Digital security

Digital security is essential for trust in the digital age.

The OECD has been facilitating international co-operation and developing policy analysis and recommendations in this area since the early 1990s. Our work on digital security aims to develop and promote policies that strengthen trust without inhibiting the potential of information and communication technologies (ICTs) to support innovation, competitiveness and growth.

 Flyer: OECD work on digital security policy

Why “digital security” instead of “cybersecurity”?

Digital security refers to the economic and social aspects of cybersecurity, as opposed to purely technical aspects and those related to criminal law enforcement or national and international security.

The term “digital” is consistent with expressions such as digital economy, digital transformation and digital technologies. It forms a basis for constructive international dialogue between stakeholders seeking to foster trust and maximise opportunities from ICTs.

Latest releases

OECD Policy Framework on Digital Security: Cybersecurity for Prosperity
December 2022

The OECD Policy Framework on Digital Security charts the economic and social dimension of cybersecurity, highlights the OECD approach to digital security policy and equips policymakers to use OECD digital security Recommendations in developing better policies. The Framework also identifies linkages with other policy areas addressed through existing OECD standards and tools.

OECD Recommendations on digital security support stakeholders in developing digital security policies for economic and social prosperity, in line with the OECD’s mandate to help governments develop “better policies for better lives”.

Current work

Current OECD work on digital security includes three workstreams building on the findings from the first event of the Global Forum on Digital Security for Prosperity, which focused on the roles and responsibilities of actors for digital security.

Enhancing the digital security of products

From “traditional” software to cloud services and Internet of Things (IoT) devices, our economies and societies are increasingly reliant upon “smart products”, i.e. products that contain code and can connect to each other, e.g. through the Internet.

In recent years, cyber-attacks such as Mirai, WannaCry, NotPetya and SolarWinds have underlined that the exploitation of vulnerabilities in smart products can have severe economic and social consequences. Beyond financial losses and reputational damages, these attacks increasingly impact users’ safety and can threaten human lives.

New OECD work in this area unveils that economic factors that play an important role in the relative “insecurity” of smart products.

In “Understanding the digital security of products: an in-depth analysis”, we provide an analytical framework based on smart products value chain and lifecycle, and apply it to three case studies: computers and smartphones, consumer Internet of Things (IoT) devices, and cloud services. The analysis shows that complex and opaque value chains lead to a misallocation of responsibility for digital security risk management, while significant information asymmetries and externalities often limit stakeholders’ ability to behave optimally.

In “Enhancing the digital security of products: a policy discussion”, we explore how policy makers can address the key economic challenges that prevent smart products from reaching an optimal level of digital security. Increasing transparency and information sharing, promoting co-operation (including at the international level), and ensuring the duty of care of supply-side actors (e.g. through the principles of security-by-design, security-by-default and responsible end-of-life) are important avenues for policy action. Many policy tools can be leveraged to achieve these objectives, from public procurement, certification and multi-stakeholder partnerships, to labels, liability law and ex ante legal requirements.

This work builds upon the OECD Recommendation on digital security risk management for economic and social prosperity. The findings from the two reports are informing the development of a new OECD Recommendation in this area.

Policy brief: Smart policies for smart products. A policy maker’s guide to enhancing the digital security of products

Encouraging vulnerability treatment

Most digital security incidents are caused by malicious actors (e.g. cybercriminals and state-sponsored groups) exploiting vulnerabilities in organisations’ digital ecosystems.

The OECD has explored how policy makers can help address cybersecurity vulnerabilities in:

  • Code vulnerabilities, i.e. vulnerabilities in software and firmware such as “zero-days”;
  • System vulnerabilities, i.e. misconfigurations of information systems and lack of patching.

OECD analysis shows that:

  • Over the last few years, the cybersecurity technical community has progressed in developing good practice for treating vulnerabilities, such as co-ordinated vulnerability disclosure (CVD), vulnerability disclosure policies, and bug bounties.
  • Economic and social challenges prevent stakeholders from adopting such good practice, including a lack of awareness and co-operation, limited market incentives, legal barriers, limited trust in government, and a lack of resources and skills.
  • Policy makers can play a decisive role. Removing obstacles and encouraging vulnerability treatment could significantly reduce digital security risk for all.
  • Governments need to take action, including to change the culture related to vulnerabilities, lead by example, and remove obstacles such as imperfect legal frameworks that create risk for “ethical hackers”.


This work builds upon the OECD Recommendation on digital security risk management for economic and social prosperity. The findings will inform the development of a new OECD Recommendation in this area.

Policy brief: Encouraging vulnerability treatment. How policy makers can help address digital security vulnerabilities

Responsible response: Clarifying the scope of businesses’ action in response to an attack

What should be the limits of businesses’ action in response to a digital security attack? Should they, for example, be allowed to counterattack, i.e. take action targeting the attacker? Or should they only block the attacks they detect?

While there seems to be a general recognition that businesses should not be allowed to counterattack, some security measures which do not fall in that category can go beyond just stopping the attacker (so-called “grey zone”). It is important to understand what these measures might be and assess whether they would be acceptable or should be banned, or perhaps regulated.

This workstream aims at ensuring that businesses can use the widest spectrum of security measures to protect their economic and social activities without creating risks for others.


  • Explore whether governments should ban counterattack by businesses
  • Develop a methodology to assess the acceptability of security measures’ categories from a public policy perspective
  • Foster an international dialogue in this area

The work is supported by an informal multistakeholder advisory group, including experts from governments, businesses, civil society, the technical community and academia.

OECD Recommendations on digital security

These legal instruments provide international standards in the area of digital security policy. 

Other work and reports

Policy responses to COVID-19

Measuring digital security

The OECD has developed several reports on digital security measurement, including a framework and a set of statistical indicators that can be used to assess the digital security risk management practices of businesses as well as guidance to improve the international comparability of computer security incident response team (CSIRT) statistics.

Enhancing trust in Brazil's digital economy

This chapter of the 2020 report Going Digital in Brazil includes an overview and analysis of Brazil’s digital security policies, as well as recommendations in this area.

Digital security policy in Sweden

This chapter in OECD Reviews of Digital Transformation: Going Digital in Sweden provides an overarching description and analysis of digital security policy in the country. Sweden’s 2017 National Cybersecurity Strategy aims to better integrate digital security policy within the broader digital transformation agenda and marks a positive turning point towards a more holistic approach to digital security.

National cybersecurity strategies

This 2012 report analysed the latest generation of national cybersecurity strategies in ten countries and identified commonalities and differences.

The full text of the contribution of non-governmental stakeholders to this work is also available.

Malware and botnets

Digital identity and electronic authentication

Enhancing the digital security of critical activities, Going Digital Toolkit policy note (2021)

Managing digital security and privacy risk, background report for the OECD Ministerial on the Digital Economy (2016)

Global Forum on Digital Security for Prosperity

The OECD Global Forum on Digital Security for Prosperity holds international thematic events gathering policy makers and experts from all stakeholder groups.

Outputs from these discussions influence international public policy discussions and can lead to the development of analytical work, principles and international policy recommendations, both at the OECD and in other international fora.

Working Party on Security in the Digital Economy

OECD work on digital security is carried out by Working Party on Security in the Digital Economy (SDE), which reports to the OECD Committee on Digital Economy Policy (CDEP). The SDE develops and promotes evidence-based policies strengthening security in the digital economy without inhibiting the benefits from digital transformation, with a particular focus on the management of digital security risks to economic and social activities, including critical ones, and on the improvement of security in digital products and services. The SDE works in co-operation with CDEP’s Working Party on Data Governance and Privacy (DGP) and other OECD bodies.