Towards a culture of online security

Spotlight on Information Society

Making information systems trustworthy is a job that concerns everyone. What can be done? A cultural change is needed in society’s perception of information technology security.

Did you know that August 2003 was reportedly the worst month in history for virus attacks? With the “Win32.Blaster” virus rapidly spreading worldwide and several other disruptive worms following behind in quick succession, the total damage has been estimated by one source at some US$2 billion (see references). At the same time, the number of reported security incidents is constantly rising: the CERT Coordination Center at the Carnegie Mellon Software Engineering Institute reports 114,855 incidents for the first three quarters of 2003 alone (compared with 82,094 for 2002).

The message is straightforward: insecurity is expensive. Security risks hamper economic potential and severely affect day-to-day activity in companies and institutions. The more economies become reliant on technology, the more they become vulnerable.

How did we get here? One main reason is that the nature of our electronic environment has changed. Since the early 1990s information technology has evolved from modest use of mainly stand-alone systems in closed networks – basically, office computers and home game machines – to the development of the Internet and other networks connecting businesses, governments, consumers and any “wired” individual or organisation. And beyond computer networks connecting end-users, important business sectors, from energy and transport to international banking, use intelligent networks. Access devices have multiplied and diversified to include a variety of portable and wireless means of access. The Internet increasingly plays a major part in shaping the way the world works. The trouble is, the pervasiveness of information technology and related networks has raised new and quite complex security challenges for society.

There is no question that wide access to information systems has the potential to greatly assist economic and social development, not just through e-commerce, but through other innovations, like e-medicine and learning. However, this same interconnected openness demands new practices to ensure proper functioning and resistance to internal and external threats and vulnerabilities. And security is critical to local, national and global communications, essential infrastructures such as power generation and distribution, financial markets or transportation, and economic welfare.

There is no easy or perfect solution, no “silver bullet” to eliminate the security risks. Threats and vulnerabilities are constantly evolving. Moreover, a network is as weak as its weakest point: if one component is compromised, whether deliberately or by accident, everyone connected to the network is potentially exposed. This is an occupational hazard of interdependency.

What can be done? An obvious answer is to invest in more technology. And indeed, such investments have been in constant growth in recent years. As regards investments by business users, respondents to the Deloitte Touche Tohmatsu 2003 Global Security Survey said they were spending on average about 6% of their total IT budgets on security.

Perhaps we are getting used to such sums. After all, in the now almost forgotten Y2K episode, an estimated US$200 billion was spent worldwide to prevent computer date-reading problems from occurring in 2000. But not only are business investments costly, spending on designing security technology is rising too. Also, virus attacks have not diminished, suggesting that a technology-only route would be a long battle and so can only be part of the answer. What is needed is nothing less than a general cultural change in the way society perceives information technology security. Nor is this being too ambitious. Just as in air travel, where people now accept that mobile phones must be switched off before takeoff and landing, a public attitude that understands risks and, as importantly, responsibilities can and must be cultivated. Such a change is the best possible way to reach real user trust in the online environment.

To help initiate such a sea change, in 2002 the OECD developed new Guidelines for the Security of Information Systems and Networks. Building on the 1992 OECD Security Guidelines, the revised version responds to the ever changing security environment and calls for a “culture of security”. Since their adoption in July 2002, the OECD Guidelines have served as the basis for a United Nations General Assembly resolution for the “Creation of a Global Culture of Cyber Security” in December 2002 and for the European Council “Resolution on a European Approach towards a Culture of Network and Information Security” (February 2003), and have been recognised by the Asia Pacific Economic Co-operation (APEC) forum. Apart from raising awareness about the risk to information systems and networks, the new guidelines offer advice on the policies, practices, measures and procedures available to address those risks, while addressing the need for their adoption and implementation. In short, the aim is to foster greater confidence among all participants in information systems and networks and the way in which they are delivered and used.

However, there is much work to be done before a culture of security well and truly takes hold. A survey conducted by IDC/Bull in 2002 with the IT Divisions of 250 European companies showed that security was not yet a strategic consideration for two out of three companies. A more recent survey from September 2003 conducted by Watchfire and IBM Global Services shows that 66% of companies surveyed used at least one web form that collected sensitive personal information without any protective encryption.

Still, try we must. Already, in January 2003, OECD countries agreed on an implementation plan for co-ordinated national online security policies and a survey of progress is now under way. Then in October 2003, at a global forum on information security and networks hosted by the Norwegian government in Oslo, governments and civil society participants explained how they are implementing the online security guidelines and educating their citizens, customers and the general public about best practice online, including campaigns aimed at parents and children. These are not talk shops, but a vital way of identifying problems and developing the culture of online security real people need.

The OECD has launched a Global Culture of Security web site as a resource to help users everywhere learn how to follow online security practices. The best defence against information system viruses, hackers and other online risks is to strengthen the network through improving behaviour. That means spreading good practices around.

References

Computer Economics, Inc. (2003), “April 2003 – Worst Virus Season Ever?”, www.computereconomics.com/article.cfm?id=867

CERT Coordination Center at the Carnegie Mellon Software Engineering Institute (2003), CERT/CC Statistics 1988-2003, www.cert.org/stats/cert_stats.html

Deloitte Touche Tohmatsu (2003), 2003 Global Security Survey, www.deloitte.com/dtt/cda/doc/content/2003%20Global%20Security%20Survey.pdf

Getzinger, L., (2000), “Y2K Investments Were Sound, Industry Spokesmen Say”, Washington File, Office of International Information Programs, U.S. Department of State, http://usembassy-australia.state.gov/hyper/2000/0112/epf308.htm

OECD (2002), OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, www.oecd.org/dataoecd/16/22/15582260.pdf

OECD (2003), Implementation Plan for the OECD Guidelines for the Security of Information Systems and Networks, www.olis.oecd.org/olis/2002doc.nsf/LinkTo/dsti-iccp-reg(2002)6-final

Watchfire and IBM (2003), The State of Online Financial Services, www.watchfire.com

©OECD Observer No 240/241, December 2003





NOTE: All signed articles in the OECD Observer express the opinions of the authors
and do not necessarily represent the official views of OECD member countries.
