Security Economics and the Internal Market
Full Title of Reference
Security Economics and the Internal Market
Ross Anderson, Rainer Bohme, Richard Clayton, Tyler Moore, Security Economics and the Internal Market (2008). European Network and Information Security Agency (ENISA). Web
- Issues: Cybercrime; Economics of Cybersecurity; Information Sharing/Disclosure; Public/Private Cooperation
Network and information security are of significant and growing economic importance. The direct cost to Europe of protective measures and electronic fraud is measured in billions of euros; and growing public concerns about information security hinder the development of both markets and public services, giving rise to even greater indirect costs. For example, while writing this report, the UK government confessed to the loss of child-benefit records affecting 25 million citizens. Further revelations about losses of electronic medical information and of data on children have called into question plans for the development of e-health and other systems. Information security is now a mainstream political issue, and can no longer be considered the sole purview of technologists. Fortunately, information security economics has recently become a live research topic: as well as collecting data on what fails and how, security economists have discovered that systems often fail not for some technical reason, but because the incentives were wrong. An appropriate regulatory framework is just as important for protecting economic and other activity online as it is offline. This report sets out to draw, from both economic principles and empirical data, a set of recommendations about what information security issues should be handled at the Member State level and what issues may require harmonisation – or at least coordination. In the report, fifteen key policy proposals are made. A consultative meeting was held in December 2007 which established that almost all of these proposals had wide stakeholder support and provide a basis for future action by ENISA and the European Commission.
Follow the key recommendations:
- We recommend that the EU introduce a comprehensive security-breach notification law.
- We recommend that the Commission (or the European Central Bank) regulate to ensure the publication of robust loss statistics for electronic crime.
- We recommend that ENISA collect and publish data about the quantity of spam and other bad traffic emitted by European ISPs.
- We recommend that the European Union introduce a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of compromised machines, coupled with a right for users to have disconnected machines reconnected if they assume full liability.
- We recommend that the EU develop and enforce standards for network-connected equipment to be secure by default.
- We recommend that the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle.
- We recommend security patches be offered for free, and that patches be kept separate from feature updates.
- The European Union should harmonise procedures for the resolution of disputes between customers and payment service providers over electronic transactions.
- We recommend that the European Commission prepare a proposal for a Directive establishing coherent regime of proportionate and effective sanctions against abusive online marketers.
- ENISA should conduct research, coordinated with other affected stakeholders and the European Commission, to study what changes are needed to consumer-protection law as commerce moves online.
- We recommend that ENISA should advise the competition authorities whenever diversity has security implications.
- We recommend that ENISA sponsor research to better understand the effects of Internet exchange point (IXP) failures. We also recommend they work with telecomms regulators to insist on best practice in IXP peering resilience.
- We recommend that the European Commission put immediate pressure on the 15 EU Member States that have yet to ratify the Council of Europe Convention on Cybercrime.
- We recommend the establishment of an EU-wide body charged with facilitating international co-operation on cyber crime, using NATO as a model.
- We recommend that ENISA champion the interests of the information security sector within the European Commission to ensure that regulations introduced for other purposes do not inadvertently harm security researchers and firms.
Additional Notes and Highlights
Expertise Required: Economics - Low
Study commissioned by the European Network and Information Security Agency (ENISA) to identify existing economic barriers for addressing Network and Information Security (NIS) issues. A description of goals of the study is available here.