NCSI :: Compare

RANKING TIMELINE

United States Jordan Brazil Kuwait Saint Kitts and Nevis

Rank	Country	National Cyber Security IndexNCSI	Digital developmentISD	DifferenceDif

12.	United States	84.17	85.46	-1.29
21.	Jordan	73.33	57.77	15.56
25.	Brazil	71.67	69.62	2.05
56.	Kuwait	37.50	63.71	-26.21
76.	Saint Kitts and Nevis	12.50	31.53	-19.03

STRATEGIC CYBERSECURITY INDICATORS

1. CYBERSECURITY POLICY

15
15

12
15

9
15

6
15

0
15
- 1.1. High-level cybersecurity leadership
  
  3
  3
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  Criteria
  The country has appointed governmental leadership responsible for cybersecurity at the national level.
  Accepted references
  Legal act, national strategy, official statutes or terms of reference, or official website
- 1.2. Cybersecurity policy development
  
  3
  3
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  Criteria
  There is a competent entity in the central government to whom responsibility is assigned for national cybersecurity strategy and policy development.
  Accepted references
  Legal act, official statute or terms of reference, or official website
- 1.3. Cybersecurity policy coordination
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  0
  3
  
  Criteria
  The country has a regular official format for cybersecurity policy coordination at the national level.
  Accepted references
  Legal act, official statute or terms of reference, or official website
- 1.4. National cybersecurity strategy
  
  3
  3
  
  3
  3
  
  0
  3
  
  0
  3
  
  0
  3
  
  Criteria
  The central government has established a national-level cybersecurity strategy defining strategic cybersecurity objectives and measures to improve cybersecurity across society.
  Accepted references
  Valid official document
- 1.5. National cybersecurity strategy action plan
  
  3
  3
  
  0
  3
  
  0
  3
  
  0
  3
  
  0
  3
  
  Criteria
  The central government has established an action plan to implement the national cybersecurity strategy.
  Accepted references
  Current official document, legal act, or official statement
2. GLOBAL CYBERSECURITY CONTRIBUTION

6
6

6
6

4
6

3
6

0
6
- 2.1. Cyber diplomacy engagements
  
  3
  3
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  Criteria
  The government contributes to international or regional cooperation formats dedicated to cybersecurity and cyber stability. (The indicator is limited to strategic-level cooperation; operational-level incident response cooperation and cross-border law enforcement cooperation are addressed separately under other indicators.)
  Accepted references
  Official website of the organisation or cooperation format, official statement or contribution
- 2.2. Commitment to international law in cyberspace
  
  1
  1
  
  1
  1
  
  1
  1
  
  0
  1
  
  0
  1
  
  Criteria
  The country has an official position on the application of international law, including human rights, in the context of cyber operations.
  Accepted references
  Official document or statement, international indexes
- 2.3. Contribution to international capacity building in cybersecurity
  
  2
  2
  
  2
  2
  
  0
  2
  
  0
  2
  
  0
  2
  
  Criteria
  The country has led or supported cybersecurity capacity building for another country in the past three years.
  Accepted references
  Official website or project document
3. EDUCATION AND PROFESSIONAL DEVELOPMENT

6
10

10
10

6
10

6
10

0
10
- 3.1. Cyber safety competencies in primary education
  
  0
  2
  
  2
  2
  
  0
  2
  
  0
  2
  
  0
  2
  
  Criteria
  Primary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
  Accepted references
  Official curriculum or official report
- 3.2. Cyber safety competencies in secondary education
  
  0
  2
  
  2
  2
  
  0
  2
  
  0
  2
  
  0
  2
  
  Criteria
  Secondary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
  Accepted references
  Official curriculum or official report
- 3.3. Undergraduate cybersecurity education
  
  2
  2
  
  2
  2
  
  2
  2
  
  2
  2
  
  0
  2
  
  Criteria
  At least one undergraduate education programme is available in the country to train students in cybersecurity.
  Accepted references
  Accredited study programme
- 3.4. Graduate cybersecurity education
  
