Measuring Security and Trust in the Online Environment Geneva, 28 May 2008 Martin Schaaper OECD Directorate for Science, Technology and Industry Economic Analysis and Statistics Division

Measuring Security and Trust in the Online Environment

Geneva, 28 May 2008

Martin Schaaper
OECD
Directorate for Science, Technology and Industry
Economic Analysis and Statistics Division


Introduction

• Security vs. trust
• OECD Ministerial Meeting
• Measuring security and trust
– Official data
– Other sources


OECD model survey of ICT use by businesses

7. Did your business have any of the following IT security measures in place at <reference date>?
– Virus checking or protection software which is regularly updated
– Anti-spyware software which is regularly updated
– Firewall
– Spam filter
– Secured communication between clients and servers (e.g. via SSL, SHTTP)
– …/…


OECD model survey of ICT use by businesses

7. Continued
– …/…
– Authentication software or hardware for internal users
– Authentication software or hardware for external users (e.g. customers)
– Intrusion detection system
– Regular back up of data critical to your business operations
– Offsite data backup
– No IT security measures in place


OECD model survey of ICT use by businesses

8. Did your business experience an attack by a virus or similar (for example, a trojan horse or worm) which has resulted in loss of data or time, or damage to software during <period>?

Excluding: attacks which were successfully prevented by security measures in place.

– No/Yes


OECD model survey of ICT use by businesses

14. Which of the following factors, if any, limited or prevented Internet selling by your business during <period>?

– Products are not well suited to sell via the Internet
– Security concerns
– Privacy concerns
– Prefer to maintain current business model, e.g. face to face interaction
– Customers' or suppliers' computer systems are incompatible with yours
– …/…


OECD model survey of ICT use by businesses

14. Continued
– …/…
– Insufficient level of customer demand for purchasing via the Internet
– Uncertainty concerning legal/regulatory framework for selling over the Internet
– Cost of development and/or maintenance is too high
– Lack of skilled employees
– No limitations to selling over the Internet
– Not relevant
– Other (please specify)


OECD model survey of ICT use by businesses

16. As at <reference date> did your business' Web site have any of the following features?

– Product catalogues or price lists
– Customised Web page or information provided for repeat clients
– Facility for collecting customer information on line
– A privacy policy statement
– A privacy seal or certification (trustmark)
– …/…


OECD model survey of ICT use by businesses

16. Continued
– …/…
– An online ordering facility for your business' products
– Facility for online payment
– Provision of online after sales support
– Order tracking available on line
– A security policy statement
– A security seal or certification (trustmark)


OECD model survey of ICT access and use by households and individuals

5. What are ALL the reasons for members of this household not having access to the Internet at home?
– Not interested
– Costs are too high
– Lack of confidence, knowledge or skills
– Concern that content is harmful
– Have access to Internet elsewhere
– Security concerns, for example, concerns about viruses
– Privacy concerns, e.g. abuse of personal information
– Other (please specify)


OECD model survey of ICT access and use by households and individuals

8. When using a computer at home in the last 12 months, how frequently did you back up files (such as documents, spreadsheets or digital photographs) which you created and kept on the computer?
– Always or almost always
– Sometimes
– Never or hardly ever
– Not applicable - I have not created files which I kept on a computer used at home


OECD model survey of ICT access and use by households and individuals

15. When using a computer to access the Internet at home in the last 12 months, have you experienced an attack by a virus or similar (for example, a Trojan horse or worm) which has resulted in loss of data or time, or damage to software?

– No/Yes/Don’t know


OECD model survey of ICT access and use by households and individuals

16. Was the computer you (mainly) used to access the Internet at home protected by:

No/Yes/Don’t know

– Virus checking or protection software?
– A firewall?
– Anti-spyware software?


OECD model survey of ICT access and use by households and individuals

23. What were ALL the reasons for not buying or ordering goods or services for private use over the Internet in the last 12 months?

