EU Agency Identifies Incentives & Challenges for Cyber Security Information Sharing in Europe

BRUSSELS and HERAKLION, Greece, September 10, 2010 - The EU 'cyber security' Agency ENISA, i.e. the European Network and
Information Security Agency, launched a new report on barriers to and
incentives for cyber security information sharing. The report shows e.g. that
the economic incentives are much more important for practitioners than what
academic literature indicate.

The importance of information sharing for the Critical Information
Infrastructure Protection -CIIP-is widely acknowledged by policy-makers,
technical and practitioner communities alike. The Agency has researched
peer-to-peer groups, e.g. Information Exchanges (IEs) and Information Sharing
Analysis Centres (ISACs). The report identifies the most important barriers
and incentives in day-to-day practice in IEs and ISACs for CIIP. This
research differs from other reports by being focused on the practitioners'
experiences. The material stems from three sources, literature analysis,
interviews, and a two-round 'Delphi' exercise with security professionals.

Many of the barriers and incentives identified in literature are of low
importance to practitioners and security officials working in IEs. The 'real'
list of incentives for practitioners is instead: economic incentives (i.e.
cost savings), incentives of quality, value, and use of information shared.
Main barriers to sharing information are poor quality information, poor
management, and/or reputational risks.

The Agency has produced 20 recommendations to different target
audiences, e.g.:

    - Member States should establish a national information sharing platform
      and co-operate with other Member States.

    - Private sector should be more transparent in sharing information,
      improve preparedness measures based on information exchanged

    - Research and Academia should quantify the benefits and costs of
      participating in platforms; undertaking case-study research into where
      attacks might have been prevented, or their impact lessened.

    - The EU Institutions and ENISA should establish a pan European
      information sharing platform for Member States and private stakeholders.
      The EU Commission's European Public Private Partnership for Resilience
      (EP3R)
      (ec.europa.eu/information_society/policy/nis/strategy/activities/
      ciip/impl_activities/ep3r_29_06_2010/index_en.htm) is the main policy
      initiative in this area.

The Executive Director of ENISA, Dr Udo Helmbrecht, comments:

"Information sharing is a corner stone to improve the
protection of critical information infrastructure-CIIP, which is vital for
Europe's economy and communications within Europe".

Background: For full report, including all recommendations

www.enisa.europa.eu/act/res/policies/good-practices-1/information-
sharing-exchange

(Due to the length of the above URLs, it may be necessary to copy and
paste these hyperlinks into your Internet browser's URL address field.
Remove the space if one exists.)

For interviews: Pls contact Dr. Evangelos Ouzounis, Senior Expert-Network Security Policies: resilience-policies at enisa.europa.eu or Ulf Bergstrom, Spokesman, ENISA, press at enisa.europa.eu, Mobile: +30-6948-460143