Monday, 6 October 2025

Call for standardised national cybersecurity metrics

Zurich Insurance Group (Zurich), together with the Cyber Threat Alliance and CyberGreen Institute, has published Enhancing cyber security: Key metrics for policymakers, a report urging the adoption of standardised national cybersecurity metrics. The report notes the global cyber risk protection gap of US$0.9 T*, with insured losses covering only 1% of economic losses from cyber incidents.

The measures proposed in Zurich’s 2024 white paper, Closing the Cyber Risk Protection Gap, rely on robust quantitative data to enhance standards and best practices. While organisations like ENISA and CISA provide corporate-level frameworks, national metrics for policy decision-making are largely absent. 

Zurich’s new report introduces six key metrics and an institutional framework for governments to help clarify national cyber risk, strengthen resilience, and enable informed policy decisions:

- Percentage of organisations with cyber insurance or audit certification: measures preparedness and understanding of cybersecurity. 

- Proportion of exploited vulnerabilities older than one year: indicates ecosystem defence and remediation speed.

- Number of significant cyber incidents: reflects national detection and analysis capabilities. 

- Average time to containment of cyber incidents: demonstrates ability to halt the spread of threats. 

- Mean time to restore operations: assesses speed of recovery after incidents. 

- Percentage of unfilled cybersecurity positions: gauges workforce capacity to manage risks. 

Establishing National Cyber Statistics Bureaus – dedicated institutions for collecting these metrics – would ensure consistent incident reporting, track threats and resilience, publish key analyses, and assess security regulation effectiveness. These bureaus could also support a supra-national body to aggregate findings, enabling deeper global comparisons and insights into evolving threats, Zurich Insurance said.

To move from currently fragmented, reactive approaches to a unified, data-driven strategy, Zurich calls on policymakers to:

- Collaborate on data collection: move from reactive incident reporting to proactive, cross-sector data-sharing 

- Establish dedicated entities: create or empower national and global institutions to collect, analyse, and report cyber statistics across industries and borders 

- Harmonise standards and frameworks: align definitions, benchmarks, and reporting protocols

Details 

Download Enhancing cyber security: Key metrics for policymakers at https://www.zurich.com/knowledge/topics/digital-data-and-cyber/cyber-metrics-for-key-decision-makers

Read Closing the Cyber Risk Protection Gap at https://www.zurich.com/knowledge/topics/digital-data-and-cyber/the-great-cyber-security-challenge

*Global Federation of Insurance Associations 
