National Information Security Index in Korea

1. Global Standards Collaboration (GSC) 14 National Information Security Index in Korea Heung Youl YOUM Chairman of Korea ITU-T SG17 Committee, TTA

2. What is information security index? • Numerous efforts to measure the ICT performance and track progress and evaluate the ICT effect and use for governments, operators, researchers, and industries; • For example, ITU DI (Development Index), WEF NRI (Network Readiness Index); • However, there is only one Index in the information security area: Internet secure server. • Only deals with specific vendor’s SSL certificates, that is, lack of completeness. • The IS (Information Security) index can be regarded as metric to evaluate the current level of a country’s information security.

3. ITU-ICT Development Index • ITU ICT DI [March 2009] • Compares developments in ICT over a five-year period from 2002-2007. • Based on 11 ICT indicators, grouped in 3 dimensions: • For ICT access potion; • Fixed telephone lines per 100 inhabitants; Mobile cellular telephones per 100 inhabitants; International Internet bandwidth per Internet user; Proportion of households with a computer; Proportion of households with Internet access at home. • For ICT use portion; • Internet users per 100 inhabitants; Fixed broadband Internet subscriber per 1000 inhabitants; Mobile broadband subscriber per 100 inhabitants. • For ICT skill portion; • Adult literacy rate; Second gross enrolment ratio; Tertiary enrolment rate.

4. WEF NRI • WEF NRI (Network Readiness Index)-2009 • Measure the degree of preparation of a country to participate in and benefit from ICT developments, released in March, 2009. • 48 indicators grouped into three dimensions; • For the environment portion; • Market environment; Political and regulatory environment; Infrastructure environment. • For readiness portion; • Individual readiness; Business readiness; Government readiness. • For the usage portion; • Individual usage; business usage; government usage.

5. Korea National Information Security Index • National Information Security Index-2008 • to evaluate the current status of the performance of IS and help policy makers in developing the further IS policies. • Twelve indicators, grouped into three categories: • For Infrastructure; • Firewall; IDS; Antivirus; Security Patch deployment; Internet secure server; • For Environment; • Awareness/training; IS Staff or manager; IS Budget; • For Negative impacts; • Security breaches; PI leakage; SPAM;

6. Challenges- What should we do? • No globally agreed Indices or Indicators in information security area; • Difficult to develop the indicators taking fast changing IS services and technologies into account; • No globally agreed IS indicators or IS index that can be used for comparison by many economies or countries; • No guarantee of accuracy of data collected by the economies for the indicators; • Necessary to develop the indices or indicators to help in measuring the performance of Information Security policy and track progress in Information Security.

7. Next Steps/Actions • An IS index • a key toolkit for evaluating the performance of IS Policy and figure out the current status. • Proposed steps for developing the global IS index; • Identify the fundamental indicators for construction of the index; • Converting from absolute value to relative value; • Converting the indicators to index value; • Aggregate the index value; • ITU-T could be a suitable place to develop the globally agreed indicators for the IS index. • TTA plans to develop a domestic standards for this IS index, contribute to the globally agreed IS index or indicators in ITU-T.

8. Proposed Resolution • Proposed to modify Resolution GSC13/11: Cyber Security (revised) as follows; • In recognizing clause, add one item: “that the globally agreed IS indicators or indices play an critical role in measuring IS performance;” • In Resolves clause, add one item; “work with the ITU and others to develop the IS indices or indicators;”