Many organisations view cybersecurity threats as a technical challenge that needs primarily technical solutions, and many governments view them primarily as a national security issue. Yet the economic and social consequences of cyber incidents can be much more severe than their technical impact for the organisation, its partners and third parties. For example, ransomware in hospitals can be fatal, and IP breaches can cost years of a company’s R&D. Furthermore, security measures can undermine economic objectives by increasing cost and complexity, reducing performance, and limiting innovation. 

This is why the OECD promotes digital security risk management, a cybersecurity approach focusing on the economic and social consequences of technical breaches rather than only on technical or national security aspects.

At an operational level, the first step to manage digital security risk in organisations is the adoption of a strategic approach and the establishment of appropriate governance, where the economic leadership of the organization owns the digital security risk and works with technical experts to address it. The strategy should create a risk assessment and treatment cycle, whereby the risk is systematically evaluated, and the business leadership decides which part of the risk to take, avoid, reduce and transfer. 

On that basis, they can work with technical experts to select security measures which may involve technologies, human and organisational aspects. They should explore how security can add value and create a competitive advantage. Lastly, they should also take resilience, preparedness and continuity measures in order to be prepared when an incident happens. 

Over the past decade, our societies have become more reliant on digital technology, exposing critical activities to increased cyber threats. Governments face pressure to implement innovative policies to bolster the digital security of critical activities such as health care, energy, and transport services. However, this endeavor may entail substantial costs and constraints for critical activity operators. The policy challenge lies in ensuring policies target critical aspects without burdening the others or impeding the benefits of digital transformation.

The OECD Recommendation on the digital security of critical activities provides a roadmap provides guidance for policy makers on how to define what operators should do, set up the right institutional framework, establish trust-based partnership, and co-operate at international level.