Internet economy

Security and privacy indicators

 

Return to > Information security and privacy

Short address for this page:
http://oe.cd/security-indicators

 Improving the
international comparability of
CSIRT statistics

Download the report on
"Measuring the evidence base
for security and privacy
"
© Thinkstock

Better policies in the area of information security and privacy should be based on evidence. However, the collection of quantitative data and the development of robust statistical indicators related to trust is extremely challenging.

In 2012, the OECD released a  report exploring the potential for the development of better indicators to inform the policy making process in the areas of security and privacy risk management, as well as the protection of children online. The work shows that there is an underexploited wealth of empirical data that, if mined and made comparable, will enrich the current evidence base for policy making.

Building on the findings of this report, the OECD is running a project with the community of Computer Security Incident Response Teams (CSIRTs) to enhance the international comparability of the statistics they generate with a view to better inform the “cybersecurity” policy making process.

Aim

CSIRTs generate statistics based on their daily activities: issuing alerts and warnings, handling incidents, etc.. However such statistics are generally not internationally comparable. CSIRTs also collect data or potentially have access to data that could be used to generate statistics on other relevant phenomena if appropriate guidance was available. This project seeks to understand these challenges and identify how to overcome them.

The aim is to deliver a statistical guide or manual that CSIRTs could follow to ensure quality and international comparability of their statistics. It would include guidance on taxonomy, granularity, frequency and the format of these statistics as well as on the creation of statistical indicators for supporting policy making.

The project involves a joint effort of communities in three complementary areas of expertise:

  • Computer emergency and incident response: the CSIRT community is a key partner to the project;
  • Cybersecurity risk policy making: the project was initiated at OECD Committee on Digital Economy Policy (CDEP) Working Party on Security and Privacy in the Digital Economy (SPDE) and the APEC Telecommunications and Information Working Group, Security and Prosperity Steering Group (APEC TEL SPSG) has agreed to participate.
  • Internationally comparable statistics for better policies: the OECD is the international forum for developing internationally recognised statistical guides and manuals. Examples in other areas include the OECD Guide to Measuring the Information Society, the OECD Patent Statistics Manual, the OECD Oslo Manual (on measuring innovation), and the OECD Frascati Manual (on measuring research and development).

Methodology

The work with CSIRTs is being undertaken in two phases:

  • The first phase aimed to understand the specific challenges and opportunities related to CSIRT statistics. This includes understanding how CSIRTs work and the impact on the generation of data and statistics, as well as the use of standards for the classification of incidents and other aspects of their daily routines. The OECD worked with CSIRT experts and discussed the project at various international CSIRT events during this phase. An expert working meeting took place in August 2013.
  • The second phase aims to develop a statistical guide or manual to facilitate the production of internationally comparable CSIRT statistical indicators. It includes a feasibility study to test the statistical indicators drafted in the first phase.

Other OECD work on security and privacy measurement

See:

For more information

Please contact laurent dot bernat at oecd dot org.

 

 

 

Countries list

  • Afghanistan
  • Albania
  • Algeria
  • Andorra
  • Angola
  • Anguilla
  • Antigua and Barbuda
  • Argentina
  • Armenia
  • Aruba
  • Australia
  • Austria
  • Azerbaijan
  • Bahamas
  • Bahrain
  • Bangladesh
  • Barbados
  • Belarus
  • Belgium
  • Belize
  • Benin
  • Bermuda
  • Bhutan
  • Bolivia
  • Bosnia and Herzegovina
  • Botswana
  • Brazil
  • Brunei Darussalam
  • Bulgaria
  • Burkina Faso
  • Burundi
  • Cambodia
  • Cameroon
  • Canada
  • Cape Verde
  • Cayman Islands
  • Central African Republic
  • Chad
  • Chile
  • China (People’s Republic of)
  • Chinese Taipei
  • Colombia
  • Comoros
  • Congo
  • Cook Islands
  • Costa Rica
  • Croatia
  • Cuba
  • Cyprus
  • Czech Republic
  • Côte d'Ivoire
  • Democratic People's Republic of Korea
  • Democratic Republic of the Congo
  • Denmark
  • Djibouti
  • Dominica
  • Dominican Republic
  • Ecuador
  • Egypt
  • El Salvador
  • Equatorial Guinea
  • Eritrea
  • Estonia
  • Ethiopia
  • European Union
  • Faeroe Islands
  • Fiji
  • Finland
  • Former Yugoslav Republic of Macedonia (FYROM)
  • France
  • French Guiana
  • Gabon
  • Gambia
  • Georgia
  • Germany
  • Ghana
  • Gibraltar
  • Greece
  • Greenland
  • Grenada
  • Guatemala
  • Guernsey
  • Guinea
  • Guinea-Bissau
  • Guyana
  • Haiti
  • Honduras
  • Hong Kong, China
  • Hungary
  • Iceland
  • India
  • Indonesia
  • Iraq
  • Ireland
  • Islamic Republic of Iran
  • Isle of Man
  • Israel
  • Italy
  • Jamaica
  • Japan
  • Jersey
  • Jordan
  • Kazakhstan
  • Kenya
  • Kiribati
  • Korea
  • Kuwait
  • Kyrgyzstan
  • Lao People's Democratic Republic
  • Latvia
  • Lebanon
  • Lesotho
  • Liberia
  • Libya
  • Liechtenstein
  • Lithuania
  • Luxembourg
  • Macao (China)
  • Madagascar
  • Malawi
  • Malaysia
  • Maldives
  • Mali
  • Malta
  • Marshall Islands
  • Mauritania
  • Mauritius
  • Mayotte
  • Mexico
  • Micronesia (Federated States of)
  • Moldova
  • Monaco
  • Mongolia
  • Montenegro
  • Montserrat
  • Morocco
  • Mozambique
  • Myanmar
  • Namibia
  • Nauru
  • Nepal
  • Netherlands
  • Netherlands Antilles
  • New Zealand
  • Nicaragua
  • Niger
  • Nigeria
  • Niue
  • Norway
  • Oman
  • Pakistan
  • Palau
  • Palestinian Administered Areas
  • Panama
  • Papua New Guinea
  • Paraguay
  • Peru
  • Philippines
  • Poland
  • Portugal
  • Puerto Rico
  • Qatar
  • Romania
  • Russian Federation
  • Rwanda
  • Saint Helena
  • Saint Kitts and Nevis
  • Saint Lucia
  • Saint Vincent and the Grenadines
  • Samoa
  • San Marino
  • Sao Tome and Principe
  • Saudi Arabia
  • Senegal
  • Serbia
  • Serbia and Montenegro (pre-June 2006)
  • Seychelles
  • Sierra Leone
  • Singapore
  • Slovak Republic
  • Slovenia
  • Solomon Islands
  • Somalia
  • South Africa
  • South Sudan
  • Spain
  • Sri Lanka
  • Sudan
  • Suriname
  • Swaziland
  • Sweden
  • Switzerland
  • Syrian Arab Republic
  • Tajikistan
  • Tanzania
  • Thailand
  • Timor-Leste
  • Togo
  • Tokelau
  • Tonga
  • Trinidad and Tobago
  • Tunisia
  • Turkey
  • Turkmenistan
  • Turks and Caicos Islands
  • Tuvalu
  • Uganda
  • Ukraine
  • United Arab Emirates
  • United Kingdom
  • United States
  • United States Virgin Islands
  • Uruguay
  • Uzbekistan
  • Vanuatu
  • Venezuela
  • Vietnam
  • Virgin Islands (UK)
  • Wallis and Futuna Islands
  • Western Sahara
  • Yemen
  • Zambia
  • Zimbabwe
  • Topics list