Perception of information security among public bodies
Discrepancy in risk perception: the path to greater awareness of cyber security in public sectors
The National Cybernetics Agency (ACN) report shows that some public bodies claim they don't manage critical or strategic data, highlighting an issue with cybersecurity awareness. The questionnaire responses showed a disparity in how different public administrations perceive criticality. This underscores the need for more cybersecurity training within these agencies to ensure better protection of citizens' data.
A notable finding emerges from the recent report of the National Cybernetics Agency (ACN) to the Parliament: some public entities, including municipalities, schools, universities and other similar bodies, claim that they do not manage critical or strategic data. This highlights an awareness issue in relation to cyber security that deserves further investigation. To be able to address it, it is necessary to focus on a salient fact that emerges from the infographic on page 105 of the report, namely the significant discrepancy in the perception of the risk of compromising data and services.
Classification and response of public administrations
The report opens with a discussion of the categorization of data and services managed by public bodies, in an attempt to discern the potential impact of compromising the confidentiality, integrity and availability of such data. This classification is carried out on three levels: strategic, critical and ordinary. Subsequently, the public bodies were instructed to complete a questionnaire consisting of 23 questions, on the basis of which ACN would be able to categorize the various data and services. Interestingly, 80% of public administrations answered the questionnaire, creating a statistically significant sample.
Surprising difference in the responses of public bodies
We now come to the essence of the problem, illustrated on page 105 of the report. The graph shows a significant discrepancy between the different categories of public bodies in terms of the percentage of services classified as ordinary, critical and strategic. While it is foreseeable that hospitals and local health authorities consider a significant portion of their data as critical (62%), other administrations, such as municipalities, schools and universities, state that their critical services and data amount to "zero". This figure is surprising, considering the evident criticality of some of the functions they perform. For example, consider the large amounts of personal data handled by municipalities, much of which may be classified as "sensitive" and relevant to services of social importance such as social welfare and childcare enrollment.
The path towards cyber awareness in public administration
Several elements may help explain these surprisingly low responses. One element may be the current psychological state, influenced by the recent attacks on health systems. Additionally, biases may shape more passive responses, based on trust in the pre-defined classifications provided by ACN. The inability to accurately measure the consequences of a data breach can be another factor. This data indirectly illustrates the need for more cyber security training within government agencies. ACN has the task of further investigating and promoting greater awareness and expertise on the subject, starting for example with the most significant entities, such as municipalities with a large number of inhabitants. This step could represent an important turning point for the security of the public administration and for the protection of citizens' data.
07/07/2023 08:51
Editorial AI