Digital Single Market
Digital Economy & Society

Improving cybersecurity through incentives

Given our growing dependence on the smooth functioning of information networks and services, ensuring their security and availability is of utmost importance for our society.

--- Posted by Marina Nedelcheva, DG INFSO: Internet, Network and Information security unit, Workshop organiser at the Digital Agenda Assembly

ICT networks and services, and in particular the Internet, are a key driver for our economy and society. They bring immense economic opportunities and at the same time provide a vital public good. Given our growing dependence on the smooth functioning of these networks and services, ensuring their security and availability is of utmost importance for our society.

Enhancing the level of cybersecurity is everyone's responsibility and this poses certain governance challenges. States are ultimately responsible for defining policies for the protection of vital information infrastructures, such as the Internet, however, their implementation depends on the involvement of the private sector, which owns and manages a large number of these infrastructures. The level of security is also affected by the actions of individual end-users.

So one of the questions that emerge is what are the right incentives for stakeholders to invest in cybersecurity at a level which meets the public policy and public safety expectations.

At the moment, the answer to this question is not straightforward.

One of the reasons is the lack of trusted data on cyber security risks and their economic impact which makes it difficult to assess the economic benefits of possible investments.

It is also unclear how the roles and responsibilities of the different stakeholders are allocated along the digital value chain. This creates externalities arising from situations where those investing in cyber security are not necessarily the ones that will benefit from the investment.

To address these problems, the Commission proposed in the policy initiative on Critical Information Infrastructure Protection to create the proper social and economic incentives to strengthen security, resilience and preparedness across the European Union.

 We will be discussing this issue at the Digital Agenda Assembly (#daa11eu) in a workshop entitled “Cybersecurity: barriers and incentives”.

You are invited to share your ideas about this workshop on this blog or on Twitter using the #daa11security hashtag.

Editor Connect's picture
Published in DSM blog


's picture
The European Commission should require disclosure of source code from critical applications to the authorities. In particular with the methods of automatic static analysis and through review of source code it is possible to reduce security vulnerabilities. There should also be sanctions when manufacturers of mission critical applications fail to close vulnerabilities.
's picture
"incentive" implies the regulators have no power and you have to feed the industry to do the right thing, in other words a weak state paradigm that is discredited after the transatlantic financial crisis put our markets at risk. It seems as if the current security market shortcomings are quite profitable and everything is done by industry to sustain the status quo, unless the government comes and intervenes. Why does it take companies 3 years to patch a known security vulnerability, or they don't react at all? We don't accept insecurity in aviation and it is possible to apply similar high standards to operating system environments. Availability of source code is very useful but it is not enough. The EU should develop its own secure operating system like the NSA did. We cannot trust American software to not contain hidden backdoors and we know that these agencies hoard zero day exploits to hack our systems. The infamous 2008 ssh vulnerability was much greater in importance than the eEstonia incident show case because it shook the very foundation of networked secure communications Here source code was fully disclosed and it was only revealed when the person who wrote it got rid off his contractual NDA obligations. Here the EU may kick in and review such source code and protocols of CII. Reviewing source code is expensive but it pays off.