How we will measure success in 2026.
Mansfeld-Südharz, Germany - November 12, 2025
Ask a hundred CIOs what cyber resilience means and you will receive a hundred mission statements that all sound convincing but dissolve the moment someone demands a number. We faced the same fog when the county council requested a budget line for the Cyber Resilience Alliance. Politicians were happy to champion “more security,” but the finance committee wanted a denominator it could defend to constituents and to Brussels auditors alike. The result is a compact set of fifteen indicators that will be published every January starting in 2026, each designed to be countable by a trainee accountant, comparable across EU regions, and meaningful to an SME that has never employed a security manager. The list is not proprietary; it is being released under Creative Commons so that any cluster, chamber or insurer can fold it into its own reporting without paying a licence fee. What follows is a walk-through of the logic, the maths and the early baseline we captured during the pilot year, so that next year’s figures can be debated in public instead of whispered in corridors.
The first family of indicators tracks exposure reduction. Indicator one is Mean Patch Latency: the average number of hours between public disclosure of a critical CVE and the moment the last production asset in the county is either patched or isolated. We chose hours instead of days because chemical plants run 24-hour shifts and because the EU CSIRT network already timestamps disclosure at the hour level, giving us an objective starting gun. During 2025 the county baseline averaged 72 hours, roughly half the German national median recorded by BSI but still above the 24-hour aspiration written into the forthcoming NIS2 executive order. The figure is collected automatically via a read-only API that pulls version strings from Windows WSUS, Linux apt caches and Schneider Electric firmware gateways; no manual survey is required, which keeps the audit cost below 0.02 € per endpoint per year. Because the metric is published township by township, a valve manufacturer in Sandersdorf can see that its own 38-hour performance pulls the county average downward, while a packaging firm in Zerbst that still needs 190 hours becomes visible to insurers without anyone naming names. The resulting peer pressure is not coercion; it is transparency monetised.
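As an added illustration, not part of the Alliance's published methodology or code, the following Python computes indicator one from a constructed inventory feed using the "last asset in scope" rule described above, with the township breakdown; the record layout, field names and sample values are assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed sample feed (not real county data): one row per (CVE, asset).
# remediated_at is the time the asset was patched OR isolated; None means
# the asset is still exposed.
RECORDS = [
    {"cve": "CVE-EXAMPLE-0001", "disclosed_at": "2025-03-01T08:00:00Z",
     "asset": "plc-01", "township": "Sandersdorf", "remediated_at": "2025-03-02T22:00:00Z"},
    {"cve": "CVE-EXAMPLE-0001", "disclosed_at": "2025-03-01T08:00:00Z",
     "asset": "hmi-07", "township": "Zerbst", "remediated_at": "2025-03-09T06:00:00Z"},
    {"cve": "CVE-EXAMPLE-0002", "disclosed_at": "2025-05-10T12:00:00Z",
     "asset": "plc-01", "township": "Sandersdorf", "remediated_at": "2025-05-11T00:00:00Z"},
    {"cve": "CVE-EXAMPLE-0002", "disclosed_at": "2025-05-10T12:00:00Z",
     "asset": "fw-gw-02", "township": "Zerbst", "remediated_at": "2025-05-12T06:00:00Z"},
    {"cve": "CVE-EXAMPLE-0003", "disclosed_at": "2025-06-01T00:00:00Z",
     "asset": "plc-01", "township": "Sandersdorf", "remediated_at": "2025-06-01T10:00:00Z"},
    {"cve": "CVE-EXAMPLE-0003", "disclosed_at": "2025-06-01T00:00:00Z",
     "asset": "hmi-07", "township": "Zerbst", "remediated_at": None},
]

def _ts(s):
    # ISO-8601 with trailing Z; fromisoformat() needs +00:00 before Python 3.11
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def per_cve_latency(records, township=None):
    """Hours from disclosure until the LAST in-scope asset was patched or
    isolated, per CVE. A CVE with any still-exposed asset maps to None."""
    worst = {}
    for r in records:
        if township is not None and r["township"] != township:
            continue
        cve = r["cve"]
        if r["remediated_at"] is None:
            worst[cve] = None          # one exposed asset pins the CVE open
            continue
        if cve in worst and worst[cve] is None:
            continue                   # already pinned open, stays open
        hours = (_ts(r["remediated_at"]) - _ts(r["disclosed_at"])).total_seconds() / 3600
        worst[cve] = max(worst.get(cve, 0.0), hours)
    return worst

def mean_patch_latency(records, township=None):
    """Indicator one: mean over fully closed CVEs of the per-CVE latency.
    Returns None when nothing in scope is closed yet (report as 'open')."""
    closed = [h for h in per_cve_latency(records, township).values() if h is not None]
    return mean(closed) if closed else None
```

Note that the county figure is driven by the slowest township for each CVE, which is exactly the "peer pressure" effect the indicator is designed to make visible.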
Indicator two moves from patch speed to architectural depth: Percentage of Critical Assets Under Zero-Trust Segmentation. We define critical not by balance-sheet value but by shutdown consequence: if stopping the asset would halt the main production line for more than four hours, it enters the numerator. Segmentation means that the asset’s control plane is only reachable through an authenticated proxy that enforces least-privilege per session. The measurement is performed once per quarter using a five-packet probe sent from the Alliance’s federated identity gateway; if the probe reaches the asset without presenting a valid JSON Web Token signed by the gateway, the asset is marked unsegmented. Pilot data shows 61 % compliance across 312 production lines, but the scatter is wide: automotive suppliers score 88 %, food processors 42 %. The spread tells the regional development bank which sectors need subsidised hardware tokens first, allowing grant money to be directed before a mandatory audit rather than after a breach.
The third headline number is Human Latency to Phish, effectively a live-fire test of security culture rather than of technology. Every member organisation receives four carefully calibrated phishing emails per year, timed to avoid holiday seasons and crafted to match current threat intelligence. The metric is the median time between email delivery and the first employee reporting the message via the “Report Phish” button. We do not count clicks; we count reports, because we want to reward detection rather than punish failure. County-wide median in 2025 was 3 hours 12 minutes, better than the 4-hour target recommended by ENISA but worse than the 45-minute gold standard achieved by Nordic financials. The raw data is anonymised at source; only the median is published, so no individual worker can be singled out, satisfying both works-council rules and GDPR minimisation. Over the next two years we expect the curve to bend downward as the same training content is delivered in German, Turkish and Russian, covering 87 % of the industrial workforce without resorting to English-only modules that historically depress engagement in rural plants.
"What gets measured gets funded—and what gets funded gets done twice as fast when the spreadsheet is public."
Operational continuity is captured by a single composite indicator we call the Resilience Half-Life: the average number of minutes it takes for a service to be restored to at least 80 % throughput after a controlled incident. The incidents are not table-top fantasies; they are real events that occur during the quarterly red-team exercise, ranging from ransomware detonation in a DMZ VM to the complete loss of a 110 kV feed at the industrial park substation. The measurement stops the moment production packets flow again, not when root cause is found, because county councillors care about business interruption, not about forensic elegance. During 2025 the half-life averaged 92 minutes, with the best-performing site—a dairy—back online in 11 minutes thanks to an air-gapped failover cluster, and the worst—a speciality chemical reactor—taking 4 hours 38 minutes because safety legislation requires manual purging before restart. Publishing both extremes prevents the metric from collapsing into a feel-good average while still giving planners a single figure to defend when they request budget for uninterruptible power upgrades.
Financial resilience is quantified through Cyber Insurance Premium Delta: the year-on-year percentage change in the average premium paid by county SMEs for a standard 5-million-euro cyber policy. The delta is calculated via anonymised submissions from two local brokers who underwrite 78 % of the regional market. A negative delta implies that insurers perceive reduced risk; a positive delta waves a red flag. Between 2024 and 2025 the delta was –8 %, the first negative figure recorded in Germany since 2021, suggesting that the collective mitigation measures are visible to underwriters. The insurers themselves emphasise that the drop is modest and conditional—premium reductions are retracted if patch latency rises above 96 hours or if phishing-report rates fall below 25 %—but even a small reversal demonstrates that resilience investments can be monetised within twelve months, a pay-back window that finance directors understand without further translation.
The final published figure is the Sovereignty Index, a percentage that expresses how much of the county’s critical telemetry is processed inside German legal jurisdiction. The numerator covers logs, NetFlow, employee identity attributes and industrial OT alerts; the denominator is the same data set before the Alliance’s sovereign cloud went live. Starting at 42 % in January 2025, the index crossed 90 % in October and is expected to reach 96 % by mid-2026 when the last legacy SIEM contract expires. The index is audited by a Big-Four firm that issues a comfort letter suitable for EU CSIRT submissions, giving county officials a ready-made answer when citizens ask where their data sleeps at night. Because the measurement methodology is licensed under Creative Commons, any other region can copy the index and benchmark itself against Anhalt-Bitterfeld without paying a consultancy retainer, turning sovereignty from a marketing slogan into a comparable figure auditors can tick off.
Taken together, these fifteen indicators do not describe a perfect county; they describe a county that is measurably improving in public. The 2026 report will be released at the annual Cyber Resilience Fair each January, printed on recycled paper and simultaneously published as an open-data set in CSV and STIX format. If we meet every target, the average SME will patch within 24 hours, 90 % of critical assets will live behind zero-trust proxies, phishing reports will arrive within 60 minutes, the resilience half-life will drop below 45 minutes, insurance premiums will fall another 5 % and the sovereignty index will touch 96 %. More importantly, those numbers will belong to the public domain, not to a vendor, which means that success can be copied without permission and failure can be criticised without an NDA. In a continent that drafts strategies faster than it implements them, that single act of publishing might be the most resilient metric of all.
The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.