D4.4 Report on Cost-Benefit Analysis of Cyber-security ...D4.4 Report on Cost-Benefit Analysis of Cyber-security Solutions, Products and Models Work Package 4: Cyber-security, Cyber-crime

D4.4 Report on Cost-Benefit Analysis of Cyber-security Solutions, Products and Models

Work Package 4: Cyber-security, Cyber-crime Market and Regulatory Analysis

Document Dissemination Level

P

CΟ

Document Due Date: 31/10/2018 Document Submission Date: 03/12/2018

Public

Confidential, only for members of the Consortium (including the Commission Services)

☒

☐

This work is performed within the SAINT Project – Systemic Analyser in Network Threats – with the support of the European Commission and the Horizon 2020 Program, under Grant Agreement No 740829


Copyright SAINT Consortium. All rights reserved. 2

Document Information

Deliverable number: D4.4

Deliverable title: Report on Cost-Benefit Analysis of Cyber-security Solutions, Products and Models

Deliverable version: 1.0

Work Package number: 4

Work Package title: Cyber-security, Cyber-crime Market and Regulatory Analysis

Due Date of delivery: 31/10/2018

Actual date of delivery: 03/12/2018

Dissemination level: Public

Editor(s): Theodoros Rokkas, Ioannis Neokosmidis, Dimitris Xydias (INCITES)

Contributor(s): Bryn Thompson, Jart Armin (CYBERDEFCON)

Reviewer(s): Montes de Oca (MNTMG) Yannis Stamatiou (CTI)

Ethical advisor(s): Christina Chalanouli (KEMEA)

Project name: Systemic Analyser in Network Threats

Project Acronym SAINT

Project starting date: 1/5/2017

Project duration: 24 months

Rights: SAINT Consortium

Version History

Version Date Beneficiary Description

0.1 20/10/2018 INCTS First Draft

0.2 25/10/2018 CYBE Description of cyber security products

0.3 28/10/2018 INCTS Description of framework, methodology and major sources

0.4 31/10/2018 INCTS Version sent for review

0.5 10/11/2018 CITE, MNTMG Comments from reviewers

0.6 22/11/2018 CYBE, INCTS Comments from reviewers addressed

0.8 28/11/2018 KEMEA, NCSRD, CYBE Security monitoring completed

0.9 01/12/2018 KEMEA Ethical monitoring and editorial review completed

1.0 03/12/2018 NCSRD, INCTS Final version



Abbreviations and Acronyms ACRONYM EXPLANATION

AI Artificial Intelligence

CAPEX Capital Expenditures

CBA Cost Benefit Analysis

CTI Cyber Threat Intelligence

ESG Enterprise Strategy Group

IDPS Intrusion Detection and Prevention Service

IDS Intrusion Detection Systems

IR Incident Response

IT Information Technology

NPV Net Present Value

OPEX Operational Expenditures

SIEM Security Information and Event Management

SIM Security Information Market



Table of Contents 1. Introduction ................................................................................................................................... 8

2. Cost-benefit analysis framework and data sources .......................................................................... 9

2.1 Net Present Value .............................................................................................................................. 9

2.2 Sensitivity and Risk analysis ............................................................................................................. 10

2.3 Methodological Issues ..................................................................................................................... 10

2.3.1 Classification of companies ..................................................................................................... 11

2.3.2 Number of companies by size, by country .............................................................................. 11

2.3.3 Number of employees by size and by country ........................................................................ 21

2.3.4 Number of individuals using the internet ................................................................................ 23

2.3.5 Hourly labour cost ................................................................................................................... 26

3. Cyber-security products and solutions ........................................................................................... 28

3.1 Cyber security product evolution .................................................................................................... 28

3.2 CTI, SIEM and IDPS products, solutions and providers .................................................................... 31

4. Cost of cyber security .................................................................................................................... 33

4.1 Cost of cyber security software ....................................................................................................... 33

4.2 Audit ................................................................................................................................................ 34

4.3 Advanced systems ........................................................................................................................... 34

5. Cost of cyber attacks ..................................................................................................................... 36

5.1 Major threats ................................................................................................................................... 36

5.1.1 Malware ................................................................................................................................... 37

5.1.2 Phishing ................................................................................................................................... 38

5.1.3 Spam ........................................................................................................................................ 39

5.1.4 Ransomware ............................................................................................................................ 42

5.1.5 Data Breaches .......................................................................................................................... 44

5.2 Cyber Risk profiles ........................................................................................................................... 48

6. Cost-benefit analysis ..................................................................................................................... 50

6.1 Cost of cyber-attacks calculation ..................................................................................................... 50

6.1.1 Cost per country ...................................................................................................................... 56

6.2 Cost of adopting cyber security products and solutions ................................................................. 57

6.3 Cost benefit results .......................................................................................................................... 58

6.4 Sensitivity analysis ........................................................................................................................... 61

6.5 Risk analysis ..................................................................................................................................... 63

7. Conclusion .................................................................................................................................... 66

8. References ................................................................................................................................... 67

Appendix A - Sensitivity results for various countries ............................................................................. 69



Table of Figures Figure 2-1: Calculation of number of enterprises by size, by country ............................................................ 13 Figure 2-2: Calculation of the average number of employees ........................................................................ 21 Figure 2-3: Calculation of the number of individuals that use the Internet .................................................... 23 Figure 5-1: Top-15 cyber threats and trends in 2016-17................................................................................. 36 Figure 5-2: Available malware and number of malware attacks..................................................................... 38 Figure 5-3: Email statistics forecasts ............................................................................................................... 40 Figure 5-4: Spam Statistics .............................................................................................................................. 41 Figure 5-5: Percentage of new families of misleading apps, fake AV, locker ransomware and crypto ransomware ([48]) ........................................................................................................................................... 42 Figure 5-6: Ransomware as a percentage of malware incidents .................................................................... 43 Figure 5-7: Blocked ransomware infections for consumer vs. enterprise ...................................................... 43 Figure 5-8: Probability of a data breach involving a minimum of 10,000 and a maximum of 100,000 records, [52]................................................................................................................................................................... 44 Figure 5-9: Probability of a data breach over the next 24 months of at least 10k records ............................ 44 Figure 5-10: USA data breaches by industry ................................................................................................... 45 Figure 5-11: Number of breach incidents by industry over time .................................................................... 45 Figure 5-12: Average cost of data breach in M$ ............................................................................................. 47 Figure 5-13: Records breached and global cost of data breaches .................................................................. 47 Figure 5-14: Cost per compromised data record ............................................................................................ 47 Figure 5-15: Loss categories from cyber-attacks and IT failures ..................................................................... 48 Figure 5-16: Risk profile for large companies .................................................................................................. 49 Figure 5-17: Risk profile for SMEs.................................................................................................................... 49 Figure A-1: Sensitivity results for Belgium ....................................................................................................... 69 Figure A-2: Sensitivity results for Bulgaria ....................................................................................................... 69 Figure A-3: Sensitivity results for Czech Republic ........................................................................................... 70 Figure A-4: Sensitivity results for Denmark ..................................................................................................... 70 Figure A-5: Sensitivity results for Germany ..................................................................................................... 71 Figure A-6: Sensitivity results for Estonia ........................................................................................................ 71 Figure A-7: Sensitivity results for Ireland ........................................................................................................ 72 Figure A-8: Sensitivity results for Greece ........................................................................................................ 72 Figure A-9: Sensitivity results for Spain ........................................................................................................... 73 Figure A-10: Sensitivity results for France ....................................................................................................... 73 Figure A-11: Sensitivity results for Croatia ...................................................................................................... 74 Figure A-12: Sensitivity results for Italy ........................................................................................................... 74 Figure A-13: Sensitivity results for Cyprus ....................................................................................................... 75 Figure A-14: Sensitivity results for Latvia ........................................................................................................ 75 Figure A-15: Sensitivity results for Lithuania ................................................................................................... 76 Figure A-16: Sensitivity results for Luxembourg.............................................................................................. 76 Figure A-17: Sensitivity results for Hungary .................................................................................................... 77 Figure A-18: Sensitivity results for Malta ........................................................................................................ 77 Figure A-19: Sensitivity results for Netherlands .............................................................................................. 78 Figure A-20: Sensitivity results for Austria ...................................................................................................... 78 Figure A-21: Sensitivity results for Poland ....................................................................................................... 79 Figure A-22: Sensitivity results for Portugal .................................................................................................... 79 Figure A-23: Sensitivity results for Romania ................................................................................................... 80 Figure A-24: Sensitivity results for Slovenia .................................................................................................... 80 Figure A-25: Sensitivity results for Slovakia ..................................................................................................... 81 Figure A-26: Finland ......................................................................................................................................... 81 Figure A-27: Sensitivity results for Sweden ..................................................................................................... 82 Figure A-28: Sensitivity results for United Kingdom ........................................................................................ 82



