{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,17]],"date-time":"2026-02-17T14:16:18Z","timestamp":1771337778822,"version":"3.50.1"},"reference-count":55,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2026,2,17]],"date-time":"2026-02-17T00:00:00Z","timestamp":1771286400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Systems"],"abstract":"<jats:p>Ensuring strategic resilience in critical infrastructures supported with a machine learning approach requires moving beyond compliance checklists and post-incident analysis toward proactive, intelligence-based approaches. This study introduces the Forensic Resilience Operational Model (FROM), a systems thinking framework designed to embed forensic intelligence into the resilience cycle of complex socio-technical systems. To quantify this integration, the study investigates the determinants of the extent to which four operational pillars (forensic readiness, anomaly detection, governance and privacy safeguards, and structured intelligence integration) affect forensic resilience, using empirical survey data from 212 cybersecurity professionals across critical infrastructure sectors. We deploy Partial Least Squares Structural Equation Modelling (PLS-SEM) to investigate these relationships, and the results confirm that anomaly detection is the strongest contributor to forensic resilience, followed by structured intelligence integration and forensic readiness. Governance safeguards, while comparatively weaker, provide the necessary legitimacy and assurance of compliance. Supported with sector-specific case studies in the maritime, financial, and CERT domains, the findings highlight both the adaptability of the proposed FROM and the operational constraints encountered in real-world contexts. The study contributes to the field of systems-oriented strategic management by demonstrating that, when systematically embedded, forensic intelligence enhances adaptive capacity, supports predictive decision-making, and strengthens resilience in environments characterized by uncertainty and high complexity.<\/jats:p>","DOI":"10.3390\/systems14020213","type":"journal-article","created":{"date-parts":[[2026,2,17]],"date-time":"2026-02-17T13:15:35Z","timestamp":1771334135000},"page":"213","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Anomaly Detection as a Key Driver of Digital Forensic Resilience: Empirical Evidence from Critical Infrastructure Experts"],"prefix":"10.3390","volume":"14","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-8621-4007","authenticated-orcid":false,"given":"Marija","family":"Gombar","sequence":"first","affiliation":[{"name":"General Staff of the Armed Forces of the Republic of Croatia, 10000 Zagreb, Croatia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Darko","family":"Mo\u017enik","sequence":"additional","affiliation":[{"name":"University of Applied Sciences, 10000 Zagreb, Croatia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3899-6707","authenticated-orcid":false,"given":"Mirjana","family":"Peji\u0107 Bach","sequence":"additional","affiliation":[{"name":"Faculty of Economics and Business, University of Zagreb, 10000 Zagreb, Croatia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2026,2,17]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Baylis, J., and Wirtz, J. (2017). Strategy in the Contemporary World, Oxford University Press.","DOI":"10.1093\/hepl\/9780198807100.001.0001"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Buzan, B., and W\u00e6ver, O. (2003). Regions and Powers: The Structure of International Security, Cambridge University Press.","DOI":"10.1017\/CBO9780511491252"},{"key":"ref_3","unstructured":"Croft, S., and Terriff, T. (2000). Critical Reflections on Security and Change, Frank Cass."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Linkov, I., and Palma-Oliveira, J.M. (2017). Resilience and Risk: Methods and Application in Environment, Cyber and Social Domains, Springer.","DOI":"10.1007\/978-94-024-1123-2"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"19540","DOI":"10.1038\/srep19540","article-title":"Operational resilience: Concepts, design and analysis","volume":"6","author":"Ganin","year":"2016","journal-title":"Sci. Rep."