We have discussed Early Warning System (EWS) challenges in the past, such as:
and yesterday we focused on the International IT security conference “Innovation and Responsibility” that starts today in Berlin. For this reason we published:
Early Warning System – it takes more work to create ‘added value’
From time to time we will bring new insights regarding the running of EWS operations.
We hope that you enjoy reading these postings and get something out of them.
We would appreciate it if you left a comment below with what you think, or with what could be added.
One of the biggest challenges is to determine what types of risk we may be exposed to in the future. Of particular interest are those risks that could affect the reliability and dependability of our systems and thereby jeopardize the availability, integrity and confidentiality of information. What makes things more difficult, however, is that these risks must be defined separately for each stakeholder group, such as:
- owners and/or managers of infrastructure (Internet backbone, Internet Service Providers (ISPs)),
- large corporations and government agencies with huge ‘internal’ and ‘external’ networks (e.g., local area networks and virtual private networks),
- small and medium-sized enterprises (SMEs) that may have their own networks (e.g., 30 PCs linked on a local area network (LAN)), AND
- home users (e.g., children and parents connecting various gadgets to the home network and server, or using a wireless router to surf the Internet).
This indicates that each of the above groups has radically different risks to deal with regarding zero-day exploits or malware. This is not to say that the risks are unrelated (botnets create headaches for home users and for their ISPs, i.e. the infrastructure owners). To illustrate this further, a given threat or vulnerability may cause little concern to home users, unless they understand what it could mean for their PC’s hard disk should they fall victim to a hacker exploiting a newly discovered vulnerability in the operating system that runs the PC (see also CyTRAP Labs risk barometer).
For large firms, however, things may be slightly different. Hence a comprehensive instrument, such as EBIOS, will be used to assess IT and information-related risks very thoroughly:
And while Urs+Nahum’s Security Checklist may be used by large and smaller firms alike, how they apply it to assess risk levels and internal controls across the enterprise will surely differ due to the differing complexity of their infrastructure.
In Berlin, delegates and country representatives attending the International IT security conference “Innovation and Responsibility” will face two major issues for which they should either get an answer from the conference or else ask ENISA to clarify at a subsequent meeting:
a) launch a pan-European network that focuses on a very narrow target group, where the impact and benefits compared to costs and efforts should be greatest (e.g., SMEs or home users);
b) before launch, define what benefits the ULTIMATE target group of the European Information Sharing and Alert System (EISAS) is supposed to get beyond what is already being offered in various Member States (value proposition).
Without addressing the above two issues, ENISA and the European Union might launch another Early Warning System – the European Information Sharing and Alert System (EISAS) – that very likely will:
- neither satisfy its masters (EU Member States),
- nor its target group(s) (e.g., business and home-users)
by failing to provide information that the people it is supposed to serve perceive as adding real value (e.g., information that is published faster than is currently the case, or that covers important issues not currently addressed by any other early warning system). Without focusing first on one target group, the risk for EISAS is that it spreads itself too thin across too many areas. This is surely a no-win situation for EISAS, and for ENISA in particular.
A narrow target focus will improve EISAS’ chances of delivering quality services. Additionally, by addressing issues with a more mid-range time-frame (e.g., 3-5 years) instead of offering yet another alerting service, EISAS would step into a space that has yet to be served. Examples could include focusing more on:
- the OpenDocument Format (ODF) standard, and
- open-source software and solutions, AND
answering questions pertaining to how their further development or diffusion could change the risk landscape for SMEs and home users regarding
- identity theft,
- confidentiality and
- integrity of data and information.
Addressing such mid-range issues and providing satisfactory answers is critical to support the take-up of new technologies and services in e-government and e-commerce by SMEs and citizens.
However, reading the FAQ offered by ENISA regarding EISAS does not suggest a clear and relatively narrow focus for the services it intends to offer. Nor is its focus mid-range; instead, it reads like another run-of-the-mill alerting service:
Stay tuned, tomorrow we will bring you:
Next week we will bring you:
We had another story about this issue on our sister blog Mobility@Work (in German):