Table of Tables Table 2-1: Classification of companies ............................................................................................................ 11 Table 2-2: Number of active enterprises by year (2010-2016) ....................................................................... 11 Table 2-3: Forecasted Number of active enterprises by year (2017-2021) .................................................... 12 Table 2-4: Percentage mix of total number of enterprises ............................................................................. 14 Table 2-5: Number of micro companies by country ........................................................................................ 14 Table 2-6: Number of small companies by country ........................................................................................ 15 Table 2-7: Number of medium companies by country ................................................................................... 16 Table 2-8: Number of large companies by country ......................................................................................... 17 Table 2-9: Number of companies with zero employees (2010-2016) ............................................................. 18 Table 2-10: Estimation of number of companies with zero employees (2018- 2021) .................................... 19 Table 2-11: Number of micro companies without the ones with zero employees (2018- 2021) ................... 20 Table 2-12: Persons employed per size of companies .................................................................................... 21 Table 2-13: Average Number of employees by company size ........................................................................ 22 Table 2-14: Population by country .................................................................................................................. 23 Table 2-15: Population in the age group 0-14 as a percentage of the total population ................................. 24 Table 2-16: Percentage of population that have never used the Internet ..................................................... 25 Table 2-17: Population that uses the Internet (age 14 and greater) .............................................................. 26 Table 2-18: Hourly labour cost ........................................................................................................................ 27 Table 3-1: Cybersecurity Product Categories .................................................................................................. 29 Table 3-2: Cybersecurity Emerging Technologies............................................................................................ 30 Table 3-3: Sample of CTI, SIEM and IDPS providers ........................................................................................ 31 Table 3-4: Satisfaction rates in CTI 2018 ......................................................................................................... 32 Table 4-1: Cost categories by enterprise ......................................................................................................... 33 Table 4-2: Cost of cyber security software for individuals .............................................................................. 34 Table 4-3: Cost of cyber security software for SMEs ....................................................................................... 34 Table 4-4: Cost of IDPS systems....................................................................................................................... 35 Table 5-1: Number of attacks and types of malware ...................................................................................... 37 Table 5-2: Phishing threat statistics ................................................................................................................ 38 Table 5-3: Broad phishing vs. Spear phishing comparison .............................................................................. 39 Table 5-4: Spam email statistics ...................................................................................................................... 40 Table 5-5: Victims of spam email by year 2012-17 ......................................................................................... 41 Table 5-6: Ransomware threat statistics ......................................................................................................... 42 Table 5-7: Ransomware attacks statistics ....................................................................................................... 44 Table 5-8: Record breached by year – global and US-only .............................................................................. 46 Table 6-1: Email traffic ..................................................................................................................................... 50 Table 6-2: Threat statistics .............................................................................................................................. 50 Table 6-3: ICT security incidents in Small Enterprises ..................................................................................... 51 Table 6-4: ICT security incidents in Medium Enterprises ................................................................................ 52 Table 6-5: ICT security incidents in Large Enterprises ..................................................................................... 52 Table 6-6: Individuals who have experienced cyber incidents ........................................................................ 53 Table 6-7: Ransomware statistics .................................................................................................................... 54 Table 6-8: Cost of attacks ................................................................................................................................ 54 Table 6-9: Time spent to fix problem for each cybercrime victim .................................................................. 55 Table 6-10: Data breach assumptions ............................................................................................................. 56 Table 6-11: Cost of cyber-attacks by country .................................................................................................. 56 Table 6-12: Annual cost for security software................................................................................................. 57 Table 6-13: Annual cost for security software................................................................................................. 57 Table 6-14: Cost of adopting cyber security products ..................................................................................... 58 Table 6-15: Security Product effectiveness ..................................................................................................... 58 Table 6-16: Cost of cyber-attacks after adopting cyber security products ..................................................... 59



Table 6-17: Savings after adopting cyber security products ........................................................................... 60 Table 6-18: Savings after adopting cyber security products ........................................................................... 60 Table 6-19: Sensitivity rank ............................................................................................................................. 62 Table 6-20: Risk parameter characteristics ..................................................................................................... 63 Table 6-21: Risk results .................................................................................................................................... 64 Table 6-22: Probability of negative NPV .......................................................................................................... 65



1. Introduction

This deliverable presents the methodology that was used and the derived results of the performed Cost Benefit Analysis (CBA) of cyber security solutions and products. The goal of this report is to form a methodology and adapt it to estimate the cost and benefits of selected cyber security products and solutions. The methodology calculates the direct costs and benefits by enterprise size and also for individuals. The methodology is be used to produce results for the EU-28 countries. To model the uncertainty, a sensitivity and a risk analysis are performed for the most crucial parameters.

CBA is a method used to select different policies and make the appropriate decisions. It is an analysis method that compares the balance between cost and benefits of the different alternatives to identify which of the alternatives has an advantage over the others. In this study, the benefits are related closely to the cost avoidance (the costs related with successful cyber-attacks). Net Present Value (NPV) is used to compare the profitability of different scenarios. This method is one of the most popular tools for evaluating capital projects because it reduces the evaluation complexity of each project to a single figure. When it is used to evaluate competing projects, one can compare their NPVs and determine which one is more promising, and, therefore, the better choice to invest in by selecting the one with the higher NPV.

In this deliverable, an ex-ante CBA analysis is performed, trying to identify and quantify the benefits of cyber security products and solutions for different organisation sizes. The cost and allocation of resources depends on the type and size of an organisation as these affect the necessary investments for Cybersecurity. As a consequence, an important input was the number of companies classified by their size. The study produced results for each of the EU 28 countries for which data was available in a consistent format. For most of the gathered data, such as the required demographics of each country and the number of enterprises according to their size, the data was collected from Eurostat. Special consideration has been made so that the results are aligned to those from other WPs of SAINT, and especially those of WP2 in which an estimation of the cost of cybercrime for the EU countries was performed.

The deliverable is organized as follows: the second chapter presents an introduction of the cost-benefit framework, the data sources that were used along with the necessary assumptions and calculations that were made to transform the data into the required format. In the third chapter a description of the different products and solutions along with some initial cost estimations is given. The fourth chapter presents the assumptions that were made for the calculation of the cost of these products and solutions. The fifth chapter presents the major threats that were considered, the assumptions and the calculation of the associated cybercrime cost. The sixth chapter presents the results and the final chapter presents the conclusions.



2. Cost-benefit analysis framework and data sources In this section we present the cost-benefit principles that were used to create the framework for the upcoming analysis. CBA is a method that is used to select different policies and make the appropriate decisions. It is an analysis that compares the balance between cost and benefits of the different alternatives in order to identify which of these alternatives has an advantage over the others. There are several definitions in the relevant literature applied to different sectors, but for the analysis of cybersecurity products and solutions we will use a more practical approach based on calculating the Net Present Value (NPV) of an alternative compared to the current situation. While CBA offers an informed estimate of the best alternative, perfect estimates of all present and future costs and benefits are difficult to attain and so perfection in terms of economic efficiency and social welfare is not guaranteed.