  3
  3
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  Criteria
  At least one cybersecurity education programme is available in the country at the graduate level.
  Accepted references
  Accredited study programme
- 3.5. Association of cybersecurity professionals
  
  1
  1
  
  1
  1
  
  1
  1
  
  1
  1
  
  0
  1
  
  Criteria
  A professional association of cybersecurity specialists, managers, or auditors exists in the country.
  Accepted references
  Official website
4. CYBERSECURITY RESEARCH AND DEVELOPMENT

4
4

0
4

2
4

0
4

0
4
- 4.1. Cybersecurity research and development programmes
  
  2
  2
  
  0
  2
  
  2
  2
  
  0
  2
  
  0
  2
  
  Criteria
  A cybersecurity research and development (R&D) programme or institute exists and is recognised and/or supported by the government.
  Accepted references
  Official programme or official website
- 4.2. Cybersecurity doctoral studies
  
  2
  2
  
  0
  2
  
  0
  2
  
  0
  2
  
  0
  2
  
  Criteria
  An officially recognised PhD programme exists accommodating research in cybersecurity.
  Accepted references
  Official programme or official website

PREVENTIVE CYBERSECURITY INDICATORS

5. CYBERSECURITY OF CRITICAL INFORMATION INFRASTRUCTURE

9
12

9
12

9
12

0
12

0
12
- 5.1. Identification of critical information infrastructure
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  0
  3
  
  Criteria
  There is a framework or a mechanism to identify operators of critical information infrastructure.
  Accepted references
  Legal or administrative act
- 5.2. Cybersecurity requirements for operators of critical information infrastructure
  
  0
  3
  
  0
  3
  
  3
  3
  
  0
  3
  
  0
  3
  
  Criteria
  Operators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
  Accepted references
  Legal act, or mandatory cybersecurity framework or standard
- 5.3. Cybersecurity requirements for public sector organisations
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  0
  3
  
  Criteria
  Public sector organisations are required to assess and manage cyber risks and/or implement cybersecurity measures.
  Accepted references
  Legal or administrative act, mandatory cybersecurity framework or standard
- 5.4. Competent supervisory authority
  
  3
  3
  
  3
  3
  
  0
  3
  
  0
  3
  
  0
  3
  
  Criteria
  A competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.
  Accepted references
  Legal act or official website
6. CYBERSECURITY OF DIGITAL ENABLERS

6
12

6
12

10
12

4
12

2
12
- 6.1. Secure electronic identification
  
  0
  2
  
  2
  2
  
  2
  2
  
  2
  2
  
  0
  2
  
  Criteria
  A national electronic identification solution exists that allows for officially recognised and secure electronic identification of natural and/or legal persons.
  Accepted references
  Legal act, nationally recognised identification scheme, or official website
- 6.2. Electronic signature
  
  2
  2
  
  2
  2
  
  2
  2
  
  2
  2
  
  2
  2
  
  Criteria
  A nationally recognised and publicly available solution exists to issue secure and legally binding electronic signatures.
  Accepted references
  Legal act or official website
- 6.3. Trust services
  
  0
  2
  
  0
  2
  
  2
  2
  
  0
  2
  
  0
  2
  
  Criteria
  Trust services (e.g. digital certificates, timestamps, private key management service) are regulated, at least for use in the public sector.
  Accepted references
  Legal act or official website
- 6.4. Supervisory authority for trust services
  
  0
  2
  
  0
  2
  
  2
  2
  
  0
  2
  
  0
  2
  
  Criteria
  An independent authority has been designated and given the power to supervise trust services and trust service providers.
  Accepted references
  Legal act or official website
- 6.5. Cybersecurity requirements for cloud services
  
