TRUESSEC Business Survey

This business survey is part of an EU-funded project called TRUESSEC.eu.

The goal of the project is to understand how effective labelling, certification and other forms of assurance might make ICT products and services more trustworthy and secure.

TRUESSEC.eu will be making recommendations to the European Commission, which are likely to impact on any business that has a digital presence across the European Union.

One aspect that is crucial to the success of the project is to understand the attitudes of businesses and their users to security and trust. This survey undertakes to capture some of these views. It has been carefully designed so that, on average, it can be completed in 7 minutes or less.

We’d therefore be grateful if you can spend a short time answering the following 24 questions. We will assure anonymity of all respondents and the aggregated results will be collated into a short summary paper, which we will make available free to all participants.

Please be careful not to disclose information that could personally identify you or your company, especially in the text boxes.

Many thanks.

Jon.kingsbury@ktn-uk.org

* 2. Please indicate the size of your company (in line with the definitions provided in EU recommendation 2003/361):

* 3. Type of organisation

* 4. Do you think that ICT security certification is a valuable tool to reduce cyber vulnerabilities of ICT products or services, like those triggered by emerging technologies such as the Internet of Things?

* 5. Has the security of your organisation / products / services been certified or labelled?

* 6. What forms of certification, assurance or trust methods does your organisation put in place for customer-facing products and services?

* 7. Have you encountered any of the following problems when dealing with ICT security certification procedures? Please tick box(es) as appropriate.

* 8. Are you aware of the existence of ICT security certification schemes across EU Member States (MS) for the same product/service?

* 9. If not, do you see the emergence of multiple national or sectorial certification schemes as a likely scenario in the future, especially in view of the growing cybersecurity risks?

* 10. Please explain to what extent the current or possible existence of multiple ICT certification schemes represents a barrier to market entry for your activities, and explain which measures should in your view be considered in order to minimise the impact on SMEs.

* 11. On average, what is the range of costs for certifying an ICT service/product?

* 12. Which of the following actions do you consider appropriate and proportionate to achieve the objective of reducing internal market fragmentation and improving trust in the security of ICT products and services in the EU?

* 13. Currently, there is no EU-wide ICT certification framework allowing for mutual/cross recognition of national schemes. What would be the likely impact that a mutual recognition mechanism of certificates across all Member States can have on your operations? (You can tick multiple boxes)

* 14. Do you believe that the creation of an EU-wide ICT certification framework based on mutual recognition could facilitate SMEs' access to public procurements across Member States?

* 15. Do you think that operators of essential services (energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure) have sufficient information regarding the security features of the ICT products / services they use for the functioning of their infrastructures?

* 16. Do you think that certification and labelling of ICT products / services may contribute to enhance the level of assurance of critical infrastructures?

* 17. Do you think that self-certification schemes could be considered a viable option to boost the level of cyber-security for selected product domains?

* 18. Do you think that the processes and tools used for ICT security certification should be sufficiently flexible and take into account different levels of assurances according to market needs (e.g. more stringent testing/assessment standards for more sensitive products/applications and less stringent for less sensitive products/applications)?

* 19. Do you see a specific role for certification in the Internet of Things domain?

* 20. Do you think that a labelling scheme underlying the level of security and privacy an IoT device encompasses would help you increase trust in IoT products and services?

* 21. Which are the main reasons that make you reluctant to buy products and services coming out from emerging digital technologies, like Internet of Things for example:

* 22. Would you feel comfortable installing any software updates yourself that are needed for the proper functioning of your connected device (e.g. a car, a thermostat, a fridge, etc.)?

* 23. Would you be in favour of the introduction of a common label signalling that the products have been certified within a certification scheme in accordance with EU rules?

* 24. In your opinion, what role might the EU Agencies (such as ENISA) have in the management of an EU-wide cybersecurity certification scheme?