In this study, the benefits are related closely to the cost avoidance (the costs related with successful cyber-attacks). The NPV is a merit of figure that calculates the difference between the present value of cash inflows and the present value of cash outflows over a selected period of time (usually called the study period). NPV is used to compare the profitability of different scenarios. This method is one of the most popular tools for evaluating capital projects because it narrows down the evaluation complexity of a project to a single figure: the total estimated value of the project, expressed in today's money. When it is used to evaluate competing projects, one can compare their NPVs and to determine which one is more promising, and therefore the better choice to invest in by selecting the one with the highest NPV. In this deliverable an ex-ante CBA analysis is performed, trying to identify and quantify the benefits of cyber security products and solutions for organisations of different sizes. The cost and allocation of resources are modelled according to size of the organisations as these have the major effect in the necessary investments for Cybersecurity.

We can distinguish two major categories for the costs associated with the cybersecurity solution: Operational Expenditures (OPEX) and Capital Expenditures (CAPEX). CAPEX are the investments that an organisation uses to acquire, upgrade, and maintain physical assets (for example a new firewall, or an intrusion detection system). These costs benefit the organisation for several years and are usually included in the balance sheet. On the other hand, OPEX are costs that benefit the organisation for a single period and are used for running a product, business, or system (for example costs for annual subscription of a cyber-security software).

The benefits of cybersecurity are directly associated with the cost savings or avoidance resulting from preventing the effects of a successful cyber-attack such as data-breaches, infections, loss of customer trust, or loss of intellectual property, among the most important. The optimal for each organisation would be to implement the level of security in which the net benefits (benefits – costs) are at maximum (since further spending might not have the desirable effect due to increasing costs).

The approach that is used is to make a comparison between cost and benefits. Benefits are the cost savings that can be achieved when security products are in place to avoid, minimize or deter cybersecurity incidents. This deliverable has the objective to investigate the costs (“without” any cyber security solutions in place scenario) and benefits (“with” a cyber-security solution in place scenario) that organisations would potentially experience. Only the direct cost and benefits experienced by the enterprises are considered, while the impacts in other sectors of the economy are not modelled. The study period is four years, specifically the period from 2018 -2021.

2.1 Net Present Value Net Present Value (NPV) is a metric to evaluate projects which assesses the difference between the revenue the investment is expected to generate over its lifecycle and the costs expected to be made over the same period, taking inflation into consideration and discounting both future costs and revenues at the appropriate discount rate. To simplify the analysis, we will assume that future costs and benefits are made at the end of each period (calendar year). The NPV can be calculated using the following formula:



∑ ( )

Where:

= The initial investments at the beginning of the study period

= Expected benefits at time period t

= Expected costs at time period t

t= the time period

d= the discount rate

If the calculated NPV is greater than zero, this means that PV (present value) of future benefits exceeds those of the costs; the opposite is true if NPV is less than zero.

2.2 Sensitivity and Risk analysis The difference between traditional “plain” sensitivity analysis and risk analysis based on Monte Carlo simulation [1] is that the former only reveals what is possible, not what is probable. In traditional sensitivity analysis, a number of variables are selected for the study and they are altered one at a time to measure their individual impact on the final output. Often, what-if scenarios are constructed with different combinations of worst-case and best-case values of each of the variables. Monte Carlo simulation, however, makes it possible not only to assign a probability distribution to each variable (we know that some variables are more uncertain than others) but also to update all the selected variables automatically and simultaneously. Random numbers are generated according to the selected distributions for each of the selected variables for the risk analysis. The simulation therefore calculates a large number (the number of simulation trials is specified by the user) of what-if scenarios. What is more, Monte Carlo simulation also allows us to keep track of the calculations for every change in each variable by measuring their individual impact on the final output. The type of probability distribution assigned to the variables under investigation is based on the variable’s statistical properties.

2.3 Methodological Issues An important factor that is critical for the successful implementation of the method is the accuracy of the collected data. For the implementation of the method a number of inputs are required in order to determine and identify costs and benefits for each type of organisation and to make forecasts for these. The main objective is to find out the cost related to the protection against cyber threats and also to calculate the benefits for each organisation according to its size.

One more aspect that should be mentioned is that the cost of cybersecurity solutions and implementations varies between different types of companies depending on their size, the assets they want to protect, and the data they own, amongst other factors. The prices of the different products are not publicly available as usually there are agreements that provide special discounts that are confidential. In our effort to overcome this obstacle the cost of cyber security products will be modelled as a function of the size of the company that is a parameter that drives the costs for cyber security investments and the costs of a successful cyber-attack. The model that was created calculates the results per company size for each of the EU-28 countries. In a complementary analysis, the cost and benefits for individual (for each of the countries) have also been calculated. The following sections present the available data and sources, along with the methodology that was used to bring the data into the required format. In the rest of the deliverable both the terms ‘companies’ and ‘enterprises’ are used to denote the same type of organisation and are used interchangeably.



2.3.1 Classification of companies In order to model the costs and benefits of the companies of different sizes, the classification for companies that is used by EU Commission [1] have been used in this study. According to that, enterprises are classified into the following categories:

Micro

Small

Medium

Large

The first three categories comprise the Small and Medium Enterprises (SMEs) that are defined as the companies having less than 250 people employed. Table 2-1 presents the criteria for classification that are used for these 4 categories.

Table 2-1: Classification of companies

Company category Number of employees Turnover Balance Sheet total

Micro 0 to 9 < €2 Million < €2 Million

Small 10 to 49 < €10 Million < €10 Million

Medium 50 to 249 < €50 Million < €43 Million

Large >250 > €50 Million > €43 Million

2.3.2 Number of companies by size, by country Eurostat produces annual structural business statistics that are used to derive the results for each of the EU-28 countries [1]. The main source of information is the number of companies (all sizes) that are active in each country for the past years. The available data cover the period from 2010 to 2016 for most of the countries and are presented at Table 2-2. In the cases where data points were missing, an extrapolation taking into consideration the available data was used to derive the missing points.

Table 2-2: Number of active enterprises by year (2010-2016)

Country 2010 2011 2012 2013 2014 2015 2016

Belgium 597,850 612,143 620,254 620,192 634,384 642,130 659,387

Bulgaria 323,872 319,937 323,745 327,503 332,800 339,175 347,962

Czech Republic

969,801 989,952 987,609 968,621 1,022,045 1,026,355 1,037,883

Denmark 212,593 218,082 218,078 216,297 217,960 216,458 224,942

Germany 2,958,720 2,985,718 2,997,832 2,972,456 2,818,836 2,795,899 2,801,030

Estonia 70,302 72,178 76,002 79,314 80,473 82,769 85,737

Ireland 195,431 189,055 185,530

238,249 248,843

Greece

777,268 765,974

Spain 3,102,016 3,056,440 3,012,443 2,951,815 2,943,908 2,970,947 3,026,237

France 2,947,623 2,977,599 3,039,203 3,181,072 3,414,614 3,492,052 3,559,026

Croatia

147,798 145,800 146,766 146,129 147,181

Italy 3,985,434 3,970,747 3,953,714 3,904,219 3,846,659 3,819,956 3,849,594

Cyprus 51,464 51,014 51,127 49,361 49,121 50,569 52,325

Latvia 82,650 87,973 93,664 97,023 100,979 110,310 116,393

Lithuania 120,830 131,986 150,855 158,190 177,752 185,954 197,254

Luxembourg 27,611 28,516 29,122 30,223 31,246 31,906 32,391

Hungary 563,368 557,889 524,749 515,925 522,058 531,121 535,507



Country 2010 2011 2012 2013 2014 2015 2016

Malta 33,039 32,824 31,427 30,494 31,841 32,143 32464

Netherlands 970,457 1,013,255 1,040,751 1,051,429 1,075,534 1,112,691 1,155,256

Austria 426,815 430,296 432,234 431,680 419,779 409,199 406,079

Poland 1,957,113 1,983,731 1,989,879 2,015,249 2,025,270 2,059,967 2,015,506

Portugal 875,083 846,013 807,358 791,101 794,398 818,120 843,693

Romania 450,168 609,827 647,325 689,983 696,142 695,108 717,388

Slovenia 123,467 125,413 128,088 134,601 137,438 141,118 143,451

Slovakia 374,114 421,909 404,369 398,895 438,067 446,471 454,191

Finland 286,432 291,080 291,410 290,778 293,685 291,307 289,631

Sweden 667,421 715,879 736,112 719,505 727,258 740,182 758,640

United Kingdom

2,013,225 2,027,600 2,054,940 2,126,775 2,218,955 2,326,020 2,467,365

The time period covered in our study is from 2018 to 2021 so, we have calculated the average growth for the last four years and then used that to make a forecast using in order to estimate the number of companies for the period 2016-2021 (for each of the countries). Then, the number of companies, by country, for the period 2017 to 2021 was calculated, and is presented in Table 2-3.

