State-level Cyber Resilience: A Conceptual Framework

There is currently a gap in our academic and practical understanding of the concept of resilience in cyber space at the level of the state, hampering research and policy- making due to the lack of a rigorously constructed, shared terminology. This article contributes to this area by providing a comprehensive capacities-based conceptualisation of state-level cyber resilience. After establishing that cyber resilience is necessary and that it should be developed at the state level, we perform a rigorous exploration of the concept of resilience as it pertains to the different areas involved in state-level cyber resilience. Seeking the most salient characteristics of each one, we identify from the general concept of resilience that it is a non-static process requiring an availability of assets; from state resilience, we identify that resilience capacities are harboured at multiple levels and across actors within the polity; and from cyber resilience, we identify that there is a plethora of different potential damages. Taking all this into consideration, our resulting concept of state-level cyber resilience is the following: the ability of a state, which (a) is made up of multiple layers, to (b) harness a set of key assets in order to (c) confront a particular type of damage to its cyber space, by (d) going through the stages of coping and eventually recovering to its normal state. Having constructed this conceptual framework, this work aids researchers and decision-makers by providing a common terminology and fostering a systematic, multidimensional approach to states’ capacity for resilience in cyber-space.