The digitisation of information and network connectivity are creating new challenges for the protection of sensitive data and network communications, affecting the trust of businesses and individuals in online activities.
Having a formal ICT security policy is a sign that an enterprise is aware of digital risks. In 2015, about 32% of European enterprises had a formally defined ICT security policy. However, this proportion varied widely across countries and by firm size. While 27% of European small firms had a formal ICT security policy in 2015, the proportion was lower in the United States at 23% (US National Cyber Security Alliance and Symantec, 2011).
Evidence from the Canadian Survey on Cyber Security and Cybercrime shows that, in 2017, only 13% of Canadian businesses had a written policy in place to manage or report digital security incidents. Meanwhile, 21% of businesses, almost twice as many, reported that they were involved in a digital security incident that affected their operations. Large businesses (41%) were more than twice as likely as small businesses (19%) to have identified such an incident.
On average, 23% of Internet users in the OECD area reported experiencing a digital security incident in 2015, with notable differences across countries. In Hungary and Mexico, this share was nearly 40%, as opposed to less than 10% in the Czech Republic, the Netherlands and New Zealand.
The share of Internet users affected by a computer virus or other computer infection, with a resulting impact in terms of loss of information or time, has decreased since 2010 in most countries. This is possibly due to the integration of anti-virus software into operating systems and increased general awareness around the issue. In 2016, only 21% of Internet users in the OECD area experienced a security breach; however, the proportion was much higher in Japan at 65%.
National digital security strategies describe how countries prepare for and respond to attacks against their digital networks. They can be considered an important dimension of national readiness in terms of digital security risk management. Across all countries covered globally in the ITU’s Global Cybersecurity Index 2017, only 38% reported having a published digital security strategy, with 11% having a dedicated standalone strategy. Another 12% of countries had a cybersecurity strategy under development.
Despite half of countries not having a digital security strategy, 61% do have a national emergency response team (i.e. CIRT, CSIRT or CERT). However, only 21% publish metrics on cybersecurity incidents. This makes it difficult to objectively assess incidents based on evidence in most countries and therefore to determine the efficiency of protection measures.