Better policies in the area of information security and privacy should be based on evidence.
The OECD is working on analysing the statistical data available in this area and exploring how to improve it. This includes the two following projects.
Improving the Evidence Base for Information Security and Privacy Policies
This report explores the potential for the development of better indicators to inform the policy making process in the areas of information security, privacy and the protection of children online. It shows in particular that there is an underexploited wealth of empirical data that, if mined and made comparable, will enrich the current evidence base for policy making. Such indicators would help identify areas where policy interventions are most clearly warranted, and can provide guidance on designing policy interventions and determining their effectiveness.
Download the report: "Improving the Evidence Base for Information Security and Privacy Policies".
Improving the international comparability of CSIRT statistics
Building on the findings of the above-mentioned report, the OECD has launched a project with the community of Computer Security Incident Response Teams (CSIRTs) to enhance the comparability of the statistics they generate, with a view to better informing the policy making process.
Computer Security Incident Response Teams (CSIRTs) generate statistics based on their daily activities (e.g. issuing alerts and warnings, handling incidents, etc.). They also collect data that could be used for statistical purposes (e.g. about spam activity). However, the international comparability of such existing or potential statistics raises many challenges for “cybersecurity” policy making. This project seeks to understand these challenges and explore how they may be overcome.
The aim of the project is to deliver a statistical guide or manual that CSIRTs could follow to ensure quality and international comparability of their statistics. It would include guidance on taxonomy, granularity, frequency and the format of these statistics as well as on the creation of indicators for supporting policy making.
The project involves a joint effort of communities in three complementary areas of expertise:
- Computer emergency and incident response: the CSIRT community is a key partner to the project.
- Cybersecurity risk policy making: the project was initiated at the OECD ICCP WPISP, and the APEC Telecommunications and Information Working Group, Security and Prosperity Steering Group (APEC TEL SPSG) has agreed to participate.
- Internationally comparable statistics for better policies: the OECD is the international forum for developing internationally recognised statistical guides and manuals. Examples in other areas include the OECD Guide to Measuring the Information Society, the OECD Patent Statistics Manual, the OECD Oslo Manual (on measuring innovation), and the OECD Frascati Manual (on measuring research and development).
The work with CSIRTs is being undertaken in two phases.
- The first phase aims to understand the specific challenges and opportunities related to CSIRT statistics. This includes understanding how CSIRTs work and the impact on the generation of data and statistics, as well as the use of standards for the classification of incidents and other aspects of their daily routines.
- The second phase aims to develop a statistical guide or manual to facilitate the production of internationally comparable CSIRT indicators.
For more information, please contact laurent dot bernat at oecd dot org.