Does better security impact on the level of competitiveness in the market? And in case, does it influence market competitiveness for the better?
Of course, "better security" impacts the level of competitiveness, but we have to define "better security", because it does not mean "more security".
For me, "better security" means that security fits the needs of the users. I mean, for some activities we will need more security than for others, in the same way that F1 cars have more security measures than "normal" vehicles.
At the end, security is a risk management decision; so we have to develop best ways of managing risks in our society, and, of course, decide what the maximum levels of risk are that we, as a society, deserve.
My concern is that if we use this approach, it all becomes relative.
It goes without saying that companies and organizations would find better security to bring higher competitiveness.
It would be interesting to discuss what type of security creates the major concerns: is it about malware, theft of confidential information, blocking access to social media for unproductive employees, Bring-your-own-device (BYOD) policy, etc...
It would be good to discuss at #da13trustsec which are the aspects of security to be improved for increasing competitiveness.
You're right... that's the point I would raise. Risk management is very relative; theoretically we could define a risk acceptance level but, even if we were able to do it, we will suffer because of the subjectivity of the main ways to "calculate" risk. So, in my opinion, we should work better on an impact acceptance level (i.e., not considering the probability of the threat), because impact could be defined objectively and we could establish better security measures for IT systems with higher impacts and lower security needs for low risk systems.
I mostly agree, but my concern is that talking about security we are in a defensive position, so we need to defend from every threat, so we should not focus on specific issues... I mean, at the end, what should drive our decisions should be the impact we suffer.
Great hint for discussion, where the impact-versus-probability approach shall be blended/crossed with the competition and capability variable of the single actors...
The security offered to public organisations when they make use of external commercial cloud services as opposed to in-house resources is an issue where the security risks involved must be balanced against the gains expected. These points are being explored by the Helix Nebula initiative where the use of commercial cloud services by research organisations is being actively tested, as summarised in a recent report: http://www.helix-nebula.eu/index.php/uploads/file/81/56/HelixNebula-NOTE...
I agree with you njonesbb, we need to balance risk versus gains. So I have been asking to discuss security labeling of ICT services in the DA... I think that this proposal from the EU Cyber Security Strategy could serve a lot in this way. I mean, everyone can understand that a cloud service with an 'A' availability labeling is better (and probably more expensive :) than another with a 'C'... and he/she could take a better informed decision than nowadays.
It's interesting to me that this question is being asked in the context of the Digital Agenda, which is often looking for a role for government. Is there an interest in having Europe-wide security regulations, with the hope that, in addition to improving security, competition might be improved as well?
That's an interesting place to take this discussion. I've heard that software companies don't have a strong incentive to take security seriously, because the losses are incurred to the end user. (Web based services have had enough scares though that they take security semi-seriously.) Regulations might help with this issue, but I fear that competitiveness would suffer as a result: startups, if not exempted, would be immediately burdened with complex regulations which larger firms would find easier to meet.
Even then, if somehow security regulations are established, that, all by itself, is a security problem. The regulations would probably induce group think ("ok we have to meet directive 253/69 part a which says we need this and this") and if all companies are following the same script, then the creative criminal simply needs to understand that script, and find where the script fails. Companies would be too busy trying to meet the directive to think outside of the box and worry about other issues.
An interesting example of this issue is the ECAS (European Commission Authentication Service) login that I created in order to log into this forum.
It required me to set up one of the most complex passwords I use, which has a lot of pitfalls (such as I'm likely to forget it and will have to reset it regularly), and for my use it's not exactly necessary. Perhaps a single ECAS login may be used for a variety of different purposes, some of which may require a password that is (*rolls eyes*) 10 characters long, but there is something odd about people with such very different needs intermingling on the same system.