Cybersecurity
1. Cluster Profile
“Cybersecurity commonly refers to the safeguards and actions that can be used to protect the cyber domain, both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure. Cybersecurity strives to preserve the availability and integrity of the networks and infrastructure and the confidentiality of the information contained therein.” (European Commission 2013)
1.1. Overview
Cybersecurity includes a set of activities focused on protecting computers, networks, programs, and data from unauthorized and/or unintended access. Modern societies are rapidly becoming more digitalized, so cybersecurity has become increasingly important as governments, corporations, and people collect, process, and store vast amounts of confidential information and transmit that data across different digital channels. Cyberattacks and various cyber threats have become commonplace in recent years. In response, individuals and companies across the world are becoming more aware of the potential threats and are ready to allocate substantial resources toward products and solutions that help mitigate such risks.
A report from Business Insider Intelligence estimated that US$655 billion will be spent on cybersecurity initiatives to protect personal computers (PCs), mobile devices, and Internet of things (IoT) devices by 2020, of which US$386 billion will be spent on securing PCs, US$172 billion on securing IoT devices, and US$113 billion on securing mobile devices (Business Insider 2016). According to Bloomberg and International Data Corporation (IDC), the largest areas of growth within cybersecurity are mobile security, IoT security, and specialized threat analysis and protection (Rana 2016). These growth areas are dwarfed by the overall information technology (IT) security market by size, but their projected compound annual growth rates (CAGRs) are expected to be significantly higher than those of the IT security market. For instance, while the specialized threat analysis and protection segment is only about US$1.5 billion in size (minuscule compared to the US$35 billion IT security segment), its projected CAGR is about 28 percent, much higher than the 5 percent projected growth rate for the IT security segment (Rana 2016). This reveals that these three growth areas will continue to propel and expand the cybersecurity industry going forward. (Pendse 2017)
The Government of the Republic of Croatia has recognized cybersecurity as an increasingly important area for national security and has set up a strategic framework for cybersecurity through the National Strategy for Cybersecurity. The strategy is accompanied by the Action Plan, which sets forth measures and defines the responsible bodies and the implementation timeline needed to make the strategy operational. The strategy identifies the following fields of importance: public electronic communications; e-government; financial electronic services; critical infrastructure and crisis management; cybercrime; data protection; technical coordination; international cooperation; and education, research and development (R&D), and awareness campaigns in relation to cyber and information security. These areas were defined based on an assessment of key priority topics for secure cyberspace in Croatia and include five core and four cross-cutting thematic areas (Republic of Croatia 2015), as shown in Figure 1.
1.1.1. History and Significance of the Industry in Croatia
Through the creation of the Internet and the linking of a series of communication and information systems in public, academic, and economic sectors, modern cyberspace has been created consisting of many interconnected infrastructures. Users of this infrastructure generate vast amounts of data and use a growing number of different services that need to be protected.
The cybersecurity industry has also become an area of rapid growth due to an ever-increasing number of people on network systems and the development of various new digital products. The main driver of this growth in the past 10 years has been the financial sector, which has strict regulatory requirements on information security, imposed by the Croatian National Bank. Other than the financial sector, drivers of growth in this area were “security sensitive government institutions” (such as intelligence services, military, and police), as well as health services, the telecommunications industry, the insurance industry, and so on (Republic of Croatia 2016).
Information and communication technology (ICT) is, without a doubt, the basic support service for the cybersecurity industry. Since information security is a broad area and companies in the ICT sector cover only certain parts of security services (as part of their overall market operations), it is hard to present the exact number of ICT companies covering security-related R&D and services.
The ICT sector in Croatia has a great tradition and is considered one of the main drivers of economic and social development in Croatia. There is considerable technical capacity and know-how among Croatian ICT firms in the security field that date back to one or more of the following factors: (a) a relatively long history of industrialization and high levels of education in Croatia; (b) the need to build a defense industry from the ground up due to the 1991–1994 Homeland War; and (c) good technical universities.
Figure 2: Significance of the Croatian ICT Industry for National Economy, ICT Industry as Percentage of Croatian GDP, 2010–2014
Source: Center for Industrial Development (Centar za industrijski razvoj, CIRAZ) rendering of Eurostat data.
Note: GDP = gross domestic product.
