
Information Package Page 1 of 19

Information Package
Raising Network and Information Security
Awareness
Status: Final version

Table of Contents
Information Package
Table of Contents
Summary
Introduction
  Scope
  Objectives
  Target Audience
  Good Practices
  Profile of Groups
Target Group: Silver Surfers
  Category Description
  Why this Target Is a Priority
  Objectives
  Interests/Needs
  Channels
  Good Practices / Recommendations
  Bibliography
Target Group: SMEs
  Category Description
  Why this Target Is a Priority
  Objectives
  Interests/Needs
  Channels
  Benchmarking
  Country Case Studies
  Good Practices / Recommendations
  Bibliography
Target Group: Media
  Category Description
  Why this Target Is a Priority
  Objectives
  Interests/Needs
  Channels
  Benchmarking
  Country Case Studies
  Good Practices / Recommendations
  Bibliography
Target Group: Local Government
  Category Description
  Why this Target Is a Priority
  Objectives
  Interests/Needs
  Channels
  Barriers
  Advantages
  Benchmarking
  Good Practices / Recommendations
  Bibliography

Summary
The Information Package for Raising Network and Information Security Awareness
has been developed by the ENISA ad hoc working group for awareness raising
during the period June to December 2005. The group comprises nine members from
seven countries: Belgium, Denmark, Germany, Finland, Italy, Spain and Sweden.

The mission of the awareness raising working group is based on two underlying
aims:
• to enhance the development of the information society, and
• to promote trust in online services.
Its task has been to gather and disseminate examples of awareness raising through
the development of a customised information package for priority target groups,
namely Silver Surfers, Small- and Medium-sized Enterprises, Media and Local
Government. The information package is modular; other sections can be developed
at a later date.

The four priority target groups were chosen because of their importance in terms of
size, spending power and reach, but also because they constitute a weak link in the
security chain. Few awareness-raising campaigns have addressed these target
groups, and this accounts for the low number of Good Practice examples that have
been given.

The awareness raising working group broke into four sub-groups comprising three
members each to focus on the four priority target areas, each member therefore
working on two target areas. Work was conducted on- and off-line, each member
seeking relevant awareness raising information in his/her own country and field of
competency. Four face-to-face meetings enabled members to progressively review
each other’s work and ensure the consistency and coherency of the information
package.

Objectives, needs and interests have been defined for each target group. Where
applicable, barriers that must be overcome to raise the awareness of the target group
have been underlined, as well as the specific advantages that raised awareness
would bring. Targeted messages have been developed for all of the targets and the
most appropriate dissemination channels for reaching them have been discerned.
Each section concludes with supporting evidence in the form of best practice
examples and bibliography.

The information package is not intended as an awareness-raising tool in itself, but
rather as a framework upon which member states and European organisations in the
field can develop customised awareness raising campaigns. It can be localised by
adding national examples and bibliography, and constantly updated with new
examples of good practice. It constitutes an important building block in creating the
first of the nine pillars of Information Security put forward by OECD: “the development
of awareness, education, information-sharing and training that can lead to adoption
of better security understanding and practices” [1].

[1] OECD Guidelines for the Security of Information Systems and Networks – TOWARDS A
CULTURE OF SECURITY, 2002 at http://www.oecd.org/dataoecd/16/22/15582260.pdf

Introduction
As society becomes increasingly dependent on the availability and functioning of
information and communication technology (ICT), network and information security is
becoming a crucial issue. Over recent years, awareness-raising initiatives have been
implemented in most countries in Europe with the aim of informing the public of
potential risks and threats. However, all too often their impact is limited, in particular
because they are too small-scale or broad-based. Indeed, different sectors of the
population have different needs and interests in terms of network and information
security (NIS), and need to be approached with different messages through different
channels.

For this reason, the ad hoc awareness raising group appointed by ENISA in June
2005 has focused during its six-month term to December 2005 on building an
information package that can be used as a basis for national awareness raising
initiatives and facilitate the exchange and sharing of awareness raising information
between member states. The members of the working group have brought together a
wealth of experience from broadly diverse professional backgrounds in eight member
states of the European Union. They have gathered data on the needs and interests
of four highly specific ICT user groups, developed targeted messages for each and
discerned the most appropriate dissemination channels for reaching them, and
pinpointed best practice examples and information sources across Europe and
beyond.

