Industry Responses to the European Directive on Security of Network and Information Systems (NIS): Understanding policy implementation practices across critical infrastructures

Aleksandra Michalec; Dirk Van Der Linden; Sveta Milyaeva; Awais Rashid

Industry Responses to the European Directive on Security of Network and Information Systems (NIS): Understanding policy implementation practices across critical infrastructures

Aleksandra Michalec, Dirk Van Der Linden, Sveta Milyaeva, Awais Rashid

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

6 Citations (Scopus)

170 Downloads (Pure)

Abstract

As traditional legacy systems that run critical national infrastructures (CNI) are increasingly digitized for performance monitoring and efficiency, significant attention has been brought to improving their cyber security. Network and Information Systems Security (NIS) Directive is the first Europeanscale attempt to establish a high standard of cyber security among CNIs. NIS raises questions about defining scope, providing evidence or mobilizing funding. Most importantly, there is the fundamental question whether it would become a tick-box exercise or lead to long-term improvements in security practices. We interviewed 30 cyber security practitioners in the UK to gather an in-depth understanding of NIS implementation and its probable futures. Our analysis found that the emerging field of Operational Technology Security is yet to formulate norms, standards and career trajectories. We are, therefore, at a critical junction, where the scope of the profession is shaping together with the need for evidence-based policy advice. Our findings are twofold: (1) a number of security tropes (e.g., “security solutions are the same across the sectors”), which may drive implementation of regulations such as NIS; (2) a classification of cyber security practices mapping the diversity of policy interpretations. We conclude
with recommendations for policymakers and CNI operators.

Original language	English
Title of host publication	Proceedings of the Sixteenth Symposium on Usable Privacy and Security
Publisher	USENIX Association
Pages	301-318
Number of pages	18
ISBN (Electronic)	9781939133168
ISBN (Print)	978-1-939133-16-8
Publication status	Published - 10 Aug 2020
Event	16th Symposium on Usable Privacy and Security, SOUPS 2020 - Virtual, Online Duration: 10 Aug 2020 → 11 Aug 2020

Publication series

Name	Proceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020

Conference

Conference	16th Symposium on Usable Privacy and Security, SOUPS 2020
City	Virtual, Online
Period	10/08/20 → 11/08/20

Bibliographical note

Funding Information:
This work was supported by RITICS grant “How many shades of NIS? Understanding Organizational Cybersecurity Cultures and Sectoral Differences”.

Publisher Copyright:
© 2020 by The USENIX Association.

Access to Document

Full-text PDF (final published version)
This is the final published version of the article (version of record). It first appeared online via Usenix at https://www.usenix.org/conference/soups2020/presentation/michalec. Please refer to any applicable terms of use of the publisher.
Final published version, 555 KB

https://www.usenix.org/conference/soups2020/presentation/michalec

Handle.net

Persistent link

Cite this

Michalec, A., Van Der Linden, D., Milyaeva, S., & Rashid, A. (2020). Industry Responses to the European Directive on Security of Network and Information Systems (NIS): Understanding policy implementation practices across critical infrastructures. In Proceedings of the Sixteenth Symposium on Usable Privacy and Security (pp. 301-318). (Proceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020). USENIX Association. https://www.usenix.org/conference/soups2020/presentation/michalec

Michalec, Aleksandra ; Van Der Linden, Dirk ; Milyaeva, Sveta et al. / Industry Responses to the European Directive on Security of Network and Information Systems (NIS) : Understanding policy implementation practices across critical infrastructures. Proceedings of the Sixteenth Symposium on Usable Privacy and Security. USENIX Association, 2020. pp. 301-318 (Proceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020).

@inproceedings{8d2e8ba979e8462692e5f3bde4b514ec,

title = "Industry Responses to the European Directive on Security of Network and Information Systems (NIS): Understanding policy implementation practices across critical infrastructures",

abstract = "As traditional legacy systems that run critical national infrastructures (CNI) are increasingly digitized for performance monitoring and efficiency, significant attention has been brought to improving their cyber security. Network and Information Systems Security (NIS) Directive is the first Europeanscale attempt to establish a high standard of cyber security among CNIs. NIS raises questions about defining scope, providing evidence or mobilizing funding. Most importantly, there is the fundamental question whether it would become a tick-box exercise or lead to long-term improvements in security practices. We interviewed 30 cyber security practitioners in the UK to gather an in-depth understanding of NIS implementation and its probable futures. Our analysis found that the emerging field of Operational Technology Security is yet to formulate norms, standards and career trajectories. We are, therefore, at a critical junction, where the scope of the profession is shaping together with the need for evidence-based policy advice. Our findings are twofold: (1) a number of security tropes (e.g., “security solutions are the same across the sectors”), which may drive implementation of regulations such as NIS; (2) a classification of cyber security practices mapping the diversity of policy interpretations. We concludewith recommendations for policymakers and CNI operators.",

author = "Aleksandra Michalec and {Van Der Linden}, Dirk and Sveta Milyaeva and Awais Rashid",

note = "Funding Information: This work was supported by RITICS grant “How many shades of NIS? Understanding Organizational Cybersecurity Cultures and Sectoral Differences”. Publisher Copyright: {\textcopyright} 2020 by The USENIX Association.; 16th Symposium on Usable Privacy and Security, SOUPS 2020 ; Conference date: 10-08-2020 Through 11-08-2020",

year = "2020",

month = aug,

day = "10",

language = "English",

isbn = "978-1-939133-16-8",

series = "Proceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020",

publisher = "USENIX Association",

pages = "301--318",

booktitle = "Proceedings of the Sixteenth Symposium on Usable Privacy and Security",

address = "United States",

}

Michalec, A, Van Der Linden, D, Milyaeva, S & Rashid, A 2020, Industry Responses to the European Directive on Security of Network and Information Systems (NIS): Understanding policy implementation practices across critical infrastructures. in Proceedings of the Sixteenth Symposium on Usable Privacy and Security. Proceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020, USENIX Association, pp. 301-318, 16th Symposium on Usable Privacy and Security, SOUPS 2020, Virtual, Online, 10/08/20. <https://www.usenix.org/conference/soups2020/presentation/michalec>

