Evolving threats and a lack of cybersecurity awareness often leave governments, researchers and citizens with little information on how cyber-resilient a state is. However, knowing the level of cybersecurity of a country, its preparedness to prevent cyber threats and its readiness to manage cyber incidents and criminal activities in cyberspace is an important element of that country’s needs analysis.
This information, in turn, is used during the design and implementation of cyber capacity building programmes. Policymakers can also rely on such data to assess the success of their cybersecurity policies, or to understand how to use limited resources in the most efficient way. Having accessible and transparent information means that researchers can conduct comparative studies and advance the knowledge on cybersecurity matters. Also, the level of cybersecurity in a country impacts the day-to-day decisions of investors, companies and ordinary citizens.
Great amounts of data on cybersecurity are openly available nowadays. However, this does not mean that this information can be easily processed, interpreted and used to make grounded decisions. Furthermore, in the absence of an agreed framework for assessment and a systematic methodology, comparing results can be difficult. If assessment frameworks and methodologies are not transparent, individuals may question the validity of related conclusions.
In a nutshell, measuring cybersecurity requires transparency and a clearly defined framework that everybody can consult. Although several cybersecurity indexes have been launched, many of these did not reveal publicly the whole methodology used, or the criteria and the evidence used in their assessments.
Since 2016, with the support of Estonian Development Cooperation and Humanitarian Aid, managed by the Ministry of Foreign Affairs of Estonia programme, the e-Governance Academy has developed the National Cyber Security Index (NCSI), which provides an assessment of a country’s cybersecurity and also offers an opportunity to see the criteria and sources on which the assessment is based. Thus, the NCSI is a database with publicly available evidence materials and a tool for national cybersecurity capacity building.
The NCSI measures a country’s level of cybersecurity, its preparedness to prevent cyber threats and its readiness to manage cyber incidents, crime and large-scale crises. The NCSI vision is to develop a comprehensive cybersecurity measurement tool that provides accurate and up-to-date public information about national cybersecurity.
The NCSI focuses on measurable cybersecurity aspects that are implemented by the central government, and aims to identify which gaps in policies and strategies should be filled to improve the cybersecurity of a specific country.
The NCSI is based on a transparent methodology. On the NCSI’s webpage, every country has a page that provides a detailed description of all indicators, along with the evidence on which the country’s score is based (e.g. a link to a law or strategy, a website of a competent authority, a news article about a training activity or another relevant document). Of course, a high ranking does not mean that cyberattacks and other cyber-related incidents will not take place. However, a high NCSI score means that the probability of cyber incidents having significant impacts is low.
The NCSI website also represents a large database of references to cybersecurity documents and activities around the world.
You can learn more about this project here.