Security is not a feeling but a measurable state. Although there are global and European comparisons of cybersecurity, Slovakia lacks a unified, domestically usable metric. The goal is to create an index that will show the level of resilience of the state, sectors, and individual organizations.
Why we need to measure security
International indices assess countries based on available data and rules, but they do not distinguish the specifics of Slovak sectors. The European framework focuses mainly on regulation, criminal law requirements, and selected capacities. That is important, but it is not sufficient for practical planning of improvements in specific sectors or companies.
For decision-making we need numbers, not impressions. A manager should be able to ask "where are we today" and "where do we want to get to" and receive a clear answer. Such a perspective will make it possible to track trends, compare across sectors, and invest purposefully in what brings the greatest benefit to resilience.
Where the data will come from and how they will be processed
The main sources will be anonymized audit results, data from self-assessments, surveys among unregulated entities, and information collected from educational institutions. In surveys, bias needs to be minimized, so for the general public telephone data collection will be preferred over exclusively online questionnaires. All data will be processed in such a way that individual organizations cannot be identified.
Technical, organizational, and human aspects are to be measured. These include, for example, vulnerabilities and their remediation, incidents and the time to detect them, the degree of compliance with rules, process maturity, certifications, people’s qualifications, and relationships with third parties. Subjective assessments will be converted into numbers using proven semi-quantitative methods.
From numbers to capability and an index
The target parameter is capability—the ability of an organization to achieve the required level of security and resilience. Various attributes affect it differently: some increase capability as their value grows, while others decrease it as incidents or data leaks accumulate. Therefore, weights will be introduced to reflect these influences and make it possible to compose the result into a single comprehensible number.
The output will be an index normalized on a 0 to 100 scale, publishable for the state, sectors, and businesses. The weights may change over time to reflect new threats and priorities, such as a greater emphasis on human resources. Before publication, a professional discussion with the community will take place so that the index is practical, comparable, and accepted in practice.
