
Final Report

Executive Summary


Study on Risk preparedness in Business in the field of Network and Information Security





Preface

This report has been produced as a result of the
study on Risk preparedness in Business in the field
of Network and Information Security that was
conducted by Unisys Belgium in collaboration with
RAND Europe.

UNISYS is a worldwide information technology
services and solutions company.

RAND Europe is an independent think tank with
offices in Leiden, Cambridge and Berlin. RAND
provided expert consultancy services in the area of
IT security for the execution of this study and was
involved in designing the study framework,
formulating the survey questionnaire as well as
analysing the results of the survey.


For more information about Unisys or this
document, please contact:

Unisys Belgium
Av. du Bourget / Bourgetlaan 20
1130 Brussels
Tel: +32 (0)2 7280711
Email: risk-preparedness@unisys.com


Brussels, June 2006
Disclaimer
This report is copyrighted European Community. Unisys Belgium is responsible for the content of this report. The
report does not necessarily reflect the view of the European Commission, nor does the Commission accept
responsibility for the accuracy or completeness of information contained herein. Readers of this report will use it under
their own responsibility. Neither the Commission, nor the authors may be liable for direct or indirect damages related
to the use of this report.


Study on Risk preparedness in
Business in the field of Network and
Information Security

Final Report - Executive Summary
Project team:

UNISYS

Patrice-Emmanuel Schmitz Senior Consultant and Project Director

Kamini Aisola Consultant and Survey Administrator
Marc Flammang Consultant
Michel Hoffmann Senior Security Expert
Jean-Michel Lamby Senior Security Expert

RAND EUROPE

Maarten Botterman Senior Security Expert
Neil Robinson Security Consultant
Lorenzo Valeri Senior Security Expert


Final Report 4/20
Executive Summary European Commission - DG Information Society and Media
Risk preparedness in Business in the field of Network and Information Security
Table of Contents

1. Executive Summary ..................................................... 5
1.1 The Context of Security ............................................. 5
1.2 An area for European initiatives .................................... 8
1.3 European questionnaires ............................................. 9
1.4 Expert Consultation (Quantitative Analysis) ........................ 11
1.5 Expert Consultation (Qualitative Analysis) ......................... 15
1.6 Roadmap ............................................................ 16





1. Executive Summary



1.1 The Context of Security

The importance of security of information systems and networks is
growing strongly, as most economic activities, a large part of
government services and many social activities today rely on
information and communication technology (ICT) and on the Internet
in particular. Trust and security are among the key challenges to
promoting ICT and economic growth. ICT has played a pivotal role in
economic growth and productivity.
ICT and e-business continue to spread: access by enterprises and
individuals increased steadily between 2001 and 2004, when real
business use was still comparably low, and in 2005 the first solid
and even exponential growth in e-business was experienced.
Considering today's growing dependency on open networks and
information systems, weaknesses and vulnerabilities in these
networks and IT systems pose serious threats to the good
functioning of a stable economy and information society. The
magnitude of these threats is growing along with the number of
network users and the value of their transactions, which is growing
exponentially.


Network and information security as a new Commons

A British expert [1] has compared modern ICT networks to the
"commons", tracts of community-owned land in England. The
boundaries of this land were known, and security was based on
mutual trust. Other types of commons included the high seas,
which had been considered a commons to support international
trade routes and fishing. To protect it, governments had developed
International Conventions on the Law of the Sea. Air space was
another commons, which had become increasingly regulated to
facilitate air travel. The Internet could be seen as the new
commons and, like the English Commons, the High Seas and
international airspace, no one owned the Internet. However, like the
commons before it, the Internet had attracted abusers: the most
advanced e-business actors are facing the challenge of managing
increasing numbers of reported Internet security incidents. Cyber-
crime and cyber-terrorism were very real threats, and there was a
clear emerging need for rules of behaviour in this new commons.


