The National Cybersecurity Index
Excellent formatting inspired by Merconitonitopia's Happiness Index.
In an increasingly globalized world, cybersecurity — the integrity of your nation's Internet, computer systems, and electronic data — is now more important than ever. What was at one point an afterthought for many sovereign states today has major implications for quality of life, free and fair elections, and even national security.
Consider this: how many of your citizens are having their information sold without their consent? What would happen to your nation if the power grid were knocked out in an untraceable terrorist attack? And particularly relevant to democracies — what if a hacker, a disgruntled political party, or even a foreign government disrupted, and possibly influenced, your elections?
That's why our cybersecurity team at Vienna Consulting have developed an index with a secure methodology to analyze the security of your nation's information technology. All you have to do is implement a simple contract between your government and our firm, and we'll produce a full report on the state of cybersecurity in your jurisdiction. That's responsible leadership, and that's what we strive for.
Survey
Once you've ordered the promulgation of our contract, just help us access the following data.
[b]Name of nation:[/b]
[b]Population:[/b]
[size=150]1. Legal measures[/size]
[b]Do you have substantive law on...[/b]
[i]Substantive law refers to public and private law, including the law of contracts, real property, tort, wills, and criminal law that creates, defines and regulates rights.[/i]
[ ] unauthorized access of computers, systems and data?
[ ] unauthorized interference, interception, modification, and destruction of computers, systems and data?
[ ] data and privacy protection?
[b]Do you have procedural law on...[/b]
[i]Procedural law refers to the rules by which a court determines what happens in civil lawsuits, criminal or administrative proceedings, and is designed to ensure a fair and consistent application of due process or fundamental justice to all cases that come before a court.[/i]
[ ] articles on expedited preservation of stored computer data?
[ ] production orders?
[ ] search and seizure of stored computer data?
[ ] real-time collection of computer data?
[ ] extradition of cyber perpetrators?
[ ] mutual assistance?
[ ] confidentiality and limitation of use?
[b]Is there any cybersecurity regulation related to...[/b]
[i]Regulation: rules based on, and meant to carry out, a specific piece of legislation. Regulations are enforced by a regulatory agency mandated to carry out the purpose or provisions of a legislation. Cybersecurity regulation would thus designate principles abided by stakeholders, emanating from and being part of the implementation of laws dealing with.[/i]
[ ] data protection?
[ ] breach notification?
[ ] cybersecurity audit requirements and cybersecurity certification/standardization?
[ ] privacy protection?
[ ] digital signatures and e-transactions?
[ ] liability of Internet service providers?
[ ] system and network protection?
[b]Is there legislation or regulation related to the containment or curbing of spam?[/b]
[i]This refers to legislation or regulations related to the protection against unwanted emails as a result of internet use.[/i]
[ ] Yes
[ ] No
[size=150]2. Technical measures[/size]
[b]Does your nation have a CIRT, CSIRT or CERT?[/b]
[i]A national CSIRT/CIRT/CERT refers to an entity which has been mandated with the national responsibility to monitor, manage and handle cybersecurity incidents with its local constituencies including academia, law enforcement, civil society, private sector (in economic groups or criticality groups), critical information infrastructures (energy, health, transport, finance etc.) and government. It also interacts with national CIRTs of other countries as well as regional and international players for relevant and effective coordination in case of attacks.[/i]
[ ] Yes, a national CIRT, CSIRT or CERT
[ ] Yes, a government CIRT, CSIRT or CERT
[ ] Yes, a sectoral CIRT, CSIRT or CERT
[ ] None of the above
[b]Does the CIRT, CSIRT or CERT conduct continuous cybersecurity exercises?[/b]
[i]A planned event during which an organization simulates a cyber disruption to develop or test capabilities such as preventing, detecting, mitigating, responding to or recovering from the disruption. Is the exercise organized periodically or repeatedly?[/i]
[ ] Yes
[ ] No
[ ] Not Applicable
[b]Is there any framework for the implementation of cybersecurity standards?[/b]
[i]Existence of a government-approved (or endorsed) framework (or frameworks) for the implementation of internationally recognized cybersecurity standards within the public sector (government agencies) and within the critical infrastructure (even if operated by the private sector). These standards include, but are not limited to, those developed by the following agencies: ISO, ITU, IETF, IEEE, ATIS, OASIS, 3GPP, 3GPP2, IAB, ISOC, ISG, ISI, ETSI, ISF, RFC, ISA, IEC, NERC, NIST, FIPS, PCI DSS, etc.[/i]
[ ] Yes, in the public sector
[ ] Yes, in the private sector
[ ] No
[b]Do you have a standardization body within the country that...[/b]
[ ] provides its own standard on cybersecurity?
