1 Introduction

In order to promote worldwide government strategies for improving cyber security, the Global Cybersecurity Index (GCI) was created (GCI 2020a and 2020b). Many detailed sub-indicators were defined in such a way that they can be quantified, freeing the relevant stakeholders from the need for unduly complicated analysis (GCI 2020a). Based on this subset of detailed indicators, five indicators, “pillars”, were defined in a further aggregation step (for details, see GCI 2020a):

  • Legal (L) measures

  • Technical (T) tools to defend against cyberattacks, including response teams

  • Organizational (O) aspects, i.e. national institutions to assure cybersecurity

  • Capacity-building (CB) framework for certification; accreditation on a national level (the pillar that is most closely related to scientific activities)

  • Cooperation (CP): “tackling cybercrime requires multi-stakeholder approaches” (GCI 2020a)

The final GCI is defined by a weighted sum of the above five pillars (for details, see GCI 2020a).

We present more detail about the GCI data set, the selection principles, and the transformations applied in Sect. 2. The question for us concerns the role played by the pillars in the final ranking. To find a preliminary answer to this question, the eleven countries with the highest ranking according to GCI (GCI 2020a) were examined in more detail: it is clear that this selection involves some bias in the findings, as is presented hereafter. In order to define the question more precisely, it is restated below.

We are interested in what role the five individual pillars play in a ranking. As our focus is not on the numerical details of the pillars, we infer a coarse data set here based on a discretization process (see below): instead of the original values as given in (GCI 2020a), we classify the data in terms of five equidistant classes (for a discussion, see also Sect. 4.2). The class scores then form the basis for the subsequent discussion. As the main aim is to produce a ranking, we apply partial ordering based on the five pillars, namely {L, T, O, CB, CP}. The analysis will be performed using the following four steps:

  (1) Visualization of the partial order of the eleven countries based on the values of the five pillars (discretized), as shown in Sect. 3.1. We will identify subsets of countries that can be mutually compared, with the five pillars characterizing them with respect to ranking. Partial order can be represented by graphs and those graphs have a structure—for example, the set of isolated elements (see below).

  (2) Assessment of the impact of the pillars on the partial order, as described in Sect. 3.2: In other words, how we can understand the influence of the pillars on the structure of the above graphs.

  (3) Clarification of the special location of the countries as per (1), discussed in Sect. 3.3. As will be shown, it turns out that two countries out of eleven are isolated. Tripartite graphs will be used to clarify the role that the pillars play in this isolation.

  (4) Derivation of a synthetic indicator without the need to insert subjective knowledge in order to circumvent stakeholder concerns about how to find weights for the pillars. See Sect. 3.4.

Figure 1 shows a scheme, clarifying our main steps.

Fig. 1 From ordering the countries (global scale) to the need for an analysis of small enterprises (local scale)

In contrast to the global point of view expressed in the GCI, our approach is also concerned with local enterprises, at the other end, so to speak, of the cybercrime security concept. While large companies have implemented their own IT departments and recognized the importance of information security, small and medium-sized enterprises (SMEs) have insufficient or few resources to deploy in defending themselves against cyberattacks. This is where the complex project “Awareness Laboratory SME (ALARM) information security”—funded by the German Federal Ministry for Economic Affairs and Energy (BMWi)—comes in. Therefore, the discussion also includes an application of the mathematical method for enterprises, with some more details about the project in Sect. 4. An outlook is given in Sect. 5.

2 Material and Methods

This section presents details about the GCI data set, the selection principles based on (GCI 2020a), and the resulting transformations. Some basics of partial order are outlined below for the convenience of the reader; there are many introductory texts available in the literature.

2.1 Data

In (GCI 2020a), eleven highly committed countries are selected that have good values in the legal (0.179 < L ≤ 0.2) and organizational pillars (0.177 < O ≤ 0.2): for the sake of clarity, this data handling is referred to as “preselection”. Table 1 shows the data of all five pillars for the selected countries. Although the data in Table 1 is the result of a preselection based on the values of the two pillars L and O, we feel that the methodological aspects are still of interest (see also Sect. 4.2).

Table 1 The eleven highest-ranked countries and their data for the five pillars (abbreviations: ISO-3166 ALPH-2 code, international standard), with the data oriented such that higher values are better than lower values

To create class scores, the coarsening is performed as follows, in line with Bruggemann and Patil (2011):

For each pillar \(q_j\) and object, labelled by i, the minimum value \(\min_j := \min\{q_j(i) : i = 1, \dots, 11\}\) and the maximum value \(\max_j := \max\{q_j(i) : i = 1, \dots, 11\}\) are identified (Table 1), and thus the respective data range \(I(q_j)\) is found.

Selection of the number of subintervals \(I_k(q_j)\), k = 1, …, K. Here we arbitrarily select K = 5. A score \(s(q_j)\), for the ith object, is defined as follows:

\(s(q_j)(i) = k - 1\) if and only if \(q_j(i) \in I_k(q_j)\), with:

\(I_k(q_j) := \min_j + [k-1, k) \cdot \frac{\max_j - \min_j}{K}, \quad k = 1, \dots, K\)

[k − 1, k) is a half-open interval for k < K and a closed interval for k = K, i.e. [K − 1, K].

In order to make the operating mechanism of the formula given above more understandable for readers, we offer a few didactic comments at this point:

  • With the arbitrary definition of K = 5, the possible scores are 0, 1, 2, 3, and 4.

  • The minimum (min) value of the scores in each column (Table 2) of a single pillar is 0.

  • The maximum (max) value of the scores in each column (Table 2) of a single pillar is 4.

  • For K = 5, the interval on the right is closed.

  • If the data from column j is in the interval Ik, the value is given the score k − 1.

Table 2 Class scores of the eleven countries for the five-pillar data matrix

Creating class scores using such a procedure leads to a coarsening of the original data, making it easier to recognize specific features. Table 2 shows the results of the new data matrix.
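The coarsening rule above can be written out as follows. This is an added example, not code from the paper or from PyHasse; the object names and raw values are constructed, and exact decimal arithmetic is an implementation choice so that values lying on an interval edge land in the intended class.

```python
from fractions import Fraction

# Constructed raw data: four hypothetical objects, two pillars (higher is better).
# The second column mimics a preselected pillar with a narrow range (0.18 to 0.2).
RAW = {
    "A": (0.10, 0.200),
    "B": (0.12, 0.180),
    "C": (0.20, 0.190),
    "D": (0.155, 0.180),
}


def class_scores(values, K=5):
    """Return the class score k-1 for every value of one pillar.

    I_k = min + [k-1, k) * (max - min) / K, with the last interval closed,
    so the column maximum gets score K-1 instead of falling outside.
    """
    # Fractions built from the decimal text keep edges such as 0.12 exact.
    q = [Fraction(str(v)) for v in values]
    lo, hi = min(q), max(q)
    if lo == hi:
        # Assumption for the degenerate case (no spread): one class, score 0.
        return [0] * len(q)
    width = (hi - lo) / K
    # int() floors here because (v - lo) / width is never negative;
    # min(..., K-1) implements the closed right end [K-1, K].
    return [min(int((v - lo) / width), K - 1) for v in q]


def score_matrix(raw, K=5):
    """Discretize every pillar (column) independently and return the profiles."""
    objs = list(raw)
    columns = zip(*(raw[o] for o in objs))
    scored = [class_scores(col, K) for col in columns]
    return {o: tuple(col[i] for col in scored) for i, o in enumerate(objs)}


if __name__ == "__main__":
    for obj, profile in score_matrix(RAW).items():
        print(obj, profile)
```

Because minimum and maximum are taken per column, the narrow second column is still stretched over the full score range 0 to 4.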

From Table 2, one can immediately see that the pillars L and O do not show much differentiation in this highly ranked set of eleven countries (eight instances of the score of 4 for the pillars L and O). This is clearly in line with the preselection explained above, because instead of the variety of data over the range from 0 to 1, the preselection restricts the range to values from 0.179 (L) and 0.177 (O), respectively, up to 0.2. Nevertheless, some differences are evident, e.g. Malaysia (MY) and Norway (NO) in the Legal pillar (L), and Estonia (EE) and Norway (NO) in the Organization pillar (O).

The ordered sequence of the data for a certain object—for example, for Malaysia (row MY in Table 2)—is called a data profile, for example MY: (0, 4, 4, 4, 0).

In line with Backhaus et al. (2000), the Spearman correlation matrix shows—when applied to the discretized data—that there is not much correlation between the five pillars (Table 3). The two pillars Legal (L) and Cooperation (CP) reveal the highest correlation. However, the maximal correlation value between L and CP is 0.614: Hence—from a statistical point of view—all five pillars can justifiably contribute to the GCI. Even L and O, which, on the basis of the preselection, have high values, are less strongly correlated, with a correlation value of 0.482. All in all, we argue that Table 1, and consequently the data in Table 2, could be one of the bases for the methodological approach that we want to present.

Table 3 Spearman correlation

2.2 Methods and Hasse Diagrams

As mentioned above, we want to examine the role the five pillars play in the ranking. Any single pillar may induce a weak order (i.e. ties are allowed). In order to understand the effect of a multi-pillar system, it is natural to check what happens when an intersection of all five weak orders (corresponding to the five pillars) is performed. This task is better understood if we change our point of view, namely from a focus on the role of data to the role of relations.

Suppose one pillar qj1 induces for the set {a, b, c, d} an order

a < c < d < b

based on the values of qj1(a), qj1(b), qj1(c), qj1(d).

Note that the labels a, b, c, and d may stand for any four of the countries considered in the GCI study.

From the point of view of relations, it is now necessary to look at pairs that are consistent with the ordering above: if, based on the values of a pillar, it is found that x is less than y (x < y), then we denote this by a pair (x, y) and call x and y comparable.

Applying this “rule”, the ordering effect of qj1 is to generate a set of pairs (we denote “generate” with an arrow):

qj1 → {(a, c), (a, d), (a, b), (c, d), (c, b), (d, b)},

omitting the pairs such as (a, a), (b, b).

Let us now suppose a second pillar qj2 which induces an order

c < a < b < d

and leads to:

qj2 → {(c, a), (c, b), (c, d), (a, b), (a, d), (b, d)}.

What is the order the two pillars have in common?

{(a, c), (a, d), (a, b), (c, d), (c, b), (d, b)} ∩ {(c, a), (c, b), (c, d), (a, b), (a, d), (b, d)}

The resulting intersection set is:

qj1 ∩ qj2 → {(a, b), (a, d), (c, b), (c, d)}.

The pair (b, d) is not an element of qj1 ∩ qj2. The objects b and d are mutually incomparable (shorthand notation: b || d). Such an intersection can also be graphically displayed, wherein the objects a, b, c, d are drawn as little circles and a line goes from x to y if and only if (x, y) is an element of the intersection set.

In the example, we could draw a graph as follows (Fig. 2):

Fig. 2 The Hasse diagram, drawn as per the conventions of the software package PyHasse (see Bruggemann et al., 2014)

The graph shown in Fig. 2 represents a partial order of a set of objects. The concept “partial order” becomes clear because it is a generalization of orders in which, most evidently, there is no longer mutual comparability between all the objects. For example, there is no connecting line from a to c. This is an incomparability, and the appearance of incomparability, e.g. for a and c, becomes clear when the single orders (i.e. the orders based on exactly one pillar) are considered. For pillar qj1, a is less than c (a < c), while for pillar qj2, a is greater than c (a > c). There is a conflict between these two pillars, and this is shown by the graph or by the intersection set, which no longer consists of six possible pairs but only of four.

A partial order is conveniently visualized by a Hasse diagram (see Fig. 2) and there is plentiful literature explaining how a partial order can be visualized in this manner (see, for instance, Annoni et al., 2017; Bruggemann & Patil, 2011; Newlin & Patil, 2010; Carlsen, 2005; Voigt et al., 2004). However, here might be the right place to define some important notions based on the visualization in the Hasse diagram:

  • Maximal element: An object that has no connected upper neighbours in the Hasse diagram. In Fig. 2, d and b are maximal elements.

  • Minimal elements: An object that has no connected lower neighbours in the Hasse diagram. In Fig. 2, a and c are minimal elements.

  • Isolated elements: Objects which are at the same time maximal and minimal elements. In Fig. 3, the vertices MY and SG indicate isolated elements, thus displaying a special data profile.

  • Chain: A subset of objects that are mutually comparable. In Fig. 2 {a, d} is a chain. The subset {a, c, d} is not a chain, because a and c are incomparable.

  • Anti-chain: A subset of objects that are mutually incomparable. In Fig. 2 {a, c} is an anti-chain, denoted by a || c. A subset {a, b, c} would be neither an anti-chain nor a chain, because a < b and c < b, however a || c.
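The intersection of the two single-pillar orders and the notions defined in this list can be computed directly for the {a, b, c, d} example. This is an added example, not code from the paper or from PyHasse; it generalizes slightly beyond the text by allowing ties within a pillar, and the function names are illustrative.

```python
from itertools import combinations

# Rank positions taken from the two single-pillar orders in the text
# (a higher rank means a larger value of that pillar).
PILLARS = {
    "qj1": {"a": 0, "c": 1, "d": 2, "b": 3},  # a < c < d < b
    "qj2": {"c": 0, "a": 1, "b": 2, "d": 3},  # c < a < b < d
}


def leq_pairs(pillar):
    """Pairs (x, y), x != y, with x <= y under one pillar (ties allowed)."""
    return {(x, y) for x in pillar for y in pillar
            if x != y and pillar[x] <= pillar[y]}


def common_relation(pillars):
    """Intersection of all single-pillar relations."""
    return set.intersection(*(leq_pairs(p) for p in pillars.values()))


def structure(pillars):
    """Strict order, Hasse edges and the special elements of the poset."""
    objs = sorted(next(iter(pillars.values())))
    common = common_relation(pillars)
    # (x, y) and (y, x) both present would mean identical profiles (x equivalent y).
    order = {(x, y) for (x, y) in common if (y, x) not in common}
    # Hasse diagram lines: x < y with no z strictly in between.
    edges = {(x, y) for (x, y) in order
             if not any((x, z) in order and (z, y) in order for z in objs)}
    maximal = [x for x in objs if not any(lo == x for lo, _ in order)]
    minimal = [x for x in objs if not any(hi == x for _, hi in order)]
    return {
        "order": order,
        "hasse_edges": edges,
        "maximal": maximal,
        "minimal": minimal,
        "isolated": [x for x in objs if x in maximal and x in minimal],
        "incomparable": [(x, y) for x, y in combinations(objs, 2)
                         if (x, y) not in common and (y, x) not in common],
    }


def pillar_split(pillars, x, y):
    """Pillars voting x < y and pillars voting x > y (the source of a conflict)."""
    below = [name for name, p in pillars.items() if p[x] < p[y]]
    above = [name for name, p in pillars.items() if p[x] > p[y]]
    return below, above


if __name__ == "__main__":
    for key, value in structure(PILLARS).items():
        print(key, sorted(value))
    print("a vs c:", pillar_split(PILLARS, "a", "c"))
```

A pair is incomparable exactly when `pillar_split` returns two non-empty lists, which is the conflict between pillars described for a and c above.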

Fig. 3 Left: Hasse diagram based on the data in Table 2. Right: Hasse diagram based on the reduced multi-pillar system {L, O, CB, CP}, meaning that the T pillar is left out. Note that in this case GB also represents US, i.e. they are equivalent

What are the advantages of looking at data sets relationally, as in Fig. 2?

  • It allows us to see basic structures in the data.

  • It allows us to see how far a ranking is possible taking all the indicators into account. The tool of interest is the concept of chains, because each chain allows a ranking restricted to a subset of objects.

  • Possible conflicts in data are evident, because an incomparability implies that there is no co-monotony, as explained in detail above.

It should be pointed out that the relational aspect has the disadvantage that if the data have a metric, then the role of numerical distances is lost. Independently of how much the value of one indicator for one object is less than that for another object, the relation “ < ” is kept. Recently, based on the discussion of the role of noise, some aspects of metrics are retained (Bruggemann & Carlsen, 2016).

3 Results

We follow the logic, trying to rank as much as possible, based on Table 2. This is performed by the construction of a Hasse diagram. As the Hasse diagram is the result of five pillars, it is of interest how the single pillars influence the structure of the Hasse diagram. Isolated elements as a striking feature of the structure of the Hasse diagram are considered more closely. Here, the tool “Tripartite Graphs” was applied for three countries (GB, SG, and MY).

The Hasse diagram does not allow a complete comparison of the countries. Therefore, a method is applied that does not need to find weights for the pillars and nevertheless arrives at a weak order. Such an order facilitates a decision based on rankings.

3.1 Ranking by Hasse Diagrams

A Hasse diagram can be constructed on the basis of the data in Table 2. Here, the intersection must be applied to five sets of country pairs. The result is shown in Fig. 3 (left).

The Hasse diagram in Fig. 3 (left) shows six minimal elements. Four of them, Lithuania (LT), Spain (ES), Canada (CA), and Australia (AU), are located at the lowest level; the other two, Estonia (EE) and Norway (NO), are on a higher level. There is one maximal element, namely the United Kingdom (GB). In Fig. 3 (right), based on only four pillars (pillar T is left out), the UK (GB) is still a maximal element, but now it is equivalent to the United States of America (US). In Fig. 3 (right), under the reduced system of pillars, there are only three minimal elements, namely Canada (CA), Estonia (EE), and Norway (NO). Furthermore, there are two countries, Singapore (SG) and Malaysia (MY), that are isolated. It is striking that the isolation of these two countries is invariant relative to the change of the system of pillars. The question of why SG and MY are isolated is explored in Sect. 3.3.

In detail, the following can be read from Fig. 3 (left) (note the orientation: the higher, the better):

  • According to the chains ES < US < GB and LT < US < GB, the security control increases from Spain and Lithuania to the United States of America and the United Kingdom. This means that, with respect to this three-element subset, we arrive at a ranking, without the need to find an aggregation.

  • There are other three-element chains, and they differ from each other in the data profiles that lead to incomparability, such as CA < FR < GB, where four incomparabilities (FR || US, FR || ES, CA || US, and CA || ES) separate this chain from the first one.

  • There are different anti-chains, such as US, FR, EE, NO or GB, SG, MY, indicating specific deficits. This can only be explained at the level of the five pillars. A sample analysis is given in Sect. 3.3.

  • When the T pillar, technology, is left out, the length of the chains increases because one pillar, pillar T, which might cause conflicts, is no longer present (Fig. 3, right).

  • By the T pillar, the countries US and GB are discriminated. In Fig. 3 (left) (presence of T) US < GB, whereas without T, it is found US ≅ GB (Fig. 3, right).

3.2 Impacts of Each Pillar on the Partial Order

3.2.1 Idea

As discussed in Sect. 3.1, the five pillars lead to a partial order among the eleven countries that has a certain structure (the location of countries, chains, anti-chains). What happens if one pillar is left out? How is the structure of the partially ordered set affected?

3.2.2 Procedure

The adjacency matrices (see, for example, Clark & Holton, 1994) of the partially ordered set are checked: once with all five pillars (matrix AD5) and five times with only four (matrices AD4(j), j = 1, …, 5), omitting one pillar. For example, AD4(1) is the adjacency resulting from the pillars q2, q3, q4, q5, where pillar q1 is disregarded. The influence of each pillar (“sensitivity measure of pillars”) is measured by the Euclidean distance (squared) between AD5 and AD4(j), j = 1, …, 5.
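The leave-one-pillar-out procedure can be sketched as follows. This is an added example, not code from the paper or from PyHasse: the objects P, Q, R, S and their class scores are constructed, and the matrix used here is assumed to hold a 1 at (x, y) whenever x ≤ y in every retained pillar (the page does not say whether the full relation or only the Hasse diagram lines are stored).

```python
PILLAR_NAMES = ("L", "T", "O", "CB", "CP")

# Constructed class scores (0..4) for four hypothetical objects.
SCORES = {
    "P": (4, 0, 4, 4, 4),
    "Q": (4, 3, 4, 2, 3),
    "R": (3, 4, 4, 1, 2),
    "S": (4, 1, 3, 4, 0),
}


def relation_matrix(scores, keep):
    """0/1 matrix of the partial order restricted to the pillar indices in keep."""
    objs = sorted(scores)
    return [[int(x != y and all(scores[x][j] <= scores[y][j] for j in keep))
             for y in objs]
            for x in objs]


def squared_distance(m1, m2):
    """Squared Euclidean distance between two matrices of equal shape."""
    return sum((a - b) ** 2
               for row1, row2 in zip(m1, m2)
               for a, b in zip(row1, row2))


def sensitivity(scores, names):
    """Distance between the full order (AD5) and each reduced order (AD4(j))."""
    indices = list(range(len(names)))
    full = relation_matrix(scores, indices)
    result = {}
    for j, name in enumerate(names):
        reduced = relation_matrix(scores, [i for i in indices if i != j])
        result[name] = squared_distance(full, reduced)
    return result


if __name__ == "__main__":
    for name, value in sensitivity(SCORES, PILLAR_NAMES).items():
        print(f"{name:>2}: {value}")
```

With 0/1 entries the squared distance simply counts the comparabilities that appear once a pillar is removed; in this constructed data, dropping T creates four of them and dropping CB one.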

3.2.3 Result

When testing each pillar by leaving it out and checking the partial order as described above, it turned out that the T pillar is most important. The sensitivity measures are shown in Fig. 4, while the Hasse diagram obtained without including technology is shown in Fig. 3 (right). As can be seen from a comparison of the two Hasse diagrams in Fig. 3, Singapore (SG) and Malaysia (MY) are still isolated. The inclusion of the technology pillar within the multi-pillar system increases the number of proper minimal elements from 3 to 6. Hence, the Technology pillar is fairly crucial for a ranking.

Fig. 4 Impact of the five pillars on the partial order (measured by squared Euclidean distances between the corresponding matrix representations of the partial order—for details, see Bruggemann & Patil, 2011)

As can be expected, the preselection led to less numerical diversity among the eleven countries, which is amplified by the coarsening process. Consequently, the bars for L and O in Fig. 4 are low. This indicates that omitting these two indicators has little influence on the partial order. A high impact on the partial orders is indicated by those bars in Fig. 4 that have high values. If one of these indicators—for example, the T or CB pillar—is omitted from the multi-pillar system, then the partial order will drastically change, i.e. the Hasse diagram would be significantly enriched by new comparability (see, for example, in Fig. 3 the effect of leaving out the T pillar).

3.3 Why are the Data of Malaysia (MY) and Singapore (SG) Incomparable with Each Other and with those of the United Kingdom (GB)?

In Sect. 3.1, we showed that Singapore (SG) and Malaysia (MY) are isolated in the Hasse diagram. The question “Why are they isolated?” leads us back from the relational point of view (visualized by the Hasse diagrams in Fig. 3) to the data point of view.

Firstly, inspection of Table 2 shows that the low-class score for the Cooperation pillar (CP) is common for the countries MY and SG. Because no other country has such low scores in the CP pillar, the two countries do not have any connections downwards.

Secondly, as shown in the previous section, the Technology pillar (T) has the most influence on the relational structure, i.e. on the partial order. However, the three countries GB, SG, and MY remain incomparable independently of whether or not the T pillar is regarded as a member of the system of pillars. Hence, the T pillar cannot cause the incomparability shown by GB, MY, and SG. Which pillars and which values cause the anti-chain {GB, MY, SG}? Here the concept of the tripartite graph can be helpful (see Fig. 5). It is explained and applied in several publications (see, for example, Bruggemann & Voigt, 2011). Nevertheless, some further explanations may be convenient here.

Fig. 5 Tripartite graph of the three countries GB, SG, and MY

3.3.1 Basic Construction

The graph, shown in Fig. 5, consists of three parts. At left and right, the labels of the pillars are listed as a column. In the middle of the graph, the pairs of countries are located that can be formed from the set {GB, SG, MY}. We want to know: 1) Why are MY and SG mutually incomparable? and 2) Why are these two countries not connected with one of the other countries? Here we selected GB as a representative. Note that the order of the two countries within the pair (middle part of the graph) is irrelevant and is defined by convention.

3.3.2 Connection by Lines

A line from one of the pillars on the right to a pair (x, y) indicates that, with respect to this pillar, x < y. A line from the pillars on the left indicates that, for this pillar, x > y. Therefore, the same pillar cannot be connected with an object pair (x, y) from both sides.

3.3.3 Why SG || MY?

Checking, for example, the Legal pillar (L), one can see that this line is connected from the left with the pair (SG, MY), whereas the Technology pillar (T) is connected with the same pair from the right. That means that the L pillar in Fig. 5 causes SG > MY, whereas the T pillar, as well as the Organization (O) pillar, causes SG < MY—this leads to conflicts. Therefore, the pillars L and T (or O) explain the incomparability of MY with SG (and vice versa).

3.3.4 Role of CB and CP

In Fig. 5, the pillars CB and CP are striking, because CP has no lines corresponding to the relation x > y, whereas CB has no lines corresponding to x < y. In particular, we can see from Fig. 5 that for the pair (SG, MY) no line can be drawn to the Capacity-Building pillar (CB) or the Cooperation pillar (CP). Checking Table 2 makes clear that for both countries CB = 4.0 and CP = 0.0.

3.3.5 No Connection Between MY and SG and the Nine Other Countries

GB is selected as an example, as it has the most comparabilities to other countries (Fig. 3, left).

In addition, those pillars which cause conflicts for the pairs (SG, GB) and (MY, GB) also explain why SG and MY are in the peculiar location they occupy in the Hasse diagram (Fig. 3, left and right). In both cases, the CB pillar (lines on the left in Fig. 5) and the CP pillar (lines on the right in Fig. 5) are responsible for the incomparability of SG and MY with GB. Moreover, for the pair (SG, GB) the T pillar and the O pillar are also connected on the right side in Fig. 5; for the pair (MY, GB), the same is true of the L pillar.

As Fig. 3 (left) shows, the United Kingdom, GB, is the optimal case based on the GCI data on worldwide government strategies for improving cybersecurity. This is true regardless of whether we compare the original eleven countries (left) or—by ignoring the Technology pillar—the remaining eight countries (in Fig. 3, right). In combination with Fig. 5 and the introductory explanation of the five pillars, it can be seen that the indicators Cooperation (CP) and the scientific background of Capacity Building (CB), in particular, seem to cause Singapore, SG, and Malaysia, MY, to be isolated.

3.3.6 Summary

Summarizing the explanations above, Hasse diagrams allow insights into the data structure, as exemplified by the isolation of the countries SG and MY on the basis of the GCI data. The additional question “How do indicators and their values create this structure?” can be answered by using the tool Tripartite graph, which shows that CP and CB are the two indicators causing this structural feature. It should be clear that this tool can also be applied to investigate why SG or MY are incomparable with the other nine countries. The Tripartite graph may then be more complex and reveal its analytical potential, albeit at the expense of clarity.

3.4 Ranking Without Weighting the Single Pillars—the Construction of a Synthetic Indicator

3.4.1 Idea

As mentioned above, the GCI is a composite indicator, based on pillars qj, j = 1, …, 5.

\(\mathrm{GCI}(x) = \sum_{j=1}^{5} w(j) \cdot q_j(x), \quad x \in X\), the set of countries.

Weighting by w(j) reflects stakeholder opinions and corresponds to a global point of view. In general, weighting is difficult and a great deal of information based on the single pillars is lost, as in any averaging process, and is obviously subjective. Nevertheless, a ranking that does not depend on weighting the pillars can be important as some kind of standard.

3.4.2 Procedure

Here the mathematical tools of partial order theory help to find a ranking without the need to define weightings of the pillars. We now apply one of the simplest methods, because a possible interpretation is easier to obtain than with more sophisticated methods. So, we use the method called Local partial order model (LPOM), discussed and explained in more detail in Bruggemann et al. (2004) and Bruggemann and Annoni (2014).

The steps for using this method are as follows:

  (i) Derive a quantity called average height (hav), which is obtained by an approximation of a combinatorial technique (see Trotter, 1992; Davey & Priestley, 1990).

  (ii) Then based on the average height hav(i) (see Winkler, 1982), the objects i = 1, …, 11 (for eleven countries) can be weakly ordered.
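The two steps can be carried out as in the following added example, which is not code from the paper or from PyHasse. The page names the method but does not print its formula; the example uses the LPOM0 approximation as given in the cited literature, hav(x) = |O(x)| · (n + 1) / (n + 1 − |U(x)|), where O(x) is the set of objects at or below x and U(x) the set of objects incomparable with x. The objects V to Z and their class scores are constructed, and profiles are assumed to be pairwise distinct.

```python
from fractions import Fraction

# Constructed class scores (0..4) for five hypothetical objects and five pillars.
# V < W < X form a chain; Y and Z are isolated.
SCORES = {
    "V": (0, 0, 1, 0, 2),
    "W": (2, 1, 3, 1, 2),
    "X": (4, 3, 4, 2, 4),
    "Y": (1, 4, 0, 3, 3),
    "Z": (0, 4, 4, 4, 0),
}


def leq(scores, x, y):
    """x <= y in the partial order: no pillar of x exceeds that of y."""
    return all(a <= b for a, b in zip(scores[x], scores[y]))


def average_heights(scores):
    """Step (i): LPOM0 average height of every object, as exact fractions."""
    n = len(scores)
    hav = {}
    for x in scores:
        down = sum(1 for y in scores if leq(scores, y, x))  # |O(x)|, includes x
        incomparable = sum(1 for y in scores
                           if not leq(scores, x, y) and not leq(scores, y, x))
        # The denominator is at least 2 because |U(x)| <= n - 1.
        hav[x] = Fraction(down * (n + 1), n + 1 - incomparable)
    return hav


def weak_order(scores):
    """Step (ii): groups of tied objects, from lowest to highest average height."""
    groups = {}
    for x, h in average_heights(scores).items():
        groups.setdefault(h, []).append(x)
    return [sorted(groups[h]) for h in sorted(groups)]


if __name__ == "__main__":
    for x, h in average_heights(SCORES).items():
        print(x, float(h))
    print(" < ".join(" ≅ ".join(group) for group in weak_order(SCORES)))
```

An isolated object always receives (n + 1)/2 under this formula, i.e. the middle of the scale, which is how ties such as W ≅ Y ≅ Z arise.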

3.4.3 Results

The sequence of eleven countries based on the selection from GCI is shown in Table 4.

Table 4 Ranking according to the local partial order method, variant 0 (LPOM0)

Based on Table 4, the following weak order is found:

AU < CA ≅ ES ≅ LT < NO ≅ EE < SG ≅ MY < FR < US < GB.

The GCI itself induces the following order (note: this is based on the data in Table 1):

AU < CA < NO < MY < ES < SG < EE < LT < FR < US < GB.

There is some coincidence in the two orders, which can also be verified by the value of 0.76 provided by the Spearman correlation. However, please note that there are

  (a) Different databases (Table 1 vs. the data in Table 2), and

  (b) Many ties within the partial order method (for example NO ≅ EE, MY ≅ SG), which actually shows a weak order.

3.4.4 Discussion

Although the partial order is a convenient tool for analysing multi-pillar systems on a relational basis, decision makers often want to see a complete order, i.e. a ranking that encompasses all objects of interest. However, in this paper, we have constructed a synthetic indicator, whose values serve as a ranking scalar. This simple method can lead to many ties, which could be considered a disadvantage from the point of view of decision makers.

In the following sections, the point of view of a decision maker will be discussed in a broader sense. In particular, we are interested in the question of how we should proceed when dealing not with countries (the global view) but with SMEs that are aware of cybercrime and want to promote strategies to improve their company’s information security.

4 General Discussion

After a brief summary of the results, we discuss some crucial points that would be relevant if the methodology were not the main focus but rather real decision-making. This includes the fact that a preselection was made (as found in GCI 2020a). In addition to this, we changed the data (see Sect. 2.1), which needs some attention. Both the preselection and our discretization of data have an influence on the sensitivity measures. We discuss the stakeholder’s point of view before we point out that a ranking position of a country is not only a matter of political decisions related to the country but also the consequence of the behaviour of particular companies.

4.1 Summary of Section 3

Using the partial order methodology in Sect. 3, it was shown that three of the five pillars in the GCI play a special role in the ranking of the data of the eleven countries, which were preselected by virtue of the high values in the Legal (L) and Organization (O) pillars:

  • The Technology (T) pillar has the most impact on the ranking, as it determines the positions of the countries in the Hasse diagrams, which can be understood as a pre-stage for a ranking.

  • The Capacity-Building (CB) and Cooperation (CP) pillars, which are responsible for the isolated positions MY and SG, shed light on the possible role of scientific development and the extent of stakeholder networking.

  • Finally, a ranking is possible without weighting the pillars, using a synthetic scalar provided by partial order methods. This avoids the difficult problem of finding weightings, w(j).

A ranking should help to adjust the behaviour of the ranked objects, meaning that it should motivate changes in the response to cybercrime, i.e. changes that ultimately result in new values in the pillars. A composite indicator like the GCI is, in our opinion, too intertwingled, because direct feedback resulting in management action is not possible or is difficult to obtain. A more nuanced picture can be gained using methods of partial order theory. Nevertheless, there are many critical points that should not be overlooked: These are discussed in Sect. 4.2.

4.2 Some Critical Points

4.2.1 Object Selection

In this paper we present results relating to countries that in general are highly ranked within a set of more than 190 countries, with preselection of the values in the L and O pillars. As we wanted to investigate the role of the individual pillars, we assumed that the bias caused by the preselection could be tolerated. The low correlation between the five pillars of the Spearman correlation shown in Table 3 confirms this assumption. In addition, it should be noted that—despite the preselection for high values in L and O—the countries are still quite nuanced in relation to the Legal and Organization pillars. However, further research is necessary to clarify the role of these two preselections.

4.2.2 Data Handling

We performed a coarsening of the numerical values for two reasons:

a) We wanted to avoid being distracted by numerical details, and

b) The Hasse diagram based on the original raw data (Table 1) delivers scant information: two levels and a few comparabilities (not shown).

Two aspects seem to be especially important:

  (i) The role of minimum and maximum values for each pillar, which needs some discussion, and

  (ii) The arbitrary selection of five intervals (K = 5)

When data are noisy and when outliers cannot be excluded, then the selection of a minimum and maximum directly from the observed data is not robust from a statistical point of view. More robust measures could be applied too as a means to find scores. However, within the context of this paper such a discussion would be more distracting than helpful.

Similarly, the role of K should be more closely examined: For example, by varying K. Indeed, partial order methodology is helpful in clarifying the role of K, indicating the number of intervals (see, for example, Bruggemann & Bartel, 1999). However, there is no space here to examine this point in further detail.

4.2.3 Sensitivity Measure

The impact of the five pillars for the graph—represented by the Hasse diagram—was found to be

T ≫ CB > CP ≫ O > L (see Fig. 4).

This is not a measure of the importance of the pillars, expressed by weightings within the aggregation formula to obtain GCI, but it could be a basis for an aggregation driven by partial order.

4.2.4 Stakeholder Knowledge

The decision to construct a synthetic indicator without the need for weighting pillars does not mean that we claim that this “parameter-free indicator” is the best. Here it may be the right place to remind the reader that the pillars are already the results of an aggregation process, in which subjective knowledge was already applied. It is merely the final step, where we demonstrate how to proceed when weightings should be avoided.

Stakeholder knowledge is important, even if this knowledge is only qualitative. Many highly sophisticated aggregation methods like PROMETHEE or the ELECTRE family (see, for instance, Figueira et al., 2005) can be regarded as models for the inclusion of stakeholder knowledge. A simple but transparent method involves the weighted sum of normalized indicators. The problem is how to find weightings, especially when the number of indicators is large. The qualitative knowledge of stakeholders, as useful as it might be, leads most often to uncertainties in the weightings. In Bruggemann and Carlsen (2021) an attempt is made to remedy this disadvantage, while maintaining partial order as a methodological framework.

4.2.5 Scenario

Even if we discuss the GCI and its pillars only for the eleven countries, the scenario is a global one and the GCI ranking should be considered as a means of triggering new actions in each country. In this context we suggest that the partial order methodology should be the instrument for better management feedback, because the role of the single pillars is immediately evident. We think that all the critical points mentioned above are important and need further research. More attention also needs to be given to the aspect of scale—in this case, macro or global. An improvement regarding cybersecurity should not merely be performed nationwide but must also start with large enterprises on a local scale moving down to individuals (“units”). We will discuss this “micro end” of the scale, especially the small or medium-sized enterprises, in the next section.

4.3 The Project Awareness Laboratory SMEs (ALARM) Information Security

4.3.1 Overview

So far the paper has focused on the global view, i.e. the national perspective. However, cybercrime in a country is the product of such crime practised against the different elements making up the country, i.e. individual, small, medium, and large institutions, and the society as a whole. The Awareness Laboratory SMEs Enterprises (ALARM) Information Security—funded by the German Federal Ministry for Economic Affairs and Energy for the period 1 October 2020 to 20 September 2023—focuses on some of these constituent elements. It creates an overall security scenario for suitable awareness-raising measures and provides support for SMEs to enable them to generally raise the level of information security in Germany.

An innovative process scenario with game-based analogue and digital experience-oriented learning sequences as well as “on-site attacks” will be developed within the next three years. This security process scenario is combined with awareness measurements and aims to develop a security maturity model for SMEs. It should lead to the urgently needed sensitization of managers and employees and to targeted human resource (HR) development in the individual SMEs of a kind that is currently not yet widely available. The ranking model described in the previous sections should be transferred to the process of raising awareness in SMEs across a country.

4.3.2 Specificities Based on the Focus on SMEs

SMEs must be aware of cyber criminality and react properly. Putting the focus on these micro units confronted with cybercrime not only implies that a highly intertwingled scalar—such as the GCI at the national level—is useful but also supplies indicators that directly reflect management activities. To be more precise, this means, for example, focusing on the CB pillar. The CB pillar should be composed of easily understandable indicators reflecting measures at the level of the units (learning process, methods of awareness). When these indicators are defined and quantified, then the next logical step is to return to a ranking. However, this brings us back to the question of how the indicators should be weighted. It is suggested that the qualitative nature of weights is reflected by sets of weightings. These, in turn, should be defined so as to reflect the specific situation of certain units, leading to an “individualized ranking”.

The ALARM Information Security project will create the readiness model as a self-help instrument for SMEs. In addition, information and IT security will be tangibly connected to increasingly digital work processes and given an emotional dimension to actively involve employees in the development of measures. However, building an information security management system in an SME should not be reduced to technical measures. Instead, a sustainable, company-wide information security culture based on lived experience is to be established (see Scholl, 2018, 2020 as well as Scholl & Ehrlich, 2020).

In the project, deficient areas of information security in important business processes are systematically investigated in conjunction with pilot SMEs and handicraft enterprises. On the basis of specific task activities, security and competence profiles are deduced in order to achieve sustainability on a broad scale. Best-practice guidelines with success stories from the companies involved are promulgated nationwide via associated transfer partners in a bid to appeal to other companies. Innovative operational awareness measurements generate maturity statements for an SME. Quality and result assurance combined with risk management and an accompanying evaluation are components of the impact analyses (Fig. 6).

Fig. 6 Transference of the GCI partial order method presented here to the “ALARM Information Security” project, showing the importance of “security awareness”, especially for SMEs with significant risk potential: the vulnerabilities of small suppliers can also endanger the production chains of larger companies. Picture source: Public domain, via Wikimedia Commons. Retrieved from: https://commons.wikimedia.org/wiki/File:The_Earth_seen_from_Apollo_17.jpg (picture accessed: 29 December 2020).

4.3.3 Toward a Mathematical Model

A typical problem arises when the focus of discussion shifts from countries to small or medium-sized enterprises. Usually, there is no separate department responsible for IT issues: hence it is very important to find efficient methods for educating employees. Here, the idea of a matching based on graph theory comes into play. This can be seen as a variant of optimization algorithms: a matching can be found between employees and different kinds of cyber or on-site attacks. The assignment process expressed by a matching graph (see Clark & Holton, 1994; Voß, 2010) should be optimized, i.e. an optimal matching should connect the most suitable pair (employee, cyberattack). Algorithms for such optimizations are well known, especially the Hungarian or Kuhn-Munkres algorithm in line with Clark and Holton (1994).
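The assignment step described above, sketched as an added example that is not part of the ALARM project's own material: the Kuhn-Munkres algorithm matches each employee group to one awareness exercise so that total suitability is maximal. The employee groups, exercise names and suitability scores are constructed assumptions.

```python
# Constructed, hypothetical suitability scores (0-10) per employee group.
EMPLOYEES = ["accounting", "workshop", "sales", "management"]
EXERCISES = ["phishing_mail", "on_site_visitor", "found_usb_stick", "phone_pretext"]
SUITABILITY = [[9, 2, 5, 8], [3, 8, 7, 2],
               [8, 4, 3, 9], [7, 3, 2, 6]]

def kuhn_munkres_min(cost):
    """Minimum-cost assignment, n rows <= m columns; returns column per row."""
    n, m, inf = len(cost), len(cost[0]), float("inf")
    u, v = [0] * (n + 1), [0] * (m + 1)    # row and column potentials
    p, way = [0] * (m + 1), [0] * (m + 1)  # p[j]: row matched to column j
    for i in range(1, n + 1):
        p[0], j0 = i, 0
        minv, used = [inf] * (m + 1), [False] * (m + 1)
        while True:                        # search an augmenting path
            used[j0] = True
            i0, delta, j1 = p[j0], inf, 0
            for j in range(1, m + 1):
                if not used[j]:
                    cur = cost[i0 - 1][j - 1] - u[i0] - v[j]
                    if cur < minv[j]:
                        minv[j], way[j] = cur, j0
                    if minv[j] < delta:
                        delta, j1 = minv[j], j
            for j in range(m + 1):         # shift potentials by delta
                if used[j]:
                    u[p[j]] += delta
                    v[j] -= delta
                else:
                    minv[j] -= delta
            j0 = j1
            if p[j0] == 0:
                break
        while j0:                          # re-match along the path
            j1 = way[j0]
            p[j0] = p[j1]
            j0 = j1
    match = {p[j] - 1: j - 1 for j in range(1, m + 1) if p[j]}
    return [match[i] for i in range(n)]

def best_plan(suitability):
    """Maximise total suitability by minimising (top score - score)."""
    top = max(max(row) for row in suitability)
    cols = kuhn_munkres_min([[top - s for s in row] for row in suitability])
    return cols, sum(suitability[i][c] for i, c in enumerate(cols))

def named_plan():
    cols, total = best_plan(SUITABILITY)
    return dict(zip(EMPLOYEES, (EXERCISES[c] for c in cols))), total
```

Picking the highest score row by row would reach a total of 28 here, whereas the optimal matching reaches 29 by giving the first group its third-best exercise.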

A discrete project like ALARM Information Security cannot disregard scientific approaches like the theory of knowledge spaces pioneered by Doignon and Falmagne (1999). This theory found broad interest (see, for example, Spoto et al., 2010). Therein a relationship to partial order theory is established, i.e. Formal Concept Analysis in line with Ganter and Wille (1996). Nevertheless, it is clear that a broad database will not be available in the project for the first few years. Therefore, a compromise must be found between sophisticated theories (which usually rely on large amounts of data) and practicability for SMEs.

5 Outlook

The partial order methodology shown in this paper using the Global cybersecurity index will be transferred to security problems in SMEs in order to support the effectiveness of awareness-raising measures and to improve the security behaviour of company employees. One of the first steps is to perform a “zoom”: shifting from the national scale—shown in this paper—down to the level of single companies and individuals.

Different approaches to raising awareness are innovatively combined in the ALARM Information Security project. Moreover, the project is a “practice laboratory” and offers space for personal experimentation. This is coupled with the facilitation of employee risk assessments and security analyses in SMEs, enabling companies to make competent, independent decisions on IT security. At the end of the project, the materials that have been developed will be made available free of charge to all companies as downloads or online resources, so that an improvement in Germany's level of information security can be achieved nationwide.