Better policies in the area of information security and privacy should be based on evidence. However, the collection of quantitative data and the development of robust statistical indicators related to trust is extremely challenging.
In 2012, the OECD released a report exploring the potential for the development of better indicators to inform the policy making process in the areas of security and privacy risk management, as well as the protection of children online. The work shows that there is an underexploited wealth of empirical data that, if mined and made comparable, will enrich the current evidence base for policy making.
Building on the findings of this report, the OECD is running a project with the community of Computer Security Incident Response Teams (CSIRTs) to enhance the international comparability of the statistics they generate with a view to better inform the “cybersecurity” policy making process.
CSIRTs generate statistics based on their daily activities: issuing alerts and warnings, handling incidents, etc.. However, such statistics are generally not internationally comparable. CSIRTs also collect data or potentially have access to data that could be used to generate statistics on other relevant phenomena if appropriate guidance was available. This project seeks to understand these challenges and identify how to overcome them.
The aim is to deliver a statistical guide or manual that CSIRTs could follow to ensure quality and international comparability of their statistics. It would include guidance on taxonomy, granularity, frequency and the format of these statistics as well as on the creation of statistical indicators for supporting policy making.
The project involves a joint effort of communities in three complementary areas of expertise:
The work with CSIRTs is being undertaken in two phases:
Other OECD work on security and privacy measurement
For more information
Please contact firstname.lastname@example.org