[1] Keith Besgrove, Vice-Chair of the Working Party on Information Security and Privacy (WPISP), at the APEC-OECD workshop on security of information systems and networks (Seoul, Korea, 5-6 September 2005)





The 2005 uptake of e-business could be going down because of
fear of security risks. This perception of market failure is seen as a
consequence of laissez-faire public policy, absence of regulation
of the ICT industry and low demand for security features from ICT
purchasers. While widely used microprocessor technology had
been designed with basic security in mind, these basic features
were not used in commodity operating systems or middleware
products. Instead, simplistic structures had been invoked,
associated with high security risks. As a result, the personal
computer and the server systems based around it, were not
suitable for safe and secure business transactions or e-government
usage without substantial security enhancements, including add-in
hardware components.

Potential measures must not be directed only at end-users but also
at manufacturers, service providers, vendors and some security
specialists, since it is a shared liability. Security instructions often
were just too demanding and complicated for users, especially
those without a technical background, to be able or expected to
follow them. There are a number of further challenges for the
development of security of information systems and networks in
the areas of research and development, as well as in education,
training and certification of IT security professionals. Security in
mobile devices and, more generally, security of embedded devices
(including household items, once these are connected to networks)
would develop into an important further issue. International security
standards are also needed in this field, and hardening existing
operating systems is another important step to take.



A world wide and regional issue

Information security may be the greatest challenge to be faced
before the real potential of the information society in the 21st
century can be realised. Unless the Internet is safe, economic
prosperity, quality of life, safety and security cannot be
guaranteed. E-business demand has been held back by a lack of
security and trust. Therefore, fostering trust and security is among
the six world wide OECD priorities for international co-operation in
ICT areas.
It is important to assess risk awareness and the current level of
prevention measures implemented in enterprises in order to define
the competent bodies' policy in this area and guide further action.

Security and trust had been a constant strategic priority on the
world agenda since the OECD Turku Conference in 1997. After the
9/11 events, the OECD adopted the "2002 Guidelines for the
Security of Information Systems and Networks: Towards a Culture
of Security". The Security Guidelines had had an impact at the
regional (e.g. European Union) and global levels, as well as at the
national level in many countries.






European high level picture

The reliance on and use of information and communications
technology (ICT) is now a fact of life for business, government and
the citizen across the 25 Member States of the European Union.
ICTs have become an indispensable tool for businesses in the
delivery of products and services via new channels, efficiency gains
via the streamlining of back-office processes and increased
competitiveness via more effective management of customer and
client relationships.

42% of European households and 89% of European companies were
connected to the Internet in 2004. However, as this reliance upon
ICT infrastructures grows, so do the levels of risk. Nowhere is this
more apparent than with users and small businesses, which are
very often the first to take advantage of exciting new technological
developments, but are often the most vulnerable. Already in 2002,
the Eurobarometer survey indicated that on average 44% of
European citizens had encountered security problems. Reports
highlighted that 70 to 80% of the respondents were concerned
about the lack of security and privacy while interacting online.



Risk Preparedness

Threats had been arising from both the outside (hackers), the inside
(employees) and partners as organisations have opened their IT
infrastructures to a wide group of remote Internet users.
Vulnerabilities have grown with the complexity and virtuality of
infrastructures and assets.

Facing these threats and vulnerabilities, Risk Preparedness is an
indication of how well organisations are able to deal with
unexpected damages arising from their reliance on complex,
interconnected ICT infrastructures. It involves the periodical analysis
of the security requirements (which business processes are critical
for enterprise continuity), risk assessment (identifying and
analysing the risks of each process) and risk treatment (in particular
reduction measures to prevent, detect and react to damages).


Although many aspects related to information risks have been
explored (risk assessment, prevention, detection, reaction), there is
limited understanding of the levels of risk preparedness among
European private organisations, in particular small and medium
enterprises.








1.2 An area for European initiatives

Actions at European level must be considered as a contribution to
world wide international co-operation that is essential for realising a
truly global culture of security for information systems and
networks, as the systems and networks to be secured were global
by nature.