Scope
The information package contains chapters on four target groups, namely Silver
Surfers, Small- and Medium-sized Enterprises, Media and Local Government. The
choice of these four target groups was based on a number of criteria. Firstly, each
group is particularly important in terms of overall size, spending power and reach to
other population sectors, and constitutes a weak link in the security chain. Secondly,
few awareness-raising campaigns have previously addressed these target groups, as
can be seen by the dearth of good practice examples available. Other important
target groups such as parents, teachers and young people are already the subject of
focus in ongoing campaigns, e.g. the Safer Internet Programme of the European
Commission, but should nevertheless be included in the information package later.

Objectives
The aim of the ad hoc awareness raising group has been to identify and evaluate
awareness raising methods and initiatives that already exist for the four target
groups, and to bring this information together in an online and offline package to
facilitate dissemination. This information package is not an awareness-raising tool,
but rather an underlying framework upon which member states can build their own
focused awareness campaigns. These should necessarily be culturally adapted to
meet national contexts. The package aims at highlighting case studies and national
examples of best practice as a starting point that national authorities and experts can
build on.

Target Audience
The information package is intended for national and local authorities, organisations
and experts in member states wishing to raise the level of NIS awareness of citizens
in specific sectors of the population. The information package should be extended to
meet the needs of other target groups.

Good Practices
The Good Practice examples provided offer only an indication of the type of initiatives
that exist and do not give a complete overview of the field. Moreover, benchmarking
in NIS awareness raising is rare and therefore the members of the ad hoc working
group have been unable to base their choice on established good practice criteria.
Few examples exist for some of the target groups, and for most groups good practice
is limited to websites.

Profile of Groups
The information package focuses on four target groups as follows:

Silver Surfers are citizens born in or before 1950. They often hold an influential
place as role models in society and are relatively affluent as a consumer group. They
nevertheless constitute an attractive target for fraudulent online practices due to their
lack of experience in the use of online technologies.

SMEs account for 99% of all enterprises and approximately 65 million jobs in the
European Union. Between 84% and 96% of SMEs use the Internet, but only 73% have
implemented even minimal security requirements. Information security is an
important business enabler for SMEs and, given their broad-ranging functions,
should incorporate widely diverse strategies.

Media comprises radio, television, print, specialised and online press. It is an
important awareness-raising target because of the huge influence it wields in society
as “4th state power”. Very few campaigns to date have targeted this group, which
only too frequently tends to adopt a counter-effective, sensationalist attitude to ICT
security.

Local government is broadly varied in structure and constitutes the frontline to
citizens for government content and services. Local government manages critical
infrastructure and therefore requires a high level of security awareness, yet often
lacks the necessary expertise.

Target Group: Silver Surfers

Category Description
The term “Silver Surfers” refers to citizens born in or before 1950. This target group,
which includes more females than males, grew up without access to modern
information and communication technology (ICT) and usually has only limited
first-hand experience of it. Silver surfers’ familiarity with ICT technical language is often
quite limited too.
Citizens in this sector of the population are not very technically oriented, but they are
service-oriented and are often quite avid users of:
– PC & Web based e-services
– Mobile phone based e-services
Nevertheless, they run the risk of being alienated from this new infrastructure of
civilization through mistrust, doubt and fear about using PCs, smart mobile phones,
or both.

Why this Target Is a Priority


Silver Surfers constitute an important target group because:
• the network is, for them, an important means of avoiding isolation
• they are increasingly using the network and, with a longer life-span, will be
exposed for many years to come
• they understand the concept of responsibility, and can be a positive role-
model for families
• they are a likely target for fraud due to their economic affluence combined
with an overly trusting approach

Objectives
Awareness raising initiatives addressing silver surfers should aim at:
• Using understandable non-tech language to communicate
– the risks and threats
– what to do and what not to do (behaviour)
– how to get protected
• Building confidence in their being able to participate in the new e-world and
take advantage of its services with no fear of threats
Silver Surfers represent an important consumer group for e-products and services.
They need to be made aware of the risks but above all to develop confidence
in their ability to safely:
• conduct banking transactions
• have access to e-government services
• purchase goods and services on the net
• make bookings and orders over the net
• use preferred payment mechanisms over the net
• communicate in their private life and access private data/services (e.g.
healthcare) over the net

Figure I: Objectives of awareness raising for Silver Surfers

Awareness package for Silver Surfers
• Why? Silver Surfers need the services of the net, but are prime targets and
may be too trusting
• What? They need to understand the economic risks involved and how to stay
safe
• How? Country telecom regulators should motivate ISPs and mobile operators to
provide safety info and i…

Interests/Needs
With the aging of the population in most European countries, the elderly account for a
progressively larger percentage of future citizens and are an important economic
target for all sectors. Moreover, they have the patience to learn and the time to teach
their relatives, and are quite often an important “class” in working environments.

