Here is a seemingly unbiased study the European Union made regarding cyber security in all its multifaceted glory...

Security Economics and The Internal Market

1 Executive Summary

Network and information security are of significant and growing economic importance.

The direct cost to Europe of protective measures and electronic fraud is measured in billions of euros; and growing public concerns about information security hinder the development of both markets and public services, giving rise to even greater indirect costs.

For example, while we were writing this report, the UK government confessed to the loss of child-benefit records affecting 25 million citizens.

Further revelations about losses of electronic medical information and of data on children have called into question plans for the development of e-health and other systems.

Information security is now a mainstream political issue, and can no longer be considered the sole purview of technologists.

Fortunately, information security economics has recently become a live research topic: as well as collecting data on what fails and how, security economists have discovered that systems often fail not for some technical reason, but because the incentives were wrong.

An appropriate regulatory framework is just as important for protecting economic and other activity online as it is offline.

This report sets out to draw, from both economic principles and empirical data, a set of recommendations about what information security issues should be handled at the Member State level and what issues may require harmonisation – or at least coordination.

In this executive summary, we draw together fifteen key policy proposals.

We held a consultative meeting in December 2007 which established that almost all of these proposals have wide stakeholder support.

We believe they will provide a sound basis for future action by ENISA and the European Commission.

Recommendations

1: There has long been a shortage of hard data about information security failures, as many of the available statistics are not only poor but are collected by parties such as security vendors or law enforcement agencies that have a vested interest in under- or over-reporting.

Crime statistics are problematic enough in the traditional world, but things are harder still online because of the novelty and the lack of transparency.

For example, citizens who are the victims of fraud often have difficulty finding out who is to blame because the incidents that compromised their personal data may have been covered up by the responsible data controllers.

These problems are now being tackled with some success in many US states with security-breach reporting laws, and Europe needs one too.

We recommend that the EU introduce a comprehensive security-breach notification law.

2: Our survey of the available statistics has led us to conclude that there are two particularly problematic ‘black holes’ where data are fragmentary or simply unavailable.

These are banks and ISPs. On the banking side, only the UK publishes detailed figures for elec-
