PISCE stands for "Partnership for ICT Security Incident and Consumer Confidence Information Exchange". The purpose of PISCE is to create a platform for the exchange of information on IT security and consumer confidence trend data. Through PISCE, public and private partners can share and analyse past events, incidents and breaches. The primary objective is to encourage policy- and decision-makers to get involved. PISCE will enable the anticipation of future trends and possible emerging risks in information security in order to improve the resilience of, and confidence in, ICT in Europe.
Consumer confidence is vital fore ecommerce. Therefore, having access to data on security incidents and consumer confidence trends gives public and private organisations at both the national and European level the possibility to take decisions with a better knowledge of the overall risk situation.
Understanding how others approach data collection may lead to a more harmonised approach in Europe and the assessment of previously-implemented legal, regulatory, organisational and technical measures. The aim is not to benchmark countries, but rather to provide an overview, the “bigger picture” of the situation in Europe.
The European Commission recognises that security is one the four main challenges to be addressed in reaching a Single European Information Space. However, success in achieving a “safer internet” and “trust” can only be measured with more reliable data on information security incidents and user confidence. Consequently, the Commission requested ENISA to develop 1) a trusted partnership with Member States and other stakeholders and 2) a possible framework for data collection.
A wealth of data on information security incidents and consumer confidence is available but the problem is where to find and how to access it. No one wants to share information about embarrassing security incidents. Moreover, those who invest in data collection initiatives want a return on their investment. Collecting, aggregating and sharing such data requires a sustainable business model and a serious commitment. However, up to now European policy-makers have failed to express an interest in such an initiative and so there is no driving force with a long-term mandate.
Extensive discussion with the various actors made it clear that a single partnership (“one-size-fits-all” approach) is not feasible. Rather it will be more effective to create new (or promote existing) partnerships of different kinds and at various levels. PISCE’s role would be to act as an over-arching coordinating partnership bringing together the initiatives by supporting information and data exchange, harmonising collection methodologies and mediating trust.
ENISA identified almost 100 potential partners and evaluated more than 60 existing data collection initiatives. Organisations involved included managed security service providers, computer emergency response teams (CERTS inventory, national security organisations, statistics offices such as Eurostat, IT security vendors, communication service providers, universities and other researchers.
ENISA proposes to first concentrate on a selection of the most promising partners who focus on Europe, have already achieved high visibility for their work and established a relationship with the EU. As PISCE evolves, the door will be kept open to new entrants.
A conference was held at the end of 2007 where participants were invited to provide feedback on the study. At that time, a majority expressed a commitment to PISCE.
The approach will be phased and will evolve in several steps. PISCE will:
raise the visibility of existing data collection approaches and mediate supply and demand via a wiki (add link to http://wiki.enisa.europa.eu);
categorise reports and develop a data collection template;
facilitate understanding of reports (without revealing sensitive information);
develop summary reports for decision-makers (if, when or where resources are available);
enlarge and develop the partnership.
So far, ENISA’s has been to reply to the official request of the European Commission by provided an in-depth analysis on how to build up a trusted partnership to collect data on security incidents and consumers confidence. ENISA has also provided some support to the creation of such a partnership (PISCE) by will putting in place a public wiki and hosting the closed mailing list of participants. For the longer term, the PISCE partners expressed the need for a trusted and stable structure to centralise the collection of data and discussion on best methods and practices. This point will be examined in the upcoming discussions between the European Commission, ENISA and the various stakeholders.