Towards a culture of online security

Spotlight on Information Society

Making information systems trustworthy is a job that concerns everyone. What can be done? A cultural change is needed in the society’s perception of information technology security.

Did you know that August 2003 was reportedly the worst month in history for virus attacks? With the “Win32.Blaster” virus rapidly spreading worldwide and several other disruptive worms following behind in quick succession, the total damage has been estimated by one source at some US$2 billion (see references). At the same time, the number of reported security incidents is constantly rising: the CERT Coordination Center at the Carnegie Mellon Software Engineering Institute reports a number of 114,855 incidents for the first three quarters of 2003 alone (compared with 82,094 for 2002).

The message is straightforward: insecurity is expensive. Security risks hamper economic potential and severely affect day-to-day activity in companies and institutions. The more economies become reliant on technology, the more they become vulnerable.

How did we get here? One main reason is that the nature of our electronic environment has changed. Since the early 1990s information technology has evolved from modest use of mainly stand-alone systems in closed networks – basically, office computers and home game machines – to the development of the Internet and other networks connecting businesses, governments, consumers and any “wired” individual or organisation. And beyond computer networks connecting end-users, important business sectors, from energy and transport to international banking, use intelligent networks. Access devices have multiplied and diversified to include a variety of portable and wireless accesses. The Internet increasingly plays a major part in shaping the way the world works. The trouble is, the pervasiveness of information technology and related networks has raised new and quite complex security challenges for society.

There is no question that wide access to information systems has the potential to greatly assist economic and social development, not just through e-commerce, but through other innovations, like e-medicine and learning. However, this same interconnected openness demands new practices to ensure proper functioning and resistance to internal and external threats and vulnerabilities. And security is critical to local, national and global communications, essential infrastructures such as power generation and distribution, financial markets or transportation, and economic welfare.

There is no easy or perfect solution, no “silver bullet” to eliminate the security risks. Threats and vulnerabilities are constantly evolving. Moreover, a network is as weak as its weakest point: if one component is compromised, whether deliberately or by accident, everyone connected to the network is potentially exposed. This is an occupational hazard of interdependency.

What can be done? An obvious answer is to invest in more technology. And indeed, such investments have been in constant growth in recent years. As regards investments by business users, respondents to the Deloitte Touche Tohmatsu 2003 Global Security Survey said they were spending on average about 6% of their total IT budgets on security.

Perhaps we are getting used to such sums. After all, in the now almost forgotten Y2K episode, an estimated US$200 billion was spent worldwide to prevent computer date-reading problems from occurring in 2000. But not only are business investments costly, spending on designing security technology is rising too. Also, virus attacks have not diminished, suggesting that a technology-only route would be a long battle and so can only be part of the answer. What is needed is nothing less than a general cultural change in the way society perceives information technology security. Nor is this being too ambitious. Just as in air travel, where people now accept that mobile phones must be switched off before takeoff and landing, a public attitude that understands risks and, as importantly, responsibilities can and must be cultivated. Such a change is the best possible way to reach real user trust in the online environment.

To help initiate such a sea change, in 2002 the OECD developed new Guidelines for the Security of Information Systems and Networks. Building on the 1992 OECD Security Guidelines, the revised version responds to the ever changing security environment and calls for a “culture of security”. Since their adoption in July 2002, the OECD Guidelines served as the basis for a United Nations General Assembly resolution for the “Creation of a Global Culture of Cyber Security” in December 2002, the European Council “Resolution on a European Approach towards a Culture of Network and Information Security” (February 2003) and have been recognised by the Asia Pacific Economic Co-operation (APEC) forum. Apart from raising awareness about the risk to information systems and networks, the new guidelines offer advice on the policies, practices, measures and procedures available to address those risks, while addressing the need for their adoption and implementation. In short, the aim is to foster greater confidence among all participants in information systems and networks and the way in which they are delivered and used.

However, there is much work to be done before a culture of security well and truly takes hold. A survey conducted by IDC/Bull in 2002 with the IT Divisions of 250 European companies showed that security was not yet a strategic consideration for two out of three companies. A more recent survey from September 2003 conducted by Watchfire and IBM Global Services shows that 66% of companies surveyed used at least one web form that collected sensitive personal information without any protective encryption.

Still, try we must. Already, in January 2003, OECD countries agreed on an implementation plan for co-ordinated national online security policies and a survey of progress is now under way. Then in October 2003, at a global forum on information security and networks hosted by the Norwegian government in Oslo, governments and civil society participants explained how they are implementing the online security guidelines and educating their citizens, customers and the general public about best practice online, including campaigns aimed at parents and children. These are not talk shops, but a vital way of identifying problems and developing the culture of online security real people need.

