
  • 8/3/2019 Infso Risk Execsum

    1/20

    Final Report

    Executive Summary

    Study on Risk preparedness in Business in the field of Network and Information Security


    Preface

    This report has been produced as a result of the study on Risk preparedness in Business in the field of Network and Information Security that was conducted by Unisys Belgium in collaboration with RAND Europe.

    UNISYS is a worldwide information technology services and solutions company.

    RAND Europe is an independent think tank with offices in Leiden, Cambridge and Berlin. RAND provided expert consultancy services in the area of IT security for the execution of this study and was involved in designing the study framework, formulating the survey questionnaire as well as analysing the results of the survey.

    For more information about Unisys or this document, please contact:

    Unisys Belgium, Av. du Bourget / Bourgetlaan 20, 1130 Brussels. Tel: +32 (0)2 7280711. Email: [email protected]

    Brussels, June 2006

    Disclaimer

    This report is copyrighted by the European Community. Unisys Belgium is responsible for the content of this report. The report does not necessarily reflect the view of the European Commission, nor does the Commission accept responsibility for the accuracy or completeness of information contained herein. Readers of this report will use it under their own responsibility. Neither the Commission nor the authors may be liable for direct or indirect damages related to the use of this report.


    Study on Risk preparedness in Business in the field of Network and Information Security

    Final Report - Executive Summary

    Project team:

    UNISYS

    • Patrice-Emmanuel Schmitz, Senior Consultant and Project Director

    • Kamini Aisola, Consultant and Survey Administrator

    • Marc Flammang, Consultant

    • Michel Hoffmann, Senior Security Expert

    • Jean-Michel Lamby, Senior Security Expert

    RAND EUROPE

    • Maarten Botterman, Senior Security Expert

    • Neil Robinson, Security Consultant

    • Lorenzo Valeri, Senior Security Expert


    Final Report 4/20

    Executive Summary | European Commission - DG Information Society and Media | Risk preparedness in Business in the field of Network and Information Security



    1. Executive Summary

    1.1 The Context of Security

    The importance of security of information systems and networks is growing strongly, as most economic activities, a large part of government services and social activities today rely on information and communication technology (ICT) and on the Internet in particular. Trust and security are among the key challenges to promoting ICT and economic growth. ICT has played a pivotal role in economic growth and productivity. ICT and e-business continue to spread: access by enterprises and individuals increased steadily between 2001 and 2004, when real business use was still comparably low, and in 2005 the first solid and even exponential growth in e-business was experienced.

    Considering today's growing dependency on open networks and information systems, weaknesses and vulnerabilities in these networks and IT systems pose serious threats to the good functioning of a stable economy and information society. The magnitude of these threats is growing along with the number of network users and the value of their transactions, which is growing exponentially.

    Network and information security as a new Common

    A British expert[1] has compared modern ICT networks to the commons, tracts of community-owned land in England. The boundaries of this land were known, and security was based on mutual trust. Other types of commons included the high seas, which had been considered a commons to support international trade routes and fishing. To protect it, governments had developed International Conventions on the Law of the Sea. Air space was another commons, which had become increasingly regulated to facilitate air travel. The Internet could be seen as the new commons and, like the English Commons, the High Seas and international airspace, no one owned the Internet. However, like the commons before it, the Internet had attracted abusers: the most advanced e-business actors are facing the challenges of managing increasing numbers of reported Internet security incidents. Cyber-crime and cyber-terrorism were very real threats, and there was a clear emerging need for rules of behaviour in this new commons.

    [1] Keith Besgrove, Vice-Chair of the Working Party on Information Security and Privacy (WPISP) at the APEC-OECD workshop on security of information systems and networks (Seoul - Korea, 5-6 September 2005)


    The 2005 uptake of e-business could be going down because of fear of security risks. This perception of market failure is seen as a consequence of laissez-faire public policy, absence of regulation of the ICT industry and low demand for security features from ICT purchasers. While widely used microprocessor technology had been designed with basic security in mind, these basic features were not used in commodity operating systems or middleware products. Instead, simplistic structures had been invoked, associated with high security risks. As a result, the personal computer and the server systems based around it were not suitable for safe and secure business transactions or e-government usage without substantial security enhancements, including add-in hardware components.

