
| Governance and Privacy (GP) | 3.65 | 0.74 | 0.83 | 0.86 | 0.57 |
| Structured Intelligence Integration (SII) | 3.70 | 0.69 | 0.85 | 0.88 | 0.60 |
| Forensic Resilience Score (FRS) | 3.73 | 0.70 | 0.88 | 0.91 | 0.62 |

Source: Authors’ work.
Table 4. Structural Model Results: Path Coefficients and Predictive Validity (PLS-SEM).

| Path (H) | β Coefficient | t-Value | p-Value | 95% CI (Lower–Upper) | f² (Effect Size) | R²/R² Adj. | Q² | SRMR |
|---|---|---|---|---|---|---|---|---|
| H1: FR → FRS | 0.28 | 4.12 | <0.001 | 0.15–0.41 | 0.08 (small) | 0.62/0.61 | 0.39 | 0.057 |
| H2: AD → FRS | 0.34 | 5.25 | <0.001 | 0.22–0.46 | 0.12 (medium) | | | |
| H3: GP → FRS | 0.19 | 2.87 | 0.004 | 0.06–0.32 | 0.05 (small) | | | |
| H4: SII → FRS | 0.31 | 4.78 | <0.001 | 0.18–0.44 | 0.10 (medium) | | | |

Source: Authors’ work. R²/R² Adj., Q² and SRMR are model-level values and are reported once for the endogenous construct FRS.
Table 5. Case Study Insights: Sector-Specific Challenges in Forensic Resilience.

| Sector | Key Issue Identified | Illustrative Quote/Observation | Relevance to FROM Pillars |
|---|---|---|---|
| Maritime | Fragmented data flows in multi-jurisdiction incidents | “We lose critical hours because evidence handling differs across ports.” | SII, FR |
| CERTs | Alert fatigue and limited anomaly explainability | “False positives drown analysts, making it hard to prioritize.” | AD |
| Finance | GDPR–resilience trade-offs | “Compliance slows down forensic response, yet we cannot ignore privacy.” | GP |
| Energy | Supply-chain visibility gaps | “Third-party log data often arrives too late for forensic learning.” | SII, AD |

Source: Authors’ work.
Share and Cite

MDPI and ACS Style

Gombar, M.; Možnik, D.; Pejić Bach, M. Anomaly Detection as a Key Driver of Digital Forensic Resilience: Empirical Evidence from Critical Infrastructure Experts. Systems 2026, 14, 213. https://doi.org/10.3390/systems14020213