Potential for development of the cybersecurity industry in Croatia lies on the demand side as well. Nowadays, the right to access the Internet has become one of the common human rights. Statistics for Croatia from 2010 to 2016 show considerable evolution of Internet usage in Croatia that correspondingly also drives demand for digital security products. In the last six years, the number of Internet users has increased by over 20 percent, but Croatia is still lagging behind some developed countries such as Norway or other European countries similar to Croatia.
Figure 3: Individuals Regularly Using Internet, Percentage of Individuals Ages 16–74
Source: CIRAZ rendering of Eurostat data.
1.1.2. S3 and STPA
The government’s S3 provides useful insight into the scope and focus of the STPA described in the strategy. The Cybersecurity STPA within the S3 is one of three STPAs within the Security thematic priority area. This STPA is mostly focused on “development and research of investments in several areas/niches where Croatia intends to upgrade its current level of technological capacity, human resources and expertise” (Republic of Croatia 2016) to become globally competitive in the cybersecurity industry.
The strategy spans a varying set of activities and lays out a range of R&D topics and key enabling technologies (KETs) that can be utilized to support private sector growth. The scope of the Cybersecurity STPA includes Research, Development & Innovation (RDI) topics and associated indicative RDI topics under cross-cutting themes KETs and ICT presented in Box 2. The RDI topics should serve as the main drivers of growth and development of the industry and their activities.
The following sections take stock of how the Croatian industry is performing now—particularly in the perspective of Global Value Chain (GVC) participation—and then map a set of relevant actors, agents, and organizations that represent the ‘cluster’ associated with this sector.
1.1.3. Regulatory Framework
The Government of the Republic of Croatia recognized cybersecurity as a critically important component of national security and has created a strategic framework for cybersecurity defined through the National Strategy for Cybersecurity. The strategy was adopted by the government in October 2015. The national cybersecurity framework is implemented through the following:
- Coordination within the public sector
- National cooperation of the public, academic, and economic sectors
- Consultation with the interested public and informing of citizens
- International cooperation of cybernetic security stakeholders
As a member of the EU, Croatia has harmonized its legislation with the acquis communautaire of the EU and transposed it into its legal system. The Croatian cybersecurity framework thus follows key strategies and guidelines set on the European level such as the Cybersecurity Strategy of the European Union and the Convention on Cybercrime of the European Council. The Government of the Republic of Croatia additionally reinforced the national cybersecurity regulatory framework by adopting several laws and acts that integrate some of the best practices from the most relevant standard-setting authorities around the world. Responsibility for implementation of the framework lies with several government bodies, most notably the Ministry of Interior, Ministry of Defense (MOD), Croatian personal data protection agency, Croatian regulatory authority for network industries, security and intelligence agency, Croatian national computer emergency response team, and Croatian National Bank.
The most important pieces of legislation that regulate Croatian cybersecurity space are as follows:
- Cybersecurity Strategy of the European Union (European Commission, JOIN(2013) 1 final, 02.2013). The Strategy outlines the EU’s vision in the cybersecurity domain, clarifies roles and responsibilities, and proposes specific activities at the EU level. Its goal is to ensure strong and effective protection and promotion of citizens’ rights to make the EU’s online environment the safest in the world.
- Convention on Cybercrime (European Council, ETS 185, 09.2001). The convention is the first international treaty on crimes committed through the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception.
- National Security Strategy (Croatian Parliament, Official Gazette 73/2017, 06.2017). The strategy establishes the homeland security system as a response to the modern threats, which has to be modern, cost-effective, efficient, and tailored to the tradition and needs of Croatia. The Act on Homeland Security System stipulates systematic security management of security risks and crises of national importance and establishes a homeland security system.
- National Cybersecurity Strategy (Croatian Parliament, Official Gazette 108/2015, 10.2015). The strategy defines a framework for systematic and comprehensive planning of the most important activities to protect all users of modern electronic services, in both public and private sectors.
- Information Security Act (Croatian Parliament, Official Gazette 79/07, 07.2007). The act defines the concept of information security, measures and standards of information security; areas of information security; and authorized bodies for establishing, implementing, and supervising measures and standards of information security.
- General Data Protection Regulation (European Parliament, EU 2016/679, 04.2016). It defines rules for protection of EU citizens with regard to the processing of personal data and the free movement of such data.
- NIS Directive (European Parliament, EU 2016/1148, 07.2016). It defines a set of measures for a high common level of security of network and information systems across the Union.
