Saturday, March 24, 2018
logo economy journal
< view full issue: Cibersecurity
Luis Muñoz López

​Confidence and security in the digital field in Spain

Head of Indicators area of the National Observatory of Telecommunications and the Information Society (ONTSI)

Trust in the digital environment is fundamental for the development of the digital economy and society. The lack of trust has been identified as a barrier to digital transformation and the implementation of services such as cloud computing, e-commerce and e-government, among others, in the general public, businesses and administrations. For most governments, trust in the digital environment is among the priorities on their political agenda. This is evident in the latest analysis by the OECD on digital economy. It has been identified as one of the digital strategies in the strengthening of security and confidence in the digital field and it is among the four highest priority in half of the thirty-five countries analyzed in the study (OECD 2017). In the case of Spain, the strengthening of digital trust is among the objectives of the Digital Diary for Spain, and is one of the pillars on which the action of the Government of Spain in this legislature is based in the Digital Strategy for an intelligent Spain.

Era digital

One of the first aspects in analyzing the state of digital trust is businesses' and the general public's awareness of digital security risks. In the case of companies, the larger ones have a greater degree of knowledge regarding the consequences for their business of security incidents. In 2016, the percentage of Spanish companies that reported having suffered a security incident increased compared to that registered in 2012 (ONTSI, 2017). In the case of the general public, taking the OECD countries as a reference, Spanish awareness is among the highest: one in four Spaniards reports having suffered Internet security incidents, above the average of the countries of the OECD, which stands at 16% (OECD, 2017). 

Such evidence, far from being negative, could actually exhibition how companies and the general public are now able to more clearly identify the occurrence of security incidents, which would imply a greater response capacity.

The second aspect to be analyzed has to do with this capacity of response, This is to say, the companies' and the general public's degree of preparation in avoiding incidents and in mitigating their consequences. In the case of the general public, in 2017, six out of ten Spaniards used some type of security software, including antivirus, antispam, firewall, and so on, which shows that there is still a high margin of improvement to be made in the preparation of the general public to address incidents of digital security (INE, 2017).


Spanish companies' use of security systems is quite widespread. In 2017, most of the companies consulted considered information security as a matter of high or maximum priority. 87% of Spanish companies declared that they had internal security systems, which rose to 98%in the case of large companies. Among these systems, the use of secure password authentication stands out, 82% of companies have implemented this system

Implementing user identification and hardware authentication is present in 45% of companies. 

The use of biometric elements for user identification and authentication is still low, and only 11% of Spanish companies and 33% of large companies use it, but it will undoubtedly be one of the technologies that will grow more in the coming years in the field of digital security (INE 2017, 1).

As for the security products that have been implemented by companies, anti-virus/anti-spyware products are the most indicated by the companies consulted at 97.8%. Next, firewalls and web content filters represent the second-most-used product by the companies consulted with 76.1%. Finally, 71.4% of companies stated that they use contingency and continuity tools (ONTSI, 2017).

However, there is still a quite significant group of companies that are not aware of the advantages of generation and implementation of a security policy in the management of the impact that security incidents can have from an economic and business point of view. Thus, the percentage of companies with a formally defined ICT security policy is still low. By 2015, only 35% of Spanish companies had done so, although above the EU average of 32%. In the case of large companies, this percentage is higher both in Spain (70%) and in the European Union (72%). As a positive element, among the companies that maintain an ICT security policy, most have stated that they have reviewed it in the last 12 months.


There is also a low percentage of companies that are geared up to identify incidents, and 36% report using security incident protocols, rising to 71% in the case of large companies (INE 2017.1). 

We should note that that the companies that manage the most technological and information assets are those that consider information security as a high or maximum priority. 

