8.1. Digital security
The digitisation of information and network connectivity are creating new challenges for the protection of sensitive data and network communications, affecting the trust of businesses and individuals in online activities.
Having a formal ICT security policy is a sign that an enterprise is aware of digital risks. In 2015, about 32% of European enterprises had a formally defined ICT security policy. However, this proportion varied widely across countries and by firm size. While 27% of European small firms had a formal ICT security policy in 2015, the proportion was lower in the United States at 23% (US National Cyber Security Alliance and Symantec, 2011).
Evidence from the Canadian Survey on Cyber Security and Cybercrime shows that, in 2017, only 13% of Canadian businesses had a written policy in place to manage or report digital security incidents. Meanwhile 21% businesses, almost twice as many, reported that they were involved in a digital security incident, which affected their operations. Large businesses (41%) were more than twice as likely as small businesses (19%) to have identified such an incident.
On average, 23% of Internet users in the OECD area reported experiencing a digital security incident in 2015, with notable differences across countries. In Hungary and Mexico, this share was nearly 40%, as opposed to less than 10% in the Czech Republic, the Netherlands and New Zealand.
The share of Internet users affected by a computer virus or other computer infection, with a resulting impact in terms of loss of information or time, has decreased since 2010 in most countries. This is possibly due to the integration of anti-virus software into operating systems and increased general awareness around the issue. In 2016, only 21% of Internet users in the OECD area experienced a security breach; however, the proportion was much higher in Japan at 65%.
National digital security strategies describe how countries prepare and respond to attacks against their digital networks. They can be considered an important dimension of national readiness in terms of digital security risk management. Across all countries covered globally in the ITU’s Global Cybersecurity Index 2017, only 38% reported having a published digital security strategy, with 11% having a dedicated standalone strategy. Another 12% of countries had a cybersecurity strategy under development.
Despite half of countries not having a digital security strategy, 61% do have national emergency response team (i.e. CIRT, CSRIT or CERT). However, only 21% publish metrics on cybersecurity incidents. This makes it difficult to objectively assess incidents based on evidence in most countries and therefore to determine the efficiency of protection measures.
In 2016, 65% of Internet users in Japan were affected by a computer virus or other computer infection, which caused a loss of information or time.
Definitions
ICT security refers to measures, controls and procedures applied to ICT systems to ensure the integrity, authenticity, availability and confidentiality of data and systems.
SMEs contracting out digital security services refers to the share of SMEs that have a formal ICT security policy where the security and data protection are mainly performed by external suppliers.
The impact of a computer virus or other computer infection refers to loss of information or time.
The Global Cybersecurity Index is computed on the basis of the following pillars: legal (legal institutions and frameworks dealing with cybersecurity and cybercrime); technical (technical institutions and frameworks dealing with cybersecurity); organisational (policy co-ordination institutions and strategies for cybersecurity development at the national level); capacity building (the existence of research and development, education and training programmes, as well as; certified professionals and public sector agencies fostering capacity building), and co-operation (refers to partnerships, co-operative frameworks, and information-sharing networks).
Measurability
Official data on digital security in firms and digital security incidents experienced by individuals are traditionally collected through ICT usage surveys. Countries within the European Statistical System cover these topics through special modules administered every few years. However, given the increasing policy relevance of digital security and trust, both from the perspectives of businesses and individuals, there is a need for additional and more timely metrics. The recently developed OECD measurement framework on Digital Security Risk Management in Firms (see page 8.6) is expected to provide more detailed information in the future.
In 2014, UN Member States committed to support ITU initiatives on cybersecurity, including the Global Cybersecurity Index (GCI), in order to promote government strategies and the sharing of information on efforts across industries and sectors. Data used to compute the 2017 GCI originate from an online survey, administered between January and September 2016, in the 193 ITU countries and the Palestinian Authority. Due to a lack of internationally comparable statistics on digital security from the perspective of governments, qualitative data from the 2017 GCI data collection are presented here to provide a general picture of national initiatives on digital security.
Source: OECD, based on Eurostat, Digital Economy and Society Statistics, Comprehensive Database, September 2018. See 1.
← 1. SMEs are defined as companies with between 10 and 249 employees and large firms as companies with 250 or more employees.
Source: OECD, ICT Access and Usage by Households and Individuals Database, http://oe.cd/hhind, November 2018. See 1.
← 1. Unless otherwise stated, Internet users are defined as individuals who accessed the Internet within the last 12 months.
For Chile, data refer to 2014.
For Costa Rica, data refer to OECD estimates for 2017 based on data provided by the National Institute of Statistics and Censuses and by the Ministry of Science, Technology and Telecommunications (MICITT). Internet users are defined as individuals who accessed the Internet within the last three months.
For Japan, data refer to 2016 instead of 2015.
For Korea, data refer to 2011 and 2017.
For Mexico and Switzerland, data refer to 2017 instead of 2015.
Source: ITU, Global Cybersecurity Index 2017. StatLink contains more data. See 1.
← 1. The GCI includes 25 indicators and 157 questions. The indicators used to calculate the GCI were selected on the basis of the following criteria: i) relevance to the five GCA pillars and in contributing towards the main GCI objectives and conceptual framework; ii) data availability and quality and iii) possibility of cross verification through secondary data.
Various levels of cybersecurity development among countries, as well as the different cybersecu-rity needs reflected by a country’s overall ICT development status were taken into consideration. The index is computed on the basis of the assumption that the more developed cybersecurity is, the more complex the solutions observed will be. Therefore, the further a country confirms the presence of pre-identified cyber solutions, the more complex and sophisticated the cybersecurity commitment allowing a higher score.