14. Digital security risk


This module summarises Chapter 14, which focuses on public policies to manage digital security. It first distinguishes digital security risk management from other aspects of cybersecurity related to technology, law enforcement, national security and defence. Next, it introduces the key elements of national strategies that can create framework conditions to increase trust for all stakeholders using ICTs, and for the digital environment for economic and social prosperity. The chapter surveys existing measurement and impact assessment tools and provides an overview of public policy efforts in the LAC region. Finally, it introduces selected good practices.


Main policy objectives

The main high-level policy objective for the adoption of a national strategy for managing digital security risk is to create framework conditions for all stakeholders to use ICTs and the digital environment for economic and social prosperity. This general policy involves certain key objectives:

  • Understanding digital security and stakeholders’ responsibility for managing it. All stakeholders should be aware that digital security risk can affect their economic and social welfare and that their management of digital security can affect others. Stakeholders should be equipped with the education and skills to understand risk and to manage it. In particular, they should understand that digital security risk management is an economic and social challenge, not simply a technical or national security issue.

  • Developing a national strategy for the management of digital security risks. National strategies for the management of digital security risk should aim to promote economic and social prosperity. They should be co-ordinated broadly within the government to ensure consistency with other strategies for economic and social prosperity, and coherence with policies intended to protect critical infrastructure and ensure the provision of essential services. The aim is to combat criminality, protect national security and preserve international stability. These strategies should be supported at the highest level of government, to ensure that the various interests at stake are appropriately balanced. They should be flexible and technologically neutral, while preserving and protecting human rights and fundamental values.

  • Engaging with other stakeholders. Policy makers should encourage the active participation of all stakeholders, from business, civil society, the Internet technical community and academia, in developing and implementing strategy and policy.

  • Cultivating international co-operation and mutual assistance. Policy makers should establish multilateral and bilateral relationships to share experiences and good practices and promote an approach to digital security risk management that does not increase risk to other countries.


Tools for measurement and analysis

There are a limited number of references on key performance indicators and measurements for policy makers in the area of digital security risk management. These include the ITU Global Cybersecurity Index (ITU, 2014), the Cybersecurity Capability Maturity Model of the Oxford-based Global Cybersecurity Capacity Centre (2014), the Business Software Alliance (BSA) Cybersecurity Dashboard (BSA, 2015), and, in the area of energy, the US Department of Energy’s Cybersecurity Capability Maturity Model (C2M2) Program (US Department of Energy, 2015). However, these generally approach cybersecurity as a technical issue rather than an economic and social challenge. Work is currently under way at the national level in some countries and in international forums to improve the evidence base for public policy in this area.


Overview of the situation in the LAC region

Many LAC countries have adopted national digital strategies or are in the process of implementing one. Unfortunately, the great majority of national digital strategies in place lack a clear long-term vision on digital security risk and face a number of challenges, such as:

  • creating and improving legal frameworks on digital security
  • creating operational security risk management capabilities
  • a clear distribution of responsibilities among government institutions
  • international and multi-stakeholder co-operation (OAS, 2014).

All indications are that the majority of LAC countries are not approaching digital security risk from the economic and social perspective. It should also be acknowledged that some LAC countries face various additional challenges that limit their ability to adopt this approach (OAS and Symantec, 2014).

The implementation of co-ordination mechanisms within governments to formulate and carry out national digital security strategies is a key challenge in LAC countries. Instead of distinguishing clearly the various facets of what is often known as “cybersecurity”, and addressing them through an overarching strategy that ensures government co-ordination and coherence, governments often view this issue from a single perspective, such as national security, international security or cybercrime. As a result, the economic aspects are set aside and the issue is addressed in isolation from nongovernmental stakeholders, in a public policy silo. Budgetary concerns have constrained the adoption of co-ordination mechanisms among government agencies of the region. Only a few countries have allocated annual budgets for national digital strategies by the respective ministries and competent authorities.

Stakeholder engagement in most national digital security strategies has improved, but it is not yet mature in most LAC countries. Many still lack flexible mechanisms and medium and long-term plans to support stakeholders in developing policies and legal frameworks on digital security (OAS and Symantec, 2014). By contrast, a significant number of countries, including Colombia, Mexico, Panama and Peru, have established national CSIRTs fully endorsed by their respective national governments, which have been very active in facilitating the exchange of information on security and computer incidents and threats and providing training on information security to their staff and the general public. The number of LAC countries that have adopted legislation to counter cybercrime pursuant to the Council of Europe’s Budapest Convention keeps growing. Many in the region are interested in formally requesting access to the convention and its Additional Protocol. This, however, will involve a complex and long-term political process.


Good practices

Chapter 14 of the Toolkit introduces a number of good practices to encourage digital security risk management policies and strategies, based on the 2015 OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity and its companion document (OECD, 2015a).

In particular, policy makers should recognise that digital security risk is an economic and social issue rather than solely a technical challenge. They should also note that it is impossible to create a fully safe and secure digital environment where risk is entirely avoided. As a consequence, they should encourage an approach where leaders and decision makers take responsibility to manage the risk. That means reducing it to an acceptable level, depending on the context and the economic and social objectives and benefits at stake. All measures in national cybersecurity strategies should reflect this approach, whether they relate to critical information infrastructure, international co-operation or CSIRTs.