- Guidelines on Internet Payments Security (European Banking Authority, EBA/GL/2014/12, 12.2014). It sets the minimum security requirements that payment services providers in the EU are expected to implement.
- Decision on Prudent Management of IT Systems (Croatian National Bank, Official Gazette 37/10, 03.2010). It defines requirements for managing IT systems of credit institutions in Croatia.
2. National Supply Profile
The definition of the Croatian Cybersecurity STPA, as defined in Croatia’s S3, relies upon the sector definitions used in international best practice and considers sector specifics related to the IT industry. In that respect, for this analysis, the Croatian cybersecurity sector has been defined through a list of representative companies mentioned in the strategy. The list was further updated by inputs from the Ministry of Economy, Entrepreneurship, and Crafts and HGK’s CIRAZ.
Methodology. Financial analysis of the Croatian cybersecurity sector was conducted using the Bisnode Portfolio Intelligence database. The database offers financial data on Croatian companies gathered from the mandatory regulatory filings that Croatian companies submit yearly to FINA (the Croatian Financial Agency, the payment and financial intermediary services provider) through a standardized GFI-POD form. Figures shown in Sections 3, 4, and 5, unless otherwise stated, were created by analysis of financial information of companies operating within the NACE sectors presented in Table 2. The database was accessed on October 17, 2017, with companies that had the status of (a) insolvent, (b) bankrupted, or (c) erased, excluded from the analysis.
The cybersecurity industry is difficult to define through NACE or Harmonized System (HS) codes given that most of the companies operating within the industry, in addition to their primary activities, often operate across multiple IT sectors, and the NACE and HS codes do not distinguish the uses to which IT goods and services are put. Mapping and analyzing the industry showed that a large number of the companies operating within Croatian cybersecurity industry fall within the following NACE codes:
2.1. Product Development
Most companies within the cybersecurity industry are system integrators and mainly implement solutions from leading global vendors of equipment or software and further customize those solutions to their clients’ needs. Only a handful of Croatian companies are developing or offering their own solutions (for example, Reversing Labs, Defense Code, Infigo IS, and Alfatec Group).
Looking at the demand side, in 2013, almost 47 percent of IT budget in Croatia was spent by about 3,000 state and state-owned businesses (state administration bodies, agencies, institutes, courts, hospitals and health centers, primary, secondary, and higher secondary schools, faculties and universities, local government, municipalities, towns, and cities) and 1,420 public companies in total or predominantly state ownership, followed by a group of about 40 blue chip companies that accounted for 20 percent of IT spending. Around 200 companies from the financial sector spent 12 percent of Croatian IT budget, with the telecom sector following with 8 percent of IT expenditure, while the remaining 13 percent was spent by small and medium enterprises (SMEs) (Žitnik 2015).
Looking at the product level, IT services account for 30 percent of IT budgets in Croatia in 2015 followed by PCs with 18 percent and smartphones with 17 percent (Juras 2016).
According to Žitnik (2015), Croatian IT expenditure per capita in 2015 amounted to US$250, roughly 30 percent below average IT expenditure per capita within EU 28.
2.2. Exports
Croatian firms within the industry mostly export software and secondary equipment. Domestic sales prevail in most sectors over exports. The highest ratio of exports can be seen in NACE J62.01 (34.3 percent), where the largest number of companies operate. NACE J62.01 represents firms that develop their own software and application solutions and have exported 21.7 percent of their production.
Source: HGK and Bisnode Portfolio Intelligence database.
3. Industry Functioning
A total of 3,800 companies are operating within the Croatian IT sector, with more than EUR 1.9 billion turnover in 2016 and employing more than 19,500 people. However, the vast majority of companies dealing with cybersecurity are system integrators, integrating and implementing main global IT vendors’ products and solutions, and are working in areas outside of cybersecurity.
3.1. Economic Geography
3.1.1. Number of Firms
The vast majority of companies that are mapped to the aforementioned NACE codes are small companies. Small companies play a big role in this sector, especially in NACE J62.01 computer programming activities, and show the biggest potential for development of new, innovative solutions. Field research has shown that reasons for lack of substantial R&D and innovation activities in bigger companies can be attributed to lack of skilled workforce and human capacities given that the existing ones are predominantly occupied by serving Croatian and regional clients.
