Measuring cybersecurity

15 Jun 2017 14:30h - 16:15h

Event report

The moderator, Kemal Huseinovic (Chief of the Infrastructure, Enabling Environment and e-Applications Department at ITU), opened the session by raising the concern that, despite its growing importance, the issue of cybersecurity is still not well structured. He underlined that although several indexes proposing different metrics to assess cybersecurity have been published, the community is still very far from universally agreed indicators.

Mr Raul Rikk (Head of National Cyber Security Domain, e-Governance Academy, Estonia) said that the Estonian 2016 initiative proposing cybersecurity indicators focuses on legislation, organisational capacities, official cooperation, formats, and outcomes. He explained that everything is based on publicly available information and on objective Yes/No questions, supported by public evidence to avoid mere opinions. Rikk stressed that some subjective aspects, such as political motivation, are not measurable, although they influence the performance of countries. He said that the index measures countries’ preparedness to prevent threats and readiness to manage cyber incidents, and that it can be used as a cybersecurity database, a global ranking index, or a capacity building checklist. Rikk concluded by explaining that the index is a work in progress, with no formal publication. He said that as new data is received and validated, the website is immediately updated.

Mr Bjarte Malmedal (Norsis) introduced the initiative, on which he worked in Norway, to measure the culture of cybersecurity. He said that they broke down cybersecurity culture into various dimensions, namely, collectivism, responsibility for the group, governance and control, trust, risk perception, optimism towards technology, competence, interest, and behaviour. From these dimensions the indicators were extracted. Malmedal said that one of the key findings was that only businesses provide education in cybersecurity in Norway. He expressed concern over that fact, since the younger and older people who are out of the job market are not educated in the issue, although they are vulnerable. He announced a new report for October 2017 which will reflect the collection of new data, plus another report on youth and their cybersecurity culture, and encouraged other nations to conduct similar studies to broaden the understanding of what cybersecurity culture is and how it develops over time.

Mr David Satola (Lead ICT Counsel, World Bank) presented a World Bank project focusing on cybercrime metrics. He said the three project deliverables (a toolkit with an overview of good practices, an assessment tool, and a virtual library) will be available for public use, primarily designed for countries, but also available to individuals and civil society. Satola explained that the assessment tool is based on objective indicators and that different criteria are weighted. He stressed that it is a self-assessment tool that is being validated in pilot national experiences, and that results are confidential to each country. He emphasised that there is no attempt to rank countries, since public display may disclose vulnerabilities that could affect the ratings and public profile of the countries, as well as weaknesses they may want to identify but not necessarily share. He underlined that the tool can be used for capacity building, due diligence, and also as a checklist to build cybercrime law.

Ms Lara Pace (Director of Strategy and External Engagement, Global Cyber Security Capacity Centre) presented the Cybersecurity Capacity Maturity Model for Nations (CMM), whose objectives are to understand global cybersecurity, to overcome the problem of the capacity building environment being controlled by political mandates, and to provide national institutions with a resource that can be easily understood and used as a capacity building tool. According to Pace, the model looks at the dimensions of policy, cyberculture, education and training, legislative, and technical capacity, and proposes levels of country maturity concerning national cybersecurity strategies. She commented that conversations with countries in an initial stage of cybersecurity capacity are different from conversations with countries where cybersecurity infrastructure is more advanced. Pace said that after every review they produce a detailed country report, which is sent to the government, which chooses whether to publish it or not.

Mr Brahima Sanou (Director of the ITU Telecommunication Development Bureau) joined the session at the end for the official launch of ITU’s own proposal of indicators to measure cybersecurity – the Global Cybersecurity Index (GSI). He announced that the report would be available on the ITU website following the session.

 

by Claudio Lucena