SCP - Appendix B: Cyber taxonomy

Cyber security product categories

As digital technology evolves, so does cyber security. To the layperson, cyber security might mean firewalls and off-the-shelf anti-virus software, but that limited scope is no longer accurate. Protecting digital assets is now multidisciplinary, and cyber security today involves anything from tools and technologies to behavioural practices and procedures.

Cyber security has traditionally been understood in terms of hardware, software and services. The diversity and sophistication of modern cyber security means that this categorisation is no longer appropriate.

The Cyber Security Body of Knowledge (CyBOK) is a international collaboration headed by the University of Bristol that structures cyber security according to five main categories:

  • Infrastructure security: securing computer and digital networks and related physical hardware and systems from intruders and intrusions, whether targeted or opportunistic.
  • Systems security: operational, network and systems security that includes the processes and decisions for handling and protecting data assets. The permissions users have when accessing a network and the procedures that determine how and where data may be stored or shared all fall under this umbrella.
  • Software and platform security: security that focuses on keeping software and an entire computing platform and devices - including mobile, cloud and web applications - resilient to cyber threats. This includes information security that protects the integrity and privacy of data, both in transit and at rest.
  • Attacks and defences: a proactive and adversarial 'attack' approach to protecting against cyber attacks, which includes penetration and vulnerability testing as well as ethical hacking. Defensive security focuses on reactive measures such as patching software and detection.
  • Human, organisational and regulatory aspects: tools and services to protect against intentional and unintentional user mistakes; support observance of organisational governance and policies; and enforce compliance with regulatory requirements.

This new framework provides a more robust foundation for researchers, policymakers and industry to study the sector.

Cyber security product categories

Segment of the cyber sector

Examples

Infrastructure security
  • Managed security service provider
  • Security operations centres
  • Security hardware and physical systems

System security
  • Cryptography
  • Operating systems, network, cloud, quantum control and autonomous systems security
  • Authentication including biometrics
  • Identity access management

Software and platform security
  • IoT security
  • Software as a service (SaaS)
  • Threat intelligence analytics
  • Mobile, web and application security

Attacks and defences
  • Penetration testing
  • Bug bounty programs
  • Threat detection and response
  • Wargaming and exercising
  • Cyber deception technologies
  • Digital forensics

Human, organisational and regulatory aspects
  • Governance, risk and compliance management
  • Readiness and maturity audits
  • Privacy impact assessment
  • Training and education
  • Cyber-related professional services

Research methodology

Output

Description

Approach

Data sources

Cyber security spending
  • Business and consumer spending on cyber security products and services in Australia.
  • Spending on cyber security in Australia was estimated using the weighted average of external market research estimates, as well as previous SCP modelling.
  • Gartner1
  • IBISWorld2
  • 2019 SCP measurement model

Sector revenue

  • The amount of revenue that accrues to cyber security providers where their core activities take place in Australia (includes both Australian- and foreign-owned providers).
  • A proprietary model was developed to estimate the proportion of total spend that is captured in Australia (as opposed to being imported), as well as the amount of export revenue captured by cyber providers in Australia.
  • Expert interviews with leading representatives from industry, government and academia informed the key assumptions in the model, such as the market share of providers with core business in Australia, and the proportion of revenues derived from exports.
  • To further validate the sector measurement model in a bottom-up way, analysis on aggregated revenue data from the Digital Census was performed, supplemented with illion revenue data to fill in gaps for providers that did not respond to the survey.
  • Gartner3
  • IBISWorld4
  • Expert interviews
  • AustCyber's Digital Census 2020
  • Illion5

Employment
  • Employees in the cyber security sector, as well as those in internal cyber security roles such as chief information security officers and in-house cyber teams.
  • ABS data on total output and employment figures was used to estimate the revenue generated per job for cyber-related roles.
  • Sector revenue estimates were then used to estimate the number of jobs in the cyber sector.
  • Informed by expert interviews, an assumption of the rate of internal cyber security spending per dollar of external cyber spending was applied to estimate the number of jobs in internal cyber security roles.
  • Gartner6
  • IBISWorld7
  • Expert interviews
  • Australian Bureau of Statistics (ABS)

Gross value added (GVA)
  • Measuring the cyber security sector's GVA reveals its direct contribution to the size of Australia's economy.
  • GVA is made up of profit and returns to workers (wages).
  • Sector profit was estimated using the weighted average profit margin of over 100 survey respondents. This was applied to top-down revenue estimates (factoring in depreciation, amortisation and tax).
  • A weighted average wage-to-revenue ratio for the sector was determined using survey responses. This was applied to top-down revenue estimates to estimate total wages for the sector.
  • Gartner8
  • IBISWorld9
  • AustCyber's Digital Census 2020
  • illion10
  1. Gartner (2020), Forecast: Information Security and Risk Management, Worldwide, 2018-2024, 2Q20 Update.
  2. IBISWorld (2020), IT Security Consulting in Australia and Data processing and web hosting services in Australia.
  3. Gartner (2020), Forecast: Information Security and Risk Management, Worldwide, 2018-2024, 2Q20 Update.
  4. IBISWorld (2020), IT Security Consulting in Australia and Data processing and web hosting services in Australia.
  5. Customised data from illion
  6. Gartner (2020), Forecast: Information Security and Risk Management, Worldwide, 2018-2024, 2Q20 Update.
  7. IBISWorld (2020), IT Security Consulting in Australia and Data processing and web hosting services in Australia.
  8. Gartner (2020), Forecast: Information Security and Risk Management, Worldwide, 2018-2024, 2Q20 Update.
  9. IBISWorld (2020), IT Security Consulting in Australia and Data processing and web hosting services in Australia.
  10. Customised data from illion