ITU-T X.1208 PDF

This Recommendation provides a guideline to assist organizations in the development, selection and identification of the data to be captured (based on selected indicators) and shows how this information can be used to compute a cybersecurity indicator of risk (CSIR). Note that an organization may generate a cybersecurity indicator of risk with respect to a specific set of cybersecurity indicators (CSI) while departments within an organization may also generate a cybersecurity indicator of risk with respect to their specific set of cybersecurity indicators (CSI). The purpose of the cybersecurity indicator is to allow for the evaluation of the level of cybersecurity competency at a particular point in time of an organization and, when this process is repeated at other points in time, it allows the status of an organization's cybersecurity programme's progress over time to be determined.

This Recommendation also provides a list of potential indicators and describes a methodology to be used when these cybersecurity indicators are used to compute a cybersecurity indicator of risk.

This Recommendation is intended to help organizations that implement or operate a portion of the global infrastructure of information and communication technologies to evaluate their own cybersecurity capabilities and calculate their cybersecurity indicator of risk. These guidelines are intended to facilitate the decision-making process within organizations on how to improve cybersecurity and how to lower their cybersecurity risks. Furthermore, these guidelines provide an indication of where organizations could/should invest resources to improve their cybersecurity.

This Recommendation is not to be used to generate a cybersecurity indicator of risk on a country-level basis. Furthermore, this Recommendation does not propose the use of an index or a single indicator to express the cybersecurity capabilities of an organization

NOTE 1 - Comparisons of the calculated cybersecurity indicator of risk between organizations should not be made. This is because each organization or community is supposed to select what they deem to be an appropriate set of cybersecurity indicators for their organization. Furthermore, they are expected to develop their own measurement methodology and criteria to address their risks and concerns. In some cases subjective information, as opposed to objective data, may be used. Consequently, it is recommended that a cybersecurity indicator of risk for one organization should never be compared to that of another organization, as it is highly context dependent.

NOTE 2 - The indicators described in this Recommendation may not be compatible with those developed by other industry sectors due to the different purposes of those industries.