All this seems to indicate that the greater the number of assets managed, the more they are aware of the need to manage security, showing that they are better grown. Contrary to what might be expected, companies with a defined security policy also faced more security incidents, which probably has to do with the existence of specific registries that allow their management, a greater capacity to mitigate the consequences and a greater awareness of the actual occurrence of incidents. We can conclude that the existence of a security policy does not necessarily diminish the existence of incidents, but rather permits an adequate management of them, reducing their impact (ONTSI, 2017).

The third aspect to be analyzed has to do with privacy and trust. Overall, Internet confidence is high among Spaniards: six out of ten Spaniards state that the degree of trust is fairly high or quite high (INE 2017). However, the lack of security and privacy in the digital field can lead to a delay in the adoption of certain services, such as buying on Internet. In 2017, one out of two Spanish Internet users who did not buy online declared that they were concerned about privacy or payment security. Security and confidence are the reasons that one in four Spanish Internet users argue against downloading software, music, video files, political parties or other data files. For this reason, those who have stopped providing personal information to online communities and social and professional networks have reached 30% of the total. 

For 23% of Internet users, mistrust also affects carrying out banking activities such as account management, and for the 20% who do not use mobile devices through wireless connection outside their home.

Internet mistrust also results in less use of e-government: in 2016, 14% of Spanish Internet users stated that they do not send completed forms to the administration because they are concerned about the protection and security of personal data. In the case of the use of cloud services, 8% of Internet users declared that they do not use them because they are concerned about security and trust in the service. Therefore, trust has a determinant effect on the behaviour and use of the Internet by individuals that has potentially negative effects on the adoption of digital services.


Nevertheless, a lack of confidence towards Internet companies and digital services is not always a barrier to the adoption of digital services. A large majority of the general public of the European Union (71%) and Spain (73.5%) state that providing personal information is a significant part of modern life and accepts that there is no alternative (OECD, 2017). 63% of Spanish Internet users are aware that cookies can be used to trace their movements on the Internet, to obtain a profile of each user and provide tailored or personalized publicity. In addition, only one in three Internet users ever changed their Internet browser settings to prevent or limit the amount of cookies on their computer (INE, 2016), which reflects a strong acceptance of this type of user activity tracking technique. However, this may also reflect a lack of skills and knowledge on the part of individuals to perform this type of configuration task.

On the business side, 63% of companies have stated that their website has a privacy policy statement, safeguarding privacy and security-related certification. 

93.6% of the companies state that they report on the existence of personal data, complying with the duty of information contained in the LOPD. 90.2% of the companies consulted require express consent for the processing of personal data, and 88.9% say that they have a procedure to facilitate and guarantee the right of access, rectification, cancellation and opposition to personal data.

There is a proportional relationship between the adoption of privacy policies in companies and their size. The larger the company, the more frequent it is that it manifests itself as having a privacy policy statement, privacy safeguard or certification related to the security of the website. Likewise, a greater proportion indicate they are also are knowledgeable about the LOPD, and to be in compliance with this regulation in all its requirements. It is worth noting the high percentage of micro-enterprises that do not know the status of their website (40.2%), which indicates the lack of knowledge of regulatory requirements that this type of company has.

Awareness-raising seems to have a major impact on micro-enterprises and small and medium-sized enterprises. (ONTSI, 2017).

A fourth aspect to be analyzed has to do with the impact of security incidents, both on the general public and on companies. The potential for loss of consumer confidence, reputation damage, negative revenue impacts, and so on, which a digital security incident can lead to are the main business concerns (OECD, 2017).

The perception that companies have about their confidence in the digital solutions that are on offer and the possible impacts that can occur, is one of the reasons that hinders companies' digital transformation. The latest ONTSI survey on cybersecurity in companies shows that 51.3% of companies cite the risk of lack of availability of ICT services as a reason to have a security policy. However, the most mentioned reason is the risk of destruction or corruption of data (83%), followed by confidential data disclosure (52.2%).


