Economie de l'Internet

Security and privacy indicators

Improving the international comparability of Computer Security Incident Response Teams statistics

Better policies in the area of information security and privacy should be based on evidence. However, the collection of quantitative data and the development of robust statistical indicators related to trust is extremely challenging.

In 2012, the OECD released a report exploring the potential for the development of better indicators to inform the policy making process in the areas of security and privacy risk management, as well as the protection of children online. The work shows that there is an underexploited wealth of empirical data that, if mined and made comparable, will enrich the current evidence base for policy making.

Building on the findings of this report, the OECD is running a project with the community of Computer Security Incident Response Teams (CSIRTs) to enhance the international comparability of the statistics they generate with a view to better inform the “cybersecurity” policy making process.



CSIRTs generate statistics based on their daily activities: issuing alerts and warnings, handling incidents, etc.. However, such statistics are generally not internationally comparable. CSIRTs also collect data or potentially have access to data that could be used to generate statistics on other relevant phenomena if appropriate guidance was available. This project seeks to understand these challenges and identify how to overcome them.

The aim is to deliver a statistical guide or manual that CSIRTs could follow to ensure quality and international comparability of their statistics. It would include guidance on taxonomy, granularity, frequency and the format of these statistics as well as on the creation of statistical indicators for supporting policy making.

The project involves a joint effort of communities in three complementary areas of expertise:

  • Computer emergency and incident response: the CSIRT community is a key partner to the project;

  • Cybersecurity risk policy making: the project was initiated at OECD Committee on Digital Economy Policy (CDEP) Working Party on Security and Privacy in the Digital Economy (SPDE) and the APEC Telecommunications and Information Working Group, Security and Prosperity Steering Group (APEC TEL SPSG) has agreed to participate.

  • Internationally comparable statistics for better policies: the OECD is the international forum for developing internationally recognised statistical guides and manuals. Examples in other areas include the OECD Guide to Measuring the Information Society, the OECD Patent Statistics Manual, the OECD Oslo Manual (on measuring innovation), and the OECD Frascati Manual (on measuring research and development).



The work with CSIRTs is being undertaken in two phases:

  • The first phase aimed to understand the specific challenges and opportunities related to CSIRT statistics. This includes understanding how CSIRTs work and the impact on the generation of data and statistics, as well as the use of standards for the classification of incidents and other aspects of their daily routines. The OECD worked with CSIRT experts and discussed the project at various international CSIRT events during this phase. An expert working meeting took place in August 2013.
  • The second phase aims to develop a statistical guide or manual to facilitate the production of internationally comparable CSIRT statistical indicators. It includes a feasibility study to test the statistical indicators drafted in the first phase.


Other OECD work on security and privacy measurement

For more information

Please contact




Also Available