Man as a factor in cybersecurity

EISAS of ENISA: the European Commission promotes awareness-raising in Europe.

The European Information and Warning System (EISAS), set up in 2006, aims to improve cooperation between Member States in their efforts to provide end users and SMEs with relevant safety information. In 2012, ENISA (the European Network and Information Security Agency) carried out a pilot project on a large scale. The large-scale EISAS pilot report provides detailed information on the successful measures and identifies the cost-effectiveness of European awareness-raising activities, while the updated EISAS roadmap provides for future action.

Cybersecurity is usually in the hands of specialists implementing technical solutions. Users and small and medium-sized enterprises (SMEs) are excluded from this measure, although end-users should be fully aware that they are the first line of defense against cyber threats. Therefore, these players must have the ability to protect their devices, data and online identity. No firewall or security policy can protect users efficiently if they are not sufficiently aware of the risks they face. As EU Commissioner Nelly Kroes said: “Cyber ​​security is also about making sure that normal computer users are” Web Wise. ” A recent Eurobarometer survey shows that most EU citizens are not prepared to protect their online information. Unfortunately, most awareness-raising efforts are directed at a limited audience: employees of a company or, at best, certain groups of citizens of a country. To raise awareness of cybersecurity among all citizens and businesses, the European Commission has decided to promote a collaborative approach to raising awareness in Europe. Launched in 2006, the European Information and Alert System EISAS aims to improve cooperation between Member States in their work in order to provide citizens and SMEs with relevant safety information. Following the 2010 EISAS Roadmap4 Recommendation and the 2011 EISAS Implementation Report5, ENISA launched the EISAS Pilot Project this year. This project follows the recently successfully tested three-level methodology defined in EISAS Basic Toolset6: information gathering, information processing and information dissemination. As part of the EISAS pilot project, National / State Computer Emergency Response Teams (CERTs) and other communities in Germany, Hungary, Portugal, Norway, Spain and Poland, who have agreed to participate, have joined forces to launch a collaborative and cross-border awareness campaign. Innovative awareness-raising materials have been won by key players at national level. An international team was created to work together and adapt the materials to the needs and characteristics of the population of each stakeholder.

These materials were then disseminated through appropriate communication channels (social media, large public websites, special mailing lists, etc.) aimed at EU citizens and SMEs. In due course, this large-scale pilot project reached more than 1,500 people. Citizens and SMEs across Europe have been provided with security knowledge to guard against some of today’s key cyber threats: botnets, identity theft (ID) and social engineering. However, the realization of this pilot project goes beyond sensitizing citizens. It also shows that the EISAS approach to European cooperation on awareness-raising works and is a cost-effective solution to better prepare EU citizens for the ever-evolving cyber-threats. The results of this pilot project must now be built through continued cooperation.

This pilot project has shown that this cooperation must be promoted by a brokerage agent. Therefore, EISAS needs a body that acts as an information broker and facilitator. ENISA had taken on this role in this project, but now needs to be transferred to a collaborative community of willing stakeholders. In this context, the infrastructure set up this year by the NISHA project, Network for Information Sharing and Alerting (NISHA), a project complemented by EISAS and co-funded by the Directorate-General for Home Affairs (DG HOME) 7, is a promising one Candidate in support of the information required by EISAS

EISAS Large Scale pilot-final

Projects for ENISA with senior participation of

• The study „European Information Sharing and Alert System (EISAS) Basic toolset”: https://www.enisa.europa.eu/publications/eisas-basic-toolset
• Execution of the: “EISAS Large-Scale Pilot – Collaborative Awareness Raising for EU Citizens & SMEs“: https://www.enisa.europa.eu/publications/eisas-large-scale-pilot

In the field of information security and privacy, Code and Concept has been working since 2015 among others. in close cooperation with KomFIT (Kommunales Forum für Informationstechnik e.V.) in Schleswig-Holstein and is there inter alia. tasked with the development of training concepts and employee training. The methodology has proven itself in many projects and is also described as publicly accessible – using the example of live phishing training in the state capital Kiel:

• Phishing simulation of the information security working group of the state capital (LH) Kiel: Artikel „Fisherman’s Foe“ in „<kes> – Die Zeitschrift für Informations-Sicherheit, Nr. 2 April 2018“. In cooperation with the project “Sicherheit für Kommunen in Schleswig-Holstein” (Si-KoSH), supported in the implementation by Code and Concept.
•  Artikel (pdf) „SiKoSH besiegt den großen Weißen Hai“ (Dr. Werner Degenhardt, Andreas Amann, Jan Koppelmann, Frank Weidemann) in: Die Gemeinde – Zeitschrift für die kommunale Selbstverwaltung in Schleswig-Holstein (70. Jahrgang, 05/2018)
• „SiKoSH Awareness für Kommunen“, YouTube-Video https://www.youtube.com/watch?v=2Lo4kpgnUAo

The campaign presented as part of a press conference convened by the City of Kiel was well received by the public press:

• „Datenschutz-Training – Stadt testet Mitarbeiter mit Fake-Mail“ in: Kieler Nachrichten Online (22.06.2018): http://www.kn-online.de/Kiel/Datenschutz-Training-Stadt-testet-Mitarbeiter-mit-Fake-Mails
• „Datenschutz-Training – Kieler Verwaltung mit Fake-Mails getestet – Lob vom Städteverband“ in: shz.de (22.06.2018): https://www.shz.de/regionales/kiel/kieler-verwaltung-mit-fake-mails-getestetlob-vom-staedteverband-id20222672.html
• „Phishing im Rathaus – Drei von vier Stadtmitarbeitern waren wachsam“ in: shz.de (22.06.2018): https://www.shz.de/regionales/kiel/drei-von-vier-stadtmitarbeitern-waren-wachsamid20227837.html
• „Sensibilisierung für Phishing – Kieler Behörden fallen auf Fake-Mails herein“ in: n-tv.de (22.06.2018): https://www.n-tv.de/panorama/Kieler-Behoerden-fallen-auf-Fake-Mails-herein-article20493461.html
• „Fake-Mails: Verwaltung in Kiel getestet“ in: Lübecker Nachrichten Online (22.06.2018): http://www.ln-online.de/Nachrichten/Norddeutschland/Fake-Mails-Verwaltung-in-Kiel-getestet
• „Sensibilisierung für Cyber-Attacken – Kieler Verwaltung mit gefälschten Mails getestet“ in: Saarbrücker Zeitung (online) (22.06.2018): https://www.saarbruecker-zeitung.de/panorama/kieler-verwaltung-mit-gefaelschten-mails-getestet_aid-23575581
• „Cyber-Attacke – Verwaltung mit Fake-Mails getestet“ in: Bergedorfer Zeitung (online) (23.06.2018): https://www.bergedorfer-zeitung.de/incoming/article214665367/Verwaltung-mit-Fake-Mails-getestet.html
• „Cyber-Attacke vom Chef“ in: Hamburger Abendblatt (online) (23.06.2018): https://www.abendblatt.de/hamburg/article214665785/Cyber-Attacke-vom-Chef.html
• „Kiels Verwaltung mit Fake-Mails getestet“ in: welt.de (23.06.2018): https://www.welt.de/print/die_welt/hamburg/article178074816/Kiels-Verwaltung-mit-Fake-Mails-getestet.html