Context in the measurement of cyberresilience indicators at the national level

Posted date 27/10/2022
Context in the measurement of cyberresilience at the national level

Context in the measurement of cyberresilience Indicators at the national level

All organizations, regardless of their size or infrastructure, are exposed to suffer the consequences of cyberthreats. In fact, as noted by the National Cybersecurity Institute (INCIBE, Instituto Nacional de Ciberseguridad), 109,126 cybersecurity incidents were managed during 2021.

Among those affected, 90,168 corresponded to citizens and companies and 680 to critical and essential strategic operators. Within the typology of incidents, almost 30% involved incidents related to malware and malicious software, followed by 28,6% fraud and 18,89% attacks on vulnerable systems. These data confirm the trends in cybersecurity incidents in recent years. The increase in the volume of information that organizations must manage results in a higher risk of security breaches, so investing in the development of strategies based on cyberresilience, with which to protect these assets, becomes a priority today.

Unfortunately, companies are poorly prepared to deal with and manage cyberincidents, whether provoked or unprovoked. This is mainly due to the lack of technical measures and procedures to mitigate them, lack of information or resources to deal with them or the lack of evidence with which to assess the real capacity of the organization to continue with the development of its activity after a cyberattack

Based on this situation, the National Institute of Cybersecurity launched in 2014 its model of Cyberresilience Indicators Improvement (CII), with the purpose of improving and knowing the state of cyberresilience in organizations.

This model allows organizations to measure their capabilities to anticipate, resist, recover and evolve in the face of cyberincidents that may affect the provision of their services. It consists of 4 targets, corresponding to the aforementioned cyberresilience capabilities, and 9 functional domains: cybersecurity policy, risk management and training; vulnerability management and continuous monitoring; incident management and continuity management; configuration and change management; and communication

IMC 4 goals

- CII goals: anticipate, resist, recover and evolve. -

Since its inception, and after successfully performing numerous measurements on a wide range of organizations, the model has continued to evolve to adapt as best as possible to the needs and circumstances of the entities. This 2022, INCIBE, together with the Cybersecurity Coordination Office (OCC, Oficina de Coordinación de Ciberseguridad), is once again disseminating this initiative, which is already considered the reference model for measuring cyberresilience at the national level.

Why are these types of projects important?

Traditional security measures are not enough. Advances in social engineering, as well as in malware and the detection of system vulnerabilities allow attackers to quickly infiltrate organizations' computer systems, so detecting security breaches in advance and having procedures in place for better response and recovery after an incident is essential.

This type of projects and initiatives for the measurement of Cyberresilience Indicators Improvement provide a global vision of the state of resilience of the Spanish business fabric, over a wide range of organizations, essential services (OSE, Operadores de Servicios Esenciales) and other strategic entities, as well as numerous sectors (tourism, industry, associations...).

They also provide numerous benefits:

  • Improvements in system security. These "queries" or measurements on the different operators allow organizations to identify their strengths and weaknesses within the strategic-institutional framework of network security, information systems and other assets, as well as in the management of risks and security incidents. In addition, the analysis of the data collected during the measurement, as well as the sharing of these analyses with the organizations by means of individual anonymized reports, provides security managers with a reliable status of their organization and an annual comparison of its evolution and with respect to the other operators belonging to their sector and environment.
  • Reputational protection. A cyberresilient organization will have greater control over security breaches and the leakage of sensitive information that could affect its image. In turn, it allows maintaining the trust of suppliers, customers and the public.

  • Competitive advantage: by allowing an organization to have a shorter recovery time with which to guarantee the continuous provision of its services.

  • Reduced economic losses: assuming that no organization is immune to cyberattacks, it is estimated that the average cost of a successful cyberattack increased by 30% in the last year to €15,300. However, there are cases where this cost amounted to more than €25,000 or even several million euros. In the case of a cyberresilient organization, the effect of the attack, as well as the financial losses, will be reduced.

  • Finally, it allows a roadmap of improvements to be drawn up within organizations, while providing a starting point with which to continue to enrich the National Security Scheme (ENS, Esquema Nacional de Seguridad), in its cybersecurity aspect, when applying specific standards and requirements for the measurement of cyberresilience within organizations.


Understanding the cybersecurity challenges facing the Spanish business community is a necessity. All organizations are equally exposed to suffer cyberincidents, both external and internal, but the most important thing is to be able to give them the tools with which to analyze their defences and vulnerabilities, as well as the necessary recommendations to implement effective protection measures in a proactive way.