Measuring Cyber Readiness: Why Defence Still Lacks a Metric

Most organisations invest heavily in cyber security tools, compliance frameworks, and awareness programmes. Yet one fundamental question often remains unanswered:

Cyber resilience is widely discussed but rarely measured in a structured, quantitative way. This gap leaves leadership teams relying on compliance checklists and technical reports that provide little clarity about real defensive readiness.

Dr Speffle Cyber Resilience (DSCR) exists to address that gap.

Cyber Security Has a Measurement Problem

Most cyber security programmes rely on a mixture of:

  • Compliance frameworks
  • Technical control audits
  • Vulnerability scanning
  • Training completion metrics

These artefacts demonstrate that activities occur, but they rarely measure defensive effectiveness.

A security programme may be compliant and still remain structurally vulnerable to ransomware propagation.

Without measurable indicators of resilience, organisations struggle to answer critical questions:

  • How quickly could ransomware spread internally?
  • How exposed is the organisation to entry points?
  • Which structural conditions amplify cyber risk?
  • What evidence can demonstrate cyber readiness to insurers or regulators?

This measurement gap sits at the centre of modern cyber risk governance.

Quantitative Cyber Resilience

DSCR focuses on measuring cyber resilience rather than simply describing it.

The work combines:

  • Academic security research
  • Enterprise architecture analysis
  • Governance and regulatory interpretation

to develop structured metrics capable of quantifying defensive readiness.

Rather than focusing on individual technologies, DSCR analyses how organisational structure influences cyber risk propagation.

Key areas examined include:

  • Governance structures
  • Identity architecture
  • Operational technology dependencies
  • Detection capability
  • Backup and recovery resilience

These structural variables interact to determine how quickly ransomware can spread and how effectively organisations can respond.

Research Foundations

The analytical models used by DSCR originate from academic research into cyber resilience metrics.

Recent work includes:

  • Phishing Resilience Metrics | Measuring human-layer susceptibility and reporting agility
  • Operational Spread Window | Modelling potential ransomware propagation speed

These frameworks aim to translate complex security behaviour into clear, measurable indicators that can be interpreted by both technical and executive audiences.

Why Measurement Matters

Security teams already generate large volumes of operational data.

However, without meaningful transformation, this data rarely answers the most important governance question:

Are we becoming more resilient over time?

Quantitative metrics enable organisations to:

  • Track defensive improvement
  • Demonstrate readiness to insurers
  • Support regulatory assurance
  • Prioritise security investment
  • Identify structural weaknesses before incidents occur

Measurement turns cyber resilience from a narrative into evidence.

Summary

Cyber security programmes have matured dramatically over the past decade.

Yet organisations still lack a clear way to measure defensive readiness before incidents occur.

The goal of DSCR is simple:

To transform cyber resilience from a qualitative concept into a measurable organisational capability.