Good Cyber Story
Country: Estonia
Dominant Genes: Diversity, Local Ownership, Political Importance
DNA sequence Info

National Cyber Security Index

Nsci 1

The challenge

Evolving threats and a lack of cybersecurity awareness often leave governments, researchers and citizens with little information on how cyber-resilient a state is. However, knowing the level of cybersecurity of a country, its preparedness to prevent cyber threats and its readiness to manage cyber incidents and criminal activities in cyberspace is an important element of that country’s needs analysis.

This information, in turn, is used during the design and implementation of cyber capacity building programmes. Policymakers can also rely on such data to assess the success of their cybersecurity policies, or to understand how to use limited resources in the most efficient way. Having accessible and transparent information means that researchers can conduct comparative studies and advance the knowledge on cybersecurity matters. Also, the level of cybersecurity in a country impacts the day-to-day decisions of investors, companies and ordinary citizens.

Great amounts of data on cybersecurity are openly available nowadays. However, this does not mean that this information can be easily processed, interpreted and used to make grounded decisions. Furthermore, in the absence of an agreed framework for assessment and a systematic methodology, comparing results can be difficult. If assessment frameworks and methodologies are not transparent, individuals may question the validity of related conclusions.

In a nutshell, measuring cybersecurity requires transparency and a clearly defined framework that everybody can consult. Although several cybersecurity indexes have been launched, many of these did not reveal publicly the whole methodology used, or the criteria and the evidence used in their assessments.

A response

Since 2016, with the support of Estonian Development Cooperation and Humanitarian Aid, managed by the Ministry of Foreign Affairs of Estonia programme, the e-Governance Academy has developed the National Cyber Security Index (NCSI), which provides an assessment of a country’s cybersecurity and also offers an opportunity to see the criteria and sources on which the assessment is based. Thus, the NCSI is a database with publicly available evidence materials and a tool for national cybersecurity capacity building.

The NCSI measures a country’s level of cybersecurity, its preparedness to prevent cyber threats and its readiness to manage cyber incidents, crime and large-scale crises. The NCSI vision is to develop a comprehensive cybersecurity measurement tool that provides accurate and up-to-date public information about national cybersecurity.

The NCSI focuses on measurable cybersecurity aspects that are implemented by the central government, and aims to identify which gaps in policies and strategies should be filled to improve the cybersecurity of a specific country.

The NCSI is based on a transparent methodology. On the NCSI’s webpage, every country has a page that provides a detailed description of all indicators, along with the evidence on which the country’s score is based (e.g. a link to a law or strategy, a website of a competent authority, a news article about a training activity or another relevant document). Of course, a high ranking does not mean that cyberattacks and other cyber-related incidents will not take place. However, a high NCSI score means that the probability of cyber incidents having significant impacts is low.

The NCSI website also represents a large database of references to cybersecurity documents and activities around the world.

You can learn more about this project here.

The Impact

There are several examples of countries that have used NCSI in national cybersecurity policy planning. It is also used to justify the spending inside the country. In Finland, Georgia and Belgium, relevant authorities responsible for cybersecurity on a national level have used the NCSI index as an official benchmark to assess their existing activities and create milestones for improving their national cybersecurity. Reliance on the internationally recognised benchmark is beneficial for governments when preparing or implementing their cybersecurity strategy implementation plans. Thus, the index helps governments to justify their planned activities, ground the need for additional human resources and base their allocations from the state budget or from other sources.

In its 2017 comparison of cybersecurity indices, the International Telecommunication Union found the NCSI to be one of the most detailed. Its advantage over others is the opportunity it provides for countries to identify areas of cybersecurity in need of improvement. In recent years, the NCSI has gained international recognition and rapidly increased the number of countries it covers. At the beginning of 2020, the index contained data on around 160 countries.

Project DNA

Which aspects of this project have contributed to its success? And which, according to the implementing organisations, might play an important role in launching similar initiatives in other parts of the world? The project DNA profiling on the basis of the Good Cyber Stories framework highlighted the importance of three success genes in particular:

D - Diversity

Legal and Institutional Framework

O - Local Ownership

Local Ownership

I - Political Importance


National Cyber Security Index

Project DNA

Multi-Stakeholder Participation
Local Ownership
Organisational Capacity
Transparency and Accountability
Legal and Institutional Framework
Political Importance
Societal Awareness

Join the EU Cyber Direct Network

Subscribe to the EU Cyber Direct newsletter and receive updates on our latest research, news, and events