3.1.2. Clustering of Firms
Analysis of geographical concentration was done according to NACE code (2007), classification of business activities of main players. The majority of the firms are concentrated in the City of Zagreb (capital city) and County of Zagreb, followed by the rest of Croatia with most of the activities focused around the big urban areas of Rijeka, Split, and Osijek. Significant factors for such concentration could be found in better access to financial institutions and the capital market, workforce, and logistical connectivity (airports) to other regions, both nationally and internationally.
Međimurje and Varaždin counties, north of Zagreb, have historically been manufacturing centers of Croatia, so pockets of ICT industrial expertise (for example, companies that produce intelligent traffic systems, cybersecurity laboratory at the Faculty of Engineering) have found their home there. Kvarner and Istria regions that lie close to Italy and Slovenia have traditionally served these markets and are closely integrated with many of the input suppliers operating in those countries.
Figure 7: Distribution of Active ICT Companies by County on June 30, 2017
3.2. Profitability Analysis
Looking at the key financials of Croatian IT sector by aggregating data for companies operating under NACE codes presented in Table 2, the sector posted stable revenue growth with CAGR of 7.84 percent over the last three years. Firms were able to defend their margins and slightly increase operating profits compared to the growth rates of revenues. To satisfy growing demand, the sector continued to add employment at a CAGR of 6.34 percent with the total number of employees rising to 19,646 at the end of 2016.
3.2.1. Assets, Debt, and Revenue
Firms operating under the NACE 62.01 code – Computer programming activities play a considerable role in the Croatian IT industry. Most of the players that produce their own cybersecurity solutions are also located there but tend to represent a small portion of total revenues of the sector. In 2016, the top 10 players such as Span, Apis IT, Asseco SEE, and IN2 accounted for 28 percent of all the revenues, which are growing at a CAGR of 8.87 percent. Another big sector is represented by companies operating under the NACE 26.20 code – Manufacture of computers and peripheral equipment, where the top two players (M San Group and King ICT) captured 56 percent of the sector’s revenues in 2016. Sector NACE 62.02 – Information technology consultancy activities (representative companies: Huawei Technologies, Hewlett-Packard, Mrežne tehnologije Verso) has recorded the highest growth rate, with a revenue CAGR of 16.75 percent in the last three years.
Assets of the Croatian IT sector mimic the growth rates of net profits. Given that financial liabilities remained steady, the increase in assets was mainly driven by retained earnings that increased funds for new investments. Implied dividend payout ratio stood at 20 percent in 2014 and 35 percent in 2015.
Except for NACE J62.01, which witnessed a slight increase in financial liabilities, most of the other sectors are deleveraging given the abundance of own funds to finance their operations. The aggregated leverage ratio (debt/equity) stood at 1.2 in 2016, representing a decrease from 1.36 in 2016.
3.2.2. Employees
Most employees, over 11,000, work for companies in NACE J62.01, which is at the same time the subsector with the largest number of firms and has added new employees at a CAGR of 7.9 percent during 2014–2016. The fastest employment CAGR of 10.15 percent was recorded by NACE J62.09 – Other information technology service activities, represented by the companies iStyle, SedamIT, and Veracomp. Given that this analysis uses only companies that are not bankrupt, insolvent, or erased, employment figures may be upward biased.
The Croatian IT sector employed 19,646 people at the end of 2016, adding 3,310 new employees in the last three years. The largest share of the employees was in NACE J62.01 – Computer programming activities, which accounted for 56 percent of the total IT sector’s employment in 2016.
3.2.3. Cost Structure and Margins
Margins in the Croatian IT industry remained constant and stood at 6.5 percent on average in the last three years. The subsector NACE J62.01 witnessed the highest net margin, peaking at 10.8 percent in 2016. The lowest margins were recorded by the subsector NACE G47.41 – Retail sale of computers, peripheral units, and software in specialized stores, evidencing competitive pressures from online sales of IT products. Given that this analysis uses only companies that are not bankrupt, insolvent, or erased, net profit figures may be upward biased.
Figure 14: Net Profit Margins 2014–2016 per IT Industry Subsector
Source: Bisnode Portfolio Intelligence database.
The Croatian IT industry remained profitable despite competitive pressures and an unfavorable tax and business environment.