  2
  2
  
  2
  2
  
  2
  2
  
  0
  2
  
  0
  2
  
  Criteria
  Requirements are established for the secure use of cloud services in government and/or public sector organisations.
  Accepted references
  Legal or administrative act, cybersecurity framework or standard
- 6.6. Supply chain cybersecurity
  
  2
  2
  
  0
  2
  
  0
  2
  
  0
  2
  
  0
  2
  
  Criteria
  Requirements are established to identify and manage cybersecurity risks through the ICT supply chain.
  Accepted references
  Legal act or official website
7. CYBER THREAT ANALYSIS AND AWARENESS RAISING

9
12

12
12

9
12

6
12

3
12
- 7.1. Cyber threat analysis
  
  3
  3
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  Criteria
  A government entity has been assigned the responsibility for national-level cybersecurity and/or cyber threat assessments.
  Accepted references
  Legal act, statute, or official website
- 7.2. Public cyber threat reports
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  0
  3
  
  Criteria
  Public cyber threat reports and notifications are issued at least once a year.
  Accepted references
  Official website, official social media channel, or public report
- 7.3. Public cybersecurity awareness resources
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  3
  3
  
  Criteria
  Public authorities provide publicly available cybersecurity advisories, tools, and resources for users, organisations, and ICT and cybersecurity professionals.
  Accepted references
  Official website, public advisories
- 7.4. Cybersecurity awareness raising coordination
  
  0
  3
  
  3
  3
  
  0
  3
  
  3
  3
  
  0
  3
  
  Criteria
  There is an entity with the clearly assigned responsibility to lead and/or coordinate national cybersecurity awareness activities.
  Accepted references
  Legal act, official document, or official website
8. PROTECTION OF PERSONAL DATA

4
4

2
4

4
4

4
4

4
4
- 8.1. Personal data protection legislation
  
  2
  2
  
  2
  2
  
  2
  2
  
  2
  2
  
  2
  2
  
  Criteria
  There is a legal act for personal data protection that is applicable to the protection of data online or in digital form.
  Accepted references
  Legal act
- 8.2. Personal data protection authority
  
  2
  2
  
  0
  2
  
  2
  2
  
  2
  2
  
  2
  2
  
  Criteria
  An independent public supervisory authority has been designated and allocated powers to supervise personal data protection.
  Accepted references
  Legal act or official website

RESPONSIVE CYBERSECURITY INDICATORS

9. CYBER INCIDENT RESPONSE

14
14

11
14

9
14

6
14

0
14
- 9.1. National incident response capacity
  
  3
  3
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  Criteria
  There is a CERT designated with nationwide responsibilities for cyber incident detection and response.
  Accepted references
  Legal act or official website
- 9.2. Incident reporting obligations
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  0
  3
  
  Criteria
  Operators of critical information infrastructure and/or government institutions are obliged to notify the designated competent authorities about cyber incidents.
  Accepted references
  Legal act or official website
- 9.3. Cyber incident reporting tool
  
  2
  2
  
  2
  2
  
  0
  2
  
  0
  2
  
  0
  2
  
  Criteria
  A publicly available official resource is provided for notifying competent authorities about cyber incidents.
  Accepted references
  Official website
- 9.4. Single point of contact for international cooperation
  
  3
  3
  
  0
  3
  
  0
  3
  
  0
  3
  
  0
  3
  
  Criteria
  The government has designated a single point of contact for international cybersecurity cooperation.
  Accepted references
  Legal act or official website
- 9.5. Participation in international incident response cooperation
  
  3
  3
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  Criteria
  The national cyber incident response team (CSIRT/CERT/CIRT) participates in international or regional cyber incident response formats.
  Accepted references
  Official website or official document
10. CYBER CRISIS MANAGEMENT

9
9

5
9

5
9

0
9

0
9
- 10.1. Cyber crisis management plan
  
  2
  2
  
  0
  2
  
  0
  2
  
  0
  2
  
  0
  2
  
  Criteria
  The government has established a crisis management plan for large-scale cyber incidents.
  Accepted references
  Legal act or official website
- 10.2. National cyber crisis management exercises
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  0
  3
  
