2013 ITU survey on measures taken to raise awareness on cybersecurity ITU‐D Study Group Question 22‐1/1 Securing information and communication networks: best practices for developing a culture of cybersecurity August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity SURVEY BACKGROUND Raising awareness of different aspects of cybersecurity and developing a culture of cybersecurity awareness is regarded by many as an integral part of a nation’s cybersecurity strategy and requires collaboration among the different stakeholders and coordinated actions to be taken. The ITU‐D Study Group 1 Rapporteur Group for Question 22‐1/1 dedicated to “Securing information and communication networks: best practices for developing a culture of cybersecurity”, at its meeting held on 13 September 2012 in Geneva, agreed to issue a survey on measures taken in member states to raise awareness on cybersecurity. SURVEY OBJECTIVES The purpose of the 2013 ITU survey on measures taken to raise awareness on cybersecurity is to collect ideas from all sources on how countries, businesses and expert groups are educating and encouraging individuals and entities on the subject of cybersecurity, including child online protection, and the cybersecurity needs of persons with disabilities. (See reference in item 2.(b)(v), of the work program for ITU‐D SG1 Question 22‐1/1 as agreed during WTDC‐10 at: http://www.itu.int/net3/ITU‐D/stg/rgqlist.aspx?rgq=D10‐RGQ22.1.1&stg=1 The input received through the survey will be shared during the next ITU‐D Study Group 1 Rapporteur Group meeting for Question 22‐1/1 which will take place in Geneva on 19 April 2013 and incorporated into the final outputs and guidelines to come out of the work on SG1 Question 22‐1/1 during the 2010‐2014 study period. August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Overview of Answers Received (as of 27 June 2013) 193 Member States in ITU Answers were received from 50 Member States 1 Observer 1 Regional/International Organisation 5 Sector Members and 5 non‐members 62 entries received List of countries and observers (Res.99 (Rev. Guadalajara, 2010)) who participated (55) Afghanistan, Andorra, Australia, Belarus, Benin, Bhutan, Brazil, Bulgaria, Burkina Faso, Cambodia, Colombia, Côte d’Ivoire, Croatia, Cyprus, Dominican Republic, Egypt, France, Hungary, Iraq, Italy, Japan, Lebanon, Lesotho, Malaysia, Maldives, Mali, Mauritius, Moldova, Morocco, Myanmar, Namibia, Niger, Norway, Oman, Pakistan, Panama, Portugal, Serbia, Sri Lanka, Sudan, Swaziland, Switzerland, Syria, Tanzania, Togo, Trinidad and Tobago, Tunisia, Uganda, Ukraine, United States of America, Vanuatu, Venezuela, Viet Nam, Zambia and Palestine The non‐members are, in fact, members of IMPACT, to whom the survey was disseminated. The Questionnaire was sent to Administrations of ITU Member States and Observer (Res. 99), ITU‐D Sector Members, Associates and Academia, Management Teams for ITU‐D Study Groups 1 and 2, Observers (Regional and International Organizations) and members of IMPACT. August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Survey Questions CONTACT INFORMATION a. Contact details b. Please select the name of your Administration/Organization from the list. (If it is not available, indicate the name in the field below the list) c. Region where your organization is based: Africa The Americas Asia and Pacific Arab States CIS countries Europe d. Country/countries where your organization is based August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Survey Questions (Cont’d) SURVEY 1 In your opinion, how important is raising awareness on cybersecurity as a basic step to achieving security in cyberspace? Not important Somewhat important Important Very important 2 Has your country already adopted a general framework/strategy for cybersecurity? If not, move directly to survey question 5. Yes No If yes, please provide links/references: 3 If you answered ‘yes’ to the previous question, has any part of this policy/framework/strategy been directed to raising the awareness of the general public? Yes No If yes, please provide links/references: 4 If you answered ‘yes’ to the previous question, at which stage of the general framework/strategy for cybersecurity should the raising of awareness start? August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Survey Questions (Cont’d) 5 If your country has not yet adopted a general framework/strategy for cybersecurity, has it been discussing/developing/formulating one? (If “No” is selected, please move directly to question 9) Yes No If yes, please provide links/references: 6 Do these discussions/formulations include raising cybersecurity awareness? Yes No If yes, please provide links/references: 7 At which stage of the general framework/strategy for cybersecurity should awareness raising start according to these discussions/formulations? 8 Who are the parties concerned with raising public awareness on cybersecurity, in accordance with the legislations/policies/practices adopted in your country? 9 Are there other parties not identified by the legislations/policies/practices that are concerned with raising public awareness on cybersecurity? Yes No If yes, please specify: August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Survey Questions (Cont’d) 10 Was any specific research or survey conducted concerning cybersecurity in your country and/or region? Yes No If yes, please provide links/references: 11 Which groups are targeted by cybersecurity awareness campaigns in your country? Children Youth Students Elderly people Persons with disabilities Private institutions Government agencies Others If “others” was selected, please specify: 12 Which one of the groups identified below is more targeted? Please arrange in order of 1 to 6 for the highly targeted to the less targeted? (1 to indicate highly targeted and 6 to indicate less targeted) Children Youth Students Elderly people Persons with disabilities Private institutions Government agencies August 2013 Others ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Survey Questions (Cont’d) 13 Has your country designed, or is in the process of designing, a dedicated plan in the general cybersecurity framework/strategy for persons with disabilities? Yes No If yes, please provide links/references: 14 What are the cybersecurity issues that are addressed by existing awareness campaigns? Internet safety Privacy Fraud Phishing Malware Child Online Protection Other, such as cyber‐bullying and harassment, identity theft, spam, firewalls, passwords, shopping and business August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Survey Questions (Cont’d) 15 What is the degree of importance of each issue? Please arrange in order of the most important to the less important and give reasons for such order? Internet safety Privacy Fraud Phishing Malware Child Online Protection Other, such as cyber‐bullying and harassment, identity theft, spam, firewalls, passwords, shopping