Monitoring cyber security

/ Author: Gert Jan Wijma
© Hollandse Hoogte / Westend61 GmbH
Statistics Netherlands (CBS) has recently published its second annual Cyber Security Monitor. This monitor offers an insight into the range and number of existing cyber security issues, and what businesses and individuals are doing to counter them. Using a variety of sources including 20 different indicators, the report provides an outline of the cyber crimes and incidents faced by people and companies.

Modern societies are increasingly dependent on information and communication technology (ICT). Citizens, institutions and businesses have begun to share large amounts of data – often including privacy-sensitive information – and both governments and businesses are making greater use of big data to gain new insights and to improve their decision-making processes. This is increasingly opening them up to the dark side of ICT, such as malfunctions, data leaks, privacy violations and even cyber crime. CBS’ Cyber Security Monitor 2018 uses approximately 20 indicators to build a picture of the number of cyber crimes, incidents and problems and the measures citizens, businesses and governments are taking to combat those issues.

Why a Cyber Security Monitor is useful

As the project leader, statistical researcher Andries Kuipers at CBS is responsible for the development of the Cyber Security Monitor. ‘We have noticed a need among policy makers and organisations that regularly deal with cyber security for statistical insights on this topic. What threats are we facing? How are we working to neutralise those threats? How serious is it?’ By bringing together existing indicators in the Cyber Security Monitor, we get an idea of what information is available and the issues about which we have little or no information. According to Kuipers, ‘The objective is to build up this monitor into a fully-fledged monitor that provides a balanced overview of the cyber security situation in the Netherlands.’

Classic values

The first two editions have been produced in cooperation with the Ministry of Economic Affairs and Climate Policy (EZK). According to Kuipers, it is not only the ministry that sees an important role for CBS in improving our knowledge of this issue; other actors are also taking note: ‘The reasons why the outside world looks to CBS for statistical information about cyber security have to do with the classic values and qualities, such as independence, sound methodology, access to public administrations with relevant data, possibilities of linking the data to other datasets within CBS, and eventually – under strict conditions – making the datasets available for further research.’

What is cyber security?

Not only is there a need for insight into cyber security based on indicators (e.g. the use of paid cloud services), there is also a need to improve our definition of this phenomenon. ‘We also need conceptual understanding and frameworks as well as definitions and classifications,’ Kuipers says. ‘In the world of cyber security, not everyone speaks a common language yet. For example, some don’t think we should categorise cyber bullying under cyber security while others find it really important that we do. In addition, there is no such thing as ‘cyber security as a whole’, which means it’s a big challenge to get a full and balanced picture of the situation.’

Conceptual framework

In addition to using existing indicators and adding to the conceptual framework, CBS is also seeking out new sources and new data. This is a key feature of the Cyber Security Monitor 2018, which is more extensive than the 2017 edition in a number of areas. According to Kuipers, ‘Like last year, this year’s edition has around 20 indicators, but it includes a lot of new features. For example, we have used extra cyber security questions in our company survey to find out how businesses use ICT, to draw out figures about ICT incidents within companies, and the financial damage caused by these incidents.’ With developments moving as swiftly as they are, there is no guarantee that any indicators defined today will still be usable or comparable a few years from now. ‘The form cyber crime will take, as well as the measures available to combat cyber crime, change every year,’ says Kuipers. ‘Not long ago, no one had heard of ransomware (a program that blocks a computer and demands money from the user to release it, ed.), but now it’s become a serious problem for both businesses and individuals.’

Working with other parties

The plan for the coming years is – in addition to expanding CBS’ own surveys with questions about cyber security – to incorporate new data sources and information from external parties. Other parties can also contribute their expertise on the cyber security phenomenon, which is still a relatively new field. Kuipers: ‘CBS definitely sees the appeal – very much in cooperation with other parties – of contributing to reliable and transparent statistical information on cyber security. We hope this will enable us to offer more data and more sources drawn from external organisations. After all, there are limits to what surveys can ask people and businesses about their cyber security.’

Are you interested in working with CBS on cyber security? For more information, please e-mail: samenwerken@cbs.nl