Priorities
To meet this challenge, the European Commission has given high
priority to the strengthening of information and network security in
the eEurope 2002 and the new eEurope 2005 Action Plans. In
January 2002, the European Union (EU) Council of Ministers
adopted a Resolution on a common approach and specific actions
in the area of network and information security, which defines a
common European strategy and identifies a number of targets
associated with clear deadlines. In January 2003 a further step in
this strategy was taken through the Council Resolution on a
European approach towards a culture of network and information
security. Information security knows no boundaries; it crosses
borders and has effects on all user groups. This is why the
European Union Council asked the Commission to present a
proposal to set up a Cyber Security Task Force that should build
on national efforts both to enhance network and information
security and to enhance Member States' ability, individually and
collectively, to respond to major network and information security
problems. In February 2003 the European Commission adopted a
proposal for a regulation establishing a European Network and
Information Security Agency (ENISA). Established in Greece
(Heraklion) since summer 2005, this agency intends to help
increase information exchange and co-operation between
different stakeholders in Europe, in order to ensure a high and
effective level of network and information security within the
Community and to develop a culture of network and
information security.

The gathering of best practices and assessments of the level of
preparedness of the SME sector to meet ICT risks was highlighted
as an action in the MODINIS 2004 plan, which outlined areas of
study to fulfil the security requirements of the eEurope 2005 and
2010 Strategies. Additionally, the need to address the Risk
Preparedness gap has also been identified in the 2005 work
programme of ENISA. This work plan states that as part of Task
2.2, the collection of existing practices, particularly in the SME
sector, should be accomplished as a precursor to the sharing of
best practice. [2]


The thorough implementation of this strategy as set out in the
Council Resolutions by EU Member States and the Commission
will, together with the establishment and work of ENISA play a
determinant role in increasing the level of network and information
security in Europe.

[2] Ref MB/2005/02, ENISA Work Programme 2005 "Information Sharing is Protecting", Brussels, 25th February 2005, Task 2.2





Pan-European Study on Risk Preparedness of
Enterprises in the field of Network and Information
Security

This study was contracted by the European Commission
Directorate General Information Society, in order to provide
information on the level of risk preparedness of enterprises across
the 25 EU Member States.

The objectives of the study were threefold:
- To provide information on the level of awareness of the risks of
failure in ICT networks.
- To provide indications on the motivations to conduct risk
assessment.
- To provide insight into the attitudes towards network and
information security in businesses throughout the European
Union, allowing the Commission to prepare a holistic approach
to the question.

In order to achieve these objectives the activities listed hereunder
were completed:
1. Risk Awareness and framework definition: defining the study
framework, research issues and focus for the data gathering;
development of a risk awareness folder (to be distributed on a
CD)
2. Survey of methods/models: elaboration of a list of methods;
data gathering about the state of risk preparedness using the
enterprise survey and the expert consultation
3. Holistic Recommendations: drafted following the analysis of
the results of the survey
4. Workshop: carried out in March 2006 for the validation and
verification of our recommendations



1.3 European questionnaires

The Risk Preparedness study has attempted to examine the usage
of common standards for risk management in information and
communication security. Organisations adopt a wide variety of
measures for being prepared for dealing with these sorts of risks:
senior management involvement, education programmes, adoption
of standards etc.

The study has seen risk preparedness as a combination of
undertaking risk management, including awareness and business
continuity measures, to ensure the organisation is able to effectively
deal with risks should they be realised and evolve into incidents.

To assess risk preparedness, UNISYS (in collaboration with RAND
Europe) developed a comprehensive enterprise survey for
dissemination amongst the industrial sector in Europe in early
2005. This 80-question questionnaire (attached in appendix to the
study) was distributed online, on paper via post and during a
number of information security events, to thousands of potential
respondents. The questionnaire was translated into five of the most
used European languages: English, French, German, Spanish and
Italian.