– Not interested
– Prefer to shop in person or deal personally with a service provider
– Security concerns, for example, worried about giving debit or credit card details over the Internet
– …/…


OECD model survey of ICT access and use by households and individuals

23. Continued
– …/…
– Privacy concerns, for example, worried about giving personal details over the Internet
– Trust concerns, for example, worried about warranties, receiving goods or services, or returning goods
– Lack of confidence, knowledge or skills
– Speed of connection is too slow
– Other (please specify)


Eurostat ICT model questionnaire on ICT use by households and individuals 2009


Some examples

• Access barriers
• Protection
• Problems encountered
• E-commerce barriers
• E-commerce problems
• Consumer trust enhancing measures
• Government and security


Access barriers

[Figure: Privacy or security concerns as one of the main reasons for not having access to the Internet at home (% of households without Internet access), by country; series: 2006, 2005]


Protection

[Figure: Enterprises with Internet access with a firewall (%), by country; series: 2006, 2005, 2004, 2003]


Problems encountered

[Figure: Internet users in the EU suffering from virus attacks or receiving spam (%), by sex, education level (low, middle, high), broadband or no broadband, Objective One region or other regions, and age group (16-24 to 65-74); series: Virus (2005), Spam (2006), Virus (2005) all, Spam (2006) all]


E-commerce barriers

[Figure: Security concerns, e.g. over payments, as extremely important or very important barrier in limiting or preventing sales via the Internet (%), by country and reference year; series: non-sellers, sellers]


E-commerce problems

[Figure: Problems encountered by individuals in the EU when buying/ordering goods or services over the Internet in the last 12 months (% of individuals who bought or ordered goods over the Internet in the last 12 months); series: 2005, 2006. Categories shown:]
– Speed of delivery longer than indicated
– Wrong or damaged goods delivered
– Complaints/redress difficult or no satisf. response after complaint
– Other
– Difficulties concerning guarantees
– Delivery costs/final price higher than indicated
– Lack of security of payments


Consumer trust enhancing measures

[Figure: Enterprises that used trust marks, customer service/complaints mechanisms, or alternative dispute resolution mechanisms and informed about this on their Web sites, by category, 2005 (% enterprises with a Web site), by country; series: Customer service, Trust marks, ADR]


Government and security

[Figure: Security problems encountered by public authorities in Denmark, 2005 (%); series: Central government, Regional authorities, All municipalities. Categories shown:]
– Virus-attacks
– Denial of service attacks
– Data loss because of lack of backup
– Unauthorised access
– Economic IT abuse
– Blackmail with data or software


Some conclusions

• Despite increasing use of protection measures, security incidents still widespread
• Intensity of use impacts the results
• Credit card fraud: serious barrier, but low incidence
• Challenge for business: convince consumers e-commerce is safe
• Collecting (official) indicators is a statistical challenge, in particular for e-government and security


Online identity theft

• OECD Scoping paper on online identity theft: http://www.olis.oecd.org/olis/2007doc.nsf/ENGDATCORPLOOK/NT00005CAE/$FILE/JT03240674.PDF

• ID theft occurs when a party acquires, transfers, possesses, or uses personal information of a natural or legal person in an unauthorised manner, with the intent to commit, or in connection with, fraud or other crimes.

• …/…


Online identity theft

Data limitations

• Statistics do not provide a clear picture of the notion of “victims” which either covers individuals, governments, international organisations, business and/or industry, or the economy as a whole.

• Statistics do not measure the same types of frauds or crimes and are thus incomparable.

• Statistics gathered by public authorities for policy purposes vary from those collected by private businesses for commercial purposes.

• Direct and indirect losses data do not cover all victims and all types of ID theft cases.


Other data …

• Phishing
• Spoofing
• Spyware
• Viruses, worms, trojans and incidents
• Botnets (zombie machines)
• Modem hijacking
• Click fraud and “search spam”
• Secure sockets layer (SSL)


… and other sources

• Perception, opinion and usage surveys
• Surveys of security professionals and law enforcement agencies
• Consumer complaint and Internet fraud statistics
• Crime statistics
• European Network Information and Security Agency (ENISA)


Areas for improvement

• Data quality issues: understanding survey questions, reluctance of respondents to provide sensitive information, insufficient sample sizes

• More details on fraudulent payment card use and on spam

• E-government and security and trust: a real challenge, e.g. level of government

• Developing new indicators on online identity theft, e-crime, reporting security incidents and business management of e-security


Links

• OECD Guide: www.oecd.org/sti/measuring-infoeconomy/guide

• Eurostat surveys and more: http://epp.eurostat.ec.europa.eu/cache/ITY_SDDS/EN/isoc_pi_base.htm

• Papers

– Measuring Security and Trust in the Online Environment: A View Using Official Data: http://www.oecd.org/dataoecd/47/18/40009578.pdf

– Scoping Study for the Measurement of Trust in the Online Environment: http://www.oecd.org/dataoecd/26/15/35792806.pdf


THANK YOU!