Laurent Bernat
OECD Directorate for Science, Technology and Innovation
Lauren Crean
OECD Directorate for Science, Technology and Innovation
Protecting cybersecurity is of growing importance as digital technologies become increasingly complex and integral to critical sectors across the economy, raising the costs of their disruption, and as cyberattacks become more frequent. Ransomware and other cyberattacks present a growing threat, notably for public institutions, services and infrastructure. In 2021, for example, a cyberattack forced the shutdown of the largest pipeline in the United States for six days, leading to fuel shortages across the East Coast. While the number of cybersecurity incidents and their economic impact is notoriously difficult to determine, it appears to be growing. On average, a third of individuals (aged 16-74) across OECD countries reported in 2022 having experienced a security incident.1 According to some estimates, the number of cyberattacks has almost doubled since before the COVID-19 pandemic. Since 2020, the aggregated reported direct losses from cyber incidents have amounted to almost USD 28 billion (in real terms) globally, with billions of records stolen or compromised. Total direct and indirect costs of these incidents are most likely substantially higher, with estimates ranging significantly from 1 to 10% of global GDP.2
Governments play an important role in cybersecurity. Companies often lack incentives to invest sufficiently in cybersecurity, and complex supply chains make it difficult to determine who is responsible. The rapid pace of technology development means that cybersecurity is a constantly moving target requiring close and continued attention. Market forces alone are insufficient to address the risks and threats. Because these are inherently global challenges, countries need to take coherent, co‑ordinated policy action based on internationally recognised principles in order to address them effectively.
Over the last 30 years, the OECD has developed cybersecurity policies focused on economic and social prosperity. This approach is reflected in a set of Council Recommendations introduced in the OECD Policy Framework on Digital Security: Cybersecurity for Prosperity (OECD, 2022[1]). This chapter introduces this Framework and the related Recommendations. It also provides an overview of OECD work on the digital security of critical activities (OECD, 2019[2]; Bernat, 2021[3]) and the security of communication networks (OECD, 2023[4]).
The OECD defines digital security as the set of measures taken to manage digital security risks for economic and social prosperity (OECD, 2022[1]). As a global public policy priority, cybersecurity underpins several key areas, which often overlap and are interrelated (Figure 6.1):
Technical operations, i.e. ensuring that information systems work as intended. This aspect, which includes human errors, represents the origins of cybersecurity, initially perceived as a technical issue managed by technical experts, commonly referred to as computer security, information security (infosec), and data security.
Prosperity, i.e. ensuring that security supports broader economic and social objectives. This dimension shifts the focus from protecting the digital environment itself to safeguarding the economic and social activities that depend on it. The OECD refers to this as digital security or digital security risk management.
Criminal law enforcement, i.e. enforcing cybercrime laws to reduce threats. Cybercrime can include security aspects introduced below, but also crimes such as the exploitation of children online.
National and international security, i.e. establishing confidence‑building and other measures to prevent and de-escalate the extension of armed conflicts in cyberspace. This dimension is often called cyberdefense, cyberwarfare or cyberespionage.
Source: OECD.
Governments have adopted various institutional frameworks to develop and implement policies related to each of these dimensions, leveraging different domestic agencies, with variable degrees of centralisation and co-ordination with other government bodies. At the international level, each dimension is generally addressed by different international organisations, in line with their respective mandates. For example, the OECD addresses digital security policy in line with its mandate in economic and social affairs, including science, technology and innovation policy; standards development organisations such as the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Internet Engineering Task Force (IETF), European Telecommunications Standards Institute (ETSI), or International Telecommunications Union ITU-T Study Group 17 develop technical standards; the Council of Europe, the United Nations Office of Drugs and Crime (UNODC) and Interpol (at a more operational level), focus on cybercrime; and the United Nations Group of Governmental Experts (GGE) and Open Ended Working Group (OEWG) address international security issues. Building on OECD expertise, the rest of this chapter focuses more specifically on digital security policy. Box 6.1 introduces the key concepts related to digital security.
Digital security risk is the detrimental effect that digital security incidents can have on economic and social activities (OECD, 2020[5]; OECD, 2022[6]). In line with general risk management approaches, digital security risk is represented in terms of the likelihood and potential impact (i.e. severity) of incidents. The definition of risk in OECD digital security Recommendations is inspired by ISO/IEC risk management (ISO/IEC, 2022[7]) and information security standards.
Digital security incidents are events that disrupt the availability, integrity and/or confidentiality (AIC triad) of data, software, hardware and networks and, as a consequence, negatively affect economic and social activities that rely on these assets:
Availability: assets are not accessible and usable on demand by authorised users;
Integrity: assets have been altered in an unauthorised manner;
Confidentiality: unauthorised entities have access to the assets.
Incidents are caused by threats exploiting vulnerabilities. Threats can be intentional (i.e. attacks) or unintentional (e.g. human errors, fires, power cuts, etc.). They include malicious actors (“threat sources”) willing to exploit vulnerabilities to cause harm, and the tools and techniques (“threat vectors”) they use to carry out attacks (e.g. “malware”). Malicious actors range from relatively unskilled individuals to organised criminal groups and state-sponsored actors, with considerable resources, often called Advanced Persistent Threats (APTs). State-sponsored attacks are generally pursuing geopolitical goals, while cybercriminals tend to aim for financial gains. Some actors also pursue ideological objectives (e.g. “hacktivists”). In many cases, it can be extremely difficult to accurately attribute attacks to specific individuals, groups or their sponsors, solely on the basis of their mode of operation or forensic evidence, in part because well-resourced threat actors can mimic other threat actors’ modes of operation. Threats exploit vulnerabilities in people (e.g. lack of training and awareness), processes (e.g. no backup procedures or systematic vulnerability management) and technologies (e.g. vulnerabilities in software code).
Digital security risk focuses on economic and social risks resulting from digital security incidents. These may include financial losses, loss of opportunity, reputational damages, intellectual property theft, privacy and human safety damages. For example, when a ransomware hits a hospital and spreads across the network, some infected information systems may become unavailable and others have to be shut down to mitigate the incident (technical risk). As a result, patients being operated upon during the incident may be in danger because medical equipment may be disabled, scheduled surgeries may have to be postponed (economic and social risk), and personal data may be breached.1
Digital security risk management involves addressing digital security risk while maximising economic and social opportunities. Risk management is the assessment of the risk, followed by its treatment, i.e. a decision on what to do with the risk: reduce, avoid, transfer or take it (further introduced below). Risk is managed all the time. For example, in everyday life, to cross a street, people watch for cars or bicycles to assess the risk before deciding what to do. If it is a highway, they do not cross it, to avoid a risk which is too high. To reduce risk they use pedestrian crossings, and they have an insurance policy to transfer the risk, “just in case”. If they simply cross the street without other action, they accept the risk and will have to face the consequences. Risk assessment is absolutely central for security, including digital security. It marks the difference between accepting a risk after a careful and systematic evaluation and blindly accepting it without further consideration.