The questionnaire was perceived by specialists as a very useful
assessment tool (even as a self-assessment tool, if used by
enterprises) and it is therefore an important asset of the study.
However, most attendees at the organised workshops were security
specialists (independent consultants or security managers, mostly
in large enterprises). The set of completed responses to the
enterprise questionnaire produced valuable information,
although still partial and incomplete: the initial target of 2000
answers was not reached, and some Member States were over-
represented (or not represented at all). The percentage of SMEs
(90% of European companies) was not representative, and the
statistical value of the collected information was therefore
questionable. [3]


This initial set was therefore complemented with extended
interviews with 54 European IT security experts from all 25
European countries (hereafter the Expert Consultation). By bringing
their long experience of the real situation in their country, these
experts represented the European diversity better than the
returned questionnaires could have done, and finally produced a
more trustworthy image of reality, helping us to formulate
adequate recommendations.

The expert interviews were conducted using a second survey tool
(the expert questionnaire, also available as an annex), which
involved two separate sections:
- a series of quantitative questions covering the perception of IT
security, management, processes, planning and understanding
of the legal and regulatory framework
- a set of open-ended questions tailored to allow experts to
provide suggestions for public policy initiatives to be
undertaken by European institutions and national governments.

The survey of experts was successfully completed by the end of
January 2006. In addition, and to limit the impact of country bias,
the findings of other previous independent surveys (mainly done at
national level, in Belgium by the federation of enterprises, in France
by the security club CLUSIF, in UK by the ISBS and in the
Netherlands) were considered, allowing the team to finally develop
a pan-European picture.

The overall picture originating from these expert interviews
concludes that awareness of ICT risks amongst the European
business community is still poor, even if organisations have started
to implement technical and procedural measures. Therefore, a
window of opportunity still exists for policy initiatives by both
European and national bodies to address these shortcomings. In
this context, particular attention needs to be directed towards
fostering awareness among small and medium enterprises.

[3] Even if achieved, the target of 2000 answers (50 per country) would not provide a very trustworthy statistical basis, due to the variety of business sectors and enterprise sizes in each country.


1.4 Expert Consultation (Quantitative Analysis)

Global awareness of IT Security importance

Regarding large companies, 76% considered IT security a critical
element for economic and operational success.
This compares unfavourably with responses concerning the
situation within SMEs, where less than 50% share the same general
perception.

Translating awareness into measures: 10% of SMEs
Even when enterprises perceive the pivotal business role of
information security, this does not translate into the establishment
of appropriate technical and management processes.
Here again the majority (67%) of the experts estimate that only
around half of the large organisations in their country have
established appropriate security measures.
Regarding SMEs, comprehensive IT security technical and
organisational measures are only in place in 10% of the cases.


Real risk perception: 10% of SMEs
Similarly, even when there is a global perception of the need for
information security, enterprises are not aware of the overarching
breadth of IT risks to be faced. The majority of experts (82%)
considered that only half of large organisations within their country
were aware of IT security risks.
Regarding SMEs, the percentage falls again to 10%!


Preparedness in case of risk

Still, even if organisations are aware of the risks, this does not
lead to appropriate information security measures. The panel
concluded that only half of the large organisations within their
country were well prepared to face IT risks. On the contrary, only
10% of SMEs are perceived by experts as fully or at least quite
seriously prepared.





[Figure: Percentage of organisations seen as well prepared, by size of organisation (Large / SME). Response scale: No organisations; True for a small number of companies (<1%); 10% of the organisations; 50% of the organisations; 100% of the organisations.]




Unequal involvement of senior management

Too often, security measures, if any, are due to the leadership of
enthusiastic individuals, especially in SMEs, where the panel
estimates that senior management is involved in little more than
50% of the cases, whereas it is more generally involved in large
enterprises (80%).

In particular, information security is not taken as seriously as
physical security: Most experts (76%) believed that amongst large
companies, at least half took information security as seriously as
physical security. Nevertheless, as probably expected, half of the
experts thought that less than 10% of their country's SMEs
approached information security as seriously as the physical one.

