02 ICT security measure used: user identification and authentication via biometric methods implemented by the enterprise
03 ICT security measure used: encryption techniques for data, documents or e-mails
04 ICT security measure used: data backup to a separate location (including backup to the cloud)
05 ICT security measure used: network access control (management of access by devices and users to the enterprise's network)
06 ICT security measure used: VPN (Virtual Private Network extends a private network across a public network to enable secure exchange of data over public network)
07 ICT security measure used: maintaining log files for analysis after security incidents
08 ICT security measure used: ICT risk assessment, i.e. periodically assessment of probability and consequences of ICT security incidents
09 ICT security measure used: ICT security tests
0a Enterprises using any ICT security measure
0b ICT security measure used: combination of at least two authentication mechanisms (e.g. user-defined password, one-time password (OTP), code generated via a security token or received via a smartphone, biometric methods)
0c ICT security measure used: monitoring system that allows detecting suspicious activity in the ICT systems and alerts the enterprises about it, other than standalone anti-virus software
0d Enterprises using any ICT security measure (as of 2022)
0e Enterprises using at least 3 ICT security measures (as of 2022)
0f Enterprises using at least 5 ICT security measures (as of 2022)
0g Enterprises using at least 7 ICT security measures (as of 2022)
0h Enterprises using all ICT security measures (as of 2022)
0i Enterprises had a formally defined ICT security policy (as of 2015)
0j The enterprise's ICT security policy was defined or most recently reviewed within the last 12 months
0k The enterprise's ICT security policy was defined or most recently reviewed more than 12 months and up to 24 months ago
0l The enterprise's ICT security policy was defined or most recently reviewed more than 24 months ago
0m The enterprise's ICT security policy was defined or most recently reviewed within the last 24 months
0n Enterprises had a formally defined ICT security policy with a plan of regular review
0o Enterprises have document(s) on measures, practices or procedures on ICT security
0p The document(s) on measures, practices or procedures on ICT security address: management of access rights for the usage of ICT
0q The document(s) on measures, practices or procedures on ICT security address: storage, protection, access or processing of data
0r The document(s) on measures, practices or procedures on ICT security address: procedures or rules to prevent or respond to security incidents
0s The document(s) on measures, practices or procedures on ICT security address: responsibility, rights and duties of persons employed in the field of ICT
0t The document(s) on measures, practices or procedures on ICT security address: training of persons employed in the safe usage of ICT
0u The ICT security policy addressed the risks of destruction or corruption of data due to an attack or by unexpected incident
0v The ICT security policy addressed the risks of disclosure of confidential data due to intrusion, pharming, phishing attacks or by accident
0w The ICT security policy addressed the risks of unavailability of ICT services due to an attack from outside (e.g. Denial of Service attack)
0x The ICT security policy addressed the risks of destruction or corruption of data, disclosure of confidential data and unavailability of ICT services due to an attack or an accident
0y Enterprises make persons employed aware of their obligations in ICT security related issues by voluntary training or internally available information (e.g. information on the intranet)
0z Enterprises make persons employed aware of their obligations in ICT security related issues by compulsory training courses or viewing compulsory material
10 Enterprises make persons employed aware of their obligations in ICT security related issues by contract (e.g. contract of employment)
11 Enterprises make persons employed aware of their obligations in ICT security related issues
12 Enterprises don't make persons employed aware of their obligations in ICT security related issues
13 Enterprises have made staff aware of their obligations in ICT security related issues through compulsory training or presentations
14 Enterprises have made staff aware of their obligations in ICT security related issues through contract, e.g. contract of employment
15 Enterprises have not made staff aware of their obligations in ICT security related issues
16 Enterprises have made staff aware of their obligations in ICT security related issues
17 Enterprises have made staff aware of their obligations in ICT security related issues through voluntary training or generally available information (on the Intranet, news letters or paper documents)
18 The ICT security related activities are carried out by the own employees
19 The ICT security related activities are carried out by external suppliers
1a The ICT security related activities are carried out by own employees or external suppliers
Unit of measure
0 Percentage of enterprises
1 Percentage of enterprises with an ICT security policy (as of 2015)
2 Percentage of enterprises with document(s) on measures, practices or procedures on ICT security (as of 2019)
3 Percentage of enterprises with an ICT security policy
4 Percentage of the enterprises which use a computer
5 Percentage of enterprises where persons employed have access to the internet
Geopolitical entity (reporting)
00 European Union - 27 countries (from 2020)
01 European Union - 28 countries (2013-2020)
02 European Union - 27 countries (2007-2013)
03 European Union - 25 countries (2004-2006)
04 European Union - 15 countries (1995-2004)
05 Euro area (EA11-1999, EA12-2001, EA13-2007, EA15-2008, EA16-2009, EA17-2011, EA18-2014, EA19-2015, EA20-2023)
Security policy: measures, risks and staff awareness by size class of enterprise
methods, notes and classification
Methods 
Variables