    Potential measures must not be directed only at end-users but also at manufacturers, service providers, vendors and some security specialists, since it is a shared liability. Security instructions often were just too demanding and complicated for users, especially those without a technical background, to be able or expected to follow them. There are a number of further challenges for the development of security of information systems and networks posed in the areas of research and development, as well as in education, training and certification of IT security professionals. Security in mobile devices and, more generally, security of embedded devices (including household items, once these are connected to networks) would develop as an important further issue. International security standards are also needed in this field, and hardening existing operating systems is another important step to take.

    A worldwide and regional issue

    Information security may be the greatest challenge to be faced before the real potential of the information society in the 21st century can be realised. Unless the Internet is safe, economic prosperity, quality of life, safety and security cannot be guaranteed. E-business demand had been held back by a lack of security and trust. Therefore, fostering trust and security is among the six worldwide OECD priorities for international co-operation in ICT areas. It is important to assess risk awareness and the current level of prevention measures implemented in enterprises in order to define competent bodies' policy in this area and guide further action.

    Security and trust had been a constant strategic priority on the world agenda since the OECD Turku Conference in 1997. After the 9/11 events, the OECD adopted the "2002 Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security". The Security Guidelines had had an impact at the regional (e.g. European Union) and global levels, as well as at the national level in many countries.


    European high level picture

    The reliance on and use of information and communications technology (ICT) is now a fact of life for business, government and the citizen across the 25 Member States of the European Union. ICTs have become an indispensable tool for businesses in the delivery of products and services via new channels, efficiency gains via the streamlining of back-office processes and increased competitiveness via more effective management of customer and client relationships.

    42% of European households and 89% of European companies were connected to the Internet in 2004. However, as this reliance upon ICT infrastructures grows, so do the levels of risk. Nowhere is this more apparent than with users and small businesses, which are very often the first to take advantage of exciting new technological developments, but often are the most vulnerable. In 2002 already, the Eurobarometer survey indicated that on average 44% of European citizens had encountered security problems. Reports highlighted that 70 to 80% of the respondents were concerned about the lack of security and privacy while interacting online.

    Risk Preparedness

    Threats had been arising from both the outside (hackers), the inside (employees) and partners, as organisations have opened their IT infrastructures to a wide group of remote Internet users.

    Vulnerabilities have grown with the complexity and virtuality of infrastructures and assets.

    Facing these threats and vulnerabilities, Risk Preparedness is an indication of how organisations are able to deal with unexpected damages arising from their reliance on complex, interconnected ICT infrastructures. It involves the periodical analysis of the requirements for security (what business processes are critical for enterprise continuity), the risk assessment (identifying and analysing the risks of each process) and treatment (in particular reduction measures to prevent, detect and react to damages).

    Although many aspects related to information risks have been explored (risk assessment, prevention, detection, reaction), there is limited understanding of the levels of risk preparedness among European private organisations, in particular small and medium enterprises.


    1.2 An area for European initiatives

    Actions at European level must be considered as a contribution to worldwide international co-operation that is essential for realising a truly global culture of security for information systems and networks, as the systems and networks to be secured are global by nature.

    Priorities

    To meet this challenge, the European Commission has given high priority to the strengthening of information and network security in the eEurope 2002 and the new eEurope 2005 Action Plans. In January 2002, the European Union (EU) Council of Ministers adopted a Resolution on a common approach and specific actions in the area of network and information security which defines a common European strategy and identifies a number of targets associated with clear deadlines. In January 2003 a further step on this strategy was taken through the Council Resolution on a European approach towards a culture of network and information security. Information security knows no boundaries; it crosses borders and has effects for all user groups. This is why the European Union Council asked the Commission to present a proposal to set up a Cyber Security Task Force that should build on national efforts to both enhance network and information security and enhance Member States' ability, individually and collectively, to respond to major network and information security problems. In February 2003 the European Commission adopted a proposal for a regulation establishing a European Network and Information Security Agency (ENISA). Established in Greece (Heraklion) since the summer of 2005, this agency intends to help increase information exchange and co-operation between different stakeholders in Europe in order to ensure a high and effective level of network and information security within the Community and to develop a culture of network and information security.

