This publication belongs to the Instituto Nacional de Tecnologías de la Comunicación –INTECO- (National
Communications Technologies Institute) and is under a Creative Commons Spain 2.5 Attribution Non-commercial license,
and for this reason copying, distributing and displaying this work is permitted under the following circumstances:
• Attribution: The content of this report can be totally or partially reproduced by third parties, specifying its source and
expressly referring to both INTECO and its website: www.inteco.es. This attribution can in no event suggest that INTECO
provides this third party support or supports the use made of its work.
• Non-commercial Use: The original material and the resulting works can be distributed, copied and shown provided
that it is not for commercial purposes.
When the work is reused or distributed, its license terms must be made very clear. Some of these conditions may not be
applicable if the copyright license is not obtained from INTECO. Nothing in this license impinges on or restricts INTECO's moral
rights.
Full license text:
http://creativecommons.org/licenses/by-nc/2.5/es/
TABLE OF CONTENTS
I. Introduction ..............................................................................................................6
1.2 Information Security and e-Trust Analysis and Study Group .............................14
2 INTRODUCTION ........................................................................................................16
4.1.1 Scant perception of the risk: if you cannot see the problem, it does not exist ......21
Study of the ICT security sector in Spain Page 3 of 64
Observatorio de la Seguridad de la Información
Instituto Nacional
de Tecnologías
de la Comunicación
6.1.2 SMEs..............................................................................................................40
7.1.2 Regulations that establish obligations for ICT security questions ..................45
7.1.3 Rules that provide legal safeguards in the provision of services ...................47
8 RECOMMENDATIONS ..............................................................................................55
8.2 National ICT Security Strategy: promoting standards and certification ..............56
8.3 Actions designed to boost demand for ICT security in the public administrations ....56
8.4 Actions designed to boost demand for security in SMEs and homes ................58
KEY POINTS
I. Introduction
INTECO took the initiative to set up and head a top-level think-tank or group of experts –
with members drawn from the IT security private sector and scientific community in Spain,
as well as renowned public sector experts in this field – in order to analyse information
security issues within the Information and Communication Technology sector.
Its objectives are: first of all, to diagnose the current state – and predict the future trends –
of the information security market in Spain and Europe; secondly, to study tendencies in
ICT security and their impact on the Public Administration, the business sector and
citizens in general; and thirdly, to undertake a market analysis (of the actors, supply and
demand, etc.) that may provide an insight into the business models implemented in the
sector, as well as the positioning and importance of ICT security within the economy as a
whole.
• The worldwide security market has experienced steady growth in recent years,
constantly achieving significant growth rates year on year. The Spanish security
market has followed this same trend and, in 2006, reached the figure of €617M [1]. Of
this figure, security services account for 54.9% of the market, security software
for 36.4% and security hardware for 8.7%.
• There is a highly important ICT security industry in our country and the
Administration has introduced various initiatives with sufficient driving force (e.g. the
so-called ‘tractor projects’) to assist in developing the sector and positioning it on the
international market – it already has a presence, but its positioning could always be
improved.
• There basically exist two difficulties when it comes to implementing policies that
influence the development of the sector: the absence of consolidated data on the
sector and the heady pace of changes in the nature of the threats for which a
solution must be sought.
[1] IDC (2006), The security market in Spain.
III.1 Inhibitors
• There are certain factors in the Spanish market that hinder the development of the
ICT security sector, the most significant of which are to be found on the demand
side: modifying this is deemed a key element for ensuring the consolidation of a
mature security market.
• Homes and businesses have insufficient knowledge of their ICT security needs,
know nothing of the evolution of the threats and, possibly, are not even aware of
their legal obligations. In such a scenario, there would seem to be a clear need for
increased initiatives to educate and spread the word in order to foster a security
culture.
• Spain has yet to undergo the most transcendent change in the way ICT security is
conceived: that which entails moving from a reactive to a proactive approach. Only
the major organisations – basically those in certain sectors (banking, health,
defence) – have acquired a proactive security culture. In general, the predominant
conception of this issue centres on protection measures that require no intervention
on the part of the user, i.e. “install and forget” solutions, instead of conceiving
security as a need to foster personal and organisational behaviour patterns that
enhance protection.
• Pertinent legislation and the so-called tractor projects are considered to be the
factors that have most boosted development of ICT security in Spain.
• The public sector is a major consumer of ICT security solutions, given that they
are essential for providing services to its citizens (e.g. health, justice or education) or
for covering its own needs (defence, taxes, etc.). The development of the ICT
security industry would benefit greatly from explicit consideration of these needs in
public procurement programmes.
o The key concept as regards the demand for ICT security in major enterprises
is business continuity.
o The most noteworthy process, given its spectacular evolution between 2006
and 2007, is the design of a global security strategy, which was implemented
in 37% of companies in 2006 and rose to 57% in 2007, this representing an
increase of 54% in just one year.
o Antivirus and firewalls are the most commonly used security tools in the
home, present in 94% and 75% of households, respectively.
o Those security measures that call for the active intervention of users are the
least common: document encryption, backup copies, separate disk partitions,
etc.
o There is a large volume of highly varied incidents, with the most prevalent
being the reception of unsolicited email (spam), which affects 83.3% of all
o The antivirus is the most commonly used security tool in SMEs; 98.9% say
they have one installed on their computers.
How SMEs act on security matters depends on factors such as their size and
sector of activity. In general, the behaviour of micro companies has a great
number of similarities with the household sector.
• Investment in security will continue to grow and the market will continue producing
highly significant growth rates.
• It is likely that the security market will go on to become a services market. Many
ICT firms who do not belong to the security segment, as well as telecoms operators,
are already entering this market through the provision of services. In the same
fashion, many software companies are starting to offer managed security services
on a large scale, in order to offset their reduced margins from software sales.
• The growth of the security services segment will accelerate in the medium and long
term, as this technology matures and the supply positions itself in managed
services, thus stealing market share from the security software segment.
• The forecast is for greater growth in proactive security measures, given the high
penetration of security elements classified as being passive: antivirus, firewall,
antispam and antispyware programs, pop-up window blockers and operating system
security updates. Nonetheless, users will continue to rely on security mechanisms
which do not require constant attention and do not limit their sense of freedom when
using the Internet.
• The public sector, in its role as a consumer with a large volume of public
acquisitions, can have a very direct impact on the development of the market,
stimulating innovation and serving as an example for the adoption of security
measures.
o The fact that the Public Administration has started up major tractor projects
has provided a new source of stimulation for the security market, with the key
example being the potential for further developing the market provided by the
electronic ID card project.
o The public sector must bring its financing policies for R&D&I on ICT security
issues into line with planning for its own demand (public procurement), so
that the investment may prove to be effective and contribute towards
developing the market.
VI. Recommendations
o Support and foster greater knowledge and fulfilment of the regulations which
impose specific obligations within the field of ICT security and provide
support for complying with pertinent legislation. The standards, certification
stamps and self-regulation based on the dissemination of good practices
constitute a basic element for coordinating the efforts of institutions,
companies and households, which, without this reference framework, often
make a great effort lacking in any method.
1.1 Presentation
Drafting this report is in keeping with the overall objectives of Plan Avanz@, approved by
the Spanish government in 2005 and integrated within the programme known as Ingenio
2010. One of the major spheres of activity envisaged in the terms of Plan Avanz@ for the
period 2007-2010 is the so-called New Digital Context [2]. One of its principal features is the
promotion of ICT security and e-trust and, to this end, the Plan sets forth the following
objectives:
• Increase the level of awareness, training and knowledge of citizens, companies and
Public Administrations regarding the new Information and Communication
Technologies (hereinafter ICT).
In keeping with Plan Avanz@, this report aims to contribute towards achieving the
aforementioned goals, presenting an overview of the current situation in the Spanish ICT
security sector and proposing the role that all the agents within the sector should fulfil in
order to boost and develop ICT security and e-trust.
INTECO’s mission is to promote and develop innovation projects related to the field of
information and communication technology (ICT), generally in the field of the Information
Society, which will improve the position and competitiveness of Spain, expanding its
capacities to both the European and Latin American environments. Thus, the Institute aims
to be an innovative development centre of national interest; it constitutes an enriching
initiative and seeks to disseminate the new technologies in Spain, clearly in tune with
Europe.
[2] http://www.planavanza.es/LineasEstrategicas/AreasDeActuacion/NuevoContextoDigital/
[3] http://www.boe.es/boe/dias/2007/08/08/pdfs/A34097-34099.pdf
The social purpose of INTECO is to manage, advise on, promote and disseminate
technological projects. To this end, it will develop actions in at least the following strategic
lines: technological security, accessibility, innovation in ICT solutions for SMEs, e-health
and e-democracy.
http://www.inteco.es
The Observatory has designed a Business and Study Plan in order to produce useful and
expert knowledge on security and to develop recommendations and proposals that define
valid trends for future decision-making processes by public authorities.
Within this action plan, research, analysis, study, counselling and dissemination activities
are carried out in line with the following strategies:
• Carrying out original studies and reports in the field of information and
communication technology security, with particular emphasis on Internet safety.
• Monitoring key indicators and public policies related to information security and trust,
both nationally and worldwide.
• Creation of a database that will allow for the analysis and assessment of security
and trust through time.
• Dissemination of studies and reports issued by other organisations and national and
international agencies, as well as information about current national and European
news concerning security and trust in the information society.
http://observatorio.inteco.es
The last two objectives of the Observatory gave rise to INTECO adopting the initiative to
form a group dedicated to furthering knowledge of the sector and analysing its progress.
The underlying philosophy was that of a think-tank, i.e. the ideas put forward by the
experts were to be the raw material that could produce solutions in order to achieve the
objectives laid down.
Thus, this forum was born with the aim of providing active support to the decision-making
process faced by all the agents involved, in general, and by the public authorities, in
particular. Such decisions concern the present and future of the ICT security sector and
the Information Society in general. As a result, to a large degree, they affect the future
competitiveness and growth of the Spanish economy and society at large.
Duly represented within this group of experts are the principal agents of the ICT security
sector in Spain, drawn from both public and private entities, as well as various experts
from the university world and the most important sectorial associations. While it is indeed
true that, given the inherent characteristics of the group, it is not possible to include all the
representatives and experts from this sector, it can be safely said that the sample is
sufficiently representative to ensure that the final work may be deemed to constitute a
studied diagnosis shared by those within the ICT security sector.
To be more specific, the following experts, all members of the Group, have participated in
the drafting of this report:
• Luís Jiménez. Head of Policy and Services Unit. DEFENCE MINISTRY – CNI
• Salvador Soriano. Deputy Director General of Services for the Information Society.
S.E.T.S.I. – MINISTRY OF INDUSTRY, TOURISM & COMMERCE.
2 INTRODUCTION
In 2007, nearly 95% of all companies in the European Union with over 10 employees were
connected to the Internet and most of them had a website [4]. The use of the mobile
telephone and the computer has become commonplace in the workplace, and computer
and communication technologies have become an essential part of citizens’ lives and of
their options for leisure and entertainment. In 2007, 45% of Spanish households had a
broadband connection to the Internet [5] and the penetration rate of mobile telephones in
Spain stood at 110.5% [6]. Schools and universities are connected to the Internet and it is a
widespread practice to integrate the use of computers and the Internet into study and
learning processes. The public administrations have implemented strategies to develop an
electronic Administration that can provide an ever-growing number of public services via
the Internet. In short, computer and electronic communications already form an intrinsic
part of our everyday activities.
This integration into our daily lives is producing a growing awareness of the possible
vulnerabilities and operational risks involved. All this has given rise to the concept of ICT
security, defined as the capacity of networks and information systems to resist – up to a
certain level of trustworthiness – accidents or illicit or malicious actions that compromise
the availability, authenticity, integrity and confidentiality of the data stored or transmitted
and of the services that the said networks offer or make accessible [7].
The principal purpose of this report is to provide an overview of the situation surrounding
the ICT security sector in Spain, as seen from two different viewpoints: the needs that
citizens, companies and administrations demand be covered and the supply of security
solutions and services that currently exists on the market. This overview will allow us to
identify concrete measures and actions which, led by the public sector and counting on
the participation of the other agents involved, could boost the development of the ICT
security sector in Spain.
[4] Eurostat (2007), Utilisation of the Internet by Companies.
[5] Eurostat (2007), Internet access and e-skills in EU27 in 2007.
[6] Red.es (2007), Indicators for ICT sector, Telecommunications and Information Society Observatory, http://observatorio.red.es
[7] Mañas, J. A. (2006), Glossary.
ICT security is a growing sector. Quantifying the size of a market is never an easy task
and, in the case of the security market, it is even more complex. The absence of
consolidated figures for the security sector, together with the fact that operations of many
of the companies overlap with other branches of ICT activity, means that it is really difficult
to obtain data that are validated and accepted by all the agents involved. The sector cannot
even claim to have a structured classification system for ICT security-related activities,
which could be taken as a reference framework. Many classifications have been defined
and greatly differing market figures have been published, within the broad spectrum that
envelops the whole concept of ICT security.
To this difficulty, we must add the dizzying speed at which this market evolves, both in terms
of new threats and the new products and services launched to deal with them. In such an
ever-changing environment, it is not easy to obtain market data, much less reliable
historical data.
While recognising this difficulty, market figures are essential in order to be able to get a
better grasp of the situation. This section offers quantification data for the ICT security
market in Spain, based on reports published by the consultants IDC and Gartner. Given
all the foregoing, implementing the initiatives necessary to be able to have access to
market figures that reflect the true situation of the sector will prove to be an important
factor in the drive to effectively boost development in this market.
The security of networks and information systems must guarantee the availability of
services and data, impede the interruption and unauthorised interception of
communications, confirm that the data sent, received or stored are complete and
unaltered, ensure their confidentiality, protect the information systems against
unauthorised access or attacks related to malicious software and guarantee the reliable
authentication that can confirm the identity of entities or users [8].
In order to quantify the market that responds to all the needs outlined in this concept of
ICT security, we have segmented it into three areas of activity: security hardware, security
software and security services. The following figure details the elements considered in
each of these segments. Annexe lists the definitions associated with each of these areas
of activity.
[8] European Commission (2003), Establishing the European Network and Information Security Agency.
[Figure: segmentation of the ICT security market into security hardware, security software and security services (including directory services). Source: IDC]
The worldwide security market has expanded considerably in recent years, constantly
achieving significant growth rates year on year. According to the estimations of IDC [9], in
2006 the Spanish security market reached a figure of €617.2M. This figure represents
4.2% of the total for the Spanish ICT market which, that same year, reached €14,540.7M.
The following graph reveals the contribution of each segment to the total ICT security
market in Spain.
[9] IDC (2006), The security market in Spain.
[Figure: contribution of each segment to the total ICT security market in Spain, 2006; security hardware €53.7M, 8.7%. Source: IDC]
Security Hardware
The hardware market is the smallest segment, only representing 8.7% of the total. At this
moment in time, it is fundamentally focused on the firewall and VPN (Virtual Private
Network) segment, but there is an evident upwards trend in the segments dealing with
SCM (Secure Content Management) and, above all, UTM (Unified Threat Management).
The need for integrated, consolidated storage solutions is clearly driving this market.
Security Services
The most representative segment is currently that of security services, with a value that
represents 54.9% of the total security market. The services segment is drawing in a large
number of agents involved in consultancy work and the integration of security solutions.
Positioning moves within the managed security solutions sector can also be observed.
Security Software
The security software market accounts for 36.4% of the Spanish security market. This
market is highly concentrated in the content management and security segment, the most
representative of the security solutions adopted by the consumer and SOHO (Small
Office-Home Office) market. The second most relevant market is threat management.
[10] Authentication hardware is not included.
Over the last few years, there has been a noticeable change in the structure of the ICT
security sector in Spain, with different integration processes taking place within the
industry and new actors, products and services constantly appearing. Within this
structure, the relevant agents in the ICT security market can be grouped into five
categories:
The following sections refer to several of the Spanish companies who particularly stand
out as a result of their advanced technology or their strong presence in the market.
We must now move on from a description of the current state of the ICT security market in
Spain and duly analyse the factors that facilitate or inhibit the development of this market.
An analysis of the factors capable of influencing the evolution of the ICT security market
may point to certain elements for defining policies and initiatives that can boost ICT
security in Spain and allow us to base good security on the development of an
outstanding ICT industry.
There are certain factors in the Spanish market that hinder the development of the ICT
security sector, the most significant of which are to be found on the demand side. The
scant perception of the risks involved and the reactive attitudes of users pose the greatest
challenge faced by the agents working in the ICT security sector in Spain.
4.1.1 Scant perception of the risk: if you cannot see the problem, it does not exist
The low perception of risk on the part of users (both home and business users) produces
a situation where information systems are left unprotected and malicious software
(malware) can spread rapidly across communication networks.
One of the main factors responsible for this low perception of risk is the “silent” form of
attack adopted by most of the ICT security enemies. The most obvious example of this
kind of attack is that of the botnets, computer networks that have been infected by some
kind of malware that allows the operator of the botnet to control those computers, normally
with rather unethical ends, without their owners being aware of this. Users are never
aware of these threats or risks and, for this reason, believe they have sufficient protection
and so their perception of the risk tends to diminish.
The reactive nature of a significant part of the demand results in a market that is not very
stable and is subject to fluctuations that are difficult to predict. This situation represents a
particular difficulty for the companies developing and commercialising products, services
and solutions related to ICT security. In many cases, it leads to a squeeze on supply and a
poor match between needs and the solutions proposed.
Companies may even feel that the cost of these security tools is too high. Investment in
ICT security is not easy to justify if there exists no security culture and no clear perception
of the risk. Bringing investment in ICT security into line with the business of SMEs is a
task that remains pending in most Spanish companies.
To date, the principal factor stimulating the ICT security market in Spain has been the
obligations stemming from regulatory impositions. However, this is not the only factor with
the ability to boost market possibilities; there exist others such as public procurement,
support for R&D&I, certification, etc.
Given its importance, this factor will be analysed in greater detail in Chapter 7, dedicated
to public policies.
Homes and businesses are often unaware of their ICT security needs, know nothing of the
ever-changing nature of the threats and are not even sufficiently aware of their legal
obligations. In such a scenario, there would seem to be a clear need for increased
initiatives to educate and spread the word in order to foster a security culture, given the
lack of awareness demonstrated by many citizens and a large part of Spanish companies,
particularly the SMEs.
The capacity of the news media for disseminating the security culture and making the
general public aware of ICT security issues has been patently demonstrated on numerous
occasions. In this sense, we must highlight the good work that specialised publications
such as the Spanish magazines SIC, Red Seguridad, Auditoria y Seguridad or eSecurity
have been performing for many years now, offering rigorous information that serves to
inform, teach and raise awareness among firms and public administrations regarding
different aspects of IT security and related products and services, thus fostering a larger,
yet more cohesive ICT security industry in our country.
Nonetheless, it must also be pointed out that, on occasions, the mainstream media has
been guilty of putting an alarmist slant on news, something which could cause reticence
regarding the use of the new technologies. In order to avert this risk, it would be
necessary to provide these media with sufficient data to be able to put any new threats
into context and educate the journalists on ICT security matters.
b) Security Certification
Certification could form the basis of an ICT security strategy to further development within
the market. Standards such as Common Criteria or the ISO quality standards have
provided a positive boost in the task of raising awareness and starting up ICT security
projects in the business world.
There has been a marked move in recent years from attacks based on the use of viruses,
Trojans and worms to others frequently based on criminal organisations making use of
networks of remotely controlled (zombie) computers and a myriad of technological tools
they can combine to suit their needs at any given time. The aim of the attacker has moved
on from merely wishing to become famous and is now clearly financial, resorting to
extortion, theft and espionage. In short, security attacks are now much more professional,
with the focus now firmly on reaping financial benefit.
This professionalisation and the more serious nature of the attacks could be considered
important factors for boosting ICT security development, insofar as they oblige the market
to react with increasingly complex new services and products, which, in turn, will then be
faced with new, more sophisticated attacks.
Critical infrastructure is taken to refer to that which is essential for a country to function
properly, such as electrical power, telecommunications, fuel supplies, transport services,
health services, security, etc. An incident in an ICT system could provoke a chain reaction
in the critical infrastructure network, which, in turn, could lead to a complete stoppage of
productive activity at any number of organisations. Given the extreme risk factor, special
emphasis is placed on security at such installations and, for this reason, this area
constitutes an important factor when it comes to boosting the ICT security market.
Projects promoted by the public sector may have a direct bearing on the development of
the ICT security market. In this sense, the Administration has started up emblematic
tractor projects that should have a really great impact on the future of the security market.
These tractor projects provide companies offering ICT security solutions with planning for
their investments in R&D&I, taking into due account the medium-term needs of those in
charge of public procurement. Among the initiatives introduced in our country, probably
the most noteworthy, given its enormous potential, is the electronic ID card project. Given
its importance, this stimulation factor will be analysed in greater detail in Chapter 7,
dedicated to public policies.
Beyond its role as legislator and regulator, the public sector is a major consumer of ICT
security solutions, given that they are essential for providing services to its citizens (e.g.
health, justice or education) or for covering its own needs (defence, taxes, etc.). Security
still does not carry enough weight in most public ICT projects to be able to bring its
influence to bear, to the degree that it should, in the development of the sector.
ICT security entails a high degree of technical complexity and the development of new
products and solutions calls for significant R&D&I work sustained over lengthy periods of
time. All of this results in difficulties in obtaining financial resources, given the
perception of risk harboured by financial agents towards a market that is not yet fully
mature and with growing demand, but whose limits and possibilities have not yet been
sufficiently well defined. It is this situation which makes it necessary to value support for
investment in R&D&I as a highly significant stimulation factor.
This support serves as an incentive for new companies to get started in this market and,
as for those already firmly established, they can obtain a return on the efforts they made
in the past.
An analysis of the situation regarding demand – where the behaviour of the actors is not
at all uniform – is a fundamental element in the struggle to boost the ICT security market
in our country.
The major corporations, the Public Administrations and certain economic sectors such as
the financial services, for whom information systems and the use of ICT prove critical,
have, in general, reached a significant degree of awareness regarding the importance of
ICT security and have dedicated the resources necessary to prevent possible problems
and to ensure the continuity of their activities, thanks to the availability of ICT solutions.
In addition, there exists another highly varied segment, made up of large and medium-
sized companies and organisations in which ICT security is less critical, companies and
organisations of a somewhat smaller size, professionals and home users. This segment
presents a much lower and more unstable level of demand, which is highly reactive to
specific problems.
On the basis of this reality, an analysis of the demand is undertaken by splitting it into
three different segments – homes users, SMEs and large companies.
The analysis of the demand for ICT security in the home is based on the Study on ICT
Security and e-Trust in Spanish Households carried out by INTECO, which is now into
its fourth wave. The methodology employed combines objective measures of incidents
and equipment with subjective measures of perception of security and trust on the Web. In
order to prepare this report, INTECO relies on a panel of over 3,000 households
connected to the Internet, from which it extracts information on actual security by way of
special software that analyses security incidents. It also analyses the perception and level
of trust of the users by carrying out personal surveys. The combination of both data
sources provides us with knowledge of the differences that exist between the perception
of security and the actual situation in the households being analysed.
Passive security refers to all measures that may be automated, i.e. they require no
specific intervention on the user’s part. Most of these actions are configurable, with the
result that users spend little time worrying about their maintenance. Among this type of
measures we could cite the antivirus, firewall, antispam and antispyware programs, pop-
up window blockers, operating system security updates and parental control programs.
Active security covers all those measures that require direct, manual intervention on the
user’s part. Among such measures are document encryption, passwords, backup copies
of the boot disk and important documents, elimination of temporary files and partitioning
the hard disk.
The following graph depicts the degree of use declared by the users for both types of
measures and their evolution over the four waves of data compiled by INTECO throughout
2007.
[Graph: declared use of security measures in Spanish households (%), 1st to 4th Wave 2007. Values legible for each measure (two of the four waves): Antivirus programs 92.7 / 94.4; Firewalls 73.5 / 65.3; Pop-up window blockers 66.7 / 61.5; Elimination of temporary files & cookies 58.5 / 55.2; Antispyware programs 53.3 / 49.0; Antispam programs 52.7 / 49.9; OS security updates 49.5 / 45.8. Source: INTECO 11]
In general, save certain exceptions (such as the antivirus programs, which have dropped
back slightly), the security measures analysed experienced increased penetration in
Spanish households between January and December 2007. This rise is in keeping with
another relevant piece of data drawn from this analysis, namely that a little under 2% of
households use no protection measures whatsoever.
11 National Institute of Communication Technologies (2007). Study on Information Security and e-Trust in Spanish Households. Information Security Observatory. 4th Wave. http://www.inteco.es
It is the passive security measures that have achieved the greatest penetration in Spanish
households, most noteworthy being the practically universal adoption of antivirus
programs. Among the active security measures, the use of passwords stands out and is
now common practice in half of all households. The conclusion that can be drawn,
therefore, is that home users entrust their ICT security to the security tools installed on
their computer equipment and pay less attention to their habits when making use of the
new technologies.
[Graph: security incidents declared by users (%), 1st to 4th Wave 2007. Source: INTECO 12]
The graph above shows the incidents detected by the users, but it must be pointed out
that, given that they are “declared” incidents, they may not correspond exactly to reality.
In the four waves, the most prevalent incident was the reception of unsolicited email
(spam), which affects 77.8% of all users, followed by malicious codes, detected by 35.5%
of households in the last quarter. Although still a minority, one thing that stands out, given
the rapid growth, is the rise in online banking and credit card fraud. The number of users
12 IDC. Op. Cit. 11
who declare 13 having been the target of some fraud in the use of online banking has
reached an average rate of 4.5%. The increase in almost all types of security incidents
contrasts sharply with the increased adoption of security measures, as analysed above.
The conclusion that can be drawn from this analysis is that the incidents depend both on
the security measures adopted by users and their computers, and on their habits when
using Internet services.
It could be concluded that the evolution of infections on home computers has maintained
a slightly upward trend throughout 2007. Thus, 8 of every 10 computers are housing one
or more malicious codes on the system. The annual average for 2007 stands at 79.3% of
computers infected (not always seriously) in Spanish households.
[Graph: infected vs clean home computers, by month, January to December 2007 (0% to 100%). Legend: Infected, Clean. Source: INTECO]
13 It is important to recall that INTECO handles two types of data: on the one hand, those declared by the users (which have the limitations outlined throughout this study) and, on the other hand, those obtained by INTECO by scanning their computers.
14 This software scans the panellists' computers on a monthly basis, detecting any malware resident on them, thanks to 32 different antivirus engines, and compiling data on the operating system and the state of its updates. The software sends this information to INTECO, where it is handled in a totally anonymous manner and accumulated.
[Graph: malware types detected on home computers, by month, January to December 2007 (0% to 80%). Legend: Trojan, Adware, Tool, Spyware, Heuristic, Virus, Worm, Others. Source: INTECO]
There has been a noticeable, highly significant increase in the malware used by intruders
to take control of computers for criminal purposes (Trojans), as well as those that allow
them to monitor the information generated by users when using their PCs, such as
passwords, bank details etc. (spyware). Nonetheless, there has been a decrease in the
presence of malware with no economic motivation, such as viruses.
The analysis of the demand for ICT security in SMEs is based on the Study on security
incidents and needs in Spanish small and medium-sized enterprises, carried out by
INTECO 15. The results of the study are based on declared information and, for this
reason, the lack of a security culture in SMEs introduces a certain bias into some of the
results obtained. It was not possible to complement the information drawn from the
surveys with data gathered by installing specific programs on the computers at SMEs.
This is because, unlike the case of home users, it is difficult to convince businesses to let
outsiders install this kind of program on their computers.
15 National Institute for Communication Technologies (2007), Study on security incidents and needs in Spanish small and medium-sized enterprises, Information Security Observatory. http://www.inteco.es
In this section, we analyse the most important incidents and threats detected by SMEs
when using the new technologies. We also present the solutions implemented and the
security needs Spanish SMEs say they have.
The following graph reveals how SMEs are not sufficiently educated to be in a position to
combat these new threats. This lack of knowledge may be due to the absence of suitably
qualified personnel in the ICT security field within Spanish SMEs: a mere 16% of the
SMEs surveyed said they have ICT security experts on their staff.
[Graph: level of knowledge of ICT security threats among the SMEs surveyed (0% to 100%). Source: INTECO]
Incident                                   Yes      No
Denial of service                          89.9%    10.1%
Trojans                                    77.3%    22.7%
Spam                                       58.7%    41.3%
Logic bombs                                 3.9%    96.1%
Data theft                                  3.1%    96.9%
Fraudulent theft of personal data           2.7%    97.3%
Source: INTECO
Looking at the various types of incidents reported by Spanish SMEs, the most prevalent
threats are Trojan horses (77.3%), viruses (42.7%) and the reception of unsolicited email
(41.3%). One revealing piece of data regarding the scant knowledge of the SMEs on
security matters is that 90% of them claim to have suffered denial of service attacks (when
this is actually a rather infrequent type of incident), yet over 50% say they have little or no
knowledge of what this incident actually is.
Security measure                           Yes      No
Antivirus                                  98.9%     1.1%
Antispam                                   85.4%    14.6%
Antispyware                                81.4%    18.6%
Pop-up blockers                            71.2%    28.8%
Backup copies                              66.7%    33.3%
Passwords                                  66.4%    33.6%
Hard disk partitioning                     48.0%    52.0%
Encryption of documents                    32.0%    68.0%
VPN for remote access                      31.3%    68.7%
Physical authentication devices            27.1%    72.9%
Source: INTECO
For the analysis of the demand for ICT security in large enterprises, we have used data
from surveys carried out by PricewaterhouseCoopers 16 and Ernst&Young 17 at companies
all over the world (7,200 and 1,200 organisations, respectively).
Large companies reveal a high level of concern and awareness of ICT security issues.
They have invested heavily in technology in recent years and have implemented
processes and organisations designed to enhance their security levels. The budget
dedicated to security has grown considerably and now accounts for over 15% of the total
ICT budget 18 .
16 CIO, CSO & PricewaterhouseCoopers (2007), The Global State of Information Security 2007.
17 Ernst&Young (2006), Achieving Success in a Globalized World. Is Your Way Secure? 2006 Global Information Security Survey.
18 IDC. Op. Cit. 16
This has allowed companies to start up long-term security initiatives, which are set up in
an organised fashion and ensure that the security strategy falls in line with the IT strategy
in general, as well as the business goals, thus providing a boost for ICT security.
Historically, the duties of coordinating and managing information security and data
protection were taken care of by the Information Systems managers. However, the
number of companies with specific manager profiles for security activities rose
considerably from 2006 to 2007 (10%). This would seem to confirm that security
awareness is growing considerably at larger companies and is being afforded specific
attention, clearly differentiated from other information systems issues.
19 Self-Assessment Questionnaire prepared by the United States National Institute of Standards and Technology (NIST) (identified among its publications with the code 800-26). GAISP (Generally Accepted Information Security Principles). Groups of documents that have arisen around the FISMA (United States Federal Information Security Management Act).
Graph 10: Percentage of companies with security executives (CSO, CISO, CPO)
[Graph: companies with a CSO, CISO or CPO, 2006 vs 2007 (0% to 40%). Source: PricewaterhouseCoopers]
The most noteworthy process, given its spectacular evolution, is the design of a global
security strategy, which was implemented in 37.0% of companies in 2006 and rose to
57.0% in 2007, this representing an increase of 54.05% in just one year.
[Graph: percentage of companies implementing security processes, 2006 vs 2007: global security strategy (37.0% in 2006, 57.0% in 2007); establishing security reference bases for clients & partners; centralised management of information security. Source: PricewaterhouseCoopers]
The third measure which provides evidence of increased awareness is the deployment of
security technology.
[Graph: percentage of companies deploying security technologies, 2006 vs 2007. Values shown: Internet security 70.0% / 31.0%; Intrusion prevention systems / filters 83.0% / 44.0%; Identity management 89.0% / 73.0%; Data backups 82.0% / 78.0%; Encryption of documents 72.0% / 43.0%; Firewalls 93.0% / 77.0%. Source: PricewaterhouseCoopers]
When it comes to gauging the awareness of companies with regard to ICT security, a
relevant indicator is the effort made to ensure the continuity of the business. The following
graph lists business continuity management activities and the percentage of companies
implementing them.
The vast majority of companies identify the critical processes (79%) and assess the risks
for their information systems (75%). Nevertheless, barely 57% of them perform tests on
the measures incorporated into the business continuity plan and less than half of them
possess a communication strategy for this plan (46%).
[Graph: business continuity management activities and percentage of companies implementing them. Legible value: communication strategies for the internal/external plan 46.0%. Source: Ernst&Young]
Homes, SMEs and large enterprises have very different circumstances regarding their
demands for ICT security.
Homes
Antiviruses and firewalls are the most commonly used security tools in the home, present
in 94% and 75% of households, respectively. For the most part, users rely on passive
security measures, with those requiring active intervention being relegated to use by a
minority.
There is a large volume of highly varied incidents, with the most prevalent being the
reception of unsolicited email (spam). On the other hand, it is worth noting that serious
incidents reported by users, such as account or credit card fraud or theft, do not exceed
5%.
In this context, households require measures that orient their security culture towards
more proactive behaviour patterns and make them more aware of the value of security.
SMEs
The analysis of the security culture in Spanish SMEs reveals the need to bolster the
training programmes undertaken by public entities in order to foster the introduction of a
security culture in SMEs, in keeping with the importance this issue warrants. Education
and increased awareness are the key aspects for adequately configuring the demand for
security in the SMEs.
Large companies
The analysis of the security measures adopted by large companies reveals a highly
positive evolution in awareness from 2006 to 2007, which has given rise to an increase in
security measures at the vast majority of companies. Another noteworthy aspect as
regards awareness of ICT security matters is the importance companies afford to
business continuity.
The incorporation of the guidelines laid down for ICT security governance clearly shows
the path to be followed, extending this culture to every company. This objective must lead
to the formulation of a national security strategy so as to focus our efforts, allow us to
identify the measures that need to be put in place and facilitate compliance with legal
mandates.
Predicting the future is never an easy task and it becomes even more complex when you
are dealing with a relatively new sector. While fully aware of this complexity, this chapter
will strive to identify certain tendencies – both on the supply and the demand side – that
will shape the evolution of the ICT security market in the coming years.
This chapter incorporates forecasts on the evolution of the market size, as a useful
reference of the importance and progress of the sector. To the aforementioned difficulties
when it comes to quantifying the current security market, we must add the always difficult
task of forecasting future figures for the different segments of the market. While
recognising this difficulty, market projection figures may provide us with a framework
scenario which can assist the different agents to make the right decisions in order to boost
the development of the sector. For this very reason, we have included them in this report.
In order to define the expected evolution of demand in the Spanish market, we shall follow
the segmentation criterion employed in the analysis of the demand: home users
(households), SMEs and large companies.
According to the opinions of the users themselves, the security measures considered
proactive or involving the direct intervention of the user (document encryption, passwords,
backup copies, elimination of temporary files and partitioning the hard disk) are those with
the greatest growth prospects. This affirmation makes sense if we observe the high
penetration in Spanish households of those security elements classified as passive:
antivirus, firewall, antispam and antispyware programs, pop-up window blockers and
operating system security updates. Nonetheless, users will continue to rely on security
mechanisms which do not require constant attention and do not limit their sense of
freedom when using the Internet.
Security incidents
It could be said that, while there will continue to be a considerable number of security
incidents, their gravity will tend to diminish. This will be possible thanks to the increased
awareness of citizens, which will facilitate more widespread adherence to the
recommended security measures.
6.1.2 SMEs
Security measures
The study of security incidents and needs in the Spanish small and medium-sized
enterprises highlights a significant shortcoming in the technical services associated with
security management 20 . Moreover, what the sector needs are services to configure and
adequately maintain the various security and incident management tools. As a result, the
SMEs have been identified as a niche market to be exploited, particularly as regards the
provision of services.
Although the SMEs will continue with their reactive behaviour patterns to ICT security in
the medium term, the evolution of attacks towards economic targets will contribute
towards achieving a heightened perception of the risk. This is because the threats not only
compromise their computer equipment and the information stored there, but also the very
financial survival of the SME. This heightened perception of the risk will feed an increased
demand for education and rising consumption of security products.
Security needs will continue to be differentiated on the basis of the characteristics of the
SME, determined equally by their size and by the sector of activity.
• Integrate ICT security management into the company’s overall risk management
strategy.
Managing information security is starting to be fully integrated within the overall risk
management process at companies. Company chiefs are starting to recognise that
information security must form part of their risk management process, given that the value
of the information handled by major companies is now one of their principal assets.
20 National Institute for Communication Technologies (2007), Study on security incidents and needs in Spanish small and medium-sized enterprises, Information Security Observatory. http://www.inteco.es
21 IDC. Op. Cit. 16
Dealing with information security is gradually ceasing to be an isolated task and is being
brought under the umbrella of general risk management programmes and processes.
The forecast for the coming years is that the impetus driving ICT security in large
companies will continue to be compliance with current rules and legislation on security
matters. Over the last few years, compliance with regulations has been the stimulation
factor that has had the greatest impact on the development of ICT security in major
enterprises. There will be no foreseeable change in the importance of this factor in the
medium term.
Relations with third parties, both clients and suppliers, will require greater rigour in the
future when it comes to monitoring the security practices of companies in their relations
with each other, insisting on the presentation of security standard certifications and
applying stricter rules and more formal approaches towards risk management vis-à-vis
their suppliers.
As the business globalisation process gathers pace, questions relating to privacy issues
become ever more relevant. Increased pressure regarding privacy requirements will
provide an impetus for the formalisation of procedures and protocols necessary to
manage personal data protection and privacy.
The analysis of the trends in the demand for security solutions allows us to affirm that the
market will continue to enjoy significant growth rates. The evolution of the demand for
security solutions, together with the growth of the market and the commoditisation 22 of
many of the security solutions (particularly in the consumer range), is producing a
transformation of the security market into a services market.
Many ICT firms who do not belong to the security segment, as well as telecoms operators,
are already entering this market through the provision of services. In the same fashion,
many software companies are starting to offer managed security services on a large
scale, in order to offset their reduced margins from software sales.
22 Turning into a mere commodity: process whereby a product is purchased on the basis of its price and not for its differentiating qualities.
The growth of the security services segment will accelerate in the medium and long term,
as this technology matures and the supply positions itself in managed services, thus
stealing market share from the security software segment. The managed services
segment is the one with the greatest growth prospects, although consultancy and
security integration services will maintain intense growth rates, as a response to the
need of companies to simplify and analyse their security architectures and management
models.
The prospects for the Spanish security software market in the coming years are highly
positive.
[Graph: Spanish security software market, 2005 to 2010]
Year      2005     2006     2007     2008     2009     2010
Value     224.4    260.0    290.0    340.0    380.0    425.0
Source: IDC
The evolution towards pay-per-use models and managed security services, as well as the
evolution of the consumer market, which is easing off as a consequence of the saturation
in the adoption of technological security software solutions for homes and SMEs, is
producing a smooth, progressive fall off in the levels of growth.
23 IDC (2006), The security market in Spain.
The legal measures and diverse regulations related directly or indirectly to ICT security,
the impetus given to security-related flagship projects, the security promotion campaigns
and the boost provided to research in these areas all have a decisive impact on the supply
and demand for security.
The legal measures and regulations may impose requirements and obligations on certain
ICT security solutions that have a bearing on both those companies who demand them
and those offering this type of products or services. The legal obligations thus
compensate for those situations where users demonstrate an evident lack of awareness
on the subject, referred to above. Good examples we could cite are the Spanish Organic
Law on the Protection of Personal Data or the Electronic Signature Act.
Moreover, the public sector has a very direct bearing on the development of the ICT
security market, in its capacity as a major consumer of this type of solutions. This
consumption stimulates innovation and contributes towards consolidating the activity of
those companies offering security solutions and services. In addition, the use of secure
systems by the Administration has an important didactic effect on the SMEs and domestic
users, generating trust in the use of the new technologies and spreading the word about
solutions and products related to ICT security issues.
The Administration has also started up certain emblematic flagship projects with a very
significant impact on the future development of solutions for the security market. Most
noteworthy among them is the electronic ID card project.
Finally, the Administration undertakes really important work as regards promoting and
raising awareness in the ICT field in general, and ICT security in particular. Particularly
worth mentioning are the programmes in support of R&D&I, dissemination, awareness
and education programmes on aspects of ICT security among SMEs, professionals and
home users, as well as other services related to these subjects.
The following sections offer a summarised overview of these areas in which the
authorities have a more direct impact on the ICT security market.
The obligations relating to ICT security, which are directly or indirectly imposed by
legislation, constitute an element of the utmost importance when it comes to creating a
stable demand for security solutions. Such is the importance of this question that the
experts identify it as the principal stimulation factor for the ICT security market in Spain.
Some of the legal provisions establish direct obligations on all companies and
organisations regarding ICT security questions. Other regulations do not directly lay down
obligations on security matters, but impose on their target audience the need to adopt the
measures necessary to guarantee the security of their information systems, with the goal
of being able to fulfil the legal obligations imposed on them.
These legislative and regulatory obligations have led to an increase in the demand for ICT
security (products, services and professionals). In Spain, the Organic Law on Data
Protection has had a tremendous impact, principally due to the fact that it is a law whose
application affects practically every company in the country. The sector has also felt the
effect of the Sarbanes-Oxley Act, given that, although it is US legislation, those obliged
to comply with its provisions include any foreign company with headquarters in the United
States. This has resulted in ICT security solutions designed to comply with this law being
consumed in Spain.
In addition, there also exist specific regulations for certain sectors. The banking sector
accounted for a tremendous boost in ICT security as a result of the compulsory adoption
of the PCI Data Security Standard 24 (PCI DSS), a regulation that must be fulfilled by any
business that stores, processes and/or transmits credit/debit card information. In short,
regulatory compliance would appear to be a key aspect in furthering the implementation of
ICT security on a large scale and acting as a stimulation factor for the market.
Apart from regulations of a general nature, as is the case with sectorial regulations in the
private sector, there exists a series of rules that bolster security requirements in specific
areas of the Administration which need greater protection for their information systems. As
an example, we could mention all the provisions relating to the Tax Administration, with
detailed requirements regarding the security of electronic payments, the presentation of
tax declarations or furnishing information to the fiscal authorities.
The legal provisions may be grouped into four categories: rules that protect rights related
to information security; rules that establish obligations on security matters; rules that
provide legal safeguards in the provision of services related to ICT security; and rules that
establish security obligations specifically for the public administrations.
Moreover, we must stress the importance held in the regulatory field by standards and
certification, acting as they do as efficient mechanisms for promoting good practices. Self-
regulation through user agreements also plays an important role in disseminating and
furthering good ICT security practices.
24 Payment Card Industry.
This whole regulatory security structure constitutes an important advance in the process
of guiding companies and institutions along the difficult road towards an adequate
implementation of ICT security policies.
As regards legal protection, the Penal Code establishes criminal sanctions for the most
serious misconduct, such as those that violate personal privacy or the privacy of personal
data, or those that constitute fraud, performed utilising the new technologies. Moreover,
the law covers activities that cause deliberate damage to the information or computer
systems of others, corporate espionage carried out using the new technologies or
illegitimate access to pay television services or suchlike.
In the same fashion, there also exist civil protection measures, consisting of sanctions and
protective measures, for less serious misconduct that does not constitute a criminal
offence. A noteworthy aspect in this area is the legislated protection of intellectual
property, which regulates aspects such as the protection of computer program copyright
issues, conceding to the holder the exclusive rights over its use, or the protection of
technological measures and information for rights management, duly sanctioning any
conduct that infringes upon these protected rights.
Insofar as the rules that establish direct security obligations are concerned, standing head
and shoulders above the rest is the Personal Data Protection Act. This law is undoubtedly
the regulatory framework that has had the most direct impact on the development of the
ICT security market in Spain, establishing as it does a whole series of provisions covering
the security of computer files that contain personal data, which must be fulfilled by all
public entities (Administrations) and private entities (save individuals in their personal or
domestic activities) who hold the said files.
The broad sweep of this Personal Data Protection Act has provided a tremendous
impetus for the market offering security solutions. This has affected many different
elements of the value chain, e.g. hardware equipment and systems manufacturers, the
development of computer applications, systems integration, support and maintenance
services, consultancy and the implementation of procedures or security auditing services.
Electronic invoice
In this same area, we should mention the legal provisions related to the introduction of the
electronic invoice for companies or professionals. Although the use of the electronic
invoice in the relations between private parties is voluntary, those who decide to make use
of it must guarantee basic aspects related to the security of the same, such as the
authenticity of the source and the integrity of its contents, by means of an electronic
signature or the fulfilment of security and accessibility requirements that deal with the
conservation of the electronic invoices. The exchange of electronic invoices with the
Administration is subject to additional security requirements. This is therefore another
widely applicable regulatory framework which affects all those who issue or receive
invoices.
Particularly worthy of mention, given its importance, is the Law on Measures to Promote
the Information Society. The law obligates all companies which provide the general public
with particularly significant economic services to provide their users with a telematic
communication channel, so that they may perform any of the different procedures they
may require: online contracting of services, supplies and goods; consultation of their
customer details; the presentation of complaints, incidents, suggestions and, where
appropriate, claims; and exercise of their rights of access, rectification, opposition and
cancellation, in keeping with the provisions of the regulatory dictates on the protection of
personal data. To this end, it imposes on these companies the obligation to guarantee
security through the use of duly recognised electronic signature certificates.
The Law on Measures to Promote the Information Society likewise makes it obligatory to
employ electronic invoicing within the context of contracts with the state public sector. For
this purpose, the electronic invoice will be an electronic document which fulfils the
demands required of invoices and which, in addition, guarantees the authenticity of its
sources and the integrity of its contents, thus preventing the issuer from disowning the
invoice. In addition, it is envisaged that the electronic invoice will be used in other
communications between citizens and the Administration, such as proving eligibility for
state benefits and subsidies.
This law has also introduced obligations relating to security information. It obliges
Internet service providers (ISPs) to inform their customers, free of charge and in an
ongoing, direct and straightforward manner, about the technical means available for
raising the level of information security: protection against computer viruses and
spyware, and restriction of unsolicited email (spam). They must also inform their
customers about the tools that exist for filtering and restricting access to certain
undesirable Internet content and services, or content that could be harmful to minors.
Users must likewise be warned of the legal liability they may incur by using the Internet
for illicit purposes, in particular by committing criminal offences or infringing
intellectual and industrial property legislation.
The principal instrument in this area is the Electronic Signature Act, which has
established a stable regulatory framework and so enabled the development of security
solutions based on the electronic signature in different fields (e-Administration,
electronic invoicing, etc.). It has also laid down the basic conditions governing the
activity of electronic signature service providers, thus establishing a framework for the
development of this segment of the ICT security market. The fundamental point of the
regulation is that it gives the electronic signature the same legal value as a
handwritten signature whenever it is used under certain conditions and meets particular
security requirements.
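The guarantees that the text attaches to the electronic invoice and to the electronic signature (authenticity of origin, integrity of content, and the impossibility of the issuer disowning the document) all rest on one mechanism: a hash of the document is signed with a private key that only the issuer holds, and anyone holding the matching public key can check it. The following Python block is an added example, not code from the INTECO study or from any Spanish e-invoicing system. The invoice fields are constructed, and the RSA key pair is a demo-only pair built from two Mersenne primes so that the block runs on the standard library alone; a real signature uses a properly generated key bound to a recognised certificate, as the law requires.

```python
import hashlib
import json

# Demo-only RSA key pair built from two Mersenne primes so the example runs on
# the standard library alone. A modulus like this is trivially factorable; in
# practice the signing key is generated properly and bound to a recognised
# electronic signature certificate, as the law requires.
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8           # modulus length in bytes


def canonical(invoice: dict) -> bytes:
    """Serialise the invoice deterministically (sorted keys, no whitespace) so
    the hash covers its content rather than one encoder's formatting."""
    return json.dumps(invoice, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def _encode(digest: bytes) -> int:
    """PKCS#1 v1.5-style padding (without the DigestInfo prefix):
    00 01 FF..FF 00 <digest>, exactly K bytes, so the integer is below N."""
    ps = b"\xff" * (K - len(digest) - 3)
    return int.from_bytes(b"\x00\x01" + ps + b"\x00" + digest, "big")


def sign_invoice(invoice: dict, d: int = D, n: int = N) -> bytes:
    """Hash-then-sign: only the holder of d can produce this value, which is
    what stops the issuer from later disowning the invoice."""
    digest = hashlib.sha256(canonical(invoice)).digest()
    return pow(_encode(digest), d, n).to_bytes(K, "big")


def verify_invoice(invoice: dict, signature: bytes, e: int = E, n: int = N) -> bool:
    """Anyone holding the public key (e, n) can check origin and integrity."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    digest = hashlib.sha256(canonical(invoice)).digest()
    # Recompute the whole padded block and compare it in full; checking only
    # the trailing hash bytes would accept malformed padding.
    return pow(s, e, n) == _encode(digest)


# Constructed invoice for the example
INVOICE = {
    "number": "2009/000123",
    "issuer": "ES-B00000000",
    "recipient": "ES-S0000000X",
    "date": "2009-03-10",
    "total_eur": "1210.00",
}

if __name__ == "__main__":
    sig = sign_invoice(INVOICE)
    print("valid:", verify_invoice(INVOICE, sig))
    tampered = dict(INVOICE, total_eur="121.00")
    print("tampered valid:", verify_invoice(tampered, sig))
```

Two points the code makes that the legal text leaves implicit: the signature is only as strong as the canonical form of the document (if two encoders serialise the same invoice differently, verification fails on a genuine invoice), and verification needs nothing the issuer keeps secret, which is what makes the non-repudiation claim checkable by the recipient and by a court.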
A second point of reference, when considering regulations that help to generate trust in
the ICT security market, is the Spanish Evaluation and Certification System for
Information Technology Security. This provides a national scheme under which
manufacturers of IT products or systems who so wish can have the security of their
products certified and so enhance the trust users place in this type of solution. The
system regulates two basic aspects. First, it establishes the requirements that
evaluation laboratories must satisfy and the procedures for their accreditation. Second,
it regulates the procedures for certifying products and systems, together with the
criteria and methodologies used to evaluate their security.
The Law on Electronic Access for Citizens to the Public Services regulates the basic
aspects of the use of Information Technologies in administrative processes between
Public Administrations, and in their relations with citizens. The law sets out a series
of requirements for the secure use of ICT in this area. It obliges all Administrations
to ensure the availability, access, integrity, authenticity, confidentiality and
conservation of the data, information and services they handle in the performance of
their duties, and to create conditions of trust in the use of electronic communications,
implementing the measures needed to preserve fundamental rights, in particular those
relating to privacy and the protection of personal data, by guaranteeing the security of
systems, data, communications and electronic services.
Likewise, the rights of citizens include that of obtaining and using electronic signature
systems, in particular the electronic ID card, in their relations with the Administration.
Finally, given its importance, the creation of the National Security Scheme, within the
field of cooperation between Administrations, must be underscored. The purpose of the
NSS is to establish a security policy for the use of electronic media within the scope of
the law. It comprises the basic principles and minimum requirements that allow
information to be adequately protected.
The Administration boosts the ICT security market and offers it stability through public
purchases of ICT security solutions. Apart from representing a significant volume,
demand from the public sector, within the framework of its major public contracts, gives
solution-provider companies the setting in which to develop innovative solutions, which,
given the very nature of the security sector, are extremely costly and generally take a
long time. In this way, favourable conditions are created for innovation and the
development of new products, which then benefit other companies and users in general.
The adoption of secure ICT solutions by the Administration also helps to bolster the
confidence of citizens and the private sector in these technologies and has a powerful
“tractor effect”, encouraging companies and citizens to use them in their dealings with
the Administration. Nonetheless, the adoption of ICT security is not reflected in the
periodic reports on the use of Information and Communication Technologies drafted by
the Administration, which severely hinders any monitoring of the efforts made to acquire
more secure technologies. The REINA and IRIA reports, for example, offer a
comprehensive review of the situation of ICT in the State Administration, yet barely
refer to security.
Most noteworthy within this area, apart from the consumption of ICT security solutions
specifically designed for the defence sector, are certain emblematic projects involving
security solutions, such as those developed for the health and justice sectors or for the
Tax Administration.
Health
The various public administrations are all developing projects to implement ICT in the
health sector, among them electronic health cards, online medical appointments,
electronic medical records and electronic prescription systems. All of these projects,
particularly the last two, require major investment and call for the highest level of
security, given the demand for maximum confidentiality in the processing, access and
storage of medical and health data, which the Data Protection Act grants the highest
level of protection. These major projects affect the whole value chain of the ICT security
market: from the equipment and systems that store patient data, through the protection
of communications systems, to access control by means of electronic signature systems
and the development and implementation of appropriate procedures and certification
and security control services.
Justice
Here, too, we could mention the justice system modernisation programmes and the
implementation of e-Administration in this area, where the underlying problems, as
regards data protection, are similar to those outlined for projects in the health sector.
Tax Authorities
Finally, we cannot fail to mention the example of the Tax Authorities, pioneers in Spain
in the use of the electronic signature for communications between citizens or companies
and the Administration, and in the development of e-Administration services for such
sensitive matters as the payment of taxes and the fulfilment of fiscal obligations.
In order for ICT security systems and services to really take off and become widespread
throughout Spanish society and business, it is vital to be able to count on “tractor”
projects with great pulling power, which facilitate interoperability and offer a
recognisable framework that generates trust among users.
Among such projects, special mention must be made of the creation of the electronic ID
card (eDNI), which allows new, enhanced services to be implemented with an adequate
level of security, building on a document already familiar to the general public.
“The goal of the eDNI is to facilitate the incorporation of citizens into the Information
Society, providing them with a trustworthy identity on the Internet. It is also designed to
boost the development of administrative and commercial relations and, thirdly, to make it
truly possible for the right to a legal personality to be recognised on the Web, as
proclaimed in Article 6 of the Universal Declaration of Human Rights: Everyone has the
right to recognition everywhere as a person before the law” [25]. The electronic ID card
constitutes a universal identification and signature element in the electronic world,
offers a legal guarantee, and is a document practically the whole population is
accustomed to using.
From a legal standpoint, the Electronic Signature Act determines that the eDNI is the
national identity document that electronically accredits the personal identity of its holder
and permits documents to be signed electronically. All natural or legal persons, public or
private, will recognise the effectiveness of the electronic national identity document for
accrediting the identity and other personal data of the holder stored thereon and for
accrediting the identity of the signatory and the integrity of the documents signed with the
integrated electronic signature devices. This instrument proves very effective for bringing
ICT security closer to Spanish citizens and, in addition, provides a suitable structure upon
which to develop new security services within Spanish industry.
The project to develop and implement the eDNI is accompanied by the complementary
electronic ID card Programme within Plan Avanz@, which entails carrying out activities
aimed at disseminating, training, developing adapted digital services, deploying
infrastructure and providing equipment so as to ensure the successful rollout of the
electronic ID card.
[25] Sánchez, C. (2006), The Key to Security, IV Ceres Conference. Quoting Víctor García, Director General of the Police.
Security has become an increasingly important question for Internet users. The
development of the Information Society and the progressive use of ICT products and
services will only prove possible if a suitable climate of confidence is created.
In this sense, the Administration plays an important role in promoting and raising
awareness within the ICT sector in general, and the ICT security area in particular. For
instance, we could mention the support programmes for R&D&I or dissemination,
awareness and training programmes for certain aspects of ICT security.
Within the field of activities designed to promote and generate e-trust, Plan Avanz@
includes an information security programme. This programme envisages dissemination
actions, alert management, security consultancy, the development of digital services
adapted to the electronic ID card, and studies that help to spread knowledge of ICT
security [26]. The principal concrete actions envisaged under Plan Avanz@ are detailed
below.
INTECO-CERT, which started out in 2006, serves to support the development of the
national industrial fabric and boost the confidence of users in the Internet and ICT,
through the provision of the classic services of an Incident Response Centre. Thus, it
offers reactive solutions to computer incidents and prevention services in the face of
possible threats, as well as information, awareness and training services on security
issues for Spanish SMEs and private citizens. Throughout the process of defining and
creating the INTECO-CERT, the guidelines proposed by ENISA (European Network and
Information Security Agency) were strictly followed.
The response centre therefore arose as a public initiative with the following objectives:
• Act as a liaison between the needs of SMEs and citizens and the solutions on offer
from firms within the Information Technology security sector.
[26] Secretary of State for Telecommunications and the Information Society (2005), Plan 2006-2010 for the development of the Information Society and Convergence with Europe by Spain’s Autonomous Communities and Cities.
This centre complements other public CERTs in Spain, such as the CERT of the National
Cryptology Centre (CCN-CERT) and IRIS-CERT (maintained by Rediris-Red.es and aimed
primarily at the scientific community).
In this manner, the Information Security Observatory has become the centre of reference
for analysing and monitoring information security, ICT and trust in the Information
Society in Spain.
To this end, it undertakes research, analysis, study, consultation and informative work
with a view to describing, analysing, advising on and disseminating the culture of
information security and e-trust within the Information Society.
In order to complete its twofold mission of assessing and diagnosing, while spreading the
idea of a culture of information security among citizens, companies and administrations,
the Observatory has drawn up a Study and Activities Plan, within which actions are taken
to fulfil the following strategies, among others:
• Monitor the principal indicators and public policies related to information security
and trust on both the national and international stage.
• Generate a database that allows for an ongoing analysis and evaluation of security
and trust over time.
• Disseminate studies and reports published by other entities and agencies, both
national and international, as well as information on the current domestic and
European state of security and trust within the Information Society.
• Support the preparation, monitoring and evaluation of public policies in this area.
The creation of the Observatory reflects the growing importance that must be afforded to
diagnosing and measuring progress. This work enables the public sector to design
suitable public policies, both reactive and preventive, as well as monitor the actions
undertaken and evaluate their impact, thus being in a position to continuously assess and
improve the services provided in such a fast-changing sector as that of the new
technologies. At the same time, it enables the private sector to adapt its offer to meet the
needs and niche markets identified.
This initiative was born out of the desire to foster and further the use of information
security technologies among Spanish SMEs, which represent over 90% of the domestic
business sector. It aims to achieve three objectives:
This service has the goal of giving citizens who browse the Web the confidence they need
to deal with any security incidents that may affect them. This free service offers
specialised advice and guidance on doubts or incidents related to security on the
Internet. Where required, it puts users in contact with the Spanish security forces in
order to facilitate the handling of incidents that may involve computer crime or fraud.
Moreover, through promotion campaigns for the different services offered on various
channels, it will boost the detection and reporting of new online threats, frauds and scams,
as well as any other kinds of attacks on ICT security. Likewise, it will provide citizens with
the necessary information and advice on legal issues regarding the Internet and related
technologies.
In 2007, when INTECO was entrusted with the task, the SETSI initiated a series of
promotional activities designed to spread the word and awareness of the benefits of
implementing an Information Security Management System (ISMS), including, in
collaboration with the Chambers of Commerce, the organisation of informative symposia
and the editing of manuals, guides and other documentation.
In addition, it offers consultancy services whose prime goal is to respond to the demand
and interest generated by the dissemination and awareness campaigns. The plan includes
support and consultancy for: a diagnostic analysis of the information systems in place,
of the existing security risks and of the solutions and tools that may be incorporated;
adapting to the technical regulations in force for information security management
systems; and certifying a security management system.
Within the field of R&D&I and training, apart from the above initiatives that form part of
Plan Avanz@, we could mention other significant public initiatives. The following by no
means constitute a comprehensive list.
This programme offers public subsidies for R&D&I programmes, with specific grants for
ICT security projects.
This programme supports training programmes targeted at both ordinary citizens and
professionals and companies, on ICT subjects in general, including training in security.
8 RECOMMENDATIONS
ICT security is a sector of activity full of possibilities. Spain, which has a significant
security industry and some pioneering public policies, has the opportunity to boost the
development of a sector with a bright future. Success requires making the most of the
sector's capabilities and of public policy. Optimising stimulating factors and minimising
or eliminating inhibiting factors calls for initiatives and activities in which public and
private efforts come together. The following points are a few ideas in this direction.
Throughout this document, we have referred to the existence of important shortfalls in the
data available on the ICT security market in Spain. Taking actions designed to foster and
boost the ICT security sector in Spain requires, first of all, tackling the absence or
dispersion of the necessary information.
The sources of information and the statistics currently available are not sufficient, from the
viewpoint of undertaking a diagnosis of both the supply and the demand. The efforts that
have been made in the public sector are quite recent and have centred fundamentally on
diagnosing the demand for security, with respect to certain user profiles (citizens, SMEs
and Local Administrations).
In particular, the specific actions to be taken would be the following:
a) Regularly obtaining and processing demand data that are not yet available, namely
demand data for public administrations, large companies and, above all,
micro-companies. An adequate mechanism for obtaining these data would probably be
collaboration between entities and organisations with similar interests: the Ministry of
Public Administrations, the Autonomous Communities, large companies that consume
security products, foundations, SME associations, etc.
b) Obtaining and processing data on the supply of security products. Here it would seem
wise to seek agreements with the most relevant sectoral associations in the ICT security
sector, in order to compile data on their member companies, or with major providers of
ICT security services. Additional tools or instruments should also be used, such as the
catalogue of ICT security companies the public sector is currently preparing.
c) Drafting an annual report on the ICT security market. The actions outlined above
would allow all the available information to be compiled in an annual report that
monitors the progress of both public and private projects.
The use of standards and certification stamps provides companies with a model for
starting up ICT security initiatives, promoting as they do the observance of codes of good
practice and ensuring compliance with legal obligations.
Likewise, we cannot fail to mention the need to support companies on their way to
implementing ICT security corporate governance, encouraging the use of technological
tools, the dissemination of adequate security procedures and training for the human
resources required.
The creation of a National ICT Security Strategy – which focuses all efforts on the target
of boosting the use of standards and certifications, and the dissemination of good
practices – could provide an important impetus to the development of the ICT security
market in Spain.
8.3 Actions designed to boost demand for ICT security in the public
administrations
An inhibiting factor that severely puts the brakes on the ICT security market is the poor
perception of the value of ICT security on the part of both companies and end users. The
public administration itself, when acting as a purchaser, on occasions shows a lack of
perspective on the specific value of security. One point that must be underscored is that
public tenders generally give insufficient weight to security products and services
(except in those projects that may be considered exceptional because security is their
essential feature), with the result that these are often incorporated into, or lumped in
with, other services.
Hence the clear need for this first recommendation, aimed specifically at the public
sector: to use suitable mechanisms to increase the weight given to ICT security elements
in public procurement.
In this same direction, and as a specific recommendation for those public purchases
related to innovation or with a special ‘tractor’ capability, it would be necessary to initiate
dialogue with the sector so as to be able to encourage planning and adequate
management of public procurement, especially where a high degree of R&D&I is involved.
Thus, any interested companies could orient their investment and efforts towards
producing the services and products the public sector demands.
In relation to the above recommendations, it would appear necessary to increase the trust
and confidence, both at a technical and legal level, of public purchasers of services or
products closely linked to ICT security, insofar as they may feel that the lack of
specifications or standards in this area could entail a certain degree of “risk” for the
success of a project based on, or with a significant role played by, ICT security. The State
must not only purchase in a planned manner, it must – fundamentally – generate
standards and tractor projects to lay the foundations for the ICT security sector in our
country.
In this sense, it is essential that the competent agencies within the public sector should
strive to define those technical and legal requirements deemed to be the absolute
minimum for ensuring the security of certain projects (for example, access to databases or
connections between the databases of different public organisations, access to web
services, etc.). In certain cases, it could prove necessary to make some specific statutory
modification; in others, all that would be needed is a development or specification of the
legal requirements in force, or to introduce the desired specifications or standards in
bidding forms or model clauses.
8.4 Actions designed to boost demand for security in SMEs and homes
With regard to the above, and more directly aimed at consumers, it appears necessary to
create or enhance the security culture by means of specific campaigns. In this case, the
determining role of the public sector is evident, without prejudice to the support and
reinforcement it may receive from similar private initiatives.
The public sector must advance decisively in this determining role, e.g. within the
awareness campaigns, by offering free access to certain basic security products or
services to companies and citizens – and even to other Administrations – through the
CERT.
On the basis of these services, once the security culture has been created or generated, it
will be up to the private sector to offer attractive services, adequately managed to serve all
kinds of companies, in particular the SMEs, over and above the services offered free of
charge by the Administrations. The market must prove capable of providing the SMEs with
suitable managed security services.
b) Oversee compliance with the regulations that impose specific obligations within
the field of ICT security
At this moment in time, at least within the European Union, we have been unable to
identify any more far-reaching regulations, in addition to those already in force in Spain,
which impose, or could impose in the short term, further obligations on security matters. In
this sense, this recommendation is geared more towards ensuring that the regulatory
measures already in force are adequately implemented and fulfilled, rather than
suggesting the need for, and imposing, new obligations in the field of ICT security.
The laws must be backed by subsequent projects that facilitate their implementation. It
is essential that, together with the law, there be a drive to launch products and services
on the market that make compliance easier. Instruments such as guides or suitable
consultancy services must be considered right from the start. At all costs, we must avoid
the perception that the security laws are difficult to implement.
Given that the domestic ICT security market is relatively small, special attention must be
placed on promoting internationalisation plans for the leading companies in ICT security
technology, so that they can compete effectively in other markets, designing specific
programmes for this kind of company, in a similar fashion to what already happens in
other sectors.
Likewise, we have identified that the lack of proper training in ICT security is yet another
encumbrance or inhibiting factor slowing development of the sector. Thus, the importance,
as a general recommendation, of developing adequate training and specialisation policies.
c) Promote and facilitate financing for the most innovative ICT security firms
The experts believe that in the security sector, just as in other sectors of the economy,
companies should be given easier access to financing, particularly in the initial stages,
precisely when this need is, on the one hand, most critical and, on the other, hardest to
meet.
In the case of ICT security, given that this is a sector which requires significant investment
in R&D&I and is still in a phase of relative immaturity and rapid growth, the question of
company financing is a particularly pressing need. While these problems do not
exclusively affect this sector, it is worth mentioning the fact that the risks associated with a
very rapidly evolving market, which offers significant business opportunities, demand that
the finance instruments be readily adapted to suit the realities of the companies and the
market.
It would therefore seem a good idea to study the possibility of finance being made
available using venture capital, along the lines of similar nationwide or regional
programmes targeting the financing of technological companies in their initial phases.
An important factor for boosting the sector is deemed to be encouraging R&D&I work from
the public sector, as well as from the private sector. This must be one of the prime
recommendations to be adopted by both sectors.
The public sector must bring its financing policies for R&D&I on ICT security issues into
line with planning for its own demand (public procurement), so that the investment may
prove to be effective and contribute towards developing the market. It is thus essential
that, at the same time, there exists strategic planning of the different ICT security needs
within the public administrations.
I. Security Hardware
Security devices
• Firewall/VPN devices.
Authentication hardware
The authentication elements constitute an important segment within the identity and
access management market. These elements comprise the tools necessary to perform
this management work:
• USB authentication elements: devices which are connected to a USB port on the
computers.
II. Security Software
Security software includes a wide range of technologies employed to enhance the
security of computer equipment, information systems, communications, networks and
electronic transactions. It is used to ensure their confidentiality, integrity, privacy and
availability.
Identity and access management
This covers the whole set of solutions used to identify users in a system (employees,
clients, etc.) and control their access to resources within the system, by establishing
rights and restrictions according to the profile of the identity in question.
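The two halves of that definition, identifying the user and then applying the rights and restrictions attached to the user's profile, are shown in the following Python block. It is an added example, not code from the study or from any product: a constructed user store with salted PBKDF2 password hashes for the identification step, and a deny-by-default check in which each profile (role) carries a set of (resource type, action, scope) rights, with scope "own" restricting a right to the records the user owns. User names, passwords, roles and rights are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def _make_record(password: str, roles: frozenset) -> dict:
    salt = os.urandom(16)  # per-user salt, stored next to the hash
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}


# Constructed user store; the plaintext passwords appear here only to build it
USERS = {
    "ana":   _make_record("ana-password-1", frozenset({"employee"})),
    "bruno": _make_record("bruno-password-2", frozenset({"account_manager"})),
    "carla": _make_record("carla-password-3", frozenset({"auditor"})),
}


@dataclass(frozen=True)
class Identity:
    name: str
    roles: frozenset


def authenticate(username: str, password: str):
    """Identification step: returns an Identity, or None on any failure."""
    rec = USERS.get(username)
    if rec is None:
        # Do the same amount of work for an unknown name so that user
        # enumeration by response time is not trivial
        _hash_password(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"])):
        return None
    return Identity(username, rec["roles"])


# Access-control step: rights and restrictions attached to each profile (role)
# as (resource type, action, scope). Scope "own" limits the right to records
# the user owns; "any" covers every record of that type. Constructed policy.
ROLE_PERMISSIONS = {
    "employee":        {("customer_record", "read", "own")},
    "account_manager": {("customer_record", "read", "any"),
                        ("customer_record", "write", "own")},
    "auditor":         {("customer_record", "read", "any"),
                        ("audit_log", "read", "any")},
}


def is_allowed(identity, action: str, resource_type: str, owner: str) -> bool:
    """Deny by default: allow only when some role of the identity carries a
    matching right whose scope covers this particular record."""
    if identity is None:
        return False
    for role in identity.roles:
        for r_type, r_action, scope in ROLE_PERMISSIONS.get(role, ()):
            if (r_type, r_action) != (resource_type, action):
                continue
            if scope == "any" or owner == identity.name:
                return True
    return False


def access(username: str, password: str, action: str,
           resource_type: str, owner: str) -> bool:
    """Whole path: identify the user, then decide the request."""
    return is_allowed(authenticate(username, password), action, resource_type, owner)


if __name__ == "__main__":
    print(access("ana", "ana-password-1", "read", "customer_record", "ana"))      # True
    print(access("ana", "ana-password-1", "read", "customer_record", "bruno"))    # False
    print(access("bruno", "bruno-password-2", "read", "customer_record", "ana"))  # True
    print(access("carla", "wrong-password", "read", "audit_log", "system"))       # False
```

The design choice worth copying is that nothing in the decision path ever returns True unless a concrete right matches: an unknown user, an unknown role, a mistyped action or a record outside the user's scope all fall through to the same denial, which is what least privilege looks like in code.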
Threat management
Threat management includes solutions that constantly monitor network traffic or the
activity of an application in order to detect malicious activity or enforce the defined
security policies. Once a security violation is detected, these tools are designed to limit
the scope of the attack on the monitored network. Threat management combines two
families of products: firewalls, and intrusion detection and prevention software.
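A minimal instance of what that definition describes, as an added example that is not code from the study or from any product: a detector that reads constructed connection records, raises a policy violation when a forbidden port is reached (the firewall side), raises a port-scan alert when one source touches many distinct ports within a short window (the intrusion-detection side), and then mitigates by dropping further traffic from that source. The record format, the port policy, the threshold and the window are all assumptions of the example; the addresses are taken from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed record format of the monitored traffic (one connection per line)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

# Firewall-style policy (assumed): inbound telnet and SMB are not permitted
FORBIDDEN_PORTS = {23, 445}
# Intrusion-detection heuristic (assumed): this many distinct destination
# ports from one source within the window counts as a port scan
SCAN_THRESHOLD = 5
SCAN_WINDOW = 10.0  # seconds


def parse_flow(line: str):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc).timestamp()
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"]}


def analyse(lines, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """Run every record through policy and scan checks; a source that trips
    the scan rule is blocked and its later records are dropped (mitigation)."""
    alerts, blocked, dropped = [], set(), 0
    recent = defaultdict(deque)  # src -> (timestamp, dport) inside the window
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            # Unparseable input is itself worth an alert: a monitor that
            # silently skips records can be blinded by malformed traffic
            alerts.append(("unparsed", line.strip()))
            continue
        src = flow["src"]
        if src in blocked:
            dropped += 1
            continue
        if flow["dport"] in FORBIDDEN_PORTS:
            alerts.append(("policy", src, flow["dport"]))
        q = recent[src]
        q.append((flow["ts"], flow["dport"]))
        while q and flow["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold:
            alerts.append(("portscan", src, distinct))
            blocked.add(src)
            q.clear()
    return {"alerts": alerts, "blocked": blocked, "dropped": dropped}


# Constructed traffic records for the example (RFC 5737 documentation addresses)
SAMPLE_FLOWS = """\
2009-03-10T10:00:01 src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2009-03-10T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2009-03-10T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2009-03-10T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2009-03-10T10:00:04 src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2009-03-10T10:00:05 src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2009-03-10T10:00:06 src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2009-03-10T10:00:07 src=203.0.113.7 dst=192.0.2.11 dport=8080 proto=tcp
this line is not a connection record
""".splitlines()

if __name__ == "__main__":
    result = analyse(SAMPLE_FLOWS)
    for alert in result["alerts"]:
        print("ALERT", alert)
    print("blocked:", sorted(result["blocked"]), "dropped:", result["dropped"])
```

On the sample traffic the second source hits port 23 (a policy alert), reaches its fifth distinct port within the window (a port-scan alert) and is blocked, so its next connection is dropped rather than inspected; the legitimate repeat visits to port 443 from the first source raise nothing. A real product differs in scale and in where it sits on the network, not in this basic loop of parse, match against policy, match against a behavioural threshold, and act.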
Vulnerability management
Other security software
This includes emerging security functions that do not fit well into any of the previous
categories. The areas included under other security software are: encryption tools,
database security, storage security, VPN clients, wireless security, web security
services and secure operating systems.
III. Security Services
Security services cover all those activities necessary to plan, design, build and manage
the security of a company's network infrastructures, processes, programs and
information.
Security planning
Implementation of security
The implementation of security is dominated by system integrators and resellers who offer
security implementation services as part of a comprehensive systems implementation
project. There exists a large number of providers specialising in particular security
technologies. Consultancy companies do not generally get involved in technological
aspects and so they leave this implementation to the systems integrators.
LIST OF GRAPHS
Graph 10: Percentage of companies with security executives (CSO, CISO, CPO) (p. 35)
Graph 12: Percentage of companies which have implemented security tools (p. 36)
Graph 13: Percentage of companies who manage a business continuity plan (p. 37)
Graph 14: Forecasts for the security software market (€ millions) (p. 42)
http://www.inteco.es
http://observatorio.inteco.es