Horizontal Market Analysis
In order to better understand a market, the first step may be to conduct a horizontal market analysis, i.e. an analysis of the number of players that are rivals at the same stage of the production chain. This also involves analysis of market structure, market segments and the competitive conduct of these rivals.
Market Definition and Relevant Players
Market Definition: The cyber-security market is a physical or virtual place, where demand and supply for cyber-security products and services meet.
Relevant Players: In order to identify a player as active in the cyber-security market, the company needs to offer one product line or a portfolio of cyber-security products or services in the market. These can span from authentication, authorization and access control to cryptography and system integrity as discussed below. Players that are active in the ICT market (like Microsoft) are not automatically firms with a separately identifiable portfolio of cyber-security products and services. So while all cyber-security firms are active in the ICT industry, by being part of the downstream market, the inverse does not hold. Ideally, the main share of revenue of a player would be associated with the marketing of the cyber-security products.
Figure 1 Specialized and End-to-End Cyber-security
Source: Jentzsch (2015).
Some of the players in cyber-security markets are end-to-end providers of cyber-security solutions (see Figure 1). End-to-end providers offer solutions that combine software, hardware and services. There are also many specialized firms that are only active in one specific segment, such as IT security consultancy services or encryption providers.
The segmentation along product lines (hardware, software and services) might be most useful for policy makers. The reason is that this segmentation allows the analysis of markets (for privacy and cyber-security) along the NACE classification systems. This in turn allows an international comparison of the markets across Europe.
Published Market Analyses
There is an increasing number of market analyses on cyber-security markets and industries, published primarily by consultancy firms. The problem with these studies is that they are very heterogeneous in terms of scope of coverage, quality, transparency and research method used. As of October 2015, no representative study of the market could be identified. Moreover, there is no study that covers the complete market, either in the EU in general or at the level of an individual member state.
Because of the difficulty of identifying the main players, their suppliers and main customers, we cannot extract robust insights on the technological dependencies of Europe. Moreover, many of the methods applied would not live up to scientific standards. Most of the studies reviewed for IPACSO use non-transparent methods: for example, cyber-security firms are identified using internal databases of clients, and such proprietary information is combined with interviews, web surveys or desktop research. This means that the results cannot be replicated by another researcher.
Those surveys that could be identified by the author are shown in Figure 2.
Figure 2 Cyber-security Market and Industry Studies
Source: Jentzsch (2015).
Figure 2 gives an overview of the main studies identified as well as the funding sources. While some of the studies cover the security industry, including the cyber-security industry (e.g. BIGS 2014 and Ecory 2015), others only cover the IT industry (excl. telecommunication, e.g. WIFOR 2013). The latter is the most transparent among these studies in terms of methodology and data used.
Another challenge is that the terms 'industry' and 'markets' are used interchangeably by many of the quoted studies. This is incorrect. The following briefly summarizes the distinction as explained in the study that WIFOR conducted:
Cyber-security market: The market is the total national consumption of cyber-security goods and services. It is calculated by taking the total production value minus the exports of cyber-security goods and services plus the imports. Other approximations are incorrect and do not reflect the understanding of a market as prevalent in economics.
Cyber-security industry: The size of the cyber-security industry is typically approximated by aggregating revenues across the relevant actors/players in the industry (including revenues from exports). If all industry players are known, we would obtain a total industry figure. However, if there is no complete list of active companies, a random sample must be selected. With adequate estimation techniques, the resulting figure would be representative of the whole industry. If that is not possible either, a non-random selection is used, and it is unclear what bias it has relative to a representative sample. The latter is prevalent among the studies cited.
The European Commission should support independent academic research on cyber-security markets and industries to a much greater extent, and should support research efforts to create complete or at least representative lists of companies.
Vertical Analysis: Supply Chains
A supply chain connects inputs to outputs by representing different stages of production. Supply chain analysis offers insights into the production of cyber-security and privacy goods and services of interacting agents at different levels of the production process. Interrelations in the production of cyber-security products and services become more important the more functions are outsourced to partner firms.
In today’s digital markets it is not sufficient to speak about vertical relationships, which is done here for exposition purposes, because networks of suppliers and buyers characterize these markets. Through increased inter-linkages, cyber-security risks are shared between ever more partners in the supply network. Supply chain analyses facilitate a better understanding of the incentive structures inherent in vertical relations, because the firms’ contracts state rules on:
- The allocation of value added (and revenues extracted) in the production process between the different actors in the supply chain; and
- The allocation of risks and liabilities related to the production and provision of the security goods and services.
The competitive environment can incentivize firms to vertically integrate, if competition is imperfect and causes multiple mark-ups, which then can be internalized in order to set a more competitive price in the final market. On the other hand, outsourcing can lead to significant cost savings (examples are cloud-as-a-service or software-as-a-service). Outsourcing, however, may also lead to significant security and privacy risks related to the information assets stored in the cloud, for example.
Figure 3. Cyber-security Supply Chain
Source: Jentzsch (2015).
Due to the complexity of cyber-security products, only a generic model of vertical relations in digital markets can be provided here. Figure 3 shows the different stages of production in a generic cyber-security firm.
Cyber-security Management in Supply Chains
The management of secure supply chains is a critical question not only for firms active in the cyber-security business, but also for critical infrastructure industries in general. In the former, however, industry stakeholders often describe cyber-security as part of their company’s DNA: In order to develop secure products, product development and production must be based upon secure processes and inputs. And the same, which is often ignored, should also hold for the ideation and innovation process.
Box 1. Threats to the IT Supply Chain
Source: Government Accounting Office (2012)
Some companies therefore establish an extra monitoring department that verifies whether security products have been developed securely. In the ICT business and the ICT security business, secure supply chain management includes software, hardware, business procedures and overall system architecture. Vulnerable software aside, hardware is also exploitable (e.g. by containing manipulated microchips). Further, hardware and software interact and depend on each other.
The management of cyber-secure supply chains is also important in critical infrastructure organizations including banking and finance, water and energy, and the health sector. These are – as end-users of products and services – at the final stage of the chain that needs to be secure in order to allow a secure operation of critical infrastructure.
Since no stakeholder claims that there is 100% security, we must speak of the best level reachable given existing knowledge and technology and given the best effort invested.
IPACSO Publications and further links:
Jentzsch, N. (2015). Horizontal and Vertical Analysis of Privacy and Cyber-security Markets, IPACSO - Innovation Framework for ICT Security Deliverable 4.2A.
Inserra, D. and S.P. Bucci (2014). Cyber Supply Chain Security: A Crucial Step Towards U.S. Security, Prosperity, and Freedom in Cyberspace, http://report.heritage.org/bg2880
Government Accounting Office (GAO) (2012). IT Supply Chain: National Security-related Agencies Need to Better Address Risks, Report to Congressional Requesters, March 2012, http://www.gao.gov/assets/590/589568.pdf