    The gathering of best practices and assessments of the level of preparedness of the SME sector to meet ICT risks was highlighted as an action in the MODINIS 2004 plan, which outlined areas of study to fulfil the security requirements of the eEurope 2005 and 2010 Strategies. Additionally, the need to address the Risk Preparedness gap has also been identified in the 2005 work programme of ENISA. This work plan states that, as part of Task 2.2, the collection of existing practices, particularly in the SME sector, should be accomplished as a precursor to the sharing of best practice.[2]

    The thorough implementation of this strategy as set out in the Council Resolutions by EU Member States and the Commission will, together with the establishment and work of ENISA, play a determinant role in increasing the level of network and information security in Europe.

    [2] Ref MB/2005/02 ENISA Work Programme 2005 "Information Sharing is Protecting", Brussels, 25th February 2005, Task 2.2


    Pan-European Study on Risk Preparedness of Enterprises in the field of Network and Information Security

    This study was contracted by the European Commission Directorate General Information Society in order to provide information on the level of risk preparedness of enterprises across the 25 EU Member States.

    The objectives of the study were threefold:

    • To provide information on the level of awareness of the risks of failure in ICT networks.

    • To provide indications on the motivations to conduct risk assessment.

    • To provide insight into the attitudes towards network and information security in businesses throughout the European Union, allowing the Commission to prepare a holistic approach to the question.

    In order to achieve these objectives, the activities listed hereunder were completed:

    1. Risk Awareness and framework definition: defining the study framework, research issues and focus for the data gathering; development of a risk awareness folder (to be distributed on a CD).

    2. Survey of methods/models: elaboration of a list of methods; data gathering about the state of risk preparedness using the enterprise survey and the expert consultation.

    3. Holistic Recommendations: drafted following the analysis of the results of the survey.

    4. Workshop: carried out in March 2006 for the validation and verification of our recommendations.

    1.3 European questionnaires

    The Risk Preparedness study has attempted to examine the usage of common standards for risk management in information and communication security. Organisations adopt a wide variety of measures for being prepared for dealing with these sorts of risks: senior management involvement, education programmes, adoption of standards etc.

    The study has seen risk preparedness as a combination of undertaking risk management, including awareness and business continuity measures, to ensure the organisation is able to effectively deal with risks should they be realised and evolve into incidents.

    To assess risk preparedness, UNISYS (in collaboration with RAND Europe) developed a comprehensive enterprise survey for dissemination amongst the industrial sector in Europe, in early 2005. This 80-question questionnaire (attached in appendix to the study) was distributed online, on paper via post and during a number of information security events, to thousands of potential respondents. The questionnaire was translated into five of the most used European languages: English, French, German, Spanish and Italian.

    The questionnaire was perceived by specialists as a very useful assessment tool (even as a self-assessment tool, if used by enterprises) and it is therefore an important asset of the study. However, most attendees at the organised workshops were security specialists (independent consultants or security managers, mostly in large enterprises). The set of completed responses to the Enterprise questionnaires produced valuable information, although still partial and incomplete: the initial target of 2000 answers was not reached, and some Member States were over-represented (or not represented at all). The percentage of SMEs (90% of European companies) was not representative, and the statistical value of the collected information was therefore questionable.[3]

    This initial set was therefore complemented with extended interviews with 54 European IT security experts from all the 25 European countries (hereafter the Expert Consultation). By bringing their long experience of the real situation in their country, these experts represented the European diversity better than the returned questionnaires could have done and finally produced a more trustworthy image of the reality, helping us to formulate adequate recommendations.

    The expert interviews were conducted using a second survey tool (the expert questionnaire, also available as an annex), which involved two separate sections:

    • a series of quantitative questions covering the perception of IT security, management, processes, planning and understanding of the legal and regulatory framework;

    • a set of open-ended questions tailored to allow experts to provide suggestions for public policy initiatives to be undertaken by European institutions and national governments.

    The survey of experts was successfully completed by the end of January 2006. In addition, and to limit the impact of country bias, the findings of other previous independent surveys (mainly done at national level, in Belgium by the federation of enterprises, in France by the security club CLUSIF, in the UK by the ISBS and in the Netherlands) were considered, allowing the team to finally develop a pan-European picture.

    The overall picture originating from these expert interviews concludes that awareness of ICT risks amongst the European business community is still poor, even if organisations have started to implement technical and procedural measures. Therefore, a window of opportunity still exists for policy initiatives by both European and national bodies to address these shortcomings. In this context, particular attention needs to be directed towards fostering awareness among small and medium enterprises.