Table 2-3: Forecasted Number of active enterprises by year (2017-2021)

Country 2017 2018 2019 2020 2021

Belgium 665,981 672,641 679,367 686,161 693,022

Bulgaria 351,442 354,956 358,506 362,091 365,712

Czech Republic 1,048,262 1,058,744 1,069,332 1,080,025 1,090,825

Denmark 227,191 229,463 231,758 234,076 236,416

Germany 2,829,040 2,857,331 2,885,904 2,914,763 2,943,911

Estonia 86,594 87,460 88,335 89,218 90,110

Ireland 253,845 256,383 258,947 261,536 264,152

Greece 773,634 781,370 789,184 797,076 805,046

Spain 3,056,499 3,087,064 3,117,935 3,149,114 3,180,606

France 3,594,616 3,630,562 3,666,868 3,703,537 3,740,572

Croatia 148,653 150,139 151,641 153,157 154,689

Italy 3,888,090 3,926,971 3,966,241 4,005,903 4,045,962

Cyprus 52,848 53,377 53,910 54,450 54,994

Latvia 117,557 118,732 119,920 121,119 122,330

Lithuania 199,227 201,219 203,231 205,263 207,316

Luxembourg 32,715 33,042 33,372 33,706 34,043

Hungary 540,862 546,271 551,733 557,251 562,823

Malta 32,789 33,117 33,448 33,783 34,120

Netherlands 1,166,809 1,178,477 1,190,261 1,202,164 1,214,186

Austria 410,140 414,241 418,384 422,567 426,793

Poland 2,035,661 2,056,018 2,076,578 2,097,344 2,118,317

Portugal 852,130 860,651 869,258 877,950 886,730



Country 2017 2018 2019 2020 2021

Romania 724,562 731,807 739,126 746,517 753,982

Slovenia 144,886 146,334 147,798 149,276 150,768

Slovakia 458,733 463,320 467,953 472,633 477,359

Finland 292,527 295,453 298,407 301,391 304,405

Sweden 766,226 773,889 781,628 789,444 797,338

United Kingdom 2,492,039 2,516,959 2,542,129 2,567,550 2,593,225

Eurostat does not provide information about the number of enterprises by size and by country in one dataset, so intermediate calculations were performed in order to create the required input from the available data. Instead, Eurostat provides data with the share of each type of companies by size as part of the total number in each of the country. Assuming that the mix will not change significantly in the next years, since historical data show that there is limited variation from one year to the next, by multiplying this percentage with the total number of enterprises we can determine the number of companies, by size, for each of the countries. One additional issue that must be considered is that in the definition of micro companies there are some that have zero employees. These are companies with self-employed individuals that for the purpose of our analysis must be in a separate category, so an adjustment to their number was made to take that into consideration. The methodology that was used to determine the number of enterprises per country into the following categories:

Self-employed (0 employees)

Micro (1 to 9 employees)

Small (10 to 49 employees)

Medium (49 to 250 employees)

Large (more than 250 employees)

is illustrated in Figure 2-1:

Figure 2-1: Calculation of number of enterprises by size, by country



The metric that shows the percentage of each company size out of the total number of companies is given in [4]. The available data is shown in Table 2-4.

Table 2-4: Percentage mix of total number of enterprises

Country Micro Small Medium Large

Belgium 94.61% 4.57% 0.67% 0.15%

Bulgaria 91.55% 6.95% 1.30% 0.20%

Czech Republic 96.05% 3.14% 0.66% 0.15%

Denmark 88.69% 9.25% 1.74% 0.32%

Germany 83.68% 13.67% 2.22% 0.43%

Estonia 90.53% 7.70% 1.52% 0.25%

Ireland 92.57% 6.19% 1.04% 0.20%

Greece 96.19% 3.38% 0.38% 0.05%

Spain 94.93% 4.36% 0.59% 0.12%

France 95.72% 3.58% 0.57% 0.13%

Croatia 91.60% 6.99% 1.16% 0.25%

Italy 95.14% 4.29% 0.49% 0.08%

Cyprus 93.32% 5.64% 0.91% 0.13%

Latvia 91.52% 6.99% 1.31% 0.18%

Lithuania 92.56% 6.12% 1.15% 0.17%

Luxembourg 87.93% 9.72% 1.91% 0.44%

Hungary 94.09% 4.94% 0.80% 0.17%

Malta 93.42% 5.22% 1.15% 0.21%

Netherlands 95.23% 3.83% 0.79% 0.15%

Austria 87.34% 10.72% 1.61% 0.33%

Poland 95.28% 3.61% 0.91% 0.20%

Portugal 95.07% 4.19% 0.64% 0.10%

Romania 88.51% 9.45% 1.71% 0.33%

Slovenia 94.73% 4.29% 0.82% 0.16%

Slovakia 96.79% 2.61% 0.49% 0.11%

Finland 91.33% 7.21% 1.20% 0.26%

Sweden 94.65% 4.42% 0.78% 0.15%

United Kingdom

89.28% 8.93% 1.46% 0.33%

We can then calculate the number of enterprises by size by country by multiplying tables 2-3 and 2-4. The calculations for each type of company, by country, are presented in the following tables 2-5 to 2-8.