Figure 15: Croatian IT Sector Return on Assets and Return on Equity 2014–2016
Source: Bisnode Portfolio Intelligence database.
On average the return on assets (ROA) recorded by the industry in the last three years stood at 9.1 percent while return on equity (ROE) averaged 20.8 percent. The most profitable subsector is NACE 62.01 – Computer programming activities, while NACE J62.09 – Other information technology service activities, recorded the biggest decline. Given that this analysis uses only companies that are not bankrupt, insolvent, or erased, net profit figures may be upward biased.
3.3. Productivity and Innovation
3.3.1. Productivity
Productivity of Croatian IT firms can be approximated by analyzing the revenues per employee ratio. In the last three years, overall productivity stagnated at around EUR 738,000 per employee. Compared to 2015, when it reached a record level of EUR 767,000 per employee, the productivity of labor in the Croatian IT sector even decreased in 2016. The major reason for such development is that demand for highly skilled employees is driving up staff costs, which on average account for 20 percent of total capital expenditure (CAPEX) in the Croatian IT industry. For example, average gross monthly salary increased by 5 percent to EUR 11,880 in 2016 compared to 2015 for companies operating in NACE J62.
Figure 16: Croatian IT Sector Productivity (Revenues per Employee) 2014–2016 (HRK)
4. Cluster Figures: Market-Based Actors
When considering the cluster, it is important to look at all agents and actors operating in the sector. The sector consists of both market actors (firms) and supporting bodies and organizations (for example, universities and the government). Market-based agents are displayed to the left in Figure 18, while the support bodies are cross-cutting across these. This chapter describes the market agents in the cluster, both the set of ‘core’ firms that are the focus of the STPA and a number of other private firms that may be necessary to help move the industry into more attractive segments. These market-based actors are depicted in typified form in Figure 18: Cluster Mapping and are described in more detail in this chapter.
Figure 18: Cluster Mapping: Cybersecurity Sector
Source: CIRAZ and World Bank.
4.1. Core Firms
4.1.1. Notable Firms
Table 5: Croatian Notable Core Cybersecurity Companies, 2016
Source: FINA
INSig2, a company owned by IN2 Group, was established with two main objectives: to develop and implement sophisticated solutions of integrated security and provide expertise in the field of digital forensics. Today, the company is the market leader in the region for areas of integrated security and digital forensics, hosting educational workshops for clients such as Europol.
Infigo IS was founded in 2005. The company specializes in providing information security consulting services. It offers services in the fields of GDPR consulting, security assessment, data leakage prevention, security analytics, and fraud management. The company also acts as a system integrator for some leading international security solutions such as Qualys, Splunk, and Digital Guardian.
Defense Code was privately founded in 2010. The company provides a range of consulting and assessment services to help organizations measure their security posture and build a thorough and compliant security program. Defense Code developed its own products designed to analyze and test web, desktop, and mobile applications for security vulnerabilities using Dynamic Application Security Testing (DAST, BlackBox Testing) and Static Application Security Testing (SAST, WhiteBox Testing) technologies. The company also offers services of penetration testing, zero-day vulnerability research, security audit, and source code security analysis.
Diverto was founded in 2007 and provides various IT security services such as penetration testing, vulnerability testing, social engineering, education, ISO 27001 implementation, and IT security consulting.
Alfatec Group was founded in 1990 and employs around 60 experts. The company is active in the field of information security and offers various cryptographic equipment and solutions, such as Thales e-Security, Verisoft, Qualys, Collis, Arcot, Acertigo, and so on.
Top Five Firms: Revenues
4.2. Peripheral Firms
4.2.1. Input Providers
Table 6: Croatian Input Providers for Cybersecurity Companies, 2016
4.2.2. Buyers
Table 7: Croatian Buyers of Cybersecurity Products, 2016 (EUR, millions unless otherwise specified)
4.3. FDI in the STPA
World Bank analysis showed that only a minor part of FDIs in Croatia are investments in sectors based on knowledge and R&D. FDIs in Croatia were primarily attracted by sectors such as trade and financial sectors that do not necessarily promote knowledge transfer (World Bank Group 2006).
According to the Croatian National Bank, the overall FDI in NACE J63 (information service activities) from 1993 up to February 2017 amounted to EUR 92.3 million (net incurrence of liabilities) with 2016 being a record year with EUR 47.8 million of investments (Hrvatska narodna banka 2017).