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"114","DOI":"10.1016\/j.ress.2011.09.002","article-title":"Generic metrics and quantitative approaches for system resilience as a function of time","volume":"99","author":"Henry","year":"2012","journal-title":"Reliab. Eng. Syst. Saf."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1109\/MCC.2016.5","article-title":"Forensic-by-Design Framework for Cyber-Physical Cloud Systems","volume":"3","author":"Rahman","year":"2016","journal-title":"IEEE Cloud Comput."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Dehghantanha, A., and Choo, K.-K.R. (2019). Private Cloud Storage Forensics: Seafile as a Case Study. Handbook of Big Data and IoT Security, Springer.","DOI":"10.1007\/978-3-030-10543-3"},{"key":"ref_9","unstructured":"Republic of Croatia (2025, December 15). Zakon o Kriti\u010dnoj Infrastrukturi (Narodne Novine, NN 89\/2025). Available online: https:\/\/narodne-novine.nn.hr\/clanci\/sluzbeni\/2025_06_89_1232.html."},{"key":"ref_10","unstructured":"IMO (2025, December 01). Resolution MSC.428(98)\u2014Maritime Cyber Risk Management in Safety Management Systems. Available online: https:\/\/wwwcdn.imo.org\/localresources\/en\/OurWork\/Security\/Documents\/Resolution%20MSC.428(98).pdf."},{"key":"ref_11","unstructured":"IMO (2025, November 23). MSC-FAL.1\/Circ 3\/Rev.2\u2014Guidelines on Maritime Cyber Risk Management. Available online: https:\/\/wwwcdn.imo.org\/localresources\/en\/OurWork\/Security\/Documents\/MSC-FAL.1-Circ.3-Rev.2%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20(Secretariat).pdf."},{"key":"ref_12","unstructured":"IACS (2025, November 28). Recommendation No.166\u2014Cyber Resilience. Available online: https:\/\/www.steamshipmutual.com\/sites\/default\/files\/downloads\/articles\/2020\/IACS-Recommendation-on-Cyber-resilience-No-166-2020_04.pdf."},{"key":"ref_13","unstructured":"(2018). Maritime Navigation and Radiocommunication Equipment and Systems\u2014Ethernet Interconnection (Standard No. IEC 61162-450)."},{"key":"ref_14","unstructured":"EMSA (2020). Guidelines on Cyber Security Onboard Ships, European Maritime Safety Agency."},{"key":"ref_15","unstructured":"ENISA (2019). Port Cybersecurity\u2014Good Practices for Cybersecurity in the Maritime Sector, European Union Agency for Cybersecurity."},{"key":"ref_16","unstructured":"ENISA (2020). Maritime Cybersecurity Challenges, European Union Agency for Cybersecurity."},{"key":"ref_17","unstructured":"Kessler, G.C., and Shepard, S. (2022). Maritime Cybersecurity: A Guide for Leaders and Managers, Rowman & Littlefield."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"184","DOI":"10.1080\/20464177.2023.2298521","article-title":"Adversarial waypoint injection attacks on Maritime Autonomous Surface Ships (MASS) collision avoidance systems","volume":"23","author":"Longo","year":"2024","journal-title":"J. Mar. Eng. Technol."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"129","DOI":"10.1007\/s13437-019-00162-2","article-title":"MaCRA: A model-based framework for maritime cyber-risk assessment","volume":"18","author":"Tam","year":"2019","journal-title":"WMU J. Marit. Aff."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Tam, K., and Jones, K. (2018, January 11\u201312). Cyber-Risk Assessment for Autonomous Ships. Proceedings of the 2018 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), Glasgow, UK.","DOI":"10.1109\/CyberSecPODS.2018.8560690"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"547","DOI":"10.3166\/ejc.17.547-567","article-title":"Smart grid: Overview, issues and opportunities. Advances and challenges in sensing, modeling, simulation, optimization, and control","volume":"17","author":"Amin","year":"2011","journal-title":"Eur. J. Control"},{"key":"ref_22","unstructured":"Europol (2022). Serious and Organised Crime Threat Assessment (SOCTA), Europol."},{"key":"ref_23","unstructured":"United Nations Office on Drugs and Crime (UNODC) (2023). Annual Report 2023, UNODC. Available online: https:\/\/www.unodc.org\/documents\/AnnualReport\/UNODC_REPORT_2023-WEB.pdf."