66Some researchers note that in the last few years “the emphasis has changed from a focus on transnational, terrorist threat actors to a framing of cyber security in terms of defense and increasingly offensive capabilities against cyber criminals, state actors and their proxies.”67
60ASSESSING CYBER SECURITYFinally, one consideration that emerges from the analysis of the existing strategies as well as from OECD consultation with non-governmental stakeholders is that cyber security policy should be much more evidence-based and rely more on data and indicators rather than subjective perceptions.68CYBER THREATS TO:COUNTRYCRITICAL INFRASTRUCTUREDEFENSE CAPABILITIESECONOMIC PROSPERITYGLOBALIZATIONNATIONAL SECURITYPUBLIC CONFIDENCE IN ICTSOCIAL LIFEAUS●●●●●CAN●●●●●CZE●●●○DEU●●●○ESP●●●○EST●●○●FRA●○●●GBR●●●●●IND●●○JPN○●●●●LTU●○○●LUX●●○NLD●○●○●●NZL●●●○ROU●●○●UGA●●●USA○●●●ZAF●●○●Count1851831597NOTE: ●– EXPLICITLY DEFINED; ○– IMPLICITLY REFERENCEDTABLE 2. CYBER THREATS IN NCSSSOURCE: LUIIJF, E., K. BESSELING, AND P. DE GRAAF.
HCSS REPORT61CYBER THREATS FROM:COUNTRYACTIVISM/ EXTREMISTSCRIMINALS/ ORGANIZED CRIMEESPIONAGEFOREIGN NATIONS/ CYBER WARTERRORISTSLARGE-SCALE ATTACKSMISMATCH OF TECHNOLOGY AND SECURITYAUS●●●CAN●●●●○CZE●●●DEU●●●●●●ESP○●●●●○EST●●●FRA●●●●GBR●●●●●●IND●●○JPN○○●●●LTU●●LUX●NLD●●●●●NZL●●●●ROU●●●●●UGA●●●○USA○●●●○ZAF●Count51811131392NOTE: ●– EXPLICITLY DEFINED; ○– IMPLICITLY REFERENCEDTABLE 3. CYBER THREAT ACTORS IN NCSSSOURCE: LUIIJF, E., K. BESSELING, AND P. DE GRAAF.4.2 Responses by EU firms and citizensA national cyber security strategy is a high-level approach demonstrating the attention to cyber security issues on the part of national governments. Still, the overall level of national cyber security is largely determined by the actions of millions of organizations and individual users of ICT. In this section we will briefly review existing data on cyber security awareness and preparedness of the EU organizations and citizens.69
62ASSESSING CYBER SECURITY4.2.1 Size mattersOne way to judge the cyber security preparedness of an individual enterprise is to see whether it has a formally defined cyber security policy70, which can be viewed as an analogue of an NCSS at an enterprise level. A Eurostat survey shows that an answer to this question strongly depends on a company’s size: 65% of large enterprises (defined as having more than 250 employees) had such a policy, while this percentage drops to 43% for medium enterprises (between 50 and 250 employees) and further to 22% for small enterprises (less than 50 employees).