The EU ‘cyber security’ Agency
ENISA, i.e. the European Network and Information Security Agency, launched a new
report on barriers to and incentives for cyber security information sharing. The
report shows e.g. that the economic incentives are much more important for
practitioners than what academic literature indicate.
The importance of information sharing for the Critical Information
Infrastructure Protection –CIIP-is widely acknowledged by policy-makers,
technical and practitioner communities alike. The Agency has researched
peer-to-peer groups, e.g. Information Exchanges (IEs) and Information Sharing
Analysis Centres (ISACs). The report
identifies the most important barriers and incentives in day-to-day practice
in IEs and ISACs for CIIP. This research differs from other reports by being
focused on the practitioners’ experiences. The material stems from three
sources, literature analysis, interviews, and a two-round ‘Delphi’ exercise with
security professionals. The report is launched in conjunction with the NIS Summer
School, taking place 13-17 September, in Crete.
Many of the barriers and incentives identified in literature are of low
importance to practitioners and security officials working in IEs. The ‘real’
list of incentives for practitioners is instead: economic incentives (i.e. cost
savings), incentives of quality, value, and use of information shared. Main
barriers to sharing information are poor quality information, poor management,
and/or reputational risks.
The Agency has produced 20 recommendations to different
target audiences, e.g.:
- Member States should establish a national information sharing
platform and co-operate with other Member States.
- Private sector should be more transparent in sharing information,
improve preparedness measures based on information exchanged
- Research and Academia should quantify the benefits and costs of
participating in platforms; undertaking case-study research into where attacks
might have been prevented, or their impact lessened.
- The EU Institutions and ENISA should establish a pan European
information sharing platform for Member States and private stakeholders. The EU
Commission’s European Public Private Partnership for Resilience (EP3R) is the
main policy initiative in this area.
The Executive Director of ENISA, Dr Udo Helmbrecht, comments:
“Information sharing is a corner stone to improve the protection of critical information infrastructure-CIIP, which is vital for Europe’s economy and communications within Europe”.
Background: For full report, including all recommendations