},{"key":"ref_24","unstructured":"Eurostat (2026, January 08). ICT Security in Enterprises. Statistics Explained. Available online: https:\/\/ec.europa.eu\/eurostat\/statistics-explained\/index.php\/ICT_security_in_enterprises."},{"key":"ref_25","first-page":"1","article-title":"A ten-step process for forensic readiness","volume":"2","author":"Rowlingson","year":"2004","journal-title":"Int. J. Digit. Evid."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Kent, K., and Souppaya, M. (2006). SP 800-92: Guide to Computer Security Log Management.","DOI":"10.6028\/NIST.SP.800-92"},{"key":"ref_27","first-page":"173","article-title":"Digital forensic readiness: Are we there yet?","volume":"9","author":"Mouhtaropoulos","year":"2014","journal-title":"J. Int. Commer. Law Technol."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1145\/1541880.1541882","article-title":"Anomaly detection: A survey","volume":"41","author":"Chandola","year":"2009","journal-title":"ACM Comput. Surv."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1109\/MC.2004.1297301","article-title":"Crime data mining: A general framework and some examples","volume":"37","author":"Chen","year":"2004","journal-title":"Computer"},{"key":"ref_30","first-page":"37","article-title":"From data mining to knowledge discovery in databases","volume":"17","author":"Fayyad","year":"1996","journal-title":"AI Mag."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Hastie, T., Tibshirani, R., and Friedman, J. (2009). The Elements of Statistical Learning: Data Mining, Inference, and Prediction, Springer. [2nd ed.].","DOI":"10.1007\/978-0-387-84858-7"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"436","DOI":"10.1038\/nature14539","article-title":"Deep learning","volume":"521","author":"LeCun","year":"2015","journal-title":"Nature"},{"key":"ref_33","unstructured":"Bennett, C.J., and Raab, C.D. (2006). The Governance of Privacy: Policy Instruments in Global Perspective, MIT Press."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Nissenbaum, H. (2010). Privacy in Context: Technology, Policy, and the Integrity of Social Life, Stanford University Press.","DOI":"10.1515\/9780804772891"},{"key":"ref_35","unstructured":"Boban, M. (2019). Za\u0161tita podataka i pravo na privatnost u informacijskom dru\u0161tvu, \u0160kolska Knjiga. (In Croatian)."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"509","DOI":"10.1126\/science.aaa1465","article-title":"Privacy and human behavior in the age of information","volume":"347","author":"Acquisti","year":"2015","journal-title":"Science"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Narayanan, A., and Shmatikov, V. (2008, January 18\u201322). Robust de-anonymization of large sparse datasets. Proceedings of the 2008 IEEE Symposium on Security and Privacy, Oakland, CA, USA.","DOI":"10.1109\/SP.2008.33"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Gray, C.M., Kou, Y., Battles, B., Hoggatt, J., and Toombs, A.L. (2018, January 21\u201326). The dark (patterns) side of UX design. Proceedings of the CHI Conference Human Factors in Computing Systems, Montreal, QC, Canada.","DOI":"10.1145\/3173574.3174108"},{"key":"ref_39","unstructured":"Scarfone, K., and Mell, P. (2025, November 13). Guide to Intrusion Detection and Prevention Systems (IDPS), Available online: https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-94.pdf."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Li, Z., Fang, W., Zhu, C., Song, G., and Zhang, W. (2024, January 24\u201326). Toward Deep Learning based Intrusion Detection System: A Survey. Proceedings of the 2024 6th International Conference on Big Data Engineering (BDE \u201824), Xining, China.","DOI":"10.1145\/3688574.3688578"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Sommer, R., and Paxson, V. (2010, January 16\u201319). Outside the closed world: On using machine learning for network intrusion detection. Proceedings of the 2010 IEEE Symposium on Security and Privacy, Oakland, CA, USA.","DOI":"10.1109\/SP.2010.25"},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"407","DOI":"10.1038\/nclimate2227","article-title":"Changing the resilience paradigm","volume":"4","author":"Linkov","year":"2014","journal-title":"Nat. Clim. Change"},{"key":"ref_43","unstructured":"Bodeau, D., and Graubart, R. (2025, September 26). Cyber Resiliency Design Principles. MITRE Corporation. Available online: https:\/\/www.mitre.org\/publications\/technical-papers\/cyber-resiliency-design-principles."