Table 2-5: Number of micro companies by country

Country 2018 2019 2020 2021

Belgium 636,385 642,749 649,177 655,668

Bulgaria 324,962 328,212 331,494 334,809



Country 2018 2019 2020 2021

Czech Republic 1,016,924 1,027,093 1,037,364 1,047,738

Denmark 203,511 205,546 207,602 209,678

Germany 2,391,014 2,414,924 2,439,074 2,463,464

Estonia 79,178 79,970 80,769 81,577

Ireland 237,334 239,707 242,104 244,525

Greece 751,600 759,116 766,707 774,374

Spain 2,930,550 2,959,856 2,989,454 3,019,349

France 3,475,174 3,509,926 3,545,025 3,580,476

Croatia 137,528 138,903 140,292 141,695

Italy 3,736,120 3,773,481 3,811,216 3,849,328

Cyprus 49,811 50,309 50,812 51,320

Latvia 108,664 109,751 110,848 111,957

Lithuania 186,248 188,111 189,992 191,892

Luxembourg 29,054 29,344 29,638 29,934

Hungary 513,986 519,126 524,317 529,560

Malta 30,938 31,247 31,560 31,875

Netherlands 1,122,263 1,133,486 1,144,821 1,156,269

Austria 361,798 365,416 369,070 372,761

Poland 1,958,974 1,978,563 1,998,349 2,018,332

Portugal 818,221 826,403 834,667 843,014

Romania 647,723 654,200 660,742 667,349

Slovenia 138,623 140,009 141,409 142,823

Slovakia 448,448 452,932 457,461 462,036

Finland 269,837 272,535 275,261 278,013

Sweden 732,486 739,810 747,209 754,681

United Kingdom

2,247,141 2,269,612 2,292,309 2,315,232

Table 2-6: Number of small companies by country

Country 2018 2019 2020 2021

Belgium 30,740 31,047 31,358 31,671

Bulgaria 24,669 24,916 25,165 25,417

Czech Republic 33,245 33,577 33,913 34,252

Denmark 21,225 21,438 21,652 21,869

Germany 390,597 394,503 398,448 402,433

Estonia 6,734 6,802 6,870 6,939

Ireland 15,870 16,029 16,189 16,351

Greece 26,410 26,674 26,941 27,211

Spain 134,596 135,942 137,301 138,674

France 129,974 131,274 132,587 133,912

Croatia 10,495 10,600 10,706 10,813



Italy 168,467 170,152 171,853 173,572

Cyprus 3,010 3,041 3,071 3,102

Latvia 8,299 8,382 8,466 8,551

Lithuania 12,315 12,438 12,562 12,688

Luxembourg 3,212 3,244 3,276 3,309

Hungary 26,986 27,256 27,528 27,803

Malta 1,729 1,746 1,763 1,781

Netherlands 45,136 45,587 46,043 46,503

Austria 44,407 44,851 45,299 45,752

Poland 74,222 74,964 75,714 76,471

Portugal 36,061 36,422 36,786 37,154

Romania 69,156 69,847 70,546 71,251

Slovenia 6,278 6,341 6,404 6,468

Slovakia 12,093 12,214 12,336 12,459

Finland 21,302 21,515 21,730 21,948

Sweden 34,206 34,548 34,893 35,242

United Kingdom

224,764 227,012 229,282 231,575

Table 2-7: Number of medium companies by country

Country 2018 2019 2020 2021

Belgium 4,507 4,552 4,597 4,643

Bulgaria 4,614 4,661 4,707 4,754

Czech Republic 6,988 7,058 7,128 7,199

Denmark 3,993 4,033 4,073 4,114

Germany 63,433 64,067 64,708 65,355

Estonia 1,329 1,343 1,356 1,370

Ireland 2,666 2,693 2,720 2,747

Greece 2,969 2,999 3,029 3,059

Spain 18,214 18,396 18,580 18,766

France 20,694 20,901 21,110 21,321

Croatia 1,742 1,759 1,777 1,794

Italy 19,242 19,435 19,629 19,825

Cyprus 486 491 495 500

Latvia 1,555 1,571 1,587 1,603

Lithuania 2,314 2,337 2,361 2,384

Luxembourg 631 637 644 650

Hungary 4,370 4,414 4,458 4,503

Malta 381 385 389 392

Netherlands 9,310 9,403 9,497 9,592

Austria 6,669 6,736 6,803 6,871



Country 2018 2019 2020 2021

Poland 18,710 18,897 19,086 19,277

Portugal 5,508 5,563 5,619 5,675

Romania 12,514 12,639 12,765 12,893

Slovenia 1,200 1,212 1,224 1,236

Slovakia 2,270 2,293 2,316 2,339

Finland 3,545 3,581 3,617 3,653

Sweden 6,036 6,097 6,158 6,219

United Kingdom

36,748 37,115 37,486 37,861

Table 2-8: Number of large companies by country

Country 2018 2019 2020 2021

Belgium 1,009 1,019 1,029 1,040

Bulgaria 710 717 724 731

Czech Republic 1,588 1,604 1,620 1,636

Denmark 734 742 749 757

Germany 12,287 12,409 12,533 12,659

Estonia 219 221 223 225

Ireland 513 518 523 528

Greece 391 395 399 403

Spain 3,704 3,742 3,779 3,817

France 4,720 4,767 4,815 4,863

Croatia 375 379 383 387

Italy 3,142 3,173 3,205 3,237

Cyprus 69 70 71 71

Latvia 214 216 218 220

Lithuania 342 345 349 352

Luxembourg 145 147 148 150

Hungary 929 938 947 957

Malta 70 70 71 72

Netherlands 1,768 1,785 1,803 1,821

Austria 1,367 1,381 1,394 1,408

Poland 4,112 4,153 4,195 4,237

Portugal 861 869 878 887

Romania 2,415 2,439 2,464 2,488

Slovenia 234 236 239 241

Slovakia 510 515 520 525

Finland 768 776 784 791

Sweden 1,161 1,172 1,184 1,196

United Kingdom

8,306 8,389 8,473 8,558



The definition of micro companies includes companies with zero employees, which are enterprises of people that are self-employed, so in order to have the correct number of micro companies the 0 personnel companies must be subtracted from the total number of micro companies. The available data is from Eurostat 67[3] and is presented in Table 2-9.

Table 2-9: Number of companies with zero employees (2010-2016)

Country 2010 2011 2012 2013 2014 2015 2016

Belgium 403,900 417,214 427,888 430,673 446,358 456,014 468,715

Bulgaria 142,166 140,119 144,330 146,975 150,306 152,345 169,625

Czech Republic 743,081 763,119 750,682 737,555 815,315 800,365 811,579

Denmark 112,187 115,862 115,535 82,868 86,300 85,502 105,258

Germany 1,578,194 1,592,037 1,597,589 1,613,243 1,339,211 1,322,461 1,309,716

Estonia 30,906 31,733 33,389 34,981 33,788 32,021 31,415

Ireland 96,095 89,573 86,631

135,811 142,629 144055.29

Greece

366,452 354,419

Spain 1,731,527 1,737,266 1,662,304 1,632,095 1,657,159 1,688,181 1,720,532

France 1,916,252 1,964,146 2,023,988 2,052,572 2,289,048 2,361,988 2,482,415

Croatia

47,094 43,857 21,671 37,728 45,825

Italy 2,590,456 2,511,354 2,491,889 2,496,956 2,481,838 2,432,989 2,476,586

Cyprus 16,153 15,451 16,055 17,295 17,804 20,838 18,473

Latvia 26,677 27,589 43,921 45,650 47,562 55,969 45,731

Lithuania 56,779 65,148 77,806 91,610 105,648 112,630 122,179

Luxembourg 9,910 10,418 10,630 11,267 11,764 12,013 12,262

Hungary 250,808 241,176 209,039 208,444 198,198 171,131 168,179

Malta 22,657 22,165 21,374 20,751 19,102 19293.02

Netherlands 730,879 773,679 803,797 818,447 845,007 883,775 916,800

Austria 213,567 214,461 214,682 227,952 217,029 207,735 203,494

Poland 1,297,483 1,307,276 1,327,651 1,349,864 1,340,741 1,285,042 1,263,849

Portugal 543,231 522,138 498,069 487,307 489,105 510,096 532,838

Romania 90,501 252,961 291,580 333,275 341,817 341,556 344,917

Slovenia 58,968 60,775 62,962 70,176 72,010 74,611 75,618

Slovakia 254,953 252,186 245,068 230,808 322,961 327,389 329,555

Finland 153,394 155,751 141,877 157,253 157,547 155,088 153,820

Sweden 425,425 455,042 466,936 449,936 451,981 460,785 472,928

United Kingdom 303,785 285,200 273,910 266,880 258,325 241,520 233,805



Based on the growth trend of the period 2010-1016, a forecast (by country) for the years 2017-2021 was made (Table 2-10).

