Cyber resilience strategy 2015-2020: progress report

Annex B

Measuring impact

Metrics from a number of sources show that progress to varying degrees has been made in Scotland. 

The analysis of the progress of the Strategy comes with a number of limitations:

• in the absence of a control group, any observed changes in the strategic outcomes cannot be conclusively attributed to the Strategy's and Action Plans' interventions
• the strategic outcomes are not as robust as we would want them to be, as limited measurement indicators were available initially
• some of the outcome measures were identified retrospectively and may only provide
  a partial picture of the Strategy's progress
• there are some gaps in consistent data collection, especially when it comes to allowing comparisons with 2015

For these reasons, and recognising that this was the first Cyber Resilience Strategy for Scotland, we decided to focus on measuring the success of the strategic outcomes alongside identifying metrics which could evidence the progress of the associated action plans.

We will continue to work with partners to improve our evidence base for the next Strategy. As we set out in Section 4.1: Lessons learned and continuing challenges, we will develop our future strategic direction using more established measurement indicators to support more defined outcomes. This approach will enable us to monitor progress effectively towards the achievement of our vision.