Security arrangements are never ending tasks. They need to be
regularly revised and improved. Here also, the support and
commitment of senior management is a key indicator. Enquiry
results are largely similar in regard to active interest in information
security issues by senior management of both large companies and
SMEs: 50% of the panel considered that strong senior management
interest in reviewing information security arrangements existed in
merely 10% of companies in their country. Just over a third thought
that the desire to review measures existed in a very small number
of SMEs (less than 1%). Across all organisations only 2% of
experts believed that senior management had an active interest in
daily improvement of information security.

This was largely confirmed by the question concerning the
frequency of security reviews: reviews are carried out regularly
(once a quarter) in a very small percentage of cases (3%). Just
under a third of the interviewed experts acknowledged a yearly
review, and two thirds of them considered that a review of the
measures would only take place after an incident!





When it occurs, IT auditing (which plays an important role in the
technical and management implementation of information security)
is rarely undertaken at management initiative (10% of the cases). It
occurs, in order of frequency:
- on a bottom-up initiative of the IT department
- due to legal obligations
- because of contractual obligations



What are those Risks?
Inappropriate web-browsing (or e-mail checking) and incidents due
to malicious software or malware (viruses, worms etc.) are
perceived as the main ICT risks.
These two major risks are followed, in order, by system failure,
unauthorised access by employees and hardware theft.




[Figure: Occurrence of risks in each country (y-axis: Likelihood of occurrence)]



Is there a motivation for Risk Assessment?

The main motivation for undertaking risk assessment comes from
legal requirements (e.g. data protection laws), followed,
unfortunately, by the fact that an information security incident has
already occurred and it is therefore not desirable that it occur again.
This means that businesses are not anticipating risks and that IT
security investments are based on mandatory legal obligations or
on the impact of the last disaster.

[Figure: Likelihood of occurrence per risk category. Categories: Denial of Service; Unauthorised access by staff; Misuse of email and/or web browsing; Malware; System failures; Theft/disclosure of confidential information; Theft of computer hardware. Likelihood scale: 0% chance of occurring; <1%; 10%; 50%; 100%.]








Risk Assessment methodologies
When applied, Risk assessment methodologies are, by order:
1) ISO 17799 [4]

2) CRAMM
3) EBIOS
4) Other Methods

In Other methods, the French MEHARI and the German BSI IT-
BPM are to be mentioned, although perceived as owned by
national governments.


Technology and processes
By order, the top-two implemented technologies are:
- Antivirus (92%)
- Firewall (62%)
Virtual private networks and offline backups are already much less
frequent in Europe (around 10% of enterprises).
The use of all other tools appears really limited (less than 5%
concerning intrusion detection, content filtering, encryption,
certificates, biometrics, two-factor authentication and penetration
testing).


Business Continuity Planning
Business Continuity Planning (BCP), considered an essential part
of being prepared to deal with ICT risks, is rarely coordinated by
senior management. When a BCP exists (which happens in about
25% of the cases), it belongs to some line manager according to
67% of our panel.
In addition, only half of the enterprises that have a BCP test it regularly.



[4] The results of the survey show that a majority of companies tend to consider ISO 17799 as an RA methodology, which is not the case: ISO 17799 provides a framework which many companies try to comply with.




Legislative Awareness

Considering the awareness of legal frameworks related to
information security within the business community in their
respective countries, several domains were investigated:
- Regulations on computer crime
- Regulations on electronic commerce
- Regulations on consumer protection
- Regulations on data protection (privacy)
There was an almost even split regarding legal awareness
concerning these matters (about 50% ignorance in all cases),
which is surprising, in particular in relation to data protection, given
the time since the European directive was transposed into
national legislation.
This lack of awareness demonstrates the need for better and more
regular information, especially concerning specific domains such as
the preservation of digital evidence.



1.5 Expert Consultation (Qualitative Analysis)

European security experts are generally aware of their national
governments' initiatives in the information security arena. While
awareness was widespread, a number of respondents observed
that these policies lack consistency or strength. They felt that
awareness activities targeted towards SMEs were inadequate and
called for more vigorous awareness campaigns for citizens and
SMEs, insisting on the role of four main channels:
- The general public media: TV, radio, newspapers (not just
specialised media outlets).
- Education channels (schools, universities).
- The contribution of the private sector, which is not leveraged
enough, as it could be through public-private partnerships or
through the development and establishment of common
standards and best practice for each business sector.
- NGOs such as consumer associations.