    [3] Even if achieved, the target of 2000 answers (50 per country) would not provide a very trustworthy statistical basis, due to the variety of business sectors and enterprise sizes in each country.

    1.4 Expert Consultation (Quantitative Analysis)

    Global awareness of IT Security importance

    Regarding large companies, 76% considered IT security as a critical element for economic and operational success. This compares unfavourably with responses concerning the situation within SMEs, where less than 50% have the same general perception.

    Translating awareness into measures: 10% of SMEs

    When enterprises perceive the pivotal business role of information security, this does not translate itself into the establishment of appropriate technical and management processes. Here again the majority (67%) of the experts estimate that only around half of the large organisations in their country have established appropriate security measures. Regarding SMEs, comprehensive IT security technical and organisational measures are only in place in 10% of the cases.

    Real risk perception: 10% of SMEs

    Similarly, even when there is a global perception of the need for information security, enterprises are not aware of the overarching breadth of IT risks to be faced. The majority of experts (82%) considered that only half of large organisations within their country were aware of IT security risks. Regarding SMEs, the percentage falls again to 10%!

    Preparedness in case of risk

    Still, even if organisations were aware of the risks, this does not lead to appropriate information security measures. The panel concluded that only half of the large organisations within their country were well prepared to face IT risks. On the contrary, only 10% of SMEs are perceived by experts as fully or at least quite seriously prepared.


    [Figure: bar chart of expert responses by size of organisation (Large vs. SME), y-axis 0% to 100%; response categories: 100% of the organisations, 50% of the organisations, 10% of the organisations, True for a small number of companies]


    When it occurs, IT auditing (which plays an important role in the technical and management implementation of information security) is rarely undertaken at management initiative (10% of the cases). It occurs, by order:

    • on a bottom-up initiative of the IT department

    • due to legal obligations

    • because of contractual obligations

    What are those Risks?

    Inappropriate web-browsing (or e-mail checking) and incidents due to malicious software or malware (viruses, worms etc.) are perceived as the main ICT risks. These two major risks are followed, by order, by system failure, unauthorised access by employees and hardware theft.

    [Figure: Occurrence of risks in each country (y-axis: likelihood of occurrence)]

    Is there a motivation for Risk Assessment?

    The main motivation for undertaking risk assessment comes from legal requirements (e.g. data protection laws), followed, unfortunately, by the fact that an information security incident has already occurred and it is therefore not desirable that it occur again. This means that businesses are not anticipating risks and that IT security investments are based on mandatory legal obligations or on the impact of the last disaster.

    [Figure: Occurrence of risks in each country, y-axis 0% to 100% likelihood of occurrence; risk categories plotted: Denial of Service, Unauthorised access by staff, Misuse of email and/or web browsing, Malware, System failures, Theft/disclosure of confidential information, Theft of computer hardware; legend entry: 0% chance of occurring]


    Risk Assessment methodologies

    When applied, Risk assessment methodologies are, by order:

    1) ISO 17799[4]

    2) CRAMM

    3) EBIOS

    4) Other Methods

    In Other methods, the French MEHARI and the German BSI IT-BPM are to be mentioned, although perceived as owned by national governments.

    Technology and processes

    By order, the top two implemented technologies are:

    - Antivirus (92%)

    - Firewall (62%)

    Virtual private networks and offline backups are already much less frequent in Europe (around 10% of enterprises). The use of all other tools appears really limited (less than 5% concerning intrusion detection, content filtering, encryption, certificates, biometrics, two-factor authentication and penetration testing).

    Business Continuity Planning

    Business Continuity Planning (BCP), which is considered an essential part of being prepared to deal with ICT risks, is rarely coordinated by senior management. When a BCP exists (which happens in about 25% of the cases), it belongs to some line manager according to 67% of our panel. In addition, only half of the enterprises that have a BCP regularly test it.

    [4] The results of the survey show that a majority of companies tend to consider ISO 17799 as an RA methodology, which is not the case: ISO 17799 provides a framework which many companies try to comply with.


