ENISA examines economic dimensions of information security

The report, Economics of Security, identifies potential areas of improvement to boost information security and resilience in public systems, networks, products, and services. The study examines economic issues (e.g., total cost of ownership and return on investment) arising from the fulfillment of such requirements.

The report offers nine recommendations based on its analysis. First, ENISA supports harmonization of European Union (EU) information security legislation and effective enforcement across Europe.

Second, the report recommends that research institutions and universities expand the literature examining the economic relationships of actors involved in cybercrime and various methods to disrupt those relationships. Third, the agency supports incentives, such as rewards or penalties, for organizations to improve detection and cleanup of infected computers.

Fourth, ENISA calls on sector regulators and authorities to conduct evaluations of the effectiveness of current information security policies. Fifth, these authorities should develop a common data breach incident taxonomy and a common data pool of security incidents, along with their impact.

In addition, European institutions and software developers should develop a software liability program involving multidisciplinary stakeholder teams. Next, governmental agencies and private enterprises should cooperate on achieving wider adoption of return on security investment techniques.

Eighth, research institutions and universities should develop methods to classify the economic value of IT assets, identify the business impact of IT asset loss, and set the measurement parameters of business impact levels. Finally, national authorities should enhance the efficiency and effectiveness of information sharing and security notification schemes.
 