However, European security experts have only limited awareness of
the activities of the European Union in the area of information
security. Only a few of them made reference to the tangible effect of
these activities in their own Member State.
They identified several priorities for ENISA:
- Promoting awareness of information security policies and
regulations
- Implementing an information sharing platform across Europe
- Developing and promoting best practice and standards for
information security in the public and private sectors
- Prizing or awarding educational tools or campaigns, focused in
particular on SMEs
- Supporting selected R&D activities





As main areas that would benefit from increased R&D funding,
European experts mentioned:
- Risk analysis and management
- The issue of security vs. usability
- Security of personal data (and the related issue of citizens'
trust)
- Research into ways of fostering information security
amongst citizens and SMEs
- Critical information infrastructure protection


1.6 Roadmap

In the perspective of tracing the way for a better risk preparedness
policy, there could be several tracks, depending on the sponsoring
body.
The study recommendations are addressed primarily to the
European Commission and the recently established European
Network and Information Security Agency (ENISA).

The objective of an EU policy could be to guide the development of
consistent national policies to help address security threats and
vulnerabilities in a global interconnected society, while preserving
important societal values such as privacy and individual freedom.
Such policy or guidelines would be aimed at developing a Culture
of Security across society, so that security became an integral part
of the way individuals, businesses, and public administration used
ICT and conducted online activities. For enterprises in particular,
ICT security should become a real value, a positive asset.



European Commission


Awareness

In defining and communicating its vision of information security (as
part of its i2020 initiative), the European Commission's action has to
be targeted at enterprise management (media and publications read
by managers) and be both simple and repetitive. Perseverance is
one of the keys to success.

The comprehensive vision of information security should have a
specific section addressing the needs of small and medium
enterprises, which are significantly trailing behind other
organisations.

This vision should take a theoretical approach stating that
information security is not just a technological issue but also
involves human resources and management. It should lead to the
development of benchmarks so that organisations around Europe
can assess where they stand in implementing information security
technologies and management structures.

The communication methods should be more innovative: if cyber
attacks are thought of as the disease, protection measures
resemble the medicine. As with health, prevention should be
preferred in the cyber sector to cures after the event.
As is the case for road traffic (where campaigns have tangible
objectives to reduce the number of victims), European authorities
and Member States could initiate a cyber security awareness
week (or month), including radio / TV spots and cyber security
workshops for small businesses.



Research and Development

In supporting and funding research projects (e.g. FP7), the
Commission should define priorities for R&D. These should be
focused on identifying the future security challenges brought by
new IT services and applications such as RFID, Voice over IP,
mobile computing and WIMAX, as well as by larger and more
complex IT infrastructures.

Given the lack of in-house technical knowledge, R&D should pay
specific attention to the usability of information security solutions
for non-experts, especially in SMEs.

One such area is the development of automated tools for
undertaking risk assessments and security audits, making risk
assessment a simple task.

From an economic point of view, R&D should demonstrate the
return on investment of security solutions, and the benefit of better
insurance.

R&D should also be aimed at developing artefact analysis, i.e. the
study of Internet attack tools and malicious code, detailing the
roles of malicious code analysis in different contexts, such as
incident response and following attack technology trends, but also
law enforcement and forensics. Malicious code analysis, among
other things, could contribute to an accurate view of attack systems
and their evolving capabilities, and an accurate insight into the
assets targeted and the resources used by attackers.

Networks and information sharing between skilled experts should
be improved, with clear goals for R&D: e.g. how to reduce analysis
time, as well as the time between an attack and its possible legal
consequences. The focus of R&D needs to be expanded beyond
the attack vectors of the day to follow a long-term societal
approach, looking ahead 5-10 years. R&D investment should also
be focused on decreasing the value of the assets criminals could
access.