The OECD has launched a Global Culture of Security web site as a resource to help users everywhere learn how to follow online security practices. The best defence against information system viruses, hackers and other online risks is to strengthen the network through improving behaviour. That means spreading good practices around.


Computer Economics, Inc. (2003), “April 2003 – Worst Virus Season Ever?”,

CERT Coordination Center at the Carnegie Mellon Software Engineering Institute (2003),CERT/CC Statistics 1988-2003,

Deloitte Touche Tohmatsu (2003), 2003 Global Security Survey,

Getzinger, L., (2000), “Y2K Investments Were Sound, Industry Spokesmen Say”, Washington File, Office of International Information Programs, U.S. Department of State,

OECD (2002), OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security,

OECD (2003), Implementation Plan for the OECD Guidelines for the Security of Information Systems and Networks

Watchfire and IBM (2003), The State of Online Financial Services,

©OECD Observer No 240/241, December 2003

Economic data

GDP growth: +0.6% Q1 2019 year-on-year
Consumer price inflation: 2.3% May 2019 annual
Trade: +0.4% exp, -1.2% imp, Q1 2019
Unemployment: 5.2% July 2019
Last update: 8 July 2019

OECD Observer Newsletter

Stay up-to-date with the latest news from the OECD by signing up for our e-newsletter :

Twitter feed

Subscribe now

<b>Subscribe now!</b>

To order your own paper editions,email

Online edition
Previous editions

Don't miss

  • MCM logo
  • The following communiqué and Chair’s statement were issued at the close of the OECD Council Meeting at Ministerial level, this year presided by the Slovak Republic.
  • Food production will suffer some of the most immediate and brutal effects of climate change, with some regions of the world suffering far more than others. Only through unhindered global trade can we ensure that high-quality, nutritious food reaches those who need it most, Angel Gurría, Secretary-General of the OECD, and José Graziano da Silva, Director-General of the United Nations Food and Agriculture Organization, write in their latest Project Syndicate article. Read the article here.
  • Globalisation will continue and get stronger, and how to harness it is the great challenge, says OECD Secretary-General Gurría on Bloomberg TV. Watch the interview here.
  • OECD Secretary-General Angel Gurría with UN Secretary-General António Guterres at the 73rd Session of the UN General Assembly, in New York City.
  • The new OECD Observer Crossword, with Myles Mellor. Try it online!
  • Listen to the "Robots are coming for our jobs" episode of The Guardian's "Chips with Everything podcast", in which The Guardian’s economics editor, Larry Elliott, and Jeremy Wyatt, a professor of robotics and artificial intelligence at the University of Birmingham, and Jordan Erica Webber, freelance journalist, discuss the findings of the new OECD report "Automation, skills use and training". Listen here.
  • Do we really know the difference between right and wrong? Alison Taylor of BSR and Susan Hawley of Corruption Watch tell us why it matters to play by the rules. Watch the recording of our Facebook live interview here.
  • Has public decision-making been hijacked by a privileged few? Watch the recording of our Facebook live interview with Stav Shaffir, MK (Zionist Union) Chair of the Knesset Committee on Transparency here.
  • Can a nudge help us make more ethical decisions? Watch the recording of our Facebook live interview with Saugatto Datta, managing director at ideas42 here.
  • The fight against tax evasion is gaining further momentum as Barbados, Côte d’Ivoire, Jamaica, Malaysia, Panama and Tunisia signed the BEPS Multilateral Convention on 24 January, bringing the total number of signatories to 78. The Convention strengthens existing tax treaties and reduces opportunities for tax avoidance by multinational enterprises.
  • Globalisation’s many benefits have been unequally shared, and public policy has struggled to keep up with a rapidly-shifting world. The OECD is working alongside governments and international organisations to help improve and harness the gains while tackling the root causes of inequality, and ensuring a level playing field globally. Please watch.
  • Checking out the job situation with the OECD scoreboard of labour market performances: do you want to know how your country compares with neighbours and competitors on income levels or employment?
  • Trade is an important point of focus in today’s international economy. This video presents facts and statistics from OECD’s most recent publications on this topic.
  • The OECD Gender Initiative examines existing barriers to gender equality in education, employment, and entrepreneurship. The gender portal monitors the progress made by governments to promote gender equality in both OECD and non-OECD countries and provides good practices based on analytical tools and reliable data.
  • Interested in a career in Paris at the OECD? The OECD is a major international organisation, with a mission to build better policies for better lives. With our hub based in one of the world's global cities and offices across continents, find out more at .
  • Visit the OECD Gender Data Portal. Selected indicators shedding light on gender inequalities in education, employment and entrepreneurship.

Most Popular Articles

OECD Insights Blog

NOTE: All signed articles in the OECD Observer express the opinions of the authors
and do not necessarily represent the official views of OECD member countries.

All rights reserved. OECD 2019