and business 16 What are the mechanisms used to raise awareness among the targeted groups stated in question 11? Please provide links/references: 17 Are there unconventional channels used for cybersecurity awareness? If yes, what are they? Please provide links/references: 18 Are there certain technologies related to providing cybersecurity, such as anti‐virus or anti‐spam software, available to the persons with disabilities? Yes No Please provide links/references: August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Survey Questions (Cont’d) 19 Is the public encouraged to use the different technologies for cybersecurity such as anti‐virus or anti‐spam software? Yes No If yes, please specify: 20 If the answer is ‘yes’ to the previous question, are these different types of technologies made available to the public and how? Yes No If yes, please specify: August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity c Region where your organization is based: 62 responses received CIS countries 3 5% Europe 13 21% Africa 9 22% Arab States 7 11% Asia and Pacific 13 21% August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity The Americas 9 15% Least developed countries 29.03% Developed countries 24.19% Responses by level of development Developing countries 38.71% Transition countries 8.06% SURVEY 1 In your opinion, how important is raising awareness on cybersecurity as a basic step to achieving security in cyberspace? 62 responses received 60 54 50 40 30 20 8 10 0 0 0 Not important Somewhat important August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Important Very important 2 Has your country already adopted a general framework/strategy for cybersecurity? Yes 60 responses received No No 26 43% 70% 60% 60% 60% 59% 50% 50% 50% 40% 40% 40% 41% 30% 20% 10% 0% Developed countries Transition countries Developing countries August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Least developed countries Yes 34 57% 3 If you answered ‘yes’ to the previous question, has any part of this policy/framework/strategy been directed to raising the awareness of the general public? 39 responses received No 8 21% Yes 31 79% August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity 5 If your country has not yet adopted a general framework/strategy for cybersecurity, has it been discussing/developing/formulating one? 48 responses received No 16 33% Yes 32 67% August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity 6 Do these discussions/formulations include raising cybersecurity awareness? No 1 3% 30 responses received Yes 29 97% Responses by level of development: Developed countries Transition countries Yes 5 4 11 9 No 0 0 1 0 August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Developing Least countries developed countries Are there other parties not identified by the legislations/policies/practices that are concerned with raising public awareness on cybersecurity? 9 54 responses received Responses by level of development: 120% No 21 39% 100% Yes 100% No 80% Yes 33 61% 67% 58% 60% 50% 50% 42% 40% 33% 20% 0% 0% Developed countries August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Transition countries Developing countries Least developed countries 10 Was any specific research or survey conducted concerning cybersecurity in your country and/or region? 53 responses received No 19 36% Yes 34 64% August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Results by level of development: Developed countries Transition countries Developing countries Least developed countries Yes 83% 50% 44% 53% No 17% 50% 56% 47% 11 Which groups are targeted by cybersecurity awareness campaigns in your country? *Replies to more than one item possible 20% 18% 18% 17% 17% 16% 16% 13% 14% 12% 9% 10% 8% 7% 6% 4% 3% 2% 0% Children Youth Students August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Elderly people Persons with disabilities Private institutions Government agencies Others 12 Which one of the groups identified below is more targeted? Please arrange in order of 1 to 6 for the highly targeted to the less targeted? Percentage of value 1 responses assigned to each category 1.11% Children Youth 26.67% 25.56% Students Elderly people Persons with disabilities Private institutions Government agencies 6.67% Others 17.78% 2.22% 4.44% 15.56% August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Total number of responses received with value 1: 90 Some respondents assigned value 1 more than once 13 Has your country designed, or is in the process of designing, a dedicated plan in the general cybersecurity framework/strategy for persons with disabilities? 56 responses received Yes 7 12% Results by level of development: The ‘No’ is predominant in all categories of countries August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity No 49 88% 14 What are the cybersecurity issues that are addressed by existing awareness campaigns? 341 responses received *Replies to more than one item possible Others 40 12% Internet safety 56 17% Child Online Protection 51 15% Privacy 49 14% Malware 48 14% Phishing 48 14% August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Fraud 49 14% 15 What is the degree of importance of each issue? Please arrange in order of the most important to the less important and give reasons for such order? Percentage of value 1 responses assigned to each category 13.79% 14% Privacy 24.14% 24% Fraud 1.15% 1% Phishing Malware Child Online Protection Others 9.20% 9% 36.78% 37% Total number of responses received with value 1: 87 Some respondents assigned value 1 more than once August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity 14.94% 15% 18 Are there certain tools and technical measures related to providing cybersecurity, such as anti‐virus or anti‐spam software, available to the persons with disabilities? Yes 13 25% Results by level of development: 52 responses received 120% 100% 80% No 39 75% 60% 40% 20% 0% Developed countries Transition countries Yes No August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity Developing countries Least developed countries 19 Is the public encouraged to use the different tools and technical measures for cybersecurity such as anti‐virus or anti‐spam software? 53 responses received No 7 13% Yes 46 87% August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity 20 If the answer is ‘yes’ to the previous question, are these different types of tools and technical measures made available to the public and how? No 12 26% 46 responses received 120% 100% 100% Yes 34 74% 100% 80% 74% 58% 60% 42% 40% 26% 20% 0% Yes 0% Developed countries 0% Transition countries Developing countries August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity No Least developed countries Information compiled by the Secretariat to the ITU‐D Study Groups devsg@itu.int August 2013 ITU‐D Study Group Question 22‐1/1 2013 ITU survey on measures taken to raise awareness on cybersecurity