EU Agency Presents the First Report Ever on how to Measure IT Resilience

By Enisa - European Network And Information Security Agency, PRNE
Sunday, March 27, 2011

"If you Cannot Measure it, you Cannot Improve it!" - Lord Kelvin

BRUSSELS and HERAKLION, Greece, March 28, 2011 - Business and governments are all reliant on secure networks,
but how do you measure the resilience of these networks? The European Network
and Information Security Agency (ENISA) has published the 'Main Challenges
and Recommendations on Network and Service Resilience Metrics' report, as
well as a technical report. These are the first ever reports in Europe to
address this area's lack of holistic review.

To view the Multimedia News Release, please click:

Metrics and a measurement framework are essential to the
assessment of practices and policies to improve network and service
resilience. The desktop research done by ENISA shows that a) there are very
few existing frameworks and not one is globally acceptable; b) there are no
standard practices, as different organisations use diverse sets of baseline
metrics and frameworks; and c) it is difficult to combine or aggregate
diverse frameworks in a high-level assessment.

The main resilience metrics challenges include:

- A lack of standard practices across the industry and public sectors

- Organisations using own-specific approaches and means to measure
resilience, if at all;

- Resilience metrics being difficult to deploy, due to lack of knowledge
and awareness;

- A lack of analysis, long and active co-operation towards a common
understanding and approach;

- The usefulness and value of resilience metrics declining when
complexity increases; and

- A lack of tools and solutions.

The key consensus recommendations are:

- To create a common understanding and practice or standard of resilience
metrics (Taxonomy, Description and set of baseline metrics, Impact factors);

- To undertake further research on open issues in resilience metrics
(Aggregation, Composition, Thresholds, Data Analysis);

- To develop tools and software to automate the deployment of resilience

- To collect and analyse data;

- To promote good practices and information sharing; and

- To deploy a conservative approach to introducing metrics (i.e. to start
with a small set of metrics).

The technical report is a first step towards building a common
understanding, good practices and standards for resilience metrics. It
holistically reviews the existing frameworks, models, classification of
metrics, and baseline metrics.

"It is imperative for Critical Information Infrastructures Protection to
be able to accurately measure the security and resilience in Europe, " says
Prof. Udo Helmbrecht, Executive Director of ENISA.

A new video clip on resilience metrics is available here (

For background EU framework:

Critical Information Infrastructure Protection (CIIP) Action Plan

(Due to the length of this URL, it may be necessary to copy and paste
this hyperlink into your Internet browser's URL address field. Remove the
space if one exists.)

Digital Agenda (

For full papers:

For interviews, or further details: Ulf Bergstrom, Spokesman, ENISA,
press at, Mobile: +30-6948-460-143, or Panagiotis Trimintzios,
Expert, ENISA, panagiotis.trimintzios at

will not be displayed