    Legislative Awareness

    Considering the awareness of legal frameworks related to information security within the business community in their respective countries, several domains were investigated:

    • Regulations on computer crime

    • Regulations on electronic commerce

    • Regulations on consumer protection

    • Regulations on data protection (privacy)

    There was an almost even split regarding legal awareness concerning these matters (about 50% ignorance in all cases), which is surprising, in particular in relation to data protection, given the time since the European directive was transposed into national legislation. This lack of awareness demonstrates the need for better and more regular information, especially concerning specific domains such as the preservation of digital evidence.

    1.5 Expert Consultation (Qualitative Analysis)

    European security experts are generally aware of their national governments' initiatives in the information security arena. While awareness was widespread, a number of respondents observed that these policies lack consistency or strength. They felt that awareness activities targeted towards SMEs were inadequate and required more vigorous awareness campaigns for citizens and SMEs, insisting on the role of four main channels:

    • The general public media: TV, radio, newspapers (not just specialised media outlets).

    • Education channels (schools, universities).

    • The contribution of the private sector, which is not leveraged enough, as it could be through public-private partnerships or through the development and establishment of common standards and best practice for each business sector.

    • NGOs such as consumer associations.

    However, European security experts have too limited an awareness of the activities of the European Union in the areas of information security. Only a few of them made reference to the tangible effect of these activities in their own Member State. They identified several priorities for ENISA:

    • Promoting awareness of information security policies and regulations

    • Implement an information sharing platform across Europe

    • Develop and promote best practice and standards for information security in the public and private sectors

    • Prize or award educational tools or campaigns, focused in particular on SMEs

    • Support selected R&D activities


    As main areas that would benefit from increased R&D funding, European experts mentioned:

    • Risk analysis and management

    • The issue of security vs. usability

    • Security of personal data (and the related issue of citizens' trust)

    • Research into ways of fostering information security amongst citizens and SMEs

    • Critical information infrastructure protection

    1.6 Roadmap

    In the perspective of tracing the way for a better risk preparedness policy, there could be several tracks, depending on the sponsoring body. The study recommendations are addressed primarily to the European Commission and the recently established European Network and Information Security Agency (ENISA).

    The objective of an EU policy could be to guide the development of consistent national policies to help address security threats and vulnerabilities in a globally interconnected society, while preserving important societal values such as privacy and individual freedom. Such a policy or guidelines would be aimed at developing a Culture of Security across society, so that security becomes an integral part of the way individuals, businesses and public administration use ICT and conduct online activities. For enterprises in particular, ICT security should become a real value, a positive asset.

    European Commission

    Awareness

    In defining and communicating its vision of information security (as part of its i2020 initiative), the European Commission's action has to be targeted at enterprise management (media and publications read by managers) and to be both simple and repetitive. Perseverance is one of the keys to success.

    The comprehensive vision of information security should have a specific section addressing the needs of small and medium enterprises, which are significantly trailing behind other organisations.

    This vision should have a theoretical approach that states that information security is not just a technological issue but involves human resources and management. It should lead to the development of benchmarks so that organisations around Europe can assess where they stand in implementing information security technologies and management structures.

    The communication methods should be more innovative: thinking of cyber attacks as the disease, protection measures would resemble medicine. As with health, prevention should also in the cyber sector be preferred to cures after the event.

    As is the case for road traffic (where campaigns have tangible objectives to reduce the number of victims), European authorities and Member States could initiate a cyber security awareness week (or month), including radio / TV spots and cyber security workshops for small businesses.

    Research and Development

    In supporting and funding research projects (e.g. FP7), the Commission should define priorities for R&D. These should be focused on identifying future security challenges brought by new IT services and applications like RFID, Voice over IP, mobile computing and WiMAX, as well as large and more complex IT infrastructures.

    Due to the lack of in-house technical knowledge, R&D should pay specific attention to the usability of information security solutions for non-experts, especially in SMEs.

    One of these areas is the development of automated tools for undertaking risk assessment and security audits, making risk assessment a simple task.

    From an economic point of view, R&D should demonstrate the return on investment of security solutions, and the benefit of better insurance.

    R&D should be aimed at the development of artefact analysis, i.e. the study of Internet attack tools and malicious code, detailing the roles of malicious code analysis in different contexts, such as incident response and following attack technology trends, but also for law enforcement and forensics. Malicious code analysis, among other things, could contribute to an accurate view of attack systems and evolving capabilities, and an accurate insight into the assets targeted and the resources used by attackers.

