Security Industry Monitor March 2014

For additional information on our Security Team, please contact:

John E. Mack III Co-head, Group Head of (310) 246-3705

Michael McManus Managing Director, Investment Banking Group (310) 246-3702

PLEASE SEE IMPORTANT DISCLOSURES ON LAST PAGE

About Imperial Capital, LLC

Imperial Capital is a full-service investment bank offering a uniquely integrated platform of comprehensive services to institutional investors and middle market companies. We offer sophisticated sales and trading services to institutional investors and a wide range of investment banking advisory, capital markets and restructuring services to middle market corporate clients. We also provide proprietary research across an issuer’s capital structure, including bank debt, debt securities, hybrid securities, preferred and common equity and special situations claims. Our comprehensive and integrated service platform, expertise across the full capital structure, and deep industry sector knowledge enable us to provide clients with superior advisory services, capital markets insight, investment ideas and trade execution. We are quick to identify opportunities under any market conditions and we have a proven track record of offering creative, proprietary solutions to our clients.

Imperial Capital’s expertise includes the following sectors: Aerospace, Defense & Government Services, Airlines & Transportation, Business Services, Consumer, Energy (Clean Energy and Traditional Energy), Financial Services, Gaming & Leisure, General Industrials, Healthcare, Homebuilding & Real Estate, Media & Telecommunications, Security & Homeland Security and Technology.

Imperial Capital has three principal businesses: Investment Banking, Institutional Sales & Trading and Institutional Research.

For additional information, please visit our Web site at www.imperialcapital.com.

Table of Contents

Section I Executive Summary
° Defining the Security Industry
° Macroeconomic Overview
° Equity Performance and Valuation
° M&A Snapshot
° Public Debt and Equity Offerings Snapshot
° Registered Direct and Private Placement Snapshot
° Bankruptcies Snapshot
° Security Industry Transactions Outlook
° Physical Solutions Overview
° Identity Solutions Overview
° Information Security Overview

Section II Physical Security Sector
° Sector Outlook and Commentary
° M&A Review and Outlook
° Notable Middle Market Transactions
° Registered Direct and Private Placement Snapshot
° Public and 144A Debt and Equity Offering Snapshot
° Bankruptcies

Section III Identity Solutions Sector
° Sector Outlook and Commentary
° M&A Review and Outlook
° Notable Middle Market Transactions
° Registered Direct and Private Placement Snapshot
° Public Debt and Equity Offering Snapshot
° Bankruptcies

Section IV Information Security Sector
° Sector Outlook and Commentary
° M&A Review and Outlook
° Notable Middle Market Transactions
° Registered Direct and Private Placement Snapshot
° Public Debt and Equity Offering Snapshot
° Bankruptcies

Section V Appendix
° Comparable Companies
° Valuations—Security Industry Companies

Disclosures

Section I Executive Summary

Defining the Security Industry

Our Security Industry Monitor primarily focuses on and discusses the dynamics affecting the industry’s major sectors, as well as key developments and transaction trends.

According to the results of a recent study released by a leading industry trade organization, ASIS International (its first major study in nearly a decade and the largest industry report since the Hallcrest report in 1990), and the Institute of Finance and Management (IOFM), the U.S. security industry is a $350 billion market (versus our estimate of a $280 billion market at the end user level). The majority of the market consists of private sector spending ($282 billion) followed by federal government spending on homeland security ($69 billion). The major reason for the difference in the ASIS report and our industry estimate (at the user level) is that ASIS fully accounts for all homeland security (including Department of Defense (DoD)) spending, noted above, and we only provide for $4 billion of products and services sold to homeland security-specific users. According to ASIS, over 400 security industry executives participated in the survey.

Within the physical security sector, we discuss the need for a more meaningful conversation at the highest levels of clients’ organizational chart to communicate the security industry’s potential contribution toward efficiency, cost, and business process improvements. We discuss the increasing global demand for security equipment and the expansion of the security industry. Government agencies are increasingly leveraging communications intelligence and investigative solutions to gather evidence and generate actionable intelligence, thus reflecting the need to make sense of unstructured data from multiple sources. We expand our writing to discuss the challenges facing the integrators, the state of the home automation (post-Nest acquisition), and residential security monitoring industry, the convergence of and electronic locks, including the potential use of Bluetooth Low Energy and Near Field Communication (NFC). With new and innovative technologies expanding the home services suite of offerings, users are able to see and hear their monitored premises from a remote device. We highlight this fast moving industry, and look at the historical trading ranges of select security companies based on Steady State Net Operating Cash Flow, along with why this metric is widely used and valid. The public emergency response sector has received much attention from recent events (e.g. Sandy Hook school shooting, Boston Marathon bombing), and we examine its various components, ranging from “Safe City Programs” to Mass Notification Systems (MNS) to wireless infrastructure to Physical Security Information Management (PSIM) systems. We complete this segment by discussing the security officer industry and the trends within it.

Within the identity solutions sector, we highlight identity and access management in the cloud, and the complexities which have risen. We discuss new developments in biometrics technology, particularly in fingerprint, which may overcome many of the real world deployment challenges and could drive broader adoption by commercial and institutional customers. Anti-counterfeiting and other relevant case studies are also highlighted.

Within the information security sector, we discuss the escalation in the volume and sophistication of attacks, which is driving broad-based market demand for more effective security solutions beyond traditional, signature-based defenses. The sector gained particular attention recently with one of the largest and most publicized data breaches in history at national retailer Target in December 2013. This breach impacted a substantial portion of the American public and made news headlines, elevating security from an “IT” problem to a strategic issue for the executive leadership and boards of numerous consumer-facing organizations. This attack was a major topic at this year’s RSA Conference in February 2014, one of the premier annual industry events, which saw strong expansion in attendance to approximately 30,000 people, up from 24,000 in 2013. In this monitor, we highlight several of the key themes at the conference, as well as emerging trends and challenges for the sector. We additionally discuss the details of the Target breach, which demonstrated the security challenges facing large organizations with complex IT infrastructures—even those with top-tier defenses. We also highlight increased prioritization of cybersecurity by the federal government based on details of the President’s budget request for FY2015. We particularly note significant expansion of the EINSTEIN3 and Continuous Diagnostics and Mitigation (CDM) programs which aim to provide ongoing situational awareness to protect federal civilian agencies and “.gov” networks. We also discuss the strong momentum of industry consolidation, with two major transactions since the beginning of the year. We anticipate further strategic acquisition activity over the coming quarters, as larger technology companies and security vendors seek to integrate new security technologies and to achieve early penetration of emerging categories.

Across the Security Industry, we cover three main sectors:

° Physical Security (integration, monitoring, video solutions, guards, and armored transport)
° Identity Solutions (ID management, biometrics, ID/video convergence)
° Information Security (Security-as-a-Service, encryption, attack mitigation, and endpoint)

Homeland Security spans all three sectors.

Figure 1: A Massive, Multi-Segment, and Fragmented Industry with $280+ Billion in End User Revenues

Sources: Imperial Capital, LLC.

Macroeconomic Overview

Real U.S. GDP grew for the eighteenth straight quarter, up 2.4% sequentially during the fourth quarter of 2013 and up 4.1% sequentially during the third quarter of 2013, according to the U.S. Bureau of Economic Analysis (BEA). GDP growth was bolstered by exports and commercial equipment and investment, which grew 9.4% and 10.6%, respectively, in the fourth quarter of 2013. Commercial construction also showed some signs of strength, up 0.2% and 3.4% in the fourth and third quarters of 2013, respectively. Government consumption expenditures and gross investment continued to lag in the fourth quarter of 2013, down 5.6% sequentially versus 6.5% in the fourth quarter of 2012.

Figure 2: GDP Components, Annualized Quarterly Changes, Fourth Quarter 2013 versus Fourth Quarter 2012

[Bar chart comparing 4Q12 and 4Q13; categories: Personal consumption expenditures, Residential Construction, Commercial Construction, Equipment and software, Exports, Imports, National defense, Nondefense, State and local; vertical axis from -40% to 40%.]

Sources: U.S. Bureau of Economic Analysis.

° Commercial equipment and software spending remained positive, while commercial construction continued to recover from a major drop

Commercial construction strengthened a modest 0.2% in the fourth quarter of 2013 after recovering from a 25% drop in the first quarter of 2013. Commercial equipment and software investment was up 10.6% in the fourth quarter of 2013, its largest sequential increase since a 14.6% increase in the fourth quarter of 2012. Exports surged 9.4% in the fourth quarter of 2013 while imports jumped by 1.5%. Federal spending again decreased, down 12.8%. State and local government spending saw a small 0.5% drop in the fourth quarter of 2013.

Figure 3: Business Investment and State and Local Government Spending Trends, Annualized Quarterly Changes, Fourth Quarter 2011 to Fourth Quarter 2013

[Chart; series: Commercial Construction, Commercial Equipment and Software Investment, State and local; horizontal axis from 4Q11 to 4Q13; vertical axis from -30% to 20%.]

Sources: U.S. Bureau of Economic Analysis.

Equity Performance and Valuation

° The relative stock returns of the Security Industry comparable companies that we analyzed generally fell behind the S&P 500 during the fourth quarter of 2013 but outperformed the index for the year

From December 2004 through December 2009, the select group of Security Industry comparable companies that we analyzed outperformed the S&P 500 (see the Appendix of this report for more detail on the composition of the select group), but fell along with the overall market in 2008 partly due to an (ultimately erroneous) expectation among many investors that residential monitoring would suffer in a poor housing environment. Since the markets hit a 12-year low in March 2009, the select group of Security Industry comparable companies that we have listed has generally exceeded the S&P 500’s return. Going forward, we continue to expect this select group of security companies to perform favorably versus the S&P 500 due to: 1) the perceived need for security in a more dangerous world, 2) the increasing ability of security to demonstrate return on investment (ROI) to business executives and consumer value to residential customers, 3) the significant improvements in service we expect due to the use and evolution of Internet Protocol (IP) and interactive technologies, and 4) a sustained robust M&A environment for the sector.

° Security Industry valuations have increased from 2012 with increases in Physical Security, Identity Solutions as well as Information Security

Security Industry valuations, based on EV/LTM EBITDA at the end of the fourth quarter of 2013, were up by 16.8% compared to the prior year, driven by multiple increases in the Physical Security, Identity Solutions and Information Security sectors, which increased 15.2%, 43.1% and 0.8%, respectively.

Figure 4: Valuation Multiples, EV/LTM EBITDA, Fourth Quarter 2013 versus Fourth Quarter 2012

Industry / Sectors | December 31, 2012 | December 31, 2013 | Year-over-Year Change
Security Industry | 9.0x | 10.8x | 20.0%
Physical Security Sector | 8.8x | 10.1x | 15.2%
Identity Solutions Sector | 8.0x | 11.4x | 43.1%
Information Security Sector | 10.2x | 10.9x | 6.2%

Notes: Measured relative to period ending 6/30/13; LTM EBITDA based on reported financial results as of the date of this report. Companies used to generate these multiples are listed in the Appendix of this report. Sources: Imperial Capital, LLC and Capital IQ.

° Public valuations in the Physical Security sector increased significantly in the fourth quarter of 2013 compared to the same period in 2012

The Physical Security sector tends to have steadier and more predictable cash flows versus other Security segments as a result of its recurring revenue and relative maturity. Physical Security valuations hit a historical low during the first quarter of 2009, but rebounded significantly in 2010 despite market volatility earlier in that year. After several high-profile M&A transactions in the alarm monitoring space pushed valuations up during the end of 2010 and the beginning of 2011, valuations declined during the second half of 2011. During 2013, the sector’s average LTM EV/EBITDA multiple rebounded strongly to 11.3x from 9.6x during the same time in 2012, which is currently above the long-term average of 9.6x. This has been driven by increased M&A, a rebound in installation activity, higher stock prices, low interest rates and a long-term bull stock market.

Figure 5: Physical Security Sector Historical EBITDA Multiples, December 2008 to December 2013 (1)

[Chart of EV / LTM EBITDA; series: Last Twelve Months Mean, Long Term Average; vertical axis from 6.0x to 13.0x.]

(1) Companies used to generate these multiples are listed in the Appendix of this report. Sources: Imperial Capital, LLC and Capital IQ.

° Public valuations in the Identity Solutions sector strengthened significantly in the last two quarters of 2013

The Identity Solutions companies that we analyzed traded at 11.4x LTM EBITDA on average in the fourth quarter of 2013, up from 8.0x during the same period a year earlier, driven partly by several marquee M&A deals. Identity Solutions technology, from software to biometric equipment, is continuing to mature, as evidenced by its increasing adoption by an array of government and defense programs in response to increased security threats, international identification programs, as well as increased cloud-based hosted access and ID systems being installed by integrators for both government and commercial sites. The increase in valuation was also helped by a rising stock market and several M&A deals which stirred the sector.

Figure 6: Identity Solutions Sector Historical EBITDA Multiples, December 2008 to December 2013 (1)

[Chart of EV / LTM EBITDA; series: Last Twelve Months Mean, Long Term Average; vertical axis from 5.0x to 12.0x.]

(1) Companies used to generate these multiples are listed in the Appendix of this report. Sources: Imperial Capital, LLC and Capital IQ.

° Public valuations in the Information Security sector rose year over year in the fourth quarter of 2013

Public valuations in the Information Security sector rose 6.2% from the comparable period in 2012 on an EV/LTM EBITDA basis. Valuations steadily traded below their long-term historical averages for the entirety of 2013. In late 2010 and early 2011, several M&A transactions provided a short-term increase to valuations, which was not repeated in 2012. Unfortunately, the information security sector is really a tale of two separate valuation worlds. Broad-based increases in budget outlays against cybercrime and M&A have been helped by strong performers such as Palo Alto Networks, Qualys, Fortinet, Proofpoint, and Imperva. Unfortunately, cutbacks in government-related IT programs have adversely affected or blunted valuation growth in larger index companies, such as Symantec, IBM, Hewlett Packard, CA Technologies, and Juniper Networks.

Figure 7: Information Security Sector Historical EBITDA Multiples, December 2008 to December 2013 (1)

[Chart of EV / LTM EBITDA; series: Last Twelve Months Mean, Long Term Average; vertical axis from 6.0x to 14.0x.]

(1) Companies used to generate these multiples are listed in the Appendix of this report. Sources: Imperial Capital, LLC and Capital IQ.

M&A Snapshot

° The fourth quarter of 2013 saw an increase in the number of transactions compared to the third quarter of 2013

There was a large increase in the number of transactions in the fourth quarter of 2013 from both the previous quarter and the comparable quarter in 2012. The M&A market rebounded during 2013, largely due to lower interest rates, a recovering economy and a bull market. Overall, the value of M&A deals in 2013 was approximately $5.0 billion. The average value of a deal has increased from $120 million in 2011 to $147 million in 2013.

Figure 8: Historical M&A Transactions in the Security Industry, Fourth Quarter 2010 to Fourth Quarter 2013

[Chart of quarterly transaction counts, Q4 2010 to Q4 2013; series: Physical Security Sector, Identity Solutions Sector, Information Security Sector; vertical axis from 0 to 180.]

Sources: Imperial Capital, LLC and Capital IQ.

Public Debt and Equity Offerings Snapshot

° Public offerings in the fourth quarter of 2013 increased quarter over quarter as well as year over year

The fourth quarter of 2013 saw an increase in public offerings after a sharp decrease in the first quarter. Public offering activity has rebounded significantly due to robust capital markets in CY2013.

Figure 9: Public Offering Transactions in the Security Industry, Fourth Quarter 2010 to Fourth Quarter 2013

[Bar chart of quarterly public offering transaction counts, Q4 2010 to Q4 2013; vertical axis from 0 to 70.]

Sources: Imperial Capital, LLC and Capital IQ.

Registered Direct and Private Placement Snapshot

° Registered direct offerings and private placements in the Security Industry increased to more historic averages in the last two quarters of 2013

The fourth quarter 2013 saw the most registered direct and private placements compared to the previous four quarters, continuing an upward trend.

Figure 10: Historical Registered Direct and Private Placement Transactions in the Security Industry, Fourth Quarter 2010 to Fourth Quarter 2013

[Bar chart of quarterly registered direct and private placement transaction counts, Q4 2010 to Q4 2013; vertical axis from 0 to 200.]

Sources: Imperial Capital, LLC and Capital IQ.

Bankruptcies Snapshot

° Bankruptcies have decreased significantly since their high in 2011, as the economic and market recoveries have driven an improved operating environment and access to capital markets

During the second half of 2013, there were two bankruptcies in the industry.

Figure 11: Historical Bankruptcy Transactions in the Security Industry, Fourth Quarter 2010 to Fourth Quarter 2013

[Bar chart of quarterly bankruptcy counts, Q4 2010 to Q4 2013; vertical axis from 0 to 7.]

Sources: Imperial Capital, LLC and Capital IQ.

Security Industry Transactions Outlook

Figure 12: Security Industry Transactions Outlook

[Table of trend arrows; columns: IPO and Secondary Offerings, Strategic and Private Equity M&A, Registered Direct and Private Placements, Bankruptcies; rows: Physical Security, Identity Solutions, Information Security.]

*Arrows reflect what we view as current trends for each of these areas. Sources: Imperial Capital, LLC.

Physical Solutions Overview

Physical Security Services M&A transactions were higher in the fourth quarter of 2013, compared to the fourth quarter of 2012. There was one initial public offering (IPO) and a low number of secondary offerings and private placements.

° IPO and secondary offerings

There were numerous Physical Security equity and debt secondary offerings in the second half of 2013.

° Strategic and private equity M&A

Physical Security Services M&A transactions were higher in the fourth quarter of 2013.

° Registered direct and private placements

The market for private placements rebounded for the Physical Security Industry during the fourth quarter of 2013, up year over year.

° Bankruptcies

There were three bankruptcies in the Physical Security space in the second half of 2013.

Identity Solutions Overview

Activity in the Identity Solutions sector was driven primarily by M&A transactions. Both public offerings and private placements increased from the comparable prior year period.

° IPO and secondary offerings

RX Safes, maker of fingerprint medical security storage solutions for consumers and healthcare professionals, filed its IPO in February 2014.

° Strategic and private equity M&A

Identity Solutions M&A experienced an increase in volume in the fourth quarter 2013, compared to the first quarter.

° Registered direct and private placements

The volume of transactions in the Identity Solutions sector increased in the fourth quarter of 2013, compared to the fourth quarter of 2012.

° Bankruptcies

There were no significant Identity Solutions bankruptcies during the fourth quarter of 2013.

Information Security Overview

Transaction volumes increased in the fourth quarter of 2013 over the fourth quarter of 2012.

° Initial public offerings and secondary offerings

FireEye, Inc. raised $321 million in an initial public offering on September 20, 2013. The company subsequently raised $442 million in a follow-on offering on March 7, 2014.

Barracuda Networks, Inc. raised $75 million in an initial public offering on November 12, 2013.

Varonis Systems, Inc. raised $95 million in an initial public offering on February 28, 2014.

° Strategic and private equity M&A

M&A activity increased in the fourth quarter of 2013, compared to the fourth quarter of 2012.

° Registered direct and private placements

Private placement activity in the fourth quarter of 2013 increased significantly from the fourth quarter of 2012.

° Bankruptcies

There were no significant Information Security bankruptcies during the fourth quarter of 2013.

Section II Physical Security Sector

Sector Outlook and Commentary

Looking Back at 2013—A Decent Year—The Best Since 2008

In residential security, the industry experienced higher than expected “take” rates of base level wireless interactive systems by residential users of monitoring systems. This had the effect of bolstering our case of a minimum doubling in 6-7 years of the current 25 million homes using some form of security or home automation system. The side issues arising from this acceleration in take rates include the fading value of POTS-line based security systems, the generally higher costs to install cellular raising creation cost multiples initially, and the emerging value of “the platform” rather than the device as prime center of value in the residential system.

In commercial/industrial/institutional we saw what we defined as the first multiple separation from the pack of superior integrators who ask for, and price for full services value, rather than just installation and break-fix service margins. While we have written about this trend for several years, before 2013 the ability to demand full margins was usually the province of just one or two outliers. We now see several security integration companies being recognized as trusted service partners by leading, sophisticated end users, who testify at meetings featuring end users like the “Security 500” (New York) and “The Great Conversation” (Seattle).

In 2013, we witnessed steady gains (actually rather dramatic in the context of their history), even faster than video, in development and acceptance of wireless, interactive, electronic lock and access control and identity systems, with multiple types of form factors as credentials. Relative to its conservative nature, the changes in access and locking technologies could even be deemed relatively more dramatic than video. While we have yet to see what “killer” app will emerge as the winner, it is clear that the changes and flexibility for end users are going to grow significantly based on the acceleration in 2013.

Last year we witnessed the first real national media articles around the migration of the fight against infosec crime and terrorism into the physical realm, including identity solutions. Still undiscovered by the media is the fight by the DoD and certain leading integrators to deal with billions of dollars of substandard, cloned, recycled counterfeit parts in our critical military and commercial infrastructure. This has given rise, in some cases, to grudging acceptance of new-age marking and “provenance” technologies, such as DNA.

Looking Forward: We See Even More Acceleration in Physical Security Over the Next 12 Months

In the residential sector, we believe superior “platforms” for interactive home services will emerge that provide a more personal, easy-use experience for the end user. We already have the “basic upgrade” that allows one to turn on and turn off the system and perform other simple operations with their smart phone. Now that 2013 has provided high take rates in this area, we need to see which layers of apps end users are willing to pay for, and at what cost.

It will be a couple of years before we can prove out an attrition curve for the industry that proves out the thesis for lower attrition and better internal rate of return (IRR). However, we will see the first end-of-contract statistics coming in from companies like ADT and Vivint in late 2014 and into 2015.

We will also witness the beginning of an entirely new technology upgrade in remote health and personal emergency response devices and services as form factors become more compact and more integrated with sensors that passively detect vital signs. Competition to gain contracts with payers and health care providers, rather than the end user, will also heat up.

This year will also see the first major move by larger and better capitalized monitoring companies to upgrade radios to 3G from 2G, a necessary cost that may mean leaving smaller dealers even further behind.

In the commercial/industrial segment there will be continued bifurcation between the best and the rest, particularly by a few highly disciplined and focused integrators with superior “IT IQ”. They are in the best position to increase their services as a percentage of revenues, and increase margins, while the majority of the industry continues to experience falling profit margins.

We will continue to see an increase in the development of partnerships between video and access/locking/ID companies from a product standpoint, well before the integrators are brought in to incorporate the various offerings together.

We believe in 2014 there will be a breakout, separately, of several formerly strongly promoted technologies that have been enduring a decade of slow acceptance and “false” starts. This includes:

° Gateways for both the home and small business that drive value from the underlying platform, to a more “human” interface with a connected premises and the various devices that are part of the system. This includes devices that “learn” the behavior of the end users and provide more automated responses when things are as they should be, and warnings to the user (or to a monitoring center) when exception incidents and environments develop. This coincides with broader trends outside the security industry with the "internet of things" (IoT). IoT refers to the embedding of sensors in physical objects throughout the home or office, and being able to identify them in a virtual format, often using the same internet protocol which connects the internet. In this area Alarm.com is a notable leader.
° Radio frequency identification (RFID) in retail for asset tracking and inventory management, integrated with existing anti-theft technologies, an area where Checkpoint Systems (CKP) stands out after years of investments in this technology.
° “New-age” fingerprint technologies that have the ability to overcome virtually all the read problems of older “ridge” technologies and which are virtually error proof, such as Lumidigm which was recently sold to industry leader HID Global, a division of Assa Abloy.
° DNA anti-counterfeiting technology, in the retail, commercial, and government sectors, respectively, an area where Authentix, OpSec Security, Hologram Industries Group and Applied DNA Sciences are leaders.
° Continuing development of wireless, remotely interrogated locks and access control systems, with the developing question of what types of communications interfaces (i.e., NFC, Bluetooth Low Energy) will be preferred by manufacturers, integrators and end users down the road; an area where Brivo was an early pioneer.

We also believe that the leading independent “wholesale” alarm monitoring companies will continue to pick up business from cable companies and telcos who need other than generic CSRs providing response service. In addition, the leading independent monitoring companies will benefit from the increasing business they are getting from personal emergency response companies. According to Barnes Associates, the leading independent wholesale alarm monitoring companies grew 19% in 2013, well beyond the market as a whole, and the highest growth rate we have seen from this niche sector of the business.

22 March 2014

Security Industry Monitor Physical Security Sector

But Challenges Abound for The Above Predictions

The security industry has never been known to do things easily or quickly. There are a lot of reasons for this, but the main reason is an attempt to avoid errors when lives and valuable assets are at stake. In the past the industry was committed to silo-like, proprietary, analog equipment installed in an almost customized manner by integrators at the commercial level, and dealer/installers at the residential level. This has mostly (but not completely) changed with the advent of IP networks, driving down product margins, but building up service margins when the value proposition could be properly made to someone much higher than a security manager. This has led to the fast-expanding market for managed services business models for (SaaS).

Another challenge, in the IT world, involves getting large and small end users to finally recognize that password use is slowly dying, and that “next gen” authentication is critically needed to protect physical assets as well as IT assets.

We believe, based on our continuous checks with the industry channels, that too many manufacturers still do not do enough work to combine standards that are being developed with partnerships to their channels. True, this means giving up gross margin (i.e., standards), but it also means a larger market for all and more business for those that do develop these relationships under standards. Having the “best” product, does not necessarily mean that your company is collaborating enough externally to provide the best communication and solution to the integrator—or to the end user. We continue to see companies not willing enough to give up some profit to standards or to other partners who might add that extra value to put the proposal over the top. In other words, too many manufacturers still want as much of the 100% of the share of the sale as they can get, when getting 30% or 50% of a similar or much larger sale or larger market may lead to a higher level of service revenue and a longer, stickier customer life.

Another challenge will be for Video as a Service (VSaaS) and other hosted, cloud-based solutions to prove out solutions to both security and ROI concerns at scale to meet elevated expectations of what VSaaS can bring to the value proposition, and create higher market share for companies trying to sell a cloud-based solution, either hosted or premises based.

In residential security, there are a number of challenges that have developed with wireless interactive systems. We do not believe that the top tier of the residential security companies is at risk of disintermediation by cable and telecom companies, simply because we believe the market will be expanding rapidly enough to allow for future growth within the residential security companies. Those price-sensitive users who really just want to make their overall home experience a little easier and who are not generally discriminating consumers will choose a lower-priced telecom or cable service provider. We believe the majority of consumers or minority (users who value life safety, service and response) will want to make sure they receive verified, high-quality response, even if it means paying a higher price.

Cable and telecom companies trying to add home services revenues to their existing “triple play” base may also face their own challenges. Google has already run very high speed fiber into three cities (Kansas City, Missouri; Austin, Texas; and Provo, Utah), and has targeted several dozen more for 2014. This cannot be good news for a cable company that depends on its existing base of triple-play users to leverage advertising, lower upfront costs and lower monthly costs against the incumbent security companies.


There are already cost challenges to consider as residential moves increasingly toward interactive wireless systems. It is 20-25% more expensive to install cellular compared to Plain Old Telephone Service (POTS) systems, although that can be partially offset by less installation time. This can be overcome by simply selling more apps and getting more recurring monthly revenue (RMR) upfront—not always the easiest thing to do with Telco and Cable companies advertising at lower prices. This can be overcome by investing in technology to lower even further the time and the labor involved in installing the new systems. Finally, we are seeing lower creation cost multiples from residential companies who have very high percentages of their base already installed with cellular systems.

Commercial/Industrial Sector Review: Key Conferences Discuss the Need for Integrating Far More Than Security Devices. Reviews of “Securing New Ground” and “The Great Conversation”

New technologies and secular trends for video products and video management, access control, identity management, data management, and analytics are only a small part of what is transforming the “physical” security sector into something more akin to “electronic” security. Indeed, even once prosaic door locks can now be integrated with sophisticated access control technology and can “talk” with a company’s network. Along with new standards, technology developments are increasingly driving the proliferation of innovative products and interactive services. However, while these industry changes have the potential to substantially expand the addressable market opportunity, they may also be outrunning many companies’ abilities to clearly install, integrate, and then make the data easily accessible to and understood by the client. The ability to first have a conversation with company executives, rather than physical security managers, and then to make the steps to integrate with other corporate services (e.g., IT, human resources) is crucial to generating stickier, long-term, recurring revenue streams at higher (35%-plus) gross margins over the long term. Bridging this chasm is becoming critical, particularly given shrinking margins for traditional installations and products.

Securing New Ground: New York, November 3-5, 2013

We participated in a discussion panel on security company valuations at the 18th annual Securing New Ground Conference, which was held at the Sheraton New York Times Square Hotel in New York City from November 5, 2013 through November 6, 2013. Securing New Ground is one of the leading security industry conferences (now owned and operated by the Security Industry Association, SIA), and it includes select security industry executives. The key themes driving both commercial and residential security investment were the most positive we have seen since 2006-2007.

° Themes at Securing New Ground Integral to Success of Security Companies

Based on the conversations we had and the presentations which we attended, we see five key elements which could be integral for any Security company aiming to increase competitiveness: 1) using multiple services, with high value content, as a key differentiator; 2) infusion of mobility, SaaS, and other “cloud” solutions within suites of products and services, especially as it relates to access control, video, monitoring, data analytics for specific vertical markets, and other key services; 3) becoming an “extension” of the customer and taking the customers into an “environment” where they can participate in discussing “design” of their own security ecosystem; 4) taking the time to understand what the end user needs and expanding the circle of solutions; and 5) driving the four previous points to ensure a business conversation with a potential end user at the “C-Level” or IT-HR-Building Services level, and not at the lower margin security director level.


The Great Conversation, Seattle, March 3-4, 2014

The Great Conversation, hosted annually by Aronson Security Group, a Seattle-based, rapidly growing “thought leader” in the security integration community, is based on the reality that success in the commercial security installation and integration industry requires a more meaningful conversation at the highest levels of a client’s organizational chart. The industry has to show to institutional, commercial, and industrial end users that it contributes to a more efficient, less expensive, and yes—a safer—operation. Security companies that can bridge the gap from “” and “compliance” cost center to what calls a “Trusted Advisor” (or at the very top of the value chain “Trusted Leader”), can, in our opinion, generate far higher margins and keep their clients far longer. This is not easy, but we learned a lot about how to approach this at a recent annual conference of security industry thought leaders, The Great Conversation.

At the 2014 Great Conversation, we participated in a panel on the “State of the Industry” featuring:
° Microsoft’s Senior Director of Technology & Investigations, Brian Tuskin, who oversees the Security Technology, Investigations, and Communications for the Microsoft Global Security team
° Larry Trittschuh, Executive Director, Threat Management General Electric
° Francis D’Addario, Security Executive Council

All of these participants must deal with a wide range of partners to help secure their networks, ensure safe travel for employees, and secure and permit access to facilities.

The Great Conversation, in our view, focuses not so much on the technology, but on what processes and people are needed with the IT IQ who can talk to the “C-Suite” and potential clients. A group of security companies that have adopted IT IQ have become the model for developing an environment where the interoperability of the company’s “culture” with the end user’s own needs create recognition and high trust with the client. The trust brings long-lived relationships and the potential for not just higher margins, but significant recurring revenues (beyond break-fix and maintenance). While we have already observed this in residential, we are starting to see this in the types of proposals and value propositions within those proposals to make over security into one of the key business process improvement drivers.

For example, Microsoft has 180,000 employees, 90,000 independent contractors, and 700 facilities. Microsoft will look at outside partners as those who, starting from the bottom, take care of 1) tactical activities, then 2) subject matter expertise. Where the company appears to take the next step in terms of partnering comes at a higher level of strategic thinking and a longer-lived relationship as a 3) “Trusted Advisor,” and finally 4) as a “Trusted Leader.” This highest level is where we believe the relationship with companies like Aronson has evolved.

Home Automation Overview

° Who will benefit and who will be challenged by the Google-Nest transaction?

In our January 2014 White Paper, “Home Automation: The Players in Post Google-Nest Environment,” we set out to explain the implications of Google’s acquisition of Nest Labs for $3.2 billion, which signaled to us that the value of connecting many services and devices in the home far exceeds that of the devices and applications. We asked why Google has stressed that a fully connected home is a cornerstone in the developing IoT.


° Imperial Capital Estimates on Size of Home Services Market 2013-2020

The SDM Magazine (a trade publication) and Barnes studies (published in February 2014) back up our contention that a combination of a) a better value proposition for end users from interactive wireless and verifiable systems, even though they pay more monthly, b) the advertising and marketing from cable and telecom companies, and c) the general “buzz” created by Google/Nest and new, cool do-it-yourself systems in the news has already started to generate increased awareness and acceptance of the better premises control systems available.

Between 1990 and 2007, penetration of U.S. homes from mainly security (and a few high end home automation systems), increased from about 5% to nearly 20%. This was due mainly to a dramatic fall in equipment prices and to the digital switch, which multiplied by a factor of 10x, then 50x the number of accounts that could be serviced by the same monitoring personnel. The adoption of a business model in the early 90s that entailed the subsidization of the upfront cost of a system by virtue of the customer signing a longer term service and monitoring agreement additionally increased adoption rates.

However, since 2008, penetration in the U.S. by security systems has been flat. This is due to the lack of any improvement in the value proposition of old, POTS-line based security systems, and to some extent, the recession of 2008-2010.

Companies like Alarm.com and iControl changed this equation with software platforms that allowed a major technology and functionality step-up. The data seen coming from the leading companies in the security industry, the increase in marketing and awareness coming from the cable and telecom newcomers to home security, and the “buzz factor” we mentioned above, back up our contention that the overall penetration of U.S. homes for some form of wireless interactive home service is going to increase dramatically over the next seven years, providing significant growth for several sectors, and a huge challenge for smaller, undercapitalized security companies.

As depicted below in Figure 13, Imperial Capital estimates that the market for home services, currently mainly centered around security, is going to broaden in scope and in size over the next seven years. We estimate that there are currently 25 million homes using some form of home services, nearly all security, including several hundred thousand home automation systems, and several hundred thousand do-it-yourself (DIY) home monitoring systems.

If we define home automation more broadly as a wireless connected service within the Security industry, then our estimate of several hundred thousand home automation services would actually be closer to, and likely above, 3 million customers.

Within the security industry, the Top 30 SDM residential companies currently represent about 12 million, or 48%, of the 25 million homes with systems. We note that there could also be several hundred thousand non-monitored and self-monitored DIY systems, many of which may not really be in active use. The remaining 52% of homes use one of thousands of small, local security companies, most of them still selling nearly 100% of their systems based on hard telephone lines, and focused solely on intrusion.

Over the next seven years we believe that the overall home services industry, meaning using some form of home services, not necessarily security, will expand to 50 million to 51 million. That is about a 10.5% compound annual growth rate (CAGR). That includes these changes from today’s $25 million home services “pie”:


Cable and telecom companies grew from 1-2% (300,000 systems) to 43% of the market (22-25 million homes). Admittedly this is a very aggressive number of a larger universe of users than several other consultants have published (e.g., ABI Research projects a smaller market in six years than we do (see Figure 14), but also a smaller percentage of the business going purely to cable and telcos than we do). In addition, this number could be impacted in many unpredictable ways by the entrance of Google (e.g., the acquisition of Nest Labs and the emergence of fiber optics capabilities).

Top 30 residential security companies (including Vivint in this category) growing from 11-12 million to 16-17 million homes (4-6% CAGR), with certain companies growing faster, offsetting slower growth by ADT, which due to its 6.4 million existing subs simply cannot grow net new subscribers that fast in percentage terms. However, this does not mean that ADT would not make a significant contribution to the growth of the industry, if they grow at a rate of 2-3%, simply because of their size relative to their direct competitors.

Home automation only and DIY device companies are growing from 500,000 homes to 3 million homes, a 30% CAGR.

The smaller security monitoring companies fell to 8 million from 13 million homes serviced. And in this sector, we may be too optimistic, depending on the amount of consolidation, competition from new entrants, etc.

Figure 13: Home Services Market 2013—25 Million Homes

Sources: Imperial Capital, LLC.

Figure 14: Home Services Market 2020E—50-51 Million Homes

Sources: Imperial Capital, LLC.


° The acquisition of Nest by Google signals some positives and some challenges for existing companies throughout the residential device and services spectrum

In this Security Monitor, we seek to expand on the list of public and private companies who may benefit from the broadening awareness through marketing, M&A, and technology “step-ups,” coming nearly every year.

We would also refer readers to our deep domain expertise in this sector, including the residential section on another White Paper, “Securing the Smart Grid” section in our Security Industry Monitor published in August 2011, as well as our White Paper, “Smart Grid Security Technology and Next Gen Premise Services,” dated October 2011, to gain a more balanced view of how small and large companies connected with the smart grid are restructuring their business to serve and protect grid data in an increasingly interconnected, networked—and hacked—world.

Figure 15: Home Automation Capabilities

Sources: Alarm.com.

Home Services: Who Will Benefit and Who Will Be Challenged by the Google-Nest Transaction?

Clearest Likely Beneficiaries

In this publication, we focus on the public and private companies who are most likely to benefit from unavoidable acceleration in connected home services posed by the Google acquisition of Nest. Of the public companies, we see Control4 as a potential beneficiary in interoperable home services. Echelon, Itron, and to a lesser extent, Silver Spring Networks (a smaller part of their business) will be “connected home” energy beneficiaries. Nexia is a DIY home automation system from Ingersoll Rand, which is built around a central control module, and allows Zigbee-based hook ups with over 200 affiliated devices.


Privately held Vivint is creating what we believe could be a new standard in vertically integrated, subscription-based home automation services (“Vivint SkyControl”), with its own control interface, its own platform, some of its own devices, and software development kits (SDKs) for an increasing line-up of app writers who want to take advantage of the company’s 700,000 subscribers.

Alarm.com and iControl Networks have been and remain from our past publications the best known companies providing interactive wireless software platforms to the security and cable-telecom industries. However, several lesser known companies, such as The Essence Group (Israel), SecureNet Technologies, and RSI/Videofied (France/U.S.), also provide home automation platforms and/or devices that are integral parts of home services platforms. These companies will bear increased responsibility and increased value as their security and cable/telco clients ask for more and improved home services applications.

Service Companies That Will Benefit from the Emergence of New Home Automation Platforms

Among the leading security companies in this “would-be beneficiaries” category are ADT Corp. (ADT), Securitas Direct in Europe (SECUB-SK, debt), Vivint, Ascent Capital Group (ASCMA), and Protection One (private), and other leading regional alarm companies. We believe that with recent trade publication surveys predicting 10-14% residential revenue growth for 2014, some of the turmoil and moving around in the real estate market has calmed down and homeowners observe how they can make their homes more secure and more in line with their lifestyles.

Among the leading cable, satellite and telecom competitors in the sector are AT&T (T), Comcast/xfinity (CMCSA), Time Warner Cable (TWC), Cox Communications (private), Rogers Communications (RCI/B), Verizon Communications (VZ), and DirecTV (DTV). We expect these companies, currently with about 400,000-500,000 home services subscribers, to gain another 20 million new subscribers using some form of home service system by 2020. One caveat for the cable companies is the emergence of Google as a potential force in disrupting the “triple play.” Google has laid fiber with very high throughput speeds in three cities so far—Austin, Texas, Provo, Utah, and Kansas City, Missouri. Google has enumerated 35 more cities where it intends to lay fiber and compete for Internet services.

In addition, we would include two home device manufacturers that have new offerings in the market, but still very large legacy production they must support: Honeywell (HON) (despite its late, but growing home services platform business in “Total Connect”), and Nortek’s (NTK) Linear equipment division, including its acquisition of 2GIG.

We would note that in December 2011, Tyco International acquired Visonic Ltd, an Israeli company that develops cutting edge IP and cellular electronic security solutions. This includes a) “PowerMax” connectivity options for broadband and/or GSM/GPRS communications which enable uninterrupted data transfer (via frequency spread spectrum technology) in the event of link interference or failure, and b) advanced personal emergency response equipment and systems that are also used with the “PowerMax” communications technology.

° What are the criteria that we see for beneficiaries and those challenged in this future?

Legacy manufacturers of control components for the home are at risk. We have been noodling around with a Nest thermostat, as well as a Canary DIY security system for a number of months, and have found that they are easy to install, easy to use, even friendly in some ways, and provide feedback and future functioning based on past use patterns. These new devices will surely disintermediate older, harder-to-use home devices, even though they may function just as well as the newcomers.


However, there are still life-safety response, monitoring and service requirements that we see in both police and medical response that go beyond current capabilities of friendly, smart products, and a trust factor behind the use of those services with regard to security and medical needs that still makes the internet a very uncertain place to be. We disagree with media articles and market surveys that overlook the importance of verifiable professional response for the premises.

With that, we provide our current list of potential beneficiaries and those that are challenged in this environment. This list is ever evolving, as new products, services and technologies are both introduced and put to sleep.

° Cable and Telco Marketing in Wireless Interactive Homeservices is Creating an “Awareness Wave”

In our opinion, the attitude of the larger residential “RMR” companies was quite upbeat relative to their current competitive position for wireless interactive lifesafety-fire-personal emergency response services for residential users. We believe these leading residential alarm companies are not living in an being overly optimistic. News of personnel moves in the security divisions of cable companies, the recent “unbundling” of lifesafety services from core home services packages by large cable and telcos from the core of the package to an option, and the dedicated security industry’s better-than-expected growth (8% as noted in a presentation by the editor of SDM Magazine) all underscore to us the sustainability of the dedicated business for those largest companies. We continue to believe the many small, undercapitalized alarm dealers, who make up 80% of the companies (though less than 25% of the revenues), remain at severe risk of disintermediation by cable and telco competition.

We continue to estimate that dedicated security monitoring companies will garner 6-7 million of the 25-32 million new home systems estimated to be installed over the next 6-7 years.

Home Automation and Energy Control Companies

Companies that provide software and equipment that make it easier for the residential end user to monitor and control their premises, similar to Nest, will have an easier time convincing investors of their ability to move rapidly with changes in the market. In particular, we believe technologies that manage home energy consumption will be in the spotlight.

° Publicly-Held Companies Providing Home Services

In the integrated home, there are already companies pushing easier-to-use technology in smart grid lighting and electricity, as well as overall home services. Vivint developed its own gateway, platform, and critical devices (platform will accommodate outside devices) that could potentially generate very high monthly average revenue per user (ARPU). Control4 systems, sold by a network of integrator/dealers developed the control architectures and hardware technology that bring smart capabilities to a range of products, from audio-visual systems to kitchen technology.

° Control4 Corp (CTRL)

The company is the market leader and the first pure play publicly traded home automation company in the U.S. with a fully integrated offering. Its intent is to deliver an affordable way to control and automate lighting, music, video, security, and energy, in a single room or throughout the home or business. CTRL has installed more than 135,000 homes and boasts a dealer base of over 3,000 in more than 80 countries. CTRL’s model provides an advantage over its competitors who typically use an approach that is less customized for the client, and is much harder to turn into a long-term relationship. A key to Control4’s integration capabilities and its attraction to dealers is its “Simple Device Discovery Protocol” (SDDP) in which leading consumer electronic brands integrate Control4 SDDP into projectors, Blu-ray players, flat panel TVs, audio/video receivers, and a variety of other wired and wireless devices.

Dealers add these devices to a Control4 system and the controller automatically recognizes them. If the dealer chooses to include the device, then the correct driver is automatically added to the project and the device is installed. The company is, as of now, one of the few outside partners with Nest, due to its integration capabilities, among other factors. Control4’s stock is up by about 43% since the Google-Nest announcement on January 1, 2014.

Figure 16: Control4 Panel

Sources: centralintegration.net.

Nexia Home Intelligence

Nexia remained with Ingersoll Rand and was not part of the spin-off with Allegion. Nexia’s home automation offering is based around its “Nexia Bridge,” which serves as the home automation controller. It actually looks like a router and works like one, too. The system uses the Z-Wave communications protocol. It is just a matter of plugging into a home network, telling it which compatible devices you want it to communicate with over the wireless network, and then using Nexia's Web site and smartphone app to control them however you see fit. There are nearly 300 Nexia-compatible devices currently available for purchase from a variety of manufacturers, including, not surprisingly, Ingersoll Rand and Allegion. This also includes Schlage locks and cameras, Trane thermostats, light dimmers, and motion detectors.

The most impressive aspect of the Nexia system is its Website, which functions as a true home automation power station. The site is very sophisticated, given its simplicity to use and the scope of its capabilities with hundreds of devices. The devices can all be purchased on the website.

The issue with many users and reviewers of the Nexia Home Intelligence systems is that for what is essentially a self-monitored DIY system, in addition to the cost of the Nexia Bridge, there is a $10 monthly fee. There is no independent monitoring option for the system, which we always prefer, and for which there should be a charge. This is one of the conundrums that nearly all home automation systems, whether truly automated and integrated like Control4 or via a Z-Wave “router” like Nexia, face. There is a segment of the population who want a verified security aspect to their system, which they are willing to pay a monthly fee for; however, incorporating a monthly fee into a system that is essentially sold, is an issue that will continue to appear in the future.


Digimarc Corporation (DMRC) based in Beaverton, OR, provides media identification and management solutions to commercial entities and government customers. It develops and patents intellectual property to differentiate products and technologies, mitigate infringement risk, and develop opportunities for licensing. The company’s patents relate to various methods for embedding and detecting digital information in video, audio, images, and printed materials, whether the content is rendered in analog or digital formats. Imperceptible to human senses, Digimarc’s digital watermarking technology allows users to embed digital information into audio, images, video and printed materials in a way that is persistent, imperceptible and easily detected by computers and digital devices.

We are particularly interested in Digimarc’s “Discover” application, where smartphones can instantly see, hear and engage with all forms of media while connecting users to interactive experiences via a smart phone from home. Digimarc® Discover uses multiple content identification technologies–digital watermarking for print and audio plus QR code and barcode detection–to give mobile devices the ability to see, hear and engage with all forms of media.

How “Discover” works: One points a mobile device at a Digimarc-enabled advertisement, article, package, retail sign, television or radio commercial to trigger brand-defined mobile experiences. “Discover” offers a new means of visual and audio search, delivering a broad swath of media experiences and capabilities on the computing devices we carry with us 24/7–our smartphones.

° Napco Security Technologies

About one year ago, NAPCO Security Technologies, Inc. (NSSC-7), security equipment provider to midsize and smaller commercial and residential dealers (with about $70 million in revenues), launched iBridge Connected Home solutions. This SaaS-based system of products enables consumers to remotely control and schedule:

° Security
° Thermostats
° Lighting
° Small appliances
° Motion/occupancy sensing
° Video cameras and recorders
° Door locks

Additionally, text, email and video notifications are sent to users and notify them of any important status conditions or events. All of this utility is controlled by the consumer using free NAPCO proprietary apps, via a smartphone, tablet or an internet-connected PC. New activations of the iBridge Connected Home have, from a small base, grown sequentially 62% and 45% for the three months ended September 30, 2013 and December 31, 2013, respectively.

° Energy Management Companies

As we have stated in our previously noted publications, smart grid companies including Silver Spring Networks (SSNI), and private companies such as Sensus and CEIVA Energy are likely to see rising interest in the capabilities of their technology to communicate into the home, which should start unlocking the potential of smart grid. In 2009, Silver Spring acquired GreenBox Technologies, a home-energy management-and-automation company, in order to bolster its information software capabilities in the home.

32 March 2014

Security Industry Monitor Physical Security Sector

NIST seeks increased funding for securing cyber-physical systems in “Smart Homes”

As we noted in our January 2014 white paper, “Home Automation: The Players in Post Google-Nest Environment,” a new generation of smart systems that network with previously stand-alone devices (e.g. thermostat, refrigerator, or smart meter) also brings the potential for new cyber attacks.

In newly released details of the agency's budget proposal for the coming year, published on March 17, 2014 by “Fierce Government,” NIST says it needs $18.8 million to study "cyber-physical systems," with $5 million of that dedicated to improving their security.

Recent security improvements to purely digital systems haven't been widely adopted in the physical systems world, both for want of perceived threats and because of the performance degradation that measures such as default encryption cause.

NIST says it intends to develop lightweight encryption and trustworthy networking and distributed control networking protocols that could be implemented on an industrial scale.

Cyber-physical systems "have the potential to change every aspect of life," NIST says, pointing to likely applications such as the smart electricity grid, intelligent buildings and highway systems studded with sensors for managing traffic.

In all, NIST is requesting $928.3 million in discretionary spending, $693.7 million for scientific and technical research and services, $174.5 million for industrial technology services, and $60 million for research facility construction.

Privately Held Companies Best Positioned for Home Automation in the Security Industry

Vivint’s New Home Automation System: Vertically integrated, “Warm & Fuzzy,”—And All its Own

Vivint has been playing it low key lately, and for a good reason—they may be taking home subscription-based home automation to a new level. The company this year will introduce a new vertically integrated gateway, and what we can only define as a true home automation system with its own “warm, human” control box, into the cloud. The new Vivint system (Vivint SkyControl), to be introduced during summer of 2014, will include a cloud-based package that learns (like NEST) its users’ preferences and habits, only over an entire menu of sensors and apps. The bundle will include Voice Over IP (VOIP), geolocation, as well as Siri-like voice interaction, if desired, so that in addition to a menu of applications there will be greater “human” interaction with the apps as well.

Vivint will still support its 700,000 users on the Alarm.com platform, as well as its 2GiG panel users, but new systems going forward will include the company’s own platform and controller. By becoming vertically integrated, a risky move to some, yet opening up its system enough to provide SDKs to developers, the company hopes to create its own ecosystem and better control its own appearance and relationship with end users. Vivint executives believe there is real value in designing a system from the sensor on up to the cloud. They believe they will now have the flexibility to move into other premises functions beyond “home automation” which could bring the company “closer” to its customers, further increase their base and the stickiness of the base. The platform is scalable to millions of customers.

As we see it, the new Vivint systems will have unusual intelligence in being able to understand patterns of occupancy and patterns of heating, ventilation, and air conditioning (HVAC) use, via its own analytics. The system will include its own digital video recorder (DVR) in the panel, and the panel will include some of the anti-“smash & crash” prevention software that has made Alarm.com so desirable.


Figure 17: Vivint Panel

Sources: Vivint, Inc.

Independent Homeservices Platform Leaders

Several companies provide the communications and functionality for interactive wireless solutions to both the dedicated security monitoring industry as well as to cable and telecom companies. The most prominent of these are Alarm.com, iControl Networks, and the Essence Group. These companies’ value to their end users (monitoring companies to cable/telco’s) will only increase as their clients clamor to add more services and a better value proposition.

° Alarm.com

Alarm.com, based in Vienna, VA, virtually created interactive wireless security and continues to impress with some of the most advanced, first-to-market solutions. While security companies can debate how much value, relative to the monitoring function itself, Alarm.com deserves out of each payment that providers receive from their customers, there is no doubt many would not be in business today were it not for Alarm.com. As the value proposition of connected devices in the home changes rapidly, security companies need a partner that can move as fast as or faster than the market. Alarm.com’s litany of wireless services includes interactive security, video monitoring, energy management, and home automation through a connected platform and accessed through easy-to-use mobile apps.

Alarm.com is already well ensconced in connecting devices in what Google and others define as the IoT space. The company effectively creates subscribers to the IoT space through its relationships with security companies to the extent that we do not know of very many companies anywhere that help create the types of interconnected clients that Google talks about with Nest. Alarm.com is not tied to, nor locked out of the DIY market, so that if Canary Security (or Apple for that matter) needs to at least offer the option of enhanced monitoring services to its young, hip users, it has a company in Alarm.com with the software to provide that.


° iControl Networks

iControl is similar in some ways to Alarm.com, but with some stark differences (the proprietary panel, the communications protocols, the customer interface, and the client base of mainly cable and telecom companies, along with ADT). The current formation of the company was created out of the merger of uControl, a primarily ZigBee-based home automation communication platform, with iControl (Z-wave). The company offers a wide range of services in interactive home security (including remote video, touch screen, web/mobile access, email/text alerts), energy management (smart meter demand response, real time monitoring, energy efficiency), home health care (activity monitoring, heart rate, blood pressure, emergency aids, and medication schedules), and other related offerings.

In November 2013, iControl introduced in Europe “iControl Touchstone,” a self-installable, self-managed, and self-monitored smart home solution, for resale by broadband service providers.

° The Essence Group

Established in 1994, privately held Essence Group (based in Herzliya, Israel), is a leading provider of wireless-based systems for residential & business applications with over 12 million devices deployed globally. The company has its greatest strength in Europe, and includes being a key platform and device provider for the “Verisure” system of Securitas Direct, the leading residential security services company in Europe. Essence also provides systems to Gulfstream Security, the largest privatized security monitoring company in Russia. A close Israeli competitor to Essence historically, particularly in its device and communications technologies has been Visonic, now a subsidiary of Tyco International.

The Essence portfolio provides tools to access various market fields, among them:

° Security Monitoring
° Home & Family Monitoring
° Healthcare Monitoring
° Home Energy Management (HEM)

Similar to Alarm.com, iControl offers a long menu of services up to its dealer and multiple-system operator (MSO) clients. A difference between Essence and iControl, and Alarm.com, apart from communication protocols, and with whom they go to market, is that both Essence and iControl manufacture devices (from panels to sensors) for their clients, while Alarm.com is primarily a software company and is currently hardware agnostic.

Other Selected Home Service Providers

° RSI/Videofied

RSI, based out of Strasbourg, France, has been specializing in wireless video applications for 20 years and has over one million installations of its products. For the last eight years, our focus of interest in this company has been its Videofied offering in the U.S., based in suburban Minneapolis, Minnesota. Videofied is a complete video alarm system that sends a short video clip with the alarm notification to the central station for immediate review. Videofied links the video with the central station; DIY self-surveillance does not. A monitored video alarm delivers quicker police dispatch. Videofied includes an interactive smartphone app that provides remote arming/disarming and Look-in request.

Videofied panels always transmit to a professionally staffed 24-hour monitoring center to provide customers with full-time security, not self-protected security without any response. Customers are notified only when human activity has been confirmed, not for non-emergencies.

° SecureNet Technologies

SecureNet, based in central Florida, has been successful in combining life-safety security intrusion monitoring with many levels of video from very simple to high-end, and for both home and business at a reasonable cost. The company’s best home surveillance systems feature a DVR feature, so one can save surveillance footage (highly unusual for this price level) which can serve as a deterrent and make it easier to identify and prosecute a suspect. For small-and-medium businesses, SecureNet also integrates specialty cameras, such as infrared, all types of monitors, including liquid crystal display (LCD), flat panel, and touch-screen, which can be viewed on a web browser at home, to SecureNet’s professional monitoring station.

Security Dealer Revenues Accelerate for First Time since 2008

There is a great deal of scrutiny focused on subscriber growth and RMR/revenue growth in the monitored security industry. Much of this can be attributed to articles, analyst reports, and public relations announcements from cable and telco companies, that this is where the threat of disintermediation for security, fire and personal emergency response will begin. Almost nowhere do we see such articles and analyst reports on the quality of training, systems, and 10-30 second response in the monitoring station by “five diamond” and UL-certified personnel and systems that save people’s lives (and create very loyal and long customer lives).

After five years of essentially flat revenues for the entire channel, both commercial and residential, along with no increase in U.S. homeowner penetration by the residential channel in particular, it was a relatively easy conclusion to make from the outside that future growth in the sector will be generated by the larger cable and telco providers, as well as “new age” self-monitored devices, like the strongly promoted Canary Security offering. Investors or reporters outside the security industry may not realize that an RSI/Videofied unit can do just about anything that a Canary unit can do, except that it is also used for verifying images and sensor trips for the monitoring station and the police, not just for observation by the end user on a smart phone.

The Security dealer channel actually exceeded internal industry expectations for just one or two percent revenue growth in 2013, with the SDM Subscriber Market Forecast Study showing 9.9% growth for respondents for 2013 to about $47.9 billion.

Total dealer industry channel revenue is defined as total revenue from the sale, lease, installation, service and monitoring of security systems. It includes both commercial and residential revenues. (Under a new SDM methodology, 2013 is being reclassified at $59.9 billion.) The forecast for 2014 is for a 12% increase in industry revenues to $67.1 billion.

In 2013 about:

° 51% of industry revenues were related to commercial activities
° 31% of revenues were residential
° 18% divided among various services and maintenance (not specified)


It is not surprising that in the commercial security monitoring area, the SDM subscriber base expects the Educational Institutional area as its greatest rate of revenue growth in 2014, moving from 11% in 2013 to 21% in 2014, far outpacing Commercial office space which falls from 26% to 16%.

In the residential security market, even though 47% (consistent with previous years) believe that “middle income” homes will be the largest market, it is noteworthy that “new construction” showed the greatest movement either way, with 18% expecting it to be the largest market, compared with 13% a year ago, according to the 2014 SDM Magazine survey of security executives.

The SDM Forecast Study attributes part of the new-found growth to the amount of advertising and marketing being done by newer entrants, such as Comcast and AT&T.

° Barnes Associates Survey Results

The Barnes Associates Survey, presented at the Barnes Buchanan Conference in February 2014, came up with slightly different industry numbers, though they were based on some of the information generated by SDM. We would note that the estimate of the size of the un-surveyed companies by Barnes was 49% of the market, which he estimated to be growing at 9%.

According to Barnes, total security industry revenues of surveyed companies rose 5% year over year to $45.8 billion (the un-surveyed companies rose an estimated 9%).

° The SDM 100 (top 100 companies) grew 7%, as larger companies were able to increase wireless interactive service revenues faster
° Monitoring & service revenue up 9% to $21.2 billion. Monitoring & service rose to 46.3% of total revenue from 44.5% in 2012.
° Sales and installation grew 2% to $24.5 billion in 2013, the first increase since 2008.
° Independent (“wholesale”) monitoring services grew 19%, helped by contracts from personal emergency response companies and telco and cable companies (source: Security Systems News and CSAA Contract Monitoring Council).
° Non-monitoring services as a percentage of total RMR, down 10bp year over year, as monitoring pricing increases margin on monitoring & service, down 6bp to 54.1%, the result of a surge in cellular hookups, which currently carry lower margins, as well as new video, personal emergency response, new cloud and managed services, are all added to what had been a simple mix of basic monitoring and service agreements.

The current size of the all-combined telco and cable accounts is estimated by Barnes to be about 400,000-500,000 accounts, and an estimated $8-20 million of RMR. Based on this data, the market percentage is something between 1-2%. Most of those gains have come from existing cable/telco customers, and from small, POTS-line based local security companies.

The cable and telco companies’ end-of-year rate of gross additions is estimated to be about 15,000-30,000 accounts per month, which would add about $600,000-$1.2 million of RMR per month.

The gross attrition rate decreased 10bp to 11.8%, but this number is deceptive. Although the top 10 providers with national or super-regional basis (some not in the Barnes survey) all increased due to an increase in movers, the movers constitute 45% of gross attrition, up from 43% in 2012, while financial reasons dropped to 28% from 31% as the reason for attrition. This shift to “movers” in attrition is unprecedented, and highly unlikely to be sustained.


The 2013 creation multiple rose to 29.2% from 28.5%, mainly due to the increase in more costly interactive cellular systems. It was noted that the creation multiple had stopped going up for a select group of companies whose percentage of accounts using wireless interactive accounts had surpassed 60-70%.

The net internal RMR growth rate rose to 9% in 2013 from 8% growth in 2012.

Figure 18: 2013 Transaction RMR Multiples for Companies in the Above RMR Ranges

RMR Range             Transaction RMR Multiple
Less than $50,000     35.1x
$50K-$100K            38.4x
$100K-$500K           39.7x
Over $500,000         47.1x

Sources: Imperial Capital, LLC.

Historical Trading Range Based on Steady State Cash Flow

Engaging in the “good fight” for metrics that properly describe the efficacy and value of a residential alarm monitoring company trading in the public markets has not been easy. In our previous discussions, we have described key performance indicators (KPIs) that have been used over the last 15 years by senior lenders and private equity firms to value security services companies built around recurring revenue. While there are serious “real world” and “forward growth” flaws in using steady state net operating cash flow (SSNOCF) as the only metric in judging the value of a public or private alarm monitoring company, many believe it is one of the best indicators of quality and margin in a security monitoring company’s primary business: monitoring and service. We also use three key performance metrics against the peer group, and EV/RMR as a “sanity check”. The quality of the monitoring and service business is usually a good indicator of how the rest of the company—the creation side—pans out.

After years of education and use by lenders and private equity firms, operating executives as well as private equity financial owners have turned to SSNOCF, along with IRRs (levered and unlevered), as the best predictable measure of a company’s valuation, relegating the older metrics, such as simple RMR or the very unreliable EBITDA variants, to secondary status. There simply is a much tighter bell curve for SSNOCF valuations for quality transactions, indicating that buyers and their advisors are now solving for that metric first. This is underlined by the fact that senior lenders generally look at the recurring monitoring revenue as an asset (not as simple cash flow), and are willing to lend against that asset.

For example, while RMR valuations for selected transactions from 2003-2012 have ranged from 25-70x, and EBITDA valuations for these transactions have also been spread out 6.3–13.5x, SSNOCF values for the same transactions have typically remained in a much tighter 10–14x valuation range. In addition, private equity buyers have guided toward a mid-teens hurdle rate for unlevered IRRs in their investment considerations for these recurring revenue security companies.


The Emergence of Smart Locks (Part II)

(See Part 1 in our September 2013 Monitor)

Mobile Security and School Tragedies Driving Growth in Commercial/Institutional Wireless Locks that Connect to Network and Access Control

In our September 2013 Security Monitor, we profiled Assa Abloy’s Hi-O, Aperio, and Seos wireless systems. In this edition, we profile Allegion’s “aptiQ” two-way interactive system for connecting cards, readers and locking devices.

The locking and access business is misleadingly perceived as a very sleepy but steady business made up almost entirely of mechanical and sometimes electro-mechanical locks. This business is changing rapidly, and Imperial Capital estimates (see our September 2013 Security Monitor) that electro-mechanical, electronic and wireless access and locking devices will take over 50% of new sales by 2016. Allegion is at the forefront of this technology change. Perhaps the most underrated area of growth in security that we have seen at security trade shows and seminars in 2013 has been what we consider to be the replacement of legacy mechanical and electro-mechanical locks, and the movement toward networked locks that can allow encrypted card access, allow privileges inside, can be shut down for emergencies almost immediately, and can provide what is, to use an overused phrase, “actionable intelligence” to those who are in charge of a premises, not just the security personnel. At the heart of these new smart, electronic locking systems is a short-distance encrypted wireless communication protocol linked to an online electronic access control system, such as Assa Abloy’s HID Global, or Tyco’s Software House. In many cases, these locks look almost identical to the commercial/industrial locks they are replacing, and again, in many cases, may be the very same brand.

We believe that the market for “smart locks” that are either wireless or hardwired to an enterprise’s or institution’s network will be able to increase overall organic growth in the lock area by 1-2% over the next two years, through both remodeling of existing facilities and/or new construction. These functions range from working with the access control system, including smart cards and, prospectively, NFC and low-energy Bluetooth-enabled phones, to assisting with premises entry, permissions within the building, and internal access, once the permissions level of the authentication is encoded into the card or key. Access and permission levels can be remotely given and revoked, and remotely changed via the system. One of the hurdles that wireless locks have had to overcome is the conservation of battery power, and making the locks smarter to “wake up” instantly, but only when signaled. This has been a big industry move ahead.

It is critical to be able to “wake up” an electronic lock to do something (lock or unlock) in a very short period of time. Allegion PLC, the $2 billion Security business that Ingersoll Rand is spinning off, includes the well-known Schlage brand of locks and other access control products. Allegion’s and Schlage’s single biggest growth area and its biggest single market for interactive, wireless locks is the educational institution market, currently nearly a third of Allegion sales. Allegion’s “aptiQ” (pronounced: ap-teeck) contactless smart card credentials provide a two-way dialog between the card and reader instead of just reading a proximity card serial number. The cards are used in conjunction with an entire ecosystem of Allegion and partner products, which provide on-line, real time lock controls that can be changed or upgraded without replacing the entire lock—as we were shown at the show. Other brands in the Allegion portfolio include most notably Von Duprin, CISA, LCN, Interflex, Briton, Bricard, BOCOM Systems, Dexter, Kryptonite, Falcon, and Fusion Hardware Group.


aptiQ: Allegion’s Platform for Connecting Wireless Systems

aptiQ is a group of Allegion technologies (mainly readers right now) built around a short-distance, wireless communication protocol, designed to link with an online electronic access system with aptiQ-enabled locks and devices. aptiQ allows for online access control and management, increasing both security and controllability. aptiQ is able to integrate with most wireless units and systems, regardless of the manufacturer, because it has been developed around an open standard. Each of these readers handles all applicable ISO standards (14443A, 14443B, 15693), is FIPS 201-1 compliant (for government agency and GSA listing) and is versatile enough to read 125 kHz proximity and 13.56 MHz contactless smart cards. They are not yet FIPS 201-2 compliant, which is the latest standard in government access control technology, but we expect them to be soon.

The aptiQ Alliance Program is a group of leading companies coming together in tandem with Allegion to create an ecosystem of applications that support aptiQ smart card technology. The Alliance consists of global companies that are using an open architecture smart card technology which extends the use of an access control card or near field communications (NFC) enabled smart phone credential to an increasing number of applications. These global companies’ end users will learn how they can better leverage smart credentials to build out an increasing number of solutions available to them.

Such partners as Matrix Systems (a leading physical access control provider), Access Smart (cyber authentication and network access), Gemalto (leading dual technology credentials), BadgePass (badge printing and smart cards), CBORD (cashless payment), Heartland Campus Solutions (one of many college campus providers using aptiQ cashless payment), Mobile Security Solutions, Nedap (RFID and long-range ID), TagMaster (standards-based long-range identification), and XID (biometric facial readers) all create an ecosystem of adjacent solutions. While just a small slice of the aptiQ Alliance, all these companies provide vertical market product suites or manufacture ancillary products that can be bundled as part of an overall smart solution.

aptiQ field devices report to a wireless receiver, called a hub. The hub is mounted in the ceiling or on the wall, and handles all control functions for the door.

aptiQ appears to be the major platform for Allegion to migrate its installed base from wired to networked and wireless. The technology is fully compatible with RFID and other contactless credential technologies, so, in most cases, there is no need to change a user’s credentials–the user can just use an existing card. Doors and locking systems do not need to be changed out, only upgraded with aptiQ-enabled products.

For example, the aptiQ multi-technology reader, which reads both proximity and smart credentials, now also reads magnetic stripe cards to provide users with a simple migration path to increased credential security levels, including various forms of proximity contactless card industry standards (MIFARE Classic, and MIFARE DESFire EV1, which opens up global standards for both air interface and cryptographic methods). The readers are also Near Field Communications.


Allegion plc Settles into Life as An Independent Public Company

Allegion plc, formerly a business within the Ingersoll Rand Security Technologies Group, was spun-out as a public company in December 2013. As part of the locking, access control industry, and with a presence in the Identity Solutions market, Allegion competes in multiple product areas.

Allegion is a market leader in door exit devices in North America, where it competes with Stanley Black & Decker, Assa Abloy, Spectrum Brands, Fortune Brands, and DORMA. In Germany, where Allegion has the second largest market share in the workforce management category, KABA Holding and Primion are the main competitors. Within systems integration video analytics in Asia, where Allegion has the third largest market share, it competes with CSST and China Telecom.

U.S. Lock Market

Within the U.S. lock market, Assa Abloy and Allegion hold the number one and number two market shares, respectively. Between these two competitors, Allegion has the higher operating margins. Allegion also faces less competitive pressure within the door openers and closers business. Stanley Black & Decker and Assa Abloy have stronger competitive positions in doors than does Allegion, which has developed a patented geometrically flexible (in its locking points) door, where fixed points are no longer needed, a significant advantage for servicing doors even after years of building and door entrance shift. Allegion expects that its most intense competition will be in locks.

Within Europe, where Allegion competes with Assa Abloy and Kaba Holding, Allegion’s position based on revenue from its security products is ranked first in Italy, second in France, and third in the U.K. In Europe, where Allegion’s operating margins are very low, improving under-absorbed capacity, competing in geographic sectors where it can win, acquisitions, rationalization in weak areas, and changing a culture to where the brands cooperate more on “Allegion” projects are all important milestones for the company.

Allegion is growing its acquisition pipeline and management has already completed two small transactions and future acquisitions will be logical bolt-ons, including locks, exits, closers, and doors.


M&A Review and Outlook

° M&A activity in the Physical Security Product sector was relatively strong during the second half of 2013, with both the Physical Security Services and Products sectors experiencing year-over-year rebounds.

With the convergence of IT and Physical Security and the intersection of defense and security continuing to drive value in the Physical Security sector, deal volume trended upward through 2011. The M&A activity in 2012 moderated in the physical security sector, which corresponds to the overall slowdown in M&A activity resulting from the European Credit Crisis and the Fiscal Cliff in the U.S. The first half of 2013 saw slow M&A activity because the valuations went up, but buyers became much more active in the second portion of the year.

Figure 19: M&A Transactions in the Physical Security Sector, Fourth Quarter 2010 to Fourth Quarter 2013

[Bar chart: number of M&A transactions per quarter, Q4 2010 through Q4 2013; series: Physical Security Services and Physical Security Products; vertical axis from 0 to 50.]

Sources: Imperial Capital, LLC and Capital IQ.

Notable Middle Market Transactions

The market for M&As in the fourth quarter of 2013 was again strong like the preceding quarter and year over period.

° ADT announced the acquisition of Devcon Security Services, Corp.

On July 30, 2013, The ADT Corporation entered into a definitive agreement to acquire Devcon Security Systems from Golden Gate Capital for approximately $150 million in cash. The deal was completed on August 2, 2013 and gave Devcon Security Services, Corp. an implied enterprise value of $148.5 million.

Imperial Capital acted as the financial advisor for Devcon on the deal.

° Securadyne Systems, LLC agreed to acquire Advanced Control Concepts, Inc.

On September 4, 2013, Securadyne Systems announced the acquisition of Advanced Control Concepts, an integration firm that offers managed electronic security solutions with risk mitigation and business process improvement services. Details of the transaction have not yet been disclosed.


° Assurant Specialty Property acquired Field Asset Services

On September 30, 2013, Assurant, Inc. acquired Field Asset Services, a provider of property preservation and REO asset management services, for $55 million.

° Assa Abloy agreed to buy U.S. fence maker Ameristar Fence

On October 1, 2013 Assa Abloy, the Swedish company that is the world's biggest lock maker by sales, agreed to buy Ameristar Fence for an undisclosed amount.

° Securitas AB bought South African companies Rentsec and Vamsa for $9 million

On October 21, 2013, Securitas AB announced that it acquired the security solutions companies Rentsec and Vamsa in South Africa. The two companies, having the same owners, work closely together focusing on remote video surveillance as well as a range of advanced security technology applications specifically suited for the South African and the regional market.

° Atkins agreed to acquire US based nuclear business Nuclear Safety Associates

On November 19, 2013, WS Atkins plc announced it acquired the 130 person engineering and technical services firm, Nuclear Safety Associates. The target focuses on nuclear safety, design engineering, and professional security services.

° Kastle Systems International bought business segments from The ADT Corp.

On November 22, 2013, Kastle Systems International added 4,000 customer sites and a new, highly specialized UL-listed Five Diamond central station in New York City with the November 21, 2013 acquisition of Mutual Central Alarm Services and Stat-Land Security Systems from ADT.

Imperial Capital acted as the financial advisor to ADT on the deal.

° Convergint Technologies announced it bought Acme Future Security Controls

On December 9, 2013 Convergint Technologies, a systems integrator backed by KRG Capital Partners, said it acquired Acme Future Security Controls Inc., a provider of physical security systems and services in Eastern Canada.

° InnovAntennas acquired Force 12 on December 30, 2013

On December 30, 2013 InnovAntennas acquired the legendary Force 12 antenna company and product line and has moved the Force 12 factory from Bridgeport, Texas, to Grand Junction, Colorado.

° Universal Protection Service Acquired International Security Management Group, Inc.

On February 11, 2014, Universal Protection Service, a division of Universal Services of America and one of the largest providers of security services in the U.S., announced it acquired International Security Management Group, a risk management and physical security services company in the U.S.


° Barrette Outdoor Living Acquired Alumi-Guard Inc. on February 12, 2014

On February 12, 2014 Barrette Outdoor Living, Inc. (BOL) announced the acquisition of Alumi-Guard, Inc., a leading manufacturer in the aluminum fence and rail industry.

° Carlyle agreed to buy Tyco South Korea unit for $1.93 billion

On March 3, 2014, Carlyle Group LP (CG) agreed to buy the South Korean fire and security business of Tyco International Ltd. (TYC) for $1.93 billion, the country’s largest private equity deal in U.S. dollar value in more than five years.

Registered Direct and Private Placement Snapshot

The market for private placements significantly strengthened in the fourth quarter of 2013, compared to the fourth quarter of 2012.

° Offsite Holdings raised $10 million in private placement of convertible notes

On October 6, 2013, Offsite Vision Holdings, Inc., a provider of remote video surveillance solutions for commercial and residential customers, announced that it will receive $10,000,000 through the issuance of convertible debt securities along with an option, warrant, or other right to acquire another security.

° Guardian 8 Holdings raised $2 million in equity capital

On November 21, 2013 Guardian 8 Holdings announced the final closing on a $1,984,500 private placement of its securities.

° Micro Technologies (India) Ltd. raised $40.35 million

On December 27, 2013 Micro Technologies (India) Limited, which develops and markets transformational security devices, services and technologies in India and internationally, raised $40.35 million in a private placement.

° Northeast Automotive Holdings placed $2 million in equity securities for acquisition financing

On December 31, 2013 Northeast Automotive Holdings sold an aggregate of 7,142,857 newly issued shares of common stock at $0.28 per share, for aggregate gross proceeds of approximately $2.0 million.

Public and 144A Debt and Equity Offering Snapshot

The Physical Security sector experienced an increase in offering activity in the fourth quarter of 2013 compared with the fourth quarter of 2012.

° Control4 Corporation completed its IPO on August 1, 2013

Control4 Corporation, provider of automation and control solutions for the connected home, completed its IPO on August 1, 2013, raising $64 million. Control4 Corporation intends to use a portion of the net proceeds to pay off the remaining amounts owed under a litigation settlement agreement.


° Monitronics International, Inc refinanced existing senior notes with $175 million of unregistered 9.125% Senior Secured Notes

On November 4, 2013, Monitronics International, a provider of monitoring and related services to residential and business subscribers in the United States and parts of Canada, offered to exchange up to $175 million of registered 9.125% Senior Notes due 2020 for a like principal amount of unregistered 9.125% Senior Notes due 2020.

° Stanley Black & Decker, Inc. offered $400 million Fixed-to-Floating Rate Junior Subordinated Debentures due 2053 concurrently with 3 million equity units

On November 25, 2013, Stanley Black & Decker, Inc., a provider of power and hand tools, mechanical access solutions, and electronic security and monitoring systems for various industrial applications, offered $400 million aggregate principal amount of a new series of fixed-to-floating rate junior subordinated debentures due 2053. Stanley concurrently offered 3,000,000 Equity Units. The Company expects the Equity Units will initially consist of $300 million aggregate principal amount of junior subordinated notes due 2018 and contracts obligating the investors to purchase, for an aggregate of $300 million, shares of common stock. The Company intends to use the net proceeds from the offering for general corporate purposes, including repayment of short-term borrowings.

° Securitas AB issued $473 million 2.625% notes due 2021

On November 15, 2013 Securitas AB, provider of security services in North America, Europe, Latin America, the Middle East, Asia, and Africa, issued 350 million euro notes yielding 2.625% due 2021.

Bankruptcies

There were three physical security bankruptcies in the second half of 2013.

° IPC International filed for Chapter 11 bankruptcy

On August 9, 2013, IPC International Corporation, a provider of security services for people and facilities, filed for Chapter 11 bankruptcy.

° Kranem Corporation filed for Chapter 11 bankruptcy

On November 11, 2013, Kranem Corporation, provider of digital security, data analytics, visualization, and surveillance solutions for law enforcement, homeland security, and intelligence markets worldwide, filed for Chapter 11 bankruptcy protection.

° Evergreen Defense & Security services filed petition to liquidate under Chapter 7 Bankruptcy code

On December 31, 2013, Evergreen Defense & Security Services, Inc., a private military contractor that offers defense and security services to government, military, and NGOs filed for Chapter 7 bankruptcy.


Notable Transactions

Figure 20: Select M&A Transactions in the Physical Security Sector, Second Half of 2013 and YTD 2014

| Announced / Filing Date | Closed Date | Target | Target Business Description | Buyer | Implied TEV ($mm) | TEV / Revenue | TEV / EBITDA |
|---|---|---|---|---|---|---|---|
| 3/2/2014 | NA | Tyco Fire & Security Services Korea Co., Ltd. | Tyco Fire & Security Services Korea Co., Ltd., through its subsidiaries, provides security solutions in Korea. | The Carlyle Group LP | $2,388.6 | 3.5x | 17.5x |
| 2/12/2014 | 02/12/2014 | Alumi-Guard, Inc. | Alumi-Guard, Inc. engages in the design and manufacture of powder coated aluminum fences, matching gates, and arbors. | Barrette Outdoor Living, Inc. | NA | NA | NA |
| 2/11/2014 | 02/11/2014 | International Security Management Group, Inc. | International Security Management Group, Inc. provides security and risk management services to companies, corporations, and properties in the United States. | Universal Services of America, Inc. | NA | NA | NA |
| 12/30/2013 | 12/30/2013 | Force 12 Inc | Force 12 Inc. designs, manufactures, and markets antennas for amateur, commercial, military, and security markets. | InnovAntennas Limited | NA | NA | NA |
| 12/9/2013 | 12/09/2013 | Acme Future Security Controls Inc. | Acme Future Security Controls Inc. provides security management solutions. | Convergint Technologies LLC | NA | NA | NA |
| 11/21/2013 | 11/21/2013 | Mutual Central Alarm Services and Stat-Land Security Systems | Mutual Central Alarm Services and Stat-Land Security Systems designs commercial intrusion, fire, video, and access control systems for financial service, jewelers and retail stores in the New York City area. | Kastle Systems International, LLC | NA | NA | NA |
| 11/19/2013 | NA | Nuclear Safety Associates, Inc. | Nuclear Safety Associates, Inc. provides safety, security, and engineering services to the nuclear markets. | WS Atkins plc | NA | NA | NA |
| 10/21/2013 | 10/21/2013 | Rentsec Equipment (Pty) Ltd and Video Alarming Monitoring SA | Rentsec Equipment (Pty) Ltd and Video Alarming Monitoring SA represent the combined operations of Rentsec Equipment (Pty) Ltd and Video Alarming Monitoring SA in their sale to Securitas AB. | Securitas AB | NA | NA | NA |
| 10/1/2013 | NA | Ameristar Fence Products, Inc. | Ameristar Fence Products, Inc. manufactures ornamental and decorative metal fences and gates. | Assa Abloy AB | NA | NA | NA |
| 9/30/2013 | 09/30/2013 | Field Asset Services, Inc. | Field Asset Services, Inc. provides property preservation and REO asset management services. | Assurant Inc. | $55.0 | NA | NA |
| 09/04/2013 | 09/04/2013 | Advanced Control Concepts Inc. | Advanced Control Concepts is an integration firm based in Pensacola, FL that offers managed electronic security solutions with risk mitigation and business process improvement services. | Securadyne Systems, LLC | NA | NA | NA |
| 8/29/2013 | 08/29/2013 | The Budd Group, Inc., Security Division | As of August 29, 2013, Security Division of The Budd Group, Inc. was acquired by Universal Services of America, Inc. Security Division of The Budd Group, Inc. provides guard and security services. | Universal Services of America, Inc. | NA | NA | NA |
| 08/28/2013 | 08/28/2013 | X7 | X7 is a Washington DC-based systems integrator that provides comprehensive security management systems. | SDI | NA | NA | NA |
| 08/23/2013 | 08/23/2013 | Shenzhen Probuck Technologies Co. Ltd. | Shenzhen Probuck Technologies Co. Ltd. specializes in electronic door lock solutions with biometric identification, based on own fingerprint technology, as well as time and attendance terminals. | Kaba Group | NA | NA | NA |
| 8/20/2013 | 08/20/2013 | Industry Retail Group, Inc. | Industry Retail Group, Inc. provides broadband-based applications and services to largest apparel and specialty stores, quick-serve restaurants, seasonal and pop-up stores, insurance companies, real estate firms, medical facilities, and other franchises in the United States. | Vector Security, Inc. | NA | NA | NA |
| 8/20/2013 | 08/20/2013 | VisibleRisk Inc. | As of August 20, 2013, VisibleRisk Inc. was acquired by Click Security, Inc. VisibleRisk Inc., an information security analytics company, provides solutions to support enterprise visibility and advanced security analytics efforts. | Click Security, Inc. | NA | NA | NA |
| 8/20/2013 | 08/20/2013 | Sentinel Security Systems | As of August 20, 2013, Sentinel Security Systems was acquired by American Alarm & Communications, Inc. Sentinel Security Systems provides security services to homes and businesses. | American Alarm & Communications, Inc. | NA | NA | NA |
| 8/14/2013 | Announced | Agero, Inc., Connected Vehicle Services Division (nka: Sirius XM Connected Vehicle Services Inc.) | Sirius XM Connected Vehicle Services Inc. provides telematics services. | SIRIUS XM Radio Inc. (nka: Sirius XM Holdings Inc.) | $525.4 | NA | NA |
| 8/12/2013 | 08/12/2013 | Tessera Technologies Inc., DigitalOptics Corporation East, Certain Micro-Optics Business Assets in Charlotte | Micro-Optics Business Based in Charlotte, North Carolina produces and markets diffractive optical elements, refractive optical elements, and integrated micro-optic sub-assemblies. | FLIR Systems, Inc. | NA | NA | NA |
| 7/30/2013 | 08/02/2013 | Devcon Security Services, Corp. | Devcon Security Services, Corp. | The ADT Corporation | $148.5 | NA | NA |
| 7/18/2013 | 07/18/2013 | Johnson Controls Inc., HomeLink Product Line | As of September 27, 2013, HomeLink Product Line of Johnson Controls Inc. was acquired by Gentex Corp. Johnson Controls Inc., HomeLink Product Line comprises a vehicle-based radio-frequency device that communicates with other radio-frequency devices including garage door openers, estate gates, and home lighting. | Gentex Corp. | $700.0 | NA | NA |
| 7/10/2013 | 08/16/2013 | Security Networks, LLC | Security Networks, LLC, a life safety solutions company, engages in the sale, installation, maintenance, and monitoring of commercial and residential burglar alarms, fire alarms, medical alerts, access controls, and CCTV systems. | Monitronics International, Inc. | $740.2 | 8.1x | NA |

Sources: Capital IQ and Imperial Capital, LLC.


Section III Identity Solutions Sector


Identity Solutions Sector: Sector Outlook and Commentary

Industry Size: Fingerprint Continues to Lead as the Technology Improves

Biometrics has been covered in nearly every Security Monitor published. Most of what we have written about involved lumpy government purchases of expensive Live-Scan equipment and growing international acceptance for security, voting, and empowering “off-the-grid” citizenry. However, in the U.S., based on our observations, there has mostly been frustration with the pace of adoption relative to the potential of the technology—particularly in a commercial environment with a strong demand for biometrics, but which has also had to deal with ROI and efficacy shortcomings. Each year, we interview integrators and potential end users about the technology, and for the first time, we may see some light at the end of the tunnel due to improved technology for the most common biometric of all—fingerprint. This is borne out by a scanning of the many market surveys being done on biometrics (it may be the most market-researched ID technology in history), which have begun to get more bullish and more specific regarding increasing acceptance outside of government use. If we were to take the mean of 12 separate reports, it would be fair to deduce that at least the market survey world believes that the worldwide biometric industry will grow about 15-25% annually through 2018 to about $18-20 billion, and that by far the largest modality will remain fingerprint, with potential industry-wide growth to about $10-11 billion. Below we note the reasons why this might be the case after many years of lumpy, unpredictable growth.

A biometric is unique, and with the right technology, copies can almost always be detected and prevented. Contrast this to the current industry standards of passwords and RFID badges, all of which can be much more easily replicated and used by sophisticated electronic programs to gain access to invaluable personal information and confidential enterprise assets.

On a yearly basis for over a decade, we have interviewed several leading integrators and non-government end users regarding their potential use of biometrics. It has been a long road. The shortcomings of certain fingerprint technologies have led biometric system integrators and developers to push end users toward very expensive multi-modal installations (usually iris or face, or both), which dramatically reduces ROI and raises privacy issues, particularly in “passive” and even less accurate facial recognition. What is clearly needed is a solution to those issues affecting the most convenient, inexpensive, and familiar biometric, which is fingerprint.

Because of its ease of use and familiarity, fingerprint biometrics is once again gaining momentum and scale as governments and corporations around the world adopt practices to better safeguard their key information and assets. Fingerprint has been, and will continue to be, a key factor when single or multi-modal biometrics is used. Typical (of the many reports we aggregated above) would be RNCOS Industry Research Solutions' latest forecast, in which the global biometric market is expected to expand at a CAGR of 21% from 2012 to 2014. Although fingerprint biometrics have traditionally stemmed from government applications, the technology is being increasingly accepted and adopted in various external and internal commercial applications, including physical access control, logical access controls (such as ATMs), point of sale or delivery, and time and attendance. “Multi-modal” biometric systems, or iris, simply remain too costly or too complicated in pricing and interoperability, and facial remains too inaccurate at the price points for a mass market.


This is unfortunate because, whatever the size of the government-civil biometric market, our discussions with participants in the commercial/industrial/institutional markets indicate a potential market more than double the government market, but only if and when security, durability, cost, and ease of operation issues are solved. The immediate markets that could be secured with biometrics (versus passwords, keys, or RFID cards) include:

° Physical access and logical access—border control, amusement parks, commercial/institutional buildings, driver recognition, fleet management, medical dispensing, point-of-sale, single-sign on, civil ID, e-Prescribing, and process control
° Self-service kiosks—ATMs, medical dispensing, financial services
° Time and attendance
° Mobile/hand-held—public (deliver goods), civil (verify citizens), secure financial services

Fingerprint technology is the most established and widespread form of biometrics and will likely dominate the residential and commercial security product marketplace. Biometric Research Group, in a report published in September 2012, projected that fingerprint technology will represent $3 billion of revenue within the residential and commercial security product marketplace by 2017. While that seems like large growth from a little over $1 billion today, it still represents only 15% of the total biometric market estimated by Biometric Research Group. As we have noted, we believe the commercial market by itself should be larger than the government market as key issues are solved.

We believe new, advanced fingerprint technologies will drive this ultimately significant growth in commercial and residential biometrics.

The main advantages of fingerprint technology are that it is the most economical biometric technology and that its small storage space, reduced power requirements, and resistance to temperature and background lighting make it an ideal technology to be deployed in a range of logical and physical access environments.

Target market environments that will benefit most include home-based and small to mid-sized businesses. To be sure, there are still challenges that remain for the overall fingerprint biometric industry. Frost & Sullivan’s 2011 publication, Best Practices Guide to Fingerprint Biometrics, found that the most concerning and prevalent issues holding back the industry were accuracy, fraud (“spoof” or “liveness”) detection, environmental and physiological usability, and throughput speed.

Accuracy remains the most important factor in the equation. False rejections can cause the user significant inconvenience and interfere with timely processing and access. Even more problematic are false acceptances, instances in which a non-approved user gains access to sensitive information or valuable assets. Finally, some of the fingerprint technologies have tried to overcome what limitations or inaccuracies they have, but it comes at a cost, which puts the majority out of immediate consideration by specifiers, integrators, and end users.

The most common fingerprint technology in use today (used by most of the largest providers, such as Safran, NEC, and Cross Match) relies on sensors that use arrays of photodiode or phototransistor detectors to convert the energy in light on the detector into an electrical charge. The sensor package usually includes a light-emitting diode (LED) to illuminate the finger. Total internal reflectance (TIR) biometric sensors are the most common of these sensors. TIR sensors collect images based on the difference between air and material in contact with the sensor; that is, they rely on the image generated by whatever material is in contact with the sensor. Therefore, any material placed on the sensor that produces the expected contact image can be used to generate a fingerprint. As a result, spoof fingerprints and “less than optimal” environments are an issue with TIR sensors, particularly in unattended applications. TIR sensors can be affected by a number of real-life factors such as stray light, surface contamination, or even prior fingerprint impressions present on the sensor surface. Hence, it is essential to clean the fingerprint reader glass on a regular basis for optimal performance. In truth, some TIR sensors can now distinguish a real fingerprint from a fake one using “spoof” or “live finger” detection, but that increases cost.

In real-world applications, the user's hands may not always be clean and dry. The same concern applies to outdoor sensors that are subject to wind and rain. Dust, pollen, chalk, and chemicals may often dirty a user's prints, which will decrease a TIR sensor's ability to detect and collect the full print. This sometimes leads to false negatives, user frustration, and a backlog in throughput. The government can get around this with maintenance, expensive multi-finger “swipe” and “static finger” readers, or by going “multi-modal” with several biometrics. However, this is not acceptable for the potentially much larger commercial/industrial/institutional market where throughput, cost, ROI, and total cost of ownership are important considerations.

Capacitive Sensors—Thin, (Sometimes) Inexpensive, and Small—Still Many Drawbacks

Capacitive sensors, the most widely used fingerprint technology outside of optical (e.g., AuthenTec, acquired by Apple), use electric current to sense a fingerprint and capture the image. Because the sensor applies a small voltage to the finger, a real fingerprint is required rather than a visual impression of it. This technique makes the fingerprint reader more reliable as it becomes harder to fake enrollment. Another benefit of capacitive sensing fingerprint readers is that they are more compact and thus easy to install. However, there are reasons why capacitive sensors have done well in small form factors but have not broadened their base in the market, particularly into enterprise use, and the list is not short: 1) the thinner silicon chips are inherently fragile and susceptible to damage by hard external impact, scratches, and electrostatic discharge; 2) their thin form factor also exposes them to more corrosion from everyday handling and exposure, resulting in greater replacement, maintenance, and downtime costs; and 3) capacitive sensors usually offer only a smaller imaging area, image size, and resolution. This is due to the greater cost of manufacturing larger, high-quality chips, but it is an area that we believe is being improved over time.

Is Multi-Spectral Imaging the Silver Bullet?

Vastly improved technologies are being developed for fingerprint at the commercial/industrial/institutional level, most notably multispectral imaging (MSI), which has already been on the market for several years. An MSI sensor captures multiple images of the finger under varied conditions such as different wavelengths, different illumination orientations, and different polarization conditions. This data is processed to obtain a composite fingerprint image. The advantage of a multispectral fingerprint reader over others is that its functioning is not affected by external factors such as contaminants, improper contact, or bright ambient light. MSI is also able to identify whether the fingerprint is genuine or a spoof. The process captures data on both the surface and subsurface features of the skin, as opposed to TIR sensors, which cannot retrieve subsurface features and also produce inferior surface images. This same MSI concept of collecting data under different conditions has been successfully tested in harsh environments as well.

Unlike TIR sensors, MSI technology also allows for the imaging of a fingerprint without direct contact with the sensor. An MSI sensor will always acquire a fingerprint image whether or not there is direct contact with the sensor or an appropriate amount of pressure is applied to the sensor.


We believe that as MSI technology continues to gain traction as being a convenient, robust, and secure authentication tool, then the superior ROI/TCO (return on investment/total cost of ownership) and integration capability (with other security technologies), could create the fast growing market in commercial/industrial/institutional markets that we have been predicting. The markets for this technology already include banking and healthcare. Lumidigm, Inc. is currently the only company that is offering MSI technology in its sensors. To the best of our knowledge, Lumidigm's spoof detection technology provides spoof performance that exceeds that of any other fingerprint sensor currently on the market.

Other Major Fingerprint Technologies Include:

Thermal Sensors. A fingerprint image is created from the skin temperature measured at ridges and the ambient temperature measured at valleys. The biggest drawback of this technique is that the temperature change is dynamic: it takes only about a tenth of a second for the sensor surface touching ridges and valleys to come to the same temperature, erasing the fingerprint image.

Pressure Sensors. Pressure sensing scanners (including micro electro-mechanical, or MEMS), can be made very thin and are often used in electronic devices. Pressure sensing scanners are just now moving beyond having to make a tradeoff between durability and quality because any protective layer on the detector surface would diminish the contrast of the impression.

RF Sensors. A low radio frequency (RF) signal is applied to the user’s finger and then read by the detector array, with each pixel operating like a tiny antenna. The advantage of this detector is that it reads the fingerprint from the dermal layer underneath the surface making it less susceptible to damaged or dry fingertips. However, it is more expensive.

Ultrasonic Sensors. Ultrasonic scanners have an advantage of being able to see beneath the skin. This provides not only verification of a live finger; it also provides more information as a biometric measure. However, this technology is slower, expensive, bulky, and too data intensive for many access control applications. Ultrascan is the leading provider of this technology.

NIST Protocol from May 2013 Beginning to Become Reality for an Easy-to-Use, Standardized Biometric Communication with the Web

In May 2013, researchers at the National Institute of Standards and Technology (NIST) developed and published a new protocol for communicating with biometric sensors over wired and wireless networks using some of the same technologies that underpin the web—and now they are demonstrating it.

The protocol, called WS-Biometric Devices (WS-BD), allows desktops, laptops, tablets, and smartphones to access sensors that capture biometric data such as fingerprints, iris images, and face images using web services. Web services themselves are not new; for example, video-on-demand services use web services to stream videos to mobile devices and televisions. We were recently shown a demo of this protocol and believe it could be a significant step in making biometrics easier to use and interoperable, not just between government agencies but also between sites in a large, commercial multi-store enterprise.


The WS-Biometric Devices protocol could greatly simplify setting up and maintaining secure biometric systems for verifying identity because such biometric systems will be easier to assemble with interoperable components compared to current biometrics systems that generally have proprietary device-specific drivers and cables. WS-BD enables interoperability by adding a device-independent web-services layer in the communication protocol between biometric devices and systems.

In other words, any type of web device—a phone, a laptop, or a tablet can talk to any type of biometric scanner (finger, face, iris, etc.). The operator does not have to learn anything new; no new drivers are required, no proprietary knowledge about the scanner, making life a lot easier for the end user.

With the pushback that came with interoperable ID credentialing, NIST recognized this need several years ago and developed a solution with the support of the Department of Homeland Security Science and Technology Directorate, the Federal Bureau of Investigation’s Biometric Center of Excellence and NIST’s Comprehensive National Cybersecurity Initiative. However, NIST also is now working with industry through the Small Business Innovation Research Program to help bring these plug-and-play biometric devices to market, and take them out of the demo stage.

Identity and Access Management’s Increased Use of Biometrics: Growth of Secure and Underpenetrated Market

We view the competitive and consolidation environment in Identity and Access Management as robust from the physical, logical, and converged perspectives. Adoption of biometric systems appears to be a strategic and secure direction for companies, countries, and even academic institutions that deal and interact with access control, identification, verification, and secure payment needs.

The Need. The current methods to identify and properly document a citizen, or to access a secure document, are not able to meet the growing demand for enhanced security, creating a high-growth opportunity for biometric technology.

Types and Uses of Technologies. Biometrics systems are used to measure physiological and behavioral characteristics to identify people, grant them access to secure items (e.g., files, doors), and perform transactions (e.g., pay for lunch, online payments via two-factor authentication). Physiological characteristics include Vascular Recognition, iris, face, and fingerprints. Behavioral characteristics include a dynamic signature and voice recognition.

As more countries use biometrics to combat terrorism, enhance airport security, adopt a national ID or driver’s license, or even a passport, the market availability will become larger. India, Mexico, and Russia are increasing their use of biometric systems, while China recently began using a biometric national ID program. Commercial, government, and consumer-based data security concerns have given rise to biometric based two-factor authentication devices, and the companies that are able to create a sustainable competitive advantage via product quality, enhanced features, usability, and brand awareness will garner a greater portion of this new and accelerating market.

Market Size. We believe that biometric systems may not just replace, but enhance the way in which we perform and interact with certain processes (e.g., pay for items, state/national ID, passwords). If we were to take the mean of 12 separate market research reports, we believe it would be fair to deduce that at least the market survey world believes that the global biometric industry will grow about 15-25% annually through 2018 to about $18-20 billion, and that by far the largest modality will remain fingerprint, with potential industry-wide growth to about $10-11 billion. Transparency Market Research notes that facial, iris, vein, and voice recognition together constitute the second largest segment, estimated at $1.4 billion in 2010 and expected to reach $3.5 billion by 2015.


Concerns. Many of the concerns regarding the use of biometric systems for physical security purposes seem to stem from a lack of awareness and understanding of improvements in the cost and efficacy of the technology. We believe that the use of biometric systems, in the right places, greatly enhances security and efficiency for the end user.

The Opportunity. Each year, more biometric functionality is being added to mobile devices, and the proliferation of unique apps is allowing consumers to control their home security systems, enter premises, deposit checks, and remotely log into their work computers (e.g., GoToMyPC). Consider the recent acquisition by Apple of AuthenTec, ’s business investing in Validity Sensors, Inc. (creator of fingerprint sensors), or Microsoft working towards biometric sensors which it can incorporate in its Xbox game console. The gaming and mobile markets are not the only places in which we will see the infusion of biometric technology. Schools, universities, the banking industry (e.g., ATM, credit cards), state and national governments (e.g., IDs), and hospitals are seeing, and will continue to see, an increase in the use of biometric systems as a way to increase security and combat fraud.

Biometrics Update: Companies Are Forging Forward With This Technology Even While There Are Some Who May Fear It

Types of Notable Biometric Technologies

There are two main purposes of biometric systems: to authenticate and to identify. An individual could use their finger to access a door, or to pay for lunch at school. Both physical (e.g., fingerprint, iris) and physiological (e.g., handwriting) characteristics are examined to identify a person and to produce one of three types of biometric data: raw images, encrypted images, and encrypted partial data. Raw images consist of recognizable images (e.g., a face), while encrypted images store data which can be used to create an image, and encrypted partial data stores partial data from an image which is encrypted and cannot be used to recreate the complete original image.

Fingerprint Recognition

Figure 21: Fingerprint Characteristics

Sources: www.biometrics.gov.

Fingerprint technology is the most established and widespread form of biometrics and will likely dominate the residential and commercial security product marketplace. Biometric Research Group, in a report published in September 2012, projected that fingerprint technology will represent $3 billion of revenue within the residential and commercial security product marketplace by 2017. While that seems like large growth from a little over $1 billion today, it still represents only 15% of the total biometric market estimated by Biometric Research Group.

The main advantages of fingerprint technology are that it is the most economical biometric technology and that its small storage space, reduced power requirements, and resistance to temperature and background lighting make it an ideal technology to be deployed in a range of logical and physical access environments.

Facial Recognition

Figure 22: Elastic Bunch Map Graphing

Sources: www.biometrics.gov.

Facial recognition continues to become more refined as it evolves from the early days of simple geometric models into an approach that takes many images of the face to extract uniquely identifiable facial features, while accounting for the distances between the eyes, nose, ears, mouth, etc. Facial recognition is now used to prevent passport fraud, support law enforcement, control access, etc.

Hand Geometry Recognition

Figure 23: Distance Measurement

Sources: www.biometrics.gov.

Hand geometry recognition entails looking for unique features in the structure of the hand. The length, width, thickness, and distances between joints are all distinguishing characteristics that are noted when taking a 3D image of the hand. We note that the human hand does not contain as many uniquely identifiable characteristics as the other biometric-based identifiers.

Iris Recognition

Figure 24: Iris Recognition

Sources: www.biometrics.gov.

Iris recognition is the process via which the iris is analyzed for distinct and random patterns. The iris is a thin, circular structure in the eye responsible for controlling the diameter and size of the pupil and thus the amount of light reaching the retina. It is the colored part of the eye.

Though the color of the eye may be genetically linked, the patterns are unique and develop during prenatal growth.

Voice Recognition

Figure 25: Voice Sample

Sources: www.biometrics.gov.

Voice recognition (not to be confused with speech recognition) is the process by which the unique patterns of an individual’s voice are analyzed. The physiological component of voice recognition is related to the physical shape of an individual’s vocal tract, and the voice/speaker recognition software analyzes the frequency content of the speech and compares the quality, duration, intensity, dynamics, and pitch of the signal.

Vascular Recognition

Vascular recognition (or Vein Pattern Recognition) is likely the newest addition to the suite of available biometrics technologies. Much like retina recognition, vascular recognition looks for unique patterns within the blood vessels. What sets it apart is that the process does not involve any contact with the actual examination machine, but is done via the use of infrared light.

Signature Recognition

Signature recognition analyzes the way in which a person signs his/her name. The pressure applied to the object, timing, and speed of signing something are all examined to identify a person with their handwriting. We note that “signature recognition” is not limited to a person’s signature, but encompasses the full breadth of the way a person writes.

Biometrics in Schools and Colleges: Is It A Comfort or Concern?

We have seen an increase in the number of companies that are innovating products which could make it safer, easier, and faster for kids not only to pay for their school lunches, but also to access doors to which they have been granted permission, and to easily identify themselves. In order to introduce a biometric system within a school or college, we believe that two key elements need to be in place: consent by both students and parents (when appropriate), and a legitimate interest of the school or college.

Universities. Universities across the nation (and very likely in other parts of the world) are routinely introducing new and more secure technologies, and it appears to us that they are starting to consider biometrics as a way to identify students and also as a way to pay for certain items in the same way in which students would be able to pay with their student card (e.g., food, books). Access control (e.g., door locks) companies such as Assa Abloy (ASAZY), Brivo Systems, or Honeywell International (HON) have long had a presence on college campuses, but the use of biometrics to pay for items and as a means of identification is now gaining popularity.

What Has Been Holding Back Biometrics?

We believe that students, parents, and administrators have not been properly informed about the benefits and risks associated with the use of biometric systems. Apple’s acquisition of AuthenTec in October 2012 sparked market observations that the maker of the iPhone and iPad could integrate fingerprint identification into future devices. With the introduction of the iPhone 5S on September 10, 2013, that possibility became reality. We believe that Apple's evident validation of this technology may force other manufacturers of mobile devices to provide a similar option. Whereas biometrics have generally been focused on government and enterprise applications, we believe Apple’s adoption could be the “tipping point” for mainstream adoption that may create entirely new ecosystems for mobile payment, e-wallets, and e-commerce.

In our view, the administrators may be far more concerned than the current students are. Whereas the students at younger and younger ages are being introduced to these systems and growing up with some form of technology, the older generation may not be as comfortable with the use of it and may be more reluctant to adopt it. We believe that properly-integrated biometrics have the potential to dramatically increase the security of point-of-sale and online transactions made through mobile devices.

We recognize that spoofing (e.g., using fake fingerprints) and accuracy are two of the primary concerns for both the end users and the administrators. False rejections can cause the user significant inconvenience and interfere with timely processing and access. Even more problematic are false acceptances, instances in which a non-approved user gains access to sensitive information or valuable assets.

The most common fingerprint technology used today (including by most of the largest providers, such as Safran, NEC, and Cross Match) is the sensor that uses arrays of photodiode or phototransistor detectors to convert the energy in light on the detector into an electrical charge. The sensor package usually includes a light-emitting diode (LED) to illuminate the finger. Total internal reflectance (TIR) biometric sensors are the most common of these sensors. TIR sensors collect images based on the difference between air and material in contact with the sensor; that is, among the capture methods used in fingerprint technologies, TIR sensors rely on the image generated by the material in contact with the sensor. Therefore, any material placed on the sensor that behaves as the sensor expects can be used to generate a fingerprint. As a result, spoof fingerprints and “less than optimal” environments are an issue with TIR sensors, particularly in unattended applications.

Solutions to the Biometric Backlog.

Multispectral Imaging. Vastly improved technologies are being developed for fingerprint at the commercial/industrial/institutional level, most notably multispectral imaging (MSI), which has already been on the market for several years. An MSI sensor captures multiple images of the finger under varied conditions such as different wavelengths, different illumination orientations, and different polarization conditions. This data is processed to obtain a composite fingerprint image. The advantage of a multispectral fingerprint reader over others is that its functioning is not affected by external factors such as contaminants, improper contact, or bright ambient lights. MSI is also able to identify whether the fingerprint is genuine or a fake. This process thus captures data on both the surface and subsurface features of the skin, as opposed to TIR sensors, which cannot retrieve subsurface features and also produce inferior surface images. Unlike TIR sensors, MSI technology also allows for the imaging of a fingerprint without direct contact with the sensor. An MSI sensor will always acquire a fingerprint image whether or not there is direct contact with the sensor or an appropriate amount of pressure is applied to the sensor.

Two-Factor Authentication. We have seen instances in which biometric information is stored on an ID token so the user can be authenticated and identified, but the data stored on the card cannot be copied. The way this works is fairly straightforward: the cardholder swipes the card in the system to be authenticated, and then a live scan of the cardholder’s finger is taken and compared against the sample on file. Two-factor (or multi-factor) authentication can also be used with online transactions, where the user inputs their credit card information or username and password, but will then have to enter a PIN (e.g., shown on a key fob or cellphone) that continuously changes. Increasing the number of authentication factors has a direct impact on the accuracy and thus the overall security (albeit at a slightly reduced speed). As credit card and identity fraud continues to haunt consumers, it will likely make way for biometric systems (and likely multi-factor authentication) that are more secure.
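As an added illustration (not part of the original report), the Python sketch below works through the false-acceptance/false-rejection trade-off raised earlier and the effect of adding a second factor described here. The match scores, the token error rates, and the independence of the two factors are all constructed assumptions.

```python
"""False-accept / false-reject trade-off for one biometric factor and for
biometric AND token. All numbers are constructed for illustration."""

# Constructed matcher similarity scores in [0, 1] (not from any real sensor).
GENUINE_SCORES = [0.91, 0.88, 0.79, 0.95, 0.62, 0.84, 0.73, 0.97, 0.58, 0.86]
IMPOSTOR_SCORES = [0.12, 0.33, 0.41, 0.27, 0.66, 0.19, 0.52, 0.71, 0.08, 0.45]

# Assumed error rates of the second factor (card or one-time code).
TOKEN_FAR = 0.05  # chance an impostor presents a valid token (e.g., stolen card)
TOKEN_FRR = 0.01  # chance the legitimate user's token fails or is missing

EPS = 1e-9  # tolerance so float rounding does not flip a comparison


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def lowest_threshold_meeting(genuine, impostor, max_far, step=0.05):
    """Scan thresholds upward; return the first (threshold, FAR, FRR)
    whose FAR is at or below max_far, or None if no threshold qualifies."""
    for i in range(int(round(1 / step)) + 1):
        threshold = round(i * step, 2)
        far, frr = error_rates(genuine, impostor, threshold)
        if far <= max_far + EPS:
            return threshold, far, frr
    return None


def combine_and(far_a, frr_a, far_b, frr_b):
    """Rates when BOTH factors must pass, assuming they fail independently."""
    for rate in (far_a, frr_a, far_b, frr_b):
        if not 0.0 <= rate <= 1.0:
            raise ValueError("rates must be probabilities in [0, 1]")
    far = far_a * far_b                      # impostor must beat both factors
    frr = 1 - (1 - frr_a) * (1 - frr_b)      # user is rejected if either fails
    return far, frr


def compare(max_far=0.01):
    """Operating points that meet the same FAR target with one and two factors."""
    single = lowest_threshold_meeting(GENUINE_SCORES, IMPOSTOR_SCORES, max_far)
    # With a token in front of it, the biometric can run at a looser threshold:
    # its own FAR only has to satisfy far_bio * TOKEN_FAR <= max_far.
    loose = lowest_threshold_meeting(
        GENUINE_SCORES, IMPOSTOR_SCORES, max_far / TOKEN_FAR
    )
    two_far, two_frr = combine_and(loose[1], loose[2], TOKEN_FAR, TOKEN_FRR)
    return {"single": single, "two_factor": (loose[0], two_far, two_frr)}


if __name__ == "__main__":
    for name, (thr, far, frr) in compare().items():
        print(f"{name:10s} threshold={thr:.2f} FAR={far:.3f} FRR={frr:.3f}")
```

On this constructed data, the single biometric factor must reject 30% of genuine attempts to hold false acceptances at or below 1%, while the two-factor configuration meets the same target with about 1% false rejections.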

Figure 26: Multi-Factor vs. Layered Security

Sources: Wall Street Journal.

Biometric Data Not Being Stored. Based on our observations, parents of students, and maybe the students, are reluctant to try this new and more secure (in our opinion) technology because they believe that the scanning systems will store their biometrics. We want to put this issue to rest and explain that these biometric systems are not storing images of a fingerprint, iris, or other body part, but instead are creating mathematical representations (templates), with the true image never being stored in the system. When a person enrolls into a biometric system, the algorithm selects several points and converts them into a mathematical representation. The data is generally encrypted; the template is smaller in size, which makes it easier to store biometric information on a smart card or other memory-restricted system, and it safeguards the actual image from being reverse engineered.

Biometrics Uses in Different Verticals

° Healthcare and Biometrics

We believe that the healthcare biometric vertical will go through a great deal of growth in mitigating healthcare fraud, while providing increased and improved patient care and document privacy. Our recent discussions with healthcare professionals have indicated to us that document duplication is an issue which needs to be resolved, and we believe that biometric technology can be a viable and efficient solution. Many times a patient will go to a doctor’s office and check in with his legal/official name; for instance, the patient’s legal name is Robert J. Smith, but at times the patient may use the shortened version of his name, which, in our example, is Rob J. Smith. If the system is unable to determine whether the two are in fact the same, therein lies the issue of document duplication, misplaced documents, etc. The use of biometrics will help make sure that the person signing in as “Robert” or “Rob” is in fact the same person, leading to better management of patient documents and thus better and more efficient treatment.

° A View Into the RSA Conference, Held in on February 24-28; Review of Select Companies

At the recent RSA Conference, which was held at The Moscone Center in San Francisco, California from February 24 through February 28, 2014, we spoke with several security companies that are finding ways to merge physical and IT security. The RSA Conference is one of the leading security industry conferences and includes select security executives as well as leading and emerging IT security companies. Attendees have the opportunity to learn and converse about some of the most important issues facing the security industry.

Select List of Exhibitors

° Entrust

Based in Dallas, Texas, Entrust is a leading provider of identity-based security solutions, authentication, credentialing, physical and logical access, mobile security, digital certificates, Secure Sockets Layer (SSL, a protocol for providing secure communications over the Internet), and public key infrastructure (PKI). During the conference, we spoke with Entrust about its recently announced collaboration with 3M Cogent to integrate biometric fingerprint authentication into Entrust IdentityGuard software. The partnership will allow organizations to leverage fingerprint biometrics to authenticate users for logical access to workstations. We find that there is a need for second-factor authentication to protect sensitive data, and this partnership will help users streamline secure access to both cloud and internal systems.

In addition to our conversations at RSA, Entrust previously pointed out a long-standing obstacle to converged credentials between logical and physical access: divergent budgets and goals that result from logical and physical groups often being siloed within the enterprise. The relatively early state of deployment of smartphone-enabled ID technologies, such as NFC or Bluetooth Low Energy, in mobile devices is an additional limiting factor, yet these technologies are expected to play an important role in smart card credential spawning. Entrust has previously noted that in the U.S., mobile operators and manufacturers have control over NFC capabilities, so agreements between consumers and their chosen application providers must materialize for NFC to integrate into the corporate environment.

° HID (part of Assa Abloy)

Assa Abloy is, by a factor of three, the largest lock and access control company, and recently exhibited at RSA from February 24 to 28, 2014 at the Moscone Center in San Francisco, California. The lock business is undergoing a steady shift from mechanical to electro-mechanical and electronic locks that “think” for themselves. The company is also a leader in wireless locking infrastructure and, through its HID division, the leader in contactless card access control systems and several smartphone-enabled credentials, such as near-field communications (NFC) systems. Assa Abloy’s leading competitor is the security division of Ingersoll Rand, which is being spun off under the name of Allegion later this year. Earlier, at the Securing New Ground Conference in November 2013, management noted the three catalysts which could lead to smartphone-enabled platform devices taking a larger piece of the Security market: 1) the business model of how mobile devices live within the Security industry, 2) privacy, which is a major issue which the industry is currently facing, and 3) security, as it relates to where the identity will reside (in the device, cloud, or elsewhere).

The Threat of Counterfeit Electronics to the Industry. Also at the Securing New Ground Conference, both Don Erickson (President of the Security Industry Association) and Denis Hebert (President and CEO of HID Global Technologies, part of Assa Abloy) stated that counterfeiting of electronic and electro-mechanical items is the most significant threat to the security industry. They also stated that billions of dollars are being shifted away from the industry, which could be better deployed towards profitable growth. Assa Abloy/HID Global is actively addressing the counterfeit issue; Mr. Hebert stated that most manufacturers do not pay enough attention to or realize the impact of counterfeiting on the Security industry. We have already identified this issue as a key problem, and HID now has a staff of people dedicated to dealing with this matter.

° NagraID

NagraID, a privately held company based out of Switzerland, produces contactless cards using a variety of materials (e.g., PVC, PC, ABS Blends, Melinex, etc.), as well as tags, key fobs, and other similar security products through the use of technology. We were able to experience first-hand the single and multi-touch display cards. A single-button display card provides a simple and secure solution for remote access with strong authentication, such as VPNs. The multi-touch card (which looks identical to the dual-interface card displayed below) provides a 12-button keypad and can provide features which include PIN activation and challenge questions. The dual-interface display card (below) gives the user the account balance, transaction history, reward points, payment due dates, etc. This is one of the most advanced payment display cards with contact and contactless communication which we have seen. The Dual one-time password (OTP) enables generation of two different passcodes on a single device and protects two different services, such as e-banking and e-commerce.

The standard Europay (EMV) chip technology is used to update the information every time the card is authorized online. EMV is the global standard for interoperation of integrated circuit cards and point-of-sale terminals and ATMs for authenticating credit and debit card transactions. The cardholder swipes the card (same as before), the terminal requests the payment authorization (same as before), the card issuer processes the request and replies with an approval (same as before), and the terminal at the store receives the approval code and executes the EMV script to update the information on the cardholder’s display card.

Figure 27: Single Button vs. Dual Interface/Information Display Card

Sources: nidsecurity.com.

Acquisition of Fingerprint Technology Leader Opens Up Further Markets for HID Global

On 2/10/14, Assa Abloy announced that its $950 million HID Global division had acquired Lumidigm, a global leader in authentication solutions that use multispectral imaging (MSI) technology, software, and biometric fingerprint sensors to authenticate identities with a high degree of certainty—and cannot be spoofed. We believe the acquisition significantly expands the addressable market for the company’s ID solutions capabilities.

Lumidigm’s fingerprint technology offers substantially improved speed and accuracy over traditional systems by scanning under the skin rather than only the surface. We believe the commercial/industrial/institutional market has a potential market of more than double the government market if and when security, durability, cost, and ease of operation issues are solved. The immediate markets that could be secured with biometrics (versus passwords, keys, or RFID cards) include:

° Physical access and logical access—border control, amusement parks, commercial/institutional buildings, driver recognition, fleet management, medical dispensing, point-of-sale, single-sign on, civil ID, e-Prescribing, and process control

° Self-service kiosks—ATMs, medical dispensing, financial services

° Time and attendance

° Mobile/hand-held—public (deliver goods), civil (verify citizens), secure financial services

Lumidigm’s advancements could enable numerous commercial and industrial applications, such as high throughput physical access (e.g., theme parks), electronic medical records and pharmaceuticals access, ATM authentication, automotive “push-to-start” systems, time and attendance solutions, and manufacturing systems access. We believe biometrics will broaden far beyond traditional government identity programs, border control, and criminal forensics and into these new applications over the next several years.

Is Lumidigm’s Multi-Spectral Imaging a Silver Bullet for Fingerprint?

Lumidigm, Inc. is currently the only company that is offering MSI technology in its sensors. The advantage of Lumidigm’s multi-spectral (MSI) fingerprint reader over others is that it is not affected by external factors such as harsh environments, contaminants, improper contact, or bright ambient lights. For example, biometric identification typically has not been used in areas of high throughput because confirmation was significantly slower than visual inspection or PINs. Contact fingerprint systems are particularly sensitive to less than ideal skin conditions (e.g., too dirty, too sweaty, too dry, too worn, etc.). Importantly, Lumidigm’s MSI technology is also uniquely able to identify whether the fingerprint is genuine or a spoof.

The Lumidigm acquisition comes on the heels of its 1/17/14 acquisition of IdenTrust, Inc., a provider of solutions for globally interoperable digital identities that can authenticate, encrypt, and create electronic signatures for virtually every type of transaction activity where proof of identity is essential. IdenTrust is the largest supplier of digital identities for the Department of Defense’s External Certification Authority (ECA) program and General Services Administration’s Access Certificates for Electronic Services (ACES) program. The company provides identity management solutions in 175 countries for over 20 of the world’s largest financial institutions.

In our opinion, Assa Abloy has made a concerted effort to become the undisputed leader in higher technology access control and identification solutions for not just enterprises and institutions, but for government as well—the latter is an area in which it did not have a lot of traction until 2011. However, a series of acquisitions has turned the company into the leader in this segment from a revenue perspective. This is unlike Safran (which purchased L-1 in 2010), which is primarily involved in registration and border identification. The challenge remains for Assa Abloy and HID to integrate these acquired technologies and companies carefully, letting some of the more creative sectors provide competitive advantage to Assa Abloy while still remaining the leading providers of software and identity solutions to other companies in the industry as well. These acquisitions include:

2011—ActivIdentity, a leader in authentication, credential management, security client services, and authentication device products and technologies.

2012—Codebench, the leading provider of software for physical identity management credentialing systems, particularly for federal standards-based verification systems for government agencies and projects. The acquisition was highly complementary with ActivIdentity in that both companies provided leading solutions for “identity at the door” which could be monitored from servers inside the premises.

2014—IdenTrust, a leading provider of solutions for global/interoperable digital identities that can authenticate, encrypt, and create electronic signatures for virtually any type of transaction activity where proof of identity is essential.

2014—Lumidigm, the most advanced fingerprint biometric technology available—multi-spectral imaging, which we believe creates “spoof-proof” fingerprint readings. Because this technology takes into account subdermal distinctions, it extracts the correct identity regardless of the condition of the ridges on the finger, contaminants, or the harsh environment in which some fingerprint readers must work.

With these acquisitions, we believe Assa Abloy now possesses networked, digital identity leadership for both commercial/institutional and government programs and installations. These technologies include 1) cloud-based employee authentication and identification; 2) mobile access solutions, including Near-Field Communications (NFC); 3) the entire suite of software, services, and products needed to address every aspect of identification solutions from cards, readers, and printers to an identification and authentication ecosystem in the cloud.

Companies with Well-Regarded Positions in the Physical-to-Logical Access Control Market and Physical ID Solutions Market

AlertEnterprise, Inc. AlertEnterprise provisions both physical and logical access control across multiple card access systems, video surveillance systems, and sensor networks.

Bridgepoint Systems. Bridgepoint Systems is a well-known provider of authentication solutions, primarily for the federal government, based on public key infrastructure for physical access control.

Entrust Inc. Based in Dallas, Texas, Entrust is a leading provider of identity-based security solutions, authentication, credentialing, physical and logical access, mobile security, digital certificates, Secure Sockets Layer (SSL, a protocol for providing secure communications over the Internet), and public key infrastructure (PKI).

*HID Global. HID, a division of Assa Abloy, is the leading physical access card and reader company. Through its acquisitions of ActivIdentity and LaserCard in early 2010, and Codebench in 2012, HID now can manage the issuance and administration requirements of large scale smart card deployments and provide a suite of GSA-listed PKI products and services. HID recently acquired Codebench, a small but respected leader in software and software kits that allow other software manufacturers to customize their applications to communicate with PIV, TWIC, and CAC cards, speeding up the interoperability process. Through ActivIdentity and Codebench, HID has become the undisputed leader for being able to provide “Identity at the Door.” One area the company is increasingly stretching into is the “government-to-citizen” identity solutions vertical, where it supports national ID programs and electronic passports, for instance. The company is currently the prime contractor on the U.S. government’s “Green Card” program.

Certipath. Certipath provides PKI-based high assurance credentials to industry participants for both physical and logical access and control.

*Identive Group. Identive is a leading provider of ID card readers and software, chips, card firmware, RFID, and tracking solutions. Identive has been a major supplier to the federal government and international ID programs.

NXT-ID (NXTD). NXT-ID develops products and solutions for consumers and commercial entities that are seeking biometric secure access control. The company is creating the next generation of advanced biometric technology to facilitate secure transactions, identity management, and access control. NXT-ID has four marquee products: Wocket, Biocloud, Facematch, and Voicematch.

Quantum Secure. Quantum Secure is the leading solution provider for managing and securing identities and compliance across disparate physical security infrastructures. Quantum Secure has coined the acronym PIAMS, for Physical Identity Access Management Services.

RightCrowd Software. Another company with a directive to bring Physical Security into the Enterprise is RightCrowd, based in Australia. RightCrowd, originally spun out of, and staffed by, the team that developed SAP’s global physical security convergence strategy, provides web-based software tasked with implementing automated workforce management solutions (HR, IT, Finance) to provide the glue between the existing physical security system and the Enterprise systems. The main RightCrowd functions range from cardholder processes, through implementing visitor management and occupational health & safety solutions, to full integration with SAP or other Enterprise systems.

*Widepoint’s ORC division. The ORC division of Widepoint provides flexible integration of identity management, authentication, authorization for access, and automating the ID workflow across devices such as identity tokens, credit cards, cell phones, and personal computers.

*Publicly held or a division of a publicly-held company.

Anti-Counterfeiting Update

° More Agencies Asking for Broader Anti-Counterfeiting Coverage—Counterfeits in the DoD Supply Chain May Be as Bad as Cyber Threats

We are getting very close to formalized rules and penalties and formalized ecosystems for DNA marking as a way to secure the critical supply chain (and to avoid those penalties) regarding counterfeit, “cloned,” and grey market parts to be used in critical military infrastructure and weapons programs. The combination of intolerable incursions into our national defense infrastructure by counterfeit devices and the impending final report and codification of penalties by the National Defense Authorization Act, Section 818, is in process. Indeed, the DoD is hosting a public meeting on March 27, 2014 to obtain the views of experts and interested parties in government and the private sector regarding further implementation of the requirement for detection and avoidance of counterfeit electronic parts, as required by a section of the National Defense Authorization Act for Fiscal Year 2012.

Since we published our Anti-Counterfeiting White Paper in February 2011, we have continued to provide quarterly updates on a problem that is estimated at $650 billion to $1 trillion of economic losses annually. The U.S. Chamber of Commerce estimates that nearly 10% of all goods and services are counterfeited, with examples ranging from 40% of all U.S. footwear being seized to 7-10% of pharmaceuticals. Our last update was extensive, and can be found in the October 2013 Security Monitor.

° The Most Recent DoD Counterfeit Incident and the Impending Implementation of Section 818

On March 10, 2014, Reuters reported that two years after discovering China-made components in the F-35 fighter jet, a Pentagon investigation has now uncovered Chinese materials in other major U.S. weaponry, as well as Boeing Co's B-1B bomber and certain Lockheed Martin Corp F-16 fighters, the U.S. Defense Department said.

Titanium mined in China may also have been used to build part of a new Standard Missile-3 IIA being developed jointly by Raytheon Co and Japan, said a senior U.S. defense official, who said the incidents raised fresh concerns about lax controls by U.S. contractors.

U.S. law bans weapons makers from using raw materials from China and a number of other countries, amid concerns that reliance on foreign suppliers could leave the U.S. military vulnerable in some future conflict. Raytheon and Lockheed Martin had to obtain special waivers to avoid specified penalties for these violations.

The U.S. Government Accountability Office is expected to brief Congress in April on its comprehensive audit of the issue of Chinese specialty metals on U.S. weapons systems.

A separate issue involving thermal sensors built for the F-35 by a Chinese subsidiary of Honeywell International Inc. did not require a formal waiver because it involved a unit of a U.S. company, the official said. Honeywell now builds that part in Michigan. However, Honeywell acknowledged in January that the U.S. Justice Department was investigating import and export procedures at the company after the incident.

Officials at Lockheed, Northrop, Boeing and Raytheon referred all questions to the U.S. government. Without the waivers noted above, the companies could have faced stiff penalties for violating U.S. laws; instead the Pentagon is likely to seek compensation from the companies.

The defense official said temporary waivers were granted in each of these cases under the explicit expectation that the companies would tighten up their buying procedures to reflect changes in procurement rules.

"It's not a 'get out of jail' free card. This is something we should be good at. We shouldn't be caught short on these," said a Pentagon official in a Reuters article. "Hundreds of regulations change yearly and there's a whole group of folks whose job it is to make sure that those (changes) are properly implemented in contracts."

On March 27, 2014, the Defense Department hosted a public meeting aimed at providing input for government implementation of new anti-counterfeiting requirements for defense suppliers. Over two years ago, the DOD proposed several rules meant to partially implement the strict anti-counterfeiting language in the National Defense Authorization Act for Fiscal Year 2012 (NDAA FY12). The DOD says that the March 27 public hearing was meant to consider "in particular, the definition and implementation of trusted suppliers." At least one rule is very close to coming online, an event which we believe will heavily impact defense suppliers of electronics with regard to counterfeit and “cloned” electronics for the DoD supply chain. That rule was proposed under DFARS Case 2012-D055. The DOD says that it is now preparing to publish the final rule under that case, meaning that for the first time the new regulations will begin to take effect.

° So Where Are We on Regulating Counterfeit Technology in the Supply Chain?

Two years ago, Congress passed the National Defense Authorization Act for Fiscal Year 2012. Section 818, Detection and Avoidance of Counterfeit Electronic Parts, provides new rules regarding counterfeit electronic parts. This policy requires contractors to provide items that have been marked with organically-generated DNA marking material produced by Applied DNA Sciences and any of its authorized licensees. Suppliers were notified of the new requirement by special notices from the DLA Internet Bid Board System, the Supplier Information Resource Center, and the Federal Business Opportunities websites.

The intent of the updated rule is to hold contractors responsible for detecting and avoiding the use or inclusion of counterfeit electronic parts or suspect counterfeit electronic parts. Approximately 400 to 1,200 prime contractors covered by the rule will have to change their existing purchasing systems—a mix of computer applications and manual procedures required to do business with the government that document purchases from a chain of suppliers.

The rule was published by the Office of the Secretary of Defense (OSD) in September 2012 as an amendment to the overall Defense Acquisition Regulations System, and reached partial implementation in March 2012. In July 2013, the OMB received comments from industry participants. Unless the date is pushed back (which is a possibility), the OSD will consider these comments, and then write a rule that is expected to be finalized in March 2014. At that point, companies will be unreimbursed or fined for not complying with directives trying to drive counterfeit parts out of critical defense systems.

In October 2013, in its Annual Industrial Capabilities Report to Congress, the Office of the Deputy Assistant Secretary of Defense for Manufacturing and Industrial Base Policy came out with a damning statement on page B-41, noting that “One of the worst trends to emerge in military systems spare parts involves counterfeit electronic parts—those that appear genuine, but which actually are substandard, altogether different, or simply empty packages. With Logistics Technology R&D investment (PE-0603712S), DLA demonstrated a capability to assure the source of microcircuits, which will be a considerable step in defeating counterfeiters, and will be far less expensive than the current approaches to guarantee the source of parts. Known as DNA marking, the technique uses custom botanical DNA marks, tags, or codes that are applied to parts during normal business operations.”

As of March 11, 2014, the OSD had noted that it will continue to accept comments on Section 818, but only until April of 2014. In other words, the extensions for comments keep getting shorter, and now there is only one more month.

This pressure by the DLA has increased the population of users. In December 2013, Applied DNA Sciences introduced its “Counterfeit Prevention Authentication (CPA) Program.” In short, the program:

° Allows anyone procuring parts to have authenticity (if DNA mark is applied by the manufacturer) or traceability on the part level (if DNA mark is applied further down the supply chain).

° Allows other agencies and defense contractors to leverage the DLA's effort by procuring DNA marked parts from the current 29 DNA marking companies.

° Presents the opportunity for other agencies and defense contractors to flow down requirements (as DLA did) to additional suppliers.

Twenty-six companies are currently licensed to mark parts with APDN’s SigNature DNA, including two primes, six component manufacturers, and both authorized and independent distributors.

What has happened in the last several months not only reinforces our belief that the DoD will not back down from its position of intolerance for counterfeit devices in critical infrastructure, but instead will actually expand the definition of what it perceives to be at risk—using the same DNA technology it has already mandated.

Originally, counterfeiting was the main concern. Now, however, the government and Congress have moved beyond simply stopping counterfeiting to what is termed Supply Chain Risk Management, or SCRM. SCRM is a broader term encompassing separate items such as counterfeits (often engaged in by economically motivated individuals, etc.) but now also includes “clones” (new, qualifying items that are manufactured out of a foreign “fab” facility which increasingly is being funded at a foreign nation state level and which make it into our military supply chains). These clones may initially pass inspection, but their mean time between failure might be a tiny fraction of that of qualifying devices.

In our opinion, a compelling case for not underestimating the harm that supply chain sloppiness can cause the national interest when it comes to military and infrastructure technology has just been made by Robert S. Metzger in Bloomberg’s Federal Contracts Report (Spring 2014), who states that the line between national security, counterfeit parts in the DoD supply chain, and cybersecurity had blurred. Such harm is caused by foreign facilities or devices not being produced according to certain standards, which leaves us both physically and logically vulnerable to equipment failure and espionage.

Mr. Metzger, a partner/shareholder in the law firm of Joseph O’Donnell, P.C., is considered the leading advisor on government contract and compliance challenges. He represents and advises prominent U.S. and international firms in aerospace, defense, electronics, information technology, infrastructure, professional services, software, and telecommunications. Mr. Metzger’s message is essentially that foreign counterfeit parts coming into critical U.S. infrastructure and military programs are becoming just as significant of a cybersecurity problem as they are a mean-time failure problem. In addition, Mr. Metzger notes in his fourth article in Federal Contracts Reports, published in the spring 2014 issue, that since enactment of Section 818 in late 2011, the federal government’s perception of the threat has changed and so too has the emphasis of policy and regulatory initiatives being taken in response. He believes that the increasing emphasis of DoD and other federal agencies (including the GSA) will be on protection against those counterfeits that present cyber risks.

Mr. Metzger is concerned that evidence is piling up that “marked” counterfeit items from abroad go hand-in-hand with cybersecurity breaches and that the government is already directing special attention to avoidance of parts which harbor malicious code and which, if installed in military equipment, in a secure network, or in a key system used for information processing or telecommunications, for example, could have disabling effects upon such “trusted systems and networks” and other “critical functions” of government. Parts that carry a cyber threat are “counterfeit,” in the sense that they are not what they purport to be, and have been modified or subjected to “tampering” without authorization.

He adds: “The nexus between counterfeit parts and cyber risk has recently been recognized in a Joint Report, Improving Cybersecurity and Resilience through Acquisitions, issued by the Department of Defense and the General Services Administration on January 23, 2014. This report implements Section 8(e) of Executive Order (EO) 13656. The Joint Report observes that counterfeit components can be introduced during both initial acquisition and sustainment, and that such nonconforming parts create vulnerabilities that include premature system failure and latent security gaps that could be exploited by an adversary.”

When one combines the security “sloppiness” of many logistics and channel players in the U.S. with the dire warnings that cyber warfare is being fought just as much through “marked” counterfeit parts as through DDoS attacks over the Internet, the picture becomes worrisome, and it has dramatically hardened the DLA’s and Congress’ attitude toward those distributors who still complain about having to implement “costly new technology” or that “they can’t afford” to DNA mark the items they receive for provenance and certification.

Our view of this article by Metzger leads us to believe that, in his opinion, the national interest in achieving greater supply chain and cyber security is so compelling that the federal government will act irrespective of industry’s doubts. The pace of implementation of supply chain and cyber actions is likely to accelerate this year and the breadth of such actions likely will encompass most or all federal procurement functions. Companies that ignore or resist these trends do so at the peril of their businesses.

The legislation (DFARS—Defense Acquisition Regulations Systems) in place appears to be focusing on the joint counterfeit/cyber threat and, at the same time, broadening in scope in response to the above to put the onus on defense contractors to manage their own supply chains. This means that the government will impose not only rework charges but also much farther-reaching penalties and fixes (some are expensive), in theory reaching up to and including de-barring, although that would be a last resort, in our view.

Other Counterfeit Breaches

Chinese Seizures in 2013

On March 11, 2014, an article in The Washington Post reported that in 2013, Chinese police seized almost 60,000 suspects involved in intellectual property infringement cases with a total estimated value of 173 billion yuan ($28 billion), citing the state media (Xinhua News Agency).

According to the report, more than 90 million tons of counterfeit and substandard goods were confiscated last year, and 1,260 criminal networks “smashed,” the official Xinhua News Agency said, citing Ministry of Public Security official Gao Feng. Gao also said that during a campaign against the sale of fake drugs online, police seized a record 300 million pills worth 2.2 billion yuan ($360 million).

Aston Martin Sports Cars

A report published by Reuters on February 10, 2014, stated that Aston Martin put out a recall to cover most of its sports cars built since late 2007 after discovering a Chinese sub-supplier was using counterfeit plastic material in a part supplied to the British luxury sports carmaker. Aston Martin said it would recall 17,590 cars, including all of its left-hand drive models built since November 2007 and all right-hand drive models built since May 2012, which affects about 75% of all vehicles built in that period, a spokeswoman said.

Outfit7 Entertainment

Outfit7, the entertainment company behind the global phenomenon Talking Tom and Friends, won a legal case against Chinese app company, NanJing oooo3d Ltd. NanJing oooo3d has been ordered to pay compensation to Outfit7 for the loss of goodwill and significant value suffered to the brand. In one of the first lawsuits filed in the U.S. courts against mobile app IP infringement, NanJing oooo3d was found guilty of copying the Talking Tom virtual character as well as the look and feel of the globally successful Talking Tom mobile apps.

French Wines

According to the Atlantic Monthly, China is one of the world's biggest wine consumers, importing nearly $1 billion worth of wine (67.9 million gallons) from the European Union last year, and its growing appetite for wine has brought with it a booming counterfeit market. The magazine noted that one sales director told Reuters that most wine counterfeiting happens "in secondary or third-tier cities where they don't have much wine knowledge." Expensive European wines, particularly French varieties, are popular with counterfeiters.

Spirits companies are eager to crack down on the frauds. Some companies have begun to use tamper-proof caps and authentication technologies; others even established bottle buyback programs, and some have begun testing an advanced DNA marker; some can even provide provenances for the wine. Some winemakers have their bottles smashed after tastings to prevent them from being illegally refilled. Wine counterfeits may increase even more now that China has announced it will investigate wine imports from the EU, threatening anti-dumping tariffs or import curbs in response to Europe's anti-dumping duties on Chinese solar panels.

Busted: Fake Health and Beauty Supplies Ring Biggest Known Counterfeiting Enterprise in U.S.

According to a CNN report on March 9, 2014, the largest known counterfeit enterprise in the U.S. has been broken up. A pair of New York men were booked on charges of running a multimillion-dollar ring that peddled fake products that were distributed throughout the East Coast, including everyday health and beauty items such as ChapStick, Johnson's Baby Oil, Vaseline, and Always sanitary pads. Authorities seized more than $2 million worth of products and were looking at bank accounts to determine the size of the enterprise. Law enforcement authorities seized four tractor-trailers filled with knockoff health products from five locations on Long Island on March 6, 2014. Brothers Pardeep Malik, 59, and Hamant Mullick, 60, are accused of running an enterprise whose products also turned up in Pennsylvania and Florida, according to the Nassau County District Attorney's Office.

A manufacturer described the operation as the biggest known counterfeit enterprise in the U.S., while another company called it the only known such manufacturing operation in the country for its products, prosecutors said.

Malik and Mullick, both charged with felony trademark counterfeiting, were being held on bond of $100,000 each, the district attorney's office said.

A Review of the Rules That Will Govern the DoD Supply Chain

The National Defense Authorization Act for Fiscal Year 2012: Section 818, Detection and Avoidance of Counterfeit Electronic Parts, provided new rules regarding counterfeit electronic parts. This policy requires contractors to provide items that have been marked with organically-generated DNA marking material produced by Applied DNA Sciences and any of its authorized licensees. Suppliers were notified of the new requirement by special notices from the DLA Internet Bid Board System, the Supplier Information Resource Center, and the Federal Business Opportunities websites. The rule was published by the Office of the Secretary of Defense (OSD) in September 2012, as an amendment to the overall Defense Acquisition Regulations System, and reached partial implementation in March 2012. In July 2013, the OMB received comments from industry participants. Unless the date is pushed back (which is a possibility), the OSD will consider these comments, and then write a rule that is expected to be finalized in April 2014. At that point, companies will be unreimbursed or fined for not complying with directives trying to drive counterfeit parts out of critical defense systems.

The intent of the updated rule is to hold contractors responsible for detecting and avoiding the use or inclusion of counterfeit electronic parts or suspect counterfeit electronic parts. Approximately 400 to 1,200 prime contractors covered by the rule will have to change their existing purchasing system—a mix of computer applications and manual procedures required to do business with the government that document purchases from a chain of suppliers. Most, but not all, of the prime contractors (some of the largest ones claim they will be in compliance), agree with the intent of the mandate, but want more time to comply with what they deem to be not enough clarity on the rules coming out of the Pentagon.

Separate from the National Defense Authorization Act, on August 1, 2012, the DoD’s Defense Logistics Agency (DLA) began requiring the use of DNA authentication marking for future procurements of items falling within Federal Supply Class 5962, Electronic Microcircuits. The requirement only applies to procurements associated with the DLA. In an effort to enhance existing safeguards to prevent counterfeit parts from entering the DLA supply chain, the DLA introduced this new marking requirement for the electronic microcircuits supply class. The contractors covered under the rule have been in most cases distributors. However, certain prime contractors and manufacturers also supply 5962 parts to the DLA and are covered under the rule.

M&A Review and Outlook

° Identity Solutions product and service companies experienced a significant improvement in M&A activity in the second half of 2013 compared to the first half of 2013

The third and fourth quarters of 2013 saw significant improvement in ID security M&A activity with more than 40 transactions taking place.

Figure 28: M&A Transactions in the Identity Solutions Sector, Fourth Quarter 2010 to Fourth Quarter 2013

[Chart: number of M&A transactions per quarter, Q4 2010 through Q4 2013; series: Identity Solutions Services and Identity Solutions Products.]

Sources: Imperial Capital, LLC and Capital IQ.

Notable Middle Market Transactions

° Symantec bought PasswordBank on July 23, 2013

On July 23, 2013, Symantec bought enterprise-focused authentication software start-up PasswordBank in a move aimed at beefing up its enterprise security software roster.

° Assurant Expands Global Mobile Services by Acquiring Lifestyle Services Group from Phones 4u Finance plc

On September 5, 2013, Assurant, Inc. announced an agreement to purchase Lifestyle Services Group, an insurance provider, for up to $160 million (£107 million) in cash from Phones 4u Finance plc.

° F5 Networks, Inc. announced that it agreed to acquire Versafe Ltd for $92 million

On September 19, 2013, F5 Networks, Inc. (NASDAQ: FFIV) announced that it has agreed to acquire Versafe Ltd., an Israeli provider of web anti-fraud, anti-phishing, and anti- solutions.

° Experian purchased 41st Parameter, Inc for $324 million

On October 1, 2013, Experian plc announced that it had signed a definitive agreement to acquire 41st Parameter, Inc, a leading provider of fraud detection services based in the U.S., for $324 million.

° CACI announced intent to acquire Six3 Systems, Inc for $820 million

On October 9, 2013, CACI International Inc announced that it had signed a definitive agreement to acquire Six3 Systems, Inc., a provider of highly specialized support to the national security community in the areas of cyber and signals intelligence; intelligence, surveillance, and reconnaissance; and intelligence operations, from private equity firm GTCR for $820 million.

° Synaptics closes acquisition of Validity Sensors for $255 million

On November 7, 2013, Synaptics Inc. announced it had completed its acquisition of Validity Sensors, Inc., designer and developer of biometric fingerprint sensors for information, communication, and entertainment devices, for $255 million.

° First American Financial announced agreement to acquire Interthinx, Inc for $155 million

On February 7, 2014, First American Financial Corporation announced the signing of an agreement with Verisk Analytics, Inc. to acquire Interthinx, Inc., provider of fraud-prevention solutions and decision-support tools for the mortgage industry, for $155 million.

° HID Global Acquires Biometric Leader Lumidigm in February 2014

On February 10, 2014, HID Global announced the acquisition of Lumidigm, a global leader in authentication solutions that use multispectral imaging technology, software, and biometric fingerprint sensors to authenticate identities with a high degree of certainty.

Imperial Capital served as the sole financial advisor to Lumidigm on the transaction.

Registered Direct and Private Placement Snapshot

The fourth quarter of 2013 experienced an improvement over the first quarter of 2013.

° Applied DNA Sciences, Inc. announced a private placement of 5,500 series B convertible preferred shares, 10,695,187 common shares, and 10,695,187 series A warrants for gross proceeds of $7.5 million

On July 19, 2013, Applied DNA Sciences, Inc. issued $7.5 million worth of convertible preferred stock, common shares, and Series A, B, and C warrants. The preferred stock is convertible into common shares at a fixed conversion price of $0.187. Applied DNA Sciences, Inc. provides botanical-DNA based security and authentication solutions in Europe and the U.S.

° Payfone, Inc. announced that it will receive $10 million in an equity round of funding

On October 7, 2013, the company announced that it will receive $10 million in an equity round of funding from one investor under Reg D. Payfone, Inc. is a provider of mobile authentication services.

° i-Sprint Innovations Pte. Ltd. executed a private placement of its common shares to raise $10 million

On January 28, 2014, the company announced that it will issue 118,973,914 common shares at HKD 0.6458 ($0.08) per share to a new investor, Peregrine Greater China Capital Appreciation Fund, L.P., a fund managed by Bull Capital Partners Limited, for gross proceeds of HKD 76,833,073 ($10 million). The investor will acquire a 41.67% stake in the company through this transaction. i-Sprint Innovations Pte. Ltd. provides credential and access management solutions for banking and financial, government, and telecom sectors in Singapore and internationally.

° Xceedium Inc announced that it will receive $6.5 million in funding

On February 20, 2014, Xceedium Inc, developer of privileged access management solutions, announced that it will receive $6.5 million in funding through a convertible debt transaction.

Public Debt and Equity Offering Snapshot

There were two notable public offerings YTD 2014, an improvement from the previous two quarters.

° Fingerprint Cards AB executed a follow-on offering of its Class B Shares

On January 22, 2014, Fingerprint Cards AB executed a follow-on offering of its Class B Shares for total gross proceeds of $21.3 million.

° RX Safes, Inc. announced IPO on February 6, 2014

RX Safes, Inc. is a maker of fingerprint medical security storage solutions for consumers and healthcare professionals. It focuses on identity-based security utilizing biometric fingerprint recognition technology. The company offers medication lock boxes for consumers to address the problem of unauthorized access to prescription pain and other dangerous medications stored in the home.

Bankruptcies

There were no significant Identity Solutions bankruptcies through the second quarter of 2013.

Notable Transactions

Figure 29: Select M&A Transactions in the Identity Solutions Sector, 2013 and YTD 2014

| Announced / Filing Date | Closed Date | Target | Target Business Description | Buyer | Implied TEV ($mm) | TEV / Revenue | TEV / EBITDA |
|---|---|---|---|---|---|---|---|
| 2/10/2014 | 02/10/2014 | Lumidigm, Inc. | Lumidigm, Inc. designs and develops biometric identity management and authentication solutions. | HID Global Corporation | NA | NA | NA |
| 2/5/2014 | NA | Interthinx, Inc. | Interthinx, Inc. provides fraud-prevention solutions and decision-support tools for the mortgage industry. | First American Financial Corporation | $155 | NA | NA |
| 10/9/2013 | 11/07/2013 | Validity Sensors, Inc. | Validity Sensors, Inc. designs and develops biometric fingerprint sensors for information, communication, and entertainment devices. | Synaptics Inc. | $255 | NA | NA |
| 10/8/2013 | 11/15/2013 | Six3 Systems Inc. | Six3 Systems Inc. designs and develops intelligence, defense, and civilian solutions for government agencies in the United States. | CACI International Inc. | $820 | 1.8x | 13.5x |
| 10/1/2013 | 10/01/2013 | The 41st Parameter Inc. | The 41st Parameter Inc., a fraud detection software company, provides fraud detection and intervention solutions. | Experian plc | $324 | NA | NA |
| 9/17/2013 | 09/17/2013 | Versafe Ltd. | Versafe Ltd. develops security applications for identity theft and online fraud prevention applications. | F5 Networks, Inc. | $88 | NA | NA |
| 9/5/2013 | 10/25/2013 | Lifestyle Services Group Limited | Lifestyle Services Group Limited provides mobile device protection solutions, packaged account products, and bespoke services to the retail banking and telecommunications sectors. | Assurant Inc. | $107 | 0.9x | NA |
| 7/18/2013 | 07/18/2013 | PasswordBank Technologies, S.L. | PasswordBank Technologies, S.L. operates as an information and communications technology firm. | Symantec Corporation | $19 | NA | NA |
| 6/12/2013 | 06/28/2013 | LPI Level Platforms Inc. | LPI Level Platforms Inc. provides remote monitoring, management, and automation software for information technology (IT) solution providers. | Avg Netherlands B.V.; AVG Technologies Canada Inc. | NA | NA | NA |
| 5/14/2013 | 05/14/2013 | PrivacyChoice LLC | PrivacyChoice LLC provides online privacy scanning solutions. | AVG Technologies N.V. | NA | NA | NA |
| 5/14/2013 | 05/14/2013 | Sense Security Technologies Inc. | Sense Technologies Inc. engages in the design, development, manufacture, and marketing of biometric identification products and systems for time and attendance, and homeland security markets. | Homeland Security Corporation | NA | NA | NA |
| 4/3/2013 | 04/03/2013 | RSA Security, Inc., Knowledge Based Authentication | Knowledge Based Authentication of RSA Security, Inc. comprises the consumer Knowledge Based Authentication (KBA) technology, which utilizes knowledge-based authentication to validate user identities in real-time. | LexisNexis Risk Solutions, Inc. | NA | NA | NA |
| 4/1/2013 | 04/01/2013 | Infoglide Software Corporation | Infoglide Software Corporation develops and markets identity resolution software for government, financial services, healthcare, insurance, retail, and telecommunications markets. | Fair Isaac Corporation | $7 | NA | NA |
| 2/25/2013 | 03/15/2013 | Angel.com Incorporated | Angel.com Incorporated offers cloud-based customer experience management (CEM) solutions. | Genesys Telecommunications Laboratories, Inc. | $111 | 3.8x | NA |
| 01/07/2013 | 01/07/2013 | Codebench, Inc. | Codebench, Inc. develops physical security and identity management software solutions. | HID Global Corporation | NA | NA | NA |

Sources: Capital IQ and Imperial Capital, LLC.

Section IV Information Security Sector

Information Security Sector

Sector Outlook and Commentary

Information security gained significant attention recently with the well-publicized data breach at national retailer Target in December 2013. This breach, one of the largest in history, resulted in the exposure of 40 million credit card and debit card numbers and the personal information of 70 million people. The attack impacted a substantial portion of the American public and continues to make news headlines, elevating security from an “IT” problem to a strategic issue for the executive leadership and boards of numerous consumer-facing organizations. In this monitor, we discuss the details of this breach, which was notable for the initial execution of the attack through a third-party vendor. It also highlighted the security challenges facing large organizations with complex IT infrastructures—even those with top-tier defenses. This attack was a major topic at this year’s RSA Conference, one of the premier annual industry events, which saw strong expansion in attendance to approximately 30,000 people, from 24,000 in 2013. The escalation in the volume and sophistication of attacks continues to drive broadening market demand for more effective security solutions beyond traditional, signature-based defenses.

This year’s event generated considerable controversy due to a reported payment to RSA (a division of EMC and host of the conference) from the National Security Agency (NSA) to weaken the default algorithm used in many of RSA’s toolkits. Rebuilding trust will be a major focus within the security industry and between the industry and government in 2014 and beyond. Other key themes at the conference included the increasing skills shortage in IT security, intelligence-driven security, the security of hybrid cloud environments, the evolution of mobile security toward data and application management, shared threat intelligence, and incident response. We also highlight increased prioritization of cybersecurity by the federal government based on details of President Obama’s budget request for FY15. The recent budget deal represents a breakthrough on the funding of key cybersecurity programs, following multi-year political gridlock. This includes significant expansion of the EINSTEIN and Continuous Diagnostics and Mitigation (CDM) programs which aim to provide ongoing situational awareness to protect federal civilian agencies and “.gov” networks.

In addition, industry consolidation has been gaining strong momentum in recent months, with two major transactions since the beginning of the year. We highlight FireEye’s acquisition of privately-held Mandiant, a leading provider of incident response services, for approximately $1 billion in cash and stock. We also note VMware’s acquisition of privately-held AirWatch, an early leader in the Enterprise Mobility Management (EMM) sector, for approximately $1.5 billion. We expect further strategic acquisition activity over the coming quarters, as larger technology companies and security vendors seek to integrate new security technologies and achieve early penetration of emerging market categories. Until the cost of breaches is raised for attackers, there will likely be continued high-profile attacks, driving a healthy demand environment for new security solutions. Market researcher and vendor HP Security Research reported a 20% increase in threats and breaches in 2013, with breach-associated damages rising 30%.


Federal Cybersecurity Gaining Higher Prioritization in FY 2015

Cybersecurity remains a critical priority across the federal government, with continued attacks by highly-resourced and sophisticated attackers, including adversarial nation-states. The president’s budget request for FY15 calls for overall information technology (IT) spending of $43.655 billion for the major civilian agencies, essentially flat with the previous fiscal year. In contrast, the proposal for the Department of Defense (DoD) is 6% lower at $35.370 billion, driving the overall federal IT proposal down 2.9% to $79.025 billion compared with the enacted budget for FY14. Notwithstanding this reduction, partially from data center consolidation savings, DoD indicated plans to substantially increase spending for cybersecurity to $5.1 billion in FY 2015, up from $4.7 billion in the prior fiscal year. Although the definition of what constitutes “cybersecurity” related spending is not consistent in the federal sector, we believe there is a significant overall uptrend for initiatives associated with U.S. Cyber Command, as well as spending by the various military services and specific areas such as encryption, information assurance, as well as research and development for cyber attack and cyber defense. For example, Secretary of Defense Chuck Hagel indicated plans to substantially expand U.S. Cyber Command to 4,900 personnel by year-end 2016, up from 900 last year. This relatively new command will build both offensive and defensive capabilities, and will address a comprehensive array of cyber contingencies.

The president’s request calls for a discretionary budget of $38.2 billion for the Department of Homeland Security (DHS), representing a 2.5% decline from the enacted budget for FY14. However, cybersecurity was allocated $1.25 billion, up substantially from $792 million approved in the current fiscal year, according to DHS Secretary Jeh Johnson.
One of the key priorities is Network Security Deployment which was budgeted for $377.7 million, with expanded implementation of the EINSTEIN3 Accelerated (E3A) program, a core cybersecurity initiative. This program is focused on detecting malicious traffic coming into the networks of federal civilian agencies, as well as preventing any adverse impact. Another major priority is the Continuous Diagnostics and Mitigation (CDM) program, which was budgeted for $143.5 million. This program is managed by DHS and aims to “defend federal IT networks from cybersecurity threats by providing continuous monitoring sensors, diagnosis, mitigation tools, and CMaaS (Continuous Monitoring-as-a-Service) to strengthen the security posture of government networks.” A third key priority is cyber and cyber-related investigations, such as identity theft, economic cybercrime, export-controlled data theft, and child exploitation, which was budgeted for $173.5 million. Other priorities included cybersecurity/information analysis research and development ($67.5 million), the Homeland Secure Data Network ($28 million), enhanced cybersecurity services supporting the president’s cybersecurity executive order 13636 ($8.5 million), and U.S. Secret Service Cybersecurity Presidential Protection Measures ($3.9 million).

Figure 30: Federal IT Budget, FY01 to FY15(1)

[Chart: federal IT budget in $ billions by fiscal year, 2001 to 2015*; series: Major Civilian Agencies, Dept of Defense, Total for Major Agencies]

(1) President’s Budget Request. Sources: U.S. Government.


EINSTEIN Program Evolving to Next Major Phase

The EINSTEIN program initially involved the deployment of a detection system at the Internet access points of participating federal agencies, spurred by the rapid escalation of attacks against federal civilian agencies in the early 2000s. EINSTEIN is a multi-phase program that has evolved significantly since 2004 and is now on its third iteration. The first version of EINSTEIN was intended to provide real-time detection of incoming network traffic anomalies by analyzing network flow records, which were then passed on to US-CERT (United States Computer Emergency Readiness Team). One of the early challenges was real-time information sharing because, at that time, agencies had thousands of connections to the Internet and the program was voluntary, resulting in limited agency participation. The program subsequently evolved into EINSTEIN 2 in 2008, which provided monitoring of both incoming and outgoing network traffic and would alert US-CERT if there was a match with any signatures. EINSTEIN 2 utilized passive intrusion detection systems with custom signatures. By the end of FY13, about 70% of executive branch agencies had deployed EINSTEIN 2.

The latest iteration of the program, called EINSTEIN 3, represents a major advancement, as it additionally incorporates intrusion prevention systems (IPS) to keep malicious traffic from impacting agencies’ networks. EINSTEIN 3 was launched in July 2013 and utilizes deep packet inspection tools to analyze content and block suspicious traffic. Critically, EINSTEIN 3 is capable of analyzing electronic content (e.g., emails), which has raised privacy concerns because it can collect personally identifiable information (PII). DHS issued a privacy impact assessment on 4/19/13, which indicates procedures to “minimize (i.e., overwrite, redact, or replace) PII data that is not necessary to understand the cyber threat.”

Of particular note, E3A is delivered by federal agencies’ Internet Service Providers (ISPs) as a managed security service under the DHS, which allows monitoring of “.gov” traffic entering and leaving federal civilian executive branch agency networks. Threat indicators (based on traffic metadata such as IP addresses and packet payload) developed by DHS’ Office of Cybersecurity and Communications are provided to ISPs to enable them to automatically block both incoming and outgoing malicious traffic. These indicators are focused on specific types of traffic and DHS intends to maintain the privacy of legitimate traffic by avoiding overly broad data collection. ISPs are also required to segregate “.gov” traffic. According to a report by the U.S. General Accountability Office in February 2013, EINSTEIN has improved situational awareness, but needs to significantly develop its predictive analysis and real-time information sharing capabilities. DHS responded to the inspector general report and indicated that it does not expect the latter capability will be fully operational until FY18.

Continuous monitoring represents a significant evolution in the security of federal civilian agencies and the Department of Defense, in our view. While this capability potentially offers rapid detection of threats, agencies have discovered implementation challenges due to the massive quantity of network data and log files that need to be analyzed. For example, according to the Commerce Department’s Chief Information Security Officer (CISO) Rod Turk, it has proven difficult to discover malicious activity and generate actionable intelligence, given the agency’s substantial volume of data and array of systems. Mr. Turk also highlighted the morphing of malicious activities, representing another key challenge. He indicated that the Commerce Department, which has tens of thousands of active end-users, is considering the implementation of various tools to recognize malicious patterns to improve security. This methodology analyzes the entire lifecycle of threats, from initial entry to exfiltration. However, it creates significant storage problems because it is necessary to keep this traffic data for a period of time.

The United States Air Force (USAF) stores this data for three months, though certain records are retained beyond this timeframe, according to the USAF’s chief technology officer Frank Konieczny. USAF additionally aims to gain visibility on all its applications, extending beyond the collection of network data. By tagging these applications, USAF can compare the actual flow traffic of applications with their expected behavior to detect suspicious activity. An offline analytical cloud is currently under development by USAF, in collaboration with the Defense Information Systems Agency (DISA), which will be used to analyze this transaction data and it eventually could generate regional-level alerts.
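The comparison of tagged application flows with expected behavior can be illustrated with a small checker. This is an added example, not USAF or DHS code; the application tags, profiles, addresses and flow records are constructed assumptions.

```python
"""Check tagged application flows against each application's expected behaviour."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Profile:
    networks: tuple          # destination CIDRs the application is expected to reach
    ports: frozenset         # expected destination ports
    max_bytes_per_hour: int  # ceiling on outbound bytes per source host per hour


@dataclass(frozen=True)
class Flow:
    hour: str       # hour bucket of the flow record, e.g. "2014-03-03T10"
    app_tag: str    # tag assigned to the application that produced the flow
    src: str
    dst: str
    dport: int
    bytes_out: int


# Hypothetical application tags and profiles (assumptions for this example).
PROFILES = {
    "vendor-billing": Profile(("10.20.0.0/16",), frozenset({443}), 20_000_000),
    "pos-settlement": Profile(("10.30.5.0/24",), frozenset({8443}), 5_000_000),
}

# Constructed flow records; 203.0.113.0/24 is a documentation address range.
SAMPLE_FLOWS = [
    Flow("2014-03-03T10", "vendor-billing", "10.20.1.15", "10.20.4.8", 443, 1_200_000),
    Flow("2014-03-03T10", "pos-settlement", "10.30.1.7", "10.30.5.20", 8443, 900_000),
    Flow("2014-03-03T11", "pos-settlement", "10.30.1.7", "10.30.5.20", 8443, 4_000_000),
    Flow("2014-03-03T11", "pos-settlement", "10.30.1.7", "10.30.5.20", 8443, 3_500_000),
    Flow("2014-03-03T14", "vendor-billing", "10.20.1.15", "10.30.5.20", 445, 80_000),
    Flow("2014-03-03T15", "pos-settlement", "10.30.5.20", "203.0.113.40", 21, 600_000),
    Flow("2014-03-03T15", "untagged", "10.30.1.9", "10.30.5.20", 8443, 10_000),
]


def evaluate(flows, profiles):
    """Return (hour, src, app_tag, reason) for every deviation from the profile."""
    findings = []
    volume = defaultdict(int)
    for f in flows:
        profile = profiles.get(f.app_tag)
        if profile is None:
            # Traffic that cannot be attributed to a known application is itself a finding.
            findings.append((f.hour, f.src, f.app_tag, "no profile for application tag"))
            continue
        dst = ip_address(f.dst)
        if not any(dst in ip_network(cidr) for cidr in profile.networks):
            findings.append((f.hour, f.src, f.app_tag, f"unexpected destination {f.dst}"))
        if f.dport not in profile.ports:
            findings.append((f.hour, f.src, f.app_tag, f"unexpected port {f.dport}"))
        volume[(f.hour, f.src, f.app_tag)] += f.bytes_out
    # Volume is judged per hour, source host and application, not per single flow.
    for (hour, src, tag), total in sorted(volume.items()):
        ceiling = profiles[tag].max_bytes_per_hour
        if total > ceiling:
            findings.append((hour, src, tag, f"outbound volume {total} exceeds {ceiling}"))
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_FLOWS, PROFILES):
        print(finding)
```

Because each flow is judged against its application's profile rather than a global threshold, the checker only needs the retained flow records and the tag-to-profile mapping.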


RSA Conference USA 2014 Highlights

We attended the RSA Conference USA 2014, which is one of the premier annual events for the information security industry. The conference was held February 24–28, 2014 in San Francisco, California. There was record attendance this year, which reached an estimated 30,000 people, up substantially from 24,000 people in 2013. We attribute this strong expansion to the urgent need for more effective defenses due to the rapid escalation in volume and sophistication of threats. We believe these threats could potentially impact all types of organization across multiple vertical markets, driven by the increasing complexity of IT infrastructures. There were over 350 exhibitors at the conference, encompassing numerous security vendors offering solutions for a broad array of problems. This year’s event sparked significant controversy in the security community due to reported collaboration between RSA (a division of EMC and host of the conference) and the National Security Agency (NSA), including a payment to weaken the default algorithm used in many of RSA’s toolkits. While several prominent security experts boycotted the RSA Conference and instead held a rival conference called TrustyCon at a nearby location, there was nominal overall impact this year.

Art Coviello, Executive Chairman of RSA, indirectly addressed the controversy in his opening keynote and indicated that this algorithm was used because of RSA’s trust in key standards bodies (e.g., National Institute of Standards and Technology [NIST]), which enabled RSA to meet government certification requirements. However, he also expressed his support for separating the NSA’s roles of foreign intelligence collection and the development of defenses for data security. Mr. Coviello’s comments were obliquely echoed by Richard Clarke, former special advisor to the president on cybersecurity, who emphasized that security stakeholders should be focused on fixing vulnerabilities in encryption software rather than exploiting them. We believe rebuilding trust within the security industry and between the industry and government will likely remain a major focus of the security industry far beyond the RSA Conference, as participants pursue a more optimal balance between national security and privacy rights.

Key Themes at RSA

° Increasing Skills Shortage in IT Security

The escalation of threats in recent years has created a significant shortage of talent with strong IT security skills, which is putting increasing pressure across the industry, including vendors, enterprises, academia, and government agencies. In response to this skills shortage, vendors are making their products easier to use and manage in order to help IT security teams become more efficient. Several vendors have emphasized improving the graphical user interface (GUI) of their products, while others have focused on providing greater security operations automation. Approximately 25% of enterprise and mid-market organizations (>250 employees) reported that there is a “problematic shortage” of IT security skills, according to market researcher ESG Research. Many organizations are experiencing impact from staffing shortages, as well as security personnel without the necessary set of skills. ESG recommended organizations assess their IT team to identify gaps in the skills of the security staff and examine their day-to-day activities to uncover inefficient processes. Organizations should also seek to leverage third-party resources and outsource to service providers wherever possible, including areas such as email security, web security, continuous monitoring, incident detection, and security investigations. Given the shortage of IT security skills, it has also become increasingly critical for organizations to consider this factor when contemplating new IT initiatives, not just when purchasing new security technologies. Organizations significantly raise their risk exposure without sufficient security resources to support a new IT initiative. Also, recruitment and retention of skilled security professionals is another key issue for many organizations. While competitive compensation is important, organizations can offer other benefits, such as continuing education and training, greater opportunity for exposure to partners, and a career development path in IT security. Of particular note, certain organizations have begun taking a proactive approach to the skills shortage, such as offering scholarships and creating internship programs with leading universities.

° Intelligence-Driven Security

Beyond the NSA controversy, there was significant focus at the RSA Conference on the recent attack on Target and other major retailers, which has gained C-level and Board-level attention at numerous consumer-facing organizations. We believe the high-profile nature of this attack could spur accelerated spending for more effective security solutions across the supply chain, particularly as traditional signature-based defenses are generally ineffective against targeted attacks, zero day exploits, and advanced persistent threats (APTs). One key approach highlighted by Mr. Coviello was intelligence-driven security, which involves the application of “Big Data” analytics to generate timely and actionable information and the usage of predictive analytics and pattern recognition to implement agile controls. This type of security system benefits from the sharing of information, though it still requires skilled personnel and comprehensive risk assessment. The ultimate objectives are rapid breach detection and response in order to avoid the loss of critical data.

° Cloud Security

While security spending remains primarily focused on perimeter-based technologies and prevention solutions, these have proven inadequate against the rapid innovation of highly motivated and well-funded attackers. Given the rising demand for cloud-based services, one topical theme was the shift by organizations toward hybrid cloud environments, with many security vendors highlighting their cloud strategies and extending their products to address this emerging opportunity. Organizations may increasingly focus their security resources on protecting their most critical data, while leveraging public cloud providers for a larger part of their IT infrastructure. However, technology solutions alone are not the answer to a comprehensive security program. In his keynote, Art Gilliland, SVP and GM of Enterprise Security Products at HP, indicated the need for greater investment in people and processes, given the perpetual arms race with attackers. He noted that information security professionals place too much emphasis on deploying technology solutions, with approximately 86% of security budgets focused on the infiltration stage. HP Security Research recently reported a 20% increase in threats and breaches in 2013, with breach-associated damages rising 30%. Given these trends, he recommended organizations focus on prioritizing their security based on core business needs, instead of attempting to protect the entire enterprise against all risks. He additionally highlighted the transition to cloud and mobile, with numerous companies rewriting applications to minimize coding weaknesses. HP identified security vulnerabilities and/or encryption problems with substantially most of 2,000 applications in the enterprise application stores of Fortune 1000 companies.

° Mobile Security

Mobile devices in the enterprise remained a core theme at this year’s conference, with ongoing focus on the Bring-Your-Own-Device (BYOD) trend. Enterprises are gradually looking to enable personal mobile devices to interact with applications needed for specific business lines, in addition to email, calendar, and contacts. While past years at the RSA Conference emphasized the implementation of mobile device management (MDM) tools to control devices, there was greater emphasis this year on data and application management, though it is increasingly challenging to effectively “blacklist” or “whitelist” mobile applications due to their short popularity, sometimes within six months. The rapid escalation of mobile malware was a particular concern at the conference, with demonstrations on “touchlogging” of Android and iOS devices, which is malware that allows the observation of logs on where the screen was touched by the user.


° Threat Intelligence

Another major theme was the need to leverage threat intelligence, which was highlighted by several speakers and vendors at the conference. This was a core focus of the keynote by James Comey, the new FBI Director, who emphasized the need for collaboration between the commercial information security community and law enforcement agencies. He called for public-private partnerships to share threat intelligence to develop more comprehensive security visibility. Highlighting the urgency, he indicated that cybersecurity was the number one domestic security priority, ahead of terrorism and weapons of mass destruction. Notwithstanding, he acknowledged the challenges of sharing threat intelligence, citing mistrust in the government and reluctance of companies to provide information that could potentially impact their competitive advantage or privacy rights. He also noted the absence of any unilateral threat reporting infrastructure and lack of verified threat intelligence.

One possible solution is the implementation of incentives to foster collaboration and ensure government agencies address the business concerns of enterprises. He envisioned a national registry of cyber criminals based on patterns and behaviors derived from the combined intelligence of a multitude of sources, which could be shared instantly with all stakeholders—a core requirement due to the scale and speed of attacks. Art Gilliland similarly highlighted the need for the industry to share actionable, real-time threat intelligence, which he advocated could be achieved through automated integration with different vendors based on open standards such as STIX (Structured Threat Information Expression) and OTX (Open Threat Exchange).

° Incident Response

Incident response (IR) was another topical theme, following the Target attack and acquisition of industry leader Mandiant by FireEye in January 2014. Most organizations discover that they have been compromised through notification by third parties, and Mandiant previously reported the median number of days to detection was 243 days. While certain vertical markets are more open to sharing threat intelligence to improve incident response, such as financial services, others remain cautious despite the mutual benefit. However, organizations are increasingly sharing data with third-party services, which “anonymize” this information. Given the need for faster IR to an attack, automation represents a potential solution, though at this stage, it appears beneficial primarily as a tool to assist IR professionals by speeding certain workflow steps rather than the replacement of experienced personnel.


Analysis of the Target Data Breach

In December 2013, national retailer Target reported one of the largest and highest profile data breaches in history, resulting in the exposure of 110 million records, including 40 million credit card and debit card numbers and the personal information of 70 million people. The attackers did not initially penetrate Target itself, but instead focused on a third-party vendor that was connected to Target’s network. The attack was initiated by a “spearphishing” email sent to an employee of this vendor, a heating and refrigeration company. While this message appeared legitimate to the employee, it actually carried malware that enabled the attacker to steal the network credentials of this vendor. This attack was launched almost two months prior to the theft of card data from Target’s point-of-sale (POS) terminals. Industry sources suggest that the malware, called Citadel, is a bot program that steals passwords. Investigators reportedly focused on this vendor’s inability to quickly detect this email malware infection and discovered that the vendor relied primarily on the free version of Malwarebytes Anti-Malware for its internal systems. This version was designed for individual users and, as an “on demand” scanner, does not provide real-time protection.

This third-party vendor was connected to Target’s network exclusively for functions such as billing, project management, and contract submission. However, it is not publicly known how the attackers were able to move laterally from one of these external systems to Target’s internal network and specifically the portions encompassing its payment system (and POS terminals) and databases of customer information. Target may have believed that it had properly segmented its network, and did not therefore mandate ancillary vendors to implement more secure two-factor authentication for remote network access. This is usually required of vendors with a need for direct access to critical information, for whom Target would issue a one-time token or other authentication solution. Industry sources believe the attackers could have bridged Target’s network segmentation by escalating their Active Directory (AD) privileges. AD credentials are typically used by internal administrators to access systems, perform maintenance, and provide login credentials for vendors. It is not yet clear if the vendor possessed any AD credentials, though it is likely the vendor had active access to the Target server running external applications.

Target’s POS terminals in nearly every U.S. store were confirmed to be infected with malware, which ultimately enabled the attacker to extract customers’ payment card data. According to security vendor and market researcher McAfee Labs (Intel), this was not a particularly advanced attack as the malware used in this attack was based on the BlackPOS malware family, an “off-the-shelf” exploit kit. This kit can be purchased online and then modified for a specific environment, even by attackers with limited programming skills. The attackers likely tested this modification against common anti-malware applications to ensure they would not be detected, a standard evasion practice. Indeed, attackers can readily purchase software that tests the defenses of a specific organization, as well as exploit kits that facilitate evasion. Ultimately, the attacker was able to upload this malware to Target’s POS terminals and capture payment card data using a method known as RAM (memory) scraping. This type of POS malware emerged around 2009 and exploits the moment when a card is swiped at a POS terminal and the data from the card’s magnetic stripe is briefly stored in plain-text format in the memory of the system just prior to encryption. (Encryption of data in POS system memory is not a feasible solution because the system needs to process data that is decrypted.)


Stolen data was collected and stored on a compromised Target server and then sent outside the network to three staging servers in the U.S. and then downloaded to a virtual private server in Russia. The stolen data was reportedly sent from Target between the hours of 10:00 a.m. and 6:00 p.m. Central Standard Time in order to mask it with other legitimate traffic during normal business hours. After successful exfiltration, the attackers soon began selling the stolen data such as credit card numbers on various online “carding” marketplaces, typically in large batches of 1-4 million numbers. The largest online black markets have become well established and highly organized, with buyers typically paying with anonymous virtual currencies (e.g., Bitcoin). According to Chief Financial Officer John Mulligan, Target invests “hundreds of millions of dollars” in various security technologies, such as firewalls, intrusion detection, and malware detection, but its defenses were inadequate against this attack. Mr. Mulligan also indicated that Target performs ongoing assessments and penetration testing by third parties to benchmark the company and assess compliance with Target’s processes and control standards.

Recent industry reports suggested that Target actually received early warning of the attack with its FireEye malware detection system, which detected the uploading of exfiltration malware. However, this alert was ignored by Target’s security team. It is possible that the team did not fully interpret or evaluate this activity without the benefit of hindsight, according to a response from Target. Effective security requires organizations to combine technology with processes and policies, given the substantial volume of alerts on a daily basis (including numerous false positives) from different parts of their security systems. To better prioritize and respond to these alerts, Target likely needs to improve its security escalation procedures, including incident ownership, incident hand-off, and incident closure. Security is especially challenging for large organizations with complex IT infrastructures and Target may not have had a sufficient number of security specialists to adequately review and respond to these alerts. Target recently announced that it was in the process of hiring a new chief information officer (CIO) and chief information security officer (CISO), a newly-created position.

In addition to Target, several other major retailers were impacted by similar POS attacks in 2013, including Neiman Marcus, Michaels Stores, Harbor Freight Tools, White Lodging, ’wichcraft, and Easton-Bell Sports. While these retailers were compliant with PCI-DSS (Payment Card Industry Data Security Standard) and Target itself was certified as recently as September 2013, POS RAM scraper malware is able to circumvent PCI-DSS (which requires the encryption of payment data when stored on media or transmitted). Target is already taking steps to strengthen its payment security, including accelerated adoption of the EMV (Europay, MasterCard, Visa) standard by January 2015. However, we note EMV would not have prevented this specific attack which exploited the system memory of Target’s POS terminals (not the cards directly).

EMV cards (also known as “chip and pin” cards) have embedded chips with encrypted data and cardholders must enter a PIN (personal identification number) to authenticate transactions at a POS terminal. While the EMV standard is embraced globally, there has been nominal adoption in the US, as the entire payment ecosystem remains primarily tied to PCI-DSS. Also, EMV cards offer no advantage for securing online or phone (i.e., “card not present”) transactions. One possible solution, though not announced by Target, would be the implementation of tokens for authentication. An alternative solution could monitor for changes on POS terminals even if custom POS malware is able to successfully evade detection from other security systems.
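Monitoring for changes on POS terminals can be illustrated by comparing each terminal's files with a golden image and checking how widely any unapproved file has spread across the fleet. This is an added example, not code from this report or from any vendor; the terminal IDs, file names and file contents are constructed.

```python
"""Detect drift from a golden image on fixed-function POS terminals."""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def manifest(root):
    """Map each file path (relative to root) to the SHA-256 digest of its content."""
    root = Path(root)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        result[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def drift(golden, observed):
    """Return files added, modified or removed relative to the golden manifest."""
    common = golden.keys() & observed.keys()
    return {
        "added": sorted(set(observed) - set(golden)),
        "modified": sorted(p for p in common if golden[p] != observed[p]),
        "removed": sorted(set(golden) - set(observed)),
    }


def fleet_report(golden, fleet):
    """fleet maps terminal id -> manifest.

    Returns (per-terminal drift, unapproved digest -> terminals it was seen on).
    A digest present on many terminals points to a pushed change rather than a
    one-off fault, whether or not any scanner recognises the file.
    """
    approved = set(golden.values())
    per_terminal = {}
    spread = defaultdict(set)
    for terminal, observed in fleet.items():
        changes = drift(golden, observed)
        if any(changes.values()):
            per_terminal[terminal] = changes
        for digest in observed.values():
            if digest not in approved:
                spread[digest].add(terminal)
    return per_terminal, {digest: sorted(ids) for digest, ids in spread.items()}


def write_tree(root, files):
    """Create the given {relative path: bytes} files under root."""
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Build a constructed golden image and three terminals, then report drift."""
    image = {"pos/app.bin": b"pos application v1", "pos/config.ini": b"lane=1\n"}
    extra = b"constructed unapproved file"
    trees = {
        "golden": image,
        "reg-0001": image,
        "reg-0002": {**image, "svc/helper.bin": extra},
        "reg-0003": {**image, "svc/helper.bin": extra, "pos/config.ini": b"lane=1\nproxy=on\n"},
    }
    manifests = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in trees.items():
            write_tree(Path(tmp, name), files)
            manifests[name] = manifest(Path(tmp, name))
    golden = manifests.pop("golden")
    return fleet_report(golden, manifests)


if __name__ == "__main__":
    terminals, spread = demo()
    print(terminals)
    print(spread)
```

The check depends only on a trusted manifest of the approved image, so it still fires when the added file matches no signature.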


Figure 31: EMV Card and POS Terminal

Sources: Marvin Technology and Shoreline Solutions.

As of yet, it is not publicly known if these retailer attacks originated from the same attacker, though off-the-shelf malware was used to execute many of these attacks. While POS malware has existed for several years, the frequency and scale of these recent data breaches have substantially raised the awareness of the risks by consumer-facing organizations which could drive increased prioritization of IT security budgets. Many organizations will likely enhance their security posture to more effectively address these types of attacks, and we could see new compliance mandates in the near future. There is now a global infrastructure supporting the cybercrime industry, from the sale of exploit kits to online black markets, which continues to expand due to the escalating volumes of highly valuable data and attractive profit motive for attackers. Until this equation becomes more balanced by raising the cost of attacks, it appears that future data breaches, both announced and unannounced, will remain a regular occurrence.

Mobile Security Shifting Focus Toward Applications and Data

Perimeters continue to become more opaque with the rapid proliferation of mobile devices, which represents a major security challenge for most enterprises and organizations. According to market researcher Gartner, the global smartphone market grew 42.3% to 967.8 million units in 2013, compared with 680.1 million in 2012. Of particular note, smartphone unit sales eclipsed the number of basic feature phones and constituted the majority of the 1.8 billion global mobile phone market in 2013. Users are now broadly embracing smartphones and tablets for personal and work applications, which offer compelling productivity and convenience benefits. Mobile devices have become powerful tools that leverage high-speed wireless connectivity to enable users to untether from their desktops and engage with customers, partners, colleagues, or other constituents anywhere.

Regardless of formal policies, users are increasingly employing their personal mobile devices for work purposes, a trend commonly known as Bring-Your-Own-Device or BYOD. However, unlike corporate-owned devices, these personal devices are typically outside the control of their organization’s IT department. Given the surge of mobile malware and the urgent need to protect corporate data on these devices, organizations are widely seeking to implement new mobile security capabilities. Although adoption is still relatively early stage, organizations initially turned to mobile device management (MDM) tools which have since evolved into enterprise mobility management (EMM) suites. According to market researcher Aberdeen Group, 75% of IT organizations indicated having a BYOD program, but half of this group only nominally manages their mobile environment—implying the substantial majority have not yet formalized a mobile security strategy.


Figure 32: Worldwide Smartphone Sales to End Users by Operating System

| Operating System | 2013 Units (in thousands) | 2013 Mkt Sh | 2012 Units (in thousands) | 2012 Mkt Sh |
|---|---|---|---|---|
| Android | 758,719.9 | 78.4% | 451,621.0 | 66.4% |
| iOS | 150,785.9 | 15.6% | 130,133.2 | 19.1% |
| Microsoft | 30,842.9 | 3.2% | 16,940.7 | 2.5% |
| BlackBerry | 18,605.9 | 1.9% | 34,210.3 | 5.0% |
| Other OS | 8,821.2 | 0.9% | 47,203.0 | 6.9% |
| Total | 967,775.8 | 100.0% | 680,108.2 | 100.0% |

Sources: Gartner.

MDM software manages, monitors, secures, and supports the mobile devices of an organization. It commonly handles enrollment, device registration (typically over-the-air), device and application settings, authentication and access, remote monitoring, blacklisting (or whitelisting) of applications, and software distribution, and it can disable the device. It sets up a common configuration for every mobile device in the organization (such as settings for email, Wi-Fi, VPN, etc.) and enforces policies. These policies can be stricter or more lenient depending on the organization; policy examples include minimum password requirements and screen auto-lock time. In order to secure these devices and protect corporate data, IT staff can use their MDM to lock out devices or even wipe the entire device if it is no longer in the control of the user. MDM is particularly useful in managing multiple mobile operating systems, which is typical of BYOD environments. Key issues for organizations include deployment considerations, cost, and adaptability.

However, users are not universally accepting of the restrictive nature of MDM, which impedes the convenience and flexibility of their mobile devices. As a result, organizations re-examined their security problems and broadly realized that their key security priorities were not device security, but rather the protection of critical corporate applications and their associated data. Moving beyond MDM, a number of mobile security product categories emerged to focus on this core problem. These categories are now broadly referred to as EMM. Initially, a number of vendors (including MDM vendors) developed the mobile application management (MAM) category. Early MAM vendors included companies such as Apperian, Good Technology, MobileIron (acquired AppCenter), and Zenprise (acquired by Citrix). MAM can restrict the abilities of a mobile application by wrapping a security layer around it.
Additional EMM categories that have subsequently emerged include content management, network management, service management, and device policy control. According to market researcher Radicati Group, the worldwide EMM market is estimated to reach $3.1 billion in 2017, up from $838 million in 2013.

Figure 33: Worldwide EMM Revenue, 2013 to 2017

[Chart: worldwide EMM revenue in $ millions (vertical axis, 0 to 3,500) by year, 2013 to 2017.]

Sources: Radicati Group.


With MAM, users have the flexibility to keep personal content on their mobile device, while also having the ability to securely use their corporate applications. Moreover, the IT department can distribute, manage, and secure these applications through an enterprise application store, regardless of whether or not the mobile device is user-owned (i.e., BYOD) or corporate-owned/personally-enabled (COPE). In order to protect corporate data but segregate personal data, organizations can employ secure containers which are device agnostic and managed by the IT department. If necessary, containers that are governed by corporate security policies can be wiped. The key advantage is the delineation between personal and corporate data. However, this “containerization” approach can be circumvented if an attacker gains root access to the mobile device, which generally cannot be detected by the container. In addition, as an application must be linked to a container, it is necessary during the development of the application that it uses a vendor’s application programming interface (API) and software development kit (SDK). Market researcher Gartner notes container vendors include companies such as AirWatch (acquired by VMware), Divide (formerly called Enterproid), Excitor, Fixmo, Good Technology, LRW Technologies, MobileIron, NitroDesk, and Zenprise (Citrix).

As organizations continue to refine their requirements and supported business tasks, they will likely evaluate different EMM vendors based on the feature set that most closely matches the organization’s use case, such as support for certain mobile platforms. In addition, certain organizations may not need one or more EMM categories, such as application management or content management. Other considerations include the mobile environment (BYOD or COPE), international policy enforcement, non-employee devices (e.g., contractors, partners, etc.), and device types. Organizations also need to plan for potential changes in the mobile market beyond the most commonly supported mobile operating systems, iOS (Apple) and Android (Google). For example, according to Gartner, unit sales of Microsoft Windows Phone devices achieved the highest growth of all mobile operating systems, climbing 82% in 2013. Although Microsoft had only a 3.2% share of the global smartphone market, we believe it, or other emerging operating systems, could see wider enterprise adoption over the next several years.

EMM suites offer simpler deployment and management than using multiple point solutions (i.e., “best-of-breed”), though organizations typically prioritize certain features based on their requirements. The delivery and integration of these core features, such as a secure email client or containerization technology, represent key considerations when organizations evaluate different EMM suites. In some cases, vendors add new features through acquisitions or partnerships, which may not be as closely integrated as natively developed capabilities. From a security perspective, it is preferable to deploy an integrated EMM suite, though organizations can add a handful of products without materially impacting manageability or security. For example, one notable vendor (Good Technology) has gained strong penetration into regulated industries due to its secure mobile messaging capabilities; however, organizations may not necessarily choose this same vendor for their EMM suites. Organizations will balance the benefits of using “best-of-breed” tools with deploying an EMM suite from a major vendor (e.g., IBM, SAP), which can provide enterprise support and other services. To reduce the burden on constrained IT teams, enterprises may increasingly adopt cloud-based EMM services and managed service providers, given the potential benefits of pricing flexibility, regular updates, and efficient delivery of key features (e.g., MAM). Ultimately, however, the success of any EMM deployment will be determined by the quality of the user experience, evolving far beyond the constrained model of MDM.


According to Gartner, the MDM market totaled $784 million in 2012, with market penetration of less than 30%. However, the MDM market became crowded with approximately 125 vendors and Gartner has reported significant pricing pressure. MDM has increasingly become a commodity because of its limited functionality and the shift away from managing devices to managing . Pricing has fallen to below $30 per device, down from as high as $60 to $150 per device in 2010. With the need to innovate, the early vendors of the MDM market, such as AirWatch (VMware), Fiberlink (IBM), Good Technology, MobileIron, SAP, and Zenprise (Citrix), have either developed “containerization” capabilities or partnered with MAM vendors. While customer organizations will continue to need basic MDM functionality, albeit at lower prices, there is increasing demand for the ability to apply corporate security policies to mobile devices, whether through application containers or other approaches such as application shielding. One nascent technology is mobile device virtualization, which appears similar to containerization but enables the use of multiple operating systems on the same hardware. Virtualization allows users to have two separate environments for work and personal usage on their mobile device. However, the technology is still immature and not yet device agnostic, with additional concerns about performance. Vendors also need to collaborate with device OEMs (original equipment manufacturers) during the design process in order to use hypervisors. Of particular note, Apple has not yet allowed mobile virtualization vendors to enable “dual persona” iPhones or iPads, which could become a major hindrance to broad industry adoption.

Industry Consolidation

VMware Acquires Privately-Held AirWatch

On 1/22/14, virtualization provider VMware (VMW) announced the acquisition of privately-held AirWatch, a leading provider of enterprise mobile management (EMM) and security solutions. VMW paid approximately $1.175 billion in cash and $365 million of installment payments and assumed unvested equity. The boards of directors of both companies approved the transaction.

We believe this acquisition could significantly expand VMW’s market position in mobile security and could enable VMW to strongly capitalize on the BYOD opportunity.

Based in Atlanta, Georgia, AirWatch primarily serves enterprises and mid-sized organizations and it offers MDM, MAM, and Mobile Content Management (MCM) solutions. These solutions enable enterprises to securely manage the plethora of mobile devices used by their employees. AirWatch possesses over 10,000 customers worldwide and has more than 1,600 employees. AirWatch is considered a top-tier vendor in the MDM software market and was ranked in the “Leaders Quadrant” by Gartner (in a market report published May 2013). Other notable market leaders in the report included MobileIron, Citrix, Good Technology, Fiberlink, and SAP.

We highlight the active strategic consolidation of the EMM market over the past year, most notably IBM/Fiberlink (December 2013), Oracle/Bitzer Mobile (November 2013), and Citrix/Zenprise (1 year ago). We think VMW’s acquisition of AirWatch could accelerate the pace of acquisitions in the sector and sets the valuation bar at a new level. We believe the remaining EMM/MDM leaders, Good Technology and MobileIron, and other smaller vendors are potential acquisition candidates.

At this stage of the market, we think MAM and MCM offer greater opportunity for technical differentiation than MDM. Given the significant growth potential of the BYOD market, we see greater urgency to achieve faster time-to-market through strategic acquisitions rather than internal development. We also highlight strong opportunities for larger security and technology vendors to integrate new and innovative capabilities that can leverage their expansive go-to-market resources and global distribution channels.


FireEye Acquires Privately-Held Mandiant

On 1/2/14, threat detection innovator FireEye (FEYE) began the New Year by announcing the acquisition of privately-held Mandiant for approximately $1 billion in cash and stock. Management hosted a conference call to discuss the transaction, which closed on 12/30/13. FEYE paid approximately $106.5 million of net cash and issued 21.5 million shares and options.

From a technology perspective, one of the key drivers for the acquisition was Mandiant’s endpoint-based threat detection capabilities, with particular expertise around incident response and endpoint forensics. FireEye indicated that it intends to combine its network-based virtual machine advanced threat detection capabilities with Mandiant’s endpoint expertise to offer a comprehensive platform to detect, prevent, and respond/contain advanced attacks, with potentially significantly reduced time to remediation.

We believe customer organizations widely possess limited visibility of their endpoints, save the first day of issuance to the employee or end-user. As such, we believe there is substantial market need for real-time endpoint forensic data capture and analysis tools for threat detection and response. According to Gartner, specific vendors include companies such as Mandiant, Guidance Software (GUID), Bit9/Carbon Black (recently merged), RSA (EMC), ManTech/HBGary (MANT), CounterTack, and Crowdstrike.

We anticipate the increasingly sophisticated threat environment and the escalating complexity of IT infrastructures will continue to drive strong market demand for innovative security solutions, particularly on the endpoint. We believe customer organizations remain highly vulnerable and have critical need to bolster their security posture.

Akamai Acquires Privately-Held Prolexic Technologies

On 12/2/13, Akamai announced a definitive agreement to acquire Prolexic Technologies, a privately-held provider of cloud-based Distributed Denial of Service (DDoS) mitigation services, for approximately $370 million in cash.

Prolexic was founded in 2003 and possesses a customer base exceeding 400 enterprises worldwide across multiple industries. While Akamai did not indicate Prolexic’s historic growth rate, we highlight that Prolexic previously reported achieving revenue growth of 63% in 2012, following 45% growth in 2011. Akamai estimates Prolexic will benefit its organic growth rate by approximately 4 percentage points in the first year as a combined company.

Based on various industry sources, we believe DDoS attacks are escalating in frequency, size, and sophistication, with measurable business impact from downtime and lost revenue and traffic. For example, we highlight the recent DDoS attack on social website Meetup, which disrupted operations for several days and cost “hundreds of thousands of dollars” according to its CEO. Reportedly, the attacker demanded an initial ransom of $300, but the company would not negotiate due to almost certain escalation in the final price without any assurances.


M&A Review and Outlook

° M&A activity in the Information Security sector remained constant in the second half of 2013 versus the preceding three quarters and rose significantly year over year

Figure 34: M&A Transactions in the Information Security Sector, Fourth Quarter 2010 to Fourth Quarter 2013

[Chart: M&A transactions per quarter (vertical axis, 0 to 60), Q4 2010 to Q4 2013; series: IT Security Services and IT Security Products.]

Sources: Imperial Capital, LLC and Capital IQ.

Notable Middle Market Transactions

° Proofpoint, Inc. acquired Sendmail, Inc.

On October 1, 2013, Proofpoint announced that it acquired Silicon Valley based Sendmail, Inc., a leading provider of solutions that simplify business messaging complexity and reduce IT infrastructure costs for enterprises throughout the world.

° Cisco completed acquisition of Sourcefire for $2.7 billion

On October 7, 2013, Cisco announced it completed the acquisition of Sourcefire, a leader in intelligent cybersecurity solutions, for $76 per share for a total of $2.7 billion.

° Oracle bought Bitzer Mobile

On November 15, 2013, Oracle announced the acquisition of enterprise mobile security startup Bitzer Mobile, a provider of mobile applications management solutions designed to allow companies to provide employees with access to corporate data and applications from their mobile devices.

° IBM closed its acquisition of Fiberlink Communications

On December 18, 2013, IBM announced it completed the acquisition of Fiberlink Communications, a privately held mobile management and security company based in Blue Bell, Pennsylvania.


° FireEye acquired Mandiant

On December 30, 2013, FireEye, a provider of security software, acquired Mandiant, a company known for emergency responses to computer network breaches, for $826.5 million.

° Avigilon signed definitive agreement to acquire video analytics company VideoIQ

On December 31, 2013, Avigilon Corporation, a leader in high-definition (HD) surveillance solutions, announced it signed a definitive agreement to acquire the video analytics company VideoIQ, Inc. for cash consideration of $32 million.

° Google acquired IT security startup Impermium on January 15, 2014

On January 15, 2014, Google acquired Indian cyber security startup Impermium. Terms of the transaction were not disclosed.

° VMware acquired mobile security firm AirWatch for $1.54 billion

On January 24, 2014, under the terms of the deal, VMware purchased AirWatch, an Atlanta-based provider of enterprise mobile management and security solutions, for approximately $1.175 billion in cash and around $365 million in installment payments and assumed unvested equity.

° Akamai Technologies, Inc. bought Prolexic for $402 million

On February 18, 2014, Akamai Technologies announced it completed its acquisition of Prolexic Technologies, Inc., a privately held company based in Hollywood, Florida that provides cloud-based security solutions for protecting data centers and enterprise IP applications from distributed denial of service (DDoS) attacks.

° Synopsys entered software quality and security market with Coverity acquisition

On February 19, 2014, Synopsys acquired Coverity for $375 million. Coverity products reduce the risk of quality and security defects, which can lead to the catastrophic failures that plague many of today's large software systems.

° Lockheed Martin announces its intent to acquire Industrial Defender

On March 12, 2014, Lockheed Martin entered into a definitive agreement to acquire Industrial Defender, a leading provider of cyber security solutions for control systems in the oil and gas, utility and chemical industries.

Registered Direct and Private Placement Snapshot

Private Placement activity in the second quarter of 2013 declined from the second quarter of 2012.

° ClearDATA Networks, Inc raised $7.0 million in Series B funding

On August 6, 2013, ClearDATA Networks, Inc., provider of and IT security services for health care providers, announced $7.0 million in Series B financing to fund marketing and sales initiatives.


° Cyvera announced it received €11 million in a round of funding on August 13, 2013

On August 13, 2013, Cyvera Ltd, developer and provider of cyber defense solutions that protect organizations from targeted cyber-attacks and mass attacks, announced that it has received €11 million in its second round of funding led by Battery Ventures IX, L.P.

° Taasera, Inc. announced that it will receive $10 million in a round of funding

On October 11, 2013, Taasera, Inc., developer of cloud based security solutions, announced that it will receive $10 million in a round of funding. The company issued common shares and an option, warrant or other right to acquire another security to the investors.

° Bit9, Inc. announced that it will receive $38.2 million in equity funding on February 10, 2014

On February 10, 2014, Bit9, Inc. announced that it will receive $38,235,562 in equity funding on February 10, 2014. Bit9, Inc. provides threat protection solutions for endpoints and servers.

° Shape Security, Inc. announced that it will receive $40 million in funding

On February 21, 2014, Shape Security, developer of web defense products, announced that it will receive $40,000,163 in funding from nine investors.

Public Debt and Equity Offering Snapshot

The Information Security sector saw a decrease in the second quarter of 2013 over the second quarter of 2012.

° FireEye went public on September 20, 2013, raising $304 million

On September 20, 2013, FireEye priced its IPO at $20 per share raising $304 million. FireEye provides companies with technology and services to protect against malware and cyber-attacks.

° Barracuda Networks raised $75 million November 12, 2013 in its initial public offering

On November 12, 2013, Barracuda Networks, Inc. priced its IPO at $18 per share raising $75 million. Barracuda Networks provides an array of security and storage solutions primarily for mid-market customers.

° Varonis Systems, Inc. raised $95 million in an initial public offering on February 28, 2014

On February 28, 2013, Varonis Systems sold 4.8 million shares at an IPO price of $22, raising $95 million. Varonis makes a software platform that large enterprises can use to manage their unstructured data, such as letters, memos and emails.

Bankruptcies

There were no major Information Security bankruptcies in the second half of 2013.


Notable Transactions

Figure 35: Select M&A Transactions in the Information Security Sector, 2013 and YTD 2014

| Announced / Filing Date | Closed Date | Target | Target Business Description | Buyer | Implied TEV ($mm) | TEV / Revenue | TEV / EBITDA |
|---|---|---|---|---|---|---|---|
| 3/12/2014 | NA | Industrial Defender, Inc. | Industrial Defender, Inc. provides defense-in-depth security, sustainable compliance management, and policy and reporting solutions to monitor, manage, and protect assets. | Lockheed Martin Corporation | NA | NA | NA |
| 2/19/2014 | 03/25/2014 | Coverity, Inc. | Coverity, Inc. provides source code analysis tools for identifying software defects and security vulnerabilities in the software development lifecycle. | Synopsys Inc. | $350.0 | NA | NA |
| 1/21/2014 | 02/24/2014 | AirWatch, LLC | AirWatch, LLC develops mobile security and enterprise mobility management solutions. | VMware, Inc. | $1,540.0 | NA | NA |
| 1/15/2014 | 01/15/2014 | Impermium Corporation | As of January 15, 2014, Impermium Corporation was acquired by Google Inc. Impermium Corporation provides subscription-based social content cleaning services for Web sites and social networks defending them against social spam, fake registrations, racist and inappropriate language, and other forms of abuse. | Google Inc. | NA | NA | NA |
| 12/31/2013 | 01/13/2014 | VideoIQ, Inc. | VideoIQ, Inc. manufactures and sells video surveillance systems. | Avigilon Corporation | $32.0 | 2.9x | NA |
| 12/30/2013 | 12/30/2013 | Mandiant Corporation | Mandiant, LLC, an information security company, provides security incident response management solutions to Fortune 500 companies, financial institutions, government agencies, the U.S. and foreign police departments, and law firms. | FireEye, Inc. | $826.5 | 8.1x | NM |
| 12/2/2013 | 02/18/2014 | Prolexic Technologies Inc. | Prolexic Technologies Inc. provides managed distributed denial of service (DDoS) detection and protection services. | Akamai Technologies, Inc. | $402.6 | NA | NA |
| 11/13/2013 | 12/18/2013 | Fiberlink Communications Corporation | Fiberlink Communications Corporation provides mobile computing solutions. | International Business Machines Corporation | NA | NA | NA |
| 11/15/2013 | 11/15/2013 | Bitzer Mobile, Inc. | As of November 15, 2013, Bitzer Mobile, Inc. was acquired by Oracle Corporation. | Oracle Corporation | NA | NA | NA |
| 7/22/2013 | 10/07/2013 | Sourcefire, Inc. | Sourcefire, Inc. provides intelligent cybersecurity technologies worldwide. | Cisco Systems, Inc. | $2,193.6 | 8.9x | NM |
| 10/1/2013 | 10/01/2013 | Sendmail, Inc. | Sendmail, Inc. provides solutions for email connectivity, routing, and message delivery between people, systems, and applications located on-premises, in-cloud, and on mobile devices. | Proofpoint, Inc. | $23.0 | NA | NA |
| 6/25/2013 | 06/25/2013 | Palisade Systems, Inc. | Palisade Systems, Inc. provides enterprise content security and data protection solutions. | Absolute Software Corporation | NA | NA | NA |
| 6/20/2013 | 06/20/2013 | Perlego Systems, Inc. (nka:Fixmo Carrier Services) | Fixmo Carrier Services provides Software-as-a-Service based solutions for smartphones. | Fixmo Inc. | NA | NA | NA |
| 6/20/2013 | 06/20/2013 | ZeroVulnerabilityLabs, Inc. | As of June 20, 2013, ZeroVulnerabilityLabs, Inc. was acquired by Malwarebytes Corporation. | Malwarebytes Corporation | NA | NA | NA |
| 6/10/2013 | 06/10/2013 | Technologies, Inc. | Fox Technologies, Inc. provides enterprise access management solutions that centralize administration, enforcement, and auditing of granular authentication and authorization policies for privileged and end users. | Parallax Capital Partners, LLC; Parallax Capital Fund, L.P. | NA | NA | NA |
| 6/5/2013 | 06/05/2013 | Latis Networks, Inc., Managed Security Services Division | Managed Security Services Division of Latis Networks, Inc. offers managed firewall, client-owned unified threat management (UTM), file integrity monitoring, log management, managed high-speed intrusion detection/prevention, vulnerability scanning, managed virtual private network (VPN), managed Web application firewall, and managed Web security. | SilverSky, Inc. | NA | NA | NA |
| 5/21/2013 | 05/31/2013 | Solera Networks, Inc. | Solera Networks, Inc. operates as a network forensics and security analytics platform provider. | Blue Coat Systems Inc. | $225 | 18.8x | NA |
| 5/14/2013 | 05/14/2013 | PrivacyChoice LLC | PrivacyChoice LLC provides online privacy scanning solutions. | AVG Technologies N.V. | NA | NA | NA |
| 5/19/2013 | 06/25/2013 | Websense, Inc. | Websense, Inc. provides Web, email, and data security solutions to protect an organization’s data and users from cyber-threats, malware attacks, information leaks, legal liability, and productivity loss worldwide. | Vista Equity Partners; Vista Equity Fund 4 | $971.1 | 2.7x | 16.6x |
| 5/14/2013 | 05/14/2013 | FuGen Solutions, Inc. | FuGen Solutions, Inc. provides cloud-based identity federation services for governments, enterprises, service providers, and vendors. | 8K Miles Software Services Ltd | $7.5 | NA | NA |
| 5/13/2013 | 05/31/2013 | Feedback Data plc | Feedback Data plc designs and manufactures access control, and time and attendance products. | Belgravium Technologies PLC | $0.6 | 0.3x | NA |


Figure 36: Select M&A Transactions in the Information Security Sector, 2013 and YTD 2014, continued

| Announced / Filing Date | Closed Date | Target | Target Business Description | Buyer | Implied TEV ($mm) | TEV / Revenue | TEV / EBITDA |
|---|---|---|---|---|---|---|---|
| 5/9/2013 | 05/09/2013 | Third Defense Inc. | As of May 9, 2013, Third Defense Inc. was acquired by Caliber Security Partners LLC. Third Defense Inc. provides Security Program Management (SPM) software, a suite of various Web applications that include risk communicator, risk register, metrics manager, vuln tracker, and service manager applications. | Caliber Security Partners LLC | NA | NA | NA |
| 5/9/2013 | 05/09/2013 | Netronome Systems, Inc., SSL Appliance Product Line | As of May 9, 2013, SSL Appliance Product Line of Netronome Systems, Inc. was acquired by Blue Coat Systems Inc. Netronome Systems, Inc., SSL Appliance Product Line comprises SSL inspection appliances that allow SSL decryption in networks ranging from 100 Mbps to 10 Gbps full duplex. | Blue Coat Systems Inc. | NA | NA | NA |
| 5/5/2013 | 07/10/2013 | Stonesoft Oyj | Stonesoft Corporation delivers software based information security solutions to secure information flow and enhance security management. | McAfee, Inc. | $389.0 | 7.4x | NA |
| 4/26/2013 | 05/17/2013 | Arkoon Network Security | Arkoon Network Security provides information technology security solutions for protecting sensitive data and infrastructures to companies and public entities in France and internationally. | Cassidian SAS | $19 | 1.1x | 7.7x |
| 4/9/2013 | 04/09/2013 | Mail Distiller Ltd | Mail Distiller, Ltd. provides managed email filtering services to eradicate viruses and abolish spam and time-wasting e-mail content. | Proofpoint, Inc. | NA | NA | NA |
| 4/8/2013 | 04/08/2013 | Shavlik Technologies, LLC | Shavlik Technologies, LLC provides cloud-based IT management solutions for small and medium businesses. | LANDesk Software, Inc. | NA | NA | NA |
| 4/3/2013 | 04/03/2013 | 3LM, Inc. | 3LM, Inc. provides android mobile application management solutions for IT administrators to manage devices and mobilize their enterprise. | BoxTone Inc. | NA | NA | NA |
| 09/13/2012 | 06/25/2013 | Websense, Inc. | Websense, Inc. provides Web, email, and data security solutions to protect an organization’s data and users from cyber-threats, malware attacks, information leaks, legal liability, and productivity loss worldwide. | Vista Equity Partners; Vista Equity Fund 4 | $971 | 2.7x | 17.9x |
| 09/13/2012 | 05/10/2013 | Earthwave Corporation Pty Limited | Earthwave Corporation Pty Limited provides managed and in-cloud security services. | Dimension Data Holdings plc | NA | NA | NA |
| 09/13/2012 | 04/03/2013 | SecureConnect Inc. | SecureConnect Inc. provides and payment card industry (PCI) compliance services to businesses in the United States. | TrustWave Holdings, Inc. | NA | NA | NA |
| 1/29/2013 | 01/31/2013 | Cognitive Security s.r.o. | Cognitive Security s. | Cisco Systems, Inc. | NA | NA | NA |
| 1/23/2013 | 01/23/2013 | BitSec Global Forensics, Inc. | BitSec Global Forensics, Inc. provides computer forensics and information security training services. | Network Designs, Inc. | NA | NA | NA |

Sources: Capital IQ, Imperial Capital, LLC.


Section V Appendix


Comparable Companies

Figure 36: Select Security Industry Comparable Companies

| Ticker | Company Name | Ticker | Company Name |
|---|---|---|---|
| NASDAQNM:ACXM | Acxiom Corporation | NYSE:EMC | EMC Corporation |
| TASE:AFHL | AFCON Holdings Ltd. | TSEC:5484 | EverFocus Electronics Corporation |
| NasdaqGS:AKAM | Akamai Technologies, Inc. | LSE:EXPN | Experian plc |
| TSX:AF | AlarmForce Industries Inc. | NASDAQGS:FFIV | F5 Networks, Inc. |
| NYSE:ALLE | Allegion Plc | NYSE:FSS | Federal Signal Corp. |
| NASDAQNM:ASEI | American Science & Engineering Inc. | NasdaqGS:FEYE | FireEye, Inc. |
| NASDAQNM:ALOG | Analogic Corporation | NASDAQNM:FLIR | FLIR Systems, Inc. |
| NYSE:AXE | Anixter International Inc. | NasdaqGS:FTNT | Fortinet Inc. |
| OTCBB:ANVS | ANV Security Group, Inc. | NYSE:FBHS | Fortune Brands Home & Security, Inc. |
| OTCPK:APDN | Applied DNA Sciences Inc. | LSE:GFS | G4S plc |
| NasdaqGM:ARTX | Arotech Corporation | ENXTAM:GTO | Gemalto NV |
| NASDAQGS:ARUN | Aruba Networks, Inc. | TSEC:3356 | Geovision, Inc. |
| NASDAQGS:ASCM.A | Ascent Capital Group, Inc. | AMEX:GSB | GlobalSCAPE, Inc. |
| OM:ASSA B | Assa Abloy AB | OTCPK:GRDH | Guardian 8 Holdings |
| TSEC:8072 | Av Tech Corporation | NasdaqGM:GUID | Guidance Software, Inc. |
| TSEC:3669 | AVer Information Inc. | OM:GUNN | Gunnebo AB |
| NYSE:AVG | AVG Technologies N.V. | SZSE:002415 | Hangzhou Hikvision Digital Technology Co., Ltd. |
| TSX:AVO | Avigilon Corporation | NYSE:HPQ | Hewlett-Packard Company |
| OM:AXIS | Axis AB (publ) | NYSE:HON | Honeywell International Inc. |
| NYSE:CUDA | Barracuda Networks, Inc. | NASDAQ:IDSY | ID Systems Inc. |
| XTRA:BSL | Basler AG | NasdaqCM:INVE | Identive Group, Inc. |
| NASDAQNM:CA | CA Technologies | NASDAQCM:ISNS | Image Sensing Systems, Inc. |
| NASDAQGS:CAVM | Cavium, Inc. | OTCPK:IWSY | ImageWare Systems Inc. |
| NASDAQNM:CHKP | Software Technologies Ltd. | NYSE:IMPV | Imperva Inc. |
| NYSE:CKP | Checkpoint Systems Inc. | OTCPK:IMSC | Implant Sciences Corp. |
| NYSE:CBR | Ciber, Inc. | AIM:IND | IndigoVision Group plc |
| NasdaqGS:CSCO | Cisco Systems, Inc. | NYSE:BLOX | Infoblox Inc. |
| AMEX:API | Advanced Photonix Inc. | NYSE:IR | Ingersoll-Rand Plc |
| NasdaqGS:CTXS | Citrix Systems, Inc. | ENXTPA:INSD | INSIDE Secure |
| AMEX:MOC | Command Security Corp. | NasdaqGS:INTC | Intel Corporation |
| TSX:CSU | Constellation Software Inc. | NYSE:IBM | International Business Machines Corporation |
| NasdaqGS:CTRL | Control4 Corporation | NASDAQNM:INTX | Intersections Inc. |
| NYSE:CXW | Corrections Corporation of America | OTCBB:ISCI | ISC8 Inc. |
| OTCPK:CSTI | Costar Technologies, Inc | AMEX:ITI | Iteris, Inc. |
| NYSE:CTS | CTS Corporation | TASE:ITRN | Location & Control Ltd. |
| NasdaqCM:CYRN | CYREN Ltd. | NASDAQGS:JDSU | JDS Uniphase Corporation |
| NYSE:DHR | Danaher Corp. | NYSE:JCI | Johnson Controls Inc. |
| NYSE:DBD | Diebold, Incorporated | GTSM:5251 | JSW Pacific Corporation |
| NASDAQNM:DMRC | Digimarc Corporation | NYSE:JNPR | Juniper Networks, Inc. |
| NasdaqCM:DGLY | Digital Ally Inc. | SWX:KABN | Kaba Holding AG |
| GTSM:5489 | DynaColor, Inc. | NasdaqGS:KTOS | Kratos Defense & Security Solutions, Inc. |
| XTRA:ELN | Electronics Line 3000 Ltd. | NYSE:LLL | L-3 Communications Holdings Inc. |
| NASDAQNM:LOJN | LoJack Corporation | NYSE:SSNI | Silver Spring Networks, Inc. |
| OM:LOOM B | Loomis AB | NASDAQGS:SWHC | Smith & Wesson Holding Corporation |
| OTCPK:MACE | Mace Security International Inc. | LSE:SMIN | Smiths Group plc |
| NASDAQNM:MAGS | Ltd. | NYSE:SWI | SolarWinds, Inc. |
| XTRA:D7S | Matica Technologies AG | NasdaqGS:SPLK | Splunk, Inc. |
| DB:MBQ | Mobotix AG | NYSE:SWK | Stanley Black & Decker, Inc. |
| NYSE:MSI | Motorola Solutions, Inc. | OTCBB:SFOR | StrikeForce Technologies, Inc. |
| NYSE:MSA | MSA Safety Incorporated | NasdaqGS:SYMC | Symantec Corporation |
| NASDAQNM:NSSC | Napco Security Technologies, Inc. | TSEC:9925 | Taiwan Shin Kong Security Co. Ltd. |
| TSE:6701 | NEC Corporation | NASDAQNM:TSYS | TeleCommunication Systems Inc. |
| NASDAQNM:UEPS | Net 1 Ueps Technologies Inc. | SEHK:8051 | TeleEye Holdings Ltd. |
| AIM:NWT | Newmark Security plc | NYSE:ADT | The ADT Corporation |
| TASE:NICE | NICE Systems Ltd. | NYSE:BCO | The Brink's Company |
| NASDAQGS:OVTI | OmniVision Technologies, Inc. | NYSE:GEO | The GEO Group, Inc. |
| NASDAQNM:OTIV | On Track Innovations Ltd. | NasdaqGS:KEYW | The KEYW Holding Corporation |
| TASE:ORAD | Orad Ltd. | NYSE:TMO | Thermo Fisher Scientific, Inc. |
| NASDAQNM:OSIS | OSI Systems, Inc. | TSE:4704 | Trend Micro Inc. |
| NYSE:PANW | Palo Alto Networks, Inc. | NASDAQNM:TRMB | Trimble Navigation Limited |
| NASDAQ:PNTR | Ltd. | NYSE:TYC | Tyco International Ltd. |
| OM:PREC | Precise Biometrics AB | NYSE:TYL | Tyler Technologies, Inc. |
| NASDAQGS:PKT | Procera Networks, Inc. | NASDAQGS:UBNT | Ubiquiti Networks, Inc. |
| NasdaqGM:PFPT | Proofpoint, Inc. | NYSE:UTX | United Technologies Corp. |
| CATS:PSG | Prosegur Compañía de Seguridad, S.A. | NasdaqGS:VRNS | Varonis Systems, Inc. |
| ASX:QTG | Q Technology Group Limited | NASDAQSC:VDSI | VASCO Data Security International Inc. |
| LSE:QQ. | QinetiQ Group Plc | NASDAQGS:VRNT | Verint Systems Inc. |
| NasdaqGS:QLYS | Qualys, Inc. | AMEX:VSR | Versar Inc. |
| NasdaqGS:RDWR | Ltd. | AMEX:VII | Vicon Industries Inc. |
| AMEX:RWC | RELM Wireless Corp. | TSEC:3454 | Vivotek Inc |
| NasdaqGS:RVBD | Riverbed Technology, Inc. | NYSE:VMW | VMware, Inc. |
| NYSE:ROP | Roper Industries Inc. | NASDAQCM:WAVX | Wave Systems Corp. |


Figure 36: Select Security Industry Comparable Companies continued

Ticker | Company Name | Ticker | Company Name
ENXTPA:SAF | Safran SA | SZSE:002414 | Wuhan Guide Infrared Co., Ltd.
ENXTPA:SU | Schneider Electric S.A. | NZSE:WYN | Wynyard Group Limited
TSE:9735 | Secom Co. Ltd. | TSEC:6131 | Yoko Technology Corp.
OM:SECU B | Securitas AB | NASDAQNM:ZBRA | Zebra Technologies Corp.
LSE:SEPU | Sepura PLC | SZSE:002236 | Zhejiang Dahua Technology Co.,Ltd.
SZSE:002528 | Shenzhen Infinova Limited | BSE:531404 | Zicom Electronic Security Systems Limited
DB:SIE | Siemens Aktiengesellschaft | NasdaqGS:ZIXI | Zix Corporation

Sources: Imperial Capital, LLC.

Figure 37: Physical Security Sector—Select Comparable Companies

Ticker | Company Name | Ticker | Company Name
AMEX:API | Advanced Photonix Inc. | NasdaqGS:KTOS | Kratos Defense & Security Solutions, Inc.
TASE:AFHL | AFCON Holdings Ltd. | NYSE:LLL | L-3 Communications Holdings Inc.
TSX:AF | AlarmForce Industries Inc. | NASDAQNM:LOJN | LoJack Corporation
NYSE:ALLE | Allegion Plc | OM:LOOM B | Loomis AB
NASDAQNM:ASEI | American Science & Engineering Inc. | OTCPK:MACE | Mace Security International Inc.
NASDAQNM:ALOG | Analogic Corporation | NASDAQNM:MAGS | Magal Security Systems Ltd.
NYSE:AXE | Anixter International Inc. | DB:MBQ | Mobotix AG
OTCBB:ANVS | ANV Security Group, Inc. | NYSE:MSA | MSA Safety Incorporated
NasdaqGM:ARTX | Arotech Corporation | NASDAQNM:NSSC | Napco Security Technologies, Inc.
NASDAQGS:ASCM.A | Ascent Capital Group, Inc. | AIM:NWT | Newmark Security plc
OM:ASSA B | Assa Abloy AB | TASE:NICE | NICE Systems Ltd.
TSEC:8072 | Av Tech Corporation | NASDAQGS:OVTI | OmniVision Technologies, Inc.
TSEC:3669 | AVer Information Inc. | TASE:ORAD | Orad Ltd.
TSX:AVO | Avigilon Corporation | NASDAQNM:OSIS | OSI Systems, Inc.
OM:AXIS | Axis AB (publ) | NASDAQ:PNTR | Pointer Telocation Ltd.
XTRA:BSL | Basler AG | CATS:PSG | Prosegur Compañía de Seguridad, S.A.
NYSE:CKP | Checkpoint Systems Inc. | ASX:QTG | Q Technology Group Limited
AMEX:MOC | Command Security Corp. | LSE:QQ. | QinetiQ Group Plc
TSX:CSU | Constellation Software Inc. | AMEX:RWC | RELM Wireless Corp.
NasdaqGS:CTRL | Control4 Corporation | NYSE:ROP | Roper Industries Inc.
NYSE:CXW | Corrections Corporation of America | ENXTPA:SU | Schneider Electric S.A.
OTCPK:CSTI | Costar Technologies, Inc | TSE:9735 | Secom Co. Ltd.
NYSE:CTS | CTS Corporation | OM:SECU B | Securitas AB
NYSE:DHR | Danaher Corp. | LSE:SEPU | Sepura PLC
NYSE:DBD | Diebold, Incorporated | SZSE:002528 | Shenzhen Infinova Limited
NasdaqCM:DGLY | Digital Ally Inc. | DB:SIE | Siemens Aktiengesellschaft
GTSM:5489 | DynaColor, Inc. | NASDAQGS:SWHC | Smith & Wesson Holding Corporation
XTRA:ELN | Electronics Line 3000 Ltd. | LSE:SMIN | Smiths Group plc
TSEC:5484 | EverFocus Electronics Corporation | NYSE:SWK | Stanley Black & Decker, Inc.
NYSE:FSS | Federal Signal Corp. | TSEC:9925 | Taiwan Shin Kong Security Co. Ltd.
NASDAQNM:FLIR | FLIR Systems, Inc. | NASDAQNM:TSYS | TeleCommunication Systems Inc.
NYSE:FBHS | Fortune Brands Home & Security, Inc. | SEHK:8051 | TeleEye Holdings Ltd.
LSE:GFS | G4S plc | NYSE:ADT | The ADT Corporation
TSEC:3356 | Geovision, Inc. | NYSE:BCO | The Brink's Company
OTCPK:GRDH | Guardian 8 Holdings | NYSE:GEO | The GEO Group, Inc.
OM:GUNN | Gunnebo AB | NYSE:TMO | Thermo Fisher Scientific, Inc.
SZSE:002415 | Hangzhou Hikvision Digital Technology Co., Ltd. | NASDAQNM:TRMB | Trimble Navigation Limited
NYSE:HON | Honeywell International Inc. | NYSE:TYC | Tyco International Ltd.
NASDAQ:IDSY | ID Systems Inc. | NYSE:TYL | Tyler Technologies, Inc.
NASDAQCM:ISNS | Image Sensing Systems, Inc. | NASDAQGS:UBNT | Ubiquiti Networks, Inc.
OTCPK:IMSC | Implant Sciences Corp. | NYSE:UTX | United Technologies Corp.
AIM:IND | IndigoVision Group plc | NASDAQGS:VRNT | Verint Systems Inc.
NYSE:IR | Ingersoll-Rand Plc | AMEX:VSR | Versar Inc.
OTCBB:ISCI | ISC8 Inc. | AMEX:VII | Vicon Industries Inc.
AMEX:ITI | Iteris, Inc. | TSEC:3454 | Vivotek Inc
TASE:ITRN | Ituran Location & Control Ltd. | SZSE:002414 | Wuhan Guide Infrared Co., Ltd.
NYSE:JCI | Johnson Controls Inc. | TSEC:6131 | Yoko Technology Corp.
GTSM:5251 | JSW Pacific Corporation | SZSE:002236 | Zhejiang Dahua Technology Co.,Ltd.
SWX:KABN | Kaba Holding AG | BSE:531404 | Zicom Electronic Security Systems Limited

Sources: Imperial Capital, LLC.


Figure 38: Identity Solutions Sector—Select Comparable Companies

Ticker | Company Name | Ticker | Company Name
NASDAQNM:ACXM | Acxiom Corporation | ENXTPA:INSD | INSIDE Secure
OTCPK:APDN | Applied DNA Sciences Inc. | NASDAQNM:INTX | Intersections Inc.
TSX:AVO | Avigilon Corporation | XTRA:D7S | Matica Technologies AG
NYSE:CKP | Checkpoint Systems Inc. | NASDAQNM:UEPS | Net 1 Ueps Technologies Inc.
NASDAQNM:DMRC | Digimarc Corporation | NASDAQNM:OTIV | On Track Innovations Ltd.
LSE:EXPN | Experian plc | OM:PREC | Precise Biometrics AB
ENXTAM:GTO | Gemalto NV | ENXTPA:SAF | Safran SA
NasdaqCM:INVE | Identive Group, Inc. | NASDAQSC:VDSI | VASCO Data Security International Inc.
OTCPK:IWSY | ImageWare Systems Inc. | NASDAQNM:ZBRA | Zebra Technologies Corp.

Sources: Imperial Capital, LLC.

Figure 39: Information Security Sector—Select Comparable Companies

Ticker | Company Name | Ticker | Company Name
NasdaqGS:AKAM | Akamai Technologies, Inc. | OTCPK:ISCI | ISC8 Inc.
NASDAQGS:ARUN | Aruba Networks, Inc. | NASDAQGS:JDSU | JDS Uniphase Corporation
NYSE:AVG | AVG Technologies N.V. | NYSE:JNPR | Juniper Networks, Inc.
NYSE:CUDA | Barracuda Networks, Inc. | NYSE:MSI | Motorola Solutions, Inc.
NASDAQNM:CA | CA Technologies | TSE:6701 | NEC Corporation
NASDAQGS:CAVM | Cavium, Inc. | NYSE:PANW | Palo Alto Networks, Inc.
NASDAQNM:CHKP | Check Point Software Technologies Ltd. | NASDAQGS:PKT | Procera Networks, Inc.
NYSE:CKP | Checkpoint Systems Inc. | NasdaqGM:PFPT | Proofpoint, Inc.
NYSE:CBR | Ciber, Inc. | NasdaqGS:QLYS | Qualys, Inc.
NasdaqGS:CSCO | Cisco Systems, Inc. | NasdaqGS:RDWR | Radware Ltd.
NasdaqGS:CTXS | Citrix Systems, Inc. | NasdaqGS:RVBD | Riverbed Technology, Inc.
NasdaqCM:CYRN | CYREN Ltd. | NYSE:SSNI | Silver Spring Networks, Inc.
NYSE:EMC | EMC Corporation | NYSE:SWI | SolarWinds, Inc.
NASDAQGS:FFIV | F5 Networks, Inc. | NasdaqGS:SPLK | Splunk, Inc.
NasdaqGS:FEYE | FireEye, Inc. | OTCBB:SFOR | StrikeForce Technologies, Inc.
NasdaqGS:FTNT | Fortinet Inc. | NasdaqGS:SYMC | Symantec Corporation
AMEX:GSB | GlobalSCAPE, Inc. | NasdaqGS:KEYW | The KEYW Holding Corporation
NasdaqGM:GUID | Guidance Software, Inc. | TSE:4704 | Trend Micro Inc.
NYSE:HPQ | Hewlett-Packard Company | NasdaqGS:VRNS | Varonis Systems, Inc.
NYSE:IMPV | Imperva Inc. | NYSE:VMW | VMware, Inc.
NYSE:BLOX | Infoblox Inc. | NASDAQCM:WAVX | Wave Systems Corp.
NasdaqGS:INTC | Intel Corporation | NZSE:WYN | Wynyard Group Limited
NYSE:IBM | International Business Machines Corporation | NasdaqGS:ZIXI | Zix Corporation

Sources: Imperial Capital, LLC.


Valuations—Security Industry Companies

Physical Security Companies

Figure 40: Large Industrials ($ in thousands except stock price)

Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014
Physical Security - Large Industrials
SIE | Siemens AG | $130.34 | 92.5% | $110,061.4 | $122,454.1 | $103,672.8 | 27.7% | 10.3% | 1.2x | 1.6x | 1.6x | 11.5x | 14.0x | 11.1x | 18.6x | 1.1x | 1.1
UTX | United Technologies Corp. | 114.24 | 96.5 | 104,552.3 | 121,638.3 | 62,626.0 | 28.0 | 17.8 | 1.9 | 1.9 | 1.9 | 10.9 | 11.1 | 10.1 | 18.5 | 1.4 | 1.4
HON | Honeywell International Inc. | 93.38 | 97.4 | 73,022.5 | 74,114.5 | 39,055.0 | 27.4 | 16.6 | 1.9 | 1.9 | 1.8 | 11.4 | 10.4 | 9.8 | 18.9 | 0.1 | 1.6
DHR | Danaher Corp. | 74.92 | 95.1 | 52,330.3 | 52,780.2 | 19,118.0 | 52.1 | 21.8 | 2.8 | 2.8 | 2.6 | 12.7 | 12.7 | 11.6 | 22.0 | 0.1 | 1.5
SU | Schneider Electric SA | 87.82 | 94.2 | 50,182.4 | 54,939.0 | 32,432.7 | 37.8 | 16.0 | 1.7 | 2.3 | 2.1 | 10.6 | 14.1 | 13.3 | 16.5 | 0.9 | 2.5
JCI | Johnson Controls Inc. | 46.35 | 88.3 | 30,777.7 | 37,612.7 | 43,216.0 | 16.0 | 9.0 | 0.9 | 0.9 | 0.9 | 9.7 | 9.4 | 9.4 | 16.3 | 1.7 | 0.9
TYC | Tyco International Ltd. | 43.32 | 98.2 | 19,940.6 | 21,076.6 | 10,694.0 | 36.7 | 14.2 | 2.0 | 2.0 | 1.9 | 13.9 | 12.9 | 12.2 | 22.7 | 0.7 | 1.4
ASSA B | Assa Abloy AB | 51.58 | 95.3 | 19,097.3 | 21,872.6 | 7,541.2 | 38.0 | 16.1 | 2.9 | 3.2 | 3.1 | 18.0 | 17.8 | 16.3 | 24.4 | 2.3 | 1.5
IR | Ingersoll-Rand Co. Ltd. | 57.87 | 80.7 | 16,090.5 | 17,736.9 | 12,350.5 | 29.9 | 12.0 | 1.4 | 1.4 | 1.4 | 12.0 | 11.3 | 10.2 | 22.1 | 1.1 | 1.3
ROP | Roper Industries Inc. | 136.46 | 95.7 | 13,584.3 | 15,589.5 | 3,238.1 | 58.1 | 32.0 | 4.8 | 4.8 | 4.4 | 15.1 | 14.7 | 13.3 | 24.4 | 1.9 | 1.6
SWK | Stanley Black & Decker, Inc. | 80.31 | 86.6 | 12,507.5 | 16,415.5 | 11,001.2 | 36.0 | 13.9 | 1.5 | 1.5 | 1.4 | 10.7 | 10.5 | 9.7 | 16.3 | 2.5 | 1.6
TRMB | Trimble Navigation Limited | 38.59 | 96.1 | 10,027.4 | 10,651.7 | 2,288.1 | 56.3 | 20.2 | 4.7 | 4.7 | 4.2 | 23.0 | 23.1 | 20.0 | 25.7 | 1.3 | 1.4
VRNT | Verint Systems Inc. | 46.56 | 95.0 | 2,488.9 | 2,765.0 | 880.5 | 68.3 | 20.1 | 3.1 | 3.1 | 2.7 | 15.6 | 12.6 | 9.8 | 16.6 | 1.5 | 1.6

Mean | | | 93.2% | | | | 39.4% | 16.9% | 2.0x | 2.2x | 2.0x | 12.4x | 12.4x | 11.0x | 20.2x | 1.3x | 1.5
Median | | | 95.1% | | | | 36.7% | 16.1% | 1.9x | 2.0x | 1.9x | 11.8x | 12.6x | 10.2x | 18.9x | 1.3x | 1.5

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date.
Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.


Figure 41: Public Safety and Justice ($ in thousands except stock price)

Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014
Physical Security - Public Safety & Justice
CSU | Constellation Software Inc. | $233.81 | 95.3% | $4,954.8 | $5,353.2 | $1,210.8 | 32.3% | 12.8% | 4.4x | 4.5x | 3.1x | 34.6x | 23.4x | 15.8x | 26.0x | 2.6x | 0.6
LLL | L-3 Communications Holdings Inc. | 116.39 | 98.2 | 9,991.8 | 13,211.8 | 12,629.0 | 10.2 | 11.9 | 1.0 | 1.1 | 1.1 | 8.8 | 9.1 | 8.9 | 13.9 | 2.1 | 5.4
CXW | Corrections Corporation of America | 32.96 | 79.6 | 3,821.8 | 4,948.9 | 1,694.3 | 28.0 | 21.9 | 2.9 | 2.9 | 3.0 | 13.3 | 13.3 | 12.5 | 16.2 | 3.0 | 2.6
TYL | Tyler Technologies Inc. | 90.93 | 84.2 | 2,993.9 | 2,915.0 | 416.6 | 46.4 | 18.9 | 7.0 | 7.0 | 6.2 | 37.0 | 33.5 | 27.2 | N/M | N/M | 2.0
QQ. | QinetiQ Group Plc | 3.71 | 93.6 | 2,413.6 | 2,220.1 | 2,010.7 | 16.9 | 18.6 | 1.1 | 1.8 | 1.8 | 5.9 | 13.0 | 13.8 | 14.3 | N/M | 39.0
OSIS | OSI Systems, Inc. | 63.98 | 81.5 | 1,275.2 | 1,310.0 | 869.0 | 35.4 | 15.3 | 1.5 | 1.5 | 1.4 | 9.8 | 10.1 | 7.2 | 21.3 | 0.3 | 0.8
FSS | Federal Signal Corp. | 14.90 | 93.8 | 935.5 | 1,003.8 | 851.3 | 24.1 | 10.0 | 1.2 | 1.2 | 1.1 | 11.7 | 12.2 | 10.0 | 17.1 | 0.8 | 1.2
ASEI | American Science & Engineering Inc. | 66.94 | 89.6 | 521.1 | 372.0 | 167.0 | 41.6 | 13.9 | 2.2 | 2.2 | 2.2 | 16.1 | 16.1 | 16.5 | N/M | N/M | 15.7
KTOS | Kratos Defense & Security Solutions, Inc. | 7.10 | 77.3 | 407.4 | 996.4 | 950.6 | 25.2 | 8.3 | 1.0 | 1.0 | 1.0 | 12.6 | 9.7 | 10.1 | N/M | 7.5 | 3.7
SEPU | Sepura PLC | 2.29 | 88.3 | 316.2 | 320.7 | 145.3 | 47.2 | 10.0 | 2.2 | 3.5 | 3.2 | 22.1 | 27.5 | 24.0 | 20.1 | 0.3 | N/A
TSYS | TeleCommunication Systems Inc. | 2.15 | 67.0 | 128.1 | 213.7 | 362.3 | 38.4 | 5.9 | 0.6 | 0.6 | 0.6 | 10.0 | 6.1 | 6.0 | N/M | 4.0 | 1.4
ARTX | Arotech Corp. | 4.36 | 73.8 | 81.6 | 82.4 | 89.8 | 25.9 | 6.2 | 0.9 | 0.9 | 0.9 | 14.7 | 12.3 | 12.1 | 15.6 | 0.1 | N/A
ITI | Iteris, Inc. | 2.15 | 86.0 | 70.5 | 50.0 | 66.5 | 38.5 | 5.7 | 0.8 | 0.8 | 0.7 | 13.2 | 15.4 | 9.1 | N/M | N/M | 2.2
ORAD | Orad Ltd. | 0.51 | 99.1 | 21.5 | 41.2 | 43.5 | 29.4 | 12.2 | 0.9 | N/A | N/A | 7.8 | N/A | N/A | N/M | 3.7 | N/A

Mean | | | 85.2% | | | | 31.4% | 12.3% | 1.4x | 1.6x | 1.7x | 12.7x | 13.5x | 11.6x | 18.1x | 2.4x | 6.8
Median | | | 86.0% | | | | 30.8% | 12.0% | 1.1x | 1.2x | 1.3x | 12.6x | 12.7x | 11.1x | 17.3x | 2.3x | 2.2

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date.
Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.


Figure 42: Security Equipment

($ in thousands except stock price)

Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014
Physical Security - Security Equipment
IR | Ingersoll-Rand Plc | $57.87 | 80.7% | $16,090.5 | $17,736.9 | $12,350.5 | 29.9% | 12.0% | 1.4x | 1.4x | 1.4x | 12.0x | 11.3x | 10.2x | 22.1x | 1.1x | 1.3
002415 | Hangzhou Hikvision Digital Technology | 3.39 | 73.5 | 13,605.2 | 12,861.4 | 1,774.1 | 100.0 | 28.0 | 7.2 | 1.2 | 0.9 | 25.9 | 4.6 | 2.3 | 24.4 | N/M | 0.5
SMIN | Smiths Group plc | 22.22 | 87.1 | 8,763.1 | 9,905.0 | 4,720.4 | 45.5 | 19.5 | 2.1 | 3.2 | 3.1 | 10.7 | 15.8 | 14.9 | 14.6 | 1.2 | 3.8
FBHS | Fortune Brands Home & Security, Inc. | 43.47 | 90.7 | 7,205.5 | 7,323.8 | 4,157.4 | 34.6 | 11.4 | 1.8 | 1.8 | 1.6 | 15.5 | 15.1 | 11.9 | 29.2 | 0.2 | 1.6
002236 | Zhejiang Dahua Technology Co.,Ltd. | 5.04 | 65.2 | 5,774.9 | 5,537.5 | 893.6 | 100.0 | 17.9 | 6.2 | 1.1 | 0.7 | 34.6 | 4.7 | 3.3 | N/M | N/M | 0.5
ALLE | Allegion Plc | 53.63 | 96.1 | 5,174.7 | 6,322.3 | 2,093.5 | 41.2 | 19.7 | 3.0 | 3.0 | 2.9 | 15.3 | 14.6 | 14.6 | 27.2 | 2.7 | N/A
FLIR | FLIR Systems, Inc. | 34.45 | 97.2 | 4,853.2 | 4,699.3 | 1,496.4 | 49.4 | 22.1 | 3.1 | 3.2 | 3.1 | 14.2 | 13.9 | 13.2 | 24.5 | N/M | 1.9
UBNT | Ubiquiti Networks, Inc. | 52.67 | 95.9 | 4,623.7 | 4,391.8 | 452.5 | 43.9 | 33.6 | 9.7 | 9.7 | 7.3 | 28.8 | 30.3 | 20.7 | N/M | N/M | 0.8
AXE | Anixter International Inc. | 103.40 | 89.3 | 3,366.3 | 4,145.0 | 6,226.5 | 22.8 | 6.2 | 0.7 | 0.7 | 0.6 | 10.8 | 10.9 | 10.1 | 18.3 | 2.0 | 1.2
DBD | Diebold, Incorporated | 40.31 | 100.0 | 2,591.5 | 2,665.9 | 2,857.5 | 23.4 | 7.0 | 0.9 | 0.9 | 0.9 | 13.4 | 12.5 | 11.3 | 29.6 | 0.3 | 2.2
AXIS | Axis AB (publ) | 33.81 | 86.1 | 2,348.6 | 2,296.1 | 733.7 | 51.5 | 14.7 | 3.1 | 0.5 | N/A | 21.2 | 2.9 | N/A | N/M | N/M | N/A
MSA | Mine Safety Appliances | 53.61 | 96.8 | 1,994.8 | 2,176.2 | 1,112.1 | 44.7 | 15.5 | 2.0 | 1.9 | 1.8 | 12.6 | 12.7 | 11.1 | 23.2 | 1.0 | 1.1
002414 | Wuhan Guide Infrared Co., Ltd. | 3.17 | 73.6 | 1,902.3 | 1,863.6 | 58.8 | 100.0 | 14.0 | 31.7 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A
KABN | Kaba Holding AG | 485.00 | 95.2 | 1,843.7 | 1,836.9 | 1,109.8 | 68.5 | 14.7 | 1.7 | 1.8 | 1.8 | 11.3 | 11.1 | 10.6 | 19.2 | N/M | 1.8
AVO | Avigilon Corporation | 27.44 | 88.3 | 1,178.8 | 1,080.0 | 167.9 | 54.2 | 17.1 | 6.4 | 6.0 | 3.9 | 37.7 | 32.0 | 19.9 | N/M | N/M | 0.7
002528 | Infinova | 2.94 | 81.0 | 1,040.3 | 937.3 | 158.7 | 100.0 | 7.1 | 5.9 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A
ALOG | Analogic Corporation | 80.00 | 80.0 | 993.1 | 882.1 | 543.5 | 41.2 | 11.3 | 1.6 | 1.6 | 1.5 | 14.4 | 10.9 | 9.9 | 22.7 | N/M | 0.9
OVTI | OmniVision Technologies, Inc. | 17.34 | 84.7 | 971.5 | 601.5 | 1,459.2 | 18.4 | 7.0 | 0.4 | 0.4 | 0.5 | 5.9 | 4.7 | 5.4 | 8.1 | N/M | 0.8
SWHC | Smith & Wesson Holding Corporation | 13.85 | 89.0 | 761.0 | 818.6 | 634.9 | 40.8 | 27.7 | 1.3 | 1.3 | 1.3 | 4.7 | 4.5 | 5.2 | 9.4 | 0.3 | 0.5
CTS | CTS Corporation | 20.89 | 97.9 | 704.4 | 655.7 | 409.5 | 30.1 | 11.5 | 1.6 | 1.2 | 1.5 | 13.9 | 12.0 | 10.4 | 26.4 | N/M | 1.4
CKP | Checkpoint Systems Inc. | 13.96 | 76.5 | 578.4 | 571.5 | 695.5 | 39.2 | 8.4 | 0.8 | 0.8 | 0.8 | 9.8 | 7.7 | 6.2 | N/M | N/M | 0.6
CTRL | Control4 Corporation | 23.37 | 71.9 | 535.3 | 453.7 | 128.5 | 50.3 | 6.4 | 3.5 | 3.5 | 3.0 | N/M | 41.2 | 29.6 | N/M | N/M | 1.5
3454 | Vivotek Inc | 6.37 | 90.0 | 449.2 | 416.3 | 136.7 | 46.2 | 24.1 | 3.0 | N/A | N/A | 12.6 | N/A | N/A | N/M | N/M | N/A
GUNN | Gunnebo AB | 5.65 | 86.6 | 429.0 | 545.7 | 819.8 | 30.6 | 7.3 | 0.7 | 0.7 | 0.7 | 9.1 | 8.9 | 8.0 | 22.5 | 1.9 | 0.3
3356 | Geovision, Inc. | 6.53 | 93.2 | 415.7 | 381.8 | 76.8 | 55.5 | 31.0 | 5.0 | 0.2 | 0.1 | 16.0 | 0.6 | 0.4 | 21.2 | N/M | 0.6
SEPU | Sepura PLC | 2.29 | 88.3 | 316.2 | 320.7 | 145.3 | 47.2 | 10.0 | 2.2 | 3.5 | 3.2 | 22.1 | 27.5 | 24.0 | 20.1 | 0.3 | N/A
5489 | DynaColor, Inc. | 2.78 | 97.5 | 277.1 | 262.5 | 75.3 | 42.3 | 23.3 | 3.5 | 0.1 | 0.1 | 15.0 | 0.5 | 0.4 | 18.6 | N/M | 0.9
8072 | Av Tech Corporation | 2.77 | 88.1 | 276.5 | 165.5 | 94.9 | 37.9 | 27.6 | 1.7 | N/A | N/A | 6.3 | N/A | N/A | 12.6 | N/M | N/A
MBQ | Mobotix AG | 20.13 | 78.2 | 264.6 | 265.7 | 118.2 | 74.9 | 25.0 | 2.2 | 3.0 | 2.7 | 9.0 | 11.6 | 10.5 | 14.9 | 0.0 | 1.1
NSSC | Napco Security Systems Inc. | 6.65 | 86.4 | 129.1 | 138.8 | 74.6 | 30.9 | 8.7 | 1.9 | N/A | N/A | 21.4 | N/A | N/A | N/M | 1.5 | N/A
3669 | AVer Information Inc. | 0.90 | 95.5 | 87.2 | 58.2 | 55.2 | 52.7 | 6.0 | 1.1 | N/A | N/A | 17.4 | N/A | N/A | N/M | N/M | N/A
AFHL | AFCON Holdings Ltd. | 15.88 | 81.5 | 72.7 | 129.8 | 287.2 | 18.1 | 5.3 | 0.5 | N/A | N/A | 8.5 | N/A | N/A | N/M | 3.8 | N/A
IDSY | ID Systems Inc. | 5.76 | 84.2 | 70.2 | 59.9 | 39.9 | 44.8 | N/M | 1.5 | 1.5 | 1.2 | N/M | N/M | 12.6 | N/M | N/M | 48.0
MAGS | Magal Security Systems Ltd. | 3.94 | 78.1 | 63.7 | 28.0 | 60.8 | 43.0 | 3.8 | 0.5 | N/A | N/A | 12.3 | N/A | N/A | N/M | N/M | N/A
5251 | JSW Pacific Corporation | 2.36 | 78.0 | 60.0 | 46.9 | 43.4 | 29.8 | 17.0 | 1.1 | N/A | N/A | 6.4 | N/A | N/A | N/M | N/M | N/A
IMSC | Implant Sciences Corp. | 0.87 | 62.1 | 53.8 | 98.4 | 8.0 | 29.9 | N/M | 12.3 | 12.3 | 3.9 | N/M | N/M | N/M | N/M | N/M | NM
5484 | EverFocus Electronics Corporation | 0.46 | 96.2 | 53.4 | 46.7 | 74.9 | 29.2 | N/M | 0.6 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A
6131 | Yoko Technology Corp. | 0.55 | 98.8 | 53.3 | 43.4 | 32.9 | 18.2 | N/M | 1.3 | 0.0 | 0.1 | N/M | N/A | N/A | N/M | N/M | N/A

Continued on Next Page.


Figure 43: Security Equipment, continued ($ in thousands except stock price)

Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014
Physical Security - Security Equipment
IR | Ingersoll-Rand Plc | $57.87 | 80.7% | $16,090.5 | $17,736.9 | $12,350.5 | 29.9% | 12.0% | 1.4x | 1.4x | 1.4x | 12.0x | 11.3x | 10.2x | 22.1x | 1.1x | 1.3
IND | IndigoVision Group plc | 7.15 | 97.7 | 53.8 | 50.9 | 56.4 | 57.7 | 7.9 | 0.9 | 1.5 | 0.9 | 11.4 | 17.7 | 11.3 | 16.7 | N/M | N/A
RWC | RELM Wireless Corp. | 3.33 | 81.4 | 45.4 | 37.4 | 27.0 | 43.5 | 7.6 | 1.4 | N/A | N/A | 18.3 | N/A | N/A | N/M | N/M | N/A
ISNS | Image Sensing Systems, Inc. | 5.49 | 66.3 | 27.3 | 21.1 | 26.3 | 62.4 | N/M | 0.8 | 0.8 | 0.7 | N/M | N/A | N/A | N/M | N/M | NM
MACE | Mace Security International Inc. | 0.36 | 61.0 | 21.2 | 19.2 | 12.3 | 36.0 | N/M | 1.6 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A
API | Advanced Photonix Inc. | 0.63 | 71.7 | 19.7 | 23.5 | 28.1 | 34.8 | N/M | 0.8 | 0.8 | 0.7 | N/M | N/M | 18.3 | N/M | N/M | N/A
DGLY | Digital Ally Inc. | 8.28 | 47.4 | 18.4 | 20.7 | 19.0 | 56.7 | N/M | 1.1 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A
GRDH | Guardian 8 Corp Holdings | 0.46 | 46.0 | 16.6 | 17.5 | 0.0 | 73.9 | N/M | N/M | 33.2 | 4.1 | N/M | N/A | N/A | N/M | N/M | N/A
CSTI | Costar Technologies, Inc | 11.60 | 90.3 | 16.6 | 14.0 | 26.4 | 29.4 | 8.3 | 0.5 | N/A | N/A | 6.4 | N/A | N/A | N/M | N/M | N/A
531404 | Zicom Electronic Security Systems Limited | 0.94 | 61.3 | 16.6 | 69.2 | 134.0 | 23.2 | 12.4 | 0.5 | N/A | 0.0 | 4.2 | N/A | 0.1 | N/M | 3.2 | N/A
NWT | Newmark Security plc | 0.03 | 92.8 | 13.5 | 10.9 | 30.5 | 39.8 | 19.9 | 0.4 | 0.6 | 0.6 | 1.8 | 3.7 | 4.0 | 4.8 | N/M | N/A
ELN | Electronics Line 3000 | 0.73 | 55.9 | 10.0 | 7.7 | 16.1 | 38.8 | 6.0 | 0.5 | 0.7 | 0.6 | 8.0 | 4.6 | 5.1 | 3.8 | N/M | 0.2
QTG | Q Technology Group Limited | 0.02 | 67.9 | 3.3 | 5.2 | 20.7 | 17.6 | N/M | 0.3 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A
ANVS | ANV Security Group, Inc. | 0.01 | 10.0 | 0.6 | 0.5 | 0.4 | 93.9 | N/M | 1.5 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A

Mean | | | 81.0% | | | | 46.8% | 14.7% | 2.0x | 1.6x | 1.5x | 13.0x | 9.8x | 9.8x | 18.7x | 1.4x | 3.2
Median | | | 86.2% | | | | 42.7% | 12.4% | 1.5x | 1.2x | 1.2x | 12.6x | 10.9x | 10.5x | 19.6x | 1.2x | 0.9

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date.
Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.

Figure 43: Explosives Detection and Security Sensors ($ in thousands except stock price)

Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014
Physical Security - Explosives Detection & Security Sensors
TMO | Thermo Fisher Scientific, Inc. | $123.12 | 96.5% | $48,237.4 | $52,899.4 | $13,090.3 | 42.5% | 21.3% | 4.0x | 4.1x | 3.2x | 19.0x | 19.3x | 13.1x | 23.0x | 1.7x | 1.3
LLL | L-3 Communications Holdings Inc. | 116.39 | 98.2 | 9,991.8 | 13,211.8 | 12,629.0 | 10.2 | 11.9 | 1.0 | 1.1 | 1.1 | 8.8 | 9.1 | 8.9 | 13.9 | 2.1 | 5.4
SMIN | Smiths Group plc | 22.22 | 87.1 | 8,763.1 | 9,905.0 | 4,720.4 | 45.5 | 19.5 | 2.1 | 2.1 | 2.0 | 10.7 | 10.4 | 9.4 | 14.6 | 1.2 | 3.8
QQ. | QinetiQ Group Plc | 3.71 | 93.6 | 2,413.6 | 2,220.1 | 2,010.7 | 16.9 | 18.6 | 1.1 | 1.0 | 1.0 | 5.9 | 8.3 | 8.3 | 14.3 | N/M | 39.0
MSA | Mine Safety Appliances Co. | 53.61 | 96.8 | 1,994.8 | 2,176.2 | 1,112.1 | 44.7 | 15.5 | 2.0 | 1.9 | 1.8 | 12.6 | 12.7 | 11.1 | 23.2 | 1.0 | 1.1
OSIS | OSI Systems, Inc. | 63.49 | 80.9 | 1,265.5 | 1,300.3 | 869.0 | 35.4 | 15.3 | 1.5 | 1.5 | 1.4 | 9.8 | 10.0 | 7.1 | 21.2 | 0.3 | 0.8
ALOG | Analogic Corporation | 79.66 | 79.7 | 988.9 | 877.9 | 543.5 | 41.2 | 11.3 | 1.6 | 1.6 | 1.5 | 14.3 | 10.9 | 9.8 | 22.6 | N/M | 0.9
ASEI | American Science & Engineering Inc. | 66.80 | 89.4 | 520.0 | 370.9 | 167.0 | 41.6 | 13.9 | 2.2 | 2.2 | 2.2 | 16.0 | 16.0 | 16.5 | N/M | N/M | 15.7
IMSC | Implant Sciences Corp. | 0.87 | 62.1 | 53.8 | 98.4 | 8.0 | 29.9 | N/M | 12.3 | 12.3 | 3.9 | N/M | N/M | N/M | N/M | N/M | NM
APC | Advanced Power Components plc | 0.89 | 76.9 | 51.9 | 50.3 | 33.5 | 30.3 | 2.5 | 1.5 | 2.2 | 1.9 | N/M | N/M | 28.5 | N/M | N/M | N/A
API | Advanced Photonix Inc. | 0.63 | 71.7 | 19.7 | 23.5 | 28.1 | 34.8 | N/M | 0.8 | 0.8 | 0.7 | N/M | N/M | 18.3 | N/M | N/M | N/A
QTG | Q Technology Group | 0.02 | 67.9 | 3.3 | 5.2 | 20.7 | 17.6 | N/M | 0.3 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A

Mean | | | 83.4% | | | | 32.5% | 14.4% | 1.7x | 1.9x | 1.6x | 12.0x | 10.2x | 11.4x | 19.0x | 1.2x | 8.5
Median | | | 84.0% | | | | 35.1% | 15.3% | 1.5x | 1.8x | 1.7x | 11.7x | 10.2x | 9.8x | 21.2x | 1.2x | 2.6

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date.
Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.


Figure 44: Alarm Monitoring ($ in thousands except stock price)

Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014
Physical Security - Alarm Monitoring
ADT | The ADT Corporation | $28.53 | 56.7% | $5,228.9 | $9,585.9 | $3,339.0 | 58.0% | 41.2% | 2.9x | 2.9x | 2.8x | 7.0x | 5.6x | 5.4x | 15.6x | 3.2x | 1.6
PSG | Prosegur Compania de Seguridad SA | 5.93 | 82.7 | 3,398.8 | 4,452.9 | 5,088.7 | 23.4 | 12.4 | 0.9 | 1.1 | 1.0 | 7.1 | 8.6 | 7.8 | 15.7 | 1.7 | 1.4
ASCM.A | Ascent Capital Group, Inc. | 75.36 | 84.6 | 1,060.7 | 2,469.8 | 451.0 | 83.6 | 64.0 | 5.5 | 0.6 | 0.5 | 8.6 | 4.8 | 4.3 | N/M | 4.9 | NM
AF | AlarmForce Industries Inc. | 9.78 | 87.9 | 116.7 | 103.9 | 45.1 | 76.5 | 28.8 | 2.3 | 2.1 | 1.9 | 8.0 | 5.2 | 5.6 | 22.2 | N/M | N/A
VII | Vicon Industries Inc. | 3.41 | 78.4 | 15.4 | 7.1 | 36.9 | 38.2 | N/M | 0.2 | 0.0 | 0.0 | N/M | 0.0 | 0.0 | N/M | N/M | N/A

Mean | | | 78.1% | | | | 55.9% | 36.6% | 2.3x | 1.3x | 1.2x | 7.6x | 4.9x | 4.6x | 17.8x | 3.2x | 1.5
Median | | | 82.7% | | | | 58.0% | 35.0% | 2.3x | 1.1x | 1.0x | 7.5x | 5.2x | 5.4x | 15.7x | 3.2x | 1.5

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date.
Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.

Figure 45: Guard Services / Cash-in-Transit

Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014
Physical Security - Guard Services
9735 | Secom Co. Ltd. | $54.35 | 85.7% | $11,862.2 | $11,002.5 | $7,731.2 | 33.6% | 19.6% | 1.4x | 0.0x | 0.0x | 7.3x | 0.1x | 0.1x | 18.5x | N/M | 1.6
GFS | G4S plc | 3.93 | 74.9 | 6,068.2 | 8,836.4 | 12,305.1 | 18.3 | 7.3 | 0.7 | 0.7 | 0.7 | 9.9 | 7.9 | 7.5 | 14.5 | 3.0 | 1.6
SECU B | Securitas AB | 11.34 | 96.6 | 4,141.5 | 5,671.5 | 10,219.6 | 17.4 | 6.5 | 0.6 | 0.6 | 0.6 | 8.5 | 9.0 | 8.5 | 14.4 | 2.3 | 1.1
PSG | Prosegur Compania de Seguridad SA | 5.93 | 82.7 | 3,398.8 | 4,452.9 | 5,088.7 | 23.4 | 12.4 | 0.9 | 1.1 | 1.0 | 7.1 | 8.6 | 7.8 | 15.7 | 1.7 | 1.4
NICE | NICE Systems Ltd. | 40.57 | 94.2 | 2,503.1 | 2,300.7 | 949.3 | 61.6 | 18.4 | 2.4 | 2.4 | 2.3 | 13.2 | 9.7 | 9.4 | 15.8 | N/M | 1.2
GEO | The GEO Group, Inc. | 31.99 | 81.3 | 2,305.9 | 3,839.0 | 1,522.1 | 26.1 | 18.4 | 2.5 | 2.5 | 2.4 | 13.7 | 13.2 | 12.1 | 19.8 | 5.5 | 2.1
LOOM B | Loomis AB | 24.18 | 92.8 | 1,817.7 | 2,157.7 | 1,767.7 | 23.2 | 16.3 | 1.2 | 0.2 | 0.2 | 7.5 | 1.2 | 1.1 | 15.6 | 1.2 | 2.0
BCO | Brinks Co. | 29.32 | 82.1 | 1,420.0 | 1,686.1 | 3,942.2 | 18.9 | 8.6 | 0.4 | N/A | 0.4 | 5.0 | N/A | N/A | N/M | 0.5 | 1.1
ITRN | Ituran Location & Control Ltd. | 24.08 | 96.4 | 505.0 | 467.9 | 170.2 | 52.5 | 31.9 | 2.7 | 0.8 | 0.7 | 8.6 | N/A | N/A | 18.0 | N/M | N/A
LOJN | LoJack Corporation | 6.51 | 95.0 | 122.4 | 96.7 | 140.2 | 55.0 | 2.5 | 0.7 | 0.7 | 0.6 | 27.1 | 17.0 | 7.1 | N/M | N/M | 2.4
PNTR | Pointer Telocation Ltd. | 9.88 | 74.7 | 76.0 | 99.4 | 97.9 | 32.3 | 10.7 | 1.0 | N/A | N/A | 9.5 | N/A | N/A | N/M | 1.7 | N/A
MOC | Command Security Corp. | 2.05 | 78.8 | 19.0 | 26.5 | 156.0 | 13.0 | 2.5 | 0.2 | 0.2 | N/A | 6.9 | N/A | N/A | 15.5 | 1.9 | N/A

Mean | | | 86.3% | | | | 31.3% | 12.9% | 0.9x | 0.6x | 0.6x | 8.8x | 9.7x | 8.1x | 16.4x | 2.2x | 1.6
Median | | | 84.2% | | | | 24.8% | 11.6% | 0.8x | 0.7x | 0.6x | 8.5x | 9.0x | 7.8x | 15.7x | 1.8x | 1.6

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date.
Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.


Identity Solutions Companies

Figure 46: Intelligent Video ($ in thousands except stock price)

Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014
Identity Solutions - Intelligent Video
002415 | Hangzhou HIKvision Digital Technology | $3.37 | 73.5% | $13,533.3 | $12,789.5 | $1,774.1 | NA | 28.0% | 7.2x | N/M | N/M | 25.8x | N/M | N/M | 4.4x | N/M | 0.5
002236 | Zhejiang Dahua Technology Co.,Ltd. | 5.01 | 65.2 | 5,744.4 | 5,507.0 | 893.6 | NA | 17.9 | 6.2 | 1.0 | 0.7 | 34.4 | 4.7 | 3.3 | 5.0 | N/M | 0.5
FLIR | FLIR Systems Inc. | 34.34 | 96.9 | 4,837.8 | 4,683.8 | 1,496.4 | 49.4 | 22.1 | 3.1 | 3.2 | 3.1 | 14.1 | 13.9 | 13.1 | 28.1 | N/M | 1.9
NICE | NICE Systems Ltd. | 41.17 | 95.5 | 2,540.2 | 2,337.9 | 949.3 | 61.6 | 18.4 | 2.5 | 2.5 | 2.3 | 13.4 | 9.9 | 9.6 | N/M | N/M | 1.2
VRNT | Verint Systems Inc. | 46.19 | 94.3 | 2,469.1 | 2,745.2 | 880.5 | 68.3 | 20.1 | 3.1 | 3.0 | 2.6 | 15.5 | 12.5 | 9.8 | N/M | 1.5 | 1.6
AXIS | Axis AB | 33.88 | 85.8 | 2,353.6 | 2,301.1 | 733.7 | 51.5 | 14.7 | 3.1 | 3.7 | 3.0 | 21.3 | 23.7 | 18.1 | 4.9 | N/M | N/A
002414 | Wuhan Guide Infrared Co., Ltd. | 3.15 | 73.6 | 1,892.2 | 1,853.5 | 58.8 | 100.0 | 14.0 | 31.5 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A
AVO | Avigilon Corporation | 27.75 | 88.9 | 1,192.0 | 1,093.2 | 167.9 | 54.2 | 17.1 | 6.5 | 1.7 | 1.4 | 38.2 | 11.3 | 8.6 | N/M | N/M | 0.7
002528 | Infinova | 2.93 | 81.0 | 1,034.8 | 931.8 | 158.7 | 100.0 | 7.1 | 5.9 | 8.5 | 7.0 | N/M | 31.3 | 25.5 | 14.6 | N/M | N/A
3454 | Vivotek Inc | 6.38 | 90.0 | 449.8 | 416.9 | 136.7 | 46.2 | 24.1 | 3.1 | N/A | N/A | 12.6 | N/A | N/A | 0.6 | N/M | N/A
3356 | Geovision, Inc. | 6.54 | 93.2 | 416.3 | 382.3 | 76.8 | 55.5 | 31.0 | 5.0 | 0.2 | 0.1 | 16.1 | 0.6 | 0.4 | 0.7 | N/M | 0.7
MBQ | Mobotix AG | 20.22 | 78.5 | 265.7 | 266.9 | 118.2 | 74.9 | 25.0 | 2.3 | 2.4 | 2.0 | 9.0 | 9.0 | 7.3 | 21.4 | 0.0 | 1.1
BSL | Basler AG | 45.25 | 93.1 | 147.9 | 166.3 | 85.5 | 50.8 | 18.1 | 1.9 | 2.6 | 2.3 | 10.7 | 46.3 | 29.7 | 27.7 | 1.2 | 0.8
IND | IndigoVision Group plc | 7.11 | 97.2 | 53.6 | 50.6 | 56.4 | 57.7 | 7.9 | 0.9 | 1.5 | 0.9 | 11.3 | 14.1 | 9.0 | 25.0 | N/M | N/A
ISNS | Image Sensing Systems | 5.40 | 65.2 | 26.9 | 20.7 | 26.3 | 62.4 | N/M | 0.8 | 0.8 | 0.7 | N/M | 5.8 | 3.7 | N/M | N/M | NM
DGLY | Digital Ally Inc. | 8.15 | 46.7 | 18.1 | 20.4 | 19.0 | 56.7 | N/M | 1.1 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A
CSTI | Costar Technologies, Inc | 11.50 | 89.5 | 16.4 | 13.8 | 26.4 | 29.4 | 8.3 | 0.5 | N/A | N/A | 6.3 | N/A | N/A | 8.2 | N/M | N/A
VII | Vicon Industries Inc. | 3.46 | 79.5 | 15.6 | 7.3 | 36.9 | 38.2 | N/M | 0.2 | N/A | N/A | N/M | N/M | N/A | N/M | N/M | N/A

Mean | | | 82.6% | | | | 59.8% | 18.3% | 3.1x | 2.2x | 1.9x | 15.0x | 11.6x | 9.2x | 12.8x | 0.9x | 1.0
Median | | | 87.4% | | | | 56.1% | 18.1% | 3.1x | 2.5x | 2.1x | 13.8x | 11.3x | 9.0x | 8.2x | 1.2x | 0.8

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date.
Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.


Figure 47: Chinese Video Companies ($ in thousands except stock price)

Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014
Identity Solutions - Intelligent Video
002415 | Hangzhou HIKvision Digital Technology | $3.39 | 73.5% | $13,605.2 | $12,861.4 | $1,774.1 | 28.0% | 7.2x | N/M | N/M | 25.9x | N/M | N/M
002236 | Zhejiang Dahua Technology Co.,Ltd. | 5.04 | 65.2 | 5,774.9 | 5,537.5 | 893.6 | 17.9 | 6.2 | 1.1 | 0.7 | 34.6 | 4.7 | 3.3
002414 | Wuhan Guide Infrared Co., Ltd. | 3.17 | 73.6 | 1,902.3 | 1,863.6 | 58.8 | 14.0 | 31.7 | N/A | N/A | N/M | N/A | N/A
002528 | Infinova | 2.94 | 81.0 | 1,040.3 | 937.3 | 158.7 | 7.1 | 5.9 | 8.6 | 7.0 | N/M | 31.5 | 25.7
9925 | Taiwan Shin Kong Security Co. Ltd. | 1.38 | 95.4 | 519.5 | 399.1 | 245.3 | 19.2 | 1.6 | N/A | N/A | 8.5 | N/A | N/A
5388 | Sercomm | 2.29 | 96.9 | 469.6 | 414.0 | 638.5 | 6.5 | 0.6 | 0.0 | 0.0 | 9.9 | 0.4 | 0.2
3454 | Vivotek Inc | 6.37 | 90.0 | 449.2 | 416.3 | 136.7 | 24.1 | 3.0 | N/A | N/A | 12.6 | N/A | N/A
3356 | Geovision, Inc. | 6.53 | 93.2 | 415.7 | 381.8 | 76.8 | 31.0 | 5.0 | 0.2 | 0.1 | 16.0 | 0.6 | 0.4
5489 | DynaColor, Inc. | 2.78 | 97.5 | 277.1 | 262.5 | 75.3 | 23.3 | 3.5 | 0.1 | 0.1 | 15.0 | 0.5 | 0.4
8072 | AV Tech Corporation | 2.77 | 88.1 | 276.5 | 165.5 | 94.9 | 27.6 | 1.7 | N/A | N/A | 6.3 | N/A | N/A
3669 | AVer Information Inc. | 0.90 | 95.5 | 87.2 | 58.2 | 55.2 | 6.0 | 1.1 | N/A | N/A | 17.4 | N/A | N/A
5251 | JSW Pacific Corporation | 2.36 | 78.0 | 60.0 | 46.9 | 43.4 | 17.0 | 1.1 | N/A | N/A | 6.4 | N/A | N/A
5484 | EverFocus Electronics Corporation | 0.46 | 96.2 | 53.4 | 46.7 | 74.9 | N/M | 0.6 | N/A | N/A | N/M | N/A | N/A
6131 | Yoko Technology Corp. | 0.55 | 98.8 | 53.3 | 43.4 | 32.9 | N/M | 1.3 | 0.0 | 0.1 | N/M | N/A | N/A
8051 | TeleEye Holdings Ltd. | 0.55 | 88.3 | 7.4 | 5.7 | 5.3 | N/M | 1.1 | N/A | N/A | N/M | N/A | N/A
ANVS | ANV Security Group, Inc. | 0.01 | 10.0 | 0.6 | 0.5 | 0.4 | N/M | 1.5 | N/A | N/A | N/M | N/A | N/A

Mean | | | 82.2% | | | | 18.5% | 2.8x | 0.3x | 0.2x | 15.1x | 1.5x | 1.1x
Median | | | 81.0% | | | | 18.5% | 1.6x | 0.1x | 0.1x | 15.0x | 0.5x | 0.4x

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date.
Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.


Figure 48: Products ($ in thousands except stock price)

Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014
Identity Solutions - Products
MMM | 3M Company | $132.07 | 94.0% | $87,521.7 | $90,697.7 | $30,871.0 | 47.8% | 26.0% | 2.9x | 2.9x | 2.8x | 11.3x | 11.3x | 10.7x | 19.6x | 0.3x | 1.6
ITW | Illinois Tool Works | 81.82 | 97.0 | 34,762.7 | 37,494.7 | 14,135.0 | 39.5 | 21.5 | 2.7 | 2.6 | 2.5 | 12.4 | 11.9 | 11.0 | 22.2 | 0.9 | 3.2
SAF | Safran SA | 66.51 | 87.6 | 27,698.5 | 30,372.9 | 20,265.8 | 47.2 | 13.9 | 1.5 | 2.1 | 1.9 | 10.7 | 12.2 | 11.6 | 18.0 | 0.9 | 1.2
ASSA B | Assa Abloy AB | 51.58 | 95.3 | 19,097.3 | 21,872.6 | 7,541.2 | 38.0 | 16.1 | 2.9 | 0.5 | 0.4 | 18.0 | 2.5 | 2.2 | 24.4 | 2.3 | 1.5
GTO | Gemalto | 113.86 | 89.8 | 9,823.4 | 9,211.4 | 3,289.4 | 38.9 | 15.7 | 2.8 | 3.8 | 3.5 | 17.8 | 22.0 | 18.4 | 26.3 | N/M | 1.2
ZBRA | Zebra Technologies | 69.25 | 95.2 | 3,488.1 | 3,074.8 | 1,038.2 | 48.5 | 18.7 | 3.0 | 3.0 | 2.7 | 15.8 | 15.7 | 12.4 | 26.0 | N/M | 2.0
BRC | Brady Corp. | 27.11 | 75.8 | 1,413.7 | 1,622.9 | 1,206.1 | 50.8 | 14.6 | 1.3 | 1.3 | 1.3 | 9.2 | 9.7 | 8.6 | 15.5 | 1.2 | 1.3
DLAR | De La Rue | 13.19 | 75.4 | 1,315.2 | 1,466.1 | 762.0 | 56.8 | 20.6 | 1.9 | 2.9 | 2.8 | 9.4 | 13.3 | 12.2 | 13.7 | 0.9 | N/A
UEPS | Net 1 Ueps Technologies | 10.12 | 77.8 | 463.2 | 536.7 | 489.8 | 53.3 | 17.1 | 1.1 | 1.1 | 1.0 | 6.4 | 6.1 | 4.6 | 9.2 | 0.9 | 0.7
VDSI | VASCO Data Security | 8.05 | 89.0 | 315.5 | 216.9 | 155.0 | 64.4 | 10.6 | 1.4 | 1.4 | 1.3 | 13.2 | 13.2 | 9.3 | N/M | N/M | N/A
DMRC | Digimarc | 31.23 | 84.6 | 232.1 | 202.5 | 35.0 | 73.3 | N/M | 5.8 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A
IWSY | ImageWare Systems | 2.25 | 78.9 | 190.8 | 187.4 | 5.3 | 79.2 | N/M | 35.4 | 36.6 | 15.9 | N/M | N/A | N/A | N/M | N/M | NM
IGP | Intercede Group | 3.19 | 100.0 | 155.4 | 143.4 | 12.7 | 99.7 | N/M | 11.3 | 17.3 | 12.7 | N/M | N/M | N/M | N/M | N/M | N/A
INSD | INSIDE Secure | 4.31 | 89.9 | 146.5 | 120.5 | 154.6 | 31.2 | N/M | 0.8 | 0.8 | 0.8 | N/M | 23.3 | 43.2 | N/M | N/M | NM
HOL | Hologram Industries | 0.79 | 84.6 | 141.8 | 365.0 | 304.2 | 20.1 | 28.8 | 1.2 | N/A | N/A | 4.2 | N/A | N/A | N/M | 2.5 | N/A
APDN | Applied DNA Sciences Inc. | 0.14 | 49.3 | 109.5 | 105.3 | 2.3 | 100.0 | N/M | 45.5 | 44.3 | 23.8 | N/M | N/A | N/A | N/M | N/M | N/A
OTIV | On Track Innovations | 3.02 | 68.9 | 98.7 | 96.6 | 41.1 | 49.8 | N/M | 2.4 | 3.0 | 3.1 | N/M | N/M | N/M | N/M | N/M | N/A
PREC | Precise Biometrics AB | 0.26 | 31.3 | 88.1 | 72.4 | 5.4 | 54.3 | N/M | 13.3 | 1.9 | 1.2 | N/M | N/A | N/M | N/M | N/M | N/A
DSS | Document Security Systems | 1.61 | 65.4 | 79.3 | 80.4 | 0.6 | NA | N/M | N/M | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A
PREC | Precia Société Anonyme | 119.93 | 95.8 | 66.8 | 56.0 | 116.3 | 76.1 | 11.2 | 0.5 | 0.6 | 0.6 | 4.3 | N/A | N/A | 12.0 | N/M | N/A
INVE | Identive Group | 0.90 | 58.0 | 66.7 | 65.7 | 97.5 | 40.0 | N/M | 0.7 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A
OSG | OpSec Security Group | 0.59 | 63.7 | 45.7 | 65.7 | 86.9 | 36.1 | 5.7 | 0.8 | N/A | N/A | 13.2 | N/A | N/A | N/M | 4.0 | N/A
D7S | Matica Technologies AG | 1.64 | 69.5 | 12.1 | 8.1 | 41.9 | 34.0 | 5.5 | 0.2 | N/A | N/A | 3.5 | N/A | N/A | N/M | N/M | N/A

Mean | | | 81.3% | | | | 56.3% | 17.9% | 3.3x | 3.0x | 1.9x | 10.4x | 12.5x | 11.0x | 18.7x | 1.2x | 1.6
Median | | | 86.1% | | | | 50.8% | 16.6% | 2.4x | 2.1x | 1.6x | 10.7x | 12.2x | 11.0x | 18.8x | 0.9x | 1.4

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date.
Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.


Identity Solutions Companies, continued

Figure 49: Location Technologies ($ in thousands except stock price)

Identity Solutions - Location & Tracking

| Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| GRMN | Garmin Ltd. | $53.46 | 97.1% | $10,432.7 | $9,103.7 | $2,631.9 | 53.5% | 24.8% | 3.5x | 3.5x | 3.5x | 13.9x | 14.6x | 14.0x | 21.3x | N/M | 2.8 |
| TRMB | Trimble Navigation Ltd. | 38.50 | 95.8 | 10,004.0 | 10,628.3 | 2,288.1 | 56.3 | 20.2 | 4.6 | 4.7 | 4.2 | 22.9 | 23.0 | 19.9 | 25.6 | 1.3 | 1.4 |
| MANH | Manhattan Associates, Inc. | 40.33 | 100.0 | 3,083.1 | 2,950.1 | 414.5 | 56.3 | 25.8 | 7.1 | 7.2 | 6.5 | 27.5 | 25.7 | 23.0 | N/M | N/M | N/A |
| TOM2 | TomTom NV | 6.41 | 73.8 | 1,424.7 | 1,310.9 | 1,326.8 | 54.1 | 12.5 | 1.0 | 1.4 | 1.4 | 7.9 | 9.0 | 10.3 | 18.6 | N/M | NM |
| CAMP | CalAmp Corp. | 32.70 | 93.8 | 1,128.5 | 1,099.8 | 224.4 | 33.1 | 10.7 | 4.9 | 4.9 | 4.1 | 45.8 | 41.1 | 28.3 | N/M | N/M | 1.3 |
| CKP | Checkpoint Systems Inc. | 13.96 | 76.5 | 578.4 | 571.5 | 695.5 | 39.2 | 8.4 | 0.8 | 0.8 | 0.8 | 9.8 | 7.7 | 6.2 | N/M | N/M | 0.6 |
| ITRN | Ituran Location & Control Ltd. | 24.08 | 96.4 | 505.0 | 467.9 | 170.2 | 52.5 | 31.9 | 2.7 | 0.8 | 0.7 | 8.6 | N/A | N/A | 18.0 | N/M | N/A |
| ABT | Absolute Software Corporation | 6.43 | 88.0 | 278.3 | 222.2 | 86.4 | 77.1 | 20.3 | 2.6 | 2.5 | 2.2 | 12.7 | 17.2 | 14.1 | N/M | N/M | N/A |
| DGII | Digi International | 9.99 | 78.4 | 258.5 | 160.7 | 195.7 | 50.4 | 8.6 | 0.8 | 0.8 | 0.8 | 9.6 | 10.1 | 8.0 | N/M | N/M | 2.2 |
| NMRX | Numerex | 12.77 | 79.9 | 241.4 | 217.3 | 77.8 | 41.3 | 4.9 | 2.8 | 2.8 | 2.3 | N/M | 29.0 | 19.1 | N/M | N/M | 2.3 |
| TSYS | TeleCommunication Systems | 2.16 | 67.3 | 128.7 | 214.3 | 362.3 | 38.4 | 5.9 | 0.6 | 0.6 | 0.6 | 10.0 | 6.1 | 6.1 | N/M | 4.0 | 1.4 |
| LOJN | LoJack Corp. | 6.51 | 95.0 | 122.4 | 96.7 | 140.2 | 55.0 | 2.5 | 0.7 | 0.7 | 0.6 | 27.1 | 17.0 | 7.1 | N/M | N/M | 2.4 |
| GPS | BSM Technologies | 2.12 | 68.1 | 98.2 | 95.5 | 21.0 | 60.6 | 14.1 | 4.6 | 4.3 | 3.4 | 32.3 | 23.0 | 15.0 | N/M | N/M | N/A |
| UBI | Ubisense Group | 4.20 | 90.2 | 96.8 | 96.8 | 37.6 | 36.4 | N/M | 2.6 | 3.5 | 2.7 | N/M | N/M | 36.7 | N/M | N/M | N/A |
| PNTR | Pointer Telocation Ltd. | 9.88 | 74.7 | 76.0 | 99.4 | 97.9 | 32.3 | 10.7 | 1.0 | N/A | N/A | 9.5 | N/A | N/A | N/M | 1.7 | N/A |
| USAT | USA Technologies | 2.04 | 76.7 | 72.5 | 73.3 | 39.4 | 37.5 | 15.7 | 1.9 | 1.9 | 1.6 | 11.8 | 11.0 | 8.1 | N/M | N/M | 1.9 |
| IDSY | ID Systems | 5.76 | 84.2 | 70.2 | 59.9 | 39.9 | 44.8 | N/M | 1.5 | 1.5 | 1.2 | N/M | N/M | 12.6 | N/M | N/M | 48.0 |
| NVTL | Novatel Wireless | 2.00 | 45.2 | 68.4 | 51.5 | 335.1 | 20.4 | N/M | 0.2 | 0.2 | 0.2 | N/M | N/M | N/M | N/M | N/M | NM |
| ESYS | Elecsys | 13.80 | 79.1 | 52.7 | 55.1 | 29.3 | 37.3 | 14.3 | 1.9 | N/A | 1.8 | 13.2 | N/A | N/A | N/M | 0.6 | 1.4 |
| LTRX | Lantronix | 2.22 | 67.1 | 32.5 | 26.5 | 45.1 | 47.5 | N/M | 0.6 | 0.6 | 0.6 | N/M | N/M | 18.9 | N/M | N/M | 2.7 |
| IMP | Intermap Technologies Corp. | 0.28 | 56.4 | 25.7 | 23.7 | 27.9 | 21.6 | 17.2 | 0.8 | N/A | N/A | 4.9 | N/A | N/A | N/M | N/M | N/A |
| ACT | Active Control Technology, Inc. | 0.05 | 83.3 | 0.8 | 0.6 | 4.2 | 35.8 | N/M | 0.2 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A |
| | Mean | | 79.5% | | | | 44.2% | 14.0% | 1.5x | 1.7x | 1.5x | 14.2x | 17.0x | 14.2x | 20.7x | 1.9x | 6.0 |
| | Median | | 79.1% | | | | 41.3% | 13.3% | 1.0x | 1.4x | 1.3x | 10.9x | 17.1x | 14.1x | 18.6x | 1.5x | 1.9 |

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date. Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.


Identity Solutions Companies, continued

Figure 50: Services ($ in thousands except stock price)

Identity Solutions - Services

| Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| EXPN | Experian | $17.50 | 81.6% | $17,377.9 | $20,691.9 | $4,784.0 | 45.1% | 34.2% | 4.3x | 4.3x | 4.0x | 12.7x | 12.4x | 11.6x | 19.7x | 2.0x | 1.8 |
| VRSN | VeriSign | 50.65 | 80.4 | 6,770.0 | 6,420.8 | 965.1 | 80.6 | 61.0 | 6.7 | 6.7 | 6.3 | 10.9 | 10.4 | 9.8 | 21.6 | N/M | 1.4 |
| PAY | VeriFone Systems | 32.86 | 96.6 | 3,651.1 | 4,439.9 | 1,709.5 | 37.6 | 10.3 | 2.6 | 2.6 | 2.4 | 25.2 | 14.3 | 13.5 | 26.5 | 4.3 | 7.2 |
| ACXM | Acxiom Corporation | 36.63 | 93.2 | 2,797.8 | 2,740.2 | 1,097.5 | 23.8 | 16.6 | 2.5 | 2.5 | 2.5 | 15.1 | 13.3 | 12.3 | N/M | N/M | 3.8 |
| FICO | Fair Isaac Corporation | 53.43 | 84.2 | 1,865.4 | 2,247.5 | 737.8 | 68.7 | 25.9 | 3.0 | 3.0 | 2.9 | 11.8 | 11.8 | 10.7 | 16.7 | 2.0 | 1.2 |
| HPY | Heartland Payment Systems | 44.05 | 87.3 | 1,616.7 | 1,697.2 | 2,135.4 | 15.0 | 7.6 | 0.8 | 2.8 | 2.6 | 10.5 | 11.6 | 10.7 | 19.5 | 0.5 | 1.2 |
| EGOV | NIC | 19.00 | 73.1 | 1,235.7 | 1,161.4 | 249.3 | 42.9 | 25.8 | 4.7 | 4.6 | 4.3 | 18.1 | 17.2 | 15.8 | N/M | N/M | 1.5 |
| WYY | WidePoint | 1.67 | 85.6 | 121.9 | 123.4 | 49.9 | 27.8 | 0.8 | 2.5 | 2.6 | 2.0 | N/M | N/M | 30.4 | N/M | 4.0 | 2.6 |
| INTX | Intersections | 6.45 | 58.1 | 116.7 | 97.8 | 324.0 | 66.5 | 8.2 | 0.3 | N/A | N/A | 3.7 | N/A | N/A | N/M | N/M | N/A |
| ADAT | Authentidate Holding Corp. | 1.03 | 54.8 | 39.5 | 36.2 | 6.1 | 31.8 | N/M | 5.9 | 2.8 | 2.1 | N/M | N/M | 15.6 | N/M | N/M | N/A |
| | Mean | | 79.5% | | | | 44.0% | 21.1% | 3.3x | 3.2x | 2.9x | 13.2x | 12.7x | 12.5x | 20.8x | 2.5x | 2.6 |
| | Median | | 82.9% | | | | 40.3% | 16.6% | 2.8x | 2.8x | 2.6x | 12.2x | 12.4x | 12.0x | 19.7x | 2.0x | 1.7 |

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date. Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.


Information Security Companies

Figure 51: Information Security Pure Plays ($ in thousands except stock price)

Information Security Pure Plays

| Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| SYMC | Symantec | $20.30 | 74.9% | $14,038.5 | $12,242.5 | $6,799.0 | 83.6% | 28.8% | 1.8x | 1.8x | 1.8x | 6.2x | 5.9x | 5.9x | 10.7x | N/M | 1.4 |
| CHKP | Check Point Software | 68.38 | 97.8 | 13,150.3 | 11,983.5 | 1,394.1 | 88.4 | 55.4 | 8.6 | 8.6 | 8.1 | 15.5 | 14.6 | 14.1 | 20.1 | N/M | 2.0 |
| WYN | Wynyard Group Limited | 72.73 | 94.9 | 9,319.8 | 13,981.8 | 5,009.0 | 52.2 | 22.9 | 2.8 | 2.8 | 2.6 | 12.2 | 12.1 | 11.3 | 19.1 | 4.1 | 1.8 |
| FFIV | F5 Networks | 109.94 | 94.2 | 8,294.2 | 7,716.0 | 1,522.3 | 82.6 | 30.8 | 5.1 | 5.1 | 4.4 | 16.4 | 13.1 | 11.4 | 23.5 | N/M | 1.3 |
| PANW | Palo Alto Networks | 78.25 | 97.8 | 5,795.6 | 5,357.4 | 482.9 | 73.2 | N/M | 11.1 | 11.1 | 8.1 | N/M | N/M | N/M | N/M | N/M | 3.2 |
| 4704 | Trend Micro | 31.02 | 75.2 | 4,183.5 | 2,846.5 | 1,030.1 | 82.1 | 33.9 | 2.8 | 0.0 | 0.0 | 8.2 | 0.1 | 0.1 | 23.4 | N/M | 1.7 |
| FTNT | Fortinet | 23.08 | 94.1 | 3,757.8 | 3,266.5 | 615.3 | 70.7 | 14.1 | 5.3 | 5.4 | 4.7 | 37.7 | 25.5 | 23.8 | N/M | N/M | 2.7 |
| RVBD | Riverbed Technology | 19.73 | 86.7 | 3,156.6 | 3,222.2 | 1,041.0 | 72.9 | 14.2 | 3.1 | 3.1 | 2.8 | 21.8 | 9.9 | 9.4 | 19.6 | 0.4 | 1.2 |
| CAVM | Cavium | 43.10 | 94.5 | 2,266.6 | 2,174.0 | 304.0 | 62.3 | 10.9 | 7.2 | 7.2 | 6.1 | N/M | N/M | 21.3 | N/M | N/M | 1.1 |
| ARUN | Aruba Networks | 19.44 | 75.3 | 2,075.6 | 1,797.4 | 637.5 | 69.9 | 1.7 | 2.8 | 1.5 | 1.4 | N/M | 4.5 | 4.1 | N/M | N/M | 1.1 |
| IMPV | Imperva | 61.10 | 91.0 | 1,594.1 | 1,476.4 | 137.8 | 78.4 | N/M | 10.7 | 10.8 | 8.3 | N/M | N/M | N/M | N/M | N/M | NM |
| PFPT | Proofpoint | 42.71 | 93.5 | 1,570.1 | 1,473.5 | 137.9 | 69.9 | N/M | 10.7 | 11.1 | 8.4 | N/M | N/M | N/M | N/M | N/M | NM |
| AVG | AVG Technologies | 20.84 | 78.5 | 1,134.6 | 1,122.2 | 407.1 | 83.1 | 33.2 | 2.8 | 2.8 | 2.9 | 8.3 | 7.9 | 8.6 | 10.2 | N/M | N/A |
| PKT | Qualys | 27.76 | 92.7 | 900.9 | 804.5 | 108.0 | 77.2 | 11.0 | 7.5 | 7.5 | 6.2 | N/M | 44.4 | 37.4 | N/M | N/M | 4.5 |
| SSNI | Silver Spring Networks | 17.00 | 50.3 | 811.8 | 667.5 | 326.9 | 35.3 | N/M | 2.0 | 2.0 | 1.8 | N/M | N/M | 42.0 | N/M | N/M | 8.3 |
| RDWR | Radware | 17.46 | 89.7 | 782.6 | 647.7 | 193.0 | 81.0 | 14.2 | 3.4 | 3.4 | 3.0 | 23.6 | 22.3 | 15.8 | 25.5 | N/M | 1.1 |
| GUID | Guidance Software | 10.60 | 93.0 | 307.4 | 287.8 | 110.5 | 66.1 | N/M | 2.6 | 2.6 | 2.5 | N/M | N/M | 28.6 | N/M | N/M | 26.3 |
| ZIXI | Zix | 4.29 | 85.4 | 255.9 | 228.3 | 48.1 | 84.2 | 22.4 | 4.7 | 4.7 | 4.3 | 21.2 | 16.8 | 15.8 | 22.6 | N/M | 1.3 |
| PKT | Procera Networks | 11.74 | 71.2 | 238.9 | 132.3 | 74.7 | 54.7 | N/M | 1.8 | 1.8 | 1.5 | N/M | N/M | N/M | N/M | N/M | 5.0 |
| ARTX | Arotech Corporation | 4.36 | 73.1 | 81.6 | 82.4 | 89.8 | 25.9 | 6.2 | 0.9 | 0.9 | 0.9 | 14.7 | 12.3 | 12.1 | 15.6 | 0.1 | N/A |
| GSB | GlobalSCAPE | 2.35 | 60.3 | 44.1 | 39.1 | 24.3 | 95.8 | 19.2 | 1.6 | 1.6 | 1.5 | 8.3 | N/A | N/A | 14.7 | N/M | 1.2 |
| VSR | Versar Inc. | 4.12 | 72.9 | 40.0 | 38.2 | 113.3 | 10.2 | 5.0 | 0.3 | 0.3 | N/A | 6.7 | 4.5 | N/A | N/M | N/M | N/A |
| WAVX | Wave Systems | 0.98 | 28.3 | 39.4 | 38.7 | 24.4 | 91.5 | N/M | 1.6 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A |
| BMC | BMC Software | 2.02 | 64.9 | 25.0 | 22.6 | 16.6 | N/A | 32.5 | 1.4 | N/A | N/A | 4.2 | N/A | N/A | N/M | N/M | N/A |
| FIRE | Sourcefire | 3.52 | 86.5 | 21.1 | 20.4 | 18.9 | 38.5 | 9.3 | 1.1 | N/A | N/A | 11.6 | N/M | N/A | N/M | N/M | N/A |
| ISCI | ISC8 Inc. | 0.03 | 22.6 | 6.1 | 12.1 | 0.5 | 66.3 | N/M | 24.1 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A |
| SFOR | StrikeForce Technologies | 0.00 | 2.4 | 0.7 | 7.0 | 0.5 | 96.9 | N/M | 13.1 | N/A | N/A | N/M | N/A | N/A | N/M | N/M | N/A |
| | Mean | | 75.6% | | | | 69.0% | 20.3% | 3.2x | 3.4x | 3.2x | 12.6x | 11.3x | 13.6x | 18.6x | 1.6x | 3.8 |
| | Median | | 85.4% | | | | 73.1% | 16.7% | 2.8x | 2.8x | 2.8x | 11.9x | 12.1x | 12.1x | 19.6x | 0.4x | 1.7 |

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date. Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.


Information Security Companies, continued

Figure 52: Diversified Technology Leaders ($ in thousands except stock price)

Diversified Technology Leaders

| Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| IBM | International Business Machines Corp. | $185.37 | 85.9% | $193,033.4 | $221,835.4 | $99,751.0 | 48.6% | 25.1% | 2.2x | 2.2x | 2.2x | 8.9x | 7.9x | 8.0x | 11.0x | 1.1x | 1.0 |
| ORCL | Oracle Corp. | 38.33 | 96.2 | 172,385.7 | 160,055.7 | 37,552.0 | 81.6 | 43.4 | 4.3 | 4.3 | 4.1 | 9.8 | 8.7 | 8.2 | 13.7 | N/M | 1.2 |
| CSCO | Cisco Systems, Inc. | 21.58 | 81.5 | 111,164.6 | 81,271.6 | 47,873.0 | 59.4 | 27.1 | 1.7 | 1.7 | 1.7 | 6.3 | 5.1 | 5.0 | 10.6 | N/M | 1.4 |
| HPQ | Hewlett-Packard Company | 29.53 | 96.2 | 55,962.9 | 64,886.9 | 112,093.0 | 23.4 | 11.8 | 0.6 | 0.6 | 0.6 | 4.9 | 4.6 | 4.7 | 8.1 | 0.6 | 2.0 |
| EMC | EMC Corporation | 27.49 | 99.3 | 55,691.9 | 53,671.9 | 23,222.0 | 62.3 | 24.2 | 2.3 | 2.3 | 2.2 | 9.6 | 7.9 | 7.2 | 15.3 | N/M | 1.2 |
| MSI | Motorola Inc. | 64.71 | 95.6 | 16,427.6 | 15,691.6 | 8,696.0 | 49.1 | 18.1 | 1.8 | 1.8 | 1.8 | 10.0 | 9.0 | 8.6 | 13.8 | N/M | 3.0 |
| CA | CA Technologies | 31.74 | 87.6 | 14,212.2 | 13,129.2 | 4,582.0 | 85.8 | 34.2 | 2.9 | 2.9 | 3.0 | 8.4 | 7.1 | 7.6 | 10.0 | N/M | 1.4 |
| JNPR | Juniper Networks, Inc. | 25.28 | 87.9 | 12,668.3 | 10,821.7 | 4,669.1 | 63.2 | 17.0 | 2.3 | 2.3 | 2.2 | 13.6 | 10.0 | 8.6 | 20.6 | N/M | 1.1 |
| 6701 | NEC Corp. | 2.95 | 84.2 | 7,662.9 | 13,494.4 | 28,390.7 | 29.7 | 5.7 | 0.5 | 0.3 | 0.3 | 8.4 | 6.2 | 5.9 | N/M | 3.0 | 3.3 |
| JDSU | JDS Uniphase Corp. | 14.27 | 85.9 | 3,332.0 | 2,822.9 | 1,703.2 | 46.2 | 8.8 | 1.7 | 1.7 | 1.5 | 18.8 | 13.3 | 10.6 | 25.9 | N/M | 1.5 |
| CBR | CIBER, Inc. | 4.72 | 94.6 | 361.5 | 317.6 | 877.3 | 25.4 | 2.9 | 0.4 | 0.4 | 0.4 | 12.3 | N/M | 6.8 | N/M | N/M | 1.1 |
| | Mean | | 90.4% | | | | 52.3% | 19.8% | 2.1x | 2.1x | 1.9x | 10.1x | 8.1x | 7.6x | 14.3x | 1.6x | 1.7 |
| | Median | | 87.9% | | | | 49.1% | 18.1% | 2.2x | 2.2x | 2.0x | 9.7x | 7.9x | 7.8x | 13.7x | 1.1x | 1.4 |

Enterprise value is defined as market capitalization plus net debt, minority interest, and preferred equity. Since the March 2011 Security Monitor, the following companies have been acquired: Novell Inc. Italicized, NA, and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date. Sources: Imperial Capital, LLC, Capital IQ, and Company SEC filings.


Government and Integration Services Companies

Figure 53: Government Services ($ in thousands except stock price)

Government Services

| Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| LMT | Lockheed Martin Corporation | $163.90 | 97.3% | $52,326.6 | $55,861.6 | $45,358.0 | 10.1% | 11.8% | 1.2x | 1.2x | 1.2x | 10.5x | 9.9x | 8.8x | 17.3x | 0.7 | 2.1 |
| GD | General Dynamics Corp | 108.27 | 95.3 | 37,055.4 | 35,662.4 | 31,218.0 | 18.5 | 13.6 | 1.1 | 1.1 | 1.2 | 8.4 | 8.4 | 8.5 | 15.4 | N/M | 2.0 |
| RTN | Raytheon Corp | 100.48 | 98.4 | 31,601.0 | 32,200.0 | 23,706.0 | 21.8 | 14.1 | 1.4 | 1.4 | 1.4 | 9.7 | 9.6 | 8.8 | 17.2 | 0.1 | 1.5 |
| SAF | Safran SA | 66.55 | 87.6 | 27,713.0 | 30,387.4 | 20,265.8 | 47.2 | 13.9 | 1.5 | 2.1 | 1.9 | 10.8 | 12.2 | 11.6 | 18.0 | 0.9 | 1.2 |
| NOC | Northrop Grumman Corp | 121.56 | 97.0 | 26,346.5 | 27,126.5 | 24,661.0 | 21.8 | 14.7 | 1.1 | 1.1 | 1.1 | 7.5 | 7.6 | 7.5 | 14.9 | 0.2 | 2.2 |
| HRS | Harris Corp | 73.35 | 97.4 | 7,833.6 | 9,174.3 | 4,978.4 | 34.9 | 21.8 | 1.8 | 1.8 | 1.8 | 8.5 | 9.1 | 8.5 | 14.7 | 1.2 | 4.8 |
| MMS | MAXIMUS Inc | 45.93 | 90.9 | 3,116.9 | 2,997.7 | 1,451.6 | 28.6 | 16.6 | 2.1 | 2.1 | 1.7 | 12.5 | 12.8 | 10.6 | 26.0 | N/M | 1.1 |
| QQ. | QinetiQ Group plc | 3.71 | 93.6 | 2,413.6 | 2,220.1 | 2,010.7 | 16.9 | 18.6 | 1.1 | 1.0 | 1.0 | 5.9 | 8.3 | 8.3 | 14.3 | N/M | 39.0 |
| CACI | CACI International Inc | 75.99 | 94.1 | 1,783.1 | 3,139.6 | 3,577.6 | 31.3 | 9.2 | 0.9 | 0.9 | 0.8 | 9.5 | 9.8 | 8.5 | 12.4 | 4.1 | 1.2 |
| UIS | Unisys Corp | 30.10 | 83.5 | 1,330.1 | 1,186.6 | 3,456.5 | 24.5 | 7.7 | 0.3 | 0.3 | 0.3 | 4.5 | 3.4 | 3.0 | 11.6 | N/M | 0.8 |
| MANT | ManTech International Corp | 29.51 | 94.9 | 1,093.1 | 1,024.1 | 2,310.1 | 13.6 | 7.4 | 0.4 | 0.4 | 0.5 | 6.0 | 6.2 | 7.4 | 14.6 | N/M | 3.0 |
| ICFI | ICF International Inc | 40.98 | 92.4 | 810.3 | 841.3 | 949.3 | 37.7 | 9.0 | 0.9 | 0.9 | 0.8 | 9.9 | 9.7 | 8.3 | 20.7 | 0.4 | 1.3 |
| KEYW | The KEYW Holding Corporation | 20.65 | 89.4 | 769.4 | 852.0 | 298.7 | 33.3 | 7.0 | 2.9 | 2.8 | 2.7 | 40.9 | 33.6 | 25.2 | N/M | 4.0 | 4.4 |
| EGL | Engility Holdings, Inc. | 43.85 | 96.8 | 760.5 | 941.8 | 1,407.4 | 13.7 | 9.1 | 0.7 | 0.7 | 0.6 | 7.3 | 7.0 | 7.2 | 14.9 | 1.3 | 3.5 |
| KTOS | Kratos Defense & Security Solutions | 7.10 | 77.3 | 407.4 | 996.4 | 950.6 | 25.2 | 8.3 | 1.0 | 1.0 | 1.0 | 12.6 | 9.7 | 10.1 | N/M | 7.5 | 3.7 |
| NCIT | NCI, Inc. | 11.30 | 86.2 | 146.1 | 147.1 | 332.3 | 12.9 | 5.9 | 0.4 | 0.5 | 0.5 | 7.5 | 7.6 | 8.5 | 21.1 | 0.0 | 3.6 |
| VSR | Versar, Inc. | 4.12 | 72.9 | 40.0 | 38.2 | 113.3 | 10.2 | 5.0 | 0.3 | 0.3 | N/A | 6.7 | 4.5 | N/A | N/M | N/M | N/A |
| | Mean | | 92.0% | | | | 24.5% | 11.8% | 1.1x | 1.1x | 1.1x | 8.7x | 9.1x | 8.8x | 16.6x | 1.9x | 4.7 |
| | Median | | 93.9% | | | | 23.2% | 10.5% | 1.1x | 1.1x | 1.1x | 8.5x | 9.3x | 8.5x | 15.2x | 0.9x | 2.2 |

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date. Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.


Government and Integration Services Companies, continued

Figure 54: Security Systems Integration—Diversified ($ in thousands except stock price)

Security Systems Integration - Diversified

| Ticker | Company | Stock Price (3/17/2014) | % of 52 Week High | Market Cap | Enterprise Value (EV) | LTM Revenue | LTM Gross Margin % | LTM EBITDA Margin % | EV / Sales LTM | EV / Sales CY2013 | EV / Sales CY2014 | EV / EBITDA LTM | EV / EBITDA CY2013 | EV / EBITDA CY2014 | P/E CY2013 | Net Debt / LTM EBITDA | PEG CY2014 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| SIE | Siemens AG | $130.07 | 92.3% | $109,832.3 | $118,831.3 | $75,282.0 | 27.7% | 10.3% | 1.6x | 1.6x | 1.5x | 15.4x | 13.6x | 10.7x | 18.6x | 1.1x | 1.1 |
| UTX | United Technologies Corp. | 114.23 | 96.5 | 104,547.4 | 121,633.4 | 62,626.0 | 28.0 | 17.8 | 1.9 | 1.9 | 1.9 | 10.9 | 11.1 | 10.1 | 18.5 | 1.4 | 1.4 |
| JCI | Johnson Controls Inc. | 46.26 | 88.1 | 30,718.0 | 37,553.0 | 43,216.0 | 16.0 | 9.0 | 0.9 | 0.9 | 0.9 | 9.7 | 9.4 | 9.4 | 16.3 | 1.7 | 0.9 |
| TYC | Tyco International Ltd. | 43.36 | 98.3 | 19,960.1 | 21,096.1 | 10,694.0 | 36.7 | 14.2 | 2.0 | 2.0 | 1.9 | 13.9 | 12.9 | 12.2 | 22.7 | 0.7 | 1.4 |
| SWK | Stanley Black & Decker, Inc. | 80.30 | 86.6 | 12,505.9 | 16,413.9 | 11,001.2 | 36.0 | 13.9 | 1.5 | 1.5 | 1.4 | 10.7 | 10.4 | 9.7 | 16.3 | 2.5 | 1.6 |
| TYL | Tyler Technologies, Inc. | 90.72 | 84.0 | 2,987.0 | 2,908.1 | 416.6 | 46.4 | 18.9 | 7.0 | 7.0 | 6.2 | 36.9 | 33.4 | 27.2 | N/M | N/M | 2.0 |
| DBD | Diebold Inc. | 40.22 | 100.0 | 2,585.7 | 2,660.1 | 2,857.5 | 23.4 | 7.0 | 0.9 | 0.9 | 0.9 | 13.4 | 12.4 | 11.3 | 29.5 | 0.3 | 2.2 |
| KTOS | Kratos Defense & Security Solutions, Inc | 7.14 | 77.8 | 410.0 | 999.0 | 950.6 | 25.2 | 8.3 | 1.1 | 1.0 | 1.0 | 12.6 | 9.8 | 10.1 | N/M | 7.5 | 3.7 |
| CBR | CIBER, Inc. | 4.72 | 94.6 | 361.5 | 317.6 | 877.3 | 25.4 | 2.9 | 0.4 | 0.4 | 0.4 | 12.3 | 13.1 | 6.8 | N/M | N/M | 1.1 |
| | Mean | | 90.7% | | | | 29.6% | 11.5% | 1.2x | 1.2x | 1.2x | 11.9x | 11.3x | 9.9x | 20.7x | 2.3x | 1.8 |
| | Median | | 91.4% | | | | 26.7% | 11.4% | 1.1x | 1.0x | 1.0x | 12.3x | 11.1x | 10.1x | 18.5x | 1.5x | 1.5 |

Enterprise Value is defined as market capitalization plus net debt, minority interest and preferred equity. NA and NM values are excluded from mean and median calculations. Any foreign securities are converted to USD for historical LTM figures as of the filing date, and for the equity price as of the most recent closing date. Sources: Imperial Capital, LLC, Capital IQ, and Company SEC Filings.


Important Disclosures

The information contained herein represents a summary of public information. Imperial Capital, LLC neither makes any projections with regard to outcome nor makes any recommendation with respect to investment in or transferability of the securities discussed herein. The information contained herein does not necessarily reflect the independent views of the research department of Imperial Capital, LLC, or any research analyst, which may have contrary views or opinions. This is a collaborative product of Imperial Capital, LLC and may reflect contributions from all departments within the Firm, including the Firm’s corporate finance, institutional research and sales and trading departments. This is not solely a product of the Firm’s institutional research department.

This summary is for information purposes only. Under no circumstances is it to be used or considered as an offer to sell, or a solicitation of an offer to buy any security. While the information contained in this report has been obtained from sources believed to be reliable, we do not represent or guarantee that the summary is accurate or complete, and it should not be relied upon as such. Any references or citations to, or excerpts from, third-party information or data sources (including, but not limited to, Bloomberg, Capital IQ and IBISWorld) do not and are not intended to provide financial or investment advice and are not to be relied upon by anyone as providing financial or investment advice. Based on information available to us, prices and opinions expressed in this report reflect judgments as of the date hereof and are subject to change without notice. The securities covered by or mentioned in this report involve substantial risk and should generally be purchased only by investors able to accept such risk. Any opinions expressed assume that this type of investment is suitable for the investor. While this is in circulation, Imperial Capital, LLC or its affiliates may, from time to time, make or quote a market in or make purchases or sales for their own accounts of securities of the issuers described herein. Imperial Capital, LLC or its affiliates may from time to time perform investment banking or other services for, or solicit investment banking or other business from, any company mentioned in this report, and therefore Imperial Capital, LLC may have a conflict of interest that could affect the objectivity of this monitor report.

© 2014 Imperial Capital, LLC

Imperial Capital Locations

Los Angeles 2000 Avenue of the Stars Los Angeles, CA 90067 Office: (310) 246-3700

New York 277 Park Avenue New York, NY 10172 Office: (212) 351-9700

London Imperial Capital (International) LLP 4th Floor, Princes House 38 Jermyn Street London SW1Y6DN Office: +44 0 207 650 5400

Boston 101 Arch Street Boston, MA 02110 Office: (617) 478-7600

Chicago 200 South Wacker Drive Chicago, IL 60606 Office: (312) 674-4713

Houston 1200 Smith Street Houston, TX 77002 Office: (713) 353-3923

Minneapolis 60 South Sixth Street Minneapolis, MN 55402 Office: (612) 692-6900

San Francisco One California Street San Francisco, CA 94111 Office: (415) 615-4000

Copyright © 2014 Imperial Capital, LLC Member SIPC | Member FINRA | Registrant of the MSRB www.imperialcapital.com