National Cyber Resilience Index
The National Cyber Resilience Index is a measure that reflects the state of cyber resilience in Southeast Asia. It is operationalized as the capacity to lower the likelihood/probability of cyber attacks and the capacity to reduce the impact of cyber attacks.
Below is an executive summary in presentation format.
The full report will be available in May 2022.
The Findings: What is the state of cyber resilience in Southeast Asia?
Singapore is considered a resilient state, with a high capacity to lower the likelihood of attacks and a high capacity to reduce their impact. This is no surprise, as Singapore has been leading the region in cybersecurity efforts. Malaysia and Thailand are considered cyber resistant countries.
All other economies in the region fall under the vulnerable category. The Philippines, for example, is right at the threshold for the capacity to lower the probability of an attack. With improvements in the capacity to protect, identify, and detect cyber threats, it can be considered a cyber resistant country in the near future. Laos and Cambodia, on the other hand, are far behind their neighbors in terms of resiliency.
The position of the states in the NCRI plot also reveals a policy implication: regional initiatives should also focus on “responsiveness”. As of 2021, only Singapore has met the responsiveness threshold. Most Southeast Asian countries have invested some efforts towards protecting their systems, but to be able to withstand the growing cyber risks, responding, recovering and adapting should be given attention as well. It is time for the region to shift from mere cybersecurity to a mindset of cyber resilience.
Country-specific scores
What is the state of cyber resilience in Southeast Asia?
Scores per country are shown below. A larger area in the radar chart reflects a more cyber resilient state.
The NCRI offers some insights on strategic priorities for each country.
The Index: What is the Structure of the NCRI?
For the NCRI, the capacity to reduce probability (Pillar 1) is composed of two domains: 1) the ability to protect critical data and services, and 2) the ability to identify and detect intrusions. The capacity to reduce the impact (Pillar 2) is likewise composed of two domains: 1) the ability to respond to and recover from an attack, and 2) the ability to adapt or build back better.
Overall, the NCRI is composed of two (2) pillars, four (4) domains, twelve (12) indicators, and thirty-six (36) questions.
How are countries categorized?
Vulnerable: low capacity to lower probability, low capacity to reduce impact
Resistant: high capacity to lower probability, but low capacity to reduce impact
Responsive: low capacity to lower probability, but high capacity to reduce impact
Resilient: high capacity to lower probability, high capacity to reduce impact
The Methodology
What are the sources for the indicators used in the NCRI?
Several indicators were selected for each domain, mainly coming from the ITU, e-Governance Academy, the Network Readiness Index, and the World Economic Forum’s Executive Opinion Survey 2018-2019. Indicators are weighted equally and scored on a scale of 0-100, with a simple average calculated for each pillar.
How are the scores normalized?
All of the indicators selected are on a scale of 0-100, with higher scores indicating better outcomes for cyber resilience. For raw data that is not on the same 0-100 scale, a minimum-maximum normalization method is used to transform it to that scale.
What is the threshold used for the NCRI?
The NCRI sets a high threshold (a score of 67 in each pillar) for a country to score “high”. This translates to a country meeting at least two-thirds of the indicator score before it can be considered “resistant”, “responsive”, or “resilient”.
As noted by the World Economic Forum, there is currently no benchmark for resilience. Thus there is an opportunity to set the bar high.
Conceptually, setting a high threshold is also due to the recognition that even those with an almost perfect score still get hacked and that being categorized as “resistant” or “responsive” is not easy to achieve. In terms of policy, a higher threshold also lends a sense of urgency and importance to cyber resilience, with the aim of pushing policymakers to take the necessary action as soon as possible.
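The scoring pipeline described in the methodology (min-max normalization, equal-weight pillar averages, the threshold of 67, and the four categories) can be sketched as follows. This is an added example, not the NCRI authors' code: the indicator names and values are constructed, and treating a score exactly equal to 67 as "high" is an assumption.

```python
# Added example of NCRI-style scoring; indicator names and values are constructed.
THRESHOLD = 67  # per-pillar bar for "high", as stated in the methodology


def min_max(value, lo, hi):
    """Rescale a raw value to 0-100 with min-max normalization."""
    if hi == lo:
        raise ValueError("min equals max; indicator cannot be normalized")
    if not lo <= value <= hi:
        raise ValueError(f"raw value {value} is outside [{lo}, {hi}]")
    return 100.0 * (value - lo) / (hi - lo)


def pillar_score(indicators):
    """Equal-weight simple average of 0-100 indicator scores."""
    if not indicators:
        raise ValueError("pillar has no indicators")
    for name, score in indicators.items():
        if not 0 <= score <= 100:
            raise ValueError(f"{name} is outside 0-100: {score}")
    return sum(indicators.values()) / len(indicators)


def categorize(p1, p2, threshold=THRESHOLD):
    """Map pillar scores (lower probability, reduce impact) to a category.
    Assumption: a score equal to the threshold counts as high."""
    high_p1, high_p2 = p1 >= threshold, p2 >= threshold
    if high_p1 and high_p2:
        return "Resilient"
    if high_p1:
        return "Resistant"
    if high_p2:
        return "Responsive"
    return "Vulnerable"


def score_country(pillar1, pillar2):
    """Return (pillar 1 score, pillar 2 score, category) for one country."""
    p1, p2 = pillar_score(pillar1), pillar_score(pillar2)
    return round(p1, 1), round(p2, 1), categorize(p1, p2)


# Constructed sample: one raw survey value on a 1-7 scale is normalized first.
SAMPLE_P1 = {"protect_a": 80, "protect_b": min_max(5.5, 1, 7),
             "detect_a": 70, "detect_b": 61}
SAMPLE_P2 = {"respond_a": 55, "recover_a": 62, "adapt_a": 48}

if __name__ == "__main__":
    print(score_country(SAMPLE_P1, SAMPLE_P2))
```

A country that clears the bar only on Pillar 1, as in this constructed sample, lands in the "Resistant" quadrant regardless of how far above 67 it scores there.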