Digital security risk management roots security decisions in the economic and social reality of the activity at stake. It drives the selection of security measures which are appropriate to, and commensurate with, the risk and activity at stake. In so doing, it ensures that the security measures will support the economic and social activities at stake, and will not undermine them, for example, by inappropriately closing the environment or reducing functionality in a manner that would limit the possibility of taking advantage of ICTs to innovate and increase productivity. Digital security risk management prevents decisions from being made in isolation, from a separate technical or sole security point of view (security as an end in itself).
Digital security risk is a sub-category of digital risk, which itself is one among many other risks that a person or organisation may face when using digital technologies. All risks are interrelated and therefore risk management should not be approached in a silo. Other digital risks include crimes such as fraud (e.g. business email compromise) and the exploitation of children online. While there may be intersections between digital security risk and other digital risks, it is important to avoid confusion and not conflate these distinct categories, in particular when addressing digital security risk at the international level.
1 According to a 2021 survey by the research firm Ponemon, 21% of IT and IT security professionals in healthcare delivery organisations agreed that a ransomware attack increases mortality rates (https://ponemonsullivanreport.com/2023/01/survey-ransomware-attacks-impact-patient-outcomes-at-half-of-healthcare-facilities/).
The OECD Recommendation on Digital Security Risk Management (OECD, 2022[6]) provides high-level principles to help develop an effective economic and social approach to cybersecurity. These principles are central to fostering a culture of digital security among public policymakers, as well as leaders and decision‑makers in public and private organisations. They help the stakeholders to protect activities that rely on the digital environment from cyber threats, without inhibiting these activities, hindering innovation, impeding digital transformation and undermining human rights. Additionally, this protection must account for the dynamic nature of technologies, economic activities that rely on them and the threat landscape.
The general principles apply to all stakeholders, while the operational principles apply to leaders and decision‑makers in organisations (Table 6.1).
| Principle | Short extract from the Recommendation |
| --- | --- |
| General principles | |
| 1. Digital Security Culture: Awareness, skills and empowerment | All stakeholders should create a culture of digital security based on the understanding of digital security risk and how to manage it. |
| 2. Responsibility and liability | All stakeholders should take responsibility for the management of digital security risk based on their roles, the context and their ability to act. |
| 3. Human rights and fundamental values | All stakeholders should manage digital security risk in a transparent manner and consistently with human rights and fundamental values. |
| 4. Co-operation | All stakeholders should co-operate, including across borders. |
| Operational principles | |
| 5. Strategy and governance | Leaders and decision‑makers should ensure that digital security risk is integrated in their overall risk management strategy, and managed as a strategic risk requiring operational measures. |
| 6. Risk assessment and treatment | Leaders and decision‑makers should ensure that digital security risk is treated on the basis of continuous risk assessment. |
| 7. Security measures | Leaders and decision‑makers should ensure that security measures are appropriate to and commensurate with the risk. |
| 8. Innovation | Leaders and decision‑makers should ensure that innovation is considered. |
| 9. Resilience, preparedness & continuity | Leaders and decision‑makers should ensure that a preparedness and continuity plan based on digital security risk assessment is adopted, implemented and tested, to ensure resilience. |
Note: The italicised text is a short extract from the Recommendation on Digital Security Risk Management.
Source: OECD (2022[6]), OECD Recommendation on Digital Security Risk Management.
A culture of digital security is essential to manage digital security risk (Principle 1). It is the mindset with which stakeholders should approach digital security, whether to develop and implement public policy, or protect their organisation, personal assets and safety, without inhibiting benefits, opportunities and human rights. A culture of digital security encompasses the understanding that such risk exists, and the need to acquire appropriate skills – through education, training, experience and/or practice – to make responsible decisions (empowerment). While the possible consequences of a car crash are intuitive, the complexity of the digital environment blurs the link between an incident and its consequences. For example, many people are aware that a virus may infect their equipment, but do not understand the potential consequences such as identity theft, financial fraud or theft of trade secrets. Consequences beyond the immediate individual implications are even less visible.
Individuals all share responsibility for their digital security decisions, or the lack thereof (Principle 2). However, the nature and levels of responsibility vary according to stakeholders’ role. For example, the responsibility of the user of a digital device is different from the responsibility of that device’s vendor, manufacturer, third-party developers of software components embedded in the device, cloud providers hosting data processed by the device, etc. Responsibility with respect to others is at the core of the OECD risk-based due diligence recommendations contained in the OECD MNE Guidelines (OECD, 2011[8]) and OECD Due Diligence Guidance for Responsible Business Conduct (OECD, 2018[9]).
Human rights and fundamental values need to be protected in the digital environment (Principle 3). Depending on how they are used, security measures can support or undermine human rights and fundamental values. For example, some security measures can enhance privacy protection, provide anonymity to whistle-blowers and protect human rights activists from authoritarian surveillance. They can also enable the illegitimate surveillance of citizens or employees or prevent access to activists’ content.
While the global interconnectedness of the digital environment enables considerable economic and social benefits, it also increases complexity, facilitates propagation of threats and vulnerabilities, and increases shared risk. Co-operation is essential at the domestic and cross-border levels to address these drawbacks (Principle 4). Isolated stakeholders cannot successfully address digital security. For example, organisations’ leaders and decision-makers need to co-operate with technical experts to assess digital security risk, and technical experts need to co-operate with leaders to ensure that technical security measures do not undermine their organisation’s objectives and activities. Co-operation is also needed within and across organisations, for example to share information such as through Information Sharing and Analysis Centres (ISACs).
Operational principles focus on the implementation of digital security risk management in organisations. The first step to manage digital security risk in organisations is the adoption of a strategic approach and the establishment of appropriate governance (Principle 5). Integrating digital security risk management in the organisation’s overall risk management framework (often called “enterprise risk management”) is essential to ensure that digital security decisions are driven by business objectives rather than only technical considerations, and follow established risk management good practice (e.g. systematic approach, continuous improvement cycle, etc.). The corporate board of directors has a clear role in the management of digital security risk, in line with the G20/OECD Principles for Corporate Governance chapter on boards which underlines that a key function of the board is to set risk management policies and to ensure “the integrity of the corporation’s accounting and financial reporting systems, including […] that appropriate systems of control are in place, in particular, systems for risk management […]” (Principle VI.D.7) (OECD, 2015[10]).