},{"key":"ref_44","unstructured":"Centre for Information Policy Leadership (CIPL) (2019). GDPR Implementation in Organisations: Readiness Survey Report, CIPL. Available online: https:\/\/informationpolicycentre.com\/uploads\/5\/7\/1\/0\/57104281\/cipl_avepoint_-_organisational_readiness_for_the_eu_gdpr__2nd_edition_.pdf."},{"key":"ref_45","doi-asserted-by":"crossref","first-page":"398","DOI":"10.1016\/j.clsr.2017.12.002","article-title":"Clarity, surprises, and further questions in the Article 29 Working Party draft guidance on automated decision-making and profiling","volume":"34","author":"Veale","year":"2018","journal-title":"Comput. Law Secur. Rev."},{"key":"ref_46","unstructured":"Clark, R.M. (2010). Intelligence Analysis: A Target-Centric Approach, CQ Press. [3rd ed.]."},{"key":"ref_47","unstructured":"European Union Agency for Cybersecurity (ENISA) (2021). Cyber Threat Intelligence (CTI) Adoption in the EU, ENISA. Available online: https:\/\/www.enisa.europa.eu\/publications\/cyberthreat-intelligence-overview."},{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Gombar, M., and Boban, M. (2025, January 2\u20136). Research on the impact of algorithmic echo chambers on perceptions and attitudes of social network users in a digital society. Proceedings of the MIPRO 48th ICT and Electronics Convention, Opatija, Croatia.","DOI":"10.1109\/MIPRO65660.2025.11131918"},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Perry, W.L., McInnis, B., Price, C.C., Smith, S.C., and Hollywood, J.S. (2013). Predictive Policing: The Role of Crime Forecasting in Law Enforcement Operations, RAND Corporation.","DOI":"10.7249\/RR233"},{"key":"ref_50","unstructured":"(2022). Information Security, Cybersecurity and Privacy Protection\u2014Information Security Management Systems\u2014Requirements (Standard No. ISO\/IEC 27001:2022)."},{"key":"ref_51","doi-asserted-by":"crossref","first-page":"1399","DOI":"10.1080\/01621459.2015.1077710","article-title":"Randomized controlled field trials of predictive policing","volume":"110","author":"Mohler","year":"2015","journal-title":"J. Am. Stat. Assoc."},{"key":"ref_52","first-page":"63","article-title":"Understanding impact of business intelligence to organizational performance using cluster analysis: Does culture matter?","volume":"6","author":"Bach","year":"2018","journal-title":"Int. J. Inf. Syst. Proj. Manag."},{"key":"ref_53","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1111\/j.1740-9713.2016.00960.x","article-title":"To predict and serve?","volume":"13","author":"Lum","year":"2016","journal-title":"Significance"},{"key":"ref_54","doi-asserted-by":"crossref","first-page":"42","DOI":"10.1177\/0002716203262548","article-title":"What can police do to reduce crime, disorder, and fear?","volume":"593","author":"Weisburd","year":"2004","journal-title":"Ann. Am. Acad. Political Soc. Sci."},{"key":"ref_55","doi-asserted-by":"crossref","unstructured":"Bach, M.P., Klin\u010dar, A., Aleksi\u0107, A., Jela\u010di\u0107, S.R., and Zeqiri, J. (2023). Supply chain management maturity and business performance: The balanced scorecard perspective. Appl. Sci., 13.","DOI":"10.3390\/app13042065"}],"container-title":["Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2079-8954\/14\/2\/213\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,17]],"date-time":"2026-02-17T13:28:01Z","timestamp":1771334881000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2079-8954\/14\/2\/213"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,17]]},"references-count":55,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2026,2]]}},"alternative-id":["systems14020213"],"URL":"https:\/\/doi.org\/10.3390\/systems14020213","relation":{},"ISSN":["2079-8954"],"issn-type":[{"value":"2079-8954","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,17]]}}}