Maintaining information security in the face of antagonistic security threats is no easy task. While it is difficult to estimate the number and scope of attacks against information systems and associated data breaches – as all breaches might not be detected and those that are may not necessarily be reported – numbers from security companies seem to suggest an increase in the frequency of data breaches with a slight reduction in the number of records exposed over the last three years.1 In any case, countering the threat to information systems from antagonistic actors is increasingly highlighted as a priority for the European Union,2 as well as governments in many states around Europe.3 A recent industry survey by PwC further suggest that a top information security priority for the public sector is adopting continuous monitoring of technical controls and further use of monitoring systems and security intelligence.4 One such type of monitoring system will be analysed in this article; the implementation of information security sensor systems in government information architecture. The term ‘information security sensor systems’ is used here to describe network monitoring tools which detect attacks (including attempted breaches) against network servers by analysing traffic and comparing this traffic to known attack-vectors, traffic profiles or content, while also recording attacks and thus providing information to sensor databases for the prevention of future attacks. It is not a term that necessarily connotes a specific type of equipment or configurations of such measures as this may depend on the context where it is deployed or the manufacturer of the technology. Instead it refers to technologies, processes and other measures that may include or be described as ‘Security Information and Event Management tools (SIEM)’,۵ ‘New-Generation Cybersecurity Monitoring and Management Systems’,۶ ‘Network filters’,۷ or ‘proactive cooperative defense’.۸ Generally speaking though, the type of sensor system discussed here operates by monitoring the attributes of connections to information systems. This includes, for example, the originating IP-address or e-mail address, the requested resources, and may include the content of e-mails and other communications to and from information systems to enable the real-time or retrospective identification of potential malicious code, phishing attempts or DDoS attacks. A more detailed explanation and concrete examples of their function and use is given in Section 2 below.