Silver surfers need to be made aware that e-services can be cost effective and lead
to increased service satisfaction levels. On the other hand, they need to understand:
• the connection between malware, damage and criminal activity, i.e. how you
can be safe…
• the economic risk of identity theft
– How to identify
– How to protect
– How spam and phishing work
– Source critique and information quality/dependability
• the difference between private and public information when communicating
over the net
It is important to get the message over to silver surfers that “Your wisdom and
experience can make the net a better place”.

Channels
A broad range of channels could be used to reach silver surfers:
• Co-operation could be promoted between government regulators and ISP /
mobile operators to:
– provide information content, and
– ensure that operators communicate information and make protection
services available
• Associations for the elderly
• Health care stations for information distribution (“How healthy is your PC…”)
• Co-operation could be developed with social security institutions (e.g. “be
updated about your pension and do it safely”)
• Co-operation could be promoted with media through the provision of content
and stories that address network and information security (NIS) relevant to
the needs of silver surfers
• Senior web portals

Good Practices / Recommendations


Silver Surfers are a new target audience for NIS and therefore few examples of best
practice exist:
• Seniornet, active since 1986, is one of the most important on-line projects
dedicated to elders and technology, at www.seniornet.org
• Belgian senior net: www.seniorennet.be (also electronic IDs for seniors)
• Advice for the whole family at www.getsafeonline.org
• Senior net in Sweden
http://www.seniornet.se/browse.jsp?id=01_02&&cikkid=2697

Bibliography
• SeniorNet Research Reports
http://www.seniornet.org/php/default.php?PageID=5469
• PEW/Internet report - The future of the internet
http://www.pewinternet.org/pdfs/PIP_Future_of_Internet.pdf
• Senior citizens and the Internet Nielsen Netrating findings
http://www.netratings.com/pr/pr_031120.pdf
• Resources for senior internet users
http://www.fspl.lib.ar.us/irseniors.html
http://www.csuchico.edu/~csu/seniors/computing2.html
http://www.chipublib.org/008subject/013seniors/seniorinternetresources.html

Target Group: SMEs

Category Description
According to a definition provided by the European Commission, small- and
medium-sized enterprises can be defined as legal entities engaging in economic activities with
11 to 250 employees and an annual turnover between 2 and 50 million Euro. Micro
enterprises are defined as companies with fewer than 10 employees and an annual
turnover of less than 2 million Euro. Given these characteristics, this information
package deals separately with small- and medium-sized enterprises (SMEs) and
micro enterprises.

The most important difference is that SMEs typically have an in-house ICT employee.
In most cases this employee will not be a security expert. Micro enterprises typically
lack this type of resource. Moreover, micro enterprises appear to lack the necessary
confidence to fully engage in online activities.

Why this Target Is a Priority


SMEs are a cornerstone of the European Economy. There are currently 20 million
SMEs active in the EU. They employ 65 million people. As they represent 99% of all
enterprises in the EU, they are an important target group for an awareness
campaign. By raising the awareness of SMEs to Network and Information Security
(NIS) issues, Member States can decrease their vulnerability and minimise the risk
that they fall victim to serious security breaches that could affect economic activity
across the EU.

SMEs that have been educated about NIS issues also minimise their legal risks
towards their customers, improve their legal compliance (e.g. with BASEL II rules),
reduce incident costs and contribute generally towards a more stable economic
climate.

Additionally, SMEs can be used as multipliers to reach their employees.

Objectives
The aim is to raise awareness in SMEs in a three-step process (see Figure I):

Why: Raise awareness of:
• the costs that lack of security can incur for an SME, and
• the operational advantages that NIS can provide.