Digital security governance should set clear roles, responsibilities and processes, and ensure that appropriate resources and competencies are available. Leaders and decision-makers responsible for achieving economic and social objectives should be responsible for the digital security risk to these activities (“risk ownership”). Risks and benefits are inherently related, because by definition risks affect the benefits of an activity. As managing risk is a means to increase an activity’s likelihood of success, leaders and decision‑makers in an organisation who are responsible for an activity’s benefits should also be responsible for addressing the digital security risk to that activity and not simply delegate it to technical experts, for two reasons. First, the economic and social consequences of incidents can be much more severe than their technical (i.e. ICT) impact for the organisation, its partners and third parties. Second, security measures can undermine the activity they aim to protect: they can create barriers and constraints for this activity, such as increased financial cost, system complexity and time to market, and reduced performance, usability, capacity to evolve, innovation and user convenience.
To increase the likelihood of success, a risk assessment and treatment cycle (Principle 6) addresses such uncertainties. As shown in Figure 6.2, it starts with the definition of the objectives and design of the activities that rely on the digital environment. The risk is then assessed to evaluate the probability and possible effects of uncertainties on the objectives of the activity. On the basis of this assessment process, a decision is made on what to do with the risk (risk treatment), i.e. whether and how the risk should be modified to increase the likelihood of the success of the activities to support and preserve the objectives.
Source: OECD.
The risk treatment process determines which part of the risk should be:
Taken (i.e. accepted), because the risk is within the bounds that are deemed acceptable by the entity carrying out the activity, also known as its “risk appetite” or “risk tolerance”. Taking the risk means accepting the potential detrimental economic and social consequences of incidents.
Avoided, knowing that it is not possible to eliminate the digital security risk entirely without at the same time giving up the benefits of using ICTs. In other words, the best way to avoid digital security risk is to not use digital technologies.
Reduced to the acceptable level according to the entity’s risk appetite, by establishing security measures that reduce the occurrence or impact of incidents. Because some detrimental events can always happen despite security measures in place, there will always be some residual risk that cannot be eliminated and must be accepted. Therefore, it is essential to create resilience and ensure business continuity, to be prepared for incidents and ready to reduce their consequences.
Transferred to a third-party, for example through insurance, if there is an insurance market.
Continuous, systematic and cyclical risk assessment is essential for leaders and decision‑makers to make informed risk treatment decisions that are tailored to constantly changing risk. Threats, vulnerabilities, incidents, technologies, their uses, and their benefits – to name a few variables in the risk equation of an activity – are extremely dynamic. The risk assessment needs to take into account risk related to suppliers, and partners with whom the organisation is digitally connected. The possible risk treatment decisions (take, reduce, transfer, avoid) require that leaders and decision-makers set their organisation’s digital security level of risk appetite (or tolerance) for each activity that relies on the digital environment.
To reduce the risk, security measures can then be selected and operated (Principle 7). Security measures, also called “mechanisms”, “controls”, or “safeguards”, can be of different natures: digital (e.g. security software), physical (e.g. locks, cameras, fences) or mixed (e.g. smart card); related to people (e.g. training), processes (e.g. organisational rule or practice) or technologies (e.g. cryptography), legal (e.g. contract), procedural (e.g. standards), managerial, etc. Security measures may also address vulnerabilities.
In addition to adopting security measures, stakeholders can reduce their exposure to digital security risk by innovating with respect to the activity, as well as the security measures (Principle 8). Innovation to reduce digital security risk can take many forms, which may or may not be related to digital aspects. For example, innovation may relate to the organisation’s economic or business model, to processes such as payment methods, or even to redesigning physical, legal, or other non-digital components of a product. As introducing innovation can create uncertainties in an activity, it should trigger a reassessment and treatment cycle, as shown in Figure 6.2. Thus, digital security can add value to an organisation, product or service, and become a driver for innovation, a stimulus for competitive advantage, provided that it is approached as an integral part of the economic and social decision-making processes related to an activity rather than as an isolated and only technical issue.
To further reduce risk, resilience, preparedness and continuity measures can be defined in order to be applied when an incident occurs (Principle 9). In addition to security measures and innovation, which aim to prevent the occurrence of harmful incidents, resilience, preparedness, and continuity measures aim to mitigate economic and social consequences when incidents do occur. Preparedness and continuity plans are essential to define in advance how to protect, detect, respond, and recover from incidents. Such plans should take into account the extremely rapid pace with which incidents can propagate and escalate in the digital environment.
While addressed under different labels, such as information security, data security, IT security, computer security or information assurance, cybersecurity has been a public policy issue for more than 35 years, and even more if one considers the security requirements embedded in privacy and data protection legislations adopted as far back as the 1970s in some countries. However, it is only with the wide adoption of Internet technologies and the broad availability of broadband connectivity that cybersecurity progressively became a standalone policy area with dedicated governance structures, strategies, plans as well as policy initiatives.
Digital security has progressively grown in this context. Today, the OECD maintains a total of seven Council Recommendations which reflect the consensus among OECD countries on how to approach cybersecurity from the economic and social perspective and a commitment to develop policies on that basis. They are introduced in the OECD Policy Framework on Digital Security: Cybersecurity for Prosperity (hereafter the Framework) (OECD, 2022[1]), represented in Figure 6.3. This set of Recommendations addresses the most important aspects of digital security policy, without addressing all facets of this complex and constantly evolving area.
Source: OECD.
The Foundational layer is the basis of digital security policy making upon which all the other layers rely, namely digital security risk management. It includes the fundamental principles to bear in mind to approach cybersecurity from the economic and social perspective, and to establish a culture of digital security to protect activities, people and the society without inhibiting benefits, opportunities, and human rights. All the other layers of this Framework are based upon these high-level principles. This layer consists of the Recommendation on Digital Security Risk Management (OECD, 2022[6]).
The Strategic layer focuses on how policymakers should use the foundation to develop national digital security strategies (“national strategies”) that provide a clear vision to ensure that all stakeholders, from government agencies to public and private sector organisations and individuals, join forces in a coherent and consistent manner. In addition to enabling a holistic and whole-of-government approach for digital security policy, national strategies facilitate the creation of interfaces and synergies with other policy areas, such as digital economy policy, privacy and data protection, sectoral policies (e.g. finance, energy, education, skills) and international co-operation. The strategic layer is reflected in the OECD Recommendation on National Digital Security Strategies (OECD, 2022[11]).