    Networks and information sharing between skilled experts should be improved with regard to goals for R&D: e.g. how to reduce analysis time, as well as the time between an attack and possible legal consequences. The focus of R&D needs to be expanded beyond the attack vectors of the day, and instead follow a long-term social approach, looking ahead 5-10 years. R&D investment should also be focused on decreasing the value of assets criminals could access.


    Software programmers and architects should be certified with respect to secure coding and design.

    R&D also has to focus on how to make security understandable, so that users are able to determine and select the level of protection they require. Security technology should become user-friendly and not make unrealistic assumptions about a user's prior knowledge.

    In order to make the benefits of security visible and enable users to find the desired functionality, it is also important to avoid security functions having undesirable side effects, e.g. a browser set to a high security level being unable to display commonly used web sites, without any indication that this was caused by the security settings chosen.

    All of these activities need to be complemented by a set of research initiatives in the areas of evaluation and certification of security functionalities. As emphasised in the survey, SMEs may require guidance in selecting the appropriate information security solutions. The establishment of a more flexible independent security evaluation scheme may be of significant assistance to SMEs. They can refer to it when selecting between different IT security solutions and providers.

    Education, with focus on SMEs

    Enterprises have little awareness of the overarching nature of the issue of cyber-crime, and also little awareness of the risks from accidental threats (fire, flood). Such awareness should be developed via a set of campaigns with simple and clear messages so that SMEs can understand the issues as well as possible solutions and responses.

    Particular attention should be directed to fostering education about cyber crime legislation, in particular in the area of digital evidence preservation. Media campaigns should be complemented by schools and higher education programmes, with the objective of educating future employees about their role and responsibility.

    Small enterprises are more exposed to security risks than others. While many actions are undertaken to sensitise them to those risks, few known initiatives help them implement tailored and easy-to-use solutions. In addition to continuing to educate SMEs and individuals and raise their awareness of security risks, it is essential to help devise methods for risk analysis and security solutions tailored to their needs.

    Many SMEs are still unaware that they are a possible target for attacks, and are even convinced it could never happen to them because their businesses are too insignificant. In parallel, there is low awareness of the risk of asset loss, and even of the fact that their information system contains assets that are valuable for their business.

    Education must overcome the phenomenon of fatalism, of de-motivation or security fatigue, defined as desensitisation and risk tolerance within a community or organisation leading to an increased risk exposure. Drivers for such fatalism include information overload (when information is too vague, not directly understandable, not targeted to the right person), warnings without actualisation, over-shooting risk assessments, and information in the public domain inconsistent with the day-to-day experience of the community.

    Campaigns could find inspiration in the health sector (stopping smokers from continuing to smoke), as well as in traffic safety (awareness of speed limits and the consequences of exceeding them etc.). As security fatigue and doubt propagate through an organisation's culture, it is key to ensure that new initiatives are taken seriously. Cultural recognition of the importance of information security is necessary to avoid security fatigue.

    Innovative Dissemination Channels

    Today, Open Source software is meeting with growing support from the European Commission and from governments, with the aim of freeing public and private sector users from the vendor lock-in policies developed by the proprietary software industry. The Commission will support an Open Source Repository (IDABC programme) as a platform for collaborative software development and a Web portal providing open source software and tools, based on open standards, especially in the direction of SMEs. A series of incentives should be provided to mobilise a wide developer community around the common issue of cyber security and to provide affordable tools, free of licensing costs, through this model, which has proven its efficiency concerning both development performance and security (through transparency and peer review).


    European Network Information Security Agency (ENISA)

    The Agency could focus on the validation of policies, specifically in regard to the implementation of EU policy, by monitoring the efficiency of these policies.

    ENISA should complete its Risk Roadmap, aimed at illustrating how the Risk Management and Risk Assessment objectives will be met.

    - A common security language

    - Co-operation amongst the various European initiatives in the area of Risk Management

    - A technology-neutral reference framework for Risk Preparedness, detailing requirements, key activities and actions

    - An education programme for senior business leaders that seeks to promote security not just as an overhead but as something that could add real value to the business

    - A relationship programme with representative organisations, such as Eurochambers, UNICE etc.

    Whenever possible, these activities should be carried out using local languages and according to local requirements.