
Does better security ensure a higher level of competitiveness in the market?

Does better security have an impact on the level of competitiveness in the market? And if so, does it influence market competitiveness for the better?

45 users have voted.

Comments

nramaton's picture

Of course, "better security" impacts the level of competitiveness, but we have to define "better security", because it does not mean "more security".
For me, "better security" means that security fits the needs of the users. I mean, for some activities we will need more security than for others, in the same way that F1 cars have more security measures than "normal" vehicles.
In the end, security is a risk management decision; so we have to develop the best ways of managing risks in our society, and, of course, decide what are the maximum levels of risk we, as a society, deserve.

42 users have voted.
nmoyerja's picture

An interesting example of this issue is the ECAS (European Commission Authentication Service) login that I created in order to log into this forum.

It required me to set up one of the most complex passwords I use, which has a lot of pitfalls (such as I'm likely to forget it and will have to reset it regularly) and for my use, it's not exactly necessary. Perhaps a single ECAS login may be used for a variety of different purposes, some of which may require a password that is (*rolls eyes*) 10 characters long, but there is something odd about people with such very different needs intermingling on the same system.

39 users have voted.
nbezmarg's picture

Thanks, very interesting. This will mean a very relative approach to what is considered "risk", meaning that what can be accepted in a certain sector in terms of risk, won't be accepted in another sector, right?
43 users have voted.
nramaton's picture

You're right... that's the point I would raise. Risk management is very relative; theoretically we could define a risk acceptance level but, even if we were able to do it, we will suffer because of the subjectivity of the main ways to "calculate" risk. So, in my opinion, we should work better in an impact acceptance level (i.e., not considering the probability of the threat), because impact could be defined objectively and we could establish better security measures for IT systems with higher impacts and lower security needs for low risk systems.

47 users have voted.
ncimmimi's picture

My concern is that if we use this approach, it all becomes relative.
It goes without saying that companies and organizations would find better security to bring higher competitiveness.
It would be interesting to discuss what type of security creates the major concerns: is it about malware, theft of confidential information, blocking access to social media for unproductive employees, Bring-your-own-device (BYOD) policy, etc...
It would be good to discuss at #da13trustsec which are the aspects of security to be improved for increasing competitiveness.

33 users have voted.
nramaton's picture

I mostly agree, but my concern is that when talking about security we are in a defensive position, so we need to defend from every threat, so we should not focus on specific issues... I mean, in the end, what should drive our decisions should be the impact we suffer.

40 users have voted.
nbezmarg's picture

Great hint for discussion, where the impact-versus-probability approach shall be blended/crossed with the competition and capability variable of the single actors... 

38 users have voted.
njonesbb's picture

The security offered to public organisations when they make use of external commercial cloud services as opposed to in-house resources is an issue where the security risks involved must be balanced against the gains expected. These points are being explored by the Helix Nebula initiative where the use of commercial cloud services by research organisations is being actively tested, as summarised in a recent report:
http://www.helix-nebula.eu/index.php/uploads/file/81/56/HelixNebula-NOTE...

46 users have voted.
nramaton's picture

I agree with you njonesbb, we need to balance risk versus gains. So I have been asking to discuss security labeling of ICT services in the DA... I think that this proposal from the EU Cyber Security Strategy could serve a lot in this way. I mean, everyone can understand that a cloud service with an 'A' availability labeling is better (and probably expensive :) than another with a 'C'... and he/she could take a better informed decision than nowadays.

39 users have voted.
nmoyerja's picture

It's interesting to me that this question is being asked in the context of the Digital Agenda, which is often looking for a role for government. Is there an interest in having Europe-wide security regulations, with the hope that, in addition to improving security, competition might also be improved as well?

That's an interesting place to take this discussion. I've heard that software companies don't have a strong incentive to take security seriously, because the losses are incurred to the end user. (Web-based services have had enough scares though that they take security semi-seriously.) Regulations might help with this issue, but I fear that competitiveness would suffer as a result: startups, if not exempted, would be immediately burdened with complex regulations which larger firms would find easier to meet.

Even then, if somehow security regulations are established, that, all by itself, is a security problem. The regulations would probably induce group think ("ok we have to meet directive 253/69 part a which says we need this and this") and if all companies are following the same script, then the creative criminal simply needs to understand that script, and find where the script fails. Companies would be too busy trying to meet the directive to think outside of the box and worry about other issues.

41 users have voted.
nmoyerja's picture

Ah, I see that there is indeed a proposed cybersecurity directive...and that microenterprises are indeed exempted.

My initial instinct is that the competitiveness issues will be based on the mechanism for determining risk. I could see situations in which two competing companies are treated differently because, for some reason, they have been put into different risk categories and have to meet different security standards. Is it possible that member states would have different risk assessments?

39 users have voted.
nmoyerja's picture

Here is a potentially different risk assessment for two competing companies.

Snapchat and Instagram are apps that do approximately the same thing: sharing visual images with people. Though they do it in a different way (Snapchat sends friends images which auto-delete, Instagram images are posted to a profile until that image is deleted), they still accomplish the same purpose and a person may use them interchangeably.

However, a risk assessment may look at the two apps and classify them differently, because one hypothetically archives images, and the other doesn't. Is that an appropriate conclusion? Perhaps, but it could also be creating an unreasonable regulatory outcome.

40 users have voted.
nkirwagr's picture

Another aspect of this relates to how a user perceives risk. There's a great deal of psychological research in this area, particularly in relation to the effects of salience, recency and visualisation. If an individual has recently heard about a risk, and can easily visualise what the effects of victimisation might be, then they are more likely to consider a threat more seriously.

It's tempting to think that users accurately determine risk when carrying out tasks, but there are a great number of cognitive errors that individuals can make when forming a decision under uncertainty. It's important to also consider the human element in this question - what factors will encourage an individual to have trust in a given online setting, and what can be done to ensure that individuals are also aware of any potential risks, without overinflating either fear or confidence.

38 users have voted.
 
