P. 1
Incentives and Challenges for Information Sharing in the Context of Network and Information Security

Incentives and Challenges for Information Sharing in the Context of Network and Information Security

Ratings: (0)|Views: 21|Likes:
Published by InterSecuTech
Report by ENISA
Report by ENISA

More info:

Published by: InterSecuTech on Sep 13, 2010
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Resilient e-Communications Networks 
Incentives and Challenges forInformation Sharing in the Context of Network and Information Security
The European Network and Information Security Agency (ENISA) is an EU agency createdto advance the functioning of the internal market. ENISA is a centre of expertise for theEuropean Member States and European institutions in network and information security,giving advice and recommendations and acting as a switchboard of information for goodpractices. Moreover, the agency facilitates contacts between the European institutions, theMember States and private business and industry actors.
This report was prepared by Neil Robinson and Emma Disley from RAND Europe on behalf 
of ENISA. This study is part of ENISA‘s Resilience and CIIP Programme. The report sets
out findings from a research project into the incentives and barriers to information sharingin the field of Critical Information Infrastructure Protection (CIIP). The aim of this researchis to identify those barriers to and incentives for sharing information which are, in day-to-day practice, the most significant facilitators and inhibitors. Through starting to prioritisebarriers and incentives this project aims to indicate where policy-makers and otherstakeholders might act to facilitate greater information sharing in peer-to-peer groups,such as Information Exchanges (IE) and Information Sharing Analysis Centres (ISACs).ENISA would also like to thank the staff at RAND Europe for their professionalism anddedication that resulted in this report.
Contact details:
For contacting ENISA or for general enquiries on ENISA‘s Resilience and
CIIP Programme,please use the following details:Dr. Evangelos Ouzounis, Programme Manager, Resilience and CIIP Programme,Technical Competence Department, ENISA.Email:resilience@enisa.europa.euWeb:http://www.enisa.europa.eu/resilience
Legal notice
Notice must be taken that this publication represents the views and interpretations of the authors and editors,unless stated otherwise. This publication should not be construed to be an action of ENISA or the ENISA bodiesunless adopted pursuant to the ENISA Regulation (EC) No 460/2004. This publication does not necessarilyrepresent state-of the-art and it might be updated from time to time.Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sourcesincluding external websites referenced in this publication.This publication is intended for educational and information purposes only. Neither ENISA nor any person actingon its behalf is responsible for the use that might be made of the information contained in this publication.Reproduction is authorised provided the source is acknowledged. © European Network and Information Security Agency (ENISA), 2010
Executive Summary
The importance of information sharing to ensuring network and information security iswidely acknowledged by both policy-makers and by the technical and practitionercommunity
for example, in the European Programme on Critical Infrastructure Protection(EPCIP) and in the 2004 Availability and Robustness of Electronic CommunicationsInfrastructures (ARECI) study, which noted that formal means for sharing information
should be set up in order to ―improve the protection a
nd rapid restoration of infrastructure
critical to the reliability of communications within and throughout Europe‖. A 2009 gap
analysis conducted by ENISA of good practice in respect of telecommunication networkoperators identified information sharing as a set of useful best practice.Given the acknowledged importance of information sharing, this report sets out findingsfrom a research project into the barriers to and incentives for information sharing in thefield of network and information security, in the context of peer-to-peer groups such asInformation Exchanges (IE) and Information Sharing Analysis Centres (ISACs).
Methods and approach
The information in this report is drawn from three sources:
A review of available literature
both academic and non-academic publications,
Interviews with key informants working in the field of network and informationsecurity and in IEs,
A two-round Delphi exercise with network and information security professionals.The aim of this project is to identify those barriers and incentives which are mostimportant in day-to-day practice in IEs and ISACs. This research differs from other work inthis field in being firmly grounded in the experiences of practitioners and those involved inIE and Information Sharing activities. Nonetheless we only managed to speak to a limitednumber of experts from a handful of countries. Therefore, the findings of this research area first step to developing an evidence base in this field, but we do not claim they aregeneralisable to all kinds of IEs.
Incentives and challenges for information sharing
Our findings indicate that many of the barriers and incentives commonly identified in theavailable literature are of relatively low importance to practitioners and security officialscurrently working in IEs. As part of this research we asked practitioners to rank a list of barriers and incentives in terms of their relative importance.Our findings indicate that the incentives which are most important are:
Economic incentives stemming from cost savings;
Incentives stemming from the quality, value, and use of information shared.While the barriers which are the most important are:
Poor quality information;
Misaligned economic incentives stemming from reputational risks;
Poor management.

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->