ENISA looks to improve European IT network resilience

European security agency ENISA has warned that there is no way to ensure the availability of secure networks in times of need unless more effort is made to assess their resilience.

The agency's new report, Main Challenges and Recommendations on Network and Service Resilience Metrics, calls for better reporting and security measurement.

"It is imperative for the critical information infrastructure protection to be able to accurately measure the security and resilience in Europe," said Udo Helmbrecht, executive director of ENISA.

The security agency explained that a metrics and measurement framework is an essential part of any security assessment, and that only careful study will lead to policies and practices that improve network and service resilience.

This is likely to become increasingly important as hackers and online criminals increase the scale of their operations.

The need for improved metrics may be pressing in Europe, as the European Commission had some of its own systems attacked just last week.

ENISA said that there are very few measurement frameworks, and that none of them is globally acceptable.

In addition, there are no standard practices for measurement, which means that organisations are trying to adhere to a range of baseline metrics or are creating their own internally.

These discrepancies make it difficult for organisations like ENISA to produce high-level assessments of national preparedness.

A reliance on internal metrics creates an environment where any other resilience metrics, or ways of assessing performance, are difficult to deploy because of a lack of knowledge and awareness, said ENISA.

The EU agency recommended a number of changes, including the establishment of good practice resilience metrics, as well as the development of tools and software for automated resilience testing.