What: Motivate SMEs to:
• develop risk analysis processes to measure the size and scope of the risk
• adopt a security policy customised to meet the risks and the security needs of
the SME
• implement timely and appropriate measures to counteract risks

How: through a broader knowledge of examples and best practices in the field to
avoid and overcome risks at the technical, organisational and personal level.

Figure II: Objectives of awareness raising for SMEs

Awareness Package SME
Why?
• Business incentives
• Operational advantage
What?
• Risk analysis
• Security policy adoption
• Implementation of appropriate measures
How?
• Examples
• “Best Practices”
- Technical measures
- Organisational measures
- Personal measures

Interests/Needs
Three target groups exist within SMEs, each with its own specific needs and
interests. These can be defined according to the role each group plays in the
organisation.
• At the highest level, the decision-maker (be it the owner or director) of the
SME needs to be convinced that investment in security is a vital element in a
successful business plan.
• The ICT manager in small- and medium-sized businesses needs to be
educated in the security aspects of his/her role. NIS needs to be recognised as an
essential part of his/her task.
• The employee is often the weakest link and needs to receive basic NIS
training.

Channels
We have identified six communication channels.
• Local workshops organised by or in cooperation with Chambers of Commerce
or SME organisations. These organisations typically have newsletters that
can also be used to disseminate NIS messages.
• Initiatives by big players in the ICT industry. These companies have direct
access to millions of consumers and businesses. As they have a business
interest in a stable and secure online environment, they will open their
communication channels for information sharing (e.g. Sicher-im-Netz in
Germany or GetSafeOnline in the UK).

• ISPs and Telecommunication providers have direct access to all their users
through homepages and invoicing. Printing security checklists on the back of
invoices would be a low-cost, efficient way of reaching the target audience.
• Industry associations – per sector – can also be used as communication
channels. They have not only a strong common interest, but they can also
focus on specific weaknesses or vulnerabilities in their sector.
• General and business press can be used to raise awareness on general NIS
issues.
• EURO-CERT-type initiatives could be taken advantage of through links with
existing projects in EU Member States.

Benchmarking
Progress in awareness raising on NIS issues can be tracked by comparing basic
metrics over a period of time.
• Degree of success in message dissemination can be measured by keeping
track of page-views on information hubs and/or calculating the percentage of
SMEs reached through awareness programs.
• Success in creating awareness can be measured by comparing investment in
NIS by SMEs over time or, on a more detailed level, by tracking the
average investment in NIS per employee in a specific geographical area or
sector.

Country Case Studies


We have selected an example from the USA, another from the UK and one from Norway.
The US initiative promotes Security Awareness to the broader public.
• National Cyber Security Awareness Month (USA). The non-profit National
Cyber Security Alliance (NCSA), a public-private partnership that includes
computer companies and groups representing computer users, actually
sponsors national Cyber Security Awareness Month in the US. Its members
include the Department of Homeland Security, the Federal Trade
Commission, Cisco, RSA Security and America OnLine (AOL). Every year in
October right across the country, the NCSA holds weekly events and
workshops for consumers and SMEs on specific cyber-security topics.

The UK example (GetSafeOnline.org) is a public-private partnership that uses a
special website as its main communication channel.
• “GetSafeOnLine” (United Kingdom): an initiative of the UK Government (the
CSIA, a unit of the UK Cabinet, together with the Department of Trade and
Industry, the Home Office and the National Infrastructure Security
Co-Ordination Centre) and private corporate sponsors, that is aimed at raising the
awareness of domestic users and small businesses to the importance of
security and threats on the Internet.
• Its main features particularly relevant for SMEs include a Business
Security Checklist, detailed advice on protection of infrastructure, information
on specific threats that companies are exposed to and a 10 minute “starter”
guide.
In Norway an “organically-grown” network has brought together an impressive range
of partners for ongoing cooperation on NIS issues.

• The BlueLight Network (Norway): a small group of experts has come together
with the aim of improving education on information security in Norway. The
effort has resulted in a bachelor- and a master-degree level study course. The
cooperation has rapidly developed into a network that now comprises about
40 members from industry, consultancy, academia and public administration.
The Network’s field of interest includes the establishment of new businesses
and joint ventures, knowledge-building and -sharing, development of tools
and best practices, promotion of education and research, and assistance for
the evolution of information security in public administration.

