ENISA has published a new report based on a study and analysis, conducted between April and October 2013, of approaches to national-level risk assessment and threat modelling for cyber security.
ENISA aimed to provide an evidence-based methodology for establishing a National-level Risk Assessment, contributing to the wider objective of improving national contingency planning practices (NCPs). The report is intended to help rationalise national risk assessments across EU Member States, with the aim of reducing or eliminating vulnerabilities in critical Information and Communication Technology (ICT) services and infrastructures.
Based on an analysis of the data gathered, the following key findings have been identified:
- Member States should better understand the underlying cyber threats and risks they face, and their impact on society.
- Member States are advised to integrate National-level Risk Assessment into the lifecycle of NIS incident management and cooperation plans and procedures.
- Member States should expand public–private sector dialogue and information sharing.
- A practical step-by-step guide on how to perform National-level Risk Assessments should be developed, tested and maintained. Such a guide should be piloted by countries at the early stages of preparing their own National-level Risk Assessment programme. ENISA or another international institution would be an appropriate body to oversee this action.
- A catalogue of scenarios to help Member States in their National-level Risk Assessments should be established at EU level. Such a catalogue could be based on work already being done at ENISA on the threat landscape and incident reporting.
- The EU community of practitioners with an interest in cyber National-level Risk Assessments should be established and strengthened as an information exchange platform, e.g. within the framework of the European Commission’s NIS Platform.
- Risk analysis expertise from other domains that assess complex cross-border risks (border security, financial services, aviation or public health, for example) must be shared, e.g. within the European Commission’s NIS Platform and other activities organised by ENISA.
Full report: National-level Risk Assessments: An Analysis Report