Short address for this page: https://oe.cd/security-indicators
This 2019 report synthesises an OECD project to develop a framework and a set of statistical indicators that can be used to assess the digital security (cybersecurity) risk management practices of businesses. A survey instrument aligned with the framework was developed and piloted. The conclusion provides recommendations for future efforts building on this project.
Computer security incident response teams (CSIRTs) generate statistics based on their daily activities: issuing alerts and warnings, handling incidents, etc. However, such statistics are generally not internationally comparable.
Between 2013 and 2015, the OECD worked with the CSIRT community to explore how to improve the international comparability of the statistics they produce. The outcome is a guidance document that they can use to develop more comparable statistics. It should be considered as a first step in this area.
Better policies in the area of information security and privacy should be based on evidence. However, the collection of quantitative data and the development of robust statistical indicators related to trust are extremely challenging.
In 2012, the OECD released a report exploring the potential for the development of better indicators to inform the policy-making process in the areas of security and privacy risk management, as well as the protection of children online. The work shows that there is an underexploited wealth of empirical data that, if mined and made comparable, will enrich the current evidence base for policy making.