Perception of information security among public bodies

A particular relief emerges from the recent report of the National Cybernetics Agency (ACN) to the Parliament: some public entities, including municipalities, schools, universities and other similar bodies, claim that they do not manage critical or strategic data. This highlights an awareness issue in relation to cyber security that deserves further investigation. To be able to address it, it is necessary to focus on a salient fact that emerges from the infographic on page 105 of the report, namely the significant discrepancy in the perception of the risk of compromising data and services.

Classification and response of public administrations

The report opens with a discussion of the categorization of data and services managed by public bodies, in an attempt to discern the potential impact of compromising the confidentiality, integrity and availability of such data. This classification is carried out on three levels: strategic, critical and ordinary. Subsequently, the public bodies were instructed to complete a questionnaire consisting of 23 questions, according to which ACN would be able to categorize the various data and services. Interestingly, 80% of public administrations answered the questionnaire, creating a statistically significant sample.

Surprising difference in the responses of public bodies

We now come to the essence of the problem, illustrated on page 105 of the report. The graph shows a significant discrepancy between the different categories of public bodies in terms of the percentage of services classified as ordinary, critical and strategic. While it is foreseeable that hospitals and local health authorities consider a significant portion of their data as critical (62%), other administrations, such as municipalities, schools and universities, state that services and critical data are equivalent to "zero". This figure is surprising, considering the evident criticality of some functions performed. For example, consider the large amounts of personal data handled by municipalities, much of which may be classified as "sensitive" and relevant to services of social importance such as social welfare and childcare enrollment.

The path towards cyber awareness in public administration

Several elements may help explain these surprisingly low responses. One element may be the current psychological state, influenced by the recent attacks on health systems. Additionally, biases may shape more passive responses, based on trust in the pre-defined classifications provided by ACN. The inability to accurately measure the consequences of a data breach can be another factor. This data indirectly illustrates the need for more cyber security training within government agencies. ACN has the task of further investigating and promoting greater awareness and expertise on the subject, starting for example with the most significant entities, such as municipalities with a large number of inhabitants. This step could represent an important turning point for the security of the public administration and for the protection of citizens' data.