  Criteria
  Regular interagency cyber crisis management exercises or crisis management exercises with a cyber component are arranged at the national level at least every other year.
  Accepted references
  Exercise document, official website, or press release
- 10.3. Participation in international cyber crisis exercises
  
  2
  2
  
  2
  2
  
  2
  2
  
  0
  2
  
  0
  2
  
  Criteria
  The country participates in an international cyber crisis management exercise at least every other year.
  Accepted references
  Exercise document/website or press release
- 10.4. Operational crisis reserve
  
  2
  2
  
  0
  2
  
  0
  2
  
  0
  2
  
  0
  2
  
  Criteria
  A mechanism for engaging reserve support has been established to reinforce government bodies in managing cyber crises.
  Accepted references
  Legal act or official website
11. FIGHT AGAINST CYBERCRIME

13
16

11
16

13
16

6
16

6
16
- 11.1. Cybercrime offences in national law
  
  3
  3
  
  3
  3
  
  3
  3
  
  3
  3
  
  3
  3
  
  Criteria
  Cybercrime offences are defined in national legislation.
  Accepted references
  Legal act
- 11.2. Procedural law provisions
  
  0
  3
  
  3
  3
  
  0
  3
  
  0
  3
  
  3
  3
  
  Criteria
  Legislation defines the powers and procedures for cybercrime investigations and proceedings and for the collection of electronic evidence.
  Accepted references
  Legal act
- 11.3. Ratification of or accession to the Convention on Cybercrime
  
  2
  2
  
  0
  2
  
  2
  2
  
  0
  2
  
  0
  2
  
  Criteria
  The country has ratified or acceded to the Council of Europe (CoE) Convention on Cybercrime.
  Accepted references
  Legal act on Convention ratification or accession, website of the CoE Treaty Office
- 11.4. Cybercrime investigation capacity
  
  3
  3
  
  3
  3
  
  3
  3
  
  3
  3
  
  0
  3
  
  Criteria
  Law enforcement has a specialised function and capacity to prevent and investigate cybercrime offences.
  Accepted references
  Legal act or official website
- 11.5. Digital forensics capacity
  
  2
  2
  
  2
  2
  
  2
  2
  
  0
  2
  
  0
  2
  
  Criteria
  Law enforcement has a specialised function and capacity for digital forensics.
  Accepted references
  Legal act, statute, official document, or official website
- 11.6. 24/7 contact point for international cybercrime
  
  3
  3
  
  0
  3
  
  3
  3
  
  0
  3
  
  0
  3
  
  Criteria
  The government has designated an international 24/7 point of contact for assistance on cybercrime and electronic evidence.
  Accepted references
  Official website, legal act or statute
12. MILITARY CYBER DEFENCE

6
6

4
6

6
6

4
6

0
6
- 12.1. Military cyber defence capacity
  
  2
  2
  
  2
  2
  
  2
  2
  
  2
  2
  
  0
  2
  
  Criteria
  Armed forces have designated units responsible for the cybersecurity of military operations and/or for cyber operations.
  Accepted references
  Legal act, statute, other official document or official website
- 12.2. Military cyber doctrine
  
  2
  2
  
  0
  2
  
  2
  2
  
  0
  2
  
  0
  2
  
  Criteria
  The tasks, principles, and oversight of armed forces for military cyber operations are established by official doctrine or legislation.
  Accepted references
  Legal act, official doctrine, or official website
- 12.3. Military cyber defence exercises
  
  2
  2
  
  2
  2
  
  2
  2
  
  2
  2
  
  0
  2
  
  Criteria
  Armed forces have conducted or participated in a cyber defence exercise or an exercise with a cyber defence component in the past three years.
  Accepted references
  Official website or official document