A recently released European Commission report, led by the Information Security Forum (ISF) with contributions from CC-Driver, a consortium of 13 partner organizations from nine European countries, sets out a cybersecurity framework of five interrelated elements deemed critical to tackling cybercrime and bolstering cybersecurity defences. Funded by a €5m European Commission Horizon 2020 research programme, the report complies with the European Commission’s ethical, legal and security requirements.
Steve Durbin, Chief Executive of the ISF, breaks down each element of the cybersecurity framework presented in the report.
1. Strategy
Strategy is defined here as the high-level plan: the objectives to be achieved and the direction the organization will take to achieve them. Objectives can include bolstering cybersecurity capabilities, improving cybersecurity awareness or tackling cybersecurity-related offences. For a strategy to be effective, it must provide comprehensive and balanced guidance for all stakeholders rather than focusing on a subset of individuals or groups. It must also clearly define key performance indicators (KPIs) alongside realistic timelines, giving all stakeholders a more transparent review process and greater assurance. Identification and prevention of cyber-threats often receive more attention than the later stages of the cybercrime lifecycle, conviction and punishment. CC-Driver recommends that lawmakers give every stage of the cybercrime lifecycle equal focus.
2. Legislation
Legislation is a fundamental element that governs the behaviour of people in the cyber-sphere. Since the cyber-sphere has no physical boundaries and is under the control of no single entity, government or individual, it is extremely difficult to regulate. Legislative authorities and governments must therefore come together and harmonize cybercrime definitions, penalties and fines. Cybercrime legislation should be reformed more frequently than other areas of law, because the cyber-sphere evolves quickly and regulations soon become obsolete if they are not updated. Lawmakers should maintain a globally accessible, web-based repository of cybercrime offences so that other countries can benefit from it: users can educate themselves about the different types of offence, and would-be perpetrators are made aware of the consequences of their actions. Legislation must also encourage victims to come forward and explore avenues of legal remedy; cybercrime offences have a low conviction rate, which can discourage victims from reporting. Legislation should also include guidance for non-culpable actors such as penetration testers, academics, researchers, journalists and even negligent members of the public, since there have been cases in which non-culpable individuals were prosecuted when, ideally, they should not have been.
3. Engagement
Engagement means initiatives or activities (such as training, programmes and campaigns) that increase the reach and awareness of cybersecurity and cybercrime-related issues. If potential victims are made aware of cyber-threats and how to mitigate cyber-risks, and potential criminals are made aware of the consequences of committing cybercrime offences, cybercrime can be reduced substantially. Such engagement and education must start from a young age: statistics show that cyber-criminals tend to be younger than traditional criminals in the physical world. Specific demographics should be engaged more than others; data shows that adults under 25 and over 75 are most vulnerable to cyber fraud. As people spend more time online, legislators must leverage well-known online platforms and gamification techniques as a means of disseminating engagement activities…