National strategies should articulate a clear vision of the country’s objectives with respect to digital security. They should aim to create a culture of digital security and protect individuals as well as public and private organisations from digital security threats while taking into account the need to safeguard national and international security and to preserve human rights and fundamental values. In addition to digital security, a national strategy may address several other dimensions of cybersecurity, such as those introduced in Figure 6.1., which are beyond the mandate of the OECD.
The national strategy needs to assign clear responsibilities to one or more existing or new government bodies for the development and implementation of digital security policies called for by the strategy. The OECD recommends that national strategies address at least nine areas, starting with awareness raising, the establishment of incident response capacity (generally through one or more Computer Security Incident Response Teams (CSIRT) or Computer Emergency Response Teams (CERT)), as well as the promotion of risk management standards. Other areas include the development and retention of a skilled workforce, the establishment of vulnerability co-ordination mechanisms to support co-ordinated vulnerability disclosure, the development of a cybersecurity industry, as well as initiatives to encourage research and innovation (OECD, 2020[12]), and the protection of individuals and SMEs (OECD, 2021[13]). Last, but not least, international co-operation should be an important component of national strategies, for sharing experience and good practices, providing and benefiting from mutual assistance, improving incident response at operational level and developing comparable risk metrics.
The Market regulation layer addresses areas where policy intervention is needed because market forces are insufficient to create an optimal level of digital security. While many markets may require policy intervention to enhance digital security across society, so far OECD Recommendations have primarily focused on the following two areas:
The digital security of critical activities such as financial, health or energy services, the disruption or destruction of which would affect the functioning of the economy and society, human lives, as well as national security. This policy area is further detailed in the next section and supported by the OECD Recommendation on the Digital Security of Critical Activities (OECD, 2019[2]).
The digital security of the products that contain (computer) code and associated services (e.g. cloud) on which stakeholders depend to carry out their economic and social activities. OECD work has shown that market forces alone are often insufficient to ensure that such products and services are adequately secure, and that market incentives on their own are unlikely to fix gaps in the digital security of these products and services. The OECD Recommendation on the Digital Security of Products and Services provides guidance in this area (OECD, 2022[14]).
Because market forces alone do not allow some stakeholders to optimally address digital security, public policies are needed to encourage them to strengthen it. In an ideal world, market forces would ensure that products that include code (software, IoT devices, etc.) and related services are sufficiently secure, and that their security measures are proportionate to the risk faced by their users, hence increasing the marginal cost of cyberattacks for malicious actors and discouraging their efforts. However, OECD analysis shows that a market failure often prevents stakeholders from optimally valuing the digital security of products and services, and that market incentives on their own are unlikely to fix gaps in digital security risk management (OECD, 2021[15]; OECD, 2021[16]; OECD, 2021[17]). To realign market incentives, digital security policy measures can aim to ensure that suppliers take responsibility for the digital security of their products and services throughout the lifecycle of those products and services. This could be broken down into action lines, whereby suppliers adopt security by design and security by default, treat and co-ordinate vulnerabilities, adopt responsible end-of-support policies, and co-operate across the supply chain’s code owners. Policies can also reduce information asymmetries to increase transparency and foster information sharing about the digital security of products and services, for example through third‑party evaluation such as audits, inspection tests and certification.
The Technical layer focuses on more technical aspects that require policy guidance. It includes the need to encourage stakeholders to co-ordinate the disclosure of security vulnerabilities in products, better manage vulnerabilities in information systems, and protect vulnerability researchers, an area covered by the OECD Recommendation on the Treatment of Digital Security Vulnerabilities (OECD, 2022[18]). It also includes cryptography policy, addressed in the OECD Recommendation concerning Guidelines for Cryptography Policy (“Cryptography Policy Guidelines”) (OECD, 1997[19]), and electronic authentication, addressed in the OECD Recommendation on Electronic Authentication (OECD, 2007[20]).
Vulnerabilities are a major source of digital security risk because code is never perfect and almost always has vulnerabilities, and the same is true for information systems. Vulnerabilities are a by-product of the increasing complexity of code and systems, combined with weak digital security practices among suppliers and users. While it is not possible to completely eradicate vulnerabilities from all code and systems, improving their treatment is a major opportunity to reduce digital security risk and increase trust in the digital transformation era. Addressing these vulnerabilities before attackers take advantage of them is an effective means to reduce the probability of incidents. To reduce security risk, stakeholders should treat vulnerabilities, each according to their role. Developers should look for and test for vulnerabilities in their code, develop mitigations to fix them (e.g. “patches”, “security updates”), and distribute them to other actors across the value chain towards end-users. Organisations should monitor their information systems to ensure that these mitigations are appropriately applied and avoid product misconfigurations. Vulnerability treatment refers to the overarching process encompassing the discovery of a vulnerability, how the vulnerability is handled by suppliers (“code owners”), managed by system owners, and publicly disclosed. Over the last few years, the technical community has made progress in developing good practice for treating vulnerabilities, including through co-ordinated vulnerability disclosure (CVD).
However, significant economic and social challenges prevent stakeholders from adopting good practice. For example, software developers and system owners are often insufficiently aware that it is their joint responsibility to address vulnerabilities. They may lack resources and skills, and misaligned market incentives may discourage them from acting. Software developers and system owners can ignore vulnerability researchers and may even threaten them with legal proceedings. Vulnerability researchers discover and report vulnerabilities to the software developers and system owners who can mitigate them, thereby reducing cost and users’ “window of exposure” to digital security risk. When ignored or threatened, vulnerability researchers may be tempted to disclose the vulnerability information publicly without co‑ordinating with other stakeholders, which may create risk for all users and the economy. There is also a risk that bad actors may turn to the black market to monetise vulnerability information, thereby feeding the criminal ecosystem.
The OECD Recommendation on the Treatment of Digital Security Vulnerabilities covers five areas for policy action: clarifying responsibilities for each category of stakeholders; encouraging responsible vulnerability researchers and creating safe harbours to protect them against threats of legal proceedings from vulnerability owners; fostering trust, by ensuring that stakeholders have access to at least one trusted co-ordinator to assist in resolving issues between them; mainstreaming good practice; and intensifying domestic and international co-operation, for example to reduce the grey market for vulnerabilities, share good practice across borders and ensure the cross-border interoperability of legal frameworks to protect vulnerability researchers (OECD, 2022[18]). An additional OECD document, the Good Practice Guidance on the Co-ordination of Digital Security Vulnerabilities, gives policymakers an overarching understanding of the co-ordination of digital security vulnerabilities in practice, while avoiding technical jargon and detailed considerations (OECD, 2022[21]).
