National Cyber Security Index
Evolving threats and a lack of cybersecurity awareness often leave governments, researchers and citizens with little information on how cyber-resilient a state is. However, knowing the level of cybersecurity of a country, its preparedness to prevent cyber threats and its readiness to manage cyber incidents and criminal activities in cyberspace is an important element of that country’s needs analysis.
This information, in turn, is used during the design and implementation of cyber capacity building programmes. Policymakers can also rely on such data to assess the success of their cybersecurity policies, or to understand how to use limited resources in the most efficient way. Having accessible and transparent information means that researchers can conduct comparative studies and advance the knowledge on cybersecurity matters. Also, the level of cybersecurity in a country impacts the day-to-day decisions of investors, companies and ordinary citizens.
Great amounts of data on cybersecurity are openly available nowadays. However, this does not mean that this information can be easily processed, interpreted and used to make grounded decisions. Furthermore, in the absence of an agreed framework for assessment and a systematic methodology, comparing results can be difficult. If assessment frameworks and methodologies are not transparent, individuals may question the validity of related conclusions.
In a nutshell, measuring cybersecurity requires transparency and a clearly defined framework that everybody can consult. Although several cybersecurity indexes have been launched, many of these did not reveal publicly the whole methodology used, or the criteria and the evidence used in their assessments.
Since 2016, with the support of Estonian Development Cooperation and Humanitarian Aid, managed by the Ministry of Foreign Affairs of Estonia programme, the e-Governance Academy has developed the National Cyber Security Index (NCSI), which provides an assessment of a country’s cybersecurity and also offers an opportunity to see the criteria and sources on which the assessment is based. Thus, the NCSI is a database with publicly available evidence materials and a tool for national cybersecurity capacity building.
The NCSI measures a country’s level of cybersecurity, its preparedness to prevent cyber threats and its readiness to manage cyber incidents, crime and large-scale crises. The NCSI vision is to develop a comprehensive cybersecurity measurement tool that provides accurate and up-to-date public information about national cybersecurity.
The NCSI focuses on measurable cybersecurity aspects that are implemented by the central government, and aims to identify which gaps in policies and strategies should be filled to improve the cybersecurity of a specific country.
The NCSI is based on a transparent methodology. On the NCSI’s webpage, every country has a page that provides a detailed description of all indicators, along with the evidence on which the country’s score is based (e.g. a link to a law or strategy, a website of a competent authority, a news article about a training activity or another relevant document). Of course, a high ranking does not mean that cyberattacks and other cyber-related incidents will not take place. However, a high NCSI score means that the probability of cyber incidents having significant impacts is low.
The NCSI website also represents a large database of references to cybersecurity documents and activities around the world.
You can learn more about this project here.
There are several examples of countries that have used NCSI in national cybersecurity policy planning. It is also used to justify the spending inside the country. In Finland, Georgia and Belgium, relevant authorities responsible for cybersecurity on a national level have used the NCSI index as an official benchmark to assess their existing activities and create milestones for improving their national cybersecurity. Reliance on the internationally recognised benchmark is beneficial for governments when preparing or implementing their cybersecurity strategy implementation plans. Thus, the index helps governments to justify their planned activities, ground the need for additional human resources and base their allocations from the state budget or from other sources.
In its 2017 comparison of cybersecurity indices, the International Telecommunication Union found the NCSI to be one of the most detailed. Its advantage over others is the opportunity it provides for countries to identify areas of cybersecurity in need of improvement. In recent years, the NCSI has gained international recognition and rapidly increased the number of countries it covers. At the beginning of 2020, the index contained data on around 160 countries.
Which aspects of this project have contributed to its success? And which, according to the implementing organisations, might play an important role in launching similar initiatives in other parts of the world? The project DNA profiling on the basis of the Good Cyber Stories framework highlighted the importance of three success genes in particular:
D – Diversity
As with every assessment exercise, diversity of inputs guarantees scientifically grounded results and a ranking that is as objective as possible. In the case of the NCSI, several ways are used to collect data for the index: country’s government officials provide the data, together with organisations and experts. The NCSI team also conducts a public data collection, and the information provided is reviewed by at least two NCSI experts. This diversity of inputs and perspectives contributes positively to the quality of the Index.
O – Local ownership
NCSI would not be possible without strong local ownership. The index relies on data that is mainly provided by the country’s government officials or a public data collection conducted by the NCSI team. This is why the NCSI is established in cooperation with representatives of governments and experts. In some cases, a relevant organisation or individual provides the data. Local ownership is crucial also in the process of maintaining and updating the information: as data collection, review and publication is a continuous process and there are no annual iterations, national policymakers, institutions and local experts are best placed to provide fast and precise updates.
The local ownership ‘gene’ is reinforced by the project’s commitment to transparency and accountability. On the NCSI’s website, every country has a page that provides a detailed description of all indicators along with the evidence on which the country’s score in the index is based. The authors consider evidence to be, for example, a link to a law or strategy, to a website of a competent authority, to a news article about a training activity or to another relevant document. Therefore, the NCSI website is one large database of references to cybersecurity documents and activities around the world. Maintaining such a public database and presenting the evidence transparently on the web distinguishes the NCSI from other methodologies in the same field.
F – Legal and institutional framework
Legal and institutional frameworks are essential for the quality and completeness of the index. Country ratings are based on public evidence: in particular on the country’s legal acts, official documents and official websites. The availability of these data in English, the proactiveness of government bodies and institutions in submitting them to the NCSI experts for review, and clarity on the strategies and the competencies of each institution are crucial for the creation and maintenance of the index.
NCSI has a fully scalable setting. The implementers maintain continuously the NCSI database, collection and update of data about countries and development of the contact network of collaborators in up to 180 countries. Building on the assessments, the e-Governance Academy provides assistance on an ongoing basis in partner countries.