Chapter 6. Digital risk and trust

Trust underpins most digital relationships and transactions and depends on the perception and the management of risk. This chapter examines trust concerns, in particular related to privacy and digital security risks, as barriers to the adoption of digital technologies, reviews trends in digital security and privacy incidents and online fraud, and discusses how to build trust in the digital economy, including through consumer protection. Policy and regulation aimed at enhancing trust in the digital economy are discussed in Chapter 2.


Introduction

Increasing connectivity and data-intensive economic activities – in particular those that rely on large streams of data (“big data”), the widespread use of mobile connectivity, and the emerging use of the Internet to connect computers and sensor-enabled devices (the Internet of Things [IoT]) – have the potential to foster innovation in products, processes, services and markets and to help address widespread economic and social challenges. These developments have been accompanied by a change in the scale and scope of a number of risks, relating in particular to digital security and privacy, with potential significant impacts on social and economic activities. Furthermore, as new business models emerge to take advantage of new opportunities, it may be more difficult for consumers to navigate through the resulting complexity of the evolving e-commerce marketplace. This combination underscores the need for an evolution in policies and practices to build and maintain trust.

Although challenging to measure, digital security incidents appear to be increasing in terms of sophistication, frequency and magnitude of influence. These incidents can affect an organisation’s reputation, finances and even its physical assets, undermining its competitiveness, ability to innovate and position in the marketplace. Individuals can suffer tangible economic and even physical harms as well as intangible harms such as damage to reputation or intrusion into their private life. In addition, digital security incidents can impose significant costs on the economy as a whole, including by eroding trust, not only in the affected organisations, but across sectors. In May 2017, computers in over 150 countries were infected by the WannaCry ransomware (i.e. malicious software that blocks access to the victim’s data until a ransom is paid). This significantly disrupted business operations in organisations worldwide such as the United Kingdom’s National Health Service (NHS), Spanish-based Telefónica, US-based FedEx and German-based Deutsche Bahn (BBC, 2017; Wong and Solon, 2017). Manufacturing firms such as Nissan Motor and Renault even stopped production at several production sites temporarily (Sharman, 2017).

The increasing connectivity of data-intensive activities adds layers of complexity, volatility and dependence on existing infrastructures and processes. In particular, the extension of the geographical reach of the digital services and their increasing interconnection beyond single jurisdictional and organisational control is challenging the existing governance frameworks of businesses and governments. Where these digital services are part of critical infrastructure networks, there is a growing risk for systemic failures to accumulate and affect society in multiple ways. The result is that risk in the digital economy is a cross-boundary, cross-sector and multi-stakeholder issue. What happens in a small business can affect a large business and all other actors within a value chain; what one actor (individual or group) does may affect many others. That said, organisations, whether functioning in the public or private sector, are undoubtedly benefiting from greater interconnectivity – driving innovation, efficiency and performance. The value chain ecosystem can also be used to address digital security risk, for example by requiring a certain level of security risk management along a supply chain.

Trust is essential in situations where uncertainty and interdependence exist (Mayer, Davis and Schoorman, 1995), and the digital environment certainly encapsulates those two factors. However, while digital technologies are evolving rapidly, policies and resultant practices related to trust too often assume a static world. The IoT, big data and artificial intelligence (AI) were perceived by policy makers in 2016 as the greatest challenges to ensuring beneficial policy settings (see Chapter 2). At current growth rates, it has been estimated that by 2020 there will be 50 billion “things” connected to the Internet (OECD, 2016a). For example, firms like Amazon, Apple and Google have already made big moves to enable AI-enabled services such as human-machine interaction via spoken word, while Facebook launched an AI effort, DeepText, to understand individual users’ conversational patterns and interests.

The potential advantages of these technological developments are significant but they also add new risks that could erode trust in the new technologies and the digital economy overall. The evidence reviewed in this chapter suggests that users (including individuals and businesses, and in particular small and medium-sized enterprises [SMEs]) are increasingly unsettled by the risks they may face within this new digital environment. A 2014 Centre for International Governance Innovation (CIGI)-Ipsos survey of Internet users in 24 countries on Internet security and trust suggests that 64% of respondents are more concerned about privacy than they were in the previous year. Perhaps most striking is the lack of confidence that they have control over their personal information.

This chapter reviews developments related to digital risks and trust with a focus on: 1) digital security; 2) privacy; and 3) consumer protection issues. Digital risks faced by businesses in respect to the protection of their intellectual property or other business risks such as the risk of lock-ins and other information and communication technology (ICT) investment-related business risks are beyond the scope of this chapter. The chapter is structured as follows:

  • The first section shows that trust concerns, and in particular privacy and digital security risks, are often a barrier to the adoption of digital technologies and applications including, but not limited to, cloud computing, e-commerce and e-government services for both individuals (including consumers) and businesses (in particular SMEs).

  • The second section then reviews trends in digital security and privacy incidents, as well as online fraud, and their social and economic effects. In doing so, this section discusses to what extent trust concerns highlighted in the previous section may be justified.

  • The third section discusses trends on how trust in the digital economy is built and reinforced from the perspective of individuals (including consumers) and businesses. These means range from transparent online reviews for consumers to risk management practices in businesses. This section does not discuss the role of public policies in enhancing trust in the digital economy, which is discussed in Chapter 2.

Key findings from this chapter include that with growing intensity of ICT use, businesses and individuals are facing more digital security and privacy risks. SMEs in particular need to introduce or improve digital security risk management practices. Meanwhile, consumers’ concerns about privacy add to their concerns about online fraud, redress mechanisms, and online product quality, which could limit trust and slow business-to-consumer (B2C) e-commerce growth. More generally, digital security and privacy concerns are inhibiting ICT adoption and business opportunities. Finally, emerging peer platform markets bring new trust issues, but also new opportunities to address them.

The role of digital risks and trust in the adoption of digital technologies and applications

Continued improvements in consumer and business access to broadband Internet, particularly through mobile devices and applications, have opened up new opportunities. For instance, there has been a significant rise in the use of cloud computing services among Internet users (Chapter 4). The share of individuals using e-government services (i.e. visiting or interacting with public authorities online) has also increased in recent years. And e-commerce has grown continuously with the uptake of the Internet (OECD, 2014) and at a faster rate than overall retail sales (Box 6.1).

Box 6.1. Business-to-consumer e-commerce trends

From 2013 to 2018, the share of the Asia and Oceania region in global business-to-consumer (B2C) e-commerce is expected to increase from 28% to 37%, and the People’s Republic of China (hereafter “China”) has already emerged as the largest global B2C e-commerce market. Credit card penetration is an important factor facilitating e-commerce, notably in developing countries and among the younger generation (UNCTAD, 2015; 2016). More generally, innovation in the e-commerce marketplace now affords consumers better access to a wider variety of competitively priced goods and services, wider access to tangible and digital content products, easy to use and more secure payment mechanisms, and a growing number of platforms facilitating consumer to consumer transactions.

In OECD countries, B2C e-commerce has grown continuously and at a faster rate than overall retail sales. Recent figures in the United States show an annual increase of 15.8% for e-commerce as compared with growth in overall retail sales of 2.3%. E-commerce sales now account for 8.1% of total retail sales in the United States (US Department of Commerce, 2016); and roughly eight in ten individuals in the United States are online shoppers and 15% buy online on a weekly basis (Smith and Anderson, 2016). In the European Union (EU), the proportion of individuals that ordered goods or services online increased from 30% in 2007 to 53% in 2015, exceeding the European Union’s own targets (EC, 2015a). The most frequent reasons to shop online relate to convenience, price and choice according to the 2015 EU Scoreboard. Some 49% of surveyed consumers pointed to the advantage of being able to buy anytime, while 42% noted the time saved by buying online. In terms of price, 49% mentioned finding less expensive products online, while 37% cited the ease of comparing prices online. The advantages related to choice covered both the overall range of goods and services available as well as the fact that some products are only available online. Other reasons identified in the survey concerned information such as the ability to find consumer reviews (21%), the possibility of comparing products easily (20%), the ease of finding more information online (18%) and the possibility of delivery to a convenient place (24%). In terms of cross-border purchases, it appears that the main reasons driving online shopping relate to quality and choice (European Commission, 2015a).

Some data provided by the US International Trade Administration show regional differences in e-commerce trends. According to Morgan Stanley research, 41% of online shoppers in the United States buy online because of lower prices, while 49% globally do so for the same reason. Another example is the ease to compare prices: 25% cited this reason in the United States while 32% did so globally. While a similar number of people in emerging economies, Europe, and the Americas and Asia-Pacific bought products cross-border due to non-availability at domestic level (74%, 74% and 72%, respectively), there are large disparities when it comes to looking for higher quality products abroad (49% in emerging economies, 8% in Europe, and 15% in the Americas and Asia-Pacific) (US International Trade Administration, 2016).

The types of goods and services consumers acquire online are increasingly varied. In Australia, the most common industry sectors for online purchases were: electronics/electrical goods; clothing, footwear, cosmetics and other personal products; gift vouchers, travel services and entertainment (Australian Government, 2016). In the European Union, clothes and sports goods (60% in total, and 67% for the 16-24 year-old age group) are the most popular type of goods and services purchased online, followed by travel and holiday accommodation (52%); household goods (41%); tickets for events (37%); and books, magazines and newspapers (33%). A good proportion of the 16-24 year-old age group also purchased games software, other software and upgrades (26%), and e-learning material (8%) (EC, 2015a), which suggests that e-commerce now encompasses digital content products.

However, there are still huge variations in the use of digital technologies among individuals and businesses, and across countries, in particular when it comes to more advanced platforms (see Chapter 4; OECD, 2016b). The majority of individuals and businesses are still using digital technologies for rather basic applications, such as e-mail and information retrieval through websites. E-commerce adoption, for instance, remains below its potential, although it is progressing at a significantly faster rate than overall retail sales. The share of e-commerce sales stands at only 18% of total turnover on average in reporting countries, and up to 90% of the value of e-commerce comes from business-to-business transactions over electronic data interchange applications (Chapter 4).2 Furthermore, only 57% of Internet users in OECD countries reported using the Internet to order products online and 22% to sell products online, compared to an average of 90% of Internet users reporting using e-mail and about 80% using the Internet to obtain information on goods and services.3 At the same time, while more than 90% of businesses are connected to the Internet and almost 80% have a website, only 40% use digital technologies to purchase products and even fewer (20%) sell products online.

E-commerce is not the exception. The adoption of other digital technologies and applications remains particularly low, in particular among individuals and SMEs. For example, the adoption of e-government services varies significantly across countries. More importantly, the share of people submitting electronic forms (instead of only downloading public sector information) remains particularly low (with only 35% of OECD Internet users undertaking this activity in 2016). At the same time, many businesses, and in particular SMEs, still lag behind in adopting more advanced digital technologies and applications such as cloud computing, supply-chain management, enterprise resource planning, and radio frequency identification. For example, only 20% of businesses had adopted cloud computing in 2016 and less than 10% big data analytics, despite their potential for boosting productivity (see Chapter 4).

There is strong evidence showing that Internet users (including individuals and businesses, and in particular SMEs) are increasingly concerned about digital risks and that these concerns may have become a serious barrier to the adoption of digital technologies and applications. A 2014 CIGI-Ipsos survey of Internet users in 24 countries on Internet security and trust suggests that 64% of respondents are more concerned about privacy than they were one year ago. In a special 2014 Eurobarometer survey on digital security, online consumers in the European Union (EU) reported their top two concerns to be the misuse of personal data and the security of online payments (EC, 2015b). The level of concern in both areas is up from 2013, with fear of personal data misuse increasing from 37% to 43% and security concerns from 35% to 42%.

The low adoption of some digital technologies and applications cannot only be explained by a lack of trust. There are a number of other factors, among which the education gap has been identified as the most important one (OECD, 2014; 2016c). While users with a tertiary education perform on average more than seven different online activities, those with at most a lower secondary education perform less than five (OECD, 2014). In a similar manner, for businesses, the lack of skills in the labour market is one of the major barriers for the adoption of digital technologies (OECD, 2016c). However, it is noticeable that the applications for which adoption is slow are to a significant extent those that are associated with higher risks for either individuals or businesses, or for both. These applications typically involve the extensive collection and processing of personal data, including financial data (e.g. e-commerce), or are applications that can lead to a higher degree of dependencies (e.g. cloud computing).

The following sections present available evidence showing the extent to which lack of trust, and in particular privacy and security concerns, are a major source of concern and thus potential barriers to the adoption of digital technologies for both individuals and businesses.

Digital security and privacy concerns can prevent consumers from engaging in online transactions

Digital risks and lack of trust are often indicated as the most common reasons that individuals (consumers) with access to the Internet do not use some digital technologies and applications and for not engaging in online transactions. Concerns include the growing risk of online fraud and the misuse of personal data as well as the rising complexity of online transactions and related terms and conditions. This is compounded by uncertainties about the redress mechanisms available in case of a problem with an online purchase. The following sections discuss these issues in more detail.

Individuals are increasingly concerned about digital security and privacy, but there are significant variations across countries as well as across digital technologies and applications

Digital security and privacy are among the most challenging issues raised by digital services, including e-commerce. Individuals perceive digital security as a major issue, in particular where there are significant risks of personal data breaches and identity theft. Concerns thus relate to the wealth of personal data that online activities generate, which, while enabling organisations to sketch rich profiles about individuals, also bring risks to both the individuals and the organisation. According to Special Eurobarometer surveys (EC, 2015c; 2013), for example, when using the Internet for online banking or shopping, the most common concern is about “someone taking or misusing personal data” (mentioned by 43% of Internet users in the European Union compared to 37% a year ago), before the “security of online payments” (42% compared to 35% a year ago). This is in line with the observation that around 70% of Internet users in Europe are still concerned that their online personal information is not kept secure by websites. That said, security concerns by individuals are not limited to the confidentiality of their personal data. Many are also concerned about the availability of digital services. For example, in 2014, around half of European Internet users were concerned about not being able to access online services because of digital security incidents (compared to around 37% a year earlier).

Concerns about the misuse of personal data go beyond security (e.g. personal data breaches), and include most notably concerns about the loss of control over personal data. According to a 2014 Pew Research Centre poll, for example, 91% of Americans surveyed agree that consumers have lost control of their personal information and data (Madden, 2014). The percentage of people who “agree” or “strongly agree” that it has become very difficult to remove inaccurate information about them online is as high as 88%. The share of social networking site users in the United States concerned with third-party access by businesses and governments is estimated to be 80% and 70% respectively. That said, 55% “agree” or “strongly agree” with the statement: “I am willing to share some information about myself with companies in order to use online services for free” (Madden, 2014). Similarly in the European Union, “two-thirds of respondents (67%) are concerned about not having complete control over the information they provide online.” (EC, 2015b) More than half (56%) say it is very important that tools for monitoring their activities online only be used with their permission. Meanwhile, “roughly seven out of ten people are concerned about their information being used for a different purpose from the one it was collected for.” Across the European Union in 2016, more than 60% of all individuals were concerned about their online activities being recorded to provide them with tailored adverts (Figure 6.1). In Germany, France and Denmark the share was even much higher, at 82%, 70% and 68% respectively.

Figure 6.1. Concerns about online activities being recorded to provide tailored advertising, 2016
As a percentage of individuals

Source: Eurostat, Digital Economy and Society (database), http://ec.europa.eu/eurostat/web/digital-economy-and-society/data/comprehensive-database (accessed March 2017).

 https://doi.org/10.1787/888933586331

Trust concerns could incite consumers to change their online behaviour, with potential negative effects on digital service adoption

Privacy and security concerns have led Internet users to be more reluctant to provide personal data and in some cases even to use digital services at all. Today, for example, 34% of Internet users in the European Union say that they are less likely to give personal information on websites. Six out of ten respondents have already changed the privacy settings on their Internet browser (compared to three in ten in 2013; see OECD, 2014). Over one-third (37%) use software that protects them from seeing online adverts and more than a quarter (27%) use software that prevents their online activities from being monitored. Overall 65% of respondents have taken at least one of these actions. Individuals are also more demanding in respect to the level of security of the digital services they use. A survey among EU individuals shows that “more than seven in ten (72%) say it is very important that the confidentiality of their e-mails and online instant messaging is guaranteed”, and “almost two-thirds of respondents (65%) totally agree they should be able to encrypt their messages and calls, so they are only read by the recipient” (EC, 2016b). The changing behaviour is confirmed by a recent survey of 24 000 users in 24 countries in 2014 commissioned by the CIGI, which reveals that only 17% of users said they had not changed their online behaviour in recent years. The rest expressed a variety of behavioural changes, from using the Internet less often (11%) to making fewer purchases and financial transactions online (both around 25%). While the increasing occurrence of data breaches in the media can be seen as a determinant factor, some note that “some users may be concerned by other factors, including pervasive surveillance or how their data is collected and used by businesses” (Internet Society, 2016).

As individuals become more concerned about privacy and security, some have started to avoid using digital services. The behavioural change of consumers due to digital security and privacy concerns could negatively affect B2C e-commerce. Evidence confirms that many consumers remain reluctant to purchase online because of security and privacy concerns (OECD, 2014). There is considerable variation in the exact reasons though, even when looking only at trust issues. Some cite fears around the misuse of personal data and the security of online payments, and in many cases identity theft is a major source of concern. Among European Internet users, for example, almost half abstained from certain online activities in 2015 because of security concerns (Figure 6.2). The most frequent activities were related to the risk of personal data misuse and of economic losses, for instance through identity theft. They included (in order of significance): providing personal information to online communities for social and professional networking (almost 30% of Internet users), e-banking and e-commerce (both around 20% of Internet users).4 When also taking privacy concerns into account, the share is higher. In 2015, one-fourth of Internet users in the EU cited privacy and security concerns as the main reason for not buying online. Almost 15% of all individuals in the European Union did not use cloud computing because of privacy or security concerns in 2014 (Figure 6.3). In Austria, France, Germany, Luxembourg, the Netherlands, Norway, Slovenia and Switzerland the share is as much as 20% or 25%. In the United States, the 2015 US Census Bureau survey of households online reported that 63% of online households were concerned about identity theft, and of these 35% refrained from conducting financial transactions online during the year prior to the survey. Similarly, of the 45% of online households concerned about credit card or banking fraud, 33% declined to buy goods or services using the Internet (NTIA, 2016); this is the equivalent of 15% of online households. The high variation in perceptions of security and privacy risks across countries with comparable degrees of law enforcement and technological know-how suggests that cultural attitudes towards online transactions play a significant role.

Figure 6.2. Security concerns kept Internet users from doing certain activities
As a percentage of individuals who used the Internet within the last year

Source: Eurostat, Digital Economy and Society (database), http://ec.europa.eu/eurostat/web/digital-economy-and-society/data/comprehensive-database (accessed March 2017).

 https://doi.org/10.1787/888933586350

Figure 6.3. Security and privacy concerns kept individuals from using cloud computing, 2014
As a percentage of individuals

Source: Eurostat, Digital Economy and Society (database), http://ec.europa.eu/eurostat/web/digital-economy-and-society/data/comprehensive-database (accessed March 2017).

 https://doi.org/10.1787/888933586369

However, lack of trust towards Internet businesses and digital services does not always translate into a barrier to adopting digital services. Although a majority of people may be uncomfortable about Internet companies using information about their online activity to tailor adverts, or are concerned about the recording of their activities via payment cards and over mobile telephones, a large majority of individuals may nevertheless accept this. In the European Union, for example, more than half of all individuals are concerned about their privacy, yet “a large majority of people (71%) still say that providing personal information is an increasing part of modern life and accept that there is no alternative other than to provide it if they want to obtain products or services” (EC, 2015b). Meanwhile, the survey also reveals that “more than six out of ten respondents say that they do not trust landline or mobile phone companies and Internet service providers (ISPs) (62%) or online businesses (63%)”. However, the share of European households without access to the Internet that cite privacy or security concerns as the main reason for not having an Internet connection is low, although it increased from 5% in 2008 to 9% in 2016.5 In the United States, the share of households indicating privacy and security concerns as a main reason for not having an Internet connection at home also increased (by 1 percentage point compared to 2009), albeit from an even lower level (1.4% of all households in 2015). An increasing share of people not using the Internet due to privacy and security concerns can also be observed in Brazil, where up to 12% of households without an Internet connection cited privacy and security concerns as a reason.6

Uncertainties about mechanisms for redress and the quality of products sold online could also slow the growth of business-to-consumer e-commerce

With the increasing complexity of the online environment and the emergence of new e-commerce business models, consumers are now faced with further challenges as well as opportunities. In its work leading to the 2016 revisions to the OECD Recommendation of the Council on Consumer Protection in E-commerce (OECD, 2016d), the Committee on Consumer Policy identified a number of key developments in e-commerce that pose challenges for consumers. These developments included the growth of non-traditional payment mechanisms, such as mobile phone bills or prepaid cards; new types of digital content products, such as mobile applications (apps) or e-books; and new types of online business models, such as those involving consumer-to-consumer or peer transactions facilitated by online platforms and those involving “free” goods and services provided in exchange for consumers’ personal data.

Consumers’ propensity to engage in domestic or cross-border online transactions may be facilitated or inhibited not only by perceived benefits and risks of e-commerce but also by consumer awareness of key consumer rights online and capacity to seek redress if these rights are violated. When Australian consumers were asked if they believe they have the same rights when purchasing online as they do in a physical store, more than one-third of respondents reported that they did not believe they have the same rights online or were unsure about the situation. In terms of actual problems experienced by Australian consumers, 23% were related to online purchases (Australian Government, 2016). Some studies suggest knowledge of consumer rights increases with age: for instance, Italian consumers over 54 are more aware of their rights, as well as more engaged and skilled, than consumers in the 15-24 age bracket (EC, 2016a). EU consumers have raised concerns beyond data protection and security with about one-quarter reporting concerns about the infringement of consumer rights related to redressing problems with the goods. In addition, 19% of the surveyed EU consumers expressed concerns about the possibility of buying unsafe or counterfeit goods (EC, 2015a).

Consumer protection enforcement agencies are a key source of information about the problems facing consumers online. These agencies work together through the International Consumer Protection and Enforcement Network (ICPEN), which has members from over 60 countries. In 2015, ICPEN members recognised misleading and inadequate information disclosures related to pricing information as a key problem for online consumers. As part of an internationally co-ordinated “sweep” of online pricing practices in travel and tourism, ICPEN members identified misleading or deceptive conduct such as “drip pricing,” which resulted in the delayed disclosure of final prices, fees and terms and conditions to consumers, false reference prices and best price claims, non-existent discounts and time-sensitive representations, and a lack of cancellation and refund information.

Another element affecting consumer trust in a global context is the range of unsafe products which are available in e-commerce, as revealed by an OECD online product sweep co-ordinated by the Australian Competition and Consumer Commission in April 2015. During the sweep, product safety authorities in 25 countries inspected three categories of goods that had been identified in their country as: 1) banned and recalled products; 2) products with inadequate product labelling and safety warnings; and 3) products that did not meet voluntary or mandatory safety standards (OECD, 2016e).

Of the nearly 700 products inspected for the purpose of detecting banned or recalled products, 68% were available for sale online. Out of the 880 products which were inspected to detect inadequate labelling and safety warnings, 57% were not supported by adequate labelling information on relevant websites, and 22% showed incomplete labelling information. Moreover, a small majority of the 136 products inspected for the purpose of detecting products which did not comply with voluntary and mandatory safety standards did not comply with such standards. A key challenge suggested by the sweep is the share of unsafe products bought online from overseas, with goods banned in one country due to safety concerns being accessible to buyers from another country without knowledge of the ban. Another example is labels and warnings in a foreign language or products that do not meet voluntary and mandatory safety standards, and which are more prevalent in a cross-border context (OECD, 2016e).

Missed business opportunities over digital security risk concerns are still significant

Current surveys on the diffusion of ICT tools and activities in enterprises indicate that companies, and in particular SMEs, are not making the most of the business opportunities the online environment has to offer. The reasons cited for not using digital technologies to their full potential include technical issues, such as reorganising business processes and systems; skills, including a lack of specialist knowledge or capability; and, increasingly, trust issues. SMEs in particular, which account by far for the largest share of all businesses in OECD countries, do not yet have full confidence in the digital solutions on offer. The potential loss of consumer trust, damage to reputation, negative impacts on revenue and similar consequences of a digital security incident are the main reasons for these concerns. The following sections discuss in more detail major trust issues related to digital security concerns due to the enhanced use of external digital services.

Digital security risk has become a concern for organisations of all types

Companies recognise that digital technologies are key to greater productivity, but most express significant concerns over digital security risk, which makes adoption challenging. Digital security concerns vary according to firm size and country, and will depend on the digital technologies and applications, with the more advanced ones creating greater concerns. E-commerce adoption, for example, and in particular mobile e-commerce, remains below its potential, with security concerns frequently cited as an impediment by a significant share of businesses. According to Eurostat data, for instance, more than a third of all firms stated that security-related risks prevented or limited the use of mobile Internet in 2013, and almost a third of these firms stated that a mobile connection to the Internet was needed for business operation. In Finland, France and Luxembourg, more than 50% of all businesses do not use mobile Internet to its full potential due to security concerns even though, as in the case of Finland, more than a third of all firms would need a mobile connection for their business operation.

It is even more apparent in the case of cloud computing that trust issues have become a barrier to adoption. In the OECD area, only 20% of businesses had used cloud computing by 2014, with SMEs being more reluctant compared to large firms (40% of firms with 250 or more employees compared to 20% of firms with 10 to 49 employees). In some countries the gap between large and small firms is great. In the United Kingdom, for example, 21% of all smaller enterprises (10 to 49 employees) are using cloud computing services compared to 54% of all larger enterprises. A similar gap can be observed in other countries (see Chapter 4). Risk of security breach is perceived as a major barrier to cloud computing adoption by businesses. Almost 30% of all businesses in the European Union do not use the cloud because of security concerns. The share ranges from almost 45% in Austria, Hungary, Luxembourg and Portugal to 10% to 15% in the Nordic countries (Denmark, Finland, Iceland, Ireland, Norway and Sweden), which are also those countries where the rates of cloud computing adoption by businesses are the highest among OECD countries (Figure 6.4).

Figure 6.4. Reasons businesses do not use cloud computing, 2014
As a percentage of all enterprises

Source: Eurostat, Digital Economy and Society (database), http://ec.europa.eu/eurostat/web/digital-economy-and-society/data/comprehensive-database (accessed March 2017).

 https://doi.org/10.1787/888933586388

Loss of control of data is perceived as a major digital risk for businesses considering using Internet-based services

In a survey of European SME perspectives on cloud computing, the security of corporate data and potential loss of control featured highly among the concerns for SME owners (ENISA, 2009). Loss of control in the case of cloud computing is partly related to uncertainties about the location of the data, which is perceived across countries as being as significant a barrier to cloud computing adoption as the risk of security incidents (Figure 6.4). In addition, there is another major challenge related to the lack of appropriate open standards and the potential for vendor lock-in due to the use of proprietary solutions: applications developed for one platform often cannot be easily migrated to another application provider (OECD, 2015b).

The lack of open standards is a key problem, especially when it comes to the model of “platform as a service” and to digital services based on this model. In this service model, application programming interfaces are generally proprietary. Applications developed for one platform typically cannot easily be migrated to another cloud host. While data or infrastructure components that enable cloud computing (e.g. virtual machines) can currently be ported from selected providers to other providers, the process requires an interim step of manually moving the data, software and components to a non-cloud platform and/or conversion from one proprietary format to another. Consequently, once an organisation has chosen a service provider, it is – at least at the current stage – locked in (OECD, 2015b). Some customers have raised the difficulty of switching between providers as a major reason for not adopting cloud-based services. Almost 30% of all businesses in the European Union, for example, had not used cloud computing to its full potential in 2014 because of perceived difficulties in unsubscribing or changing service providers (Figure 6.5). A major consequence of the difficulty of switching providers is that users can become extremely vulnerable to providers’ price increases. This is all the more relevant as some IT infrastructure providers may be able to observe and profile their users to apply price discrimination to maximise profit (OECD, 2015b). See the section below on “empowering individuals and businesses” for trends on the use of mechanisms for consumers to control their personal data and see Chapter 2 for trends on policy initiatives to promote data portability.

Figure 6.5. Limited use of cloud computing services due to difficulties of businesses in changing service providers, 2014
As a percentage of enterprises buying cloud computing services

Source: Eurostat, Digital Economy and Society (database), http://ec.europa.eu/eurostat/web/digital-economy-and-society/data/comprehensive-database (accessed March 2017).

 https://doi.org/10.1787/888933586407

Trends in incidents affecting trust in the digital economy

Concerns about potential losses and harms related to the use of digital technologies are in many cases a result of incidents experienced directly or indirectly by users of digital technologies. A large portion can be assigned to digital security incidents, i.e. the disruption of the confidentiality, integrity and availability7 of the digital environment underlying social and economic activities. Meanwhile, these incidents appear to be increasing in terms of sophistication, frequency and magnitude of impact. For example, personal data breaches8 – more precisely the breach of the confidentiality of personal data as a result of malicious activities or accidental losses – can cause significant economic losses to the business affected (including loss of competitiveness and reputation), but certainly will also cause harm as a result of the privacy violation of the individuals whose personal data have been breached. In addition, further consumer detriment may result from a data breach, such as harm caused by identity theft.

Losses and harm in the digital economy are not, however, always caused by digital security incidents. For instance, individuals, including consumers, may see their privacy violated as a result of the deceptive, misleading, fraudulent or unfair use of their personal data by organisations. This may be one reason for the increasing number of complaints received by national privacy protection authorities (excluding complaints related to personal data breaches). The Office of the Privacy Commissioner of Canada, for instance, accepted 309 complaints in 2015, an increase of 49% from five years earlier, when 207 complaints were accepted.9 Significant consumer detriment can also be caused by misleading or inadequate information about the business, products and transactions, as well as by low quality or unsafe products made available in online markets as highlighted above. Furthermore, businesses relying on the digital environment may suffer from losses and harms not caused by digital security incidents, but by the violation of their intellectual property rights, including in particular their copyrights, on products made available in digital formats.10 Related to these risks are interdependencies that are created as organisations and societies become more and more interconnected, leading to a higher systemic risk in particular, as critical infrastructures are involved.

Digital security incidents are increasing in terms of sophistication and magnitude of impact

In recent years large and small organisations as well as individuals appear to be subject to more frequent and severe digital security incidents (OECD, 2016f).11 These incidents can disrupt the availability, integrity or confidentiality of information and information systems on which economic and social activities rely, and they can be intentional (i.e. malicious) or unintentional (e.g. resulting from a natural disaster, human error or malfunction). From an economic and social perspective, security incidents can affect an organisation’s reputation, finances and even physical activities, damaging its competitiveness, undermining its efforts to innovate and its position in the marketplace.

Digital security incidents have taken a variety of forms. Criminal organisations are increasingly active in the digital environment. As innovation is becoming more and more digital, industrial digital espionage is likely to further rise. Some governments are also carrying out online intelligence and offensive operations. In some cases, the motive may be political or the attacks may be designed to damage an organisation or an economy. It was, for example, the case with the attack that targeted Sony Pictures Entertainment at the end of 2014, exposing unreleased movies, employee data, e-mails between employees, and sensitive business information like sales and marketing plans (BBC, 2015).

The risk of digital security incidents is growing with the intensity of ICT use

Across surveys undertaken over the past decade, it has consistently been found that over half of businesses and individuals report that they did not experience a digital security incident of any kind. There are, however, considerable cross-country variations. The share of businesses experiencing digital security incidents, for instance, ranges from around a third in Japan and Portugal to below 10% in Hungary, Korea and the United Kingdom12 in 2010 or later (Figure 6.6).13 A similar variation can be observed in the case of individuals: in the European Union, 20% to 30% of all individuals stated that they experienced a digital security incident in 2015, compared to below 5% in Mexico and New Zealand (Figure 6.7).14

Figure 6.6. Digital security incidents experienced by businesses, 2010 or later
As a percentage of all enterprises

Notes: For European countries, data are only available for 2010. For New Zealand, data refer to 2016. For Japan and Switzerland, data refer to 2015. For Korea, they refer to 2014. For Canada, data refer to 2013. Canada, Japan, Korea and Switzerland follow a different methodology.

Source: OECD, ICT Access and Usage by Businesses (database), http://oe.cd/bus (accessed June 2017).

 https://doi.org/10.1787/888933586426

Figure 6.7. Digital security incidents experienced by individuals, 2015 or later
As a percentage of all individuals and by level of educational attainment

Notes: Data for Korea refer to 2016 for all individuals but the breakdown by level of educational attainment refers to 2014. Data for New Zealand and Switzerland refer to 2014. Data for Iceland refer to 2010. Data for Korea, Mexico, New Zealand and Switzerland follow a different methodology.

Source: OECD, ICT Access and Usage by Households and Individuals (database), http://oe.cd/hhind (accessed June 2017).

 https://doi.org/10.1787/888933586445

Evidence suggests that the actual proportion varies more significantly depending on the target population. For businesses that do experience an incident, for example, the number of incidents detected increases with firm size. In the case of individuals, the rate of incidents detected tends to increase with the level of education. One explanation could be that larger businesses and more educated individuals may have better detection capacities. The higher rate of experiencing an incident could, however, simply be because larger businesses have larger information technology (IT) infrastructures, which in turn are more likely to incur at least one incident. Similarly, evidence shows that individuals are more likely to use digital technologies and applications more intensively the more educated they are (see Chapter 4). The greater the intensity of usage, the greater the likelihood of experiencing a digital security incident.

Recent surveys confirm that large businesses are more likely to experience digital security incidents than small businesses. The 2016 Cyber Security Breaches Survey focusing on the United Kingdom showed that the proportion of businesses that had experienced an incident in the previous 12 months increased with business size. While overall 24% of all businesses surveyed had had an incident in the last 12 months, the share was 17% among micro businesses, 33% among small businesses, 51% among medium-sized businesses and 33% among large businesses. That said, many SMEs are not sufficiently aware of the actual digital security risks and the incidents they may have been victim of. The 2016 Ponemon State of Cybersecurity in Small and Medium-Sized Businesses, for example, found that 55% of respondents had experienced a cyber-attack in the past 12 months but that 16% were unsure. This calls for a careful interpretation of existing statistics and for further efforts to strengthen the evidence base in digital security and privacy.

The frequency and magnitude of security incidents differ substantially depending on the type of incident

Available evidence suggests that viruses/malware remain the most common type of digital security incident experienced.15 Some surveys also highlight the increase in incidents related to phishing and social engineering. Other surveys show that denial of service (DoS)16 attacks tend to affect fewer businesses, although the share of affected businesses remains significant. More importantly, the sophistication and magnitude of DoS attacks are growing rapidly, with an increasing number of incidents based on the exploitation of IoT devices to generate large packet floods (Box 6.2). In 2015, several attacks used over 300 Gigabits per second (Gbps) and one peaked at 500 Gbps, which represents a tenfold increase compared to 2009 (Arbor Networks, 2016). In 2016, the largest attack reported was 800 Gbps, with several surveyed organisations reporting attacks of between 500 Gbps and 600 Gbps (Figure 6.8) (Arbor Networks, 2017). Fraud was also reported as an issue, but more for larger businesses than for smaller ones. That said, it should be noted that all these incidents may be inter-related. For instance, web-based attacks, phishing, or social engineering and malware more generally may be used to gain access to servers or IoT devices which may then be used to take part in a distributed DoS attack.

Box 6.2. The Internet of Things, a game changer to the digital security risk landscape?

With the Internet of Things (IoT) the risk of security incidents will most likely increase. Not only can the components of the IoT become the target of digital security incidents, with the consequence of disrupting physical systems, but in addition, IoT components can also be used as means for targeting digital systems, including through distributed denial of service (DDoS) attacks. In 2016, for instance, major Internet sites such as Netflix, Google, Spotify and Twitter were not accessible due to thousands of IoT devices – like digital video recorders and web-connected cameras – that were hacked and used for DDoS attacks (see Hautala, 2016; Smith, 2016).

Like industrial control systems, the IoT bridges the digital and the physical world: through various types of sensors, connected objects can collect data from the physical world to feed digital applications and software, and they can also receive data to act on the environment through actuators such as motors, valves, pumps, lights and so forth. Thus, digital security incidents involving the IoT can have physical consequences: following a breach of integrity or availability, a vehicle might stop responding to the driver’s actions, a valve could release too much fluid and increase pressure in a heating system, and a medical device could report inaccurate patient monitoring data or inject the wrong amount of medicine. As with the industrial control systems that have long operated in some sectors, the potential exists that such physical consequences as human injury and supply-chain disruption could result from digital security incidents affecting IoT devices. In 2015, for example, researchers took control of a Jeep Cherokee remotely, without prior access to the car. They wirelessly interfered with the accelerator, brakes and engine. Following this experiment, Fiat Chrysler recalled 1.4 million vehicles (Greenberg, 2015a; 2015b).

The IoT is rarely a stand-alone building block isolated from other digital components. Instead, all digital components in an organisation or on a personal network will often need to be considered as interconnected and interdependent. Vulnerabilities or incidents affecting parts of an organisation’s information system that may seem unrelated to the IoT can affect it, as much as the exploitation of IoT components can have consequences in other parts of a system. For example, in 2015, a security firm investigated a hospital information system where attackers exploited a vulnerability in a networked blood gas analyser to ultimately infect the entire hospital IT department’s workstations (Storm, 2015). In October 2016, as another example, major websites including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times were inaccessible to people after a company that manages critical parts of the Internet’s infrastructure was under attack. This attack was based on hundreds of thousands of IoT devices like cameras, baby monitors and home routers that had been infected with software that allows hackers to command them to flood a target with overwhelming traffic (Perlroth, 2012).

Source: Based on OECD (2016a), “The Internet of Things: Seizing the benefits and addressing the challenges”, https://doi.org/10.1787/5jlwvzz8td0n-en.

Figure 6.8. Evolution of bandwidth used for largest denial of service attacks

Note: Gbps = Gigabits per second.

Source: Author’s calculations based on Arbor Networks (2016), Worldwide Infrastructure Security Report Volume XI, www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf; Arbor Networks (2017), Worldwide Infrastructure Security Report Volume XII, www.arbornetworks.com/insight-into-the-global-threat-landscape.

 https://doi.org/10.1787/888933586464

In the 2012 ICSPA survey in Canada, for example, the category with the highest average number of incidents per business was “phishing, spear phishing, social engineering”. The 2016 Ponemon State of Cybersecurity in Small and Medium-Sized Businesses, as another example, found that the most commonly experienced attacks (for SMEs) were web-based attacks, phishing/social engineering and general malware. In the National Small Business Association’s Year End Economic Reports for 2014 and 2015 (NSBA 2015, 2016), it was found that the highest proportion of businesses experienced a service interruption due to digital security incidents. The most common impact of an incident, according to the survey, was “service interruption” in both 2014 and 2015. A relatively small proportion of respondents reported impacts suggestive of a data breach (“sensitive information and data was stolen” or “information about and/or from my clients was stolen”) or fraud (“the attack enabled hackers to access my business bank accounts/credit card[s]”).

The cost of digital security incidents is significant but still difficult to assess

As noted above, digital security incidents can have various types of consequences for organisations: undermined reputation when the brand is exposed, loss of competitiveness when trade secrets are stolen, financial loss resulting from the attack itself (e.g. in sophisticated scam schemes17), from lost business, disruption of operations (e.g. sabotage), recovery costs or legal proceedings and fines.18 It is difficult to estimate the actual cost of incidents: organisations are often reluctant to share potentially damaging information, intellectual assets are difficult to value and, in many instances, organisations do not even report incidents, such as when there is no legal obligation to do so, for example in cases of theft of trade secrets and sabotage. It is also difficult to assess the cost of digital security incidents outside the organisation, for example to individuals and society. Also, different incidents will have different costs. Rarely are the estimates disaggregated by incident type.

As a result, there are no official statistics, data sources or widely recognised methodologies to measure the aggregate cost of incidents. Thus, much of the evidence is anecdotal. Some studies provide interesting aggregated estimates, which should nevertheless be treated cautiously. Examples include the joint study by the US Center for Strategic and International Studies (CSIS, 2014) and Intel McAfee, which estimated that the likely annual cost to the global economy from cybercrime is between USD 375 billion and USD 575 billion. According to this source, the costs of cybercrime would range from 0.02% of gross domestic product in Japan to 1.6% in Germany, 0.64% in the United States and 0.63% in China. Other studies provide firm-level estimates based on surveys. That being said, these also should be treated cautiously, given that they suffer from survey-specific issues, and in particular selection bias. Furthermore, costs estimated based on some of these surveys can fluctuate significantly over years, as a result of the “fat tailed” distribution of incident costs. As a result, mean or median costs are hard to interpret, in particular when breakdowns by business size or sector are missing. In NSBA (2015, 2016), for instance, the estimated cost of digital security incidents for the average firm fluctuates substantially from year to year: from USD 8 700 in 2013 to USD 20 750 in 2014 and USD 7 115 in 2015.

The 2016 Cyber Security Breaches Survey undertaken in the United Kingdom found that the average cost of all breaches, in absolute terms, was higher for micro- and small enterprises than for medium-sized enterprises. The mean remained quite stable, which indicates that a small proportion of incidents in a small proportion of businesses are likely responsible for a large proportion of total costs (Table 6.1). The 2016 Ponemon State of Cybersecurity in Small and Medium-Sized Businesses confirms that small businesses tend to lose less than large businesses. In particular, it shows that the mean cost/loss associated with incidents increased with firm size. That said, the consequences of some incidents may be harder to weather for SMEs even if costs/losses are smaller compared to those experienced by large organisations.19 According to a 2011 study cited by the US House Small Business Subcommittee on Health and Technology, for example, roughly 60% of small businesses close within six months of a digital security attack (Kaiser, 2011).

Table 6.1. Costs of all and most disruptive incidents experienced in the last 12 months, United Kingdom, 2016
GBP

                                  All businesses   Micro/small   Medium    Large
Cost of all breaches
  Mean                                     3 480         3 100    1 860   36 500
  Median                                     200           200      180    1 300
Cost of most disruptive breach
  Mean                                     2 620         2 300      837   32 300
  Median                                     100           100       48      323

Source: UK Department for Culture, Media & Sport (2016), 2016 Cyber Security Breaches Survey.

Privacy risks are amplifying with the collection and use of big data analytics

A growing number of entities, such as online retailers, ISPs, financial service providers (i.e. banks, credit card companies and so forth), and governments are increasingly collecting vast amounts of personal data.20 With that comes an increasing risk of privacy violations. In 2015, around 3% of all individuals across OECD countries for which data are available reported having experienced a privacy violation within the last 3 months (Figure 6.9). In some countries the share can be much higher, such as in Korea (above 7%), Chile (almost 6%) and Luxembourg (almost 5%). In many countries, such as Norway, Portugal, Sweden and Turkey, this share had increased significantly compared to 2010. Personal data breaches – more precisely the breach of the confidentiality of personal data as a result of malicious activities or accidental losses – are a major cause of privacy violations. In addition, individuals’ privacy can be affected by the extraction of complementary information that can be derived, by “mining” available data for patterns and correlations, many of which do not need to be personal data. Both risks, personal data breaches and privacy violation resulting from the misuse of big data analytics, are discussed further below.

Figure 6.9. Individuals having experienced privacy violations in the last three months
As a percentage of all individuals

Notes: Data for Chile, Mexico and Switzerland refer to 2014. Data for Iceland refer to 2010. Chile, Korea, Mexico and Switzerland follow a different methodology.

Source: OECD, ICT Access and Usage by Households and Individuals (database), http://oe.cd/hhind (accessed June 2017).

 https://doi.org/10.1787/888933586483

Personal data breaches have increased in terms of scale and profile

Digital security incidents affecting the confidentiality of personal data, commonly referred to as “data breaches”,21 have increased as organisations collect and process large volumes of personal data. In 2005 ChoicePoint – a consumer data aggregation company – was the target of one of the first high-profile data breaches, involving over 150 000 personal records.22 The company ended up paying more than USD 26 million in fees and fines. In 2007, retail giant TJX announced that it was the victim of an unauthorised computer system intrusion that affected over 45.7 million customers and cost the company more than USD 250 million. Since then, data breaches have become almost commonplace. According to a study commissioned by the UK government, 81% of large organisations suffered a security breach in 2014 (UK Department for Business Innovation and Skills, 2014).23 Data breaches are not limited to the private sector, as evidenced by the theft in 2015 of over 21 million records stored by the US Office of Personnel Management, including 5.6 million fingerprints, and by the Japanese Pension Service breach that affected 1.25 million people (Otake, 2015).

An accurate estimate of the total cost of personal data breaches is hard to calculate. As argued above, available estimates have to be treated with caution, given that not all breaches are discovered, and when they are discovered, not all breaches are fully disclosed. Available estimates indicate a range of magnitude that strongly suggests that personal data breaches have a significant economic cost to society. One firm-level study by the Ponemon Institute suggests that the average total cost of a data breach was USD 4 million in 2016 (an increase of 29% compared to 2013). According to the study, this would correspond to an average cost per lost record of USD 158. There are significant cross-country and sectoral variations though. The average cost per lost record was estimated to be as high as USD 221 in the United States and as low as USD 61 in India. Furthermore, the average cost per lost record tends to be the highest in specific sectors, such as healthcare and transportation.

The greatest cost component for organisations tends to be loss of business, which “confirms the impact of a data breach on consumer loyalty” (Internet Society, 2016). The second highest cost component is remediation. Based on anecdotal evidence, it appears that litigation is increasingly common in the case of data breaches, with card issuers seeking to recover the costs of reissuing payment cards from the hacked companies and affected individuals launching class-action lawsuits. Breached organisations can end up paying fines, legal fees and redress costs. ChoicePoint, for example, paid more than USD 26 million in fees and fines as a result of the action by the US Federal Trade Commission (FTC, 2006). In 2008, a data breach at one of the largest credit card processing companies in the United States, Heartland Payment Systems, affected more than 600 financial institutions for a total cost of more than USD 12 million in fines and fees (McGlasson, 2009). In 2015, AT&T agreed to pay USD 25 million to settle an FTC investigation relating to data breaches involving almost 280 000 US customers (FTC, 2016).

Big data analytics presents new privacy risks to individuals’ privacy

Advances in data analytics now make it possible to infer sensitive information from data which may appear trivial at first, such as past individual purchasing behaviour or electricity consumption. This increased capacity of data analytics is illustrated by Duhigg (2012) and Hill (2012), who describe how the US-based retailing company Target “figured out a teen girl was pregnant before her father did” based on specific signals in historical buying data.24 The misuse of these insights can implicate the core values and principles which privacy protection seeks to promote, such as individual autonomy, equality and free speech, and this may have a broader impact on society as a whole.

In some cases, personal data are provided or revealed: 1) by choice, for example, through social media and e-mail; in other situations, through compulsory disclosure, for example as a pre-condition to receiving services; or 2) without awareness or consent, for example through tracking an individual’s browsing. In the European Union, more than 60% of all individuals have provided their personal data over the Internet (Figure 6.10). Most of them provide personal details (name, date of birth, identity card number) as well as contact details. But around a third of these individuals have provided other personal information such as photos, location data, and information about their health and income over the Internet. Other personal data are collected by sensors in smartphones, tablets, laptops, wearable technologies and even sensor-enabled clothing, automobiles, homes and offices. Moreover, increasingly, new data are derived or inferred based on correlations gleaned from existing data (Abrams, 2014). The type of personal data that is collected and the means used to collect such data may vary by sector (Figure 6.11). Utilities, for example, are more likely to collect big data from sensors and to use geolocation data from mobile devices. Mobile devices are also used in the transportation sector. Social media data, in contrast, are used to a large extent in accommodation and food, mainly for marketing purposes.

Figure 6.10. Individuals providing their personal information over the Internet, 2016
Percentage of individuals who used the Internet within the last year

Source: Eurostat, Digital Economy and Society (database), http://ec.europa.eu/eurostat/web/digital-economy-and-society/data/comprehensive-database (accessed March 2017).

 https://doi.org/10.1787/888933586502

Figure 6.11. Business use of big data by data source and industry in the EU28, 2016
As a percentage of all enterprises

Source: Eurostat, Digital Economy and Society (database), http://ec.europa.eu/eurostat/web/digital-economy-and-society/data/comprehensive-database (accessed March 2017).

 https://doi.org/10.1787/888933586521

By collecting and analysing large amounts of consumer data, firms are able to predict aggregate trends, such as variations in consumer demand as well as individual preferences, thus minimising inventory risks and maximising returns on marketing investment. Furthermore, by observing individual behaviour, firms can learn how to improve their products and services, or redesign them in order to take advantage of the observed behaviour. These uses may also benefit the consumer: targeted advertising may give consumers useful information, since the adverts are tailored to consumers’ interests (Acquisti, 2010). However, this ability to profile and send targeted messages and marketing offers to individuals may also have adverse consequences: some consumers may object to having their online activities observed; they may end up paying higher prices as a result of price discrimination; or they could be manipulated towards products or services they may not even need (OECD, 2015b).

The risk of online fraud is growing with the importance of e-commerce

The numbers and types of reported online fraud have increased in many countries. In countries such as Denmark, France, Luxembourg, Norway and Sweden, for example, around 2% of all individuals experienced a financial loss from fraudulent online payment in the final three months of 2015, and in many countries this share had increased compared to 2010 (Figure 6.12). In the United States alone, over 3 million complaints (excluding do-not-call) were registered in the Consumer Sentinel Network (CSN) database in 2016. “Impostor scams” (13%), “identity theft” (13%), and “telephone and mobile services” (10%) were among the most frequent complaint subcategories related to Internet usage and are growing in significance.25 That said, the rise in reported complaints is only partly attributable to Internet-based transactions; it could also result from (non-Voice over Internet Protocol [VoIP]) telephone-based incidents, and therefore needs to be assessed further with additional data. Notably, complaints in the CSN are self-reported and unverified, and do not necessarily represent a random sample of consumer injury for any particular market. The following sections present current trends related to identity theft and fraudulent and deceptive commercial practices.

Figure 6.12. Individuals having experienced a financial loss from fraudulent online payment in the last three months
As a percentage of all individuals

Notes: Data for Chile and Switzerland refer to 2014 instead of 2015. Data for Mexico refer to 2009 instead of 2010.

Source: OECD, ICT Access and Usage by Households and Individuals (database), http://oe.cd/hhind (accessed June 2017).

 https://doi.org/10.1787/888933586540

As highlighted above, personal data breaches not only cause significant economic losses to the business affected, but can also cause harm through the violation of the privacy of the individuals whose personal data have been breached. In addition, a data breach may lead to further consumer detriment, such as harm caused by identity theft. Available evidence suggests that identity theft incidents, in particular through phishing or pharming, have increased in recent years. Of the over 3 million complaints received by the CSN in the United States in 2016, for example, more than 13% were related to identity theft. Between 2008 and 2016, the number of complaints related to identity theft increased on average by more than 30% annually, with the number of complaints reaching its peak in 2015 (with more than 490 000 complaints).26 Not all complaints were related to online activities though: “Employment- or tax-related fraud (34%) was the most common form of reported identity theft, followed by credit card fraud (33%), phone or utilities fraud (13%), and bank fraud (12%)” (FTC, 2017). In 2015 there was also a large increase in the share of individuals experiencing a financial loss from phishing or pharming in many OECD countries, most notably in Belgium, Luxembourg, Sweden, Norway, Denmark and France (Figure 6.13). The share of individuals experiencing a financial loss from phishing or pharming diminished significantly only in a few countries, such as Austria, Italy, Ireland and Latvia. The extent to which public policies could have been a determinant of the decrease in incidents deserves further examination.

Figure 6.13. Individuals having experienced a financial loss from phishing/pharming in the last three months
As a percentage of all individuals

Note: Data for Switzerland refer to 2014 instead of 2015.

Source: OECD, ICT Access and Usage by Households and Individuals (database), http://oe.cd/hhind (accessed June 2017).

 https://doi.org/10.1787/888933586559

Fraudulent and deceptive commercial practices can also cause actual harm to consumers and reduce trust in e-commerce.27 According to data from econsumer.gov, an ICPEN initiative of 36 countries that allows consumers to file cross-border complaints, the top three complaint categories for 2016 were: 1) “shop at home/catalogue sales”; 2) “impostor: government”; and 3) “travel/vacations”. Similarly, available evidence for the European Union shows that consumers are increasingly facing issues related to such fraudulent and deceptive practices. The main problem encountered when buying online in the EU27, besides technical issues, was delivery taking longer than indicated. This was experienced by around 20% of all EU consumers buying online in 2016 (compared to 5% in 2009). Delivery of the wrong or a damaged product, experienced by around 10% of all EU consumers in 2016 (compared to around 4% in 2009), is another major issue. The other issues, each affecting between 3% and 6% of all EU consumers, include fraud, difficulties finding information concerning guarantees and other legal rights, final prices being higher than the ones initially indicated, and unsatisfactory handling of complaints and redress. All of these issues have increased significantly compared to 2009.

Building and reinforcing trust in the digital economy

While trust can erode over time if overexploited, it can also be built and reinforced. Individuals (including consumers) and businesses have different means at their disposal to enhance trust. For example, consumers can benefit from truthful and transparent online reviews, endorsements and product comparison tools to overcome the information asymmetry between consumers and businesses (OECD, 2016e). Furthermore, risk management practices, and in particular the risk assessment process, provide organisations with the information needed to determine whether the level of risk in their environment is acceptable for investing in, and using, a digital technology. Finally, there are trust-enhancing technologies, including, but not limited to, privacy-enhancing technologies (PETs) and digital security tools. More recently, blockchains have been discussed as an emerging technology that allows users to enhance trust in transactions without the need for a trusted third party (Chapter 7). These trust-enhancing means are discussed further below. This section does not discuss the role of public policies in enhancing trust, which is addressed in Chapter 2.

Empowering individuals and businesses remains necessary to better address trust issues

Being well informed and aware about digital security and privacy risks is a basic condition for being able to address major trust issues in the digital economy. According to the Special Eurobarometer survey (EC, 2015c), “respondents who feel well informed about the risks of cybercrime are more likely to use the Internet for all of the various activities, compared with those who do not feel well informed”. These individuals are also more likely to take measures to address these risks. For example, 32% of well-informed respondents regularly change their passwords, compared with 19% of respondents who do not feel well informed. Individuals in Denmark, the Netherlands and Sweden are more likely to be well informed about the risks of “cybercrime” and they are also less likely to be concerned about being the victim of such crime. In countries such as Greece, Hungary, Italy and Portugal the opposite is true; individuals in these countries are less likely to feel well informed about the risks of cybercrime and are less likely to use digital services such as online banking and e-commerce. This suggests that there may be a negative correlation between being informed about digital security and privacy risk, and being concerned about being a victim of digital security and privacy incidents. It also underlines the importance of awareness, skills and empowerment as reflected, for instance, in the OECD Council Recommendation Digital Security Risk Management for Economic and Social Prosperity (OECD, 2015a).28

In the area of privacy, the importance of awareness, skills and empowerment has also long been recognised (OECD, 2015b). In particular, means to provide individuals with better mechanisms to control their personal data have been discussed, such as data portability (see Chapter 2). As shown in Figure 6.14, for instance, 60% of individuals in the European Union are already managing access to their personal data. They do so by: 1) limiting the use of their personal data for advertising purposes (40% of all individuals); 2) limiting access to their social networking profiles (35%); 3) restricting access to their geographic location (30%); and 4) asking websites to update or delete information held about them. It is interesting to note that individuals in countries such as Denmark, the Netherlands and Sweden, where being well informed about the risks of “cybercrime” is more likely, also tend to be more likely to manage their personal information over the Internet. In contrast, countries where individuals feel less well informed about the risks of “cybercrime” also rank below average in terms of the share of individuals managing the use of their personal information over the Internet. The following sections discuss trends in the means to empower individuals and businesses, including the use of trust-enhancing technologies, the reduction of information asymmetries, and the development of skills and competencies related to digital security and privacy (risk management).

Figure 6.14. Individuals managing the use of their personal information over the Internet, 2016
Percentage of individuals who used Internet within the last year

Source: Eurostat, Digital Economy and Society (database), http://ec.europa.eu/eurostat/web/digital-economy-and-society/data/comprehensive-database (accessed March 2017).

 https://doi.org/10.1787/888933586578

Trust-enhancing technologies are needed but not sufficient for empowering individuals and businesses

There is strong evidence of the increasing use of trust-enhancing technologies. There are, however, also significant variations by country, firm size and industry. According to the 2016 Ponemon State of Cybersecurity in Small and Medium-Sized Businesses survey, anti-malware, client firewalls and password protection/management rank among the most widely used security tools. In Korea, the 2015 Survey on Information Security in Business revealed that by far the largest proportion of respondents invested in, or planned to invest in, wireless local area network (LAN) security.

As products (goods and services) and business processes become more data-intensive, and data proliferate to more and more locations, such as mobile devices and the cloud, encryption is increasingly seen as a necessary supplement to existing infrastructure-centric protection measures. According to a 2016 Encryption Application Trends Study sponsored by Thales e-Security and covering over 5 000 respondents in 14 major industry sectors and 11 countries, encryption use reached its highest level in the 11-year history of the survey, after accelerating in 2014. More companies are also embracing an enterprise-wide encryption strategy. In 2015, 41% of surveyed businesses indicated having extensively deployed encryption, compared to 34% in 2014 and 16% in 2005 (Figure 6.15). Germany, the United States, Japan and the United Kingdom rank above average in terms of the share of businesses having deployed, or deploying, an enterprise-wide encryption strategy (with 61%, 45%, 40% and 38% respectively). Surveyed businesses indicate privacy compliance regulation,29 and digital security threats targeting in particular intellectual property as well as employee and customer data, as the main reasons for the fast increase in encryption adoption in recent years. In particular, firms in heavily regulated industries dealing extensively with (big) data rank high among the list of extensive encryption users. These include most notably financial services, healthcare and pharmaceuticals, and technology and software firms.

Figure 6.15. Extensive deployment of encryption by businesses worldwide

Note: Based on over 5 000 respondents from 14 industry sectors and 11 countries across the globe.

Source: Thales e-Security (2016), 2016 Encryption Application Trends Study.

 https://doi.org/10.1787/888933586597

Internet communications (e.g. Transport Layer Security [TLS] or its predecessor Secure Sockets Layer [SSL]) still rank highest among the applications of encryption across industries, ahead of databases and mobile devices. SSL is a security protocol used by Internet browsers and web servers to exchange sensitive information such as passwords and credit card numbers. It relies on a certificate authority, such as those operated by companies like Symantec and GoDaddy, which issues a digital certificate containing a public key and information about its owner, thereby confirming that a given public key belongs to a specific site. In doing so, certificate authorities act as trusted third parties. In the past, however, there has been a series of security incidents targeting certificate authorities (see for example the 2001 security incident affecting DigiNotar, a company based in the Netherlands).
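The trust model described above, as an added example (not from the report or any of the vendors it names): a constructed toy certificate authority signs a certificate binding a public key to a site name, and a client verifies it the way a browser does. The third scenario shows why an incident at a certificate authority matters: once the authority's root is removed from the trust store, every certificate it issued stops validating. Only the Go standard library is used; all names are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// toyCA stands in for a commercial certificate authority: a self-signed root
// certificate plus the private key used to sign certificates for sites.
// This is a constructed example, not a real authority.
type toyCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newToyCA generates a self-signed root certificate with the given name.
func newToyCA(name string) (*toyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &toyCA{cert: cert, key: key}, nil
}

// issueServerCert has the authority sign a certificate that binds a freshly
// generated public key to a DNS name: the "confirmation" the text refers to.
func (ca *toyCA) issueServerCert(host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &leafKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServerCert is the check a browser performs: the certificate must chain
// to a root in the trust store and must name the site actually being visited.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// trustScenarios reports whether verification succeeds when (1) the chain and
// host name are correct, (2) the same certificate is presented for another host,
// and (3) the issuing authority has been removed from the trust store, which is
// how browser vendors respond to a compromised certificate authority.
func trustScenarios() (map[string]bool, error) {
	ca, err := newToyCA("Toy Root CA (placeholder)")
	if err != nil {
		return nil, err
	}
	leaf, err := ca.issueServerCert("shop.example") // placeholder site name
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.cert)
	distrusted := x509.NewCertPool() // empty, non-nil: the root has been pulled
	return map[string]bool{
		"trusted":       verifyServerCert(leaf, trusted, "shop.example") == nil,
		"wrong-host":    verifyServerCert(leaf, trusted, "bank.example") == nil,
		"ca-distrusted": verifyServerCert(leaf, distrusted, "shop.example") == nil,
	}, nil
}

func main() {
	res, err := trustScenarios()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"trusted", "wrong-host", "ca-distrusted"} {
		fmt.Printf("%-14s verified=%v\n", k, res[k])
	}
}
```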

Netcraft carries out monthly secure server surveys on public secure websites (excluding secure mail servers, intranet and non-public extranet sites). According to the March 2017 survey, more than 27 million secure servers were deployed worldwide. This corresponds to a compound average growth rate of 65% annually (compared to 2.2 million in 2012). Growth rates accelerated in 2014. Prior to that the number of servers grew by around 20% year-on-year.30 The number of secure servers hosted in the OECD area was slightly above 14 million in March 2017, accounting for 83% of the total number of secure servers hosted worldwide.31 The United States accounted for the largest share of secure servers (6.2 million), at 38% of the world total. It was followed by Germany (1.7 million) and the United Kingdom (953 000) (Figure 6.16). Relative to the total number of sites hosted, however, most countries still perform poorly in terms of the share of secure servers over their total number of servers hosted. In the United States, for example, less than 1% of all servers hosted use SSL/TLS.32

Figure 6.16. Secured servers by hosting country, March 2017
As a percentage of total number of secured servers and in millions

Source: Netcraft, www.netcraft.com, (accessed April 2017).

 https://doi.org/10.1787/888933586616

The use of encryption has also intensified in the market for consumer goods and services, where companies such as Apple and Google continue to increase their default use of encryption (OECD, 2015b). These firms’ latest mobile operating systems encrypt nearly all data at rest (in addition to data in transit) by default. Additionally, demand for end-to-end encryption has increased considerably in recent years, with apps such as Signal Private Messenger and Threema being increasingly adopted and massively popular apps like WhatsApp also rolling out end-to-end encryption.33 Users’ increasing interest in encryption is also reflected in the adoption of PETs such as OpenPGP (Pretty Good Privacy), data-encryption software most commonly used to secure e-mails. According to data collected by Fiskerstrand (2017), more than 1 100 new PGP keys are added every day. The data show in particular that in the months following the Snowden disclosures (Q3 2013), PGP key creation reached the highest levels in the history of the software, with almost 101 000 new PGP keys being added in Q3 2017 (Figure 6.17). This correlation does not imply causation and would call for further analysis.

Figure 6.17. Trends in newly created OpenPGP keys
OpenPGP keys generated daily

Source: Author’s calculations based on data collected by Kristian Fiskerstrand (sks-keyservers.net) (accessed June 2017).

 https://doi.org/10.1787/888933586635

Another example of a PET showing a similar adoption pattern is Tor (originally the acronym for The Onion Router), an anonymity network that allows anyone to use the Internet without easily revealing their location or identity.34 Figure 6.18 shows that the total number of Tor users worldwide increased dramatically in mid-2013 following the Snowden disclosures.35 Although it dropped rapidly as well, the number of daily users has settled at a new level of around 2 million since the Snowden disclosures, compared to around half that number before. Most daily users are located in the United States (around 20%), followed by Germany, the Islamic Republic of Iran, France, Italy, Korea and the Russian Federation.

Figure 6.18. Daily numbers of directly connecting users from all countries, September 2011-August 2017

Source: The Tor Project, https://metrics.torproject.org, (accessed August 2017).

 https://doi.org/10.1787/888933586654

Reviews, endorsements and product comparison tools are becoming increasingly important for consumers

Consumers increasingly inform their purchasing decisions by consulting online reviews and endorsements by other consumers. A 2013 web survey by the European Consumer Centres Network shows that 82% of respondents look at consumer reviews before shopping online (ECCN, 2015). In its report on “Online reviews and endorsements”, the Competition Markets Authority found that more than half of UK adults use online reviews and estimated that GBP 23 billion (USD 28.5 billion) per year of consumer spending is influenced by online reviews (CMA, 2015a). The influence of reviews and endorsements is further increasing with the development of the peer platform market, where trust in unknown sellers is often based on such reviews. Businesses are also increasingly using reviews as a form of advertising their product. This further amplifies the importance of making sure reviews and endorsements in peer platform markets are not misleading (ICPEN, 2016).

Authentic reviews benefit consumers by providing unbiased information and peer feedback on the quality of products and services. They can make consumers feel empowered by providing them with an opportunity to question information provided by businesses. They also provide businesses with feedback that can help them to improve their products and services. The rapid increase in the uptake and use of these tools, and the influence they can have on consumer decisions, have, however, given rise to concerns about their trustworthiness. Concerns have been expressed about whether reviews are truly representative of consumer experiences (EC, 2017). One specific issue is fake reviews, which can mislead consumers into taking decisions that they would not have taken otherwise, resulting in financial loss and diminished enjoyment of those goods and services. Consumers tend to assume that the information provided is trustworthy. A 2014 consumer review survey shows that Canadian and US consumers are inclined to trust what they read, with 88% reporting that they have as much confidence in online reviews as they do in personal recommendations. Conversely, research in 2016 suggests that three-quarters of consumers surveyed in ten EU countries have trust-related reservations about online reviews (EC, 2017). It is difficult to evaluate the extent of the problem of fake reviews, with estimates ranging from 1% to 16% of all reviews (Valant, 2015).

Closely related to reviews are product endorsements and testimonials, which are statements that draw on the experience an individual has had with a good or service. Here again the trustworthiness issue is raised, with some endorsements resulting from commercial relationships that businesses have not disclosed to consumers. For example, celebrities sometimes promote the use of a specific product in social media, without disclosing that they have been paid to do so or have received other benefits, such as free products or trips (Frier and Townsend, 2016). The 2016 OECD Recommendation of the Council on Consumer Protection in E-commerce (OECD, 2016d) addresses this conduct, stating that “Endorsements used in advertising and marketing should be truthful, substantiated and reflect the opinions and actual experience of the endorsers. Any material connection between businesses and online endorsers, which might affect the weight or credibility that consumers give to an endorsement, should be clearly and conspicuously disclosed”. In line with this recommendation, a number of OECD countries have taken enforcement actions to address this issue.

Another aspect of the changing consumer information environment is price and product comparison websites. These have become a popular type of consumer tool in many sectors such as insurance, energy, telecommunication services and payment cards. A 2015 survey conducted by the UK Competition & Markets Authority shows that 71% of respondents who shopped online in the last three years used a price and product comparison website to search for information (CMA, 2015b). These comparison websites can help consumers feel more informed and empowered by allowing them to access information about various offers more easily and reducing the search time. It also allows consumers to act on this information by providing highly customised analysis of the best value for the goods and services they purchase (UKRN, 2016).

Despite a number of benefits for consumers, the effectiveness of comparison websites can be undermined by misleading and deceptive advertising. A study commissioned by the European Commission found that two-thirds of the consumers using comparison tools had experienced a problem in the process, such as the unavailability of the product advertised on the seller’s website (32%) or incorrect prices (21%). Most of the comparison tools tested did not disclose information on their business model or their relationship with suppliers (ECME Consortium, 2013). A 2014 study of online hotel reviews highlighted different transparency issues, with only around 30% of websites providing an explanation of how their scoring or rating system works (EC, 2014).

Security and privacy-related skills and competencies are crucial and their demand is growing rapidly

The growing importance and visibility of security and privacy risks has increased the number of potential new jobs for experts in these areas. Demand for security expertise is characterised by a continuation of the steady growth evident over the last decade, while growth in demand for privacy professionals has accelerated rapidly in recent years (Figure 6.19). However, locating available professionals with the required skills and expertise in privacy and security remains a challenge for organisations looking to strengthen their capacities in these areas (OECD, 2015a).

Figure 6.19. Trends in the numbers of certified privacy and security professionals
Index 100 = 2005

Note: (ISC)2 is an international non-profit membership association focused on inspiring a safe and secure cyber world. The International Association of Privacy Professionals (IAPP) is a non-profit membership association.

Sources: Author’s calculations based on OECD (2015a), Digital Security Risk Management for Economic and Social Prosperity: OECD Recommendation and Companion Document, https://doi.org/10.1787/9789264245471-en; (ISC)2 (2015), “The 2015 (ISC)² global information security workforce study”, https://www.boozallen.com/content/dam/boozallen/documents/Viewpoints/2015/04/frostsullivan-ISC2-global-information-security-workforce-2015.pdf; IAPP (2016), “IAPP-EY annual privacy governance report 2016”, https://iapp.org/media/pdf/resource_center/IAPP-2016-GOVERNANCE-SURVEY-FINAL2.pdf.

 https://doi.org/10.1787/888933586673

The (ISC)2 (International Information Systems Security Certification Consortium) estimates the size of the global digital security workforce in 2014 at 3.4 million people and forecasts a compound average growth rate of almost 6% over the five years to 2019. According to the distribution of survey respondents, 46% are practitioners (mainly information security analysts) and the rest are leaders: chief information security officer (CISO) and executive levels (12%), managers (20%), auditors (5%), and architects and strategic advisors (17%) ((ISC)2, 2015). Employment numbers for individual countries are still scarce, but evidence from Korea and the United States can be used to illustrate some global trends. The Korean 2014 Information Security Workforce Survey reports 94 224 information security specialists employed at the end of 2013. The number of information security specialists in Korea continues to grow: in 2013, 10 000 additional workers were employed, and the number of additional employees is expected to exceed 11 000 in the years to come. This growth mainly results from more hiring in middle and top-level positions, whereas entry-level recruitment is expected to remain flat, confirming the impact of Korean national policy on CISOs. Official data for the United States are available only for information security analysts, a subset of digital security specialists. There were 80 180 such analysts in US firms in 2014, of whom only 18% were women. Employment increased by 3% that year compared to 2013.

In terms of privacy professionals, the number of members of the International Association of Privacy Professionals (IAPP) – the largest association of privacy professionals and the one with the widest global reach36 – can be used as a proxy for employment trends related to privacy. The IAPP’s membership numbers have continuously increased, from over 10 000 in 2012 to more than 26 000 in 2016, in nearly 90 countries around the world. Recent developments have been driven by regulation setting the parameters for the development of a privacy workforce, including chief privacy officers and their staff. Organisations affected by the new GDPR, which enters into force on 25 May 2018 to replace the EU Data Protection Directive, have expressed an increasing demand for data protection specialists. It is estimated that around 30 000 to 75 000 new positions will be created in the coming years in response to the new regulation, given in particular the requirement for data controllers and processors to designate a data protection officer in specific cases37 (Ashford, 2016a; 2016b). Policies and regulations stimulating demand for privacy professionals are not limited to the European Union, but can be found in countries such as Canada, Korea and the United States, to name just a few (see Chapter 2).38

According to many forecasts, demand for digital security experts will also continue to increase worldwide. In the United States, the Bureau of Labor Statistics forecasts demand for information security analysts to grow much faster (37%) than the average for computer-related occupations (18%) (Bureau of Labor Statistics, 2014).39 This is reflected in the total number of job vacancies for information security analysts, which is generally growing in the United States as in other OECD countries. According to Burning Glass data, the average vacancy duration for cybersecurity occupations (skills) in the United States in 2016 was 33% (44%) higher than for all IT specialists (skills). Job vacancies reached their highest level in the last quarter of 2014 (over 17 000 job postings in the United States). Despite some divergent trends in 2013, when job vacancies for information security analysts grew much faster than employment (first and third quarters of 2013), both job vacancies and people employed have grown at the same pace since the beginning of 2014 (Figure 6.20). The fact that this ratio has remained relatively stable in recent years shows that demand for information security analysts exists, but also that, to some extent, employers are finding people to fill the postings.

Figure 6.20. Information security analyst job vacancies and employment in the United States

Source: Data on employment are from the Current Population Survey, https://www.census.gov/programs-surveys/cps.html (accessed October 2015) and data on job postings are provided by Labor/Insight Jobs (Burning Glass Technologies), October 2015.

 https://doi.org/10.1787/888933586692

That said, there is a general feeling that a workforce shortage persists. The increasing number of digital security incidents, employers’ requirements for advanced education, and the growing need for credentials and longer experience in the field are seen as key reasons for the shortage. (ISC)2 finds that information security specialists are growing in number but still do not fully meet market demand in terms of all the challenges to be addressed. The main reasons for the hiring challenge remain: 1) an insufficient understanding of the requirements of digital security risk management, in particular among business executives; 2) a lack of financial resources; 3) the shortage of digital security specialists in the labour market; and, as a consequence, 4) difficulty retaining existing digital security specialists.40

The above-mentioned challenges are particularly pertinent for SMEs, which rarely (can) have a dedicated person for digital risk management, such as a CISO, a data protection officer or equivalent. This is perhaps not surprising given that small businesses, by definition, have a lower headcount than medium or large businesses, and are thus less likely to employ a dedicated person responsible for digital risk management. The 2016 Cyber Security Breaches Survey in the United Kingdom found that a lower proportion of smaller businesses had board members with responsibility for digital security (21% of micro, 37% of small, 39% of medium and 49% of large businesses). The 2012 US National Cyber Security Alliance (NCSA) and Symantec National Small Business Study found that 90% of respondents did not have an internal IT manager whose job was solely focused on technology-related issues. Moreover, 11% of respondents felt they had no one responsible for online and digital security at their business. Similarly, according to the 2016 Ponemon State of Cybersecurity in Small and Medium-Sized Businesses Survey, 35% of respondents felt that “no one function determines IT security priorities” in their business.41 When combined with the findings of the NCSA/Symantec study, it might be inferred that overall between 10% and 30% of SMEs do not have any one person dedicated to digital risk management issues. In terms of privacy-related responsibilities, surveys confirm that large companies are more likely to employ numerous professionals with full-time or part-time privacy duties, while smaller organisations employ just a few, if any at all. The IAPP (2016) survey, for example, shows that companies with more than USD 25 billion in revenue employ an average of 15 full-time privacy staff, while those with less than USD 100 million in revenue generally have just 1 full-time privacy professional.

Attracting younger people and women to the field of security and privacy is still a challenge. Regarding information security professions, some efforts have been undertaken to make the field more attractive and rewarding. Historically, information security jobs have tended to be very technical, but technical skills alone are not sufficient to resolve the complex risk management dilemmas that business leaders and decision makers confront today and will confront in the future (OECD, 2015a). As previously mentioned, the skills and competencies required of information security specialists are slowly changing. This is especially evident for leaders, who see increasing importance in managerial roles and in governance, risk and compliance roles. According to a PricewaterhouseCoopers survey of information security leaders, the three main roles of a CISO42 are to: 1) communicate risks and strategies to the executive board; 2) treat information security as an enterprise risk management issue; and 3) understand the complex and competitive business climate. The responsibilities and competencies of CISOs have become increasingly visible and critical (PwC, 2015). Overall, this will lead to a rising demand for skills and competencies related to digital security risk.

One widely adopted means to enhance skills and competences on digital security risk is (on-the-job) training. Across surveys, 15% to 30% of businesses provide some form of training or skills development related to digital security risks. The 2012 NCSA/Symantec National Small Business Study in the United States found that 29% of small businesses provided training to their employees on how to keep their computers secure. The 2015 Survey on Information Security and Businesses in Korea found that 15% of businesses provided information security education. This was approximately 2% more than in 2014. The UK Department for Business Innovation and Skills (2014) Digital Capabilities in SMEs Survey found that 14% of respondents had received support or advice relating to digital security over the previous 12 months. According to the 2016 Cyber Security Breaches Survey in the United Kingdom, smaller businesses were less likely to provide digital security training than larger businesses (Klahr et al., 2016). For instance, 12% of micro-sized businesses provided digital security training over the prior 12 months, compared to 22% of small, 38% of medium and 62% of large businesses.

Organisations have also significantly increased their privacy-related investments, including for developing policies, training, certification and communications, but also for audits and data inventories. Evidence strongly suggests that these investments will continue to grow in the near future. According to the IAPP (2016) survey, for instance, the median total investment in privacy across all surveyed organisations increased by almost 50%, from slightly above USD 277 000 in 2015 to around USD 415 000 in 2016. This corresponds to an average investment of USD 1.7 million per organisation, which was spent on average on the salary of the privacy team (accounting for 35% of total investments) and external spend by the privacy team (27%), with the remainder as salary and spend by the rest of the organisation (38%).43 It should be noted that while larger organisations tend to have bigger privacy budgets, they also tend to invest greater amounts outside their core privacy team, in contrast to smaller companies, which dedicate a greater proportion of their budgets to the privacy team itself.

Associations of privacy professionals also play a crucial role in fostering skills development. Besides the IAPP, senior privacy officers involved in the practical implementation of privacy initiatives can meet and exchange ideas through associations such as the Privacy Officers Network, and national bodies such as the Association française des correspondants à la protection des données à caractère personnel in France, and the Asociación Profesional Española de Privacidad in Spain. These associations provide training, certification, conferences, publications, professional resources and industry research to their growing number of members.

Risk management can help ensure the protection and support of economic and social activities

Risk management has become the recommended paradigm for addressing challenges related to digital risk and trust. The OECD Council Recommendation on Digital Security Risk Management for Economic and Social Prosperity, for instance, emphasises a risk management policy framework to address digital security issues.44 The 2013 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data also recommend taking a risk-based approach to implement the privacy principles and enhance privacy protection (OECD, 2013).45 The following sections discuss the adoption of a risk-based approach to security and privacy by organisations.

Organisations, and in particular small and medium-sized enterprises, are lagging behind in implementing digital security risk management practices

Organisations are increasingly adopting a risk-based approach to security, which is reflected, among other things, in the increasing demand for digital security risk management skills and competencies discussed above. However, the share of organisations with effective risk management approaches to security remains far too low. Furthermore, the proportion of businesses that had a formal digital security plan also varies widely across countries and by firm size. Results from the Eurostat Community Survey on ICT usage and e-commerce in enterprises consistently indicate that SMEs were less likely to have a formally defined ICT security policy across all reporting EU countries in 2015. In almost all countries, the differential between SMEs and large enterprises was approximately 30 percentage points (Figure 6.21). Furthermore, for a security plan and associated risk mitigation measures to remain effective over time, monitoring and periodic audit/evaluation are required. Of those businesses that had a digital security plan in place, which ranged from approximately one-third to two-thirds of businesses, the majority undertook at least a periodic internal audit. Results from the same Eurostat survey indicate that, in 2015, of those enterprises that did have an ICT security plan, SMEs were less likely than large enterprises to have reviewed their strategy over the past year.

Figure 6.21. Enterprises having a formally defined ICT security policy by size, 2015
As a percentage of all enterprises in each employment size class

Source: Eurostat, Digital Economy and Society (database), http://ec.europa.eu/eurostat/web/digital-economy-and-society/data/comprehensive-database (accessed March 2017).

 https://doi.org/10.1787/888933586711

The observed gap between larger and smaller firms is consistent with the results of the 2016 Cyber Security Breaches Survey in the United Kingdom. The survey found that lower proportions of smaller businesses had formal policies covering digital security risks, or had digital security risks documented in their business continuity plans, internal audits or risk registers. This trend held for the proportion of businesses with formal digital security incident management processes as well. At the same time, a 2013 survey of business leaders by the Economist Intelligence Unit (2013) suggests that most companies, and particularly SMEs, are failing to create a culture of risk awareness. Data from a 2012 study co-sponsored by the NCSA and Symantec, as well as a 2013 Study of the Impact of Cyber Crime on Businesses in Canada, also confirm these findings.46

A number of obstacles preventing the effective use of risk management for addressing trust issues can be identified. Across those surveys that asked respondents about the biggest obstacles to more effective digital risk management practices, the highest rated obstacle was consistently related to insufficient budget. A lack of qualified personnel also figured prominently. The 2015 Survey on Information Security in Business in Korea found that “securing budget for information security” was the highest rated obstacle among respondents. This was followed by “securing information security professionals” and “operation of information security personnel”. The 2012 NCSA/Symantec National Small Business Study in the United States also highlighted “no additional funds to invest” as the biggest obstacle to implementing more robust digital security solutions, ahead of the lack of technical skills or knowledge. A similar outcome can be observed in the 2016 Ponemon State of Cybersecurity in Small and Medium-Sized Businesses Survey.

Applying risk management to privacy protection is still challenging for most organisations

As noted above, privacy risk can directly affect business reputation, revenues and trust in the marketplace, with respect to customers, shareholders, employees and other stakeholders. Customers are often hesitant to do business with an organisation that does not adequately protect its data, and the damage to a firm’s reputation could dissuade enough customers that the company is no longer viable.47 The financial impacts of a privacy breach involving personal data can also be significant. A small business in particular, lacking the resources to pay for legal assistance, forensic investigations, the required notifications, remediation measures, and the fines, penalties or judgments that could arise in the event of a privacy breach, might well find itself out of business.

Despite the recognition of the need to treat privacy as an economic and social risk, and the potential to address it as a strategic issue that could provide a competitive advantage in the marketplace, many organisations still tend to approach privacy solely as a legal compliance issue. Many SMEs, even if they recognise that privacy protection is good for their business, often lack the resources and expertise needed to effectively manage the privacy-related risks discussed above. Where they have resources, SMEs often tend not to recognise the distinction between privacy and security risk, even when privacy risk may be unrelated to security, for example when personal data is processed by the organisation in a manner that infringes on individuals’ rights. This is consistent with the findings of a study of business practice in Canada funded by Canada’s Office of the Privacy Commissioner, which notes that privacy risk management is much talked about but poorly developed in practice (Greenaway, Zabolotniuk and Levin, 2012).

While the study by Greenaway, Zabolotniuk and Levin (2012) may indicate a lack of understanding of how to implement privacy regulatory requirements, it may also reflect a lack of organisational strategies on how to deal with privacy risk and a gap in the assignment of responsibilities. This is consistent with evidence showing that many businesses, and SMEs in particular, lack a formal policy to manage privacy risks. Across OECD countries for which data are available, only 10% to 40% of all businesses had such a formal policy in 2015 (Figure 6.22). Greenaway, Zabolotniuk and Levin (2012) conclude that “integrating privacy risk into an organisation’s risk management strategy requires an understanding of the type or categorisation of risk and where it should reside within the risk management structure”. This is not straightforward, as risk managers often do not view privacy as within their remit and IT managers see risk management in the context of technical digital security (Greenaway, Zabolotniuk and Levin, 2012). Those responsible for privacy see the management of risk either as captured by activities such as privacy impact assessment, or as not their responsibility. Privacy is seen either as a digital security issue or as a compliance issue. Privacy risk management is therefore often viewed as “someone else’s responsibility”.

Figure 6.22. Enterprises having a formal policy to manage digital privacy risks, 2015
As a percentage of all enterprises in each employment size class

Note: For Korea data refer to 2014; for Iceland, Lithuania and Turkey to 2010. Data for Switzerland follow a different methodology.

Source: OECD, ICT Access and Usage by Businesses (database), http://oe.cd/bus (accessed August 2017).

 https://doi.org/10.1787/888933586730

Digital risk insurance markets that enable the transfer of digital risks are emerging

From a business perspective, digital risk insurance is viewed principally as one means to transfer risk outside the firm. As the financial outlay of dealing with a breach becomes more expensive, with the added effort of dealing with mandatory notification, the option of using digital risk insurance will become more attractive for many small and large businesses. Perhaps more importantly, the greatest potential of digital risk insurance may lie in helping firms, organisations and individuals better understand and evaluate digital risk and harness the opportunities from better risk management practices. In addition, digital risk insurance could generate valuable empirical data that would provide an important evidence base to support digital risk management policy, as is the case for notification requirements.

However, in practice, insurance companies have been somewhat cautious about covering the risk associated with widespread business use of ICTs or with non-tangible assets such as personal data. Today, standard insurance policies are not designed to cover digital security and privacy risks. This can be attributed to the uncertainties around definitions of digital risk based on different causes and consequences, the absence of relevant data on past incidents and losses, the limited actuarial information available on the frequency and magnitude of actual and potential digital security and privacy incidents, and the ever-evolving nature of digital risks, all of which are major challenges for the insurance sector. As a result, digital risk insurance is still an emerging market.

Providers of this type of insurance today are located mainly in the United States and the United Kingdom. The market for digital risk insurance in the United States was about USD 2 billion in 2014. Recent reports indicate that the market continues to broaden, especially in the healthcare and SME insureds segments (Betterley, 2015). The European market remains far smaller, at only around USD 150 million in gross written premiums, although with an annual growth of 50% to 100%. Although governments are beginning to explore the opportunities of digital risk insurance, its potential remains largely untapped, even in more advanced markets such as the United States and the United Kingdom. The 2016 Cyber Security Breaches Survey in the United Kingdom, for instance, shows that only a minority of respondents (37%) thought that they had some form of digital security insurance coverage. Similarly, the 2014 FERMA survey also reveals that the majority of respondents (72%) did not have any coverage. Of those that did, the largest proportion (19% of all respondents) had coverage of less than EUR 50 million.48 In general, the proportion of businesses reporting coverage increased with firm size across all incident categories except for “theft or loss of hardware”.

Peer platform markets raise new trust issues but also bring new opportunities to address them

Peer-to-peer transactions have long played a role in commerce, but online platforms enable them on a much greater scale. By one estimate, 191 million consumers across the EU28 concluded a transaction on a peer platform market between May 2015 and May 2016 (EC, 2017). Early examples include platforms for the sale of goods (e.g. online auction sites). Newer models include the rental of short-term accommodation and transport or mobility services. Using real-time geolocational data accessed through mobile apps, mobility services can be used to rent private cars, rides and parking spaces. Other areas being transformed by these platforms involve small jobs, meal services and financial services. These business models are often described as the “sharing” economy or “collaborative consumption”, but those terms do not capture the commercial exchange dimension that is commonplace in these markets.

These business models open up economic opportunities for the individuals supplying the goods or services (“peer providers”) and for the platforms making the connections (“peer platforms”). Reliable data on transactions over peer platforms are still scarce, but for the largest platforms the estimates are impressive. Founded in 2008, Airbnb estimated its 2015 revenues at USD 900 million, which would mean it operated a market of around USD 7.5 billion in 2015 (Kokalitcheva, 2015). Uber, founded in 2009, estimated that its global bookings would amount to about USD 10 billion in 2015 (Zhang and Shih, 2015). Participation by consumers is likewise significant. For example, 72% of adults in the United States were found to have used at least 1 of 11 different “shared and on-demand services”, and 17% of Europeans have used the services of “collaborative platforms” at least once (OECD, 2016g).

Consumer motives for engaging in these markets centre mainly on financial considerations and the quality and experience of services and products. Consumers can benefit from a large choice of goods and services at a better price or higher quality, the convenience and ease of use of peer platforms’ services, as well as a better social experience (e.g. living in a real home instead of staying at a hotel is more authentic and can contribute greatly to the cultural experience of travelling) (OECD, 2016e).

Although there is an emerging body of research on the benefits of peer platform markets, there has been little research, to date, on potential consumer problems. Identifying and measuring the nature and magnitude of possible consumer detriment in this area, a key input to evidence-based policy making, has therefore been based mainly on limited data and anecdotal evidence. Nonetheless, some possible detriments have been identified, such as lack of adequate information (for instance regarding the nature of the product or service and the conditions of delivery), costs of flawed products or inadequate services, inflated or unfair pricing, injury or adverse effects on health, compromise of consumer data and restricted choice (OECD, 2016e). Detriments can take many forms, financial or non-financial, and may not be easily revealed, if at all. Some of these issues are not specific to peer platform markets but may be exacerbated by the diversity and number of peer providers. In a 2016 survey, more than half (55%) of consumers in ten EU countries reported having experienced a problem on a peer platform market, with the most frequent problems related to poor quality or misleading descriptions. Problems with the quality of products/services appear to be almost twice as frequent in peer-to-peer markets (29%) as in online purchases in general (15%). However, the same consumers rate the personal detriment they experienced as low to medium (EC, 2017).

In addition, consumers can encounter issues of trust in their use of peer platforms in many different contexts: trust in the reliability and qualifications of the peer provider; trust in the asset or service; and trust in the guarantees and safeguards offered by the peer platform. As a result, platforms have developed a number of practical, innovative mechanisms to address concerns and inhibitors to consumer engagement. The most common categories of trust-building mechanism developed by peer platform markets are (OECD, 2016e):

  • Review and reputation systems. These are a central element in helping peer consumers to make informed choices. In addition to having a critical trust-building function, these systems can also be a factor in regulating behaviour through monitoring, feedback systems and the exercise of peer pressure.

  • Guarantees or insurance. In response to negative experiences with accidents, but also theft and fraud, a number of peer platforms have introduced guarantees. Airbnb, for example, offers guarantees for both guests and hosts to cover accidents and instances of intentional theft and vandalism. Similarly, eBay and Uber offer guarantees, as do others, though all with varying conditions.

  • Verified identities. Some peer platforms take steps to verify the identity of peers. One cause of consumer detriment can be the inability to contact the peer provider in case of problems and verified identities can be useful in resolving disputes.

  • Pre-screening. Some peer platforms offer pre-screening of peer providers, usually through verification of external databases, such as motor vehicle records or criminal background checks.

  • Secure payment systems. Many peer platforms offer secure payment services, often in co-operation with established external payment systems. It is important to note that many of these payment systems are themselves subject to governmental regulation or oversight.

  • Education, checklists and forms. Many peer platforms invest in educating their users, including with respect to possible legal or other obligations that may apply to traders, drivers or hosts. Of course, the value of this information will vary and depends in particular on its accuracy.

The rapid rise of peer platforms might suggest that trust mechanisms like those described above are, in fact, building consumer confidence in these new platforms. Yet many observers have questioned the extent to which these trust mechanisms are an effective substitute for regulation (especially for certain health- and safety-related regulations) and have pointed to problems of bias as well as false or misleading reviews. They have also noted that many of these trust mechanisms, such as reputation systems, effectively place the burden of monitoring on consumers, which may come at a particular cost for less able consumers. Accordingly, the OECD is conducting further research to obtain a better understanding of which mechanisms work best and in which circumstances.

References

Abrams, M. (2014), “The origins of personal data and its implications for governance”, background paper for the OECD Expert Roundtable Discussion, 21 March, http://informationaccountability.org/wp-content/uploads/Data-Origins-Abrams.pdf.

Acquisti, A. (2010), “The economics of personal data and the economics of privacy”, Background Paper #3, Joint WPISP-WPIE Roundtable, 1 December, www.oecd.org/sti/ieconomy/46968784.pdf.

Arbor Networks (2017), Worldwide Infrastructure Security Report Volume XII, Arbor Networks, www.arbornetworks.com/insight-into-the-global-threat-landscape.

Arbor Networks (2016), Worldwide Infrastructure Security Report Volume XI, Arbor Networks, www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf.

Ashford, W. (2016a), “GDPR will require 28,000 DPOs in Europe and US, study shows”, ComputerWeekly, 20 April, www.computerweekly.com/news/450283253/GDPR-will-require-28000-DPOs-in-Europe-study-shows.

Ashford, W. (2016b), “GDPR will require 75,000 DPOs worldwide, study shows”, ComputerWeekly, 10 November, www.computerweekly.com/news/450402719/GDPR-will-require-75000-DPOs-worldwide-study-shows.

Australian Government (2016), “Australian Consumer Survey 2016”, Commonwealth of Australia, http://consumerlaw.gov.au/australian-consumer-survey.

BBC (2017), “NHS cyber-attack: GPs and hospitals hit by ransomware”, BBC, 13 May, www.bbc.com/news/health-39899646.

BBC (2015), “Sony Pictures computer system hacked in online attack”, BBC, 25 November, www.bbc.com/news/technology-30189029.

Betterley, R. (2015), “The Betterley report: Cyber/Privacy Insurance Market Survey 2017”, Betterley Risk Consultants, Inc., Sterling, Massachusetts, www.irmi.com/online/betterley-report-free/cyber-privacy-media-liability-summary.pdf.

Bureau of Labor Statistics (2014), Occupational Outlook Handbook, 2014-15 Edition, US Department of Labor, January, www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm.

Cisco (2016), Annual Security Report 2016, www.cisco.com/c/dam/assets/offers/pdfs/cisco-asr-2016.pdf.

CMA (Competition & Markets Authority) (2015a), “Online reviews and endorsements: Report on the CMA’s call for information”, Competition & Markets Authority, London, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/436238/Online_reviews_and_endorsements.pdf.

CMA (2015b), “Energy market investigation”, a report by GfK NOP, Competition & Markets Authority, London, February, https://assets.publishing.service.gov.uk/media/54e75c53ed915d0cf700000d/CMA_customer_survey_-_energy_investigation_-_GfK_Report.pdf.

CSIS (2014), “Net losses: Estimating the global cost of cybercrime: Economic impact of cybercrime II”, McAfee, Inc., Santa Clara, California, www.mcafee.com/jp/resources/reports/rp-economic-impact-cybercrime2.pdf.

Duhigg, C. (2012), “How companies learn your secrets”, The New York Times, 16 February, www.nytimes.com/2012/02/19/magazine/shopping-habits.html.

ECCN (European Consumer Centres Network) (2015), The European Consumer Centres Network: 10 Years Serving Europe’s Consumers: Anniversary Report 2005-2015, European Union, Luxembourg, http://ec.europa.eu/consumers/solving_consumer_disputes/non-judicial_redress/ecc-net/docs/ecc_net_-_anniversary_report_2015_en.pdf.

Economist Intelligence Unit (2013), “Information risk: Managing digital assets in a new digital landscape”, The Economist Intelligence Unit.

Edwards, B., S. Hofmeyr and S. Forrest (2014), “Hype and heavy tails: A closer look at data breaches”, Workshop on the Economics of Information Security, www.econinfosec.org/archive/weis2015/papers/WEIS_2015_edwards.pdf.

ENISA (European Network and Information Security Agency) (2009), “An SME perspective on cloud computing”, survey, European Network and Information Security Agency, 20 November, www.enisa.europa.eu/publications/cloud-computing-sme-survey.

EC (European Commission) (2017), “Exploratory study of consumer issues in online peer-to-peer platform markets: Executive summary”, European Commission, Brussels, http://ec.europa.eu/newsroom/document.cfm?doc_id=45246.

EC (2016a), “Consumer vulnerability across key markets in the European Union”, a report written by London Economics, VVA Consulting and Ipsos MORI consortium, Final Report, European Commission, Brussels, January, http://ec.europa.eu/consumers/consumer_evidence/market_studies/docs/vulnerable_consumers_approved_27_01_2016_en.pdf.

EC (2016b), “E-privacy”, Flash Eurobarometer 443, European Union, December, http://ec.europa.eu/COMMFrontOffice/publicopinion/index.cfm/ResultDoc/download/DocumentKy/76377.

EC (2015a), Consumer Conditions Scoreboard, Consumers at Home in the Single Market, 2015 Edition, European Union, Luxembourg, http://ec.europa.eu/consumers/consumer_evidence/consumer_scoreboards/11_edition/docs/ccs2015scoreboard_en.pdf.

EC (2015b), “Data protection”, Special Eurobarometer 431, European Union, June, http://ec.europa.eu/commfrontoffice/publicopinion/archives/ebs/ebs_431_en.pdf.

EC (2015c), “Cyber security”, Special Eurobarometer 423, European Union, February, http://ec.europa.eu/commfrontoffice/publicopinion/archives/ebs/ebs_423_en.pdf.

EC (2014), Study on Online Consumer Reviews in the Hotel Sector: Executive Summary, a study by Risk & Policy Analysts (RPA) Ltd, CSES and EPRD, European Union, https://doi.org/10.2772/32069.

EC (2013), “Cyber security”, Special Eurobarometer 404, European Union, November, http://ec.europa.eu/commfrontoffice/publicopinion/archives/ebs/ebs_404_en.pdf.

ECME Consortium (2013), “Study on the coverage, functioning and consumer use of comparison tools and third-party verification schemes for such tools”, EAHC/FWC/20138507, European Commission, Brussels, http://ec.europa.eu/consumers/consumer_evidence/market_studies/docs/final_report_study_on_comparison_tools.pdf.

FTC (Federal Trade Commission) (2017), “Consumer Sentinel Network data book for January-December 2016”, Federal Trade Commission, Washington, DC, March, www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-january-december-2016/csn_cy-2016_data_book.pdf.

FTC (2016), “Consumer Sentinel Network data book for January-December 2015”, Federal Trade Commission, Washington, DC, February, www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-january-december-2015/160229csn-2015databook.pdf.

FTC (2006), “ChoicePoint settles data security breach charges; to pay $10 million in civil penalties, $5 million for consumer redress”, press release, Federal Trade Commission, 26 January, www.ftc.gov/news-events/press-releases/2006/01/choicepoint-settles-data-security-breach-charges-pay-10-million.

Fiskerstrand, K. (2017), “sks-keyservers.net – key development”, https://sks-keyservers.net/status/key_development.php (accessed 15 April 2017).

Frier, S. and M. Townsend (2016), “FTC to crack down on paid celebrity posts that aren’t clear ads”, Bloomberg, 5 August, www.bloomberg.com/news/articles/2016-08-05/ftc-to-crack-down-on-paid-celebrity-posts-that-aren-t-clear-ads.

Goodin, D. (2015), “Pay or we’ll knock your site offline: DDoS-for-ransom attacks surge”, Ars Technica, http://arstechnica.com/security/2015/11/pay-or-well-knock-your-site-offline-ddos-for-ransom-attacks-surge.

Greenberg, A. (2015a), “Hackers remotely kill a Jeep on the highway – with me in it”, Wired, July, www.wired.com/2015/07/hackers-remotely-kill-jeep-highway.

Greenberg, A. (2015b), “After Jeep hack, Chrysler recalls 1.4M vehicles for bug fix”, Wired, July, www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix.

Greenaway, K., S. Zabolotniuk and A. Levin (2012), “Privacy as a risk management challenge for corporate practice”, Ted Rogers School of Management, Ryerson University, Privacy and Cyber Crime Institute, www.ryerson.ca/content/dam/tedrogersschool/privacy/privacy_as_a_risk_management_challenge.pdf.

Harford, T. (2014), “Big data: Are we making a big mistake?”, Financial Times, 28 March, www.ft.com/cms/s/2/21a6e7d8-b479-11e3-a09a-00144feabdc0.html.

Hautala, L. (2016), “Why it was so easy to hack the cameras that took down the web”, c|net, 24 October, www.cnet.com/how-to/ddos-iot-connected-devices-easily-hacked-internet-outage-webcam-dvr.

Hill, L. (2012), “How Target figured out a teen girl was pregnant before her father did”, Forbes, 16 February, www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did.

IAPP (International Association of Privacy Professionals) (2016), “IAPP-EY annual privacy governance report 2016”, International Association of Privacy Professionals, https://iapp.org/media/pdf/resource_center/IAPP-2016-GOVERNANCE-SURVEY-FINAL2.pdf.

ICPEN (International Consumer Protection and Enforcement Network) (2016), Online Reviews & Endorsements: ICPEN Guidelines for Review Administrators, International Consumer Protection and Enforcement Network.

International Cyber Security Protection Alliance (2013), “Study of the impact of cyber crime on businesses in Canada”, International Cyber Security Protection Alliance, Buckinghamshire, United Kingdom, https://www.icspa.org/wp-content/uploads/2014/12/ICSPA-Canada-Cyber-Crime-Study-Report.pdf.

Internet Society (2016), “Global Internet report 2016: The economics of building trust online: Preventing data breaches”, Internet Society, www.internetsociety.org/globalinternetreport/2016.

(ISC)2 (2015), “The 2015 (ISC)2 global information security workforce study”, white paper, Frost & Sullivan, (ISC)², and Booz Allen Hamilton, https://www.boozallen.com/content/dam/boozallen/documents/Viewpoints/2015/04/frostsullivan-ISC2-global-information-security-workforce-2015.pdf.

ISO/IEC (International Organization for Standardization/International Electrotechnical Commission) (2009), Information Technology – Security Techniques – Information Security Management Systems – Overview and Vocabulary, ISO/IEC 27000:2009 (E), International Organization for Standardization and International Electrotechnical Commission.

Jardine, E. (2015), “Global cyberspace is safer than you think: Real trends in cybercrime”, Global Commission on Internet Governance, Paper Series, No. 16, July, www.cigionline.org/sites/default/files/no16_web_0.pdf.

Kaiser, M. (2011), Prepared testimony of the National Cyber Security Alliance on the State of Cybersecurity and Small Business before the Committee on House Small Business Subcommittee on Healthcare and Technology, United States House of Representatives, 1 December, http://smallbusiness.house.gov/uploadedfiles/kaiser_testimony.pdf.

Klahr, R. et al. (2016), “Cyber Security Breaches Survey 2016”, Ipsos MORI Social Research Institute, London, May, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/521465/Cyber_Security_Breaches_Survey_2016_main_report_FINAL.pdf.

Kokalitcheva, K. (2015), “Here’s how Airbnb justifies its eye-popping $24 billion valuation”, Fortune, 17 June, http://fortune.com/2015/06/17/airbnb-valuation-revenue.

Madden, M. (2014), “Public perceptions of privacy and security in the post-Snowden era”, Pew Research Center, 12 November, www.pewinternet.org/files/2014/11/PI_PublicPerceptionsofPrivacy_111214.pdf.

Mayer, R.C., J.H. Davis and F.D. Schoorman (1995), “An integrative model of organizational trust”, The Academy of Management Review, Vol. 20/3, pp. 709-734, www.jstor.org/stable/258792.

McGlasson, L. (2009), “Heartland Payment Systems, Forcht Bank discover data breaches”, BankInfoSecurity, 21 January, www.bankinfosecurity.com/heartland-payment-systems-forcht-bank-discover-data-breaches-a-1168.

NSBA (National Small Business Association) (2016), “2015 year end economic reports”, National Small Business Association, Washington, DC, February, www.nsba.biz/wp-content/uploads/2016/02/Year-End-Economic-Report-2015.pdf.

NSBA (2015), “2014 year end economic reports”, National Small Business Association, Washington, DC, February, www.nsba.biz/wp-content/uploads/2015/02/Year-End-Economic-Report-2014.pdf.

NTIA (National Telecommunications and Information Administration) (2016), “Lack of trust in Internet privacy and security may deter economic and other online activities”, National Telecommunications and Information Administration, United States Department of Commerce, Washington, DC, 13 May, www.ntia.doc.gov/blog/2016/lack-trust-internet-privacy-and-security-may-deter-economic-and-other-online-activities.

OECD (Organisation for Economic Co-operation and Development) (2016a), “The Internet of Things: Seizing the benefits and addressing the challenges”, OECD Digital Economy Papers, No. 252, OECD Publishing, Paris, https://doi.org/10.1787/5jlwvzz8td0n-en.

OECD (2016b), “Bridging policy silos to boost trust online”, OECD Observer, No. 307, OECD, Paris, http://oecdobserver.org/news/fullstory.php/aid/5589/Bridging_policy_silos_to_boost_trust_online.html.

OECD (2016c), “Stimulating digital innovation for growth and inclusiveness: The role of policies for the successful diffusion of ICT”, OECD Digital Economy Papers, No. 256, OECD Publishing, Paris, https://doi.org/10.1787/5jlwqvhg3l31-en.

OECD (2016d), Recommendation of the Council on Consumer Protection in E-commerce, OECD, Paris, www.oecd.org/sti/consumer/ECommerce-Recommendation-2016.pdf.

OECD (2016e), “Protecting consumers in peer platform markets: Exploring the issues”, OECD Digital Economy Papers, No. 253, OECD Publishing, Paris, https://doi.org/10.1787/5jlwvz39m1zw-en.

OECD (2016f), “Managing digital security and privacy risk”, OECD Digital Economy Papers, No. 254, OECD Publishing, Paris, https://doi.org/10.1787/5jlwt49ccklt-en.

OECD (2016g), “New forms of work in the digital economy”, OECD Digital Economy Papers, No. 260, OECD Publishing, Paris, https://doi.org/10.1787/5jlwnklt820x-en.

OECD (2015a), Digital Security Risk Management for Economic and Social Prosperity: OECD Recommendation and Companion Document, OECD, Paris, www.oecd.org/sti/ieconomy/digital-security-risk-management.pdf.

OECD (2015b), Data-Driven Innovation: Big Data for Growth and Well-Being, OECD Publishing, Paris, https://doi.org/10.1787/9789264229358-en.

OECD (2014), Measuring the Digital Economy: A New Perspective, OECD Publishing, Paris, https://doi.org/10.1787/9789264221796-en.

OECD (2013), OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, OECD, Paris, www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#recommendation.

OECD (2011), “The evolving privacy landscape: 30 years after the OECD privacy guidelines”, OECD Digital Economy Papers, No. 176, OECD Publishing, Paris, https://doi.org/10.1787/5kgf09z90c31-en.

OECD (2003), OECD Guidelines for Protecting Consumers from Fraudulent and Deceptive Commercial Practices Across Borders, OECD Publishing, Paris, https://doi.org/10.1787/9789264103573-en-fr.

Otake, T. (2015), “Japan Pension Service hack used classic attack method”, The Japan Times, 2 June, www.japantimes.co.jp/news/2015/06/02/national/social-issues/japan-pension-service-hack-used-classic-attack-method.

Perlroth, N. (2012), “Cameras may open up the board room to hackers”, The New York Times, 22 January, www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html.

Piatetsky, G. (2014), “Did Target really predict a teen’s pregnancy? The inside story”, KDnuggets, 7 May, www.kdnuggets.com/2014/05/target-predict-teen-pregnancy-inside-story.html.

PwC (PricewaterhouseCoopers) (2015), “2015 Information Security Breaches Survey”, PricewaterhouseCoopers, www.pwc.co.uk/services/audit-assurance/insights/2015-information-security-breaches-survey.html.

Sharman, J. (2017), “Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France”, The Independent, 13 May.

Smith (2016), “IoT security camera infected within 98 seconds of plugging it in”, NetworkWorld, 20 November, www.networkworld.com/article/3143133/security/iot-security-camera-infected-within-98-seconds-of-plugging-it-in.html.

Smith, A. and M. Anderson (2016), “Online shopping and e-commerce”, Pew Research Center, 19 December, http://assets.pewresearch.org/wp-content/uploads/sites/14/2016/12/16113209/PI_2016.12.19_Online-Shopping_FINAL.pdf.

Storm, D. (2015), “MEDJACK: Hackers hijacking medical devices to create backdoors in hospital networks”, ComputerWorld, June, www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html.

Thales e-Security (2016), 2016 Encryption Application Trends Study.

The Japan Times (2015), “Japan Pension Service hack used classic attack method”, The Japan Times, 2 June, www.japantimes.co.jp/news/2015/06/02/national/social-issues/japan-pension-service-hack-used-classic-attack-method.

UK Department for Business, Innovation and Skills (2015), 2015 Information Security Breaches Survey: Technical Report, Department for Business Innovation and Skills, London, www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-blue-digital.pdf.

UK Department for Business, Innovation and Skills (2014), “Digital capabilities in SMEs: Evidence review and re-survey of 2014 Small Business Survey respondents”, BIS Research Papers, No. 247, Department for Business, Innovation and Skills, London, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/457750/BIS-15-509-digital-capabilities-in-SMEs-evidence-review-and-re-survey-of-2014-small-business-survey-respondents.pdf.

UK Department for Culture, Media & Sport (2016), “2016 Cyber Security Breaches Survey”, UK Government, London.

UKRN (UK Regulators Network) (2016), “Price comparison websites: Final report”, UK Regulators Network, 27 September, www.ukrn.org.uk/wp-content/uploads/2016/09/201609027-UKRN-PCWs-Report.pdf.

UNCTAD (United Nations Conference on Trade and Development) (2016), “UNCTAD B2C E-commerce Index 2016”, UNCTAD Technical Notes on ICT for Development, No. 7, United Nations Conference on Trade and Development, Geneva, April, http://unctad.org/en/PublicationsLibrary/tn_unctad_ict4d07_en.pdf.

UNCTAD (2015), Information Economy Report 2015: Unlocking the Potential of E-commerce for Developing Countries, United Nations, Geneva, http://unctad.org/en/PublicationsLibrary/ier2015_en.pdf.

US Department of Commerce (2016), “Quarterly retail e-commerce sales – 2nd quarter 2016”, US Census Bureau News, US Department of Commerce, Washington, DC, August, www.census.gov/retail/mrts/www/data/pdf/ec_current.pdf.

US International Trade Administration (2016), eCommerce Guide, https://www.export.gov (accessed 1 December 2016).

Valant, J. (2015), Online Consumer Reviews: The Case of Misleading or Fake Reviews, Briefing, European Parliament, October, www.europarl.europa.eu/RegData/etudes/BRIE/2015/571301/EPRS_BRI(2015)571301_EN.pdf.

Wong, J.C. and O. Solon (2017), “Massive ransomware cyber-attack hits nearly 100 countries around the world”, The Guardian, 12 May, www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs.

Zhang, S. and G. Shih (2015), “Uber seen reaching $10.8 billion in bookings in 2015: Fundraising presentation”, Reuters, 21 August, www.reuters.com/article/2015/08/21/us-uber-tech-fundraising-idUSKCN0QQ0G320150821.

Notes

1. The statistical data for Israel are supplied by and under the responsibility of the relevant Israeli authorities. The use of such data by the OECD is without prejudice to the status of the Golan Heights, East Jerusalem and Israeli settlements in the West Bank under the terms of international law.

2. The observed patterns are dominated by the economic weight of large enterprises, for which e-commerce sales represent on average 22% of turnover against 9% for small firms. Furthermore, e-commerce activities mostly remain within national borders, despite recent initiatives both at the national and international level to foster cross-border online transactions (see Chapter 5).

3. On average, 90% of OECD households have an Internet connection at home.

4. In 2009, security was cited as the main reason for not buying online for over one-third of Internet users in the European Union who had not made any purchases online. Privacy concerns accounted for a slightly smaller share (about 30%) (see Figure 6.2).

5. It is important to note that this figure is much smaller (1%) and decreasing when it comes to the share of all households for which privacy or security concerns are a reason for not having Internet access. In contrast, when it comes to mobile connectivity, 10% of all individuals cited security concerns as a major reason for not using mobile devices (including laptops) via wireless connections from places other than home in 2015. This ranges from more than 20% in the Netherlands to 1% in Greece.

6. That said, privacy and security concerns are among the least cited reasons for not having an Internet connection at home in most countries; lack of interest, lack of skills and the high cost of access (including to devices) are by far the most frequent reasons for not having Internet access at home.

7. ISO/IEC (27000:2009) defines information security as the “preservation of confidentiality, integrity and availability of information.” It also notes that “in addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved.” Confidentiality “is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes” (ISO/IEC, 2009). Integrity means the preservation of the accuracy and completeness of data over its entire lifecycle. Availability means assuring that information is available when it is needed.

8. A data breach is “a loss, unauthorised access to or disclosure of personal data as a result of a failure of the organisation to effectively safeguard the data” (OECD, 2011).

9. This only includes complaints accepted under Canada’s Personal Information Protection and Electronic Documents Act.

10. OECD (2015b) highlights that “the Internet has provided opportunities for some to engage in unlawful conduct, including [intellectual property] infringement” and acknowledges in the case of copyright infringement that “[i]t is, however, difficult to obtain accurate and objective data on the precise magnitude of piracy that is taking place.”

11. See also the work of Eric Jardine (2015) showing that, proportionately, the increase is not so strong given that Internet-related activities are growing too.

12. In 2015, for example, 90% of large businesses and 74% of small businesses in the United Kingdom reported that they had suffered a security incident (UK Department for Business, Innovation and Skills, 2015).

13. In the 2012 ICSPA survey in Canada, the largest proportion of businesses (31%) reported not experiencing an information security incident over the past 12 months. Of those that did experience an incident, 23% experienced just one while 23% also reported experiencing over ten.

14. A large part of the cross-country variations is due to differences in methodologies used across regions – in particular between EU member states and other OECD countries (Canada, Japan, Korea, Mexico and New Zealand). Furthermore, it is important to note that respondents are likely to understate the true number of digital security incidents that they incur during a given time period. For instance, in any one year, a business might experience a certain number of digital security incidents. Of this total universe of incidents, the business might not detect all of them. These non-detected incidents will not be taken into account when respondents answer questions related to past incidents. To compound this issue, if respondents do not feel that their answers will be kept confidential, they may not disclose all of the incidents that were detected (e.g. due to reputational concerns). No firm estimates exist on what proportion of incidents go undetected. Different surveys, however, have indicated that anywhere between 60% and 90% of security incidents go unreported (Edwards, Hofmeyr and Forrest, 2014). This implies that a substantial proportion of the total universe of incidents forms part of an “unknown unknown.”

15. The high rate of reported viruses/malware infections could be due to the improvements in the detection of such infections thanks to more sophisticated anti-malware tools.

16. DoS incidents affect an organisation by flooding its online service or bandwidth with spam requests, knocking it offline for hours or days (Goodin, 2015).

17. Such as a USD 45 million loss by a bank in a global cybercrime scheme. For an example, see: www.reuters.com/article/us-usa-crime-cybercrime-idUSBRE9AH0YZ20131118.

18. Two common metrics are therefore used to gauge the impact that incidents had on businesses: the financial cost/loss caused by the incident and the hours of business downtime or employee hours required to remedy the incident (which can subsequently be converted into a monetary figure).

19. SMEs experiencing a digital security or privacy incident, either accidentally or through commercial espionage, may be more affected than a larger company that is in a better position to pursue legal recourse to protect its investment. Some SMEs rely heavily on the strength and scope of their intellectual property to generate investment to take their technologies to commercialisation. Intellectual property is critically important to many small, innovative and research and development-intensive businesses, and the theft or exposure of intellectual property can significantly damage their competitive edge and economic base. Early-stage start-ups, such as those in the biotechnology or nanotechnology field, may be especially vulnerable to intellectual property theft.

20. “Personal data means any information relating to an identified or identifiable individual (data subject)” (OECD, 2013).

21. This publication uses the term “data breach” to refer to an incident involving “a loss, unauthorised access to or disclosure of personal data as a result of a failure of the organisation to effectively safeguard the data” (OECD, 2011). It uses the term “digital security incident” to refer to incidents that may or may not involve personal data.

22. The ChoicePoint breach became public because of a 2003 California law requiring notification to an individual when their personal information was wrongfully disclosed. This contributed to the adoption of similar laws in many other jurisdictions. The 2013 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data call for controllers to provide notifications in cases where there has been a significant security breach affecting personal data (OECD, 2013, paragraph 15(c)).

23. The severity and impact of data breaches have also increased. According to a study released in 2015 by the data security research organisation the Ponemon Institute, the total average cost of a data breach is now USD 3.8 million, up from USD 3.5 million a year earlier. The study also reported that the cost of a data breach is now USD 154 per record lost or stolen, up from USD 145 the previous year, and the cost resulting from lost business because of a decline in customers’ trust after a breach can be even greater. The UK study referred to above estimated that big breaches cost large organisations between GBP 600 000 and GBP 1.15 million.

24. Duhigg (2012) describes the analysis process as follows: “[…] Lots of people buy lotion, but one of Pole’s colleagues noticed that women on the baby registry were buying larger quantities of unscented lotion around the beginning of their second trimester. Another analyst noted that sometime in the first 20 weeks, pregnant women loaded up on supplements like calcium, magnesium and zinc. Many shoppers purchase soap and cotton balls, but when someone suddenly starts buying lots of scent-free soap and extra-big bags of cotton balls, in addition to hand sanitizers and washcloths, it signals they could be getting close to their delivery date”. As data analytics is not perfect, false positives are to be accounted for (see Harford, 2014). Target therefore mixes up its offers with coupons that are not specific to pregnancy (Piatetsky, 2014).

25. Consumers reported paying over USD 744 million in those fraud complaints; the median amount paid was USD 450. Fifty-one per cent of the consumers who reported a fraud-related complaint in the United States also reported an amount paid.

26. Complaints in the CSN are self-reported and unverified, and they do not necessarily represent a random sample of consumer injury for any particular market. For these reasons, year-to-year changes in the number of fraud and/or identity theft complaints do not necessarily indicate an increase or decrease in actual or perceived fraud and/or identity theft in the marketplace.

27. The OECD (2003) Guidelines for Protecting Consumers from Fraudulent and Deceptive Commercial Practices Across Borders highlights the following three types of fraudulent and deceptive commercial practices: “(i) A practice of making misrepresentations of material fact, including implied factual misrepresentations, that cause significant detriment to the economic interest of misled consumers. (ii) A practice of failing to deliver products or provide services to consumers after the consumers have been charged. (iii) A practice of charging or debiting consumers’ financial, telephone or other accounts without authorisation”.

28. According to this first principle, stakeholders “should be aware that digital security risk can affect the achievement of their economic and social objectives and that their management of digital security risk can affect others. They should be empowered with the education and skills necessary to understand this risk to help manage it, and to evaluate the potential impact of their digital security risk management decisions on their activities and the overall digital environment” (OECD, 2015a).

29. As an example, the EU General Data Protection Regulation (GDPR) considers both pseudonymisation and encryption as appropriate measures to be used by data controllers and processors to ensure the security of the processing of personal data.

30. The use of secure servers has also been promoted by the fact that Internet search service providers have favoured access over SSL/TLS where possible (see also www.google.com/transparencyreport/https).

31. Of the 16 million servers worldwide, only 10% have a known location.

32. See also Cisco (2016), Annual Security Report, www.cisco.com/c/dam/assets/offers/pdfs/cisco-asr-2016.pdf.

33. WhatsApp uses the Signal Protocol (formerly known as the TextSecure Protocol), a non-federated cryptographic protocol initially developed by Open Whisper Systems in 2013 and first introduced in the open source TextSecure app (now known as Signal Private Messenger).

34. Tor is free software that protects Internet users’ privacy, confidentiality of communications and other freedoms (e.g. freedom of expression) by enabling online anonymity. The project was initially sponsored by the US Naval Research Laboratory, then by the Electronic Frontier Foundation, and now by the Tor Project, which is a US-based research and education not-for-profit organisation, with its different sources of funds published on its website. The Tor Project makes publicly available the “analytics for the Tor network, including graphs of its available bandwidth and estimated user base” (see https://metrics.torproject.org).

35. See also OECD (2015a) according to which “[c]oncerns about government access requests – particularly to data entrusted to providers of cloud computing services – predate the revelations by Edward Snowden in 2013 and are not limited to intelligence gathering. But those revelations have brought into sharper focus the need for transparency. Today, Internet and communications businesses are under increasing pressure to be open about the manner in which they address government access requests.”

36. Others include the Privacy Officers Network, through which senior privacy officers involved in the practical implementation of privacy initiatives meet and exchange ideas through a professional support network, and national bodies such as the Association française des correspondants à la protection des données à caractère personnel in France, and the Asociación Profesional Española de Privacidad in Spain.

37. See Article 37 of the EU GDPR.

38. To name just a few: in the United States, the call by the White House in July 2016 for each federal government agency to appoint a senior agency official for privacy has been another driver. Canada’s federal private sector legislation, the Personal Information Protection and Electronic Documents Act, requires organisations to designate an individual (or individuals) responsible for personal data-handling activities. New Zealand’s Privacy Act requires every agency in both the public and private sectors to appoint a privacy officer. Both of Korea’s privacy laws require companies to designate a person responsible for the management of personal information. Overall, the IAPP (2016) estimates that employment in privacy-related professions will therefore increase significantly over the coming year in two areas: “the number of positions for full-time privacy professionals on privacy teams is expected to grow by 37 percent while an additional 39 percent growth is expected for part-time privacy responsibilities in units other than privacy.”

39. This is in line with Burning Glass (2015), according to which demand for cybersecurity jobs is growing across the US economy: in 2014, there were close to 238 158 postings for cybersecurity-related jobs. Cybersecurity jobs account for 11% of all IT jobs. Burning Glass (2015) defines cybersecurity jobs as those which have a cybersecurity-related title, require a cybersecurity certification or request cybersecurity-specific skills.

40. It is interesting to note the difference between men and women in the perception of these challenges in the (ISC)2 survey: while finding qualified people is seen as an increasing issue compared to previous years especially by men (over 50%), women instead consider that the lack of executives’ understanding of the security requirements is a major issue.

41. However, respondents had to select two options, which makes interpreting this result difficult (if a respondent selected this answer, surely no second choice would be made). A generous interpretation might infer the option to mean that many functions determine IT security priorities.

42. Or other senior information security executives.

43. This corresponds on average to more than USD 350 per employee. Please note that the mean results are influenced, mathematically, by those with very large numbers of employees. The median results, uninfluenced by large numbers, are therefore lower.

44. The emphasis of the OECD Council Recommendation on Digital Security Risk Management for Economic and Social Prosperity on digital security risk management is based on three messages: 1) it is impossible to entirely eliminate digital security risk when carrying out activities that rely on the digital environment. However, the risk can be managed, that is, can be reduced to an acceptable level in light of the interests and benefits at stake, and the context; 2) leaders and decision makers should focus on the digital security risk to economic and social activities rather than only on the risk to the digital infrastructure; and 3) organisations should integrate digital security risk management into their economic and social decision-making processes and overall risk management framework rather than treat it solely as a technical problem (OECD, 2015a).

45. For its part, the new EU GDPR requires assessing the risks for the rights and freedoms of individuals when implementing measures to ensure compliance with the regulation, including on security aspects. According to Recital 75 GDPR, the risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage.

46. The 2012 study, co-sponsored by the US NCSA and Symantec, reports that only 23% of US small businesses have a formal written Internet security policy, 59% do not have contingency plans, and just 35% provide any training to employees about Internet safety and security. Similarly, a 2013 Study of the Impact of Cyber Crime on Businesses in Canada suggests that only 22% of Canadian businesses employ a risk assessment process to identify where their business is most vulnerable (International Cyber Security Protection Alliance, 2013).

47. It should be noted that, aside from the opportunity to gain competitive advantage from treating digital risk as a strategic issue, there are also cases where a company has seen a positive effect on its reputation from revealing a digital security incident, because it showcased that the company was aware of digital security risks and had addressed these in a professional manner.

48. The 2009 ABACUS survey in Australia also asked respondents what computer security incidents were covered by insurance policies. The results were provided broken down by firm size. The incident type with the largest proportion of businesses reporting coverage was “theft or loss of hardware”.