7. Trust
Source: OECD, based on Eurostat, Digital Economy and Society Statistics, Comprehensive Database, July 2017. See chapter notes.
In 2015, 70% of large enterprises in Europe had a formal security policy but only 30% of SMEs.
The digitisation of information and network connectivity are creating new challenges for the protection of sensitive data and network communications. Having a formal ICT security policy is a sign that an enterprise has experienced or is aware of digital risks.
In 2015, about 32% of European enterprises had a formally defined ICT security policy. However, this proportion varied widely across countries and by firm size. While 30% of European SMEs had a formal ICT security policy in 2015, in the United States this proportion was 23% (US National Cyber Security Alliance and Symantec, 2011).
SMEs also tend to rely more on external workers to ensure their digital security and data protection, probably due to limited access to financial resources and specialised skills. In 2015, digital security and data protection was performed internally in over 64% of large enterprises as opposed to 14% in SMEs.
In 2016, more than 70% of Internet users in Europe provided some kind of personal information online, with many performing actions to control access to this data on the Internet. 46% of all Internet users in Europe refused to allow the use of personal information for advertising and 40% limited access to their profile or content on social networking sites. More than one-third of Internet users read privacy policy statements before providing personal information and restricted access to their geographical location.
Young people show a higher propensity to share personal information online, but also undertake actions to control access to the information more often. Men tend to be more willing to share private information online than women in over two-thirds of the countries surveyed.
Definitions
ICT security policies include measures, controls and procedures applied to ICT systems to ensure the integrity, authenticity, availability and confidentiality of data and systems. In particular, such policies are designed to address the following security risks: destruction or corruption of data due to hardware or software failures; unavailability of ICT services due to outside attacks; and disclosure of confidential data due to intrusion, pharming or phishing attacks.
Size classes are defined as SMEs (10 to 249 person employed) and large (250 and more).
Personal information refers to information that the user considers private and would not necessarily disclose to the public, such as personal, contact and payment details or other personal information.
Source: OECD, based on Eurostat, Digital Economy and Society Statistics, Comprehensive Database, July 2017. StatLink contains more data.
Source: OECD, based on Eurostat, Digital Economy and Society Statistics, Comprehensive Database, July 2017. StatLink contains more data.
Information on ICT security policies is collected through the Eurostat’s Survey on ICT usage and e-commerce in enterprises. Information on disclosure and protection of personal information online is collected through the ICT usage surveys in households and by individuals.
Both the European and OECD model surveys on ICT usage ask direct questions about security and privacy, including on the use of protection from IT threats, the frequency of security updates and security incidents.
The 2014 revision of the OECD Model Survey on ICT Access and Usage by Households and Individuals includes a specific module on security and privacy, based on policy-relevant indications from the OECD Working Party on Security and Privacy in the Digital Economy.
It is a matter of debate among statisticians whether respondents are able to answer technical questions about IT security. To minimise this problem, coverage of the OECD security module is limited to home use, as this is the ICT environment about which users are more likely to have information, as opposed to ICT use at work or school.