With regard to the consequences, large companies mention that they suffer fewer negative consequences from security incidents. The fact that large companies suffer more security incidents, but conversely suffer fewer consequences, reinforces the idea that their greater preparedness to the incidents minimizes the negative consequences that these have for their business. The impact of security incidents is quite focused, given that 87% of companies concentrate their response on a single type of impact. 94.7% of the companies consulted have stated that the consequences of the incidents had an operational impact on their business. Only 13.2% reported having suffered an economic-financial impact, with little impact on the company's image/reputation (5.8%) or legal/contractual impact (1%).

With regard to the economic impact, contrary to what we might imagine, there is an inversely proportional relationship between the size of the companies and the quantification of the economic impact produced by the security incidents.

Micro-enterprises are those that most declare to have quantified the economic damage (44%), followed by small companies (31%), medium enterprises (29%) and, finally, large companies (27%). The percentage of companies that report having quantified the economic impact of security incidents (32%) is low. This is undoubtedly an unresolved issue for companies.

The bulk of the companies have quantified the economic damage caused by the incidents as less than 5,000 Euros, and 62.8% place their losses between 1,000 Euros and 5,000 Euros. 23.2% of companies quantified their economic losses as above 5,000 Euros.

The change in corporate habits as a consequence of having a security incident varies according to the size of the company. Micro-enterprises and small companies have shown a greater proportion of the use of certain Internet services and have begun to make backups, while medium- and large-scale enterprises indicate to a greater extent that they establish stricter security protocols and procedures or contract external audit services.

To lessen the impact of incidents, 96.2% of Spanish companies state that they have defined security policy measures to ensure the integrity of data and information. The second measure has to do with the availability of business operations and the availability of services in case of crisis, with 73.9% of the responses. The protection against theft of assets of the company with 70.3% is another of the most mentioned measures. (ONTSI, 2017).

In the case of individuals, the most analyzed impact is online fraud, which is growing as a consequence of the increased importance of electronic commerce. However, in 2015 the perception of economic fraud by Spanish and European was low. Only 3.6% of Spaniards and 2.6% of Europeans had experienced economic losses due to fraudulent use of credit or debit cards, or as a result of receiving phishing messages or being redirected to websites Another significant aspect is the violation of personal data, which not only causes significant losses in the affected business, but also can cause damage as a result of the invasion of privacy of people whose personal data have been violated (OECD, 2017).

Finally, we asked what the barriers are that companies perceive for the implementation of security measures and solutions. A certain disparity of criteria was detected on the perception of barriers to the implementation of security measures and solutions. 62.2% of companies mentioned only one, 24.7% perceived two barriers and the remaining 14% three or more barriers. In addition, a high percentage of companies stated that they did not perceive any barriers to the implementation of security measures (36.7%). The most mentioned barrier was the price and the lack of budget (36%), followed by lack of time (28.8%) and lack of qualified personnel to deal with the process (25.4%). It is striking that it was the large companies that mention the lack of qualified personnel as a barrier in greater proportion than the rest, particularly micro-enterprises, which undoubtedly has to do with the greater awareness that these great companies can have on the complexity which addressing security involves, and the skills that the dedicated personnel has to have in a complex environment such as these organisations (ONTSI, 2017).

Luis Muñoz López is Head of the Indicators area of the National Observatory of Telecommunications and the Information Society (ONTSI). He has a degree in Computer Science and a Master's degree in Information Technology applied to the company by the Polytechnic University of Madrid. Degree in Political Science and Administration by the UNED.



Ronda Universitat 12, 7ª Planta -08007 Barcelona
Tlf (34) 93 301 05 12
Inscrita en el Registro Mercantil de Barcelona al tomo 39.480,
folio 12, hoja B347324, Inscripcion 1



Ronda Universitat 12, 7ª Planta -08007 Barcelona
Tlf (34) 93 301 05 12
Inscrita en el Registro Mercantil de Barcelona al tomo 39.480,
folio 12, hoja B347324, Inscripcion 1