Cyber Metrics for Key Decision-Makers

Digital, data and cyber | Report | October 2, 2025

Zurich Insurance Group, in collaboration with the Cyber Threat Alliance and CyberGreen Institute, has released a new report, Cyber Metrics for Key Decision-Makers, calling for the adoption of standardized national cyber security metrics to address the growing global cyber risk protection gap.

The gap is currently estimated at USD 0.9 trillion, with insured losses covering only 1% of economic losses from cyber incidents.

The report highlights that while frameworks from organizations like ENISA and CISA exist at the corporate level, there is a critical lack of national-level metrics to inform policy decisions. To bridge this gap, the report introduces six actionable metrics for governments:

  1. Percentage of organizations with cyber insurance or audit certification – Gauges preparedness and awareness of cyber security risks.
  2. Proportion of exploited vulnerabilities older than one year – Indicates the speed and effectiveness of ecosystem defense and remediation.
  3. Number of significant cyber incidents – Reflects national detection and analysis capabilities.
  4. Average time to containment of cyber incidents – Demonstrates the ability to halt the spread of threats.
  5. Mean time to restore operations – Assesses the speed of recovery after incidents.
  6. Percentage of unfilled cyber security positions – Measures workforce capacity to manage risks.

The report advocates for the creation of national cyber statistics bureaus, dedicated institutions to collect, analyze and publish these metrics. Such bureaus would enable consistent incident reporting, track threats and resilience, and assess the effectiveness of security regulations. They could also support a supra-national body to aggregate findings, facilitating global comparisons and deeper insights into evolving threats.

Key recommendations for policymakers:

  • Collaborate on data collection: Shift from reactive incident reporting to proactive, cross-sector data sharing.
  • Establish dedicated entities: Create or empower national and global institutions to collect, analyze and report cyber statistics across industries and borders.
  • Harmonize standards and frameworks: Align definitions, benchmarks and reporting protocols to enable meaningful comparisons and informed decision-making.

By adopting these measures, policymakers can move from fragmented, reactive approaches to a unified, data-driven strategy, strengthening national cyber resilience and closing the cyber risk protection gap.

Read the full report here.