Software programmers and architects should be certified with
respect to secure coding and design.

R&D also has to focus on how to make security understandable, so
that users are able to determine and select the level of protection
they require. Security technology should become user-friendly and
not make unrealistic assumptions about a user's prior knowledge.

In order to make the benefits of security visible and enable users to
find the functionality they want, it is also important to prevent
security functions from having undesirable side effects: e.g. a
browser set to a high security level being unable to display
commonly used web sites, with no indication that this is caused by
the security settings chosen.


All of these activities need to be complemented by a set of research
initiatives in the areas of evaluation and certification of security
functionalities. As emphasised in the survey, SMEs may require
guidance in selecting appropriate information security solutions.
The establishment of a more flexible, independent security
evaluation scheme may be of significant assistance to SMEs, who
could refer to it when choosing between different IT security
solutions and providers.



Education, with focus on SMEs

Enterprises have little awareness of the overarching nature of the
cyber-crime problem, and also little awareness of the risks from
accidental threats (fire, flood). Such awareness should be
developed via a set of campaigns with simple and clear messages,
so that SMEs can understand the issues as well as the possible
solutions and responses.

Particular attention should be directed to fostering education about
cyber crime legislation, in particular in the area of digital evidence
preservation.
Media campaigns should be complemented by school and higher
education programmes, with the objective of educating future
employees about their role and responsibility.

Small enterprises are more exposed to security risks than others.
While many actions are undertaken to sensitise them to those risks,
few known initiatives help them implement tailored and easy-to-use
solutions. In addition to continuing to educate SMEs and
individuals and raise their awareness of security risks, it is essential
to help devise risk analysis methods and security solutions tailored
to their needs.

Many SMEs are still unaware that they are a possible target for
attacks, and are even convinced it could never happen to them
because their businesses are too insignificant. In parallel, there is
low awareness of the risk of asset loss, and even of the fact that
their information systems contain assets that are valuable for their
business.

Education must overcome the phenomenon of fatalism, of
demotivation or security fatigue, defined as desensitisation and
risk tolerance within a community or organisation leading to an
increased risk exposure. Drivers of such fatalism include
information overload (information that is too vague, not directly
understandable, or not targeted at the right person), warnings that
never materialise, over-shooting risk assessments, and information
in the public domain that is inconsistent with the day-to-day
experience of the community.

Campaigns could find inspiration in the health sector (persuading
smokers not to continue smoking), as well as in road traffic safety
(awareness of speed limits and of the consequences of violating
them, etc.). As security fatigue and doubt propagate through an
organisation's culture, it is key to ensure that new initiatives are
taken seriously. Cultural recognition of the importance of
information security is necessary to avoid security fatigue.



Innovative Dissemination Channels

Today, Open Source software has met with growing support from
the European Commission and from governments, with the aim of
freeing public and private sector users from the vendor lock-in
policies developed by the proprietary software industry.
The Commission will support an Open Source Repository (IDABC
programme) as a platform for collaborative software development
and a Web portal providing open source software and tools, based
on open standards, aimed especially at SMEs. A series of
incentives should be provided to mobilise a wide developer
community around the common issue of cyber security and to
provide affordable tools, free of licensing costs, through this model,
which has proven its efficiency in terms of both development
performance and security (through transparency and peer review).







European Network and Information Security Agency (ENISA)

The Agency could focus on the validation of national policies,
specifically with regard to the implementation of EU policy, by
monitoring the efficiency of these policies.

ENISA should complete its Risk Roadmap, aimed at illustrating how
the Risk Management and Risk Assessment objectives will be met,
including:
- A common security language
- Co-operation amongst the various European initiatives in the
  area of Risk Management
- A technologically neutral reference framework for Risk
  Preparedness, detailing requirements, key activities and
  actions
- An education programme for senior business leaders that
  seeks to promote security not just as an overhead but as
  something that can add real value to the business
- A relationship programme with representative organisations,
  such as Eurochambers, UNICE etc.

Whenever possible, these activities should be carried out using
local languages and according to local requirements.