Good Practices / Recommendations


As there are no benchmarking tools available, it is impossible to recommend any
particular initiative targeting SMEs. However, using three criteria to estimate
effectiveness of campaigns – a) accessibility through the internet, b) amount of
referrals from other sources or NIS initiatives, and c) information-quality assessment
from experts – it would appear that public-private partnerships offer the best
guarantee for high quality, effective awareness campaigns targeting SMEs.

Bibliography
• “The New SME Definition: User guide and model declaration”, European
Commission, Enterprise and Industry Publications, at
http://europa.eu.int/comm/enterprise/enterprise_policy/sme_definition/index_en.htm
• “IT Security in European Small and Midsize Enterprises”, Forrester Research
at http://www.ese-security.com/PDF/eSe_Security_-_Final_Report.pdf
• “The Go Digital Awareness Campaign 2001-2003: The main lessons to be
learnt”, European Commission, Directorate-General for Enterprise, Unit E-
business and ICT Industries and Services, at
http://europa.eu.int/comm/enterprise/ict/studies/aw_camp_fin_rep.pdf
• “An Investigation of Information Security in Small and Medium Enterprises
(SME’s) in the Eastern Cape”, The Open Group, European Software Institute
• “Common sense guide to cyber security for small business”, Internet Security
Alliance, at http://www.us-cert.gov/reading_room/CSG-small-business.pdf
• “Active loss prevention for ICT enabled enterprise”, Alpine Working Group,
European Software Institute, at
http://www.opengroup.org/external/alpine/uploads/40/3189/Intro_SH.pdf
• “Special Interest Group: Security Policy Management”, Alpine Working Group,
European Software Institute, at http://www.opengroup.org/alpine/spm/
• “Why security matters”, Microsoft Corp.
• “Get Safe Online”, at http://www.getsafeonline.org/
• “Deutschland sicher im Netz”, at www.sicher-im-netz.de
• “The BlueLight Network: Security Awareness and business development –
Knowledge sharing and competition in practice”, Jan A. Audestad and Svein
E. Pettersen, at
http://www.telenor.com/telektronikk/volumes/pdf/1.2005/Page_004-006.pdf
• “Network security and the SMB: A guide to risk assessment, auditing and
implementing best practices”, SANS Institute

Target Group: Media

Category Description
Media is a very heterogeneous target group.

We differentiate between mass media such as television, radio and newspapers
(websites included) and specialised media, e.g. computer magazines and
ICT-dedicated web sites. Different types of media need to be addressed differently.
In addition, professional guilds, e.g. journalist associations, journalist schools and
vocational training institutions, are included in the target as they could be encouraged
to complement their training program with information on ICT-security.

Several different types of journalists work in media organisations or as freelancers:


• “Mass media” journalists in politics, economy, society... addressing the
broader public through:
– Magazines and newspapers (writers)
– Online media (mostly writers)
– Radio (reporters)
– Television (reporters specialising in audio-visual media)

• Specialist journalists (computer scientists, scientific journalists, etc.)
addressing the informed citizen through:
– Magazines and newspapers (writers)
– Online media (mostly writers)
– Radio (reporters)
– Television (reporters specialising in audio-visual media)

Why this Target Is a Priority


Media is worthy of special attention in security awareness because:

• ICT-security is a topic that is seldom included in journalists’ education
(neither for their own professional practices, nor as a topic that they will be
required to report about)
• until now ICT-security has been a topic somewhat neglected by mass media
(except, for example, in the case of extreme virus attacks)
• journalists have to be persuaded that ICT-security is a useful and important
issue in our information society and an important topic that they should be
reporting on
• media plays an important role in awareness raising and in educating the
broader public
• journalists need support and incentives to report much more on the topic of
network and information security (NIS) in order to raise the awareness of the
broader public

• media is an important channel for gaining public attention and in lobbying for
amended legislation

Objectives
The main communication objective is to educate media about ICT-Security so that it
will fully assume its social responsibility and fulfil its “Public service” commitment as
“4th state power”. It is important that media is aware of the need for network and
information security (NIS) and the increasing dependency of society on ICT.

