European month of network and information security for all - a feasibility study
As part of its ongoing awareness raising mission, ENISA assesses the establishment and organisation of a European Month of Network and Information Security for All. This concept was inspired by similar projects that have been held successfully in other places around the world for some years now. ENISA suggests that this project will significantly raise the awareness of EU citizens on Network and Information Security (NIS) issues. The particularities of the European territory compared to other areas of the world indicate that a significant amount of effort will be required in order for this idea to deliver its full potential across Europe. To this effect, one of the most critical elements for the success of this activity is to develop an effective structure and coordination scheme among participating entities. This year, ENISA has been asked to assess the feasibility and explore various options on how such a campaign can become an effective instrument to raising awareness about NIS challenges and in particular : · generate awareness about NIS, · achieve long-lasting behavioural change, · modify perception of risks, · involve relevant stakeholders, · disseminate security-relevant information. To this end, a virtual working group was created to : · gather information with regard to Member States' experiences on organising national security events held for one or more days or an entire week ; · compile these results and produce a European overview (as-is) ; · assess feasibility by developing a coordination scheme and model ; · identify and eventually develop awareness material to be used during such a campaign. The following did not qualify to be included in this analysis : · any event organised under Safer Internet Day ; · programmes funded by the Structural Funds of the European Union and/or the European Commission ; · any event organised within an international project or international commemoration (e.g. International Youth Day) ; · any conference, summit or forum organised for professionals only. The report covers two main parts : · the overview of the security-related days/weeks currently organised at national level across Europe ; · the organisational insights and patterns for delivering a European Month of Network and Information Security for All on annual basis. The first part of the study looks at the current state of play in Europe. The main findings are : · half of the Member States hold either a security day(s) or week(s) ; · the majority focus was around security week(s) rather than day(s) ; · the proportion of campaigns encompassing general users versus those targeting business users is almost the same ; · a wide variety of key messages are promoted across the different European countries ; · most of the events are organised in October and November, although many are organised in February and April ; · all supporting material and communication is produced in the official language of the countries concerned ; · printed materials (41 %) and electronic messages (36 %) are featured in many cases ; · websites are the most prominent channels of communication used (12 out of 15 Member States) ; · all Member States used a variety of techniques that were fun, exciting and motivating ; · the public sector has been involved in the organisation of all the events that have been reviewed ; · messages should be tailored specifically to the audience and each intermediary ; · the wide variety of delivery channels used clearly demonstrates that there is no particular delivery method that has proven to be successful across all sectors and countries;· the use of websites as a communication vehicle is followed by the use of magazines, brochures, documents, annual reports and other printed material (seven Member States) and events and meetings (seven Member States). Video clips and TV/radio/webcasts are two other common delivery channels. The second part assesses the feasibility of delivering the European Month of Network and Information Security for All. The main findings are : · leveraging on European and worldwide experiences would be essential - in particular Insafe could provide useful information of the success and challenges their previous campaigns and competitions have encountered ; · the implementation in coordination with the United States, where the cybersecurity month is established, is a supplemental model to jump-start the activities in Europe ; · engaging with relevant parties such as Member States and intermediaries is one of the most critical elements of this project ; · the involvement of the private sector would be required in order to deliver the full potential of this idea ; · an aim should be to broaden the scope of national security events to make them a solely international event ; · using appropriate communication channels and vocabulary will be critical for addressing multicultural aspects ; · branding will be key for the success of the 'European security month' ; · a roadmap will be needed to provide a mechanism to help forecast developments and a framework to help plan and coordinate these developments. Member States might consider implementing one or more identified activities according to the level of engagement and information security awareness maturity of their country ; · alternative methods to jump-start the 'European security month' have been identified ; · one method appears to meet most of the requirements in relation to the organisation of a yearly security month across Europe. This method foresees three different phases: the production of a feasibility study ; various activities and options of involvement and engagement of actors at national, European and global level; the implementation of a 'European security month' in all EU countries. The main features are : - the number and type of actors involved simultaneously ; - the different type of proposed activities ; - the various options of involvement and engagement open to the actors ; - the timeframe foreseen for implementing coordinated annual awareness efforts. · a structure would be essential to coordinate such a campaign across all Member States; the general principle of subsidiarity would apply ; · a decision-maker and someone to undertake the planning is essential, as well as national groups which should work to implement the 'European security month' activities at national level. The analysis carried out in the study lead to the conclusion that organising a European Month of Network and Information Security for All is feasible especially because of the existing good practices and experiences of the Member States. This will be an annual activity, conducted in collaboration with the Member States and featuring a variety of national/European cybersecurity awareness raising initiatives and competitions.