The digital transformation of critical activities such as the delivery of water, energy, healthcare, communications, and banking services increasingly exposes them to cybersecurity threats, which can affect the health, safety, and security of citizens, the functioning of essential services, or economic and social prosperity more broadly. This section builds upon the OECD Recommendation on the Digital Security of Critical Activities (OECD, 2019[2]), as well as the Going Digital Toolkit note on the same subject (Bernat, 2021[3]). It introduces key concepts, such as critical activities, critical information infrastructure (CII), cybersecurity and digital security risk management, and helps policymakers identify what needs to be protected and what types of measures operators of critical activities should take. It further discusses the institutional framework to develop and supervise policies to enhance the digital security of critical activities, including trust-based partnerships.
A critical activity is an economic and social activity, the interruption or disruption of which would have serious consequences on the health, safety, and security of citizens; or the effective functioning of services essential to the economy and society, and of the government; or economic and social prosperity more broadly (OECD, 2019[2]). The latter type of critical activities includes those that are essential for prosperity without being necessarily critical to the functioning of the economy and society, nor affecting the health, safety and security of citizens; for example, car manufacturing or mining in a country where such activities represent a significant share of the GDP. Countries use different terminology to refer to critical activities, such as “critical functions” (CISA, 2024[22]) or “essential services” (European Union, 2022[23]). The notion of critical activity (sometimes called critical functions or essential services) is different from that of critical infrastructure because it focuses on the risk to the delivery of the service rather than to the assets on which the delivery of the service relies.
The notion of critical infrastructure emerged in the late 1990s, as some OECD countries started to adopt critical infrastructure protection policies. These policies typically considered critical infrastructure sectors such as energy, finance, communications or public health.
Progressively, the need to develop policies to protect information systems and networks that support such critical infrastructure sectors became increasingly clear. Around 2008, it seemed natural to call these ICT assets “critical information infrastructure” (CII), as if they formed an additional critical infrastructure sector. However, although quite popular among experts, the concept of CII has rarely been used to develop domestic policy frameworks. This may be due to the difficulty of delineating CII in practice. For example, the Internet can be considered as being part of the CII because most operators of other critical infrastructures rely on it, such as banks, hospitals and energy distributors. However, these operators also rely on their internal critical information systems and networks, which therefore are also part of the CII. Some parts of these information systems and networks may be internal to the operators of critical infrastructure, i.e. “on-premises”, but others may be “in the cloud”, i.e. on the Internet, and owned and managed by third parties, potentially in other jurisdictions. This combination of shared and isolated, as well as internal and external, technical components makes CII difficult to represent and more complex than the more traditional “critical infrastructure” sectors on which the CII concept was modelled.
In 2019, the OECD agreed to simplify the framework established in its 2008 Recommendation on the protection of critical information infrastructure (OECD, 2008[24]) by focusing on the need to enhance the digital security of critical activities, i.e. encourage operators of critical activities to better manage digital security risk.
From the perspective of the OECD, the overarching challenge for enhancing the digital security of critical activities is to develop policies that encourage, and in some countries require, operators of critical activities to strengthen digital security, without creating unnecessary burdens that would inhibit or reduce their ability to realise the full potential of digital transformation. Such policies need to be consistent with the OECD digital security risk management principles, including with regard to human rights and fundamental values.
Policies to enhance the digital security of critical activities aim primarily at encouraging public and private operators of these activities, such as banks, hospitals, water and energy distributors, communication network providers, airports, rail companies, etc., to better manage digital security risk. Targeting too many operators that are not truly vital to the delivery of the critical activities at stake would impose unnecessary burdens on large parts of the economy. Targeting too few would not sufficiently protect the economy. Therefore, governments need a process to identify which operators should be targeted by their policies.
To determine which operators the policy should target, governments can build upon an existing critical infrastructure protection or national risk management framework. In the absence of such a framework, they have to develop a methodology from scratch. The first step is the development of a national risk assessment covering all economic and social activities. On the basis of this assessment, and working with relevant public and private actors, the government identifies critical activities and the operators of these critical activities. Different countries have different methodologies to do so, taking into account different thresholds or criteria of criticality (e.g. the possible number of users or citizens impacted by an incident). For example, the European Union Network and Information Security 2 (NIS 2) Directive distinguishes important and essential entities, using criteria such as their sector, size and turnover (European Union, 2022[23]).
While operators are responsible for the digital security of their activities, governments – in their role to protect the public interest – are expected to intervene, including to determine the level of risk that the society can tolerate with respect to critical activities, and to ensure the continuity of these activities.
Governments’ intervention takes many forms and uses many tools, including the promotion of standards, legal obligations, regulation, co‑regulation, encouragement of self-regulation, crisis management assistance and technical support, among others. There has been a recent trend towards the adoption of mandatory regulation, largely driven by the implementation of the 2016 NIS Directive in the European Union, according to which EU members had to create compliance requirements for operators of essential services, and reinforced by the 2022 NIS 2 Directive, which extends the goals and scope of the previous Directive to strengthen protection (European Union, 2022[23]). In contrast, some countries such as Japan and the United States favour a voluntary approach, whereby they provide support and guidance to operators without establishing mandatory requirements.
Overall, governments share common objectives with respect to the types of measures that operators should take, such as adopting enhanced digital security risk management and sharing risk-related and/or best practice information, and/or reporting incidents.
As it is not possible to protect everything at the same level, the designated operators of critical activities need to identify the functions without which they could not effectively carry out their critical activities, as well as the critical parts of the digital ecosystem supporting these critical functions. Digital ecosystems include hardware, software, networks and data, operational technologies that detect or cause changes in physical processes (such as industrial control systems), as well as the internal and external entities, persons, and processes that design, maintain and operate them, and the relationships between them. Lastly, operators need to systematically and cyclically manage digital security risk related to these critical functions. They conduct a digital security risk assessment, and make a business decision to treat digital security risk.
A key challenge for government intervention is to formulate recommendations or requirements to implement state-of-the-art digital security risk management at the appropriate level of detail. Digital technologies are dynamic, and so are threats, vulnerabilities, as well as techniques and processes to protect digital ecosystems. If policy measures are too detailed, public policies aiming to incentivise operators to take more robust security measures may be quickly outdated and become an inhibiting factor for operators, without providing the expected level of security. If they are too generic, operators may face regulatory uncertainty if they experience difficulties in interpreting policies for implementation and compliance purposes.
In the United States, for example, the government promotes the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) in co-operation with industry (NIST, 2024[25]). The Cybersecurity Framework is voluntary guidance based on existing standards, guidelines, and practices. This Framework is widely recognised as a useful tool, including beyond the United States and beyond operators of critical activities. In Japan, the National Center of Incident readiness and Strategy for Cybersecurity (NISC) provides guidance through the Cybersecurity Policy for Critical Infrastructure Protection, which includes the Guideline for Establishing Safety Principles for Ensuring Information Security of Critical Infrastructure. In March 2021, the Korea Internet & Security Agency (KISA) issued “Technical Vulnerability Analysis and Assessment Guidelines for Critical Information Infrastructure” in order to strengthen the cybersecurity capacity of critical infrastructure operators.