Interests/Needs
The Media is an important target group for awareness raising for three main reasons:
• Media is professionally dependent on secure Internet and mobile
communication and therefore requires a sound knowledge of tools and
measures if it is to fulfil its professional function
• ICT is playing an increasingly important role in the functioning of our society,
and therefore media has a huge social and educational responsibility to
inform the public of the socio-economic consequences of poor network and
information security (NIS)
• Media and citizens have to be made aware of the risks, for example, by
receiving information about threats and countermeasures (e.g. 10 tips on ICT
security)

Channels
Journalists are usually highly skilled at obtaining information from a very large
number of sources. Therefore a wide variety of channels are possible:

A. Channels for journalists who have no idea what ICT security is


• Training sessions and workshops
• Vocational and in-service training on ICT security and ICT vulnerability
issues through public-private partnership
• National meeting points (online) created for Media in member states

B. Channels for increasing ICT security awareness and ICT security knowledge
• Articles, information
• Press associations
• Press conferences and press releases
• Specialist magazines for journalists
• Press background talks/briefings in member states (organized by computer
associations or by national authorities such as BSI)
• Media sessions integrated into European Union conferences
• National meeting points (online) created for media in Member States
• Workshops/Conferences:
- Pan-European workshop for awareness-raising on ICT security (e.g. during
the 2006 EU presidency of Austria, a country highly involved in ICT) where
journalists from the web, newspapers, television etc. could meet and
discuss topics related to awareness raising on ICT security.
- Conducted by associations and industrial organisations

C. Channels for motivating journalists to report about ICT security


• Create a “Best Article Award” sponsored by the private sector on a different
topic each year. Journalists could send articles to an organisation in their
Member State which would set up a jury to discern the best article; articles
should support awareness raising and not create fear, uncertainty and
doubt (FUD)!

Benchmarking
Benchmarking for media is difficult. The following suggestions could provide some
indication of progress made in the field, though such indicators would not produce
loadable statistical data.

Education:
Number of training courses per year; number of media representatives attending
courses per Member State compared to total number of accredited journalists

Social responsibility:
Number of articles published on ICT-security (broken down per subject area) and
percentage of population reached

Member States:
Number of articles published within the European Union on NIS-related topics (per
country and media type)
Number of visitors to web sites in Member States focusing on media and NIS
Number of journalists attending pan-European awareness raising workshops on NIS

Country Case Studies


Despite investigation, no Case Studies are known to date.

Good Practices / Recommendations


Although no specific awareness raising actions have yet been implemented for
media, approaches are being developed:
• European Newspapers Publisher Association (www.enpa.be): this is a non-
profit organization currently representing 3,200 daily, weekly and Sunday
titles in 21 European countries. Affiliated press sell more than 91 million
copies each day that are read by over 240 million people. ENPA is service-
oriented and provides a comprehensive information network for its
members from which officials in the European Union and the Member
States can also benefit. ENPA aims at facilitating the exchange and transfer
of know-how and ideas to its members and to relevant organisations.
• The Federal Agency for Civic Education in Germany (www.bpb.de,
Bundeszentrale für politische Bildung): The work done by the Federal
Agency for Civic Education (Bundeszentrale für politische Bildung/bpb)
centres on promoting awareness for democracy and participation in politics.
It takes up topical and historical subjects by issuing publications, by
organising seminars, events, study trips, exhibitions and competitions, by
providing extension training for journalists and by offering films and on-line
products. The bpb develops, for example, special media packages such as
the “Journalist reader for RFID”.
• Ecole de Journalisme et de Communication de Marseille
http://www.ejcm.univ-mrs.fr/: MEDI@SIC, Laboratoire de Recherche Sur
Les Medias, L’Information et la Connaissance (GERSIC EA 3240). The
consortium, founded by the EU and comprising academics and experts
from industry (Cegetel, Gem Plus, Sun Microsystems), has put together a
cycle of 10 videoconferences on ICT for journalists and a masters-level
professional course on "New technology and Strategic Information".

Bibliography
• “The Go Digital Awareness Campaign 2001-2003: The main lessons to be
learnt”, European Commission, Directorate-General for Enterprise, Unit E-
business and ICT Industries and Services
• "Participatory Journalism and Asia: From Web Logs to Wikipedia," Paper
delivered at ICT & Media Inputs & Development Outcomes: Impacts of New &
Old Media on Development in Asia, 13th Asian Media Information and
Communication Centre Annual Conference, July 1-3, 2004, Bangkok,
Thailand
Information Package: Awareness Raising for Local Government Page 17 of 19

Target Group: Local Government

Category Description
Given the widely varying forms of local government existing in Member States, this
target group includes structures of very different types. According to EU
classifications, the 112,119 local government bodies in the European Union can be
divided into 5 categories ranging from regional authorities to communes – for further
information see
http://europa.eu.int/comm/eurostat/ramon/nuts/introannex_regions_en.html
A typical infrastructure within a local government would:
• comprise a mixture of discrete networks,
• include amongst its basic functions the implementation of perimeter security
and antivirus measures, though a typical local government infrastructure
would not have the required technical expertise to deal with these.