Table 2-10: Estimation of number of companies with zero employees (2018- 2021)

Country 2016 2017 2018 2019 2020 2021

Belgium 468,715 473,402 478,136 482,918 487,747 492,624

Bulgaria 169,625 171,321 173,034 174,765 176,512 178,278

Czech Republic

811,579 819,695 827,892 836,171 844,532 852,978

Denmark 105,258 106,311 107,374 108,447 109,532 110,627

Germany 1,309,716 1,322,813 1,336,041 1,349,402 1,362,896 1,376,525

Estonia 31,415 31,729 32,046 32,367 32,691 33,017

Ireland 144,055 145,496 146,951 148,420 149,905 151,404

Greece 354,419 357,963 361,543 365,158 368,810 372,498

Spain 1,720,532 1,737,737 1,755,115 1,772,666 1,790,392 1,808,296

France 2,482,415 2,507,239 2,532,312 2,557,635 2,583,211 2,609,043

Croatia 45,825 46,283 46,746 47,214 47,686 48,163

Italy 2,476,586 2,501,352 2,526,365 2,551,629 2,577,145 2,602,917

Cyprus 18,473 18,658 18,844 19,033 19,223 19,415

Latvia 45,731 46,188 46,650 47,117 47,588 48,064

Lithuania 122,179 123,401 124,635 125,881 127,140 128,411

Luxembourg 12,262 12,385 12,508 12,634 12,760 12,887

Hungary 168,179 169,861 171,559 173,275 175,008 176,758

Malta 19,293 19,486 19,681 19,878 20,076 20,277

Netherlands 916,800 925,968 935,228 944,580 954,026 963,566

Austria 203,494 205,529 207,584 209,660 211,757 213,874

Poland 1,263,849 1,276,487 1,289,252 1,302,145 1,315,166 1,328,318

Portugal 532,838 538,166 543,548 548,984 554,473 560,018

Romania 344,917 348,366 351,850 355,368 358,922 362,511

Slovenia 75,618 76,374 77,138 77,909 78,688 79,475

Slovakia 329,555 332,851 336,179 339,541 342,936 346,366

Finland 153,820 155,358 156,912 158,481 160,066 161,666

Sweden 472,928 477,657 482,434 487,258 492,131 497,052

United Kingdom

233,805 236,143 238,504 240,890 243,298 245,731



Based on this data, we then calculated the adjusted number of micro companies that do not include companies of self-employed.

Table 2-11: Number of micro companies without the ones with zero employees (2018- 2021)

Country 2016 2017 2018 2019 2020 2021

Belgium 158,249 159,832 161,430 163,044 158,249 159,832

Bulgaria 151,928 153,447 154,982 156,531 151,928 153,447

Czech Republic

189,032 190,923 192,832 194,760 189,032 190,923

Denmark 96,137 97,099 98,070 99,050 96,137 97,099

Germany 1,054,973 1,065,523 1,076,178 1,086,940 1,054,973 1,065,523

Estonia 47,131 47,603 48,079 48,560 47,131 47,603

Ireland 90,383 91,287 92,200 93,122 90,383 91,287

Greece 390,057 393,958 397,897 401,876 390,057 393,958

Spain 1,175,436 1,187,190 1,199,062 1,211,052 1,175,436 1,187,190

France 942,863 952,291 961,814 971,432 942,863 952,291

Croatia 90,782 91,689 92,606 93,532 90,782 91,689

Italy 1,209,755 1,221,852 1,234,071 1,246,411 1,209,755 1,221,852

Cyprus 30,967 31,277 31,589 31,905 30,967 31,277

Latvia 62,014 62,634 63,260 63,893 62,014 62,634

Lithuania 61,613 62,229 62,852 63,480 61,613 62,229

Luxembourg 16,545 16,711 16,878 17,047 16,545 16,711

Hungary 342,427 345,851 349,309 352,803 342,427 345,851

Malta 11,257 11,370 11,483 11,598 11,257 11,370

Netherlands 187,036 188,906 190,795 192,703 187,036 188,906

Austria 154,214 155,756 157,314 158,887 154,214 155,756

Poland 669,721 676,418 683,183 690,014 669,721 676,418

Portugal 274,673 277,420 280,194 282,996 274,673 277,420

Romania 295,873 298,832 301,820 304,838 295,873 298,832

Slovenia 61,485 62,099 62,720 63,348 61,485 62,099

Slovakia 112,269 113,391 114,525 115,670 112,269 113,391

Finland 112,925 114,054 115,195 116,347 112,925 114,054

Sweden 250,052 252,552 255,078 257,629 250,052 252,552

United Kingdom

2,008,637 2,028,723 2,049,010 2,069,500 2,008,637 2,028,723



2.3.3 Number of employees by size and by country To calculate the average number of employees, for the different enterprise sizes, by country we have used the data from Table 2-11 along with the number of employees by company size, for all available countries from Eurostat [3]. The process that was implemented is illustrated in Figure 2-2.

Figure 2-2: Calculation of the average number of employees

The data showing the number of employees for the different types of companies by country is presented in Table 2-12. The companies in the ‘Small’ category is divided into two sub categories (10 to 19 and 20 to 49) so as to match this with the existing definition of Small companies, the total people in small enterprises is the sum of these two columns.

Table 2-12: Persons employed per size of companies

Country Large Medium Small (20 to 49) Small (10 to 19) Micro Belgium 863,715 423,503 314,572 232,026 968,611

Bulgaria 493,848 419,472 265,904 189,367 592,929

Czech Republic

1,196,643 696,211 368,528 265,962 1,134,528

Denmark 595,198 354,491 217,024 162,651 336,684

Germany 10,471,499 5,691,495 3,469,844 3,123,955 5,501,621

Estonia 90,210 97,179 59,312 45,162 129,639

Ireland 381,540 248,969 164,155 379,072 385,386

Greece 346,200 255,492 187,491 202,851 1,139,461

Spain 3,248,856 1,536,888 1,287,144 1,099,947 4,540,883

France 5,725,748 2,304,725 1,646,440 1,261,153 4,681,373

Croatia 305,028 185,646 111,310 95,560 299,791

Italy 3,108,862 1,882,976 1,413,049 1,611,800 6,530,641

Cyprus 38,220 46,911 28,706 25,089 90,366

Latvia 132,966 137,687 84,801 62,522 216,980

Lithuania 233,385 218,565 133,595 93,876 275,218

Luxembourg 86,543 64,446 38,303 28,973 46,772



Country Large Medium Small (20 to 49) Small (10 to 19) Micro Hungary 812,072 443,080 274,093 237,678 905,522

Malta 30,962 31,841 19,654 14,227 45,922

Netherlands 1,875,814 992,658 590,377 426,003 1,576,224

Austria 865,209 535,523 366,359 311,036 700,318

Poland 2,865,583 1,591,891 707,347 469,064 3,375,788

Portugal 66,9293 49,9433 352,652 288,233 1,274,600

Romania 1,378,040 832,677 500,670 366,050 900,656

Slovenia 163,575 115,048 58,584 52,789 214,243

Slovakia 431,905 251,444 125,393 86,304 631,580

Finland 500,179 265,908 181,705 143,638 363,187

Sweden 1,120,662 604,553 404,136 310,221 764,337

United Kingdom

9,190,814 3,164,738 2,090,304 1,583,765 3,764,911

Taking these tables into consideration we then calculated the average number of employees for the different categories of company sizes, for the EU 28 countries. The results are presented at Table 2-13.

Table 2-13: Average Number of employees by company size

Country Micro Small Medium Large

Belgium 6 18 94 856

Bulgaria 4 18 91 696

Czech Republic 6 19 100 753

Denmark 4 18 89 811

Germany 5 17 90 852

Estonia 3 16 73 413

Ireland 3 34 93 744

Greece 3 15 86 886

Spain 4 18 84 877

France 5 22 111 1,213

Croatia 3 20 107 813

Italy 5 18 98 990

Cyprus 3 18 97 551

Latvia 3 18 89 622

Lithuania 4 18 94 682

Luxembourg 3 21 102 595

Hungary 3 19 101 874

Malta 4 20 84 445

Netherlands 8 23 107 1,061

Austria 5 15 80 633

Poland 5 16 85 697

Portugal 3 18 91 778

Romania 3 13 67 571

Slovenia 3 18 96 699

Slovakia 6 18 111 847



Finland 3 15 75 651

Sweden 3 21 100 965

United Kingdom 2 16 86 1,107

2.3.4 Number of individuals using the internet While the percentage of companies using the Internet is almost 100%, this is not the case for individuals. What is required for our model is the number of individuals that are above 14 years old and own a device that can access the Internet as well as the percentage of them that are using the Internet. The available data from Eurostat include the population by country, the population for the age group from zero to fourteen and the percentage of population that have never used the Internet. The calculation process is illustrated in Figure 2-3.