Industry Responses to the European Directive on Security of Network and Information Systems (NIS) : Understanding policy implementation practices across critical infrastructures. / Michalec, Aleksandra; Van Der Linden, Dirk; Milyaeva, Sveta et al.

Proceedings of the Sixteenth Symposium on Usable Privacy and Security. USENIX Association, 2020. p. 301-318 (Proceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020).

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

TY - GEN

T1 - Industry Responses to the European Directive on Security of Network and Information Systems (NIS)

T2 - 16th Symposium on Usable Privacy and Security, SOUPS 2020

AU - Michalec, Aleksandra

AU - Van Der Linden, Dirk

AU - Milyaeva, Sveta

AU - Rashid, Awais

N1 - Funding Information: This work was supported by RITICS grant “How many shades of NIS? Understanding Organizational Cybersecurity Cultures and Sectoral Differences”. Publisher Copyright: © 2020 by The USENIX Association.

PY - 2020/8/10

Y1 - 2020/8/10

N2 - As traditional legacy systems that run critical national infrastructures (CNI) are increasingly digitized for performance monitoring and efficiency, significant attention has been brought to improving their cyber security. Network and Information Systems Security (NIS) Directive is the first Europeanscale attempt to establish a high standard of cyber security among CNIs. NIS raises questions about defining scope, providing evidence or mobilizing funding. Most importantly, there is the fundamental question whether it would become a tick-box exercise or lead to long-term improvements in security practices. We interviewed 30 cyber security practitioners in the UK to gather an in-depth understanding of NIS implementation and its probable futures. Our analysis found that the emerging field of Operational Technology Security is yet to formulate norms, standards and career trajectories. We are, therefore, at a critical junction, where the scope of the profession is shaping together with the need for evidence-based policy advice. Our findings are twofold: (1) a number of security tropes (e.g., “security solutions are the same across the sectors”), which may drive implementation of regulations such as NIS; (2) a classification of cyber security practices mapping the diversity of policy interpretations. We concludewith recommendations for policymakers and CNI operators.

AB - As traditional legacy systems that run critical national infrastructures (CNI) are increasingly digitized for performance monitoring and efficiency, significant attention has been brought to improving their cyber security. Network and Information Systems Security (NIS) Directive is the first Europeanscale attempt to establish a high standard of cyber security among CNIs. NIS raises questions about defining scope, providing evidence or mobilizing funding. Most importantly, there is the fundamental question whether it would become a tick-box exercise or lead to long-term improvements in security practices. We interviewed 30 cyber security practitioners in the UK to gather an in-depth understanding of NIS implementation and its probable futures. Our analysis found that the emerging field of Operational Technology Security is yet to formulate norms, standards and career trajectories. We are, therefore, at a critical junction, where the scope of the profession is shaping together with the need for evidence-based policy advice. Our findings are twofold: (1) a number of security tropes (e.g., “security solutions are the same across the sectors”), which may drive implementation of regulations such as NIS; (2) a classification of cyber security practices mapping the diversity of policy interpretations. We concludewith recommendations for policymakers and CNI operators.

UR - http://www.scopus.com/inward/record.url?scp=85091825610&partnerID=8YFLogxK

M3 - Conference Contribution (Conference Proceeding)

AN - SCOPUS:85091825610

SN - 978-1-939133-16-8

T3 - Proceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020

SP - 301

EP - 318

BT - Proceedings of the Sixteenth Symposium on Usable Privacy and Security

PB - USENIX Association

Y2 - 10 August 2020 through 11 August 2020

ER -

Michalec A, Van Der Linden D, Milyaeva S , Rashid A. Industry Responses to the European Directive on Security of Network and Information Systems (NIS): Understanding policy implementation practices across critical infrastructures. In Proceedings of the Sixteenth Symposium on Usable Privacy and Security. USENIX Association. 2020. p. 301-318. (Proceedings of the 16th Symposium on Usable Privacy and Security, SOUPS 2020).

Industry Responses to the European Directive on Security of Network and Information Systems (NIS): Understanding policy implementation practices across critical infrastructures

Abstract

Publication series

Conference

Bibliographical note

Access to Document

Handle.net

Other files and links

Embargoed Document

Fingerprint

How many shades of NIS? Understanding organisational cultures and sectoral differences during cyber security policy implementation

Cite this

Industry Responses to the European Directive on Security of Network and Information Systems (NIS): Understanding policy implementation practices across critical infrastructures

Abstract

Publication series

Conference

Bibliographical note

Access to Document

Handle.net

Other files and links

Embargoed Document

Fingerprint

Projects

How many shades of NIS? Understanding organisational cultures and sectoral differences during cyber security policy implementation

Cite this