The European Network and Information Security Agency (ENISA), launched a new report on barriers to and incentives for cyber security information sharing. It shows that the economic incentives are more important for practitioners than what academic literature indicate.
The importance of information sharing for the Critical Information Infrastructure Protection (CIIP) is widely acknowledged by policy-makers, technical and practitioner communities alike. The Agency has researched peer-to-peer groups, e.g. Information Exchanges (IEs) and Information Sharing Analysis Centres (ISACs).
The report identifies the most important barriers and incentives in day-to-day practice in IEs and ISACs for CIIP. This research differs from other reports by being focused on the practitioners’ experiences. The material stems from three sources, literature analysis, interviews, and a two-round “Delphi’ exercise with security professionals.
Many of the barriers and incentives identified in literature are of low importance to practitioners and security officials working in IEs. The “real’ list of incentives for practitioners is instead: economic incentives (i.e. cost savings), incentives of quality, value, and use of information shared. Main barriers to sharing information are poor quality information, poor management, and/or reputational risks.
The Agency has produced recommendations to different target audiences:
- Member States should establish a national information sharing platform and co-operate with other Member States.
- The private sector should be more transparent in sharing information, improve preparedness measures based on information exchanged.
- Research and Academia should quantify the benefits and costs of participating in platforms; undertaking case-study research into where attacks might have been prevented, or their impact lessened.
- The EU Institutions and ENISA should establish a pan European information sharing platform for Member States and private stakeholders. The EU Commission’s European Public Private Partnership for Resilience (EP3R) is the main policy initiative in this area.