ENISA Inventory of publicly available sources on Information Security

Objective

Within 2012 work on “Identifying and Responding to the Evolving Threat Environment”, ENISA plans to assess emerging risks and opportunities. This forward-looking activity is considered to be an essential preparedness step towards future information security challenges.

One of the main objectives of this work is to include publicly available information on information security risks and opportunities in all upcoming assessments. This objective will lead to faster assessments with less effort, based on already existing information. To this extend, one of the core tasks of this work is the collection and aggregation of existing data.

Collection and aggregation of existing quantitative data will be a long-term objective that will be developed initially and refined in future versions of the work programme. The announced stock taking exercise is the start of this action and will remain on-going beyond 2012.

Content

Within the work on “Identifying and Responding to the Evolving Threat Environment”, ENISA is interested in information on risks and opportunities, and in particular with regard to emerging technologies and/or applications. Nevertheless, existing information on threats, vulnerabilities and mitigation strategies/controls are also of interest.

In order to give a better view on the information expected to be part of risks and opportunities, the following assumptions are being made:

• As regards Risks: According to the widely accepted ISO 27005 definition, risks emerge when: “Threats abuse vulnerabilities of assets to generate harm for the organization”. In more detailed terms, a risk is consider as taking into account the following elements:

Asset (Vulnerabilities, Controls), Threat (Threat Agent Profile, Likelihood) and Impact

• As regards Opportunities: Due to missing standardised definitions of opportunities it is being consider that an opportunity is “an uncertainty that will enhance ability to achieve objectives”[1]. An opportunity can include savings from increased organisational efficiency. In addition, an (business) opportunity is a gain for the organization as the result of a better exploitation of market /business conditions. In order to achieve opportunity management, elements that have to be considered are[2]: driving improvements in an operational environment, balancing return and investment, obtaining change buy-in and manage reward. In addition, some resources[3] argue that opportunity management might be the result of a risk management by focussing on positive consequences of a risk.

Due to our focus on Information Security issues, the elements of both risks and opportunities should have an ICT context and be directly or indirectly related to Information Security.

Method

The stock taking exercise will be performed by means of a questionnaire. Purpose of this questionnaire is to assess all relevant information residing on a publicly available information source. The questions cover the following information about an information security source:

• General Information and Scope,
• Organisational Issues,
• Content regarding Security Risks,
• Content regarding Opportunities,
• Content regarding Security Trends,
• Content on details of Risks,
• Additional information,
• Targeted Groups,
• Available communication Channels

ENISA is going to collect this information, a) by putting the questionnaire online. Interested operators of information security sources will be able to fill the template and send it to ENISA, b) by directly sending the questionnaire to identified information security source operators asking them to fill it and return it to ENISA. Due to the large number of security sources, the stock taking will be open, that is interested organisations/individuals may submit the questionnaire at any time. It is expected that the completion of the questionnaire will take ca. 15 minutes.

The assessed information will be put online by means of an inventory that will be publicly available.

The questionnaire

The complete questionnaire can be found HERE. Please download the document, fill the questions and return it to ENISA to the e-mail address: [email protected]. To this address you may also send any further points you might like to make on this subject matter.

[1] Guide to Risk and Opportunity Management, http://www.thurrock.gov.uk/i-know/pdf/perf_how_05_risk_2012.pdf

[2] Based on available material from Turner and Townsend, URL: http://www.turnerandtownsend.com/risk.html 

[3] Embracing uncertainty in DoD Acquisition, 1SG David E. Frick, USA, July 2010, in http://www.dau.mil