The Agency Insider with Linda McGlasson

EU Report Underscores Need for Cooperation

Economic Incentives are No. 1 Way to Promote Information Sharing
EU Report Underscores Need for Cooperation

The recent report on cybersecurity information sharing from the European Network and Information Security Agency showcases barriers and incentives. Namely, the report points out that money and economic incentives are much more important for information security pros than what the academics say.

Two weeks ago, the arrests of cyber criminals around Europe and a day later in the U.S., cracking a gang using Zeus malware to loot U.S. bank accounts, show the intricate sharing of information across borders in tracking down criminals. The same cross-border information sharing among industries in Europe is also needed.

The importance of information sharing for the Critical Information Infrastructure Protection isn't at issue, as it is widely acknowledged by policy-makers, technical and practitioner communities. What ENISA did was research peer-to-peer groups such as Information Exchanges and Information Sharing Analysis Centers. Here in the U.S. our industry's ISAC is the Financial Services Information Sharing and Analysis Center.

The report identifies the most important barriers and incentives in day-to-day practice in IEs and ISACs for CIIP. The material comes from three sources: literature analysis, interviews and an exercise with security professionals.

What ENISA found was many of the barriers and incentives identified in literature are of low importance to practitioners and security officials working in IEs. The "real" list of incentives for practitioners instead includes: economic incentives in the way of cost savings, as well as incentives of quality, value and use of information shared.

The main barriers to sharing information are poor quality information, poor management and/or reputational risks.

ENISA makes 20 recommendations to different target audiences, including:

  • Member States should establish a national information sharing platform and co-operate with other Member States.
  • Private Sector should be more transparent in sharing information, improve preparedness measures based on information exchanged;
  • Research and Academia should quantify the benefits and costs of participating in platforms, undertaking case-study research into where attacks might have been prevented, or their impact lessened.
  • EU Institutions and ENISA should establish a pan-European information sharing platform for Member States and private stakeholders.

We've got our ISACs in the critical infrastructure industries here in the U.S., and the Department of Homeland Security is heading up the information sharing that is done across the ISACs, resulting in solid, measurable outcomes. A bit of advice to our European peers -- we've learned here in the U.S. when it comes to sharing information security threats, the advice needs to be actionable, relevant and specific enough for companies to take and act upon.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.