Most countries are still making national cyber policy decisions without reliable numbers. Regulations often focus on incident reporting after damage is done, but they fail to give governments a forward-looking picture of resilience. A new report from Zurich Insurance Group argues that this gap leaves economies exposed and slows the ability to respond to systemic threats.
Why metrics matter
Cybersecurity is measured mostly through compliance or incident counts. While useful, this data does not show how well-prepared a country is to absorb and recover from attacks. Policymakers lack the equivalent of a Richter scale for cyber events. Without agreed benchmarks, governments cannot compare resilience across industries or track progress over time.
The absence of standardized measures also makes it difficult to size the cyber risk protection gap. Only about 1% of total economic losses from cyber incidents are currently insured, a figure that underlines how much remains unmanaged.
Six core indicators
The report proposes six indicators that governments can track to understand how resilient their countries are to cyberattacks. These metrics are meant as broad indicators: not perfect, but enough to show whether things are getting better or worse. Each aligns with a function in the NIST Cybersecurity Framework, making them recognizable to security leaders.
Cyber insurance or audit certification coverage: The percentage of organizations with cyber insurance or a recognized security audit. This shows how many companies are managing cyber risk through either financial protection or compliance with standards. A higher number suggests greater awareness and readiness across the economy.
Aging vulnerabilities: The proportion of exploited vulnerabilities older than one year. When attackers can still use old weaknesses, it points to poor patching habits and slow remediation. Tracking this number helps policymakers see how quickly organizations are closing known security gaps.
Significant incidents: The number of major breaches or attacks within a reporting period. Governments would need to define what “significant” means, whether by financial loss, number of people affected, or disruption to critical services. Monitoring this helps identify trends in how often breaches occur and how severe they are.
Containment time: The average time to isolate a threat once it has been detected, that is, to stop it from spreading further. Shorter containment times reflect stronger detection, coordination, and response capabilities across both public and private sectors.
Restoration time: The mean time required to return to normal operations once a breach has been contained. Faster recovery shows higher resilience and a lower overall impact on the economy and society.
Workforce gap: The percentage of cybersecurity roles that remain unfilled. Vacancies are a barrier to governance and response, and a large number of them limits a country’s ability to prevent, detect, and respond to cyber threats.
These indicators are not meant to be exhaustive. They are designed to be simple enough for policymakers to interpret, while providing a national view of strengths and weaknesses.
Data gaps
At present, no country collects all six data points in a consistent way. Even in the European Union, where incident reporting is mandatory under rules like NIS2 and DORA, requirements fall short. Of the six proposed indicators, only detection is fully covered by EU regulations. Containment and recovery are partially tracked, while insurance coverage, vulnerability age, and workforce vacancies are not gathered at the aggregate level.
Fragmented collection also creates blind spots. For example, multiple agencies across Europe receive reports, but they rarely share data with one another. This makes it hard to see sector-wide trends or align national responses with regional ones.
Figure: Data gaps in the EU’s cyber incident reporting regulations.
Institutional fixes
The report recommends creating National Cyber Statistics Bureaus to standardize and centralize data collection. Such bureaus would continuously track incidents, workforce capacity, and resilience measures, publishing findings in ways that policymakers can act upon. Over time, an international body could aggregate this data, issue global alerts, and help align standards across borders.
Without these institutions, national strategies will continue to rely on incomplete information. By contrast, a structured bureau could produce scorecards showing the state of national cyber health at a glance. An illustrative example in the report uses color-coded metrics to track progress against targets, much like public dashboards used in other areas of policy.
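As an added illustration of the six indicators and of the color-coded scorecard described above (example code written for this page, not material from the report or from Zurich Insurance Group), the Python below computes each indicator from constructed incident reports, an organization survey and workforce figures, then rates every value against a hypothetical target. All records, the one-year threshold applied to "aging" vulnerabilities, the targets and the green/amber/red bands are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Constructed incident records for illustration only; a national bureau would
# aggregate such records from mandatory incident reports across sectors.
@dataclass
class Incident:
    org: str
    detected: date
    contained: date
    restored: date
    significant: bool                        # per the government's chosen definition
    exploited_cve_published: Optional[date]  # publish date of the exploited flaw, if known

INCIDENTS = [
    Incident("org-a", date(2024, 3, 1), date(2024, 3, 2), date(2024, 3, 6), True, date(2022, 6, 1)),
    Incident("org-b", date(2024, 4, 10), date(2024, 4, 13), date(2024, 4, 15), False, date(2024, 2, 1)),
    Incident("org-c", date(2024, 5, 5), date(2024, 5, 5), date(2024, 5, 7), False, None),
    Incident("org-d", date(2024, 6, 20), date(2024, 6, 24), date(2024, 7, 4), True, date(2021, 1, 15)),
    Incident("org-a", date(2024, 8, 1), date(2024, 8, 3), date(2024, 8, 6), False, date(2023, 9, 15)),
]

# Constructed survey: which organizations hold cyber insurance or a recognized audit.
ORG_SURVEY = {
    "org-a": {"insured": True, "audited": False},
    "org-b": {"insured": False, "audited": True},
    "org-c": {"insured": True, "audited": True},
    "org-d": {"insured": False, "audited": False},
}

# Constructed workforce figures: open versus total cybersecurity roles.
WORKFORCE = {"open_roles": 120, "total_roles": 1000}

AGING_DAYS = 365  # assumption: a flaw exploited more than a year after publication is "aging"


def coverage_rate(survey):
    """Share of organizations with insurance or a recognized audit (indicator 1)."""
    covered = sum(1 for s in survey.values() if s["insured"] or s["audited"])
    return covered / len(survey)


def aging_vulnerability_share(incidents):
    """Share of exploited vulnerabilities older than AGING_DAYS at exploitation (indicator 2).
    Incidents whose exploited flaw is unknown are excluded from the denominator."""
    known = [i for i in incidents if i.exploited_cve_published is not None]
    aging = [i for i in known if (i.detected - i.exploited_cve_published).days > AGING_DAYS]
    return len(aging) / len(known) if known else 0.0


def significant_incidents(incidents):
    """Count of incidents flagged significant in the period (indicator 3)."""
    return sum(1 for i in incidents if i.significant)


def mean_containment_days(incidents):
    """Average days from detection to containment (indicator 4)."""
    return mean((i.contained - i.detected).days for i in incidents)


def mean_restoration_days(incidents):
    """Average days from containment to restored operations (indicator 5)."""
    return mean((i.restored - i.contained).days for i in incidents)


def workforce_gap(workforce):
    """Share of cybersecurity roles left unfilled (indicator 6)."""
    return workforce["open_roles"] / workforce["total_roles"]


# Hypothetical targets: (target value, True if lower is better).
TARGETS = {
    "coverage_rate": (0.80, False),
    "aging_vulnerability_share": (0.25, True),
    "significant_incidents": (3, True),
    "mean_containment_days": (3.0, True),
    "mean_restoration_days": (5.0, True),
    "workforce_gap": (0.10, True),
}


def rate(value, target, lower_is_better):
    """Green if the target is met, amber if missed by up to 25%, red otherwise."""
    if not lower_is_better and value == 0:
        return "red"
    ratio = value / target if lower_is_better else target / value
    if ratio <= 1.0:
        return "green"
    if ratio <= 1.25:
        return "amber"
    return "red"


def scorecard(incidents=INCIDENTS, survey=ORG_SURVEY, workforce=WORKFORCE):
    """Return {indicator: (value, rating)} in the dashboard style the report describes."""
    values = {
        "coverage_rate": coverage_rate(survey),
        "aging_vulnerability_share": aging_vulnerability_share(incidents),
        "significant_incidents": significant_incidents(incidents),
        "mean_containment_days": mean_containment_days(incidents),
        "mean_restoration_days": mean_restoration_days(incidents),
        "workforce_gap": workforce_gap(workforce),
    }
    return {k: (v, rate(v, *TARGETS[k])) for k, v in values.items()}


if __name__ == "__main__":
    for name, (value, colour) in scorecard().items():
        print(f"{name:28s} {value:8.2f}  {colour}")
```

The one design point worth noting is the denominator for aging vulnerabilities: incidents whose root-cause flaw is unknown are left out rather than counted as "not aging", since counting them would make poor root-cause analysis look like good patching.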