Why this Target Is a Priority


Local government is worthy of special attention in security awareness because:
• Local government bodies are critical infrastructures
• They manage critical infrastructures that depend on information systems
(transportation, water supply, local tax etc.)
• They constitute a front line to citizens
• They must guarantee transparency and accountability
• They don’t usually have the skills required to manage information security
• They can act as awareness agents for citizens and schools

Local governments need to strengthen their own awareness first, then transfer
relevant knowledge to their citizens.

Objectives
Local government needs an extra high level of security awareness.
National governments have to customise the security strategies they
implement/recommend at the local government level, in particular due to the large
difference that exists in degrees of autonomy. In particular, local governments
should:
• define and implement an ICT security concept adapted to their organizational
needs
• implement ICT baseline protection (BSI-Standard 100-1, BS7799, ISO
27001)
• protect critical infrastructures that play an important role in citizens’ lives
• sensitize employees in order to foster an “information-security culture”

A flexible approach should be used to cater to the broad differences in the target.
What is required is a long term initiative rather than an “advertising campaign”.

Figure III: Objectives of awareness raising for Local Government

Awareness Package LG

Why? Local government:
• manages critical infrastructures
• constitutes a front line to citizens
• lacks required skills
• manages important content

What
• Risk analysis
• Leverage on key role
• Implementation of IT baseline protection (e.g. ISO 27001)

How
• Long term initiative
• Promote “golden rules”
• Encourage ISAC for LG

Interests/Needs
Needs for awareness raising within any local government are many and varied, and
include:
• focus on the importance of the systems that local government manages
• focus on the responsibility of local government to protect the personal and
often sensitive information that it manages
A preliminary action should be to foster information sharing (e.g. implementing an
“ISAC” – Information Sharing and Analysis Center) in order to encourage the
exchange of expertise and build confidence in mutual support strategies.
Local government needs to remember that:
• even a small door can leave the path open to big risks
• nobody is too small to matter – in information security, everyone counts

Channels
In most countries local government bodies are organised into associations which
could be an excellent vehicle for security awareness campaigns. For the smallest
organisations, existing levels of coordination can serve as an operating arm to
support practical actions and as a channel for disseminating messages. Other
channels include:
• trade-shows and events for local government
• civil society (pressure-groups)

Barriers
It is not possible to use a “one size fits all” approach for local governments due to:
• Difference in size and resources
• Difference in culture and context
• Different levels of awareness in work-force in local government
• Difficulty in building and implementing the required level of skills for the task

Advantages
• Protection of peripheral systems is key to protecting national critical
infrastructures.
• The scope of local government networks and the increased speed of
technology make every input/output point a threat to the entire system.
• Local government can act as an awareness promotion agent to society

Benchmarking
Measurement should take into consideration the number of initiatives as well as the
number of citizens potentially reached by the initiatives. Indicators could include:
• Average resources spent on education
• % of local government personnel reached through educational actions
• Page-views on local government security pages
• Local government investment in ICT security

Good Practices / Recommendations


• “10 golden rules” (Denmark)
• “Elektroniska intryck och avtryck” – a Swedish document distributed to local
government agents in charge of IT-security
• “Surfa lugnt” – a Swedish DVD (English spoken) – that offers basic advice for
all Swedish citizens
More recently, increasing threats to information security have raised public attention to
the role of local government. Several best practice cases exist, e.g. City of Lugano
Police - http://www.lugano.ch/bambini/welcome.cfm
• See the different ISAC services supported by the US government at
http://www.isaccouncil.org/about/
Bibliography
• German IT Baseline Protection Manual at
www.bsi.bund.de/english/gshb/manual/index.htm
• German eGovernment manual at
www.bsi.bund.de/english/themes/egov/3_en.htm
• Best Practices https://www.it-isac.org/bestpractices.php
