INFORMATION SECURITY AND RISK MANAGEMENT

The Top Information Security Issues Facing Organizations: What Can Government Do to Help?

Kenneth J. Knapp, Thomas E. Marshall, R. Kelly Rainer, Jr., and Dorsey W. Morrow
Considering that many organizations today are fully dependent on information technology for survival,[1] information security is one of the most important concerns facing the modern organization. The increasing variety of threats and ferociousness of attacks has made protecting information a complex challenge.[2] Improved knowledge of the critical issues underlying information security can help practitioners, researchers, and government employees alike to understand and solve the biggest problems. To this end, the International Information Systems Security Certification Consortium [(ISC)2]® teamed up with Auburn University researchers