Figure 2-3: Calculation of the number of individuals that use the Internet

Table 2-14: Population by country

Country 2018 2019 2020 2021

Belgium 11,413,058 11,472,470 11,528,829 11,582,290

Bulgaria 7,050,034 7,003,223 6,951,710 6,901,286

Czech Republic 10,610,055 10,629,428 10,653,639 10,680,217

Denmark 5,781,190 5,823,921 5,864,875 5,902,321

Germany 82,850,000 83,549,224 84,072,127 84,479,875

Estonia 1,319,133 1,318,498 1,319,950 1,321,094

Ireland 4,838,259 4,885,152 4,940,449 4,993,634

Greece 10,738,868 10,675,416 10,641,823 10,608,622

Spain 46,659,302 46,629,145 46,714,539 46,789,320



Country 2018 2019 2020 2021

France 67,221,943 67,595,652 67,829,753 68,114,927

Croatia 4,105,493 4,078,380 4,037,099 3,998,279

Italy 60,483,973 60,422,383 60,312,982 60,233,206

Cyprus 864,236 860,553 867,886 872,624

Latvia 1,934,379 1,917,156 1,899,603 1,882,542

Lithuania 2,808,901 2,779,269 2,740,086 2,703,270

Luxembourg 602,005 616,020 629,143 642,159

Hungary 9,778,371 9,751,071 9,724,278 9,698,682

Malta 475,701 485,054 497,035 509,099

Netherlands 17,118,084 17,209,257 17,284,546 17,356,083

Austria 8,822,267 8,922,733 8,999,876 9,068,246

Poland 37,976,687 37,953,570 37,946,825 37,945,403

Portugal 10,291,027 10,247,472 10,221,344 10,191,527

Romania 19,523,621 19,427,146 19,308,107 19,196,222

Slovenia 2,066,880 2,068,568 2,069,905 2,071,319

Slovakia 5,443,120 5,448,903 5,456,587 5,464,310

Finland 5,513,130 5,531,931 5,545,337 5,559,608

Sweden 10,120,242 10,231,292 10,360,142 10,487,886

United Kingdom 66,238,007 66,743,225 67,186,976 67,634,915

Table 2-15: Population in the age group 0-14 as a percentage of the total population

Country 2018 (%) 2019 (%) 2020 (%) 2021 (%)

Belgium 17.04 17.00 17.03 17.02

Bulgaria 14.30 14.45 14.57 14.71

Czech Republic

15.74 15.94 16.12 16.33

Denmark 16.34 16.21 15.97 15.80

Germany 13.00 13.13 13.07 13.08

Estonia 16.43 16.52 16.68 16.81

Ireland 21.61 21.14 21.17 21.00

Greece 14.43 14.31 14.24 14.19

Spain 15.30 15.18 15.22 15.19

France 18.50 18.33 18.35 18.28

Croatia 14.28 14.20 14.08 13.97

Italy 13.60 13.39 13.36 13.21

Cyprus 15.96 16.14 16.02 15.99

Latvia 15.46 15.95 16.09 16.40

Lithuania 14.45 14.62 14.53 14.58

Luxembourg 16.04 15.83 15.71 15.45



Country 2018 (%) 2019 (%) 2020 (%) 2021 (%)

Hungary 14.35 14.45 14.43 14.45

Malta 13.75 13.74 13.53 13.42

Netherlands 16.15 15.90 15.71 15.49

Austria 13.98 14.14 14.00 14.03

Poland 14.83 14.93 14.87 14.86

Portugal 13.80 13.61 13.40 13.19

Romania 15.34 15.38 15.28 15.29

Slovenia 15.15 15.19 15.36 15.44

Slovakia 15.21 15.37 15.28 15.33

Finland 16.23 16.15 16.11 16.07

Sweden 17.69 17.94 18.08 18.24

United Kingdom

17.72 17.82 17.83 17.88

Table 2-16: Percentage of population that have never used the Internet

Country 2018 (%) 2019 (%) 2020 (%) 2021 (%)

Belgium 9.15 8.33 7.37 6.76

Bulgaria 28.04 26.23 24.26 22.48

Czech Republic

10.01 8.93 8.17 7.17

Denmark 1.58 1.35 1.10 0.97

Germany 6.00 5.12 4.31 3.73

Estonia 7.32 6.95 6.53 5.63

Ireland 14.78 14.82 14.56 14.42

Greece 25.26 23.98 22.85 21.57

Spain 12.69 11.10 9.61 8.37

France 8.75 8.27 7.74 7.21

Croatia 24.66 24.50 24.80 25.07

Italy 19.92 17.51 15.64 13.91

Cyprus 16.65 14.34 12.16 10.48

Latvia 14.47 13.24 12.40 11.36

Lithuania 17.74 16.15 14.24 12.93

Luxembourg 1.29 1.07 0.97 0.75

Hungary 15.92 14.56 13.21 12.14

Malta 17.14 15.76 14.51 13.12

Netherlands 3.18 2.76 2.44 2.01

Austria 9.56 8.42 7.47 6.49

Poland 17.85 15.78 13.73 12.38

Portugal 20.69 18.67 16.71 15.03

Romania 23.78 21.14 19.27 17.05

Slovenia 18.25 16.55 15.33 14.04

Slovakia 14.38 13.92 13.30 13.10

Finland 4.08 3.78 3.69 3.58



Country 2018 (%) 2019 (%) 2020 (%) 2021 (%)

Sweden 2.00 1.27 0.93 0.73

United Kingdom

3.16 2.70 2.21 1.95

Table 2-17: Population that uses the Internet (age 14 and greater)

Country 2018 (%) 2019 (%) 2020 (%) 2021 (%)

Belgium 8,601,535 8,728,982 8,860,612 8,960,971

Bulgaria 4,347,337 4,419,589 4,497,725 4,562,608

Czech Republic

8,045,856 8,137,597 8,206,864 8,296,128

Denmark 4,760,446 4,814,088 4,874,016 4,921,031

Germany 67,754,382 68,864,318 69,934,200 70,687,567

Estonia 1,021,647 1,024,250 1,027,981 1,037,167

Ireland 3,232,305 3,281,418 3,327,578 3,376,068

Greece 6,868,853 6,954,718 7,040,960 7,139,963

Spain 34,505,476 35,160,570 35,798,026 36,361,157

France 49,993,210 50,636,347 51,095,801 51,649,358

Croatia 2,651,707 2,642,080 2,608,477 2,577,461

Italy 41,847,944 43,164,483 44,083,898 44,999,856

Cyprus 605,375 618,152 640,245 656,244

Latvia 1,398,668 1,397,948 1,396,212 1,395,082

Lithuania 1,976,544 1,989,714 2,008,507 2,010,465

Luxembourg 498,910 512,989 525,121 538,867

Hungary 7,041,830 7,127,146 7,222,312 7,289,793

Malta 339,994 352,484 367,446 382,920

Netherlands 13,896,814 14,074,736 14,212,363 14,373,363

Austria 6,863,167 7,015,692 7,161,807 7,290,459

Poland 26,573,061 27,192,401 27,866,842 28,309,877

Portugal 7,035,867 7,199,579 7,372,155 7,517,548

Romania 12,598,235 12,963,566 13,206,705 13,488,956

Slovenia 1,433,674 1,463,986 1,483,488 1,505,599

Slovakia 3,951,569 3,969,468 4,008,228 4,020,583

Finland 4,429,881 4,463,003 4,480,039 4,499,104

Sweden 8,163,276 8,288,537 8,408,583 8,511,613

United Kingdom

52,781,491 53,368,642 53,990,940 54,457,894

2.3.5 Hourly labour cost To estimate the cost associated with the cleaning of spam, the hourly labour cost will be needed We have used historical data from Eurostat for 2012-17 to make an estimation of how this is expected to evolve in the 2018-21 period. The results are presented in Table 2-18.



