Global cyber benchmarking study

Executive summary

Based on a survey with international cyber experts, the global cyber benchmarking study analyzes governments’ responses to cyberattacks and their holistic and hybrid approach to cyber resilience in eleven countries on four continents
Cyber security is increasingly embedded in national policy to drive economic growth and technological leadership, creating a strong foundation for broader cyber resilience
Public-private collaboration and international alignment are central to turning policy into holistic and hybrid cyber resilience across borders
Regulatory frameworks and capacity building – especially data privacy and information security laws – are essential to building cyber capacity
The evolving legal landscape, including cyber security policies, reinforces protection of individual rights and supports coordinated cyber governance in a rapidly changing threat environment

1 Introduction

Understanding global cyber threats and the path to cyber resilience

Cyber threats continue to grow globally and present key risks to organizations and society, both digitally as well as increasingly intertwined with the physical world. Countries worldwide consistently rank cyberattacks among the most severe risks they face, demonstrating the urgent need to strengthen cyber resilience.

Our global cyber benchmarking study evaluates strategies and actions governments are taking in response to these challenges, analyzing their holistic and hybrid approach to cyber resilience. We surveyed cyber experts on four continents to identify and assess cyber security policies in eleven countries: Canada, Germany, France, Hong Kong, Israel, Morocco, the Netherlands, Singapore, South Africa, Tunisia, and Ukraine.

We argue that only a holistic and hybrid approach to cyber resilience will suffice. A nation can only attain cyber resilience by leveraging the entire cyber toolkit across both the public and private sectors and by protecting all infrastructure in the digital, physical, and human spheres. With the Cyber Skyward Curve, we introduce a practical tool designed to improve holistic and hybrid cyber resilience.

2 Trends

Global cyber trends and shifts in cyber resilience

There are three fundamental trends shaping how countries approach cyber resilience:

1.
The growing integration of cyber security into broader national goals
Countries are increasingly embedding national cyber security strategies into broader national goals such as technological leadership, public safety, and economic prosperity. This interconnected approach enhances hybrid and holistic cyber resilience, ensuring that cyber security is not discussed and applied within a silo, but is always taken into account when making decisions on all national policy priorities and strategic goals.
2.
The commitment to public-private collaboration and international alignment
Across three dimensions – national standards, organizational capabilities, and legislation – the analyzed countries demonstrate a strong commitment to fostering public-private collaboration on holistic and hybrid cyber resilience. Moreover, countries increasingly seek international alignment on cyber security standards to spread cyber resilience initiatives through shared learning and collective action.
3.
Emphasis on the interaction between regulatory frameworks and capacity building
Countries are increasingly capitalizing on the interaction between regulatory frameworks and capacity building to transmit cyber security measures. Comprehensive laws on information security and data privacy help establish clear governance and compliance mechanisms. Once in place, these mechanisms incentivize investment in developing cyber security skills and capabilities.

3 Dimensions

Building cyber resilience across key dimensions

Our analysis reveals underlying patterns within three dimensions, showing how countries translate cyber security policies into action.

National standards

National cyber security strategies are being integrated into broader national priorities while incorporating international best practices, with an emphasis on adapting to rapid technological change.

Organizational capabilities

Countries are centralizing cyber capabilities within dedicated agencies responsible for policy enforcement, incident response, national coordination, and international collaboration, supported by investments in research, education, and skills development.

Legislation

More countries are putting in place comprehensive legal frameworks aimed at cyber risk management and information security. National data privacy legislation reflects a growing emphasis on the protection of individual rights.

4 Cyber Skyward Curve

Cyber Skyward Curve: A framework for advancing cyber resilience

Our Cyber Skyward Curve traces what each stage of holistic and hybrid cyber resilience signifies for a given country and is intended to serve as a framework that can be tailored for each nation.

The curve consists of four phases: Fragmentation and vulnerability, bureaucratic hurdles, policy maturation, as well as cultural integration and enforcement. This framework allows policymakers and their private sector counterparts to assess current progress and anticipate potential obstacles, while enhancing the general debate about cyber security policies that boost holistic and hybrid cyber resilience.

Phase 1: Fragmentation and vulnerability

In the first phase, the Cyber Skyward Curve exhibits a low level of resilience due to weak transmission of very early-stage cyber security policies. Undeveloped cyber policies leave states vulnerable to all types of cyber threats, with a fragmented national framework landscape resulting in gaps and inconsistencies in cyber security measures. Policymakers must build a unified understanding of cyber security challenges facing the country and boost collaboration between public and private sector organizations to identify weaknesses in the early-stage cyber security framework.
Phase 2: Bureaucratic hurdles

At this point, bureaucratic hurdles and inefficient enforcement of existing policies hinder more advanced and nationally uniform policies. This results in increasing regulatory complexity, slow decision-making, poor implementation, as well as additional gaps in an already weak protective system and further damage overall resilience. To overcome these challenges, policymakers must introduce streamlined processes, bolster coordination between all relevant actors, and allocate adequate resources and training for enforcement agencies.
Phase 3: Policy maturation

This phase comprises clear policies with a high level of maturity, equipped with effective enforcement mechanisms, resulting in significantly enhanced national resilience. Policymakers must maintain momentum by ensuring that new policies and processes respond and adapt to the evolving threat landscape. The main risks during this phase are potential complacency and misalignment between policy development and technological progress.
Phase 4: Cultural integration and enforcement

In the last stage of our framework, efficient enforcement policies and corresponding cultural change continue to improve hybrid and holistic cyber resilience. Cyber security has become a clear priority and is incorporated into core strategies. Policymakers must focus on fostering cyber security culture through education and public awareness initiatives on both national and international levels. Given the global nature of cyber security threats, only international cooperation on standards and policies can sustain the upward trend in resilience.

5 Conclusion

Building a lasting culture of cyber resilience

Countries are increasingly integrating cyber security into broader national goals, leveraging public-private collaboration and international alignment to achieve holistic and hybrid cyber resilience. Regulatory frameworks combined with capacity building are delivering robust and long-term resilience.

However, establishing national strategies, organizational structures, and legislation is only the beginning. To address emerging risks and prevent complacency, countries must cultivate a deep awareness and culture of cyber resilience across all levels of society.

Jonas Piduhn co-authored this report. The authors would like to thank Andreas M. Lang, André Glenzer, David Uhrig, Tobias Vosecky, Maximilian Friedmann, Carsten Hoffmann and Fabian Wick for their further contributions.

Global cyber benchmarking study

Methodology

Our survey consisted of 40 questions based on three core dimensions: national standards, organizational capabilities, and legislation. National standards examines cyber security strategy and cyber security standards covering organizational and technical methods, IT security products, and certifications. Organizational capabilities assesses the establishment and functions of dedicated cyber security agencies, public-private sector coordination, and capacity development measures including professional training, education programs, research and development, and industry support. The legislation dimension investigates information security laws and data privacy regulation covering data subject rights, organizational and technical measures, risk assessments, and data transfer requirements.