
Instituto Nacional de Tecnologías de la Comunicación

Study of the ICT security sector in Spain

1st Report from the Information Security and e-Trust Analysis and Study Group

Study of the ICT security sector in Spain Page 1 of 64


Observatorio de la Seguridad de la Información
Instituto Nacional de Tecnologías de la Comunicación

Edition: February 2009

This publication belongs to the Instituto Nacional de Tecnologías de la Comunicación –INTECO- (National Communications Technologies Institute) and is released under a Creative Commons Spain 2.5 Attribution Non-commercial license, which permits copying, distributing and displaying this work under the following conditions:
• Attribution: The content of this report may be reproduced in whole or in part by third parties, provided the source is specified and express reference is made both to INTECO and to its website: www.inteco.es. This attribution may in no event suggest that INTECO supports the third party or the use made of its work.
• Non-commercial Use: The original material and any derived works may be distributed, copied and shown provided that it is not for commercial purposes.
When the work is reused or distributed, its license terms must be made very clear. Some of these conditions may not apply if permission is obtained from INTECO as the copyright holder. Nothing in this license impinges on or restricts INTECO's moral rights.
Full license text:
http://creativecommons.org/licenses/by-nc/2.5/es/


TABLE OF CONTENTS

KEY POINTS
I. Introduction
II. ICT Security Market
III. Inhibiting and Stimulation Factors
III.1 Inhibitors
III.2 Stimulation Factors
IV. Prospects and Trends
V. Public ICT Security Policies
VI. Recommendations

1 PRESENTATION AND OBJECTIVES
1.1 Presentation
1.1.1 Instituto Nacional de Tecnologías de la Comunicación
1.1.2 Observatorio de la Seguridad de la Información
1.2 Information Security and e-Trust Analysis and Study Group

2 INTRODUCTION

3 ICT SECURITY MARKET
3.1 Classification of the ICT Security Market
3.2 ICT Security Market in Spain
3.3 Security Sector Agents in Spain

4 STIMULATION AND INHIBITING FACTORS
4.1 Factors that inhibit ICT security
4.1.1 Scant perception of the risk: if you cannot see the problem, it does not exist
4.1.2 Reactive attitude with regard to security
4.1.3 Cost and complexity of ICT security tools
4.2 Stimulation factors for the ICT security market
4.2.1 Legislation and regulation
4.2.2 Stimulating demand for ICT security
4.2.3 Growing risk of security threats
4.2.4 Support for the ICT security sector

5 ANALYSIS OF THE DEMAND FOR ICT SECURITY
5.1 Demand for ICT security in the home
5.1.1 Measures adopted
5.1.2 Incidents declared by users
5.1.3 Incidents detected by INTECO on users' computers
5.2 Demand for ICT security in SMEs
5.2.1 Knowledge of security incidents
5.2.2 Security incidents declared by SMEs
5.2.3 ICT security solutions implemented in SMEs
5.3 Demand for ICT security in large enterprises
5.3.1 Security Governance
5.3.2 Measures adopted
5.4 Conclusions of the analysis

6 PROSPECTS AND TRENDS
6.1 Trends in the demand for ICT security in Spain
6.1.1 Home users
6.1.2 SMEs
6.1.3 Large companies
6.2 Trends in the supply of ICT security in Spain
6.3 Evolution of the ICT security market in Spain

7 PUBLIC ICT SECURITY POLICIES
7.1 Regulation and legislation
7.1.1 Rules that protect security-related rights
7.1.2 Regulations that establish obligations for ICT security questions
7.1.3 Rules that provide legal safeguards in the provision of services
7.1.4 Obligations for Public Administrations
7.2 Public procurement of ICT security solutions
7.3 Emblematic tractor projects: eDNI
7.4 Promotion, awareness, dissemination and training activities

8 RECOMMENDATIONS
8.1 Regular publication of a report on ICT security in Spain
8.2 National ICT Security Strategy: promoting standards and certification
8.3 Actions designed to boost demand for ICT security in the public administrations
8.4 Actions designed to boost demand for security in SMEs and homes
8.5 Actions designed to boost the ICT security sector

ANNEXE. CATEGORIES WITHIN THE ICT SECURITY MARKET
I. Security Hardware
II. Security Software
III. Security Services

LIST OF GRAPHS


KEY POINTS

I. Introduction
INTECO took the initiative to set up and head a top-level think-tank or group of experts –
with members drawn from the IT security private sector and scientific community in Spain,
as well as renowned public sector experts in this field – in order to analyse information
security issues within the Information and Communication Technology sector.

Its objectives are: first of all, to diagnose the current state – and predict the future trends –
of the information security market in Spain and Europe; secondly, to study tendencies in
ICT security and their impact on the Public Administration, the business sector and
citizens in general; and thirdly, to undertake a market analysis (of the actors, supply and
demand, etc.) that may provide an insight into the business models implemented in the
sector, as well as the positioning and importance of ICT security within the economy as a
whole.

II. ICT Security Market

• The worldwide security market has experienced steady growth in recent years, constantly achieving significant growth rates year on year. The Spanish security market has followed this same trend and, in 2006, reached the figure of €617M [1]. Of this figure, security services account for 54.9% of the market, security software for 36.4% and security hardware for 8.7%.

• There is a highly important ICT security industry in our country and the
Administration has introduced various initiatives with sufficient driving force (e.g. the
so-called ‘tractor projects’) to assist in developing the sector and positioning it on the
international market – it already has a presence, but its positioning could always be
improved.

• There are basically two difficulties when it comes to implementing policies that influence the development of the sector: the absence of consolidated data on the sector and the rapid pace at which the nature of the threats changes, for which a solution must be sought.

[1] IDC (2006), The security market in Spain.


III. Inhibiting and Stimulation Factors

III.1 Inhibitors

• There are certain factors in the Spanish market that hinder the development of the
ICT security sector, the most significant of which are to be found on the demand
side: modifying this is deemed a key element for ensuring the consolidation of a
mature security market.

• Homes and businesses have insufficient knowledge of their ICT security needs,
know nothing of the evolution of the threats and, possibly, are not even aware of
their legal obligations. In such a scenario, there would seem to be a clear need for
increased initiatives to educate and spread the word in order to foster a security
culture.

• Spain has yet to undergo the most far-reaching change in the way ICT security is conceived: the move from a reactive to a proactive approach. Only the major organisations – basically those in certain sectors (banking, health, defence) – have acquired a proactive security culture. In general, the predominant conception of this issue centres on protection measures that require no intervention on the part of the user, i.e. "install and forget" solutions, instead of conceiving security as a need to foster personal and organisational behaviour patterns that enhance protection.

• The consequence of a reactive attitude to security problems is a kind of "emergency demand", where clients seek a rapid solution to their problem and resort to partial solutions, instead of implementing global solutions based on an accurate risk analysis, which, insofar as is possible, could prevent such incidents.

III.2 Stimulation Factors

• Pertinent legislation and the so-called tractor projects are considered to be the factors that have most boosted development of ICT security in Spain.

o Legislation constitutes a powerful instrument for configuring demand and, by introducing a legal obligation, offsets the lack of awareness and/or outright ignorance of users.

o Among such tractor projects, the most noteworthy is a series of initiatives related to the electronic ID card. This initiative could form the basis for developing a wide-ranging market of products and services. In addition to the efforts involved in starting it up and disseminating it among ordinary citizens, we must consider those related to developments (libraries, etc.) that enable its uses to be multiplied and further extended.


o Insofar as security governance is concerned, it is particularly important that established standards be made widely known. These can then act as guidelines for facilitating purchasing decisions and bring the efforts of all security product consumers into line with internationally recognised good practices. Standards and certification stamps constitute a basic element for coordinating the efforts of institutions, businesses and homes. Certification could form the basis of an ICT security strategy to boost development within the market.

• The public sector is a major consumer of ICT security solutions, given that they
are essential for providing services to its citizens (e.g. health, justice or education) or
for covering its own needs (defence, taxes, etc). The development of the ICT
security industry would benefit greatly from explicit consideration of these needs in
public procurement programmes.

• Demand for ICT security in large enterprises:

o The key concept as regards the demand for ICT security in major enterprises
is business continuity.

o Between 2006 and 2007, we witnessed an increase (10%) in the number of organisations with managers specifically dedicated to ICT security. This would seem to confirm that security awareness is growing considerably at larger companies and is being afforded specific attention, clearly differentiated from other information systems issues.

o The most noteworthy process, given its spectacular evolution between 2006 and 2007, is the design of a global security strategy, which was implemented in 37% of companies in 2006 and rose to 57% in 2007: 20 percentage points, a relative increase of 54% in just one year.

• Demand for ICT security in the home:

o Antivirus and firewalls are the most commonly used security tools in the
home, present in 94% and 75% of households, respectively.

o Those security measures that call for the active intervention of users are the
least common: document encryption, backup copies, separate disk partitions,
etc.

o There is a large volume of highly varied incidents, with the most prevalent being the reception of unsolicited email (spam), which affects 83.3% of all users. Nonetheless, it is worth noting that serious incidents, such as account or credit card fraud or theft, are not very widespread.

• Demand for ICT security in the SME:

o The antivirus is the most commonly used security tool in SMEs; 98.9% say they have one installed on their computers.

o How SMEs act on security matters depends on factors such as their size and sector of activity. In general, the behaviour of micro companies has a great number of similarities with the household sector.

o 95% of Spanish SMEs believe ICT security is important or very important. However, this does not seem to be accompanied by other indicators, such as knowledge of the threats in question. This shortcoming may be due to the absence of suitably qualified personnel in the ICT security field within Spanish SMEs: a mere 16% of the SMEs surveyed said they have ICT security experts on their staff. It would appear necessary to bolster the training programmes undertaken by public entities in order to foster the introduction of a security culture in Spanish SMEs, in keeping with the importance this issue warrants.

o The concept of ICT security governance, as implemented in major enterprises, must be extended to their small and medium-sized counterparts, by means of a nationwide security strategy which, moreover, can provide the support needed to assist SMEs in the task of complying with ICT security legislation.

IV. Prospects and Trends

• Investment in security will continue to grow and the market will continue producing
highly significant growth rates.

• It is likely that the security market will go on to become a services market. Many
ICT firms who do not belong to the security segment, as well as telecoms operators,
are already entering this market through the provision of services. In the same
fashion, many software companies are starting to offer managed security services
on a large scale, in order to offset their reduced margins from software sales.

• The growth of the security services segment will accelerate in the medium and long
term, as this technology matures and the supply positions itself in managed
services, thus stealing market share from the security software segment.


• The forecast is for greater growth in proactive security measures, given the high
penetration of security elements classified as being passive: antivirus, firewall,
antispam and antispyware programs, pop-up window blockers and operating system
security updates. Nonetheless, users will continue to rely on security mechanisms
which do not require constant attention and do not limit their sense of freedom when
using the Internet.

V. Public ICT Security Policies

• The legislation on security issues may be classified into four categories:

o Regulations that protect security-related rights and sanction contraventions: Penal Code and Intellectual Property Act.

o Regulations that offer legal safeguards when providing services related to ICT security: Electronic Signature Act, Spanish Evaluation and Certification System for Information Technology Security.

o Regulations that establish obligations for ICT security questions: Data Protection Act and Law on Measures to Promote the Information Society.

o Regulations that establish security obligations for public administrations: Law on Electronic Access for Citizens to the Public Administrations and the National Security Scheme.

• The public sector, in its role as a consumer with a large volume of public
acquisitions, can have a very direct impact on the development of the market,
stimulating innovation and serving as an example for the adoption of security
measures.

o Public acquisitions should not consider security as a component of some other product or service, but rather as a fundamental element that, of necessity, must form part of them all.

o The fact that the Public Administration has started up major tractor projects
has provided a new source of stimulation for the security market, with the key
example being the potential for further developing the market provided by the
electronic ID card project.

o The public sector must bring its financing policies for R&D&I on ICT security
issues into line with planning for its own demand (public procurement), so
that the investment may prove to be effective and contribute towards
developing the market.


VI. Recommendations

• Actions designed to boost demand for security in the Public Administrations:

o Increasing the value and importance of ICT security in the public procurement of ICT products and services.

o Planning of public procurement in order to boost R&D&I in security.

• Actions designed to boost demand for security in SMEs and homes:

o Organisation of public awareness campaigns in order to enhance the ICT security culture and stress the rapid evolution of the very nature of the threats.

o Support and foster greater knowledge and fulfilment of the regulations which
impose specific obligations within the field of ICT security and provide
support for complying with pertinent legislation. The standards, certification
stamps and self-regulation based on the dissemination of good practices
constitute a basic element for coordinating the efforts of institutions,
companies and households, which, without this reference framework, often
make a great effort lacking in any method.

• Actions designed to boost the ICT security sector:

o Draft an internationalisation plan for Spanish security technology.

o Promote and facilitate financing for innovative ICT security firms.

o Encourage R&D&I in the ICT security field.

o Draft periodical studies on ICT security in Spain.


1 PRESENTATION AND OBJECTIVES

1.1 Presentation

Drafting this report is in keeping with the overall objectives of Plan Avanz@, approved by the Spanish government in 2005 and integrated within the programme known as Ingenio 2010. One of the major spheres of activity envisaged under Plan Avanz@ for the period 2007-2010 is the so-called New Digital Context [2]. One of its principal features is the promotion of ICT security and e-trust and, to this end, the Plan sets forth the following objectives:

• Increase the level of awareness, training and knowledge of citizens, companies and Public Administrations regarding the new Information and Communication Technologies (hereinafter ICT).

• Encourage the incorporation of IT security within organisations as a critical factor for increasing their competitiveness, developing the necessary security infrastructure and promoting the adoption of best practices, particularly the certification of information security.

• Develop an effective infrastructure for the execution of a nationwide information security policy, coordinating the different agents and activities, constantly monitoring information security issues and coordinating international representation on ICT security matters [3].

In keeping with Plan Avanz@, this report aims to contribute towards achieving the
aforementioned goals, presenting an overview of the current situation in the Spanish ICT
security sector and proposing the role that all the agents within the sector should fulfil in
order to boost and develop ICT security and e-trust.

1.1.1 Instituto Nacional de Tecnologías de la Comunicación


The Instituto Nacional de Tecnologías de la Comunicación – INTECO- (National Institute of Communication Technologies) is a state-owned company promoted by the Ministry of Industry, Tourism and Trade. It is a platform for the development of the Knowledge Society through projects in the field of innovation and technology.

INTECO's mission is to promote and develop innovation projects related to the field of information and communication technology (ICT), generally in the field of the Information Society, which will improve the position and competitiveness of Spain, expanding its capacities to both the European and Latin American environments. The Institute thus aspires to be an innovative development centre of national interest: an initiative that seeks to disseminate new technologies in Spain, in close alignment with Europe.

INTECO's corporate purpose is to manage, advise on, promote and disseminate technological projects. To this end, it will act along at least the following strategic lines: technological security, accessibility, innovation in ICT solutions for SMEs, e-health and e-democracy.

[2] http://www.planavanza.es/LineasEstrategicas/AreasDeActuacion/NuevoContextoDigital/
[3] http://www.boe.es/boe/dias/2007/08/08/pdfs/A34097-34099.pdf

http://www.inteco.es

1.1.2 Observatorio de la Seguridad de la Información


The Observatorio de la Seguridad de la Información (Information Security Observatory) is
positioned within the strategic line of action of INTECO regarding technological security.
The Observatory was founded with the purpose of describing the level of security and
trust in the Information Society systematically and in detail and to create expertise in this
area. Furthermore, it was created to serve citizens, companies and the public
administrations in Spain and describes, analyzes, advises and disseminates the culture of
information security and e-trust.

The Observatory has designed a Business and Study Plan in order to produce useful and
expert knowledge on security and to develop recommendations and proposals that define
valid trends for future decision-making processes by public authorities.

Within this action plan, research, analysis, study, counselling and dissemination activities are carried out, pursuing the following strategies:

• Carrying out original studies and reports in the field of information and
communication technology security, with particular emphasis on Internet safety.

• Monitoring key indicators and public policies related to information security and trust,
both nationally and worldwide.

• Creation of a database that will allow for the analysis and assessment of security
and trust through time.

• Promotion of research projects focusing on ICT security.

• Dissemination of studies and reports issued by other organisations and national and
international agencies, as well as information about current national and European
news concerning security and trust in the information society.


• Advising public administrations on information security and trust, in addition to supporting the creation, monitoring and assessment of public policies in this field.

http://observatorio.inteco.es

1.2 Information Security and e-Trust Analysis and Study Group

The last two objectives of the Observatory gave rise to INTECO adopting the initiative to
form a group dedicated to furthering knowledge of the sector and analysing its progress.
The underlying philosophy was that of a think-tank, i.e. the ideas put forward by the
experts were to be the raw material that could produce solutions in order to achieve the
objectives laid down.

Thus, this forum was born with the aim of providing active support to the decision-making
process faced by all the agents involved, in general, and by the public authorities, in
particular. Such decisions concern the present and future of the ICT security sector and
the Information Society in general. As a result, to a large degree, they affect the future
competitiveness and growth of the Spanish economy and society at large.

Duly represented within this group of experts are the principal agents of the ICT security
sector in Spain, drawn from both public and private entities, as well as various experts
from the university world and the most important sectorial associations. While it is indeed
true that, given the inherent characteristics of the group, it is not possible to include all the
representatives and experts from this sector, it can be safely said that the sample is
sufficiently representative to ensure that the final work may be deemed to constitute a
studied diagnosis shared by those within the ICT security sector.

To be more specific, the following experts, all members of the Group, have participated in
the drafting of this report:

• Adolfo Borrero. CEO. TELVENT INTERACTIVA

• Adrián Mouré. Chair of the Commission on Information Technology Trust and Security. SAFELAYER

• Alicia Álvarez. Deputy Director General of Information and Communication Systems. INTERIOR MINISTRY

• Bernardino Cortijo. Director of Internet Security. TELEFONICA

• Carlos Jiménez. Chairman. SECUWARE

• Eduardo Barranca. CENTRE FOR INTER-BANK COOPERATION

• Enrique Martínez. Director General. INTECO

• Jorge Pérez. PhD in Telecommunications Engineering and Professor at the Telecommunications Engineering Superior College. POLYTECHNIC UNIVERSITY OF MADRID

• José Antonio Mañas. PhD in Telematic Systems at the Telecommunications Engineering Superior College. POLYTECHNIC UNIVERSITY OF MADRID

• José Carbajosa. Director of Spanish Operations. VISA EUROPE

• Josu Franco. Director of Corporate Development. PANDA SOFTWARE

• Juan Carlos Yustas. Head of Corporate Logical Security. REPSOL-YPF

• Juan Gascón. Deputy Director of Telecommunications and Director. INFORMATION TECHNOLOGIES FOUNDATION

• Juan Miguel Márquez. Director General of Modernisation. PUBLIC ADMINISTRATIONS MINISTRY

• Luís Enrique Hernández. Public Administration & Health Director. INDRA

• Luís Jiménez. Head of Policy and Services Unit. DEFENCE MINISTRY – CNI

• Luís Martín. Marketing Director for the Enterprise Market. MICROSOFT

• Manuel Gallo. Independent consultant on business development and telecoms security matters.

• Oscar Pastor. Security Manager. ISDEFE

• Salvador Soriano. Deputy Director General of Services for the Information Society. S.E.T.S.I. – MINISTRY OF INDUSTRY, TOURISM & COMMERCE

• Xavier Mitxelena. Director General. S21SEC


2 INTRODUCTION

In 2007, nearly 95% of all companies in the European Union with over 10 employees were
connected to the Internet and most of them had a website [4]. The use of the mobile
telephone and the computer has become commonplace in the workplace, and computer
and communication technologies have become an essential part of citizens’ lives and of
their options for leisure and entertainment. In 2007, 45% of Spanish households had a
broadband connection to the Internet [5] and the penetration rate of mobile telephones in
Spain stood at 110.5% [6]. Schools and universities are connected to the Internet and it is
widespread practice to integrate the use of computers and the Internet into study and
learning processes. The public administrations have implemented strategies to develop an
electronic Administration that can provide an ever-growing number of public services via
the Internet. In short, computers and electronic communications already form an intrinsic
part of our everyday activities.

This integration into our daily lives is producing a growing awareness of the possible
vulnerabilities and operational risks involved. All this has given rise to the concept of ICT
security, defined as the capacity of networks and information systems to resist – up to a
certain level of trustworthiness – accidents or illicit or malicious actions that compromise
the availability, authenticity, integrity and confidentiality of the data stored or transmitted
and of the services that the said networks offer or make accessible [7].

The principal purpose of this report is to provide an overview of the situation surrounding
the ICT security sector in Spain, as seen from two different viewpoints: the needs that
citizens, companies and administrations demand be covered and the supply of security
solutions and services that currently exists on the market. This overview will allow us to
identify concrete measures and actions which, led by the public sector and counting on
the participation of the other agents involved, could boost the development of the ICT
security sector in Spain.

[4] Eurostat (2007), Utilisation of the Internet by Companies.
[5] Eurostat (2007), Internet access and e-skills in EU27 in 2007.
[6] Red.es (2007), Indicators for ICT sector, Telecommunications and Information Society Observatory. http://observatorio.red.es
[7] Mañas, J. A. (2006), Glossary.


3 ICT SECURITY MARKET

ICT security is a growing sector. Quantifying the size of a market is never an easy task
and, in the case of the security market, it is even more complex. The absence of
consolidated figures for the security sector, together with the fact that the operations of
many of the companies overlap with other branches of ICT activity, means that it is really
difficult to obtain data that are validated and accepted by all the agents involved. The
sector cannot even claim to have a structured classification system for ICT security-related
activities that could be taken as a reference framework. Many classifications have been
defined and greatly differing market figures have been published, within the broad
spectrum that envelops the whole concept of ICT security.

To this difficulty, we must add the dizzying speed at which this market evolves, both in
terms of new threats and of the new products and services launched to deal with them. In
such an ever-changing environment, it is not easy to obtain market data, much less
reliable historical data.

Notwithstanding this difficulty, market figures are essential in order to get a better grasp
of the situation. This section offers quantification data for the ICT security market in
Spain, based on reports published by the consultancies IDC and Gartner. Given all the
foregoing, implementing the initiatives necessary to gain access to market figures that
reflect the true situation of the sector will prove to be an important factor in the drive to
effectively boost development in this market.

3.1 Classification of the ICT Security Market

The security of networks and information systems must guarantee the availability of
services and data, impede the interruption and unauthorised interception of
communications, confirm that the data sent, received or stored are complete and
unaltered, ensure their confidentiality, protect the information systems against
unauthorised access or attacks related to malicious software and guarantee the reliable
authentication that can confirm the identity of entities or users [8].

In order to quantify the market that responds to all the needs outlined in this concept of
ICT security, we have segmented it into three areas of activity: security hardware, security
software and security services. The following figure details the elements considered in
each of these segments. The Annexe lists the definitions associated with each of these
areas of activity.

[8] European Commission (2003), Establishing the European Network and Information Security Agency.


Graph 1: Classification of the Security Market

[Tree diagram; the structure recovered from the extraction is as follows.]

ICT Security
  Security Hardware
    Authentication HW Devices: Biometric Devices, Authentication Devices, Smart Cards, Others
    [second hardware group, heading garbled in the extraction]: FW/VPN, UTM, IDS&IPS, SCM
  Security Software
    Identity & Access Management (IAM): PKI, Advanced Authentication, SSO, Legal Authentication, User Provision, Directory Services
    Security Vulnerability Management (SVM): Event Management, Vulnerability Management, Compliance with Regulations, Others
    Secure Content Management (SCM): Antivirus, Web Filtering, Messaging Security, Others (Antispyware)
    Threat Management: Firewall SW, IDS&IPS
    Other Security Software
  Security Services: Consultancy, Implementation of solutions, Managed Security Services, Education

Source: IDC

3.2 ICT Security Market in Spain

The worldwide security market has expanded considerably in recent years, constantly
achieving significant growth rates year on year. According to the estimations of IDC [9], in
2006 the Spanish security market reached a figure of €617.2M. This figure represents
4.2% of the total for the Spanish ICT market which, that same year, reached €14,540.7M.
The following graph reveals the contribution of each segment to the total ICT security
market in Spain.

[9] IDC (2006), The security market in Spain.


Graph 2: Spanish Security Market in 2006 [10]

[Pie chart; values recovered from the extraction:]
Security Services: €339.1M (54.9%)
Security Software: €224.4M (36.4%)
Security Hardware: €53.7M (8.7%)

Source: IDC

Security Hardware

The hardware market is the smallest segment, only representing 8.7% of the total. At this
moment in time, it is fundamentally focused on the firewall and VPN (Virtual Private
Network) segment, but there is an evident upwards trend in the segments dealing with
SCM (Secure Content Management) and, above all, UTM (Unified Threat Management).
The need for integrated, consolidated storage solutions is clearly driving this market.

Security Services

The most representative segment is currently that of security services, with a value that
represents 54.9% of the total security market. The services segment is drawing in a large
number of agents involved in consultancy work and the integration of security solutions.
Positioning moves within the managed security solutions sector can also be observed.

Security Software

The security software market accounts for 36.4% of the Spanish security market. This
market is highly concentrated in the content management and security segment, the most
representative of the security solutions adopted by the consumer and SOHO (Small
Office-Home Office) market. The second most relevant market is threat management.

[10] Authentication hardware is not included.


3.3 Security Sector Agents in Spain

Over the last few years, there has been a noticeable change in the structure of the ICT
security sector in Spain, with different integration processes taking place within the
industry and new actors, products and services constantly appearing. Within this
structure, the relevant agents in the ICT security market can be grouped into five
categories:

• Security software manufacturers. The developers of software tools play a particularly important role in the market and Spain can boast some important companies working to protect us all against malicious code (antivirus).

• Security hardware manufacturers. Among the agents on the Spanish market, there are companies who cover all the different categories within the classification used in the description of the market: biometric devices, authentication hardware, smart cards, etc.

• Security solutions distributors. Intermediaries who supply the different security solutions available (hardware, software and services) to large companies, SMEs and individuals.

• Integrators specialising in security. Integrators who specialise in security issues also play an important role in the Spanish market, given that they are the ones who come into direct contact with users.

• Security consultants and auditors. Consultancy and audit companies are noteworthy players in this sector, as they help companies to define information security policies, analyse information risks and adopt measures that fall within the remit of global security plans.

The following sections refer to several of the Spanish companies who particularly stand
out as a result of their advanced technology or their strong presence in the market.


4 STIMULATION AND INHIBITING FACTORS

We must now move on from a description of the current state of the ICT security market in
Spain and duly analyse the factors that facilitate or inhibit the development of this market.

An analysis of the factors capable of influencing the evolution of the ICT security market
may point to certain elements for defining policies and initiatives that can boost ICT
security in Spain and allow us to base good security on the development of an
outstanding ICT industry.

4.1 Factors that inhibit ICT security

There are certain factors in the Spanish market that hinder the development of the ICT
security sector, the most significant of which are to be found on the demand side. The
scant perception of the risks involved and the reactive attitudes of users pose the greatest
challenge faced by the agents working in the ICT security sector in Spain.

4.1.1 Scant perception of the risk: if you cannot see the problem, it does not exist
The low perception of risk on the part of users (both home and business users) produces
a situation where information systems are left unprotected and malicious software
(malware) can spread rapidly across communication networks.

One of the main factors responsible for this low perception of risk is the “silent” form of
attack adopted by most of the ICT security enemies. The most obvious example of this
kind of attack is that of the botnets, computer networks that have been infected by some
kind of malware that allows the operator of the botnet to control those computers, normally
with rather unethical ends, without their owners being aware of this. Users are never
aware of these threats or risks and, for this reason, believe they have sufficient protection
and so their perception of the risk tends to diminish.

4.1.2 Reactive attitude with regard to security


In general, users do not take proactive measures in order to avoid security problems. This
reactive attitude to security problems produces a kind of “emergency demand”, where
clients seek a rapid solution to their problem and resort to partial solutions, instead of
seeking to implement effective global solutions based on an accurate risk analysis.

The reactive nature of a significant part of demand produces a market that is not very
stable and is subject to fluctuations that are difficult to predict. This situation represents a
particular difficulty for the companies developing and commercialising products, services
and solutions related to ICT security. In many cases, this leads to a strangulation of supply
and a poor match between needs and the solutions proposed.

4.1.3 Cost and complexity of ICT security tools


As is the case with other ICT products, security tools often resort to technical terms for the
threats and these can only be properly understood by the experts in these fields. In
addition to the difficulties arising from the use of barely intelligible names, there are the
difficulties involved in installing, configuring and using these tools. This can often lead to
their being inadequately used and to clients rating some solutions rather poorly.

Companies may even feel that the cost of these security tools is too high. Investment in
ICT security is not easy to justify if there exists no security culture and no clear perception
of the risk. Bringing investment in ICT security into line with the business of SMEs is a
task that remains pending in most Spanish companies.

4.2 Stimulation factors for the ICT security market

To date, the principal factor stimulating the ICT security market in Spain has been the
obligations stemming from regulatory impositions. However, this is not the only factor with
the ability to boost market possibilities; there exist others such as public procurement,
support for R&D&I, certification, etc.

4.2.1 Legislation and regulation


Legislation constitutes a powerful instrument for configuring demand and, by introducing a
legal obligation, offsets situations where there exists a lack of awareness on the part of
users. A good example of this would be the Spanish Organic Law on the Protection of
Personal Data, which lays down concrete obligations regarding the way in which any
company or entity must guarantee the security of data that affect a person’s privacy. This
law is applicable to any kind of company or organisation, regardless of its size.

Given its importance, this factor will be analysed in greater detail in Chapter 7, dedicated
to public policies.

4.2.2 Stimulating demand for ICT security


Without doubt, the weakest link in the Spanish market is demand. As we have stated
earlier, the low perception of risk and users’ reactive attitude clearly curb development in
this sector. While attempts are made to overcome these factors – through awareness
campaigns aimed at users (whether they be home users, SMEs or large enterprises) – for
the time being, at least, they do not seem to be bearing the fruits expected of them.
Modifying habits on the demand side is deemed a key element for ensuring the
consolidation of a mature security market.


a) Education and awareness with respect to ICT security

Homes and businesses are often unaware of their ICT security needs, know nothing of the
ever-changing nature of the threats and are not even sufficiently aware of their legal
obligations. In such a scenario, there would seem to be a clear need for increased
initiatives to educate and spread the word in order to foster a security culture, given the
lack of awareness demonstrated by many citizens and a large part of Spanish companies,
particularly the SMEs.

The capacity of the news media for disseminating the security culture and making the
general public aware of ICT security issues has been patently demonstrated on numerous
occasions. In this sense, we must highlight the good work that specialised publications
such as the Spanish magazines SIC, Red Seguridad, Auditoria y Seguridad or eSecurity
have been performing for many years now, offering rigorous information that serves to
inform, teach and raise awareness among firms and public administrations regarding
different aspects of IT security and related products and services, thus fostering a larger,
yet more cohesive ICT security industry in our country.

Nonetheless, it must also be pointed out that, on occasions, the mainstream media has
been guilty of putting an alarmist slant on news, something which could cause reticence
regarding the use of the new technologies. In order to avert this risk, it would be
necessary to provide these media with sufficient data to be able to put any new threats
into context and educate the journalists on ICT security matters.

Moreover, it is essential that an appropriate environment is created, so as to leave no
room for institutions or individuals who are ill-informed or simply seeking fame through the
news items that are picked up by the media.

b) Security Certification

The appearance of international standards and certification stamps provides companies
with a model for starting up ICT security initiatives, promoting as they do codes of good
practice and facilitating compliance with legal obligations. Together with the impact on the
quality and uniformity of security policies, many companies also highly value the positive
effect on their image, which stems from compliance with rules and standards. Standards
and certification stamps constitute a basic element for coordinating the efforts of
institutions, businesses and homes.

Certification could form the basis of an ICT security strategy to further development within
the market. Standards such as Common Criteria or the ISO quality standards have
provided a positive boost in the task of raising awareness and starting up ICT security
projects in the business world.


4.2.3 Growing risk of security threats


a) Professionalisation of the attacks

There has been a marked move in recent years from attacks based on the use of viruses,
Trojans and worms to others frequently based on criminal organisations making use of
networks of remotely controlled (zombie) computers and a myriad of technological tools
they can combine to suit their needs at any given time. The aim of the attacker has moved
on from merely wishing to become famous and is now clearly financial, resorting to
extortion, theft and espionage. In short, security attacks are now much more professional,
with the focus now firmly on reaping financial benefit.

This professionalisation and the more serious nature of the attacks could be considered
important factors for boosting ICT security development, insofar as they oblige the market
to react with increasingly complex new services and products, which, in turn, will then be
faced with new, more sophisticated attacks.

b) Protection of critical infrastructure

Critical infrastructure is taken to refer to that which is essential for a country to function
properly, such as electrical power, telecommunications, fuel supplies, transport services,
health services, security, etc. An incident in an ICT system could provoke a chain reaction
in the critical infrastructure network, which, in turn, could lead to a complete stoppage of
productive activity at any number of organisations. Given the extreme risk factor, special
emphasis is placed on security at such installations and, for this reason, this area
constitutes an important factor when it comes to boosting the ICT security market.

4.2.4 Support for the ICT security sector


a) Tractor projects promoted by the authorities

Projects promoted by the public sector may have a direct bearing on the development of
the ICT security market. In this sense, the Administration has started up emblematic
tractor projects that should have a really great impact on the future of the security market.
These tractor projects provide companies offering ICT security solutions with planning for
their investments in R&D&I, taking into due account the medium-term needs of those in
charge of public procurement. Among the initiatives introduced in our country, probably
the most noteworthy, given its enormous potential, is the electronic ID card project. Given
its importance, this stimulation factor will be analysed in greater detail in Chapter 7,
dedicated to public policies.

Beyond its role as legislator and regulator, the public sector is a major consumer of ICT
security solutions, given that they are essential for providing services to its citizens (e.g.
health, justice or education) or for covering its own needs (defence, taxes, etc). Security
still does not carry enough weight in most public ICT projects to be able to bring its
influence to bear, to the degree that it should, in the development of the sector.

b) Support for R&D&I and financing start-up ICT security companies

ICT security entails a high degree of technical complexity and the development of new
products and solutions calls for significant R&D&I work sustained over lengthy periods of
time. All of this results in difficulties in obtaining financial resources, given the
perception of risk harboured by financial agents towards a market that is not yet fully
mature, with growing demand but whose limits and possibilities have not yet been
sufficiently well defined. It is this situation which makes it necessary to regard support for
investment in R&D&I as a highly significant stimulation factor.

This support serves as an incentive for new companies to get started in this market and,
as for those already firmly established, they can obtain a return on the efforts they made
in the past.


5 ANALYSIS OF THE DEMAND FOR ICT SECURITY

An analysis of the situation regarding demand – where the behaviour of the actors is not
at all uniform – is a fundamental element in the struggle to boost the ICT security market
in our country.

The major corporations, the Public Administrations and certain economic sectors such as
the financial services, for whom information systems and the use of ICT prove critical,
have, in general, reached a significant degree of awareness regarding the importance of
ICT security and have dedicated the resources necessary to prevent possible problems
and to ensure the continuity of their activities, thanks to the availability of ICT solutions.

In addition, there exists another highly varied segment, made up of large and medium-
sized companies and organisations in which ICT security is less critical, smaller companies
and organisations, professionals and home users. This segment presents a much lower
and less stable level of demand, highly reactive to specific problems.

On the basis of this reality, an analysis of the demand is undertaken by splitting it into
three different segments – homes users, SMEs and large companies.

5.1 Demand for ICT security in the home

The analysis of the demand for ICT security in the home is based on the Study on ICT
Security and e-Trust in Spanish Households carried out by INTECO, which is now into
its fourth wave. The methodology employed combines objective measures of incidents
and equipment with subjective measures of perception of security and trust on the Web. In
order to prepare this report, INTECO relies on a panel of over 3,000 households
connected to the Internet, from which it extracts information on actual security by way of
special software that analyses security incidents. It also analyses the perception and level
of trust of the users by carrying out personal surveys. The combination of both data
sources provides us with knowledge of the differences that exist between the perception
of security and the actual situation in the households being analysed.

5.1.1 Measures adopted


According to the degree of user intervention, a distinction is made between two types of
security measures adopted: passive and active.

Passive security refers to all measures that may be automated, i.e. they require no
specific intervention on the user’s part. Most of these actions are configurable, with the
result that users spend little time worrying about their maintenance. Among this type of
measures we could cite the antivirus, firewall, antispam and antispyware programs, pop-
up window blockers, operating system security updates and parental control programs.

Active security covers all those measures that require direct, manual intervention on the
user’s part. Among such measures are document encryption, passwords, backup copies
of the boot disk and important documents, elimination of temporary files and partitioning
the hard disk.

The following graph depicts the degree of use declared by the users for both types of
measures and their evolution over the four waves of data compiled by INTECO throughout
2007.

Graph 3: Security measures adopted in Spanish households

[Horizontal bar chart, % of households, four waves of 2007 (1st to 4th Wave). Two values per measure are legible in the extraction; the first is the 4th-wave figure (e.g. 1.6% using no measure, the “little under 2%” cited below) and the second an earlier wave.]

Antivirus programs: 92.7 / 94.4
Firewalls: 73.5 / 65.3
Pop-up window blockers: 66.7 / 61.5
Elimination of temporary files & cookies: 58.5 / 55.2
Antispyware programs: 53.3 / 49.0
Antispam programs: 52.7 / 49.9
OS security updates: 49.5 / 45.8
Passwords (computer & document access): 47.4 / 44.9
Backup copies of important files: 32.0 / 28.5
Partitioning the hard disk: 30.6 / 27.3
Backup copy of boot disk: 23.3 / 18.6
Encryption of documents: 9.6 / 6.9
Parental control programs: 7.9 / 7.9
None of those mentioned: 1.6 / 0.4

Source: INTECO [11]

In general, save certain exceptions (such as the antivirus programs, which have dropped
back slightly), the security measures analysed experienced increased penetration in
Spanish households between January and December 2007. This rise is in keeping with
another relevant piece of data drawn from this analysis, namely that a little under 2% of
households use no protection measures whatsoever.

[11] National Institute of Communication Technologies (2007), Study on Information Security and e-Trust in Spanish Households, Information Security Observatory, 4th Wave. http://www.inteco.es


It is the passive security measures that have achieved the greatest penetration in Spanish
households, most noteworthy being the practically universal adoption of antivirus
programs. Among the active security measures, the use of passwords stands out and is
now common practice in half of all households. The conclusion that can be drawn,
therefore, is that home users entrust their ICT security to the security tools installed on
their computer equipment and pay less attention to their habits when making use of the
new technologies.

5.1.2 Incidents declared by users.


The incidents declared by users are drawn from the quarterly surveys carried out in the
homes that make up the panel chosen by INTECO. The users’ assessment of security
issues is simply the expression of their perception of security.

Graph 4: Security incidents detected by users in each quarter

[Horizontal bar chart, % of users, four waves of 2007 (1st to 4th Wave). Two values per incident are legible in the extraction; the first is the 4th-wave figure (e.g. 35.5% for computer viruses, cited below as the last quarter’s value) and the second an earlier wave.]

Reception of unsolicited e-mails: 77.8 / 83.3
Computer viruses: 35.5 / 32.8
Remote computer intrusions: 19.5 / 25.8
E-mail intrusions: 15.7 / 18.0
Fraudulent theft of personal data: 12.5 / 13.1
Wi-Fi bandwidth theft: 10.4 / 8.1
Intrusions into other web service accounts: 9.1 / 8.5
Online bank account fraud or theft: 5.1 / 4.1
Credit card-related fraud or theft: 5.1 / 4.0

Source: INTECO [12]

The graph above shows the incidents detected by the users, but it must be pointed out
that, given that they are “declared” incidents, they may not correspond exactly to reality.

In the four waves, the most prevalent incident was the reception of unsolicited email
(spam), which affects 77.8% of all users, followed by malicious codes, detected by 35.5%
of households in the last quarter. Although still a minority, one thing that stands out, given
the rapid growth, is the rise in online banking and credit card fraud. The number of users
who declare [13] having been the target of some fraud in the use of online banking has
reached an average rate of 4.5%. The increase in almost all types of security incidents
contrasts sharply with the increased adoption of security measures, as analysed above.
The conclusion that can be drawn from this analysis is that the incidents depend both on
the security measures adopted by users and their computers, and on their habits when
using Internet services.

[12] IDC. Op. cit. 11.

5.1.3 Incidents detected by INTECO on users’ computers.


After analysing the incidents perceived by the users and declared in the surveys, it is
worth studying those detected by INTECO, thanks to a multi-platform application
specifically developed for this study, which we could therefore call “actual incidents” [14].

It could be concluded that the evolution of infections on home computers has maintained
a slightly upward trend throughout 2007. Thus, 8 of every 10 computers are housing one
or more malicious codes on the system. The annual average for 2007 stands at 79.3% of
computers infected (not always seriously) in Spanish households.

Graph 5: Computers infected by malicious code in 2007 (%)

[Stacked bar chart, one bar per month from January to December 2007, series “Infected” and “Clean”, y-axis 0–100%. Legible “Infected” values, as extracted (month order not recoverable from the extraction): 79.6, 79.3, 80.7, 84.0, 82.8, 81.6, 78.2, 74.9, 77.7, 78.8, 76.2, 77.8; the “Clean” values are the complements to 100.]

Source: INTECO

[13] It is important to recall that INTECO handles two types of data: on the one hand, those declared by the users (which have the limitations outlined throughout this study) and, on the other hand, those obtained by INTECO by scanning their computers.

[14] This software scans the panellists’ computers on a monthly basis, detecting any malware resident on them thanks to 32 different antivirus engines, and compiling data on the operating system and the state of its updates. The software sends this information to INTECO, where it is handled in a totally anonymous manner and accumulated.


As regards the evolution of the presence of malware by categories on the scanned
computers, in general, there is consistency in the data and the types of malware most
frequently found on the computers, the most noteworthy being Trojans and advert-related
software (adware).

Graph 6: Evolution of the presence of malware by categories (% of total no. of scanned
computers)

[Figure: line chart per month, January to December 2007; vertical axis 0% to 80%; series: Trojan, Adware, Tool, Spyware, Heuristic, Virus, Worm, Others. The per-category monthly values cannot be recovered from the extracted figure.]

Source: INTECO

There has been a noticeable, highly significant increase in the malware used by intruders
to take control of computers for criminal purposes (Trojans), as well as those that allow
them to monitor the information generated by users when using their PCs, such as
passwords, bank details etc. (spyware). Nonetheless, there has been a decrease in the
presence of malware with no economic motivation, such as viruses.

5.2 Demand for ICT security in SMEs

The analysis of the demand for ICT security in SMEs is based on the Study on security
incidents and needs in Spanish small and medium-sized enterprises, carried out by
INTECO 15 . The results of the study are based on declared information and, for this
reason, the lack of a security culture in SMEs introduces a certain bias into some of the
results obtained. It was not possible to complement the information drawn from the
surveys with data gathered thanks to the installation of specific programs on the
computers at SMEs. This is because, unlike the case of home users, it is difficult to
convince businesses to let outsiders install this kind of program on their computers.

15
National Institute for Communication Technologies (2007), Study on security incidents and needs in Spanish small and
medium-sized enterprises, Information Security Observatory. http://www.inteco.es

In this section, we analyse the most important incidents and threats detected by SMEs
when using the new technologies. We also present the solutions implemented and the
security needs Spanish SMEs say they have.

5.2.1 Knowledge of security incidents


The incidents best known to the SMEs are those that have been around the longest,
namely viruses or spam, which are also the incidents most widely reported in the news
media. At the other extreme are those incidents that have appeared more recently and
which generally receive less media coverage, such as logic bombs or pharming. Around
60% of the SMEs polled declared little or no knowledge of these threats.

The following graph reveals how SMEs are not sufficiently educated to be in a position to
combat these new threats. This lack of knowledge may be due to the absence of suitably
qualified personnel in the ICT security field within Spanish SMEs: a mere 16% of the
SMEs surveyed said they have ICT security experts on their staff.

Graph 7: Degree of knowledge of security incidents

Incident                  High     Medium   Low      Zero
Virus                     9.8%     74.6%    14.8%    0.8%
Spam                      11.0%    67.4%    16.3%    5.3%
Spyware                   8.7%     61.7%    20.9%    8.7%
Trojans                   8.4%     53.0%    26.1%    12.5%
Technical faults          9.9%     50.2%    26.2%    13.7%
Loss of data              8.8%     47.3%    34.4%    9.5%
Fraud                     6.5%     39.9%    43.7%    9.9%
Theft of personal data    6.1%     39.2%    39.5%    15.2%
Data theft                6.5%     38.8%    42.2%    12.5%
Phishing                  7.6%     38.6%    23.1%    30.7%
Logic bombs               3.8%     37.9%    20.4%    37.9%
Denial of service         6.8%     36.9%    30.8%    25.5%
Pharming                  6.5%     29.9%    20.8%    42.8%

Source: INTECO

5.2.2 Security incidents declared by SMEs


The security incidents declared by Spanish SMEs pose a critical problem for business
development. Increasingly, the attacks are driven by economic interests that cause losses
of money or confidential information.


Graph 8: Perception of security incidents by SMEs

Incident                                      Yes      No
Denial of service                             89.9%    10.1%
Trojans                                       77.3%    22.7%
Spam                                          58.7%    41.3%
Virus                                         42.7%    57.3%
Spyware                                       19.5%    80.5%
Remote computer intrusions                    13.4%    86.6%
E-mail intrusions                             9.7%     90.3%
Intrusions into other web service accounts    4.6%     95.4%
Logic bombs                                   3.9%     96.1%
Data theft                                    3.1%     96.9%
Fraudulent theft of personal data             2.7%     97.3%
Online banking-related fraud                  1.9%     98.1%
Credit card-related fraud                     1.9%     98.1%
Wi-Fi bandwidth theft                         1.6%     98.4%

Source: INTECO

Looking at the various types of incidents reported by Spanish SMEs, the most prevalent
threats are Trojan horses (77.3%), viruses (42.7%) and the reception of unsolicited email
(41.3%). One revealing piece of data regarding the scant knowledge of the SMEs on
security matters is that 90% of them claim to have suffered denial of service attacks (when
this is actually a rather infrequent type of incident), yet over 50% say they have little or no
knowledge of what this incident actually is.

5.2.3 ICT security solutions implemented in SMEs


The ICT security measures which the SMEs say they have installed are generally security
products. As in the case of the home market, the most widely-used product or tool is an
antivirus (98.9%), followed by a firewall (90.9%). At the opposite end of the scale,
encryption of communications (23%) and physical authentication devices (27.1%) are the
least used tools by SMEs. As in the case of homes, passive security measures are the
most widely implemented.


Graph 9: Security measures employed in SMEs

Measure                                          Yes      No
Antivirus                                        98.9%    1.1%
Firewalls                                        90.9%    9.1%
Antispam                                         85.4%    14.6%
Antispyware                                      81.4%    18.6%
Pop-up blockers                                  71.2%    28.8%
Security updates                                 67.6%    32.4%
Backup copies                                    66.7%    33.3%
Data backups                                     66.5%    33.5%
Passwords                                        66.4%    33.6%
Deletion of temporary files / cookies            57.3%    42.7%
Content filtering                                48.4%    51.6%
Hard disk partitioning                           48.0%    52.0%
Electronic signature and digital certificates    41.1%    58.9%
Encryption of documents                          32.0%    68.0%
VPN for remote access                            31.3%    68.7%
Physical authentication devices                  27.1%    72.9%
Encrypted communications                         23.0%    77.0%

Source: INTECO

5.3 Demand for ICT security in large enterprises

For the analysis of the demand for ICT security in large enterprises, we have used data
from surveys carried out by PricewaterhouseCoopers 16 and Ernst&Young 17 at companies
all over the world (7,200 and 1,200 organisations, respectively).

Large companies reveal a high level of concern and awareness of ICT security issues.
They have invested heavily in technology in recent years and have implemented
processes and organisations designed to enhance their security levels. The budget
dedicated to security has grown considerably and now accounts for over 15% of the total
ICT budget 18 .

16
CIO, CSO & PricewaterhouseCoopers (2007), The Global State of Information Security 2007.
17
Ernst&Young (2006), Achieving Success in a Globalized World. Is Your Way Secure? 2006 Global Information Security
Survey.
18
IDC. Op. Cit. 16


5.3.1 Security Governance


The last few years have seen the appearance of a series of guides, recommendations,
rules and tools (CobiT, COSO, NIST, ISO, CMM, GAISP, FISMA, etc.) 19 which offer help
when it comes to determining how information security governance should be
implemented, within the context of general Information Technology (IT) governance.
These recommendations have been well received by the industry, given that they provide
a standard road map which the organisations can easily adapt to suit their particular case.

This has allowed companies to start up long-term security initiatives, which are set up in
an organised fashion and ensure that the security strategy falls in line with the IT strategy
in general, as well as the business goals, thus providing a boost for ICT security.

5.3.2 Measures adopted


Making large companies more aware of the importance of ICT security has led to the
introduction of four measures: hiring specialised personnel, implementation of new
security processes, implementation of new technological solutions and business continuity
management.

a) Hiring specialised personnel

Historically, the duties of coordinating and managing information security and data
protection were taken care of by the Information Systems managers. However, nowadays,
the number of companies with specific manager profiles for security activities has risen
considerably from 2006 to 2007 (10%). This would seem to confirm the fact that security
awareness is growing considerably at larger companies and is being afforded specific
attention, clearly differentiated from other information systems issues.

19
Self-Assessment Questionnaire prepared by the United States National Institute of Standards and Technology (NIST)
(identified among its publications with the code 800-26). GAISP (Generally Accepted Information Security Principles).
Groups of documents that have arisen around the FISMA (United States Federal Information Systems Management Act).


Graph 10: Percentage of companies with security executives (CSO, CISO, CPO)

[Figure: clustered columns for CSO, CISO and CPO, series 2006 and 2007; vertical axis 0% to 40%. The assignment of the extracted values to each role and year cannot be recovered from the extracted figure.]

Source: PricewaterhouseCoopers

b) Implementation of security processes

The most noteworthy process, given its spectacular evolution, is the design of a global
security strategy, which was implemented in 37.0% of companies in 2006 and rose to
57.0% in 2007, this representing an increase of 54.05% in just one year.

Graph 11: Percentage of companies which have implemented security processes

[Figure: clustered columns, series 2006 and 2007; vertical axis 0% to 60%; categories: Global security strategy (37.0% in 2006, 57.0% in 2007), Establishing security reference bases for clients & partners, Centralised management of information security. The values for the last two categories cannot be recovered from the extracted figure.]

Source: PricewaterhouseCoopers


c) Implementation of technological solutions

The third measure which provides evidence of increased awareness is the deployment of
security technology.

Graph 12: Percentage of companies which have implemented security tools

Tool                                                                 2006     2007
Internet security                                                    31.0%    70.0%
Intrusion prevention systems / Filters                               44.0%    83.0%
Identity management                                                  73.0%    89.0%
Data backups                                                         78.0%    82.0%
Intrusion detection systems / Antivirus / other detection systems    57.0%    90.0%
Encryption of documents                                              43.0%    72.0%
Firewalls                                                            77.0%    93.0%

(The extracted figure does not preserve the series order; the lower value of each pair is
taken as 2006 and the higher as 2007, in line with the growth described in the text.)

Source: PricewaterhouseCoopers

d) Business continuity management

One of the greatest risks facing a company’s Information Technology operations is no
longer a hurricane, flood, an interrupted power supply or even a dropped connection.
Planning for continuity in an e-business environment has to take into account vulnerability
to network attacks, intrusions by computer hackers, viruses and spam, as well as failures
of the telecommunications lines and the ISP (Internet Service Providers).

When it comes to gauging the awareness of companies with regard to ICT security, a
relevant indicator is the effort made to ensure the continuity of the business. The following
graph lists business continuity management activities and the percentage of companies
implementing them.

The vast majority of companies identify the critical processes (79%) and assess the risks
for their information systems (75%). Nevertheless, barely 57% of them perform tests on
the measures incorporated into the business continuity plan and less than half of them
possess a communication strategy for this plan (46%).


Graph 13: Percentage of companies who manage a business continuity plan

Activity                                                      % of companies
Identifying and prioritising critical business processes      79.0%
Evaluation of IT risks                                        75.0%
Definition of recovery times following incidents              65.0%
Tests on the continuity plan                                  57.0%
Communication strategies for the internal/external plan       46.0%

Source: Ernst&Young

5.4 Conclusions of the analysis

Homes, SMEs and large enterprises have very different circumstances regarding their
demands for ICT security.

Homes

Antiviruses and firewalls are the most commonly used security tools in the home, present
in 94% and 75% of households, respectively. For the most part, users rely on passive
security measures, with those requiring active intervention being relegated to use by a
minority.

There is a large volume of highly varied incidents, with the most prevalent being the
reception of unsolicited email (spam). On the other hand, it is worth noting that serious
incidents reported by users, such as account or credit card fraud or theft, do not exceed
5%.

In this context, households require measures that orient their security culture towards
more proactive behaviour patterns and make them more aware of the value of security.

SMEs

The analysis of the security culture in Spanish SMEs reveals the need to bolster the
training programmes undertaken by public entities in order to foster the introduction of a
security culture in SMEs, in keeping with the importance this issue warrants. Education
and increased awareness are the key aspects for adequately configuring the demand for
security in the SMEs.

The concept of ICT security governance, as implemented in major enterprises, must be
extended to their small and medium-sized counterparts, by means of a nationwide
security strategy which, moreover, can provide the support needed to assist SMEs in the
task of complying with ICT security legislation.

Large companies

The analysis of the security measures adopted by large companies reveals a highly
positive evolution in awareness from 2006 to 2007, which has given rise to an increase in
security measures at the vast majority of companies. Another noteworthy aspect as
regards awareness of ICT security matters is the importance companies afford to
business continuity.

The incorporation of the guidelines laid down for ICT security governance clearly shows
the path to be followed, extending this culture to every company. This objective must lead
to the formulation of a national security strategy so as to focus our efforts, allow us to
identify the measures that need to be put in place and facilitate compliance with legal
mandates.


6 PROSPECTS AND TRENDS

Predicting the future is never an easy task and it becomes even more complex when you
are dealing with a relatively new sector. While fully aware of this complexity, this chapter
will strive to identify certain tendencies – both on the supply and the demand side – that
will shape the evolution of the ICT security market in the coming years.

This chapter incorporates forecasts on the evolution of the market size, as a useful
reference of the importance and progress of the sector. To the aforementioned difficulties
when it comes to quantifying the current security market, we must add the always difficult
task of forecasting future figures for the different segments of the market. While
recognising this difficulty, market projection figures may provide us with a framework
scenario which can assist the different agents to make the right decisions in order to boost
the development of the sector. For this very reason, we have included them in this report.

6.1 Trends in the demand for ICT security in Spain

In order to define the expected evolution of demand in the Spanish market, we shall follow
the segmentation criterion employed in the analysis of the demand: home users
(households), SMEs and large companies.

6.1.1 Home users


Security measures

According to the opinions of the users themselves, the security measures considered
proactive or involving the direct intervention of the user (document encryption, passwords,
backup copies, elimination of temporary files and partitioning the hard disk) are those with
the greatest growth prospects. This affirmation makes sense if we observe the high
penetration in Spanish households of those security elements classified as passive:
antivirus, firewall, antispam and antispyware programs, pop-up window blockers and
operating system security updates. Nonetheless, users will continue to rely on security
mechanisms which do not require constant attention and do not limit their sense of
freedom when using the Internet.

Security incidents

It could be said that, while there will continue to be a considerable number of security
incidents, their gravity will tend to diminish. This will be possible, thanks to the increased
awareness of citizens, which will facilitate the adoption of more extensive monitoring of
the recommended security measures.


6.1.2 SMEs
Security measures

The study of security incidents and needs in the Spanish small and medium-sized
enterprises highlights a significant shortcoming in the technical services associated with
security management 20 . Moreover, what the sector needs are services to configure and
adequately maintain the various security and incident management tools. As a result, the
SMEs have been identified as a niche market to be exploited, particularly as regards the
provision of services.

Perception of the risk

Although the SMEs will continue with their reactive behaviour patterns to ICT security in
the medium term, the evolution of attacks towards economic targets will contribute
towards achieving a heightened perception of the risk. This is because the threats not only
compromise their computer equipment and the information stored there, but also the very
financial survival of the SME. This heightened perception of the risk will feed an increased
demand for education and rising consumption of security products.

Security needs will continue to be differentiated on the basis of the characteristics of the
SME, determined equally by their size and by the sector of activity.

6.1.3 Large companies


As regards the demand for ICT security in large companies, four priorities can be
identified which will determine its evolution in the short and medium term 21 :

• Integrate ICT security management into the company’s overall risk management
strategy.

• Extend the adaptation to meet legal and regulatory requirements.

• Manage risks in relationships with third parties (suppliers and clients).

• Place special emphasis on the protection of personal data and privacy.

Managing information security is starting to be fully integrated within the overall risk
management process at companies. Company chiefs are starting to recognise that
information security must form part of their risk management process, given that the value
of the information handled by major companies is now one of their principal assets.

20
National Institute for Communication Technologies (2007), Study on security incidents and needs in Spanish small and
medium-sized enterprises, Information Security Observatory. http://www.inteco.es
21
IDC. Op. Cit. 16


Dealing with information security is gradually ceasing to be an isolated task and is being
brought under the umbrella of general risk management programmes and processes.

The forecast for the coming years is that the impetus driving ICT security in large
companies will continue to be compliance with current rules and legislation on security
matters. Over the last few years, compliance with regulations has been the stimulation
factor that has had the greatest impact on the development of ICT security in major
enterprises. There is no foreseeable change in the importance of this factor in the
medium term.

Relations with third parties, both clients and suppliers, will require greater rigour in the
future when it comes to monitoring the security practices of companies in their relations
with each other, insisting on the presentation of security standard certifications and
applying stricter rules and more formal approaches towards risk management vis-à-vis
their suppliers.

As the business globalisation process gathers pace, questions relating to privacy issues
become ever more relevant. Increased pressure regarding privacy requirements will
provide an impetus for the formalisation of procedures and protocols necessary to
manage personal data protection and privacy.

The effectiveness of information security depends, to a large degree, on the employees’
understanding of the security policies and procedures in place at the company and the
need to apply them responsibly. The forecast is therefore for significant growth in the
implementation of information security management processes and the drive to
disseminate word on these processes among the workforces of the companies.

6.2 Trends in the supply of ICT security in Spain

The analysis of the trends in the demand for security solutions allows us to affirm that the
market will continue to enjoy significant growth rates. The evolution of the demand for
security solutions, together with the growth of the market and the commoditisation 22 of
many of the security solutions (particularly in the consumer range), is producing a
transformation of the security market into a services market.

Many ICT firms who do not belong to the security segment, as well as telecoms operators,
are already entering this market through the provision of services. In the same fashion,
many software companies are starting to offer managed security services on a large
scale, in order to offset their reduced margins from software sales.

22
Turning into a mere commodity: process whereby a product is purchased on the basis of its price and not for its
differentiating qualities.


The growth of the security services segment will accelerate in the medium and long term,
as this technology matures and the supply positions itself in managed services, thus
stealing market share from the security software segment. The managed services
segment is the one with the greatest growth prospects, although consultancy and
security integration services will maintain intense growth rates, as a response to the
need of companies to simplify and analyse their security architectures and management
models.

6.3 Evolution of the ICT security market in Spain 23

The prospects for the Spanish security software market in the coming years are highly
positive.

Graph 14: Forecasts for the security software market (€ millions)

Year    € millions
2005    224.4
2006    260.0
2007    290.0
2008    340.0
2009    380.0
2010    425.0

Source: IDC

The evolution towards pay-per-use models and managed security services, as well as the
evolution of the consumer market, which is easing off as a consequence of the saturation
in the adoption of technological security software solutions for homes and SMEs, is
producing a smooth, progressive fall off in the levels of growth.

23
IDC (2006), The security market in Spain.


7 PUBLIC ICT SECURITY POLICIES

The legal measures and diverse regulations related directly or indirectly to ICT security,
the impetus given to security-related tractor projects, the security promotion campaigns or
the boost provided to research in these areas all have a decisive impact on the supply and
demand for security.

The legal measures and regulations may impose requirements and obligations on certain
ICT security solutions that have a bearing on both those companies who demand them
and those offering this type of products or services. The legal obligations thus
compensate for those situations where users demonstrate an evident lack of awareness
on the subject, referred to above. Good examples we could cite are the Spanish Organic
Law on the Protection of Personal Data or the Electronic Signature Act.

Moreover, the public sector has a very direct bearing on the development of the ICT
security market, in its capacity as a major consumer of this type of solutions. This
consumption stimulates innovation and contributes towards consolidating the activity of
those companies offering security solutions and services. In addition, the use of secure
systems by the Administration has an important didactic effect on the SMEs and domestic
users, generating trust in the use of the new technologies and spreading the word about
solutions and products related to ICT security issues.

The Administration has also started up certain emblematic tractor projects with a really
great impact on the future development of solutions for the security market. Most
noteworthy among them is the electronic ID card project.

Finally, the Administration undertakes really important work as regards promoting and
raising awareness in the ICT field in general, and ICT security in particular. Particularly
worth mentioning are the programmes in support of R&D&I, dissemination, awareness
and education programmes on aspects of ICT security among SMEs, professionals and
home users, as well as other services related to these subjects.

The following sections offer a summarised overview of these areas in which the
authorities have a more direct impact on the ICT security market.

7.1 Regulation and legislation

The obligations relating to ICT security, which are directly or indirectly imposed by
legislation, constitute an element of the utmost importance when it comes to creating a
stable demand for security solutions. Such is the importance of this question that the
experts identify it as the principal stimulation factor for the ICT security market in Spain.


Some of the legal provisions establish direct obligations on all companies and
organisations regarding ICT security questions. Other regulations do not directly lay down
obligations on security matters, but impose on their target audience the need to adopt the
measures necessary to guarantee the security of their information systems, with the goal
of being able to fulfil the legal obligations imposed on them.

These legislative and regulatory obligations have led to an increase in the demand for ICT
security (products, services and professionals). In Spain, the Organic Law on Data
Protection has had a tremendous impact, principally due to the fact that it is a law whose
application affects practically every company in the country. The sector has also felt the
effect of the Sarbanes-Oxley Act, given that, although it is US legislation, those obliged
to comply with its provisions include any foreign company with headquarters in the United
States. This has resulted in ICT security solutions designed to comply with this law being
consumed in Spain.

In addition, there also exist specific regulations for certain sectors. The banking sector
accounted for a tremendous boost in ICT security as a result of the compulsory adoption
of the PCI Data Security Standard 24 (PCI DSS), a regulation that must be fulfilled by any
business that stores, processes and/or transmits credit/debit card information. In short,
regulatory compliance would appear to be a key aspect in furthering the implementation of
ICT security on a large scale and acting as a stimulation factor for the market.

Apart from regulations of a general nature, as is the case with sectorial regulations in the
private sector, there exists a series of rules that bolster security requirements in specific
areas of the Administration which need greater protection for their information systems. As
an example, we could mention all the provisions relating to the Tax Administration, with
detailed requirements regarding the security of electronic payments, the presentation of
tax declarations or furnishing information to the fiscal authorities.

The legal provisions may be grouped into four categories: rules that protect rights related
to information security; rules that establish obligations on security matters; rules that
provide legal safeguards in the provision of services related to ICT security; and rules that
establish security obligations specifically for the public administrations.

Moreover, we must stress the importance held in the regulatory field by standards and
certification, acting as they do as efficient mechanisms for promoting good practices. Self-
regulation through user agreements also plays an important role in disseminating and
furthering good ICT security practices.

24
Payment Card Industry.


This whole regulatory security structure constitutes an important advance in the process
of guiding companies and institutions along the difficult road towards an adequate
implementation of ICT security policies.

7.1.1 Rules that protect security-related rights


An initial regulatory group comprises the rules that protect ICT security and sanction
conduct contrary to the security of information. The Spanish Constitution itself, among the
fundamental rights and liberties it espouses, includes protection of the secrecy of
communications and the privacy of individuals in the use of electronic devices.

As regards legal protection, the Penal Code establishes criminal sanctions for the most
serious misconduct, such as those that violate personal privacy or the privacy of personal
data, or those that constitute fraud, performed utilising the new technologies. Moreover,
the law covers activities that cause deliberate damage to the information or computer
systems of others, corporate espionage carried out using the new technologies or
illegitimate access to pay television services or suchlike.

In the same fashion, there also exist civil protection measures, consisting of sanctions and
protective measures, for less serious misconduct that does not constitute a criminal
offence. A noteworthy aspect in this area is the legislated protection of intellectual
property, which regulates aspects such as the protection of computer program copyright
issues, conceding to the holder the exclusive rights over its use, or the protection of
technological measures and information for rights management, duly sanctioning any
conduct that infringes upon these protected rights.

7.1.2 Regulations that establish obligations for ICT security questions


A second group comprises the rules that establish obligations in ICT security matters. In
practice, these are the legal provisions that contribute most directly to developing the ICT
security market and giving it stability. The group includes both rules that impose
obligations on the private sector and rules that impose ICT security obligations on the
public sector.

Personal Data Protection Act

Insofar as the rules that establish direct security obligations are concerned, standing head
and shoulders above the rest is the Personal Data Protection Act. This law is undoubtedly
the regulatory framework that has had the most direct impact on the development of the
ICT security market in Spain, establishing as it does a whole series of provisions covering
the security of computer files that contain personal data, which must be fulfilled by all
public entities (Administrations) and private entities (save individuals in their personal or
domestic activities) who hold the said files.


The broad sweep of this Personal Data Protection Act has provided a tremendous
impetus for the market offering security solutions. This has affected many different
elements of the value chain, e.g. hardware equipment and systems manufacturers, the
development of computer applications, systems integration, support and maintenance
services, consultancy and the implementation of procedures or security auditing services.

Electronic invoice

In this same area, the legal provisions on the introduction of the electronic invoice for
companies and professionals deserve mention. Although the use of the electronic invoice
between private parties is voluntary, those who adopt it must guarantee basic security
properties of the invoice, namely the authenticity of its origin and the integrity of its
contents, either by means of an electronic signature or by meeting the security and
accessibility requirements laid down for the conservation of electronic invoices. The
exchange of electronic invoices with the Administration is subject to additional security
requirements. This is therefore another widely applicable regulatory framework, affecting
everyone who issues or receives invoices.

Law on Measures to Promote the Information Society

Particularly worthy of mention, given its importance, is the Law on Measures to Promote
the Information Society. The law obliges all companies that provide the general public
with services of particular economic significance to offer their users an electronic
communication channel through which they can carry out the procedures they may
require: online contracting of services, supplies and goods; consultation of their
customer details; the presentation of complaints, incidents, suggestions and, where
appropriate, claims; and the exercise of their rights of access, rectification, opposition and
cancellation, in keeping with the regulations on the protection of personal data. To this
end, it imposes on these companies the obligation to guarantee security through the use
of duly recognised electronic signature certificates.

The Law on Measures to Promote the Information Society likewise makes electronic
invoicing obligatory in contracts with the state public sector. For this purpose, the
electronic invoice is an electronic document that meets the requirements demanded of
invoices and, in addition, guarantees the authenticity of its origin and the integrity of its
contents, so that the issuer cannot later repudiate the invoice. It is also envisaged that the
electronic invoice will be used in other communications between citizens and the
Administration, such as proving eligibility for state benefits and subsidies.
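The property that both the electronic-invoice provisions and the public-sector mandate above require, authenticity of origin plus integrity of contents, is in practice a digital signature by the issuer over the invoice data. The following Go program is an added illustration and is not code from this report or from any Spanish invoicing scheme: it signs a constructed invoice with an issuer's ECDSA key, shows that the receiver can confirm the source and detect a change to the amount, and shows that a signature presented with a different issuer's key is rejected. The invoice fields, the canonical text form and the freshly generated keys are assumptions of the example; a real electronic invoice uses the signature formats and recognised certificates that the regulation prescribes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Invoice is a constructed, minimal invoice record for this example only.
// The fields are assumptions and do not follow any regulated invoice format.
type Invoice struct {
	Number   string
	Issuer   string
	Receiver string
	Amount   string
}

// canonical returns the exact bytes that are hashed and signed. Signer and
// verifier must build this string identically; any change in a field (for
// instance the amount) changes the digest and makes verification fail.
func (inv Invoice) canonical() []byte {
	return []byte(fmt.Sprintf("number=%s\nissuer=%s\nreceiver=%s\namount=%s\n",
		inv.Number, inv.Issuer, inv.Receiver, inv.Amount))
}

// NewIssuerKey creates a fresh P-256 key pair that stands in for the
// issuer's signing certificate in this example.
func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignInvoice produces a DER-encoded ECDSA signature over the SHA-256
// digest of the canonical invoice bytes.
func SignInvoice(inv Invoice, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(inv.canonical())
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyInvoice recomputes the digest from the invoice the receiver actually
// holds and checks it against the signature and the issuer's public key.
// A true result gives the receiver authenticity of origin (only the holder of
// the private key could have signed) and integrity of contents (the bytes were
// not altered after signing).
func VerifyInvoice(inv Invoice, sig []byte, pub *ecdsa.PublicKey) bool {
	digest := sha256.Sum256(inv.canonical())
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs the three cases a receiver cares about and returns the
// verification outcome of each: the genuine invoice, a tampered copy, and the
// genuine invoice presented with a different issuer's key.
func Demo() (genuine, tampered, wrongIssuer bool, err error) {
	issuerKey, err := NewIssuerKey()
	if err != nil {
		return
	}
	otherKey, err := NewIssuerKey()
	if err != nil {
		return
	}

	// Constructed sample invoice; the identifiers are invented for the example.
	inv := Invoice{Number: "2009-0001", Issuer: "B12345678", Receiver: "A87654321", Amount: "1250.00"}

	sig, err := SignInvoice(inv, issuerKey)
	if err != nil {
		return
	}

	genuine = VerifyInvoice(inv, sig, &issuerKey.PublicKey)

	// Integrity: a modified amount under the original signature must be rejected.
	altered := inv
	altered.Amount = "12500.00"
	tampered = VerifyInvoice(altered, sig, &issuerKey.PublicKey)

	// Authenticity: the signature is bound to the issuer's key and no other.
	wrongIssuer = VerifyInvoice(inv, sig, &otherKey.PublicKey)
	return
}

func main() {
	genuine, tampered, wrongIssuer, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongIssuer=%v\n", genuine, tampered, wrongIssuer)
}
```

The canonical form is the part a practitioner should scrutinise: if issuer and receiver serialise the invoice differently (field order, whitespace, number formatting), a genuine invoice fails to verify, and if the serialisation omits a field, that field is not protected at all.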


This law has also introduced obligations relating to information on security. It obligates
Internet service providers (ISPs) to inform their clients – free of charge and in an ongoing,
direct, straightforward manner – about the different technical means available for
increasing the levels of information security in order to achieve protection against
computer viruses and spyware and restrict the entry of unsolicited emails (spam). They
must also inform their clients about the tools which exist for filtering and restricting access
to certain undesirable Internet contents and services, or those that could prove harmful for
youngsters or young children. Users must likewise be warned about possible legal
liabilities they may incur from using the Internet for illicit purposes, in particular for
committing criminal offences or for violating legislation relating to intellectual and industrial
property.

7.1.3 Rules that provide legal safeguards in the provision of services


A further group of regulatory measures comprises the rules that provide legal safeguards
in the provision of services related to ICT security. These rules do not, in themselves,
establish obligations that affect the demand for security, but they do offer legal certainty
and trust to users of certain specific segments of the ICT security market, providing them
with legal coverage and, in other cases, establishing requirements and conditions on the
offer of those companies providing security-related products or services.

The foremost example in this area is the Electronic Signature Act, which has
established a stable regulatory framework, enabling the development of security
solutions based on the electronic signature in different fields (e-Administration, electronic
invoicing, etc.). In addition, it has laid down the basic conditions regulating the activity
of electronic signature providers, thus establishing a framework for the development of
this segment of the ICT security market. The fundamental aspect of this regulation is that
it affords the electronic signature the same legal value as a handwritten signature,
whenever the former is used under certain conditions and meets particular security
requirements.

A second point of reference, among the regulations that help to generate trust in the ICT
security market, is the Spanish Evaluation and Certification System for Information
Technology Security. This provides a national scheme under which manufacturers of IT
products or systems who so wish can have the security of their products certified and
thus enhance the trust users place in this type of solution. The system regulates two
basic aspects. First, it establishes the requirements that evaluation laboratories must
satisfy and the procedures by which they are accredited. Secondly, it regulates the
procedures employed for certifying products and systems, as well as the criteria and
methodologies used for evaluating their security.


7.1.4 Obligations for Public Administrations


Finally, worthy of mention is the group of regulatory provisions which establish security
obligations for the public administrations.

Law on Electronic Access for Citizens

The Law on Electronic Access for Citizens to the Public Services is designed to regulate
the basic aspects of the utilisation of Information Technologies in administrative processes
undertaken between the Public Administrations, as well as in their relations with citizens.

The regulation reflects a series of requirements needed to guarantee the secure use of
ICT in this area, obligating all the Administrations to ensure the availability, access,
integrity, authenticity, confidentiality and conservation of data, information and services
they run in the performance of their duties and to create conditions of trust in the use of
electronic communications, duly implementing the measures necessary to preserve the
integrity of fundamental rights, in particular those related to privacy and the protection of
personal data, by means of guaranteeing the security of the systems, data,
communications and electronic services.

Likewise, included among the rights of citizens is that related to obtaining and using
electronic signature systems, particularly the electronic ID card, in their relations with the
Administration.

National Security Scheme

Finally, given its importance, it is necessary to underscore the creation of the National
Security Scheme, provided for by the Law on Electronic Access for Citizens within the
field of cooperation between Administrations. The purpose of the NSS is to establish a
security policy for the use of electronic media within the scope of that law. It comprises
the basic principles and minimum requirements that allow information to be adequately
protected.

7.2 Public procurement of ICT security solutions

The Administration boosts the ICT security market and offers it stability, thanks to public
purchases of ICT security solutions. Apart from representing a rather significant volume,
the demand from the public sector – within the framework of its major public contracts –
provides the setting for solution-provider companies to undertake the development of
innovative solutions, which, given the very nature of the security sector, prove extremely
costly and, in general, require lengthy periods of time. In this manner, favourable
conditions are created for inspired innovation and the development of new products,
which will then benefit other companies or users in general.


The adoption of secure ICT solutions by the Administration also helps to bolster the
confidence of citizens and the private sector in these technologies and has a powerful
“tractor effect” (pull effect), encouraging companies and citizens to use them in their
relations with the Administration. Nonetheless, the adoption of ICT security is not
reflected in the periodic reports on the use of Information and Communication
Technologies drafted by the Administration, which severely hinders the task of monitoring
the efforts made towards acquiring more secure technologies. As an example, the REINA
and IRIA reports offer a comprehensive review of the situation of ICT in the State
Administration, yet barely refer to security questions.

Most noteworthy within this area, apart from the consumption of ICT security solutions
specifically designed for the defence sector, are certain emblematic projects involving
security solutions, such as those developed for the health and justice sectors or for the
Tax Administration.

Health

The various public administrations are all developing projects for implementing ICT in the
health sector. Among them are the introduction of electronic health cards, online medical
appointments, electronic medical records and electronic prescription systems. All of these
projects, particularly the last two, require major investment and call for very strong
security elements, since medical and health data of individuals are subject to the highest
level of protection under the Data Protection Act and demand maximum confidentiality in
their processing, access and storage. These major projects affect the whole value chain
of the ICT security market, from the equipment and systems that store patient data,
through the protection of the communications systems, to access control through
electronic signature systems and the development and implementation of appropriate
procedures and certification and security control services.

Justice

In the same manner, for this area we could mention the justice system modernisation
programmes and the implementation of the e-Administration in this area where the
underlying problems are similar to those outlined for projects in the health sector, as
regards the question of data protection.

Tax Authorities

Finally, we cannot fail to mention the example of the services of the Tax Authorities,
pioneers in Spain in the use of the electronic signature in communications between
citizens or companies and the Administration, and in the development of
e-Administration services for such sensitive matters as the payment of taxes and the
fulfilment of fiscal obligations.

7.3 Emblematic tractor projects: eDNI

For ICT security systems and services to really take off and become widespread
throughout Spanish society and business, it is vital to be able to count on flagship
“tractor” projects with great pulling power, which can facilitate interoperability and offer a
recognisable framework that generates trust among users.

Within such projects, a very special mention must be made of the creation of the
electronic ID card (eDNI), which allows for the implementation of new, enhanced services
with an adequate level of security, based on the familiarity with a document already well-
known to the general public.

“The goal of the eDNI is to facilitate the incorporation of citizens into the Information
Society, providing them with a trustworthy identity on the Internet. It is also designed to
boost the development of administrative and commercial relations and, thirdly, to make it
truly possible for the right to a legal personality to be recognised on the Web, as
proclaimed in Article 6 of the Universal Declaration of Human Rights: Everyone has the
right to recognition everywhere as a person before the law”25. The electronic ID card
constitutes a universal identification and signature element in the electronic world, offers a
legal guarantee and practically the whole population is accustomed to using it.

From a legal standpoint, the Electronic Signature Act establishes that the eDNI is the
national identity document that electronically accredits the personal identity of its holder
and permits documents to be signed electronically. All natural or legal persons, public or
private, must recognise the effectiveness of the electronic national identity document for
accrediting the identity and other personal data of the holder stored on it, and for
accrediting the identity of the signatory and the integrity of the documents signed with its
integrated electronic signature devices. This instrument is very effective for bringing ICT
security closer to Spanish citizens and, in addition, provides a suitable foundation on
which Spanish industry can develop new security services.

The project to develop and implement the eDNI is accompanied by the complementary
electronic ID card Programme within Plan Avanz@, which entails carrying out activities
aimed at disseminating, training, developing adapted digital services, deploying
infrastructure and providing equipment so as to ensure the successful rollout of the
electronic ID card.

25 Sánchez, C. (2006) The Key to Security, IV Ceres Conference. Quoting Víctor García, director general of the Police.


7.4 Promotion, awareness, dissemination and training activities

Security has become an increasingly important question for Internet users. The
development of the Information Society and the progressive use of ICT products and
services will only prove possible if a suitable climate of confidence is created.

In this sense, the Administration plays an important role in promoting and raising
awareness within the ICT sector in general, and the ICT security area in particular. For
instance, we could mention the support programmes for R&D&I or dissemination,
awareness and training programmes for certain aspects of ICT security.

Within the field of activities designed to promote and generate e-trust, Plan Avanz@ has
included an information security programme. This programme envisages dissemination
actions, management of alerts, security consultancy, developing digital services adapted
to the use of the electronic ID card and drafting studies that help to spread the word about
ICT security26. The principal concrete actions envisaged under the terms of Plan Avanz@
are detailed below.

Centro Nacional Respuesta a Incidentes en Tecnologías de la Información para pymes y Ciudadanos -INTECO-CERT- (National Response Centre for Information Technology Incidents for SMEs and Citizens)

INTECO-CERT, which started out in 2006, serves to support the development of the
national industrial fabric and boost the confidence of users in the Internet and ICT,
through the provision of the classic services of an Incident Response Centre. Thus, it
offers reactive solutions to computer incidents and prevention services in the face of
possible threats, as well as information, awareness and training services on security
issues for Spanish SMEs and private citizens. Throughout the process of defining and
creating the INTECO-CERT, the guidelines proposed by ENISA (European Network and
Information Security Agency) were strictly followed.

The response centre therefore arose as a public initiative with the following objectives:

• Establish prevention and reaction mechanisms in the face of information security
incidents.

• Provide clear, concise information on security technologies in order to enhance
comprehension and extend use of the same. Facilitate access to guides on good
practices, recommendations and precautions to be taken into account in order to
enhance security.

26 Secretary of State for Telecommunications and the Information Society (2005), Plan 2006-2010 for the development of the Information Society and Convergence with Europe by Spain’s Autonomous Communities and Cities.


• Convince SMEs and citizens of the importance of considering and adequately
tackling all aspects related to computer and communication network security.

• Act as a liaison between the needs of SMEs and citizens and the solutions on offer
from firms within the Information Technology security sector.

This centre complements other public CERTs in Spain, such as the CERT of the National
Cryptology Centre (CCN-CERT) and IRIS-CERT (a centre maintained by RedIRIS, within
Red.es, aimed primarily at the scientific and academic community).

Observatorio de la Seguridad de la Información (Information Security Observatory)

The Information Security Observatory has the mission of describing in a detailed,
systematic manner the level of security and trust in the Information Society in homes,
businesses and Administration, as well as producing informative, specialised knowledge
of this area, thus fulfilling one of the objectives set forth for INTECO within the framework
of Plan Avanz@.

In this manner, the Information Security Observatory has become established as the
centre of reference for analysing and monitoring information security and the ICT, as well
as trust in the Information Society in Spain.

To this end, it undertakes research, analysis, study, consultation and informative work
with a view to describing, analysing, advising on and disseminating the culture of
Information Security and e-trust within this Information Society.

In order to complete its twofold mission of assessing and diagnosing, while spreading the
idea of a culture of information security among citizens, companies and administrations,
the Observatory has drawn up a Study and Activities Plan, within which actions are taken
to fulfil the following strategies, among others:

• Draft in-house studies and reports on Information and Communication Technology
security issues, placing special emphasis on security on the Internet.

• Monitor the principal indicators and public policies related to information security
and trust on both the national and international stage.

• Generate a database that allows for an ongoing analysis and evaluation of security
and trust over time.

• Foster increased research projects on ICT security issues.


• Disseminate studies and reports published by other entities and agencies, both
national and international, as well as information on the current domestic and
European state of security and trust within the Information Society.

• Support the preparation, monitoring and evaluation of public policies in this area.

The creation of the Observatory reflects the growing importance that must be afforded to
diagnosing and measuring progress. This work enables the public sector to design
suitable public policies, both reactive and preventive, as well as monitor the actions
undertaken and evaluate their impact, thus being in a position to continuously assess and
improve the services provided in such a fast-changing sector as that of the new
technologies. At the same time, it enables the private sector to adapt its offer to meet the
needs and niche markets identified.

Centro Demostrador de Tecnologías de Seguridad (Security Technology Demonstration Centre)

The Demonstration Centre was born out of the desire to foster and further the use of
information security technologies among Spanish SMEs, which represent over 90% of the
domestic business sector. Its work aims to achieve three objectives:

• Analysis of the security situation and demand within Spanish SMEs.

• Analysis of the solutions on offer in the marketplace.

• Raising awareness of the need to implement secure working environments within
SMEs.

In addition, the Demonstration Centre aims to become a showcase for boosting the
Information and Communication Technology (ICT) Security sector in Spain. To this end,
it is set up to act as a facilitator of early-demand mechanisms, keeping closely aligned
with the actual needs of SMEs through several lines of work. Most noteworthy among
these is the preparation and distribution of a catalogue of security products, solutions and
services available on the market, whether national or international.

Internet User Security Service

This service has the goal of providing citizens who browse the Web with the confidence
necessary to successfully negotiate any possible security incidents which may affect
them. This free service will offer specialised advice and guidance in the face of possible
doubts or incidents related to security issues on the Internet. Should it be required, it
would establish contact with the Spanish security forces in order to facilitate the


processing of security incidents that might involve some computer crime or fraud.
Moreover, through promotion campaigns for the different services offered on various
channels, it will boost the detection and reporting of new online threats, frauds and scams,
as well as any other kinds of attacks on ICT security. Likewise, it will provide citizens with
the necessary information and advice on legal issues regarding the Internet and related
technologies.

Plan to Promote Information Security Management Systems

In 2007 the SETSI (Secretary of State for Telecommunications and the Information
Society), entrusting INTECO with the task, initiated a series of promotional activities
designed to spread awareness of the benefits of implementing an Information Security
Management System (ISMS), including, in collaboration with the Chambers of Commerce,
the organisation of informative symposia and the publication of manuals, guides and
other documentation.

In addition, it offers consultancy services whose prime goal is to respond to the demand
and interest generated by the dissemination and awareness campaigns. Among its
activities, the plan includes support and consultancy work for the following: undertaking a
diagnostic analysis of the information systems implemented, of the existing security risks
and of the solutions and tools that may be incorporated; understanding how to adapt to
meet the existing technical regulations covering information security management
systems; and how to certify a security management system.

Within the field of R&D&I and training, apart from the above initiatives that form part of
Plan Avanz@, we could mention other significant public initiatives. The following by no
means constitute a comprehensive list.

Profit Programme of the Ministry of Industry, Tourism & Commerce

This programme offers public subsidies for R&D&I programmes, with specific grants for
ICT security projects.

Avanz@ Training Programme of the Ministry of Industry, Tourism & Commerce

This programme supports training programmes targeted at both ordinary citizens and
professionals and companies, on ICT subjects in general, including training in security.


8 RECOMMENDATIONS

ICT security is a sector of activity full of possibilities. Our country, which has an important
security industry and some pioneering public policies, has the opportunity of boosting the
development of a sector with a bright future. In order to be successful, it proves necessary
to maximise the many capabilities of this sector and the public policies in this country.
Optimising stimulation factors and minimising or getting rid of inhibiting factors calls for the
implementation of initiatives and activities which require the coming together of both public
and private initiatives. The following points are just a few ideas in this direction.

8.1 Regular publication of a report on ICT security in Spain

Throughout this document, we have referred to the existence of important shortfalls in the
data available on the ICT security market in Spain. Taking actions designed to foster and
boost the ICT security sector in Spain requires, first of all, tackling the absence or
dispersion of the necessary information.

The sources of information and the statistics currently available are not sufficient, from the
viewpoint of undertaking a diagnosis of both the supply and the demand. The efforts that
have been made in the public sector are quite recent and have centred fundamentally on
diagnosing the demand for security, with respect to certain user profiles (citizens, SMEs
and Local Administrations).

In particular, the specific actions that need to be taken would be the following:

a) Regularly obtaining and processing demand data that are not yet available. Namely,
demand data for public administrations, large companies and, above all, micro
companies. In this sense, an adequate mechanism for obtaining these data would
probably be to seek a collaboration between entities and organisations that may have
similar interests: Ministry of Public Administrations, Autonomous Communities, large
companies that consume security products, foundations, associations of SMEs, etc.

b) Obtaining and processing data on the offer of security products. In this sense, it
would appear wise to seek agreements with the most relevant sectorial associations of
the ICT security sector in order to compile data on their associated companies, or with
major providers of ICT security services. It is also worth stressing the need to use
additional tools or instruments, such as the catalogue of ICT security companies the
public sector is currently preparing.

c) Drafting an annual report on the ICT security market. The actions outlined above
would allow all the available information to be compiled in an annual report, which could
thus monitor the progress of both public and private projects or programmes, with a view
to determining their influence on IT security in homes, companies and Administrations,
on the growth of the industry and on the development of security-related research.

In short, this is a recommendation for an approach designed to offer greater knowledge of
the sector and of the effectiveness of the measures adopted in order to energise it.

8.2 National ICT Security Strategy: promoting standards and certification

The use of standards and certification stamps provides companies with a model for
starting up ICT security initiatives, promoting as they do the observance of codes of good
practice and ensuring compliance with legal obligations.

Standards, certification stamps and self-regulation based on the dissemination of good
practices constitute a basic element for coordinating the efforts of institutions, companies
and households, which, without this reference framework, often expend great effort
without any method, and not always in the right direction.

Likewise, we cannot fail to mention the need to support companies on their way to
implementing ICT security corporate governance, encouraging the use of technological
tools, the dissemination of adequate security procedures and training for the human
resources required.

The creation of a National ICT Security Strategy – which focuses all efforts on the target
of boosting the use of standards and certifications, and the dissemination of good
practices – could provide an important impetus to the development of the ICT security
market in Spain.

8.3 Actions designed to boost demand for ICT security in the public
administrations

a) Increase the perception of the value of ICT security in public procurement

An inhibiting factor that severely holds back the ICT security market is the poor
perception of the value of ICT security on the part of both companies and end users. The
public administration itself, when acting as a purchaser, at times shows a lack of
perspective on the specific value of security. In this sense, it must be underscored that
public tenders (excluding those exceptional projects in which security is the essential
feature) generally give insufficient weight to security products and services, with the result
that these are often incorporated into, or lumped in with, other services.


Within a context characterised by the growing presence of the Internet, security is no
longer an option, but rather an absolute necessity. Public acquisitions should not
consider security as a component of some other product or service, but rather as a
fundamental element that, of necessity, must form part of them all.

Hence this first recommendation, aimed specifically at the public sector: by the use of
suitable mechanisms, increase the importance afforded to ICT security elements in public
procurement.

b) Plan the management of public procurement in order to boost R&D&I in security

In this same direction, and as a specific recommendation for those public purchases
related to innovation or with a special ‘tractor’ (market-driving) capability, dialogue should
be initiated with the sector so as to encourage the planning and adequate management of
public procurement, especially where a high degree of R&D&I is involved. Interested
companies could thus orient their investment and efforts towards producing the services
and products the public sector demands.

c) Enhance the trust and confidence of public purchasers of ICT security

In relation to the above recommendations, it would appear necessary to increase the trust
and confidence, both at a technical and legal level, of public purchasers of services or
products closely linked to ICT security, insofar as they may feel that the lack of
specifications or standards in this area could entail a certain degree of “risk” for the
success of a project based on, or with a significant role played by, ICT security. The State
must not only purchase in a planned manner, it must – fundamentally – generate
standards and tractor projects to lay the foundations for the ICT security sector in our
country.

In this sense, it is essential that the competent agencies within the public sector should
strive to define those technical and legal requirements deemed to be the absolute
minimum for ensuring the security of certain projects (for example, access to databases or
connections between the databases of different public organisations, access to web
services, etc.). In certain cases, it could prove necessary to make some specific statutory
modification; in others, all that would be needed is a development or specification of the
legal requirements in force, or to introduce the desired specifications or standards in
bidding forms or model clauses.

8.4 Actions designed to boost demand for security in SMEs and homes

a) Organisation of public awareness campaigns in order to enhance the IT security culture

With regard to the above, and more directly aimed at consumers, it appears necessary to
create or enhance the security culture by means of specific campaigns. In this case, the
determining role of the public sector is evident, without prejudice to the support and
reinforcement it may receive from similar private initiatives.

The public sector must advance decisively in this determining role, e.g. within the
awareness campaigns, by offering free access to certain basic security products or
services to companies and citizens – and even to other Administrations – through the
CERT.

On the basis of these services, once the security culture has been created or generated, it
will be up to the private sector to offer attractive services, adequately managed to serve all
kinds of companies, in particular the SMEs, over and above the services offered free of
charge by the Administrations. The market must prove capable of providing the SMEs with
suitable managed security services.

b) Oversee compliance with the regulations that impose specific obligations within the field of ICT security

At this moment in time, at least within the European Union, we have been unable to
identify any more far-reaching regulations, in addition to those already in force in Spain,
which impose, or could impose in the short term, further obligations on security matters. In
this sense, this recommendation is geared more towards ensuring that the regulatory
measures already in force are adequately implemented and fulfilled, rather than
suggesting the need for, and imposing, new obligations in the field of ICT security.

The laws must be backed by subsequent projects that facilitate their implementation. It is
essential that, alongside the law, there be a drive to launch products and services on the
market which facilitate compliance with it. Instruments such as the preparation of guides
or the creation of suitable consultancy services must be taken into consideration from the
start. At all costs, the perception that security laws are difficult to implement must be
avoided.

8.5 Actions designed to boost the ICT security sector

a) Drawing up an internationalisation plan for Spanish ICT security technology

Given that the domestic ICT security market is relatively small, special attention must be
placed on promoting internationalisation plans for the leading companies in ICT security
technology, so that they can compete effectively in other markets, designing specific
programmes for this kind of company, in a similar fashion to what already happens in
other sectors.

b) Increase training and specialisation in ICT security

Likewise, we have identified that the lack of proper training in ICT security is yet another
encumbrance or inhibiting factor slowing development of the sector. Hence the importance,
as a general recommendation, of developing adequate training and specialisation policies.

c) Promote and facilitate financing for the most innovative ICT security firms

The experts believe that in the security sector, just as in other sectors of the economy,
companies should be given easier access to financing, particularly in the initial stages,
precisely when the need is most critical and financing is hardest to obtain.

In the case of ICT security, given that this is a sector which requires significant investment
in R&D&I and is still in a phase of relative immaturity and rapid growth, the question of
company financing is a particularly pressing need. While these problems do not
exclusively affect this sector, it is worth mentioning the fact that the risks associated with a
very rapidly evolving market, which offers significant business opportunities, demand that
the finance instruments be readily adapted to suit the realities of the companies and the
market.

It would therefore seem a good idea to study the possibility of finance being made
available using venture capital, along the lines of similar nationwide or regional
programmes targeting the financing of technological companies in their initial phases.

d) Encourage R&D&I in the field of ICT security

An important factor for boosting the sector is deemed to be encouraging R&D&I work from
the public sector, as well as from the private sector. This must be one of the prime
recommendations to be adopted by both sectors.

The public sector must bring its financing policies for R&D&I on ICT security issues into
line with planning for its own demand (public procurement), so that the investment may
prove to be effective and contribute towards developing the market. It is thus essential
that, at the same time, there exists strategic planning of the different ICT security needs
within the public administrations.

ANNEXE. CATEGORIES WITHIN THE ICT SECURITY MARKET

I. Security Hardware

Security hardware includes a whole series of secure access devices, as well as
authentication hardware solutions. According to the classification of this report, the
following elements are included:

Security devices

A security device consists of a hardware system with an embedded Operating System,
with a limited set of security applications. Security devices may include other
characteristics such as access policies, Quality of Service (QoS), load balancing, high
availability or bandwidth management. Within this category we find:

• Firewall/VPN devices.

• Unified threat management devices: they incorporate many security characteristics
in one piece of equipment, which must include a network firewall capability,
network intrusion detection and prevention and gateway antivirus.

• Intrusion detection and prevention devices: their principal function is to provide
continual network monitoring and the capability of reporting and reacting to
malicious activities.

• Content security management devices: these products offer antivirus protection,
web filtering, antispam and messaging security. These appliances differ from the
unified threat management devices in that they do not include firewall capabilities,
nor intrusion detection and prevention.

Authentication hardware

The authentication elements constitute an important segment within the identity and
access management market. These elements comprise the tools necessary to perform
this management work:

• Authentication servers: store information on the users (logins, passwords, etc.)
and provide verification capabilities in the face of authentication requests.

• Client-side authentication software: permits the control of access from users’
computers to the resources of the corporate network and Internet.

• Traditional authentication elements: small hardware devices that allow users to
authenticate their identity with the server by using passwords or replication or
exchange methods.

• USB authentication elements: devices which are connected to a USB port on the
computers.

• Authentication elements for licensing software: dongles connected to a USB (or
parallel/serial) port to authorise the use of a certain piece of software on a
particular computer.

II. Security Software

Security software includes a wide range of technologies employed in order to enhance the
security of computer equipment, information systems, communications, networks and
electronic transactions. It is used to ensure their confidentiality, integrity, privacy and
availability.

Identity and access management

This covers a whole set of solutions utilised to identify users in a system (employees,
clients, etc.) and control their access to resources within the system by establishing rights
and restrictions depending on the profile of the identity in question.

Threat management

Threat management includes solutions which constantly monitor network traffic or the
activity of an application, in order to discover malicious activities or ensure compliance
with the defined security policies. Once a security violation is detected, these tools are
designed to mitigate the scope of the attack on the monitored network. Threat
management combines two families of products: firewalls and intrusion detection and
prevention software.

Content management and security

Content management and security includes software solutions designed to protect
information and computer equipment from viruses, spyware, spam, phishing, Trojans,
worms and other kinds of malicious code. It also includes solutions to protect confidential
data, intellectual property and other sensitive information of the organisation. Content
management and security includes these sub-segments: antivirus software, web filtering
software and messaging security software.

Vulnerability management

A set of solutions that enables organisations to determine, interpret and improve their
posture in the face of risks.

Other security software

This includes emerging security functions that do not correctly fit into any of the previous
categories. The areas included under the category of other security software are:
encryption tools, database security, storage security, VPN clients, wireless security, web
security services and secure operating systems.

III. Security Services

Security services cover all those activities necessary to plan, design, construct and
manage the security of a company’s network infrastructures, processes, programs and
information.

Security planning

Security planning and assessment generally responds to business requirements for risk
prevention. Business consultancy projects usually give rise to new projects for
implementing the solutions necessary to provide the required security, duly carried out by
other providers.

Implementation of security

The implementation of security is dominated by system integrators and resellers who offer
security implementation services as part of a comprehensive systems implementation
project. There exists a large number of providers specialising in particular security
technologies. Consultancy companies do not generally get involved in technological
aspects and so they leave this implementation to the systems integrators.

Managed security services

These services are usually offered as part of an overall outsourcing contract.

LIST OF GRAPHS

Graph 1: Classification of the Security Market...................................................................18

Graph 2: Spanish Security Market in 2006 ........................................................................19

Graph 3: Security measures adopted in Spanish households...........................................27

Graph 4: Security incidents detected by users in each quarter .........................................28

Graph 5: Computers infected by malicious code in 2007 (%)............................................29

Graph 6: Evolution of the presence of malware by categories (% of total no. of scanned computers).........30

Graph 7: Degree of knowledge of security incidents .........................................................31

Graph 8: Perception of security incidents by SMEs...........................................................32

Graph 9: Security measures employed in SMEs ...............................................................33

Graph 10: Percentage of companies with security executives (CSO, CISO, CPO) ..........35

Graph 11: Percentage of companies which have implemented security processes..........35

Graph 12: Percentage of companies which have implemented security tools ..................36

Graph 13: Percentage of companies who manage a business continuity plan .................37

Graph 14: Forecasts for the security software market (€ millions) ....................................42

http://www.inteco.es

http://observatorio.inteco.es