The OECD Recommendation on digital security of critical activities represents the consensus among OECD members regarding the high-level set of risk management measures that operators should be recommended to adopt (OECD, 2019[2]).
Policies to enhance the digital security of critical activities are at the crossroads of several areas (Figure 6.4). They aim to support digital transformation by ensuring trust in activities that are essential to the functioning and prosperity of our economies and societies. Therefore, they are part of a national digital transformation policy agenda, as well as of a national digital security agenda. As explained above, policies to enhance the digital security of critical activities can build upon the national risk assessment resulting from the country’s critical infrastructure protection framework, which is often part of a national security and public safety agenda. In addition, they also span different sectors such as finance, energy, communications, transport and health care, each with specific technical, market, economic, regulatory, cultural and other characteristics. Therefore, these policies can also be viewed as part of several sectoral agendas (e.g. smart cities, smart grid, smart health, etc.) and have to take into account sectoral regulations and market conditions. The United States 2024 Executive Order 14117 on "Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern" and the related data security rule, which restrict the transfer of bulk sensitive personal data to countries of concern, protect US national security while addressing the intersecting demands of privacy and cybersecurity and avoiding broad data localisation mandates (US Department of Justice, 2025[26]).
Figure 6.4. Source: OECD.
It is generally a significant challenge for governments to take into account these different perspectives in a balanced manner. Three elements are required: 1) adopting, at the highest level of government and as part of a national digital security strategy, clear objectives to strengthen the digital security and resilience of critical activities; 2) adopting a domestic governance mechanism that allocates responsibility to one or more government bodies to enhance the digital security of critical activities within and across sectors; and 3) ensuring whole-of-government domestic co-ordination to establish intra-governmental co‑operation, ensure consistency of the measures adopted across sectors, allocate resources across responsible government bodies, create a critical mass of expertise and skills, and facilitate cross‑border co‑operation.
There is no one-size-fits-all approach to a whole-of-government co-ordination in OECD countries. Governance frameworks vary significantly, according in part to a country’s constitution, style of government, and administrative structure. In all cases, governance frameworks need to ensure consistency with human rights and fundamental values.
The governance relates generally to three key functions: 1) the definition of the overarching policy framework or strategy, 2) the implementation of the framework in each sector and 3) the operational capacity. The three functions can be centralised in a single body as in France (the National Agency for the Security of Information Systems, ANSSI), or distributed in different ways.
For example, strategy development can be led by a department or ministry (e.g. Germany, the United Kingdom, Japan), and the operational capacity can be located in a separate agency (e.g. the NCSC in the United Kingdom, the Federal Office for Information Security (BSI) in Germany, the NISC in Japan). The implementation of the framework and supervision can be centralised or decentralised through sectoral regulators. In Denmark, the overarching policy framework was developed by the Ministry of Finance as part of the national digital security strategy, but each ministry responsible for a critical sector (energy, healthcare, transport, etc.) is required to develop a specific sub-strategy in its area of competence (Danish Ministry of Finance, 2018[27]). In Türkiye, cybersecurity strategies are developed by the Cyber Security Board, under the Ministry of Transport and Infrastructure. The relevant authorities regulating critical infrastructure sectors, if any, or the relevant ministries, are responsible for implementing the macro-level measures in the Board’s cybersecurity action plans. In many countries, the body in charge of operational digital security assistance can liaise with law enforcement and intelligence bodies.
Each approach has pros and cons. For example, a centralised approach facilitates regulatory consistency but makes detailed sector-specific regulation more difficult, requiring the central body to consult relevant sectoral regulators and create links with private operators of critical activities. A decentralised approach facilitates the development and implementation of sector-specific regulation while requiring more efforts to ensure consistency across sectors and provide the government with a holistic understanding of the situation. A key advantage of the decentralised approach is that sectoral regulators already have relationships with operators in their sectors and understand their constraints. However, operators may be reluctant to disclose digital security‑related information to sectoral regulators which might be used for other regulatory purposes (European Commission, 2019[28]).
An important aspect is the need to ensure that the responsible body (or bodies) has (or have) sufficient capacity to accomplish its (their) tasks, including funding and resources as well as digital security expertise, which is scarce in most countries and difficult to retain in the public sector. It may seem easier to aggregate a critical mass of digital security expertise through a central body, as the bulk of technical digital security challenges is common to all sectors.
Governments can address this issue by separating the policy from the operational expertise. For example, in the United Kingdom, the NCSC supports sectoral regulators by offering technical advice and Computer Security Incident Response Team (CSIRT) services. A central body can also issue guidance and guidelines to help sectoral agencies carry out their mission, as in Japan and the United Kingdom (DCMS, 2018[29]; Government of Japan, 2024[30]). In reality, most countries follow a relatively hybrid model. Countries with a centralised approach compensate centralisation through intra-governmental consultations and co-operation, and countries with a decentralised model generally maintain a central operational body to support sectoral regulators and ensure holistic situational awareness.
As part of this overarching framework, governments should build capacity to support digital security risk management and the resilience of critical activities. This includes developing a new, or strengthening an existing, incident response capability through computer security incident response teams (CERTs/CSIRTs) or Security Operation Centres (SOCs), or several of them operating for example by sector. While governments need to have at least one CERT/CSIRT to address incidents in their own systems, other CERTs/CSIRTs are not necessarily public sector bodies. Governments also often take a leadership role to organise sector and cross-sector cybersecurity exercises or drills with operators to test and improve existing measures, including information flows between stakeholders during crises. Such exercises can involve partners across borders at regional (e.g. Cyber Europe organised by ENISA) and international levels (e.g. the US-led Cyber Storm organised by CISA) (ENISA, 2024[31]; CISA, 2024[32]).
In 2023, the OECD analysed the security of communication infrastructure (OECD, 2023[4]) in light of recent developments such as the generalisation of digital transformation and how it affects communication operators. Given the crucial role of communication networks in digital transformation, their digital security and resilience have become a priority for policy makers across the OECD to ensure the functioning of our digitally dependent economies and societies and to strengthen trust in the ongoing digital transformation. However, cyberattacks on these networks are on the rise and increasingly sophisticated. At the same time, communication networks are undergoing significant changes and are being upgraded to new technological standards (e.g. 5G), which, in turn, affect their security.
