ICT SECURITY IN BUSINESSES – EFFICIENCY ANALYSIS

The purpose of this paper was to identify ICT security measures and to assess the level of ICT security in small, medium and large enterprises in spatial terms. The measures in the ICT security area were identified based on secondary data of European Union member states retrieved from the Eurostat database. The research used the CCR Data Envelopment Analysis (CCR-DEA) model to meet the research purpose. The research identifies countries where ICT security results were achieved with the optimum combination of expenditures, i.e. the so-called fully efficient countries. The authors demonstrate that the countries participating in the optimal shared technology are aligned to non-fully efficient countries and they can achieve their results at lower expenditures. In the optimal technologies of all non-fully efficient countries the volume of the achieved results of enterprises is slightly higher than the actual volume. Research conducted in the area of enterprise ICT security rarely focuses on the efficiency of actions undertaken. The authors of this paper examine the technical efficiency in the area of enterprise information security in spatial terms and formulate conclusions about enterprises in the EU member states. The application of the expenditure-oriented CCR-DEA model identifies countries that achieve their results fully utilising their expenditures and those that are able to achieve at least the same results as achieved by non-fully efficient countries but at lower expenditures. The technical efficiency analysis of actions undertaken represents the starting point for defining good practices and success factors in the area of ICT security, both at enterprise and country levels.


Introduction
Modern-day organisations are operating in the age of continuous real-time exchange of information. As information is the foundation of the decision-making process, effective competition requires organisations to have access to information and to be able to disseminate information among their stakeholders (Naicker et al., 2019). For this reason, it is necessary to ensure information security so that information can be used for making key business decisions. Indeed, while bringing numerous advantages to organisations, information technology has also made information security the main problem for organisations relying on the technology (Safa et al., 2018). Better understanding and acceptance of safeguards is an inherent element of the information security practice (Burdon & Coles-Kemp, 2019). Identification of good practices is needed (Brunner et al, 2020; Hoffmann et al, 2020; Tøndel et al, 2014), the more so as enterprises still fail to learn from security incidents (Ahmad et al, 2015). Security of computer information systems, commonly termed cybersecurity, is an important operational issue for nearly every organisation (Solak & Zhuo, 2020). Security-related tasks can be very complex (Sönmez, 2019). For this reason, the literature on the subject includes models which support the enterprise management process in terms of information security by raising awareness of security factors which need to be taken into account in the decision-making process (Diesch et al, 2020). Furthermore, information security research focuses on information security data exchange, threat intelligence sharing or information security data sources, like vulnerability databases (Sauerwein et al, 2019).
However, there have been no studies assessing the level of enterprise security in geographical and structural terms in the context of the efficiency of the actions taken. Therefore, the following research questions have been asked: Q1: How do the development of information society and digital economy affect the enterprise information security? Q2: Does the available data allow defining measures which reflect the level of enterprise ICT security expenditure and achieved results in spatial terms? Q3: Are there any tools which provide for assessing enterprise ICT security in spatial terms taking into account effects in this respect and expenditure incurred to achieve those effects? Q4: Are there any differences in the level of the information security methods in small, medium and large enterprises?
To answer the questions, the following research hypotheses have been formulated: H1: The ICT security methods in enterprises provide for creating a system of measures for assessing the ICT security in the context of expenditures and results in enterprises in terms of geography. H2: An assessment of the enterprise ICT security level in spatial terms carried out with appropriate tools will allow identifying the countries where the enterprise ICT security level requires improvement and, most importantly, finding reference objects in the test group.
The proposed research method allows ranking EU countries in terms of ICT security taking into account the efficiency of actions taken respectively. The country ranking may in turn be used to facilitate best practices sharing which can constitute the foundation of national or international information security policies, to set priority goals in the area of ICT security practices and to identify the best means of achieving the goals. Furthermore, the analyses conducted will allow assessing the level of ICT security of enterprises active in specific markets, which can enhance trust in economic transactions made in those markets.
Considering the level of development and use of information and communication technologies, a comprehensive and scientific system needs to be created which will enhance technical breakthroughs, develop system recovery technologies and take various effective measures to prevent and respond to security risks (Guo & Wang, 2020). Best practices of enterprises with sound ICT security measures will serve as role models for other entities.

ENTREPRENEURSHIP AND SUSTAINABILITY ISSUES
ISSN 2345-0282 (online) http://jssidoi.org/jesi/ 2021 Volume 9 Number 1 (September) http://doi.org/10.9770/jesi.2021.9.1(8)

The study contributes to the literature on the subject in the following three respects. Firstly, the variables that determine the outlays and effects in the area of ICT security of enterprises have been identified.
Correct identification of variables is a key stage in the efficiency analysis and ensures its credibility. Secondly, the usefulness of the set of variables in the diagnosis of information security activities of enterprises in individual states of the European Union was verified. A set of variables that measure inputs and outputs in information security was used to assess the efforts of enterprises to achieve results in the area of ICT security. Thirdly, research to date in the field of ICT security in enterprises rarely focuses on the effectiveness of actions taken. Moreover, technical efficiency in the area of information security in enterprises was examined, but in spatial terms, which allowed for formulating conclusions regarding enterprises operating on the markets of individual European Union countries.

Context of the Information society and digital economy
The digital spread has been revolutionary in recent decades, with a wide range of opportunities available through new technologies and the rapid growth of the internet and WAN. The information and communication technology (ICT) sector is the pioneer of the digital economy. New technologies, particularly artificial intelligence (AI), reshape the labour market, which comes on the one hand with the creation of jobs in some sectors but on the other hand with the disappearance of others.
Digital advances have generated enormous but concentrated wealth around a small number of individuals, companies and countries. New key risk areas have been created: cybersecurity, privacy concerns, facilitation of illegal economic activities or digital disruptions are amongst the major concerns (UNCTAD, 2019).
Information has become swiftly available and there is an actual oversupply of information. Beyond the obvious positive impacts, this also carries some negative aspects. The quality of information might be questionable, the origin of sources may lead to confusion and as such can cause indecisiveness; overall this can result in higher information costs. The so-called TIME markets (telecommunication, information technology, media technology, and entertainment) form the basis of the network economy or Net Economy. This Net Economy now coexists with and evolves next to the Real Economy, which is focused on physical products and/or services (Kollmann, 2006).
The orientation of information, communication and transaction processes within the Net Economy has evolved from the supply-orientated Web 1.0 to the membership-orientated Web 2.0 and then to the demand-oriented Web 3.0 (Kollmann et al, 2016).
In the digital age, information and knowledge have a central role; the concepts of both information society and knowledge society have been created. Information society describes the technological options related to the electronic age; knowledge society gives prominence to the problems and strategies of making sense of information (Krohn, 2001).
The concept of the new social structure promoted by Castells is the so-called network society: society made of networks in all the key dimensions of social organization and social practice. This network society is considered as a global system (Castells, 2010).
Industry 4.0 refers to the fourth technological revolution and follows the third revolution, known as the "Information Age", that developed into the "knowledge-based economy".
The term information society is defined in the EUR-Lex, European Union Law Glossary as a "society where a significant degree of activity focuses on the creation, distribution, use and reuse of information." This happens through the means of Information and communication technology (ICTs) (EUR-Lex Glossary, n.d.).

"ICT covers all technical means used to handle information and aid communication. This includes both computer and network hardware, as well as their software" as defined in the European Commission Eurostat database (Eurostat Glossary, n.d.). ICT has economic contribution to growth (Goodridge et al, 2019).
ICTs, defined as the combination of all of a company's audio-visual, telephone, and computing networks, used to be costly and were deployed by companies carefully; however, advances in connectivity, cloud computing, and other technologies make them easier to adopt. Services can turn IT into an affordable resource, regardless of company size (Bossert & Laartz, 2018).
In harmony with the requirements of the information economy, an industrial enterprise needs to define a strategy that considers automation, robotization and business processes (Kwilinski, 2018). This new era has brought numerous positive impacts; however, a number of challenges and new risks are still to be addressed. These challenges basically revolve around the digital vulnerabilities and the digital divide that arose as a result of the digital transformation. The digital sphere has opened up new opportunities for criminals; new security threats appear, such as cyber-crime and data theft. Security measures and relevant control procedures at enterprises that focus on mitigating these risks are fundamental and indispensable for maintaining a stable operation.
With regard to the information society, both inclusion and exclusion exist, meaning that participation is not available unconditionally. In addition to the access to online information, the digital divide is about the different uses, misuses and abuses of information (Segev, 2010).

Identification of the ICT security problem - definition of ICT security
ICT is a rapidly developing, innovative sector, which fulfils a strategic role in the European Union. In the context of today's knowledge-based or information society, the management and use of information has become the key to success, which can lead to competitive advantages in the market. The use of ICT services is becoming more and more widespread amongst businesses. By now ICTs have become fundamental infrastructure and promote the knowledge-based digital society. The spread of information by means of information communication has almost no boundaries. Networking is general. Information flows in and out. ICT systems are naturally vulnerable to security threats. In the digitalized world the connection is built through ICTs and this is a key concern if the system is compromised, misused or attacked (OSCE Cyber/ICT security, n.d.). The Internet threat landscape has changed; there is a significant shift toward well-organized cyber-crime carried out in a targeted manner, circumventing common security measures (Skopik et al, 2016). Enterprises constantly experience information security related incidents, which are very likely to disrupt their business operations and threaten the information security (Ahmadian et al, 2020; Evans et al, 2019; Bartnes et al, 2016).
The Internet of things (IoT), which refers to Internet-connected devices such as sensors and radio frequency identification (RFID) chips that are embedded in objects, enabling them to send and receive various kinds of data (Digital McKinsey, 2018), is built on the basis of the Internet, thus security problems of the Internet will also show up in IoT devices. This requires customized security and privacy levels to be guaranteed, and solutions that ensure confidentiality, access control, and privacy for users and things, trustworthiness among devices and users, and compliance with defined security and privacy policies (Tewari & Gupta, 2020). "Security is like a chain. It is as strong as its weakest link. Security depends on people more than on technology. Employees are far greater threat to information security than outsiders" (Technical Department of ENISA, 2006). The threat of humans to information protection can be minimized by an ideal or strong information security culture (Veiga et al, 2020).
Information technology has widened the scope of management; in addition to organizational performance, productivity and human resources perspectives, information security should be considered as a responsibility of management, which also has an impact on the market position (Soomro et al, 2016). Entities need to build resilience to ensure smooth operation: to provide an appropriate response to these threats, adequate control measures are necessary. The use of ICT services can generate value added in the operation of a business. However, all this requires special attention from a security point of view; security measures ensuring proper control are needed. Security measures play an important role in the security system of businesses, which are highly exposed to security risks related to ICT.
The e-commerce segment of business channels, depending on the volume of the segment, underpins the need for adequate protection. The parameters of the process on ICT security measures can be described through a typical action plan (who does what, when, where, and what evidences this) with the help of control operations. These security elements can be automatic, manual, or semi-automatic, semi-manual operations. The planning of activities shows who / what does it.
The implementation of the process is supported by an appropriate process documentation and operation, as well as by providing appropriate information to the stakeholders.
The model of information security factors for decision makers shows that there are key security-indicators, which directly impact the security-status of an organization while other indicators are only indirectly connected.
The identified key security-indicators are (Diesch et al, 2020):
- "Physical security" (in practice: physical protection of buildings, offices, servers, and hardware),
- "Vulnerability" (in practice: known vulnerabilities within systems and software),
- "Access control" (in practice: the management and regulation of access to systems, applications, data, and infrastructure),
- "Infrastructure" (in practice: knowing all systems, software and the connections between them and if they are secured or not; "strengthening" of all available systems, prepare threat models and secure the infrastructure in each network layer),
- "Awareness" (in practice: all topics that concern people and cannot be treated with technology).
The Castle Model, which takes "the defence as walls" approach to cybersecurity, with a safe inside and a dangerous outside, is also worth mentioning here. This approach, namely, leaves a blind spot. Organizations open up their walls and make their gateways more "leaky" so that they can do more, faster and better. Walls from the outside are increasingly destroyed by technological developments. The Millennial generation tends to mix professional and private life. All these factors call for a new approach to cybersecurity (Leuprecht et al, 2016).
"ICT security refers to relevant incidents as well as measures, controls and procedures applied by enterprises in order to ensure integrity, confidentiality and availability of their data and ICT systems" as defined by the Eurostat database. A set of security measures is also compiled to describe this (Eurostat, n.d.). Good practices are required to ensure that the processes of the enterprise are designed and operated in a way that the enterprise is resilient towards the ICT challenges.

Control measures related to ICT security
There is a sound European approach to digital transformation, which is outlined below without being exhaustive. The adoption of Regulation 1025/2012 on European standardization emphasised "the fast evolution of ICT and the way in which new products and services, such as 'smart' or connected devices (referred to as the 'Internet of Things' or IoT) or the Cloud, transform markets" (Regulation (EU) No 1025/2012, 2012). The Commission has identified the following priority areas as the essential technology building blocks of the Digital Single Market: cloud computing, the internet of things (IoT), 5G communications, cybersecurity and (big) data technologies (European Commission, 2016). The so-called 2020 Rolling plan for ICT standardisation provides a unique link between EU policies and standardization activities in the field of ICT (European Commission, 2020).

The Directive on security of network and information systems (NIS Directive) is the first EU level legislation on cybersecurity. The deadline for the transposition into national legislation was by 9 May 2018, and by 9 November 2018 for the identification of operators of essential services. Energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure count among the sectors that heavily rely on ICTs. Businesses identified as operators of essential services have to take appropriate security measures and notify serious incidents to the relevant authority.
This also applies to search engines, cloud computing services and online marketplaces, as they are key digital service providers. A culture of security across sectors is in the focus (European Commission, NIS Directive, 2020).
Data has been defined as the fuel of the digital economy. In the context of ICT, data protection becomes a key issue. The EU directive 2016/679, known as GDPR, is meant to protect natural persons with regard to the processing of personal data and on the free movement of such data (REGULATION (EU) 2016/679, 2016).
The EU's digital strategy "A Europe fit for the digital age" counts among the six Commission priorities for 2019-24, with policy areas of Data protection; Better access to online goods for consumers and businesses; The right environment for digital network and services; Economy and Society and the European Data Strategy. New rules on e-commerce were introduced which are key elements of the Digital Single Market Strategy: the revised Payment Services Directive and new rules on cross-border parcel delivery services (already in force), new rules to stop unjustified geo-blocking (entered into force on 3 December 2018), revised consumer protection rules (will enter into force in 2020), new VAT rules for online sales of goods and services (will enter into force in 2021) (European Commission, 2021).
The Organization for Security and Co-operation in Europe (OSCE), which has 57 participating States from Europe, Central Asia and North America (OSCE, n.d.), names as the key challenge that ICTs have made offence easy and defence difficult. This organization has a special role in strengthening cyber/ICT security, with particular focus on reducing the risks of conflict arising from the use of ICTs between its participating States by means of the so-called confidence-building measures (CBMs). Protecting ICT-enabled critical infrastructure is part of enhancing cyber resilience in the OSCE region for the benefit of all. The OSCE also pays particular attention to tackling cyber/ICT security threats such as organized criminals and terrorists (OSCE, n.d.).
Information security standards such as ISO/IEC 27001:2013 mark information security policies as mandatory. However, there is little guidance on how to develop good and effective policies. Currently, organization-specific information security needs are in the focus of information security policy development (Paananen et al, 2020).

ICT risks in the context of manufacturing industry, service-oriented organizations and e-commerce
The new technological solutions are usually associated with unexpected risks due to security vulnerabilities.
The different entity sizes (small, medium or large enterprises) and businesses may face and address the risks differently. The more so as the findings of studies conducted to date show that the current perception of information risk and readiness to take such risk are low, especially among small economic entities (Line et al, 2016).
A proper risk management process is necessary for each company to ensure stable operation. Due to their significant role, the author covers the risk areas of the manufacturing industry, the service-oriented organizations and the e-commerce business model.
ICT activities are adopted in most industry activities, but especially in logistics and production operations.

The manufacturing industry, with its processes well supported by ICT, faces increased security risks due to the new technologies, the spread of Industry 4.0, cloud-based systems, IoT, Big Data, BYOD (Bring Your Own Device) and CYOD (Choose Your Own Device) trends. The security implications of the evolving smart systems should be addressed. Employees need to be properly trained. The interconnected organizational systems pose significant security risks. Hackers with malicious intent benefit from software vulnerabilities. The era of Industry 4.0 is greatly exposed to cyber-espionage. High value assets should be protected with a security approach that contains data loss prevention solutions as well as encryption algorithms. The industrial sector runs the risk of Denial-of-Service (DoS), which makes a system or an application unavailable (for instance, by overloading a server with a massive number of requests to consume the available system resources); DoS attacks are very difficult to control and are often unforeseeable. These attacks not only cause operational issues; the remediation is also usually expensive.
In service-oriented systems the key issues of the security management process are identity management; proper security controls management; security management sovereignty; seamless connection to other organizations on a real-time basis (security of the communication protocols of the services) and protection of data in transit and rest (Dudziak-Gajowiak et al, 2019).
E-commerce is one of the components of the digital economy (UNCTAD, 2019). In the e-commerce context, the critical and vulnerable points of system security are hardware, software and environment. The basic security threats are:
- Denial-of-Service (DoS): see above.
- SQL Injection: lets a malicious user execute commands in the application's database by using the privileges granted to the application's login.
- Price Manipulation: very common, whereby the final payable price is manipulated by the attacker using a web application proxy.
- Session Hijacking: takes control of a user session after successfully obtaining or generating an authentication session ID.
- Cross-site scripting (XSS): a special case of code injection; the hacker folds malicious content into the content being delivered from the compromised site, which appears in the client-side web browser as if it had been delivered from the trusted source.
Viruses, worms, Trojan horses, bots, EXE files, browser parasites, adware, spyware etc. are also used by attackers to compromise the security of e-commerce systems. Secure site design, being both proactive and reactive in handling security threats, is up to the development team and up to the shopper (Singh, 2014).

Data description
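In order to verify the hypotheses, a database was constructed consisting of the following variables:
1. variables characterizing the results of DEA:
- Enterprises did not experience any problem due to ICT security incident: unavailability of ICT services (OUT_unavailability),
- Enterprises did not experience any problem due to ICT security incident: destruction or corruption of data (OUT_destruction),
- Enterprises did not experience any problem due to ICT security incident: disclosure of confidential data (OUT_disclosure),
2. variables characterizing the expenditures of DEA:
- Enterprises using any ICT security measure (IN_measure),
- Enterprises having insurance against ICT security incidents (IN_insurance),
- Enterprise's ICT security policy was defined or most recently reviewed within the last 12 months (IN_policy),
- Enterprises make persons employed aware of their obligations in ICT security related issues (IN_obligations),
- In the enterprises the ICT security related activities are carried out by own employees or external suppliers (IN_suppliers).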
The "Enterprises did not experience any problem due to ICT security incidents: unavailability of ICT services" (OUT_unavailability) variable shows the share of enterprises which use computers and which in 2019 did not report any unavailability of ICT services due to overloads, failures and human errors occurring during introduction of updates (including in networks, applications, configuration). Continuous availability of ICT services can be ensured by means of adequately efficient hardware and systems as well as through creating redundant configurations, where key computer system components (including inter alia servers, network and security devices) are composed of many elements, so that when one element fails, another operational element can take over its tasks.
The "Enterprises did not experience any problems due to ICT security incidents: destruction or corruption of data" (OUT_destruction) variable shows the share of enterprises which use computers and which in 2019 did not report any destruction or corruption of data due to, mainly, software or physical destruction or damage of data carriers.
Since the methods of destruction or corruption employed do not always allow recovery of data, enterprises should avoid situations which may lead to loss of data.
The "Enterprises did not experience any problems due to ICT security incidents: disclosure of confidential data" (OUT_disclosure) variable shows the share of enterprises which use computers and which in 2019 did not lose any confidential data. Safeguarding information which is critical to further operations and the future of an enterprise is fundamental to running a business.
Confidentiality most often covers commercial and financial information, business development plans and strategies, customer and contractor databases, product and service information as well as the related know-how.
The obligation to keep such information confidential rests on employees as well as contractors and clients to whom it is provided when establishing cooperation (e.g. during negotiations) and thereafter.
Therefore, the effect-related variables express the security level achieved by enterprises for their computer systems with respect to individual functions of these systems as well as confidential information gathered and processed there. These effects are ensured by putting in place appropriate procedures and deploying methods and technologies which ensure correct and efficient implementation of these procedures. The expenditure-related variables express capabilities of enterprises on the expenditure front. One should remember that perpetrators of security incidents (including insider criminals) can use the cyberspace only to a limited extent to generate threats by using gaps and vulnerabilities in security systems (Szczepaniuk et al, 2020). Therefore, actions taken can reduce the number of security incidents even further.
The "Enterprises using any ICT security measure" (IN_measure) variable shows the share of enterprises which use computers and which in 2019 used any ICT security measure, in particular: keeping the software (including operating systems) up-to-date; user identification and authentication via biometric methods implemented by the enterprise; encryption techniques for data, documents or e-mails; data backup to a separate location (including backup to the cloud); network access control (management of access by devices and users to the enterprise's network); VPN (a Virtual Private Network extends a private network across a public network to enable secure exchange of data over the public network); maintaining log files for analysis after security incidents; ICT risk assessment, i.e. periodic assessment of the probability and consequences of ICT security incidents; ICT security tests. The "Enterprises having insurance against ICT security incidents" (IN_insurance) variable shows the share of enterprises which use computers and which in 2019 implemented the security method involving transfer of effects of security incidents onto other entities. Having such insurance allows minimisation of losses which may arise in the event of an incident or a series of incidents that directly jeopardise information security, especially such aspects as confidentiality, integrity and availability.

The "Enterprise's ICT security policy was defined or most recently reviewed within the last 12 months" (IN_policy) variable shows the share of enterprises which use computers and which in 2019 developed or verified their security policies.
A key instrument to reduce information security threats is to create, deploy and enforce information security policies (Jaeger et al, 2020). An information security policy is an internal document to ensure information asset and information technology security with a specific procedure to support the organization's objectives (Angraini et al, 2019). A security policy includes a list of physical and technical safeguards, data processing locations, and information on personal data processing software. A security policy also includes the assessment of information security threats, which is among the key obligations of decision-makers in the area of information security (Schmitz & Pape, 2020), and it should take into account stakeholder feedback regarding the security methods deployed (Samonas et al, 2020). Employees' non-compliance with organisational information security policy has become the main reason for continuous security incidents (Liu et al, 2020).
The "Enterprises make persons employed aware of their obligations in ICT security related issues" (IN_obligations) variable shows the share of enterprises which use computers and which in 2019 implemented practices aimed at increasing their employees' awareness in ICT security related issues, e.g. by organising voluntary training or disseminating information within the company; organising mandatory training or obliging employees to familiarise themselves with information prepared by the employer; signing clauses or commitments. Information security training allows organisations to raise awareness among employees about ICT security best practices (Abraham & Chengalur-Smith, 2019). Training is important for the development of employees' information security behaviour (Karjalainen et al, 2020). Currently, in information security, employee behavior and social factors are as important as the physical and logical resources of an organization (Shameli-Sendi, 2020).
The "In the enterprises the ICT security related activities are carried out by own employees or external suppliers" (IN_suppliers) variable shows the share of enterprises which use computers and which in 2019 employed ICT security personnel.
Enterprises can employ various strategies: they can either engage their own employees to take care of ICT security or commission this task to external entities. Whatever strategy is employed by an enterprise, personnel adequately trained in security procedures ensures the security of its ICT assets.
The analyses were made for the year 2019 for small, medium and large enterprises. The enterprise structure approach will allow observing changes in the level of ICT security of enterprises depending on their size. Due to the availability and completeness of data, 28 EU countries for small and large enterprises and 27 EU countries for medium enterprises (excluding Portugal) will be analysed.

Stages of DEA modelling
Data Envelopment Analysis (DEA) is a non-parametric method for the measurement of efficiency in multidimensional situations. It allows evaluating the performance of a set of units called decision-making units (DMUs), which are characterised by multiple inputs and outputs (Zu et al, 2018).
DEA provides for finding the best combination of resources held within a specific technology (Anokhin et al, 2011), i.e. determining the technical efficiency. At present, DEA is considered as one of the most effective approaches to evaluating unit efficiency (Chen, 2018;Premachandra et al, 2011).

DEA is a non-parametric method for the assessment of the efficiency of each set of comparable decision-making variants (Saen, 2010). DEA models provide for determining the efficiency of an object on the basis of an efficiency indicator taking into account multiple expenditures and results at the same time (Song et al, 2011).
In order to assess the technological efficiency of European Union countries, the author has:
1. defined set J of objects assessed O1, …, Oj, J=28,
2. defined set R of the results to be the basis for the efficiency assessment of the objects examined, R=3,
3. determined set N of expenditures which allow achieving the pre-determined results, N=5,
4. defined the volume of the object-specific results yrj (r = 1, 2, 3, j = 1, …, 28) and expenditures xnj (n = 1, …, 5, j = 1, …, 28),
5. defined the relative technological efficiency for respective objects.
One must bear in mind that expenditures are the amounts, which allow achieving certain operating results and do not have to be considered in terms of accounting, finances or productivity analysis. In other words, they are a physical quantity, which should ceteris paribus be increased in order to increase the result. In turn, the term "technological efficiency" means the effectiveness of transforming expenditures into results. The technology of an object will therefore be its vector of empirical expenditures and results.
The technological efficiency has been assessed on the basis of the indicator understood as the ratio of the results to the value of expenditures, calculated in accordance with the following formula:

Results
The results for the assumed variables are presented in Table 1. Due to the interpretation possibilities, only the optimal values of the expenditure level factor are given. The value of the optimal factor ô lower than one means that the optimal expenditures of the shared technology necessary to achieve results at the level corresponding to those achieved by the object examined are not greater than the expenditures actually incurred by that object. Therefore, one can say that the object examined has achieved given results with the use of more expenditures than required, and thus it is not fully efficient.
The object's non-efficiency level can be defined as 1-ô. Where the optimal factor ô equals one, the optimal expenditures necessary to achieve the effects which occurred in the object concerned are the same as the actual expenditures of that object, which means that the object is fully efficient. One can therefore say that the optimal expenditures are the expenditures of a fully efficient object.
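How an optimal factor of this kind is obtained, as an added example that is not the authors' code or data: it assumes the standard expenditure-oriented (input-oriented) CCR envelopment program, since the paper's own formula is not reproduced on this page, and solves it exactly by enumerating vertices, which is only practical for a handful of objects. The names `solve`, `ccr_input` and `report` and all figures are constructed for illustration.

```python
from fractions import Fraction as F
from itertools import combinations

def solve(A, b):
    """Solve the square system A z = b exactly (Gauss-Jordan); None if singular."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = next((r for r in range(c, n) if M[r][c] != 0), None)
        if p is None:
            return None
        M[c], M[p] = M[p], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                M[r] = [a - M[r][c] * q for a, q in zip(M[r], M[c])]
    return [row[n] for row in M]

def ccr_input(X, Y, k):
    """min o  s.t.  sum_j lam_j*x_nj <= o*x_nk,  sum_j lam_j*y_rj >= y_rk,  lam >= 0."""
    J, N, R = len(X), len(X[0]), len(Y[0])
    m = N + R
    # Equality form columns: o, lam_1..lam_J, expenditure slacks, result surpluses.
    cols = [[-F(x) for x in X[k]] + [F(0)] * R]
    cols += [[F(v) for v in X[j] + Y[j]] for j in range(J)]
    cols += [[F((i == c) * (1 if i < N else -1)) for i in range(m)] for c in range(m)]
    b = [F(0)] * N + [F(y) for y in Y[k]]
    best = None
    for basis in combinations(range(len(cols)), m):  # enumerate candidate vertices
        # With positive data o must be in the basis (o = 0 cannot yield results).
        z = solve([[cols[c][i] for c in basis] for i in range(m)], b) if 0 in basis else None
        if z is not None and min(z) >= 0 and (best is None or z[0] < best[0]):
            val = dict(zip(basis, z))
            best = (z[0], [val.get(j + 1, F(0)) for j in range(J)])
    return best

def report(X, Y):
    """Per object: (optimal factor, non-efficiency 1 - o, optimal expenditures X'lam)."""
    rows = []
    for k in range(len(X)):
        o, lam = ccr_input(X, Y, k)
        rows.append((o, 1 - o, [sum(l * x[n] for l, x in zip(lam, X)) for n in range(len(X[0]))]))
    return rows

# Constructed data (not Eurostat values): 4 objects, 2 expenditures, 2 results.
X = [[20, 40], [40, 20], [40, 40], [50, 50]]
Y = [[80, 60], [80, 60], [80, 60], [90, 90]]

for o, ineff, opt in report(X, Y):
    print(float(o), float(ineff), [float(v) for v in opt])
```

In the constructed data the first two objects are fully efficient, and the other two are matched by a shared technology built from them at 75% and 90% of their own expenditures.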
On analysing the efficiency indicators of small, medium and large enterprises, one can say that most EU countries are non-fully efficient in the area of ICT security. The lowest value of the efficiency indicator is observed for small enterprises, where it ranges from 0.8421 to 0.9914, and therefore is close to one. However, it is the expenditures and results in small enterprises where the largest number of fully efficient states can be observed. For all types of enterprises, fully efficient countries include Bulgaria, Estonia, Greece, Croatia, Romania and Slovenia. One can therefore assume that enterprises in those countries achieve their results in the area of ICT security through the optimal use of expenditures. Tables 2-4 show optimal technologies minimising expenditures in small, medium and large enterprises in non-efficient countries.
Table 4. Optimal technology (the optimal value as percentage of the empirical value) for large enterprises in non-efficient countries

Source: own calculations
Countries which participate in an optimal shared technology oriented to non-fully efficient countries can together achieve their results at lower expenditures, while:
- In optimal technologies of all non-fully efficient countries, the physical quantity of results of small, medium and large enterprises is slightly higher than the actual quantity. In the said optimal technologies, most results are at the same level as the one observed, and this applies particularly to the enterprises which were not affected by disclosure of confidential data. Deployment of an optimal shared technology in non-fully efficient countries would in turn cause the highest increase in the share of enterprises which did not report any problems with availability of ICT services compared to the actual value of that share.
- Among non-fully efficient countries, the calculated optimal expenditures related to having insurance against ICT security incidents and defining or reviewing the security policy within the last 12 months account for less than 50% of the empirical expenditures in a number of countries. This is true mainly for small and medium enterprises in such countries as Denmark, Ireland, Spain, France, Malta, the Netherlands, Austria, Finland, Sweden (for small enterprises) and Belgium, the Czech Republic, Denmark, Germany, Ireland, Spain, France, Italy, Luxembourg, Malta, the Netherlands, Austria, Finland, Sweden, the United Kingdom (for medium enterprises).
Based on the optimal technology, the authors evaluated surpluses and deficits of results with respect to the optimal amounts in non-efficient states, and the findings are presented in Tables 5-7. Slacks mean the difference between the optimal expenditures and ô-proportional expenditures. The expenditure slacks for the acceptable and optimal technologies result from Pareto non-optimality. In turn, the surplus of empirical expenditures is the difference between the empirical expenditures and ô-proportional expenditures.

Among small enterprises in countries which are not fully efficient in terms of ICT security, one can observe fairly large differences in the surpluses of individual expenditures understood as the difference between the empirical and optimal expenditures. The surplus peaks for expenditures related to insurance against ICT security incidents.
In the case of such countries as Denmark, Ireland, France, Malta, Finland and Sweden they should be reduced by more than 70%. Fairly large differences in the surpluses of individual expenditures can also be observed among medium enterprises in countries which are not fully efficient in terms of ICT security. It peaks for expenditures related to having insurance against ICT security incidents and ICT security policy. In such countries as Ireland, France, Spain, Luxembourg, Malta, Finland and Sweden the reduction should be relatively larger than in the case of other expenditures. Among large enterprises in countries which are not fully efficient in terms of ICT security, one can observe much smaller differences in the surpluses of individual expenditures than in the case of small and medium enterprises. The surplus peaks for expenditures related to having an ICT security policy and actions taken to make persons employed aware of their obligations in ICT security related issues.
The authors positively verified, by means of empirical studies, the hypotheses regarding the possibility of identification of a system of measures for the assessment of ICT security in enterprises and the assessment of the ICT security level in enterprises in spatial terms with the use of appropriate tools that allow identifying countries where the level of ICT security in enterprises requires improvement and that provide for identifying the threshold objects in the test group. To assess ICT security in small, medium and large enterprises in geographical terms, the authors used DEA models which allowed assessing the enterprise security system in a number of terms, in particular with multiple expenditures and results based on the technical efficiency. The technical efficiency has been determined through the relation between the productivity of the object concerned and the productivity of the object considered as fully efficient. The efficiency thus determined showed the actual relation between the benefits and expenditures with reference to the maximum level that can be reached in specific technological conditions. The studies allowed the author to identify both DEA expenditures and achieved results. The expenditures and results have been referenced to the share of enterprises, which did not report any security incidents, and to the share of enterprises, which deployed specific methods to prevent such incidents. The share of enterprises which did not report any ICT risks has been considered as the result of deployment of information security systems in enterprises because, although an increasing number of more and more sophisticated safeguards are being applied, organisations still experience information security related incidents.
The research allowed identifying countries where ICT security results were achieved with the optimum combination of expenditures, i.e. the so-called fully efficient countries. Countries which are fully efficient in terms of ICT security in enterprises are in Central and Eastern Europe, and therefore are less economically developed than other EU member states. This fact should not come as a surprise since enterprises active in economically developed countries more often apply much more advanced technologies than less developed countries, which makes them more vulnerable to cyberattacks (Li & Wu, 2020;Hughes et al, 2017;Jorgenson & Vu, 2016). Consequently, these enterprises are exposed to more security incidents, which translates into the need to incur much greater expenditures on information security.
The studies are also very important from the perspective of technical efficiency of ICT security actions. Identification of the possibilities of more effective planning of expenditures to achieve a specific level of ICT security can contribute to the improvement of their information risk management systems deployed.
Furthermore, the findings of the studies can be used for identifying the best practices in determining expenditures and results in the area of ICT security. Indeed, it is highlighted that DEA is the best tool for identifying the best practices or success, as it allows finding the best combination of resources held within a given technology.
The efficiency of ICT security measures undertaken by enterprises is a key concern for the management of entities. Digital technologies are spreading and enterprises need to continually watch out for ICT security matters. ICT technologies open up numerous new opportunities for enterprises. However, management should focus on designing and maintaining effective security procedures to ensure adequate protection for their organization.

Limitations and future research
The theoretical deliberations and analyses regarding the ICT security level in the context of technical efficiency presented in this paper cannot be considered as exhaustive and closed. The multitude and variety of information security problems in economic entities, coupled with the lack of clear solutions in this respect, require further research and studies. In the future, it would be advisable to identify barriers and possibilities regarding the development of ICT security systems in small, medium and large enterprises. It would also be appropriate to analyse the level of the results and expenditures in the context of technical efficiency over the last several years. Taken dynamically, it would provide for observing changes in the level of ICT security in enterprises over the years. Future studies should also focus on defining good practices to provide enterprises with adequate safeguards against data security breaches.