
Measuring cyber resilience at organisational level: opportunities and challenges

A study exploring whether, how, and under what conditions the cyber resilience of organisations in the Netherlands can be measured in a broadly applicable way to support evidence‑based cybersecurity policy

[Image: colourful digital network connection grid on a dark background. Photo by your123/Adobe Stock]

What is the issue?

Governments increasingly recognise that not all cyber incidents can be prevented. As organisations grow more dependent on digital technologies, the concept of cyber or digital resilience – the ability to anticipate, withstand, absorb, recover from, and adapt to cyber incidents – has become central in Dutch cybersecurity policy.

However, no standard, validated method exists to measure the level of cyber resilience of organisations in the Netherlands. Existing indicators (e.g. national statistics on cyber incidents) do not operate at the organisational level, and the government lacks systematic insight into whether resilience is improving or where interventions are most effective.

The lack of measurement hampers strategic policymaking and obscures where vulnerabilities and strengths lie across sectors.

How did we help?

This study examines whether the cyber resilience of Dutch organisations can be made measurable, and if so, how and under what conditions.

To answer this, the research team:

  • Conducted a targeted literature review, identifying 18 relevant measurement approaches and frameworks.
  • Held expert interviews with Chief Information Security Officers (CISOs) of key Dutch organisations, inspectors, researchers, and cybersecurity practitioners.
  • Ran internal analytical workshops to synthesise findings and explore pathways to obtaining more insights into organisational-level resilience.

The study adopted the Dutch National Coordinator for Counterterrorism and Security’s (NCTV’s) definition of digital resilience and analysed how existing tools address various phases of resilience (identify, protect, detect, respond, recover) as well as types of measures (technical, procedural, and organisational measures).

What did we find?

The existing frameworks and tools we identified for assessing digital resilience focus largely on qualitative evaluation and lack empirical validation. Nevertheless, we found that several of these frameworks could serve as useful foundations for future measurement methods, depending on whether the goal is benchmarking basic cyber resilience, assessing readiness across resilience phases, or compiling sector-specific data for deeper policy analysis.

What can be done?

Rather than attempting to develop a fully-fledged method that captures all aspects determining an organisation’s resilience, an iterative approach should be adopted, beginning with the development of indicators for one or two components (e.g. on post-incident recovery) before gradually expanding to other domains.

To enhance insights into cyber resilience while avoiding additional burdens on organisations, new reporting requirements, such as those introduced under the NIS2 Directive, could potentially be leveraged to obtain relevant data that was not previously available to public authorities. Participation and data sharing can be further encouraged by providing practical feedback or support based on the collected information.

Project Team