The report identifies four trends that are changing communication networks and the digital security implications these raise (OECD, 2023[4]):
The increasing criticality of and reliance on communication networks by the economy and society, which is changing the context of digital security of communication networks.
An increased virtualisation of networks and a greater use of cloud services.
A shift towards more openness in networks, including for the Radio Access Network (RAN).
The role of artificial intelligence in communication networks.
Each of these trends is shaping communication networks and, therefore, prompts questions on their implications on digital security.
On the one hand, these trends benefit digital security risk management of communication infrastructure. They can help improve network visibility and management, enable network segmentation and isolation, allocate security resources more effectively, and automate the early detection of malware and malicious activity (OECD, 2023[4]). Increased transparency and reduced dependencies on certain suppliers are additional possible benefits to digital security, driven by the shift towards more openness.
On the other hand, these trends also challenge digital security risk management in communication infrastructure. Overall, the report finds that they result in:
An expanding attack surface (i.e. the set of points of an information system which are potentially vulnerable to an attack). Since the architecture of communication networks is increasingly complex, and because networks are increasingly software-defined, cloud-based and virtualised, they contain more software vulnerabilities that can be exploited (OECD, 2023[4]).
A broader and more complex supply chain. Some of the technological advancements outlined in the trends tend to increase the dependency of network operators on some of their suppliers and to redistribute control and responsibility for the management of digital security risk along the entire value chain. These suppliers include providers of communication equipment, as well as providers of cloud and managed services, which are likely to play an increasingly important role in the digital security of communication networks. The communication infrastructure supply chain is often complex, which makes the allocation of responsibility in case of a digital security incident even more difficult.
A deteriorating threat landscape, driven in part by the commoditisation of attacks (e.g. “ransomware-as-a-service”) and the increasing sophistication of state-sponsored and other threat actors. Against this backdrop, malicious actors’ motivation to breach the availability, integrity or confidentiality of communication networks is significantly increasing as these networks become increasingly critical (OECD, 2023[4]).
The paradox facing governments is that while communication networks are increasingly considered critical infrastructure, their digital security ultimately depends upon decisions made by third parties, namely network operators and their suppliers. Nevertheless, governments do have a clear role to play to incentivise the adoption of digital security best practices and to support an enabling environment that empowers stakeholders to reach an optimal level of digital security (OECD, 2023[4]). This can be fostered through the following policy objectives that can help structure public policy interventions to improve the digital security of communication infrastructure (OECD, 2023[4]):
First, adopting a holistic and strategic approach towards enhancing the digital security of communication infrastructure, which i) considers the entire lifecycle of products and services on which operators rely, ii) gathers all relevant stakeholders and iii) is co-ordinated across the whole government and at the international level. Importantly, co-ordination across governmental agencies and a clear definition of responsibility and/or mandates between them are essential.
Second, incentivising network operators to enhance digital security and adopt comprehensive risk management frameworks (i.e., risk assessment and risk treatment) and encouraging them to explore more advanced security approaches, such as the “zero trust” model.
Third, addressing supply chain digital security risk by incentivising suppliers to improve supply chain transparency (e.g. through enhanced traceability of components and digital security certification) and supporting supply chain diversification.
To complement these policy objectives, governments can apply several policy actions to address the cross-cutting challenges and uphold policy objectives, ranging from light-touch to more interventionist approaches: voluntary frameworks and guidance, multistakeholder initiatives and funding research, third‑party evaluation and certification, public procurement, and legal requirements (OECD, 2023[4]). These actions can be shaped as needed to carefully address the cross-cutting challenges in terms of scope, scale and speed of cyberattacks. OECD countries have introduced policy initiatives spanning these policy actions, from voluntary frameworks to legal requirements on digital security. However, digital security is an ever-moving target that requires constant re-evaluation, both regarding the best practices available for private stakeholders to implement as well as the structure and objective of public policies to create the enabling environment to incentivise the adoption of best practices by private stakeholders (OECD, 2023[4]).
This chapter discussed how the OECD approaches digital security from the economic and social perspectives. It explained the main differences between digital security and the other dimensions of cybersecurity and presented digital security risk management. After a brief overview of areas of policy action related to digital security, the chapter detailed the OECD approach to strengthening the digital security of critical activities, an area at the intersection of economic and national security policy making, including with a focus on the security of the communication infrastructure.
As this chapter illustrates, the OECD has a range of tools to assist governments in advancing digital security. The Policy Framework on Digital Security: Cybersecurity for Prosperity presents the OECD approach to digital security as reflected in the seven Recommendations adopted by the OECD Council to guide governments in their efforts to strengthen digital resilience and build robust trust foundations for our digital future. The Framework covers the Recommendations on:
Digital Security Risk Management (OECD, 2022[6])
National Digital Security Strategies (OECD, 2022[11])
The Digital Security of Critical Activities (OECD, 2019[2])
The Digital Security of Products and Services (OECD, 2022[14])
The Treatment of Digital Security Vulnerabilities (OECD, 2022[18])
Cryptography Policy (OECD, 1997[19])
Electronic Authentication (OECD, 2007[20]).
In addition to Recommendations and guidance documents, the OECD has been analysing other aspects of digital security, such as the security of the domain name system (DNS) (OECD, 2022[33]) and routing security (OECD, 2022[34]). The OECD Global Forum on Digital Security for Prosperity (GFDSP) also provides an international multilateral setting for all stakeholder communities of experts to dialogue, share experiences and influence public policy making on digital security. The GFDSP holds thematic events every year. Outputs from these discussions influence international public policy discussions and can lead to the development of analytical work, principles and international policy recommendations, both at the OECD and in other international fora. The GFDSP discussed issues such as open source and zero trust in 2024, the Internet of Things in 2023, and digital security innovation in 2019 (OECD, 2024[35]).
As the implications of digital security on the economy and society become more pronounced, and as the pace of technology development accelerates, the OECD will maintain a key focus on this critical area of economic security and continue supporting governments and stakeholders, notably through:
Identifying and analysing the policy implications for digital security of frontier issues such as quantum computing and generative AI. Quantum information technologies, in particular, are expected to have a disruptive impact on digital security in that they would make some of today’s widely used encryption methods less secure, but at the same time could boost the development of new, more resistant defences (OECD, 2024[36]).
Supporting the implementation of the OECD Policy Framework on Digital Security: Cybersecurity for Prosperity (OECD, 2022[1]), including through consideration and analysis of the role of labels and certification schemes as complementary policy measures; of vulnerabilities related to the systemic risks to global supply chains represented by Managed Service Providers (MSPs) (OECD, 2024[36]); and of measures to bridge the skills gap for digital security.
