A system dynamics, epidemiological approach for high-level cyber-resilience to zero-day vulnerabilities

Cyber-attacks are serious threats to operations in most industries, enabled by a growing dependence on Information Technology (IT). To minimise disruptive effects on operations, organisations with complex system derive value both from preventing cyber-attacks and from responding promptly and coherently when cyber-attacks happen, capacity is known as cyber-resilience. Frameworks have been presented in literature to promote cyber-resilient response, yet little is known about the structures that result in a cyber-resilient behaviour. This paper explores an approach to modelling the structure of a system that is subject to an infection an eventual recovery from zero-day malware cyber-attacks, based on mechanisms derived from epidemiology. By analysing the relationship between the system vulnerabilities and the incidence of malware infections in a population of systems, this paper derives structural recommendations for resilience response, and policy requirements based on the claim that cyber-threats are a public-cyber-health issue instead of merely a competitive factor.