A Data Collection Framework on security incidents - a way to increase resilience of eCommunication systems in Europe?
In the first study ever in this field, ENISA has investigated the feasibility of a European Data Collection Framework on security incidents. The study will help policymakers to define more cost-effective security policies, and the Agency is now presenting its results. As an outcome, ENISA proposes to establish a new “Partnership for ICT Security Incident and Consumer Confidence Information Exchange (PISCE)”.
PISCE will provide public and private policy makers, EU and national organisations with an ‘NIS spectrometer’, allowing them to take more informed decisions based on more reliable data and knowledge of security incidents. The Partnership will consequently contribute to improved resilience of eCommunication systems in Europe.
The ENISA feasibility study underlines that EU-wide data collection is a complex matter. ENISA identified approximately 100 potential partners and evaluated more than 60 existing data collection initiatives. A single, centralised EU data collection partnership (“one-size-fits-all”) is neither feasible nor desirable. Conversely, new and innovative partnerships to move forward in this area are both needed and possible. In this context, ENISA supports the creation of a new partnership (PISCE) to tie together existing and new data collection initiatives in order to improve information and data exchange, promote common collection methodologies, and build trusted relations between partners.
PISCE may become a powerful European area for information exchange on IT security and consumer confidence trend data. ENISA advocates concentrating first on a selection of the most promising partners while keeping the door open to new entrants.
Time to act for decision makers: no free NIS lunch
EU-wide data collection is hindered by two factors: weak expressed demand from policy makers and the absence of a driving force with a long-term mandate. Nevertheless, the involvement of dozens of organisations and hundreds of data collection reports does not exist without a reason; still, a more direct commitment by policy makers is needed.
A wealth of data exists, of different nature and from various sources, but the question is how to assess its reliability and how to combine it. Not everyone wants to share the information amassed on embarrassing security incidents. Moreover, data collectors want a return on their investment. Collecting, aggregating and sharing data needs a sustainable business model.
The Agency commented:
ENISA supports the establishment of PISCE, a partnership open to security researchers, business partners, and public policy makers.