How is the security of your organization evolving? How does it compare with other companies? With the proliferation of security threats and attacks, it can be challenging for companies to assess how many resources should be spent on mitigating potential problems. Risk assessments do not exist in vacuum, and in a competitive environment such as the Icelandic marketplace, companies often look to one another for comparison and advice on how much risk is deemed acceptable. To encourage companies to better monitor their security readiness and to facilitate comparison of security readiness between companies, Syndis has defined a security index, ÖRVÍS, that captures the absolute and relative standing of Icelandic companies when it comes to susceptibility to common attacks.
Syndis conducts numerous security assessments in Iceland every year. The outcomes of these assessments are statistics that we can combine and use as a stable metric for the responsiveness to security threats. In particular, we measure the proportion of a company who fall for phishing attacks and the severity of the response, the attack surface of the web browsers at the company, weighing more serious problems more aggressively than relatively minor concerns. The resulting measure is normalized to range between 0 and 100, where 0 denotes perfect security as measured by the assessment, and 100 suggests deplorable security practices. We track the values of the assessments for each industry sector, allowing for longitudinal and categorical comparisons.