Table 2-18: Hourly labour cost

Country 2018 (€) 2019 (€) 2020 (€) 2021 (€)

Belgium 39.90 40.19 40.47 40.76

Bulgaria 5.14 5.52 5.93 6.37

Czech Republic 10.84 11.08 11.33 11.58

Denmark 43.03 43.67 44.32 44.98

Germany 34.72 35.52 36.34 37.18

Estonia 12.40 13.17 13.99 14.86

Ireland 30.94 31.17 31.41 31.64

Greece 13.88 13.69 13.50 13.31

Spain 21.18 21.19 21.20 21.21

France 36.27 36.63 36.99 37.36

Croatia 10.49 10.71 10.93 11.16

Italy 28.27 28.33 28.38 28.44

Cyprus 15.52 15.37 15.22 15.07

Latvia 8.52 9.06 9.63 10.24

Lithuania 8.29 8.79 9.32 9.89

Luxembourg 38.38 39.10 39.84 40.59

Hungary 9.09 9.43 9.79 10.15

Malta 14.44 14.90 15.37 15.86

Netherlands 35.06 35.48 35.90 36.33

Austria 35.14 36.12 37.13 38.17

Poland 9.44 9.74 10.04 10.36

Portugal 14.04 14.20 14.36 14.53

Romania 6.56 7.12 7.73 8.39

Slovenia 16.91 17.21 17.52 17.83

Slovakia 11.45 11.96 12.48 13.03

Finland 33.58 33.91 34.25 34.59

Sweden 38.29 38.44 38.59 38.74

United Kingdom 27.73 28.21 28.70 29.19



3. Cyber-security products and solutions The evolving threat landscape is becoming increasingly complex. The days when attacks on PCs were viewed simply as an inconvenience appear to be confined to history. The emergence and growth of the Internet fuelled a new generation of attacks motivated by monetary gain, state-sponsored actions, and malicious intent, among other disparate reasons. Alongside, the sophistication of threats has continued to grow presenting an on-going challenge to organisations and their security teams. The older types of threats remain valid and cannot be ignored, creating a threat landscape with eclectic considerations. Security professionals are required to stay ahead of the game, or at least on top of the dame, whilst balancing the needs of their organisation alongside budgetary considerations.

Against this backdrop, a growing awareness of the need for defence in depth and prevention is responsible for a shift away from an increasing number of protection-point products towards cybersecurity platforms which may be 'off-the-shelf' or ‘bespoke’ solutions tailored to client specific requirements. The aim here is to briefly acknowledge and summarise the 'older' types of cyber security products which are still available on the market, while exploring the newer and fast-growing cybersecurity platform market in more detail. The purpose is to enumerate the progressive and disruptive technologies most relevant to the emerging threat landscape and to the future as it advances towards Artificial Intelligence (AI) product integration.

3.1 Cyber security product evolution Designing and building an architecture that is secure is not for the faint-hearted. Security-by-design is not yet an integral feature of the product research and design stage. The fact remains that too often security is an afterthought in the manufacturing cycle of new products. Security defence was developed out of the necessity for protection and, invariably, through ad hoc steps. Originally, physical security was all that was needed to thwart assailants [5]. Once interconnected systems had appeared, networks became vulnerable to outside intrusions. Activity in one part of a system could have inadvertent yet serious consequences in other parts. Security products began to be designed and developed but as add-ons for systems, networks or individual PCs. Built-in protections were still not available although the need for security-by-design was clear to many researchers and professionals [6].

A new market for security products grew rapidly, based on the exposed vulnerabilities and shortcomings of existing systems and infrastructures as well as the architectures behind them. Inherent weaknesses were being increasingly exposed by the rise of the cybercrime. Two new markets grew in parallel: the black or underground economy and the cyber security industry, in an almost endless cat and mouse game.

The early cyber security products were mainly software solutions, such as antivirus, installed on each endpoint device, most often a desktop computer that retrospectively defended against threats. Firewall programs and anti-virus were developed in the late 1980’s and early 1990’s. Firewalls were developed over time into highly sophisticated tools that monitor and prevent potentially malicious requests or traffic from reaching systems and networks. Numerous companies developed software that would “clean” a computer after an infection (anti-virus software). These software products became a mandatory addition to any network and, thus, the cybersecurity industry came to inception. Antivirus companies increased their profits and dominated the cybersecurity industry for the next 20 years but as the cyber threats escalated, the losses grew exponentially [7].

As the cybersecurity market continued to develop, software installed on endpoint devices, became the standard defence against threats, at least for the organisations with awareness of the growing risks. The increase in the digitization level of a company brought greater risk due to the vulnerabilities of its systems. More cyber defence products were developed as a consequence of the need to keep systems safe. An article posted by Joe Howard (Enterprise Account Manager - U.S Army at Hewlett Packard) identified 70 distinct categories of cyber security products) as illustrated in Table 3-1 [8].



Table 3-1: Cybersecurity Product Categories

Further in the article, Joe Howard refers to the need for a new approach to cyber security as, clearly, adding an almost endless list of point products to any system is not sustainable. Défense-in-depth, providing multiple layers of redundant defensive measures, is a valid strategy but requires considerable management and cost in man-hours and in-house equipment [9].

The necessity for better defences, and more integrated products, is an on-going observation. Reactive responses to cybersecurity incidents have not been effective. Systems have become increasingly complex and malware ubiquitous. The scale and scope of emergent threats necessitated a proactive incident response strategy [10]. Since 2014, new, creative strategies such as Artificial Intelligence, machine learning and behavioural detection have been employed by new players in the industry [11].

A new generation of cyber defence solutions began to emerge to meet the demands of diverse threats. Sophisticated systems gather transmission characteristics from network devices. Unusual traffic patterns are flagged and scrutinised further for signs of malicious activity or the behavioural characteristics which may be indicative of a threat. Complex queries could identify device or user behaviours indicative of a threat or other malicious activity and this became known as the Security Information Market (SIM). This technology, based largely on log management and rules-based detection platforms, is gradually being replaced by data science methods like machine learning and Artificial Intelligence, known as security analytics.

As the complexity of data gathering and security analytics has increased, so has the popularity of SIEM (Security Information and Event Management) platforms. SIEMs emerged as a way to store all the data as well as aggregate and correlate logs and events. As the volume of data grows, the limitations of SIEMs were



exposed. For an organisation using this type of solution, it can be costly to store everything in the SIEM with the result that they pick and choose what to include and what to exclude and, as a consequence, leave themselves exposed in some areas.

A consequence of the increasing volumes of data is that Incident Response (IR) has become more difficult. Research, conducted in early 2016 by security automation and orchestration company Phantom and IT analyst and business strategy firm Enterprise Strategy Group (ESG), found that two-thirds of organisations believe that Incident Response had become significantly more difficult or somewhat more difficult during the previous two years [12]. The main reasons cited were: more IT activities, including cloud and mobile computing, the addition of new security management and threat detection tools, and the growing volume of security alerts. Alarmingly, the same report found that:

A vast majority (74%) of enterprises admit that they regularly ignore some security alerts as part of prioritising investigations and managing the cybersecurity team’s workload.

Nearly one-third (31%) of organisations claim that they ignore at least 50% of all security alerts because they simply can’t keep up with the volume.

The difficulties facing security teams is demonstrated in an example ontology of the types of emerging technologies that are now being considered as mandatory within a cybersecurity platform (Table 3-2) [13].

Table 3-2: Cybersecurity Emerging Technologies

The growth in the cybersecurity market is a testimony to the rise in complexity of available products. In 2004, the global cybersecurity market was worth $3.5 billion. In 2021 it is predicted to be worth more than $120 billion [14]. The cybersecurity market grew by rou

Documents

D4.4 Report on Cost-Benefit Analysis of Cyber-security ...D4.4 Report on Cost-Benefit Analysis of Cyber-security Solutions, Products and Models Work Package 4: Cyber-security, Cyber-crime