OR
[ ] adopts international standards?
[ ] No
[b]Are there any technical mechanisms and capabilities deployed to address spam?[/b]
[i]Are there certain tools and technical measures related to providing cybersecurity, such as anti-virus or anti-spam software?[/i]
[ ] Yes
[ ] No
[b]Does your government use the cloud for cybersecurity in the public sector?[/b]
[i]Software to ensure data backup in case of unwanted internet or computer interference apart from the use of antivirus software, Internet Security Software suites, anti-malware and encryption to improve on government’s cybersecurity systems. The cloud system allows one to use and access their documents/data or any saved materials anywhere and at any time without the damages caused by computer interference on one end.[/i]
[ ] Yes
[ ] No
[size=150]3. Organizational measures[/size]
[b]Is there a national strategy for cybersecurity?[/b]
[i]Policies on national cybersecurity strategies or national plans for the protection of information infrastructures are those officially defined and endorsed by a nation state, and can include the following commitments: establishing clear responsibility for cybersecurity at all levels of government (local, regional and federal or national), with clearly defined roles and responsibilities; making a clear commitment to cybersecurity, which is public and transparent; encouraging private sector involvement and partnership in government-led initiatives to promote cybersecurity; a roadmap for governance that identifies key stakeholders.[/i]
[ ] Yes
[ ] No
[b]Is your national strategy...[/b]
[ ] standalone?
OR
[ ] included as part of another broader national strategy?
[ ] Not Applicable
[b]Does it address...[/b]
[ ] the private sector?
[ ] the public sector?
[ ] Not Applicable
[b]Is there a section on...[/b]
[i]A national resiliency plan ensures that the country recovers from the effects of any disaster (natural or man-made) in a timely and efficient manner, including through the preservation and restoration of its essential basic structures and functions.[/i]
[ ] the protection of critical information infrastructure?
[ ] a national resiliency plan?
[b]Is there a clear action plan for government implementation on cybersecurity governance?[/b]
[i]The strategy includes a roadmap with milestones for the achievement and completion of the strategy.[/i]
[ ] Yes
[ ] No
[b]Is the strategy...[/b]
[i]The strategy is updated according to national, technological, social, economic and political developments that may affect it, and the strategy is open for consultation by all relevant stakeholders, including operators of infrastructure, ISPs, academia, etc.[/i]
[ ] revised on a continuous basis?
[ ] open to public consultation?
[b]Is there a national body or agency responsible for...[/b]
[ ] cybersecurity and critical information infrastructure protection?
[ ] initiatives in combating spam related issues?
[b]Are there any metrics used to measure cybersecurity development at a national level?[/b]
[i]Existence of any officially recognized national or sector-specific benchmarking exercises or referential used to measure cybersecurity development, risk-assessment strategies, cybersecurity audits, and other tools and activities for rating or evaluating resulting performance for future improvements. For example, based on ISO/IEC 27004 which is concerned with measurements relating to information security management.[/i]
[ ] Yes
[ ] No
[b]Are cybersecurity risk assessments performed periodically?[/b]
[i]A systematic process comprising risk identification, risk analysis and risk evaluation.[/i]
[ ] Yes
[ ] No
[b]Is there a cybersecurity benchmark for assessing risk?[/b]
[ ] Yes
[ ] No
[b]Are general cybersecurity audits performed?[/b]
[i]A security audit is a systematic evaluation of the security of an information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices.[/i]
[ ] Yes
[ ] No
[size=150]4. Capacity Building Activities[/size]
[b]Are public awareness campaigns in cybersecurity developed and implemented?[/b]
[i]Public awareness includes efforts to promote widespread publicity campaigns to reach as many people as possible as well as making use of NGOs, institutions, organizations, ISPs, libraries, local trade organizations, community centers, computer stores, community colleges and adult education programs, schools and parent-teacher organizations to get the message across about safe cyber-behavior online. This includes actions such as setting up portals and websites to promote awareness, disseminating support material and establishing cybersecurity adoption.[/i]
[ ] Yes
[ ] No
[b]Do public awareness campaigns target...[/b]
[ ] organizations?
[ ] civil society?
[ ] adults?
[ ] youth & children?
[ ] other related bodies?
[ ] Not Applicable
[b]Is there a framework for the certification and accreditation of cybersecurity professionals?[/b]
[i]Existence of a government-approved (or endorsed) framework (or frameworks) for the certification and accreditation of professionals by internationally recognized cybersecurity standards. These certifications, accreditations and standards include, but are not limited to, the following: Cloud Security knowledge (Cloud Security Alliance), CISSP, SSCP, CSSLP CBK, Cybersecurity Forensic Analyst (ISC²), GIAC, GIAC GSSP (SANS), CISM, CISA, CRISC (ISACA), CompTIA, C|CISO, CEH, ECSA, CHFI (EC Council), OSSTMM (ISECOM), PCIP/CCISP (Critical Infrastructure Institute), Q/ISP, Software Security Engineering Certification (Security University), CPP, PSP, PCI (ASIS), LPQ, LPC (Loss Prevention Institute), CFE (Association of Certified Fraud Examiners), CERT-Certified Computer Security Incident Handler (SEI), CITRMS (Institute of Consumer Financial Education), CSFA (Cybersecurity Institute), CIPP (IAPP), ABCP, CBCP, MBCP (DRI), BCCP, BCCS, BCCE, DRCS, DRCE (BCM), CIA, CCSA (Institute of Internal Auditors), (Professional Risk Managers International Association), PMP (Project Management Institute), etc.[/i]
[ ] In the public sector
[ ] In the private sector
[ ] No
[b]Does your government develop or support any professional training courses in cybersecurity...[/b]
[i]Existence of national or sector-specific educational and professional training programs, promoting cybersecurity courses in the workforce (technical, social sciences, etc.) and promoting certification of professionals in either the public or the private sector.[/i]
[ ] for law enforcement (police officers and enforcement agents)?
[ ] for judicial and other legal actors (judges, solicitors, barristers, attorneys, lawyers, paralegals, etc.)?
[ ] for organizations?
[ ] for the public sector?
[ ] for civil society?
[b]Does your government develop or support any educational programs or academic curricula in cybersecurity?[/b]
[i]Existence and the promotion of national education courses and programs to train the younger generation in cybersecurity-related skills and professions in schools, colleges, universities and other learning institutes. Cybersecurity-related skills include, but are not limited to, setting strong passwords and not revealing personal information online. Cybersecurity-related professions include, but are not limited to, cryptanalysts, digital forensics experts, incident responders, security architects and penetration testers.[/i]
[ ] In primary school
[ ] In secondary school
[ ] In higher education
[ ] No
[b]Is there investment in cybersecurity research and development programs?[/b]
[i]Cybersecurity research programs include, but are not limited to, malware analysis, cryptography research and research into system vulnerabilities and security models and concepts. Cybersecurity development programs refer to the development of hardware or software solutions that include but are not limited to firewalls, intrusion prevention systems, honey-pots and hardware security modules. The presence of an overarching national body will increase coordination among the various institutions and sharing of resources.[/i]
[ ] In the public sector
[ ] In the private sector
[ ] In higher education institutions and academia
[ ] In a nationally recognized institutional body overseeing cybersecurity research and development activity
[ ] In a recognized institutional body overseeing cybersecurity capacity building activities
[ ] No
[b]Are there any government incentive mechanisms to encourage capacity building in the field of cybersecurity?[/b]
[i]Any incentive efforts by government to encourage capacity building in the field of cybersecurity, whether through tax breaks, grants, funding, loans, disposal of facilities, and other economic and financial motivators, including dedicated and nationally recognized institutional body overseeing cybersecurity capacity-building activities. Incentives increase the demand for cybersecurity-related services and products, which improves defenses against cyberthreats.[/i]
[ ] Yes
[ ] No
[b]Is there a homegrown cybersecurity industry?[/b]
[i]A favorable economic, political and social environment supporting cybersecurity development will incentivize the growth of a private sector around cybersecurity. The existence of public awareness campaigns, manpower development, capacity building and government incentives will drive a market for cybersecurity products and services. The existence of a home-grown cybersecurity industry is testament to such a favorable environment and will drive the growth of cybersecurity start-ups and associated cyber insurance markets.[/i]
[ ] Yes
[ ] No
[b]Is there a cyber insurance market?[/b]
[i]Cyber-insurance is an insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.[/i]
[ ] Yes
[ ] No
[b]Is there any support provided to cybersecurity startups and development?[/b]
[i]Mechanisms in place to support development of cybersecurity start-ups (tax incentives, technology parks, free trade zones etc.) and for SMEs (Small and Medium Size Enterprises).[/i]
[ ] Yes
[ ] No
[size=150]5. Cooperative measures[/size]
[b]Are there any bilateral agreements for cybersecurity cooperation with...[/b]
[i]Bilateral agreements (one-to-one agreements) refer to any officially recognized national or sector-specific partnerships for sharing cybersecurity information or assets across borders by the government with one other foreign government, regional entity or an international organization (i.e. the cooperation or exchange of information, expertise, technology and other resources).[/i]
[ ] nation states or member states?
[ ] international organizations?
[ ] none of the above?
[b]Are the agreements...[/b]
[ ] legally binding?
[ ] for information sharing?
[ ] for asset sharing?
[ ] non-legally binding, informal?
[ ] pending ratification?
[ ] Not Applicable
[b]Are there any multilateral agreements on cybersecurity cooperation?[/b]
[i]Multilateral agreements (one to multiparty agreements) refer to any officially recognized national or sector-specific programs for sharing cybersecurity information or assets across borders by the government with multiple foreign governments or international organizations (i.e. the cooperation or exchange of information, expertise, technology and other resources). It may also include ratification of international agreements regarding cybersecurity, such as the African Union Convention on Cyber Security and Personal Data Protection, the Budapest Convention on Cybercrime and others.[/i]
[ ] Yes
[ ] No
[b]Are the agreements...[/b]
[ ] legally binding?
[ ] for information sharing?
[ ] for asset sharing?
[ ] non-legally binding, informal?
[ ] pending ratification?
[ ] Not Applicable
[b]Does your organization/government participate in international forums or associations dealing with cybersecurity?[/b]
[ ] Yes
[ ] No
[b]Are there any public-private partnerships in place?[/b]
[i]Public-private partnerships (PPP) refer to ventures between the public and private sector. This performance indicator can be measured by the number of officially recognized national or sector-specific PPPs for sharing cybersecurity information (threat intelligence) and assets (people, processes, tools) between the public and private sector (i.e. official partnerships for the cooperation or exchange of information, expertise, technology and/or resources), whether nationally or internationally.[/i]
[ ] With local companies
[ ] With foreign companies
[ ] No
[size=150]6. Child online protection[/size]
[b]Are there any measures protecting children online?[/b]
[ ] Yes
[ ] No
[b]Is there legislation related to child online protection?[/b]
[ ] Yes
[ ] No
[b]Is there an agency or entity responsible for child online protection?[/b]
[ ] Yes
[ ] No
[b]Is there an established public mechanism for reporting issues associated with child online protection?[/b]
[ ] Yes
[ ] No
[b]Are there any technical mechanisms and capabilities deployed to help protect children online?[/b]
[ ] Yes
[ ] No
[b]Has there been any activity by government or non-government institutions to provide knowledge and support to stakeholders on how to protect children online?[/b]
[ ] Yes
[ ] No
[b]Are there any child online protection education programs?[/b]
[ ] For parents
[ ] For educators
[ ] For children
[ ] No
[b]Is there a national strategy for child online protection?[/b]
[ ] Yes
[ ] No
[b]Are there public awareness campaigns on child online protection?[/b]
[ ] For adults
[ ] For youth
[ ] For children
[ ] No
[b]Signature of Primary Contact[/b]
[b]Signature of Head of Government[/b]
[b]Signature of Chief Record Keeper/Secretary of State[/b]
The Index
⬤ Leading states are those with scores in the 90th percentile that demonstrate high commitment in all six pillars of the index.
The Arthurian Isles — 0.8077
⬤ Maturing states score between the 50th and 89th percentiles and have developed complex commitments, engaging in cybersecurity programs and initiatives.
Devernia — 0.6943
Esbana — 0.6193
Coconut Palm Island — 0.5804
⬤ Initiating states refer to states under the 50th percentile that have started to make commitments in cybersecurity.