Advancing Cyber Resilience Through Data-Driven Intelligence

Zurich Insurance Group (Zurich), together with the Cyber Threat Alliance and CyberGreen Institute, has published a new report "Enhancing cyber security: Key metrics for policymakers" urging the adoption of standardized national cyber security metrics. The report notes the global cyber risk protection gap of USD 0.9 trillion¹, with insured losses covering only 1% of economic losses from cyber incidents.

The measures proposed in Zurich's 2024 whitepaper, "Closing the Cyber Risk Protection Gap", rely on robust quantitative data to enhance standards and best practices. While organizations like ENISA and CISA provide corporate-level frameworks, national metrics for policy decision-making are largely absent. Zurich's new report introduces six key metrics and an institutional framework for governments to help clarify national cyber risk, strengthen resilience, and enable informed policy decisions:

1. Percentage of organizations with cyber insurance or audit certification: Measures preparedness and understanding of cyber security.
2. Proportion of exploited vulnerabilities older than one year: Indicates ecosystem defense and remediation speed.
3. Number of significant cyber incidents: Reflects national detection and analysis capabilities.
4. Average time to containment of cyber incidents: Demonstrates ability to halt the spread of threats.
5. Mean time to restore operations: Assesses speed of recovery after incidents.
6. Percentage of unfilled cyber security positions: Gauges workforce capacity to manage risks.

Establishing National Cyber Statistics Bureaus - dedicated institutions for collecting these metrics - would ensure consistent incident reporting, track threats and resilience, publish key analyses, and assess security regulation effectiveness. These bureaus could also support a supra-national body to aggregate findings, enabling deeper global comparisons and insights into evolving threats.

To move from currently fragmented, reactive approaches to a unified, data-driven strategy, Zurich calls on policymakers to:

• Collaborate on data collection: Move from reactive incident reporting to proactive, cross-sector data sharing
• Establish dedicated entities: Create or empower national and global institutions to collect, analyze, and report cyber statistics across industries and borders
• Harmonize standards and frameworks: Align definitions, benchmarks, and reporting protocols.

¹ GFIA - Global Federation of Insurance Associations

Further information

• The report "Enhancing cyber security: Key metrics for policymakers" is available for download at https://www.zurich.com/knowledge/topics/digital-data-and-cyber/cyber-metrics-for-key-decision-makers.
• Whitepaper 'Closing the Cyber Risk Protection Gap' (published in 2024)