D4.4 Report on Cost-Benefit Analysis of Cyber-security Solutions, Products and Models
Work Package 4: Cyber-security, Cyber-crime Market and Regulatory Analysis
Document Due Date: 31/10/2018
Document Submission Date: 03/12/2018
Document Dissemination Level:
☒ P: Public
☐ CO: Confidential, only for members of the Consortium (including the Commission Services)
This work is performed within the SAINT Project – Systemic Analyser in Network Threats – with the support of the European Commission and the Horizon 2020 Program, under Grant Agreement No 740829
Copyright SAINT Consortium. All rights reserved.
Document Information
Deliverable number: D4.4
Deliverable title: Report on Cost-Benefit Analysis of Cyber-security Solutions, Products and Models
Deliverable version: 1.0
Work Package number: 4
Work Package title: Cyber-security, Cyber-crime Market and Regulatory Analysis
Due Date of delivery: 31/10/2018
Actual date of delivery: 03/12/2018
Dissemination level: Public
Editor(s): Theodoros Rokkas, Ioannis Neokosmidis, Dimitris Xydias (INCITES)
Contributor(s): Bryn Thompson, Jart Armin (CYBERDEFCON)
Reviewer(s): Montes de Oca (MNTMG), Yannis Stamatiou (CTI)
Ethical advisor(s): Christina Chalanouli (KEMEA)
Project name: Systemic Analyser in Network Threats
Project Acronym: SAINT
Project starting date: 1/5/2017
Project duration: 24 months
Rights: SAINT Consortium
Version History
Version Date Beneficiary Description
0.1 20/10/2018 INCTS First Draft
0.2 25/10/2018 CYBE Description of cyber security products
0.3 28/10/2018 INCTS Description of framework, methodology and major sources
0.4 31/10/2018 INCTS Version sent for review
0.5 10/11/2018 CITE, MNTMG Comments from reviewers
0.6 22/11/2018 CYBE, INCTS Comments from reviewers addressed
0.8 28/11/2018 KEMEA, NCSRD, CYBE Security monitoring completed
0.9 01/12/2018 KEMEA Ethical monitoring and editorial review completed
1.0 03/12/2018 NCSRD, INCTS Final version
Abbreviations and Acronyms
ACRONYM EXPLANATION
AI Artificial Intelligence
CAPEX Capital Expenditures
CBA Cost Benefit Analysis
CTI Cyber Threat Intelligence
ESG Enterprise Strategy Group
IDPS Intrusion Detection and Prevention Service
IDS Intrusion Detection Systems
IR Incident Response
IT Information Technology
NPV Net Present Value
OPEX Operational Expenditures
SIEM Security Information and Event Management
SIM Security Information Market
Table of Contents
1. Introduction
2. Cost-benefit analysis framework and data sources
2.1 Net Present Value
2.2 Sensitivity and Risk analysis
2.3 Methodological Issues
2.3.1 Classification of companies
2.3.2 Number of companies by size, by country
2.3.3 Number of employees by size and by country
2.3.4 Number of individuals using the internet
2.3.5 Hourly labour cost
3. Cyber-security products and solutions
3.1 Cyber security product evolution
3.2 CTI, SIEM and IDPS products, solutions and providers
4. Cost of cyber security
4.1 Cost of cyber security software
4.2 Audit
4.3 Advanced systems
5. Cost of cyber attacks
5.1 Major threats
5.1.1 Malware
5.1.2 Phishing
5.1.3 Spam
5.1.4 Ransomware
5.1.5 Data Breaches
5.2 Cyber Risk profiles
6. Cost-benefit analysis
6.1 Cost of cyber-attacks calculation
6.1.1 Cost per country
6.2 Cost of adopting cyber security products and solutions
6.3 Cost benefit results
6.4 Sensitivity analysis
6.5 Risk analysis
7. Conclusion
8. References
Appendix A - Sensitivity results for various countries
Table of Figures
Figure 2-1: Calculation of number of enterprises by size, by country
Figure 2-2: Calculation of the average number of employees
Figure 2-3: Calculation of the number of individuals that use the Internet
Figure 5-1: Top-15 cyber threats and trends in 2016-17
Figure 5-2: Available malware and number of malware attacks
Figure 5-3: Email statistics forecasts
Figure 5-4: Spam Statistics
Figure 5-5: Percentage of new families of misleading apps, fake AV, locker ransomware and crypto ransomware ([48])
Figure 5-6: Ransomware as a percentage of malware incidents
Figure 5-7: Blocked ransomware infections for consumer vs. enterprise
Figure 5-8: Probability of a data breach involving a minimum of 10,000 and a maximum of 100,000 records, [52]
Figure 5-9: Probability of a data breach over the next 24 months of at least 10k records
Figure 5-10: USA data breaches by industry
Figure 5-11: Number of breach incidents by industry over time
Figure 5-12: Average cost of data breach in M$
Figure 5-13: Records breached and global cost of data breaches
Figure 5-14: Cost per compromised data record
Figure 5-15: Loss categories from cyber-attacks and IT failures
Figure 5-16: Risk profile for large companies
Figure 5-17: Risk profile for SMEs
Figure A-1: Sensitivity results for Belgium
Figure A-2: Sensitivity results for Bulgaria
Figure A-3: Sensitivity results for Czech Republic
Figure A-4: Sensitivity results for Denmark
Figure A-5: Sensitivity results for Germany
Figure A-6: Sensitivity results for Estonia
Figure A-7: Sensitivity results for Ireland
Figure A-8: Sensitivity results for Greece
Figure A-9: Sensitivity results for Spain
Figure A-10: Sensitivity results for France
Figure A-11: Sensitivity results for Croatia
Figure A-12: Sensitivity results for Italy
Figure A-13: Sensitivity results for Cyprus
Figure A-14: Sensitivity results for Latvia
Figure A-15: Sensitivity results for Lithuania
Figure A-16: Sensitivity results for Luxembourg
Figure A-17: Sensitivity results for Hungary
Figure A-18: Sensitivity results for Malta
Figure A-19: Sensitivity results for Netherlands
Figure A-20: Sensitivity results for Austria
Figure A-21: Sensitivity results for Poland
Figure A-22: Sensitivity results for Portugal
Figure A-23: Sensitivity results for Romania
Figure A-24: Sensitivity results for Slovenia
Figure A-25: Sensitivity results for Slovakia
Figure A-26: Finland
Figure A-27: Sensitivity results for Sweden
Figure A-28: Sensitivity results for United Kingdom
Table of Tables
Table 2-1: Classification of companies
Table 2-2: Number of active enterprises by year (2010-2016)
Table 2-3: Forecasted Number of active enterprises by year (2017-2021)
Table 2-4: Percentage mix of total number of enterprises
Table 2-5: Number of micro companies by country
Table 2-6: Number of small companies by country
Table 2-7: Number of medium companies by country
Table 2-8: Number of large companies by country
Table 2-9: Number of companies with zero employees (2010-2016)
Table 2-10: Estimation of number of companies with zero employees (2018-2021)
Table 2-11: Number of micro companies without the ones with zero employees (2018-2021)
Table 2-12: Persons employed per size of companies
Table 2-13: Average Number of employees by company size
Table 2-14: Population by country
Table 2-15: Population in the age group 0-14 as a percentage of the total population
Table 2-16: Percentage of population that have never used the Internet
Table 2-17: Population that uses the Internet (age 14 and greater)
Table 2-18: Hourly labour cost
Table 3-1: Cybersecurity Product Categories
Table 3-2: Cybersecurity Emerging Technologies
Table 3-3: Sample of CTI, SIEM and IDPS providers
Table 3-4: Satisfaction rates in CTI 2018
Table 4-1: Cost categories by enterprise
Table 4-2: Cost of cyber security software for individuals
Table 4-3: Cost of cyber security software for SMEs
Table 4-4: Cost of IDPS systems
Table 5-1: Number of attacks and types of malware
Table 5-2: Phishing threat statistics
Table 5-3: Broad phishing vs. Spear phishing comparison
Table 5-4: Spam email statistics
Table 5-5: Victims of spam email by year 2012-17
Table 5-6: Ransomware threat statistics
Table 5-7: Ransomware attacks statistics
Table 5-8: Record breached by year – global and US-only
Table 6-1: Email traffic
Table 6-2: Threat statistics
Table 6-3: ICT security incidents in Small Enterprises
Table 6-4: ICT security incidents in Medium Enterprises
Table 6-5: ICT security incidents in Large Enterprises
Table 6-6: Individuals who have experienced cyber incidents
Table 6-7: Ransomware statistics
Table 6-8: Cost of attacks
Table 6-9: Time spent to fix problem for each cybercrime victim
Table 6-10: Data breach assumptions
Table 6-11: Cost of cyber-attacks by country
Table 6-12: Annual cost for security software
Table 6-13: Annual cost for security software
Table 6-14: Cost of adopting cyber security products
Table 6-15: Security Product effectiveness
Table 6-16: Cost of cyber-attacks after adopting cyber security products
Table 6-17: Savings after adopting cyber security products
Table 6-18: Savings after adopting cyber security products
Table 6-19: Sensitivity rank
Table 6-20: Risk parameter characteristics
Table 6-21: Risk results
Table 6-22: Probability of negative NPV
1. Introduction
This deliverable presents the methodology that was used and the results derived from the Cost Benefit Analysis (CBA) of cyber security solutions and products. The goal of this report is to form a methodology and adapt it to estimate the costs and benefits of selected cyber security products and solutions. The methodology calculates the direct costs and benefits by enterprise size and also for individuals. The methodology is used to produce results for the EU-28 countries. To model the uncertainty, a sensitivity and a risk analysis are performed for the most crucial parameters.
CBA is a method used to select different policies and make the appropriate decisions. It is an analysis method that compares the balance between cost and benefits of the different alternatives to identify which of the alternatives has an advantage over the others. In this study, the benefits are related closely to the cost avoidance (the costs related with successful cyber-attacks). Net Present Value (NPV) is used to compare the profitability of different scenarios. This method is one of the most popular tools for evaluating capital projects because it reduces the evaluation complexity of each project to a single figure. When it is used to evaluate competing projects, one can compare their NPVs and determine which one is more promising, and, therefore, the better choice to invest in by selecting the one with the higher NPV.
In this deliverable, an ex-ante CBA analysis is performed, trying to identify and quantify the benefits of cyber security products and solutions for different organisation sizes. The cost and allocation of resources depend on the type and size of an organisation, as these affect the necessary investments for Cybersecurity. As a consequence, an important input was the number of companies classified by their size. The study produced results for each of the EU-28 countries for which data was available in a consistent format. Most of the gathered data, such as the required demographics of each country and the number of enterprises according to their size, was collected from Eurostat. Special consideration has been made so that the results are aligned with those from other WPs of SAINT, and especially those of WP2, in which an estimation of the cost of cybercrime for the EU countries was performed.
The deliverable is organized as follows: the second chapter presents an introduction to the cost-benefit framework and the data sources that were used, along with the necessary assumptions and calculations that were made to transform the data into the required format. In the third chapter a description of the different products and solutions along with some initial cost estimations is given. The fourth chapter presents the assumptions that were made for the calculation of the cost of these products and solutions. The fifth chapter presents the major threats that were considered, the assumptions and the calculation of the associated cybercrime cost. The sixth chapter presents the results and the final chapter presents the conclusions.
2. Cost-benefit analysis framework and data sources
In this section we present the cost-benefit principles that were used to create the framework for the upcoming analysis. CBA is a method that is used to select different policies and make the appropriate decisions. It is an analysis that compares the balance between cost and benefits of the different alternatives in order to identify which of these alternatives has an advantage over the others. There are several definitions in the relevant literature applied to different sectors, but for the analysis of cybersecurity products and solutions we will use a more practical approach based on calculating the Net Present Value (NPV) of an alternative compared to the current situation. While CBA offers an informed estimate of the best alternative, perfect estimates of all present and future costs and benefits are difficult to attain and so perfection in terms of economic efficiency and social welfare is not guaranteed.
In this study, the benefits are related closely to the cost avoidance (the costs related to successful cyber-attacks). The NPV is a figure of merit that calculates the difference between the present value of cash inflows and the present value of cash outflows over a selected period of time (usually called the study period). NPV is used to compare the profitability of different scenarios. This method is one of the most popular tools for evaluating capital projects because it narrows down the evaluation complexity of a project to a single figure: the total estimated value of the project, expressed in today's money. When it is used to evaluate competing projects, one can compare their NPVs and determine which one is more promising, and therefore the better choice to invest in, by selecting the one with the highest NPV. In this deliverable an ex-ante CBA analysis is performed, trying to identify and quantify the benefits of cyber security products and solutions for organisations of different sizes. The cost and allocation of resources are modelled according to the size of the organisations, as this has the major effect on the necessary investments for Cybersecurity.
We can distinguish two major categories for the costs associated with the cybersecurity solution: Operational Expenditures (OPEX) and Capital Expenditures (CAPEX). CAPEX are the investments that an organisation uses to acquire, upgrade, and maintain physical assets (for example a new firewall, or an intrusion detection system). These costs benefit the organisation for several years and are usually included in the balance sheet. On the other hand, OPEX are costs that benefit the organisation for a single period and are used for running a product, business, or system (for example costs for annual subscription of a cyber-security software).
The benefits of cybersecurity are directly associated with the cost savings or avoidance resulting from preventing the effects of a successful cyber-attack, the most important of which include data breaches, infections, loss of customer trust, and loss of intellectual property. The optimum for each organisation would be to implement the level of security at which the net benefits (benefits – costs) are at their maximum (since further spending might not have the desired effect due to increasing costs).
The approach that is used is to make a comparison between costs and benefits. Benefits are the cost savings that can be achieved when security products are in place to avoid, minimize or deter cybersecurity incidents. This deliverable aims to investigate the costs (the scenario “without” any cyber security solution in place) and benefits (the scenario “with” a cyber security solution in place) that organisations would potentially experience. Only the direct costs and benefits experienced by the enterprises are considered, while the impacts in other sectors of the economy are not modelled. The study period is four years, specifically the period from 2018 to 2021.
2.1 Net Present Value
Net Present Value (NPV) is a metric for evaluating projects. It assesses the difference between the revenue the investment is expected to generate over its lifecycle and the costs expected to be incurred over the same period, taking inflation into consideration and discounting both future costs and revenues at the appropriate discount rate. To simplify the analysis, we will assume that future costs and benefits occur at the end of each period (calendar year). The NPV can be calculated using the following formula:
∑ ( )
Where:
= The initial investments at the beginning of the study period
= Expected benefits at time period t
= Expected costs at time period t
t= the time period
d= the discount rate
If the calculated NPV is greater than zero, this means that PV (present value) of future benefits exceeds those of the costs; the opposite is true if NPV is less than zero.
2.2 Sensitivity and Risk analysis
The difference between traditional “plain” sensitivity analysis and risk analysis based on Monte Carlo simulation [1] is that the former only reveals what is possible, not what is probable. In traditional sensitivity analysis, a number of variables are selected for the study and they are altered one at a time to measure their individual impact on the final output. Often, what-if scenarios are constructed with different combinations of worst-case and best-case values of each of the variables. Monte Carlo simulation, however, makes it possible not only to assign a probability distribution to each variable (we know that some variables are more uncertain than others) but also to update all the selected variables automatically and simultaneously. Random numbers are generated according to the selected distributions for each of the selected variables for the risk analysis. The simulation therefore calculates a large number (the number of simulation trials is specified by the user) of what-if scenarios. What is more, Monte Carlo simulation also allows us to keep track of the calculations for every change in each variable by measuring their individual impact on the final output. The type of probability distribution assigned to the variables under investigation is based on the variable’s statistical properties.
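The NPV calculation of section 2.1 and the contrast between one-at-a-time sensitivity analysis and Monte Carlo risk analysis described above, as an added example that is not part of the original report. The discounting form (end-of-year net benefits divided by (1 + d)^t, less the initial investment) follows the definitions given in 2.1; every monetary figure, the ±20% spread, the triangular distributions and all function and parameter names are assumptions constructed for illustration.

```python
"""Added example: NPV, one-at-a-time sensitivity and Monte Carlo risk analysis
for a security investment. All figures are constructed, not taken from the report."""
import random
import statistics

STUDY_YEARS = 4  # the report's study period, 2018-2021


def npv(initial_investment, benefits, costs, discount_rate):
    """Discount end-of-year net benefits and subtract the up-front investment."""
    if len(benefits) != len(costs):
        raise ValueError("benefits and costs must cover the same periods")
    if discount_rate <= -1:
        raise ValueError("discount rate must be greater than -100%")
    discounted = sum(
        (b - c) / (1 + discount_rate) ** t
        for t, (b, c) in enumerate(zip(benefits, costs), start=1)
    )
    return discounted - initial_investment


# Constructed base case for one hypothetical enterprise (EUR).
BASE = {
    "capex": 20_000.0,        # initial investment, e.g. an IDPS appliance
    "opex": 6_000.0,          # yearly subscription and running cost
    "annual_loss": 40_000.0,  # expected yearly attack cost "without" the product
    "effectiveness": 0.45,    # share of that loss the product avoids
    "discount_rate": 0.05,
}


def scenario_npv(p, years=STUDY_YEARS):
    """Benefit = avoided attack cost; cost = OPEX; CAPEX is paid up front."""
    benefits = [p["annual_loss"] * p["effectiveness"]] * years
    costs = [p["opex"]] * years
    return npv(p["capex"], benefits, costs, p["discount_rate"])


def sensitivity_rank(base, spread=0.20):
    """Move one parameter at a time by +/-spread and rank by the NPV swing."""
    swings = []
    for name in base:
        low = dict(base, **{name: base[name] * (1 - spread)})
        high = dict(base, **{name: base[name] * (1 + spread)})
        swings.append((name, abs(scenario_npv(high) - scenario_npv(low))))
    return sorted(swings, key=lambda item: item[1], reverse=True)


# (low, mode, high) per parameter. Triangular distributions are an assumption
# of this example; the report picks distributions from each variable's statistics.
RANGES = {
    "capex": (16_000.0, 20_000.0, 24_000.0),
    "opex": (5_000.0, 6_000.0, 7_000.0),
    "annual_loss": (30_000.0, 40_000.0, 50_000.0),
    "effectiveness": (0.35, 0.45, 0.55),
    "discount_rate": (0.03, 0.05, 0.07),
}


def monte_carlo(ranges, trials=20_000, seed=1):
    """Draw every parameter simultaneously and summarise the NPV distribution."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    results = []
    for _ in range(trials):
        draw = {
            name: rng.triangular(low, high, mode)
            for name, (low, mode, high) in ranges.items()
        }
        results.append(scenario_npv(draw))
    negative = sum(1 for value in results if value < 0)
    return {
        "mean_npv": statistics.fmean(results),
        "p_negative": negative / trials,  # probability that the investment loses money
    }


if __name__ == "__main__":
    print(f"Base-case NPV: {scenario_npv(BASE):,.2f}")
    for name, swing in sensitivity_rank(BASE):
        print(f"  {name:<14} NPV swing {swing:>12,.2f}")
    risk = monte_carlo(RANGES)
    print(f"Mean NPV {risk['mean_npv']:,.2f}, P(NPV < 0) = {risk['p_negative']:.4f}")
```

The sensitivity ranking shows which single input moves the NPV most, while the Monte Carlo run turns the same ranges into a probability of a negative NPV, which the one-at-a-time method cannot give.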
2.3 Methodological Issues
The accuracy of the collected data is critical to the successful implementation of the method. The method requires a number of inputs in order to identify costs and benefits for each type of organisation and to forecast them. The main objective is to determine the cost of protection against cyber threats and to calculate the benefits for each organisation according to its size.
One more aspect that should be mentioned is that the cost of cybersecurity solutions and implementations varies between companies depending on their size, the assets they want to protect, and the data they own, amongst other factors. The prices of the different products are not publicly available, as there are usually confidential agreements that provide special discounts. To overcome this obstacle, the cost of cyber security products is modelled as a function of the size of the company, a parameter that drives both the costs of cyber security investments and the costs of a successful cyber-attack. The model that was created calculates the results per company size for each of the EU-28 countries. In a complementary analysis, the costs and benefits for individuals (for each of the countries) have also been calculated. The following sections present the available data and sources, along with the methodology that was used to bring the data into the required format. In the rest of the deliverable the terms ‘companies’ and ‘enterprises’ denote the same type of organisation and are used interchangeably.
2.3.1 Classification of companies
In order to model the costs and benefits of companies of different sizes, this study uses the classification of companies used by the EU Commission [1]. According to it, enterprises are classified into the following categories:
Micro
Small
Medium
Large
The first three categories comprise the Small and Medium Enterprises (SMEs) that are defined as the companies having less than 250 people employed. Table 2-1 presents the criteria for classification that are used for these 4 categories.
Table 2-1: Classification of companies
Company category | Number of employees | Turnover | Balance Sheet total
Micro | 0 to 9 | < €2 Million | < €2 Million
Small | 10 to 49 | < €10 Million | < €10 Million
Medium | 50 to 249 | < €50 Million | < €43 Million
Large | >250 | > €50 Million | > €43 Million
2.3.2 Number of companies by size, by country
Eurostat produces annual structural business statistics that are used to derive the results for each of the EU-28 countries [1]. The main source of information is the number of companies (all sizes) that were active in each country in past years. The available data cover the period from 2010 to 2016 for most of the countries and are presented in Table 2-2. Where data points were missing, they were derived by extrapolation from the available data.
Table 2-2: Number of active enterprises by year (2010-2016)
Country 2010 2011 2012 2013 2014 2015 2016
Belgium 597,850 612,143 620,254 620,192 634,384 642,130 659,387
Bulgaria 323,872 319,937 323,745 327,503 332,800 339,175 347,962
Czech Republic 969,801 989,952 987,609 968,621 1,022,045 1,026,355 1,037,883
Denmark 212,593 218,082 218,078 216,297 217,960 216,458 224,942
Germany 2,958,720 2,985,718 2,997,832 2,972,456 2,818,836 2,795,899 2,801,030
Estonia 70,302 72,178 76,002 79,314 80,473 82,769 85,737
Ireland 195,431 189,055 185,530
238,249 248,843
Greece
777,268 765,974
Spain 3,102,016 3,056,440 3,012,443 2,951,815 2,943,908 2,970,947 3,026,237
France 2,947,623 2,977,599 3,039,203 3,181,072 3,414,614 3,492,052 3,559,026
Croatia
147,798 145,800 146,766 146,129 147,181
Italy 3,985,434 3,970,747 3,953,714 3,904,219 3,846,659 3,819,956 3,849,594
Cyprus 51,464 51,014 51,127 49,361 49,121 50,569 52,325
Latvia 82,650 87,973 93,664 97,023 100,979 110,310 116,393
Lithuania 120,830 131,986 150,855 158,190 177,752 185,954 197,254
Luxembourg 27,611 28,516 29,122 30,223 31,246 31,906 32,391
Hungary 563,368 557,889 524,749 515,925 522,058 531,121 535,507
Malta 33,039 32,824 31,427 30,494 31,841 32,143 32,464
Netherlands 970,457 1,013,255 1,040,751 1,051,429 1,075,534 1,112,691 1,155,256
Austria 426,815 430,296 432,234 431,680 419,779 409,199 406,079
Poland 1,957,113 1,983,731 1,989,879 2,015,249 2,025,270 2,059,967 2,015,506
Portugal 875,083 846,013 807,358 791,101 794,398 818,120 843,693
Romania 450,168 609,827 647,325 689,983 696,142 695,108 717,388
Slovenia 123,467 125,413 128,088 134,601 137,438 141,118 143,451
Slovakia 374,114 421,909 404,369 398,895 438,067 446,471 454,191
Finland 286,432 291,080 291,410 290,778 293,685 291,307 289,631
Sweden 667,421 715,879 736,112 719,505 727,258 740,182 758,640
United Kingdom 2,013,225 2,027,600 2,054,940 2,126,775 2,218,955 2,326,020 2,467,365
The time period covered in our study is from 2018 to 2021, so we calculated the average growth for the last four years and used it to forecast the number of companies for the period 2016-2021 (for each of the countries). The number of companies, by country, for the period 2017 to 2021 was then calculated and is presented in Table 2-3.
Table 2-3: Forecasted Number of active enterprises by year (2017-2021)
Country 2017 2018 2019 2020 2021
Belgium 665,981 672,641 679,367 686,161 693,022
Bulgaria 351,442 354,956 358,506 362,091 365,712
Czech Republic 1,048,262 1,058,744 1,069,332 1,080,025 1,090,825
Denmark 227,191 229,463 231,758 234,076 236,416
Germany 2,829,040 2,857,331 2,885,904 2,914,763 2,943,911
Estonia 86,594 87,460 88,335 89,218 90,110
Ireland 253,845 256,383 258,947 261,536 264,152
Greece 773,634 781,370 789,184 797,076 805,046
Spain 3,056,499 3,087,064 3,117,935 3,149,114 3,180,606
France 3,594,616 3,630,562 3,666,868 3,703,537 3,740,572
Croatia 148,653 150,139 151,641 153,157 154,689
Italy 3,888,090 3,926,971 3,966,241 4,005,903 4,045,962
Cyprus 52,848 53,377 53,910 54,450 54,994
Latvia 117,557 118,732 119,920 121,119 122,330
Lithuania 199,227 201,219 203,231 205,263 207,316
Luxembourg 32,715 33,042 33,372 33,706 34,043
Hungary 540,862 546,271 551,733 557,251 562,823
Malta 32,789 33,117 33,448 33,783 34,120
Netherlands 1,166,809 1,178,477 1,190,261 1,202,164 1,214,186
Austria 410,140 414,241 418,384 422,567 426,793
Poland 2,035,661 2,056,018 2,076,578 2,097,344 2,118,317
Portugal 852,130 860,651 869,258 877,950 886,730
Romania 724,562 731,807 739,126 746,517 753,982
Slovenia 144,886 146,334 147,798 149,276 150,768
Slovakia 458,733 463,320 467,953 472,633 477,359
Finland 292,527 295,453 298,407 301,391 304,405
Sweden 766,226 773,889 781,628 789,444 797,338
United Kingdom 2,492,039 2,516,959 2,542,129 2,567,550 2,593,225
Eurostat does not provide the number of enterprises by size and by country in one dataset, so intermediate calculations were performed to create the required input from the available data. Instead, Eurostat provides the share of each company size in the total number of enterprises in each country. Assuming that the mix will not change significantly in the coming years, since historical data show limited variation from one year to the next, multiplying this percentage by the total number of enterprises gives the number of companies, by size, for each of the countries. One additional issue is that the definition of micro companies includes some with zero employees. These are companies of self-employed individuals, which for the purpose of our analysis must be in a separate category, so their number was adjusted to take that into consideration. The methodology that was used to divide the number of enterprises per country into the following categories:
Self-employed (0 employees)
Micro (1 to 9 employees)
Small (10 to 49 employees)
Medium (49 to 250 employees)
Large (more than 250 employees)
is illustrated in Figure 2-1:
Figure 2-1: Calculation of number of enterprises by size, by country
The metric that shows the percentage of each company size out of the total number of companies is given in [4]. The available data is shown in Table 2-4.
Table 2-4: Percentage mix of total number of enterprises
Country Micro Small Medium Large
Belgium 94.61% 4.57% 0.67% 0.15%
Bulgaria 91.55% 6.95% 1.30% 0.20%
Czech Republic 96.05% 3.14% 0.66% 0.15%
Denmark 88.69% 9.25% 1.74% 0.32%
Germany 83.68% 13.67% 2.22% 0.43%
Estonia 90.53% 7.70% 1.52% 0.25%
Ireland 92.57% 6.19% 1.04% 0.20%
Greece 96.19% 3.38% 0.38% 0.05%
Spain 94.93% 4.36% 0.59% 0.12%
France 95.72% 3.58% 0.57% 0.13%
Croatia 91.60% 6.99% 1.16% 0.25%
Italy 95.14% 4.29% 0.49% 0.08%
Cyprus 93.32% 5.64% 0.91% 0.13%
Latvia 91.52% 6.99% 1.31% 0.18%
Lithuania 92.56% 6.12% 1.15% 0.17%
Luxembourg 87.93% 9.72% 1.91% 0.44%
Hungary 94.09% 4.94% 0.80% 0.17%
Malta 93.42% 5.22% 1.15% 0.21%
Netherlands 95.23% 3.83% 0.79% 0.15%
Austria 87.34% 10.72% 1.61% 0.33%
Poland 95.28% 3.61% 0.91% 0.20%
Portugal 95.07% 4.19% 0.64% 0.10%
Romania 88.51% 9.45% 1.71% 0.33%
Slovenia 94.73% 4.29% 0.82% 0.16%
Slovakia 96.79% 2.61% 0.49% 0.11%
Finland 91.33% 7.21% 1.20% 0.26%
Sweden 94.65% 4.42% 0.78% 0.15%
United Kingdom 89.28% 8.93% 1.46% 0.33%
We can then calculate the number of enterprises by size by country by multiplying tables 2-3 and 2-4. The calculations for each type of company, by country, are presented in the following tables 2-5 to 2-8.
Table 2-5: Number of micro companies by country
Country 2018 2019 2020 2021
Belgium 636,385 642,749 649,177 655,668
Bulgaria 324,962 328,212 331,494 334,809
Czech Republic 1,016,924 1,027,093 1,037,364 1,047,738
Denmark 203,511 205,546 207,602 209,678
Germany 2,391,014 2,414,924 2,439,074 2,463,464
Estonia 79,178 79,970 80,769 81,577
Ireland 237,334 239,707 242,104 244,525
Greece 751,600 759,116 766,707 774,374
Spain 2,930,550 2,959,856 2,989,454 3,019,349
France 3,475,174 3,509,926 3,545,025 3,580,476
Croatia 137,528 138,903 140,292 141,695
Italy 3,736,120 3,773,481 3,811,216 3,849,328
Cyprus 49,811 50,309 50,812 51,320
Latvia 108,664 109,751 110,848 111,957
Lithuania 186,248 188,111 189,992 191,892
Luxembourg 29,054 29,344 29,638 29,934
Hungary 513,986 519,126 524,317 529,560
Malta 30,938 31,247 31,560 31,875
Netherlands 1,122,263 1,133,486 1,144,821 1,156,269
Austria 361,798 365,416 369,070 372,761
Poland 1,958,974 1,978,563 1,998,349 2,018,332
Portugal 818,221 826,403 834,667 843,014
Romania 647,723 654,200 660,742 667,349
Slovenia 138,623 140,009 141,409 142,823
Slovakia 448,448 452,932 457,461 462,036
Finland 269,837 272,535 275,261 278,013
Sweden 732,486 739,810 747,209 754,681
United Kingdom 2,247,141 2,269,612 2,292,309 2,315,232
Table 2-6: Number of small companies by country
Country 2018 2019 2020 2021
Belgium 30,740 31,047 31,358 31,671
Bulgaria 24,669 24,916 25,165 25,417
Czech Republic 33,245 33,577 33,913 34,252
Denmark 21,225 21,438 21,652 21,869
Germany 390,597 394,503 398,448 402,433
Estonia 6,734 6,802 6,870 6,939
Ireland 15,870 16,029 16,189 16,351
Greece 26,410 26,674 26,941 27,211
Spain 134,596 135,942 137,301 138,674
France 129,974 131,274 132,587 133,912
Croatia 10,495 10,600 10,706 10,813
Italy 168,467 170,152 171,853 173,572
Cyprus 3,010 3,041 3,071 3,102
Latvia 8,299 8,382 8,466 8,551
Lithuania 12,315 12,438 12,562 12,688
Luxembourg 3,212 3,244 3,276 3,309
Hungary 26,986 27,256 27,528 27,803
Malta 1,729 1,746 1,763 1,781
Netherlands 45,136 45,587 46,043 46,503
Austria 44,407 44,851 45,299 45,752
Poland 74,222 74,964 75,714 76,471
Portugal 36,061 36,422 36,786 37,154
Romania 69,156 69,847 70,546 71,251
Slovenia 6,278 6,341 6,404 6,468
Slovakia 12,093 12,214 12,336 12,459
Finland 21,302 21,515 21,730 21,948
Sweden 34,206 34,548 34,893 35,242
United Kingdom 224,764 227,012 229,282 231,575
Table 2-7: Number of medium companies by country
Country 2018 2019 2020 2021
Belgium 4,507 4,552 4,597 4,643
Bulgaria 4,614 4,661 4,707 4,754
Czech Republic 6,988 7,058 7,128 7,199
Denmark 3,993 4,033 4,073 4,114
Germany 63,433 64,067 64,708 65,355
Estonia 1,329 1,343 1,356 1,370
Ireland 2,666 2,693 2,720 2,747
Greece 2,969 2,999 3,029 3,059
Spain 18,214 18,396 18,580 18,766
France 20,694 20,901 21,110 21,321
Croatia 1,742 1,759 1,777 1,794
Italy 19,242 19,435 19,629 19,825
Cyprus 486 491 495 500
Latvia 1,555 1,571 1,587 1,603
Lithuania 2,314 2,337 2,361 2,384
Luxembourg 631 637 644 650
Hungary 4,370 4,414 4,458 4,503
Malta 381 385 389 392
Netherlands 9,310 9,403 9,497 9,592
Austria 6,669 6,736 6,803 6,871
Poland 18,710 18,897 19,086 19,277
Portugal 5,508 5,563 5,619 5,675
Romania 12,514 12,639 12,765 12,893
Slovenia 1,200 1,212 1,224 1,236
Slovakia 2,270 2,293 2,316 2,339
Finland 3,545 3,581 3,617 3,653
Sweden 6,036 6,097 6,158 6,219
United Kingdom 36,748 37,115 37,486 37,861
Table 2-8: Number of large companies by country
Country 2018 2019 2020 2021
Belgium 1,009 1,019 1,029 1,040
Bulgaria 710 717 724 731
Czech Republic 1,588 1,604 1,620 1,636
Denmark 734 742 749 757
Germany 12,287 12,409 12,533 12,659
Estonia 219 221 223 225
Ireland 513 518 523 528
Greece 391 395 399 403
Spain 3,704 3,742 3,779 3,817
France 4,720 4,767 4,815 4,863
Croatia 375 379 383 387
Italy 3,142 3,173 3,205 3,237
Cyprus 69 70 71 71
Latvia 214 216 218 220
Lithuania 342 345 349 352
Luxembourg 145 147 148 150
Hungary 929 938 947 957
Malta 70 70 71 72
Netherlands 1,768 1,785 1,803 1,821
Austria 1,367 1,381 1,394 1,408
Poland 4,112 4,153 4,195 4,237
Portugal 861 869 878 887
Romania 2,415 2,439 2,464 2,488
Slovenia 234 236 239 241
Slovakia 510 515 520 525
Finland 768 776 784 791
Sweden 1,161 1,172 1,184 1,196
United Kingdom 8,306 8,389 8,473 8,558
The definition of micro companies includes companies with zero employees, which are enterprises of self-employed people, so to obtain the correct number of micro companies the companies with zero personnel must be subtracted from the total number of micro companies. The available data is from Eurostat [3] and is presented in Table 2-9.
Table 2-9: Number of companies with zero employees (2010-2016)
Country 2010 2011 2012 2013 2014 2015 2016
Belgium 403,900 417,214 427,888 430,673 446,358 456,014 468,715
Bulgaria 142,166 140,119 144,330 146,975 150,306 152,345 169,625
Czech Republic 743,081 763,119 750,682 737,555 815,315 800,365 811,579
Denmark 112,187 115,862 115,535 82,868 86,300 85,502 105,258
Germany 1,578,194 1,592,037 1,597,589 1,613,243 1,339,211 1,322,461 1,309,716
Estonia 30,906 31,733 33,389 34,981 33,788 32,021 31,415
Ireland 96,095 89,573 86,631
135,811 142,629 144055.29
Greece
366,452 354,419
Spain 1,731,527 1,737,266 1,662,304 1,632,095 1,657,159 1,688,181 1,720,532
France 1,916,252 1,964,146 2,023,988 2,052,572 2,289,048 2,361,988 2,482,415
Croatia
47,094 43,857 21,671 37,728 45,825
Italy 2,590,456 2,511,354 2,491,889 2,496,956 2,481,838 2,432,989 2,476,586
Cyprus 16,153 15,451 16,055 17,295 17,804 20,838 18,473
Latvia 26,677 27,589 43,921 45,650 47,562 55,969 45,731
Lithuania 56,779 65,148 77,806 91,610 105,648 112,630 122,179
Luxembourg 9,910 10,418 10,630 11,267 11,764 12,013 12,262
Hungary 250,808 241,176 209,039 208,444 198,198 171,131 168,179
Malta 22,657 22,165 21,374 20,751 19,102 19293.02
Netherlands 730,879 773,679 803,797 818,447 845,007 883,775 916,800
Austria 213,567 214,461 214,682 227,952 217,029 207,735 203,494
Poland 1,297,483 1,307,276 1,327,651 1,349,864 1,340,741 1,285,042 1,263,849
Portugal 543,231 522,138 498,069 487,307 489,105 510,096 532,838
Romania 90,501 252,961 291,580 333,275 341,817 341,556 344,917
Slovenia 58,968 60,775 62,962 70,176 72,010 74,611 75,618
Slovakia 254,953 252,186 245,068 230,808 322,961 327,389 329,555
Finland 153,394 155,751 141,877 157,253 157,547 155,088 153,820
Sweden 425,425 455,042 466,936 449,936 451,981 460,785 472,928
United Kingdom 303,785 285,200 273,910 266,880 258,325 241,520 233,805
Based on the growth trend of the period 2010-2016, a forecast (by country) for the years 2017-2021 was made (Table 2-10).
Table 2-10: Estimation of number of companies with zero employees (2018-2021)
Country 2016 2017 2018 2019 2020 2021
Belgium 468,715 473,402 478,136 482,918 487,747 492,624
Bulgaria 169,625 171,321 173,034 174,765 176,512 178,278
Czech Republic 811,579 819,695 827,892 836,171 844,532 852,978
Denmark 105,258 106,311 107,374 108,447 109,532 110,627
Germany 1,309,716 1,322,813 1,336,041 1,349,402 1,362,896 1,376,525
Estonia 31,415 31,729 32,046 32,367 32,691 33,017
Ireland 144,055 145,496 146,951 148,420 149,905 151,404
Greece 354,419 357,963 361,543 365,158 368,810 372,498
Spain 1,720,532 1,737,737 1,755,115 1,772,666 1,790,392 1,808,296
France 2,482,415 2,507,239 2,532,312 2,557,635 2,583,211 2,609,043
Croatia 45,825 46,283 46,746 47,214 47,686 48,163
Italy 2,476,586 2,501,352 2,526,365 2,551,629 2,577,145 2,602,917
Cyprus 18,473 18,658 18,844 19,033 19,223 19,415
Latvia 45,731 46,188 46,650 47,117 47,588 48,064
Lithuania 122,179 123,401 124,635 125,881 127,140 128,411
Luxembourg 12,262 12,385 12,508 12,634 12,760 12,887
Hungary 168,179 169,861 171,559 173,275 175,008 176,758
Malta 19,293 19,486 19,681 19,878 20,076 20,277
Netherlands 916,800 925,968 935,228 944,580 954,026 963,566
Austria 203,494 205,529 207,584 209,660 211,757 213,874
Poland 1,263,849 1,276,487 1,289,252 1,302,145 1,315,166 1,328,318
Portugal 532,838 538,166 543,548 548,984 554,473 560,018
Romania 344,917 348,366 351,850 355,368 358,922 362,511
Slovenia 75,618 76,374 77,138 77,909 78,688 79,475
Slovakia 329,555 332,851 336,179 339,541 342,936 346,366
Finland 153,820 155,358 156,912 158,481 160,066 161,666
Sweden 472,928 477,657 482,434 487,258 492,131 497,052
United Kingdom 233,805 236,143 238,504 240,890 243,298 245,731
Based on this data, we then calculated the adjusted number of micro companies, which excludes the companies of the self-employed.
Table 2-11: Number of micro companies without the ones with zero employees (2018-2021)
Country 2016 2017 2018 2019 2020 2021
Belgium 158,249 159,832 161,430 163,044 158,249 159,832
Bulgaria 151,928 153,447 154,982 156,531 151,928 153,447
Czech Republic 189,032 190,923 192,832 194,760 189,032 190,923
Denmark 96,137 97,099 98,070 99,050 96,137 97,099
Germany 1,054,973 1,065,523 1,076,178 1,086,940 1,054,973 1,065,523
Estonia 47,131 47,603 48,079 48,560 47,131 47,603
Ireland 90,383 91,287 92,200 93,122 90,383 91,287
Greece 390,057 393,958 397,897 401,876 390,057 393,958
Spain 1,175,436 1,187,190 1,199,062 1,211,052 1,175,436 1,187,190
France 942,863 952,291 961,814 971,432 942,863 952,291
Croatia 90,782 91,689 92,606 93,532 90,782 91,689
Italy 1,209,755 1,221,852 1,234,071 1,246,411 1,209,755 1,221,852
Cyprus 30,967 31,277 31,589 31,905 30,967 31,277
Latvia 62,014 62,634 63,260 63,893 62,014 62,634
Lithuania 61,613 62,229 62,852 63,480 61,613 62,229
Luxembourg 16,545 16,711 16,878 17,047 16,545 16,711
Hungary 342,427 345,851 349,309 352,803 342,427 345,851
Malta 11,257 11,370 11,483 11,598 11,257 11,370
Netherlands 187,036 188,906 190,795 192,703 187,036 188,906
Austria 154,214 155,756 157,314 158,887 154,214 155,756
Poland 669,721 676,418 683,183 690,014 669,721 676,418
Portugal 274,673 277,420 280,194 282,996 274,673 277,420
Romania 295,873 298,832 301,820 304,838 295,873 298,832
Slovenia 61,485 62,099 62,720 63,348 61,485 62,099
Slovakia 112,269 113,391 114,525 115,670 112,269 113,391
Finland 112,925 114,054 115,195 116,347 112,925 114,054
Sweden 250,052 252,552 255,078 257,629 250,052 252,552
United Kingdom 2,008,637 2,028,723 2,049,010 2,069,500 2,008,637 2,028,723
2.3.3 Number of employees by size and by country
To calculate the average number of employees for the different enterprise sizes, by country, we used the data from Table 2-11 along with the number of employees by company size, for all available countries, from Eurostat [3]. The process that was implemented is illustrated in Figure 2-2.
Figure 2-2: Calculation of the average number of employees
The data showing the number of employees for the different types of companies, by country, is presented in Table 2-12. The ‘Small’ category is divided into two sub-categories (10 to 19 and 20 to 49); to match the existing definition of Small companies, the total number of people in small enterprises is the sum of these two columns.
Table 2-12: Persons employed per size of companies
Country Large Medium Small (20 to 49) Small (10 to 19) Micro
Belgium 863,715 423,503 314,572 232,026 968,611
Bulgaria 493,848 419,472 265,904 189,367 592,929
Czech Republic 1,196,643 696,211 368,528 265,962 1,134,528
Denmark 595,198 354,491 217,024 162,651 336,684
Germany 10,471,499 5,691,495 3,469,844 3,123,955 5,501,621
Estonia 90,210 97,179 59,312 45,162 129,639
Ireland 381,540 248,969 164,155 379,072 385,386
Greece 346,200 255,492 187,491 202,851 1,139,461
Spain 3,248,856 1,536,888 1,287,144 1,099,947 4,540,883
France 5,725,748 2,304,725 1,646,440 1,261,153 4,681,373
Croatia 305,028 185,646 111,310 95,560 299,791
Italy 3,108,862 1,882,976 1,413,049 1,611,800 6,530,641
Cyprus 38,220 46,911 28,706 25,089 90,366
Latvia 132,966 137,687 84,801 62,522 216,980
Lithuania 233,385 218,565 133,595 93,876 275,218
Luxembourg 86,543 64,446 38,303 28,973 46,772
Hungary 812,072 443,080 274,093 237,678 905,522
Malta 30,962 31,841 19,654 14,227 45,922
Netherlands 1,875,814 992,658 590,377 426,003 1,576,224
Austria 865,209 535,523 366,359 311,036 700,318
Poland 2,865,583 1,591,891 707,347 469,064 3,375,788
Portugal 669,293 499,433 352,652 288,233 1,274,600
Romania 1,378,040 832,677 500,670 366,050 900,656
Slovenia 163,575 115,048 58,584 52,789 214,243
Slovakia 431,905 251,444 125,393 86,304 631,580
Finland 500,179 265,908 181,705 143,638 363,187
Sweden 1,120,662 604,553 404,136 310,221 764,337
United Kingdom 9,190,814 3,164,738 2,090,304 1,583,765 3,764,911
Taking these tables into consideration, we then calculated the average number of employees for the different categories of company size, for the EU-28 countries. The results are presented in Table 2-13.
Table 2-13: Average Number of employees by company size
Country Micro Small Medium Large
Belgium 6 18 94 856
Bulgaria 4 18 91 696
Czech Republic 6 19 100 753
Denmark 4 18 89 811
Germany 5 17 90 852
Estonia 3 16 73 413
Ireland 3 34 93 744
Greece 3 15 86 886
Spain 4 18 84 877
France 5 22 111 1,213
Croatia 3 20 107 813
Italy 5 18 98 990
Cyprus 3 18 97 551
Latvia 3 18 89 622
Lithuania 4 18 94 682
Luxembourg 3 21 102 595
Hungary 3 19 101 874
Malta 4 20 84 445
Netherlands 8 23 107 1,061
Austria 5 15 80 633
Poland 5 16 85 697
Portugal 3 18 91 778
Romania 3 13 67 571
Slovenia 3 18 96 699
Slovakia 6 18 111 847
Finland 3 15 75 651
Sweden 3 21 100 965
United Kingdom 2 16 86 1,107
2.3.4 Number of individuals using the internet
While the percentage of companies using the Internet is almost 100%, this is not the case for individuals. Our model requires the number of individuals who are above 14 years old and own a device that can access the Internet, as well as the percentage of them who use the Internet. The available data from Eurostat include the population by country, the population in the age group from zero to fourteen, and the percentage of the population that has never used the Internet. The calculation process is illustrated in Figure 2-3.
Figure 2-3: Calculation of the number of individuals that use the Internet
Table 2-14: Population by country
Country 2018 2019 2020 2021
Belgium 11,413,058 11,472,470 11,528,829 11,582,290
Bulgaria 7,050,034 7,003,223 6,951,710 6,901,286
Czech Republic 10,610,055 10,629,428 10,653,639 10,680,217
Denmark 5,781,190 5,823,921 5,864,875 5,902,321
Germany 82,850,000 83,549,224 84,072,127 84,479,875
Estonia 1,319,133 1,318,498 1,319,950 1,321,094
Ireland 4,838,259 4,885,152 4,940,449 4,993,634
Greece 10,738,868 10,675,416 10,641,823 10,608,622
Spain 46,659,302 46,629,145 46,714,539 46,789,320
France 67,221,943 67,595,652 67,829,753 68,114,927
Croatia 4,105,493 4,078,380 4,037,099 3,998,279
Italy 60,483,973 60,422,383 60,312,982 60,233,206
Cyprus 864,236 860,553 867,886 872,624
Latvia 1,934,379 1,917,156 1,899,603 1,882,542
Lithuania 2,808,901 2,779,269 2,740,086 2,703,270
Luxembourg 602,005 616,020 629,143 642,159
Hungary 9,778,371 9,751,071 9,724,278 9,698,682
Malta 475,701 485,054 497,035 509,099
Netherlands 17,118,084 17,209,257 17,284,546 17,356,083
Austria 8,822,267 8,922,733 8,999,876 9,068,246
Poland 37,976,687 37,953,570 37,946,825 37,945,403
Portugal 10,291,027 10,247,472 10,221,344 10,191,527
Romania 19,523,621 19,427,146 19,308,107 19,196,222
Slovenia 2,066,880 2,068,568 2,069,905 2,071,319
Slovakia 5,443,120 5,448,903 5,456,587 5,464,310
Finland 5,513,130 5,531,931 5,545,337 5,559,608
Sweden 10,120,242 10,231,292 10,360,142 10,487,886
United Kingdom 66,238,007 66,743,225 67,186,976 67,634,915
Table 2-15: Population in the age group 0-14 as a percentage of the total population
Country 2018 (%) 2019 (%) 2020 (%) 2021 (%)
Belgium 17.04 17.00 17.03 17.02
Bulgaria 14.30 14.45 14.57 14.71
Czech Republic 15.74 15.94 16.12 16.33
Denmark 16.34 16.21 15.97 15.80
Germany 13.00 13.13 13.07 13.08
Estonia 16.43 16.52 16.68 16.81
Ireland 21.61 21.14 21.17 21.00
Greece 14.43 14.31 14.24 14.19
Spain 15.30 15.18 15.22 15.19
France 18.50 18.33 18.35 18.28
Croatia 14.28 14.20 14.08 13.97
Italy 13.60 13.39 13.36 13.21
Cyprus 15.96 16.14 16.02 15.99
Latvia 15.46 15.95 16.09 16.40
Lithuania 14.45 14.62 14.53 14.58
Luxembourg 16.04 15.83 15.71 15.45
Hungary 14.35 14.45 14.43 14.45
Malta 13.75 13.74 13.53 13.42
Netherlands 16.15 15.90 15.71 15.49
Austria 13.98 14.14 14.00 14.03
Poland 14.83 14.93 14.87 14.86
Portugal 13.80 13.61 13.40 13.19
Romania 15.34 15.38 15.28 15.29
Slovenia 15.15 15.19 15.36 15.44
Slovakia 15.21 15.37 15.28 15.33
Finland 16.23 16.15 16.11 16.07
Sweden 17.69 17.94 18.08 18.24
United Kingdom 17.72 17.82 17.83 17.88
Table 2-16: Percentage of population that have never used the Internet
Country 2018 (%) 2019 (%) 2020 (%) 2021 (%)
Belgium 9.15 8.33 7.37 6.76
Bulgaria 28.04 26.23 24.26 22.48
Czech Republic 10.01 8.93 8.17 7.17
Denmark 1.58 1.35 1.10 0.97
Germany 6.00 5.12 4.31 3.73
Estonia 7.32 6.95 6.53 5.63
Ireland 14.78 14.82 14.56 14.42
Greece 25.26 23.98 22.85 21.57
Spain 12.69 11.10 9.61 8.37
France 8.75 8.27 7.74 7.21
Croatia 24.66 24.50 24.80 25.07
Italy 19.92 17.51 15.64 13.91
Cyprus 16.65 14.34 12.16 10.48
Latvia 14.47 13.24 12.40 11.36
Lithuania 17.74 16.15 14.24 12.93
Luxembourg 1.29 1.07 0.97 0.75
Hungary 15.92 14.56 13.21 12.14
Malta 17.14 15.76 14.51 13.12
Netherlands 3.18 2.76 2.44 2.01
Austria 9.56 8.42 7.47 6.49
Poland 17.85 15.78 13.73 12.38
Portugal 20.69 18.67 16.71 15.03
Romania 23.78 21.14 19.27 17.05
Slovenia 18.25 16.55 15.33 14.04
Slovakia 14.38 13.92 13.30 13.10
Finland 4.08 3.78 3.69 3.58
Sweden 2.00 1.27 0.93 0.73
United Kingdom 3.16 2.70 2.21 1.95
Table 2-17: Population that uses the Internet (age 14 and greater)
Country 2018 2019 2020 2021
Belgium 8,601,535 8,728,982 8,860,612 8,960,971
Bulgaria 4,347,337 4,419,589 4,497,725 4,562,608
Czech Republic 8,045,856 8,137,597 8,206,864 8,296,128
Denmark 4,760,446 4,814,088 4,874,016 4,921,031
Germany 67,754,382 68,864,318 69,934,200 70,687,567
Estonia 1,021,647 1,024,250 1,027,981 1,037,167
Ireland 3,232,305 3,281,418 3,327,578 3,376,068
Greece 6,868,853 6,954,718 7,040,960 7,139,963
Spain 34,505,476 35,160,570 35,798,026 36,361,157
France 49,993,210 50,636,347 51,095,801 51,649,358
Croatia 2,651,707 2,642,080 2,608,477 2,577,461
Italy 41,847,944 43,164,483 44,083,898 44,999,856
Cyprus 605,375 618,152 640,245 656,244
Latvia 1,398,668 1,397,948 1,396,212 1,395,082
Lithuania 1,976,544 1,989,714 2,008,507 2,010,465
Luxembourg 498,910 512,989 525,121 538,867
Hungary 7,041,830 7,127,146 7,222,312 7,289,793
Malta 339,994 352,484 367,446 382,920
Netherlands 13,896,814 14,074,736 14,212,363 14,373,363
Austria 6,863,167 7,015,692 7,161,807 7,290,459
Poland 26,573,061 27,192,401 27,866,842 28,309,877
Portugal 7,035,867 7,199,579 7,372,155 7,517,548
Romania 12,598,235 12,963,566 13,206,705 13,488,956
Slovenia 1,433,674 1,463,986 1,483,488 1,505,599
Slovakia 3,951,569 3,969,468 4,008,228 4,020,583
Finland 4,429,881 4,463,003 4,480,039 4,499,104
Sweden 8,163,276 8,288,537 8,408,583 8,511,613
United Kingdom 52,781,491 53,368,642 53,990,940 54,457,894
2.3.5 Hourly labour cost
To estimate the cost associated with the cleaning of spam, the hourly labour cost is needed. We used historical data from Eurostat for 2012-17 to estimate how it is expected to evolve in the 2018-21 period. The results are presented in Table 2-18.
Table 2-18: Hourly labour cost
Country 2018 (€) 2019 (€) 2020 (€) 2021 (€)
Belgium 39.90 40.19 40.47 40.76
Bulgaria 5.14 5.52 5.93 6.37
Czech Republic 10.84 11.08 11.33 11.58
Denmark 43.03 43.67 44.32 44.98
Germany 34.72 35.52 36.34 37.18
Estonia 12.40 13.17 13.99 14.86
Ireland 30.94 31.17 31.41 31.64
Greece 13.88 13.69 13.50 13.31
Spain 21.18 21.19 21.20 21.21
France 36.27 36.63 36.99 37.36
Croatia 10.49 10.71 10.93 11.16
Italy 28.27 28.33 28.38 28.44
Cyprus 15.52 15.37 15.22 15.07
Latvia 8.52 9.06 9.63 10.24
Lithuania 8.29 8.79 9.32 9.89
Luxembourg 38.38 39.10 39.84 40.59
Hungary 9.09 9.43 9.79 10.15
Malta 14.44 14.90 15.37 15.86
Netherlands 35.06 35.48 35.90 36.33
Austria 35.14 36.12 37.13 38.17
Poland 9.44 9.74 10.04 10.36
Portugal 14.04 14.20 14.36 14.53
Romania 6.56 7.12 7.73 8.39
Slovenia 16.91 17.21 17.52 17.83
Slovakia 11.45 11.96 12.48 13.03
Finland 33.58 33.91 34.25 34.59
Sweden 38.29 38.44 38.59 38.74
United Kingdom 27.73 28.21 28.70 29.19
3. Cyber-security products and solutions
The evolving threat landscape is becoming increasingly complex. The days when attacks on PCs were viewed simply as an inconvenience appear to be confined to history. The emergence and growth of the Internet fuelled a new generation of attacks motivated by monetary gain, state-sponsored actions, and malicious intent, among other disparate reasons. Alongside this, the sophistication of threats has continued to grow, presenting an on-going challenge to organisations and their security teams. The older types of threats remain valid and cannot be ignored, creating a threat landscape with eclectic considerations. Security professionals are required to stay ahead of the game, or at least on top of the game, whilst balancing the needs of their organisation alongside budgetary considerations.
Against this backdrop, a growing awareness of the need for defence in depth and prevention is responsible for a shift away from an increasing number of protection-point products towards cybersecurity platforms, which may be 'off-the-shelf' or 'bespoke' solutions tailored to client-specific requirements. The aim here is to briefly acknowledge and summarise the 'older' types of cyber security products which are still available on the market, while exploring the newer and fast-growing cybersecurity platform market in more detail. The purpose is to enumerate the progressive and disruptive technologies most relevant to the emerging threat landscape and to the future as it advances towards Artificial Intelligence (AI) product integration.
3.1 Cyber security product evolution
Designing and building an architecture that is secure is not for the faint-hearted. Security-by-design is not yet an integral feature of the product research and design stage. The fact remains that too often security is an afterthought in the manufacturing cycle of new products. Security defence was developed out of the necessity for protection and, invariably, through ad hoc steps. Originally, physical security was all that was needed to thwart assailants [5]. Once interconnected systems had appeared, networks became vulnerable to outside intrusions. Activity in one part of a system could have inadvertent yet serious consequences in other parts. Security products began to be designed and developed, but as add-ons for systems, networks or individual PCs. Built-in protections were still not available, although the need for security-by-design was clear to many researchers and professionals [6].
A new market for security products grew rapidly, based on the exposed vulnerabilities and shortcomings of existing systems and infrastructures as well as the architectures behind them. Inherent weaknesses were being increasingly exposed by the rise of cybercrime. Two new markets grew in parallel: the black or underground economy and the cyber security industry, in an almost endless cat and mouse game.
The early cyber security products were mainly software solutions, such as antivirus, that were installed on each endpoint device (most often a desktop computer) and defended against threats retrospectively. Firewall programs and anti-virus were developed in the late 1980s and early 1990s. Firewalls were developed over time into highly sophisticated tools that monitor and prevent potentially malicious requests or traffic from reaching systems and networks. Numerous companies developed software that would “clean” a computer after an infection (anti-virus software). These software products became a mandatory addition to any network and, thus, the cybersecurity industry came into being. Antivirus companies increased their profits and dominated the cybersecurity industry for the next 20 years but, as the cyber threats escalated, the losses grew exponentially [7].
As the cybersecurity market continued to develop, software installed on endpoint devices became the standard defence against threats, at least for the organisations with awareness of the growing risks. The increase in the digitization level of a company brought greater risk due to the vulnerabilities of its systems. More cyber defence products were developed as a consequence of the need to keep systems safe. An article posted by Joe Howard (Enterprise Account Manager - U.S Army at Hewlett Packard) identified 70 distinct categories of cyber security products, as illustrated in Table 3-1 [8].
Table 3-1: Cybersecurity Product Categories
Further in the article, Joe Howard refers to the need for a new approach to cyber security as, clearly, adding an almost endless list of point products to any system is not sustainable. Defence-in-depth, providing multiple layers of redundant defensive measures, is a valid strategy but requires considerable management and cost in man-hours and in-house equipment [9].
The necessity for better defences, and more integrated products, is an on-going observation. Reactive responses to cybersecurity incidents have not been effective. Systems have become increasingly complex and malware ubiquitous. The scale and scope of emergent threats necessitated a proactive incident response strategy [10]. Since 2014, new, creative strategies such as Artificial Intelligence, machine learning and behavioural detection have been employed by new players in the industry [11].
A new generation of cyber defence solutions began to emerge to meet the demands of diverse threats. Sophisticated systems gather transmission characteristics from network devices. Unusual traffic patterns are flagged and scrutinised further for signs of malicious activity or the behavioural characteristics which may be indicative of a threat. Complex queries could identify device or user behaviours indicative of a threat or other malicious activity and this became known as the Security Information Market (SIM). This technology, based largely on log management and rules-based detection platforms, is gradually being replaced by data science methods like machine learning and Artificial Intelligence, known as security analytics.
As the complexity of data gathering and security analytics has increased, so has the popularity of SIEM (Security Information and Event Management) platforms. SIEMs emerged as a way to store all the data as well as aggregate and correlate logs and events. As the volume of data grew, the limitations of SIEMs were exposed. For an organisation using this type of solution, it can be costly to store everything in the SIEM, with the result that they pick and choose what to include and what to exclude and, as a consequence, leave themselves exposed in some areas.
A consequence of the increasing volumes of data is that Incident Response (IR) has become more difficult. Research, conducted in early 2016 by security automation and orchestration company Phantom and IT analyst and business strategy firm Enterprise Strategy Group (ESG), found that two-thirds of organisations believe that Incident Response had become significantly more difficult or somewhat more difficult during the previous two years [12]. The main reasons cited were: more IT activities, including cloud and mobile computing, the addition of new security management and threat detection tools, and the growing volume of security alerts. Alarmingly, the same report found that:
A vast majority (74%) of enterprises admit that they regularly ignore some security alerts as part of prioritising investigations and managing the cybersecurity team’s workload.
Nearly one-third (31%) of organisations claim that they ignore at least 50% of all security alerts because they simply can’t keep up with the volume.
The difficulties facing security teams are demonstrated in an example ontology of the types of emerging technologies that are now being considered as mandatory within a cybersecurity platform (Table 3-2) [13].
Table 3-2: Cybersecurity Emerging Technologies
The growth in the cybersecurity market is a testimony to the rise in complexity of available products. In 2004, the global cybersecurity market was worth $3.5 billion. In 2021 it is predicted to be worth more than $120 billion [14]. The cybersecurity market grew by rou