Building on the OECD's work on measuring cybersecurity posture and performance across countries (OECD, 2024[37]), work to measure cybersecurity uncertainty can complement existing statistics and help anticipate emerging cybersecurity trends, develop more targeted cybersecurity awareness programmes, and promote a more secure and resilient digital ecosystem. Efforts to measure cybersecurity innovation can also support a more robust evidence base for designing and implementing digital security policies.
This work will aim to keep policymakers ahead of new developments in the evolving area of digital security and build stronger defences for the digital future.
[3] Bernat, L. (2021), “Enhancing the digital security of critical activities”, Going Digital Toolkit Note, No. 17, https://goingdigital.oecd.org/data/notes/No17_ToolkitNote_DigitalSecurity.pdf.
[32] CISA (2024), Cyber Storm: Securing Cyber Space, https://www.cisa.gov/cyber-storm-securing-cyber-space.
[22] CISA (2024), National Critical Functions, https://www.cisa.gov/topics/risk-management/national-critical-functions.
[27] Danish Ministry of Finance (2018), Danish Cyber and Information Security Strategy, https://en.digst.dk/media/17189/danish_cyber_and_information_security_strategy_pdf.pdf.
[29] DCMS (2018), NIS Regulations: Guidance for Competent Authorities, https://www.gov.uk/government/publications/nis-regulations-guidance-for-competent-authorities.
[31] ENISA (2024), Cyber Europe, https://www.enisa.europa.eu/topics/training-and-exercises/cyber-exercises/cyber-europe-programme.
[28] European Commission (2019), Report from the Commission assessing the consistency of the approaches taken by Member States in the identification of operators of essential services, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52019DC0546&from=EN.
[23] European Union (2022), Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, http://data.europa.eu/eli/dir/2022/2555/oj.
[30] Government of Japan (2024), The Cybersecurity Policy for Critical Infrastructure Protection (4th Edition), https://www.nisc.go.jp/eng/pdf/cip_policy_2024_eng.pdf.
[7] ISO/IEC (2022), ISO 31073:2022(en) - Risk management — Vocabulary, https://www.iso.org/obp/ui/#iso:std:iso:31073:ed-1:v1:en.
[25] NIST (2024), NIST Cybersecurity Framework 2.0, https://www.nist.gov/cyberframework.
[36] OECD (2024), Digital Economy Outlook: Volume 2, https://doi.org/10.1787/3adf705b-en.
[35] OECD (2024), Global Forum on Digital Security for Prosperity, https://www.oecd.org/en/networks/global-forum-on-digital-security-for-prosperity.html.
[37] OECD (2024), “New perspectives on measuring cybersecurity”, OECD Digital Economy Papers, No. 366, OECD Publishing, Paris, https://doi.org/10.1787/b1e31997-en.
[4] OECD (2023), “Enhancing the security of communication infrastructure”, OECD Digital Economy Papers, No. 358, OECD Publishing, Paris, https://doi.org/10.1787/bb608fe5-en.
[21] OECD (2022), Good Practice Guidance on the Co-ordination of vulnerabilities, OECD, Paris, https://one.oecd.org/document/DSTI/CDEP/SDE(2021)9/FINAL.
[1] OECD (2022), OECD Policy Framework on Digital Security: Cybersecurity for Prosperity, OECD Publishing, Paris, https://doi.org/10.1787/a69df866-en.
[6] OECD (2022), Recommendation of the Council on Digital Security Risk Management, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0479.
[11] OECD (2022), Recommendation of the Council on National Digital Security Strategies, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0480.
[14] OECD (2022), Recommendation of the Council on the Digital Security of Products and Services, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0481.
[18] OECD (2022), Recommendation of the Council on the Treatment of Digital Security Vulnerabilities, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0482.
[34] OECD (2022), “Routing security: BGP incidents, mitigation techniques and policy actions”, OECD Digital Economy Papers, No. 330, OECD Publishing, Paris, https://doi.org/10.1787/40be69c8-en.
[33] OECD (2022), “Security of the Domain Name System (DNS): An introduction for policy makers”, OECD Digital Economy Papers, No. 331, OECD Publishing, Paris, https://doi.org/10.1787/285d7875-en.
[13] OECD (2021), “Digital security in SMEs”, in The Digital Transformation of SMEs, OECD Publishing, Paris, https://doi.org/10.1787/cb2796c7-en.
[16] OECD (2021), “Enhancing the digital security of products: A policy discussion”, OECD Digital Economy Papers, No. 306, OECD Publishing, Paris, https://doi.org/10.1787/cd9f9ebc-en.
[17] OECD (2021), Smart policies for smart products: A policy maker’s guide to enhancing the digital security of products, https://www.oecd.org/digital/smart-policies-for-smart-products.pdf.
[15] OECD (2021), “Understanding the digital security of products: An in-depth analysis”, OECD Digital Economy Papers, No. 305, OECD Publishing, Paris, https://doi.org/10.1787/abea0b69-en.
[12] OECD (2020), “Encouraging digital security innovation: Global Forum on Digital Security for Prosperity”, OECD Digital Economy Papers, No. 298, OECD Publishing, Paris, https://doi.org/10.1787/e65d02af-en.
[5] OECD (2020), “Going Digital integrated policy framework”, OECD Digital Economy Papers, No. 292, OECD Publishing, Paris, https://doi.org/10.1787/dc930adc-en.
[2] OECD (2019), OECD Recommendation on Digital Security of Critical Activities, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0456.
[9] OECD (2018), OECD Due Diligence Guidance for Responsible Business Conduct, https://mneguidelines.oecd.org/OECD-Due-Diligence-Guidance-for-Responsible-Business-Conduct.pdf.
[10] OECD (2015), G20/OECD Principles of Corporate Governance, OECD Publishing, Paris, https://doi.org/10.1787/9789264236882-en.
[8] OECD (2011), OECD Guidelines for Multinational Enterprises, 2011 Edition, OECD Publishing, Paris, https://doi.org/10.1787/9789264115415-en.
[24] OECD (2008), Recommendation of the Council on the Protection of Critical Information Infrastructures, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0361.
[20] OECD (2007), Recommendation of the Council on Electronic Authentication, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0353.
[19] OECD (1997), Recommendation of the Council Concerning Guidelines for Cryptography Policy, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0289.
[26] US Department of Justice (2025), Data security, https://www.justice.gov/nsd/data-security.
1. OECD Going Digital Toolkit, Individuals who have experienced security incidents – last 3 months, [accessed 29 July 2024], https://goingdigital.oecd.org/datakitchen/#/explorer/1/toolkit/indicator/explore/en.