Incentives and Challenges to Information Sharing
In 2010, ENISA worked on an analysis of barriers to and incentives for information sharing in the field of Critical Information Infrastructure Protection (CIIP). Findings indicate that many of the barriers and incentives commonly identified in the available literature are of relatively low importance to security officials working in Information Exchanges (IEs).
According to the study, the most important incentives are:
- Economic incentives stemming from cost savings;
- Incentives stemming from the quality, value, and use of information shared.
The most important barriers identified were:
- Poor quality of information;
- Misaligned economic incentives stemming from reputational risks;
- Poor management.
The report provides specific recommendations for both public decision-makers and private sector stakeholders.
- The European Institutions and ENISA, as an EU body, are called upon to play an active role in developing a European information sharing platform, and to encourage participation of Member States and relevant private stakeholders, including existing national platforms.
- Member States are called upon to establish a national information sharing platform, to ensure the legal framework is conducive to information sharing, and to co-operate with other Member States.
- The private sector is encouraged to be more transparent and share information responsibly, and to use information sharing to improve security voluntarily, in order to avoid regulatory interest and strong regulatory action, which might be counter-productive.
- Academia and research could work to identify, describe, and quantify the benefits and costs of participating in such platforms, undertaking case-study research into instances where attacks might have been prevented, or their impact lessened.
ENISA Good Practice Guide on Information Sharing
In 2009, ENISA issued its Good Practice Guide (GPG) on Information Sharing. It aims at assisting Member States and other relevant stakeholders in setting up and running Network Security Information Exchanges in their own countries.
The main characteristics of such a platform are:
- Regular, face-to-face meetings comprising between 20 and 30 high-level security experts;
- Government role is instrumental in setting up and running an NSIE together with industry;
- Addresses strategic issues (e.g. major/critical disruptions) rather than operational ones;
- Participation is free of charge, and new members require unanimous agreement from existing members;
- It should provide incentives to members to participate;
- It should respect members' commercial sensitivities related to the disclosure of information to competitors and/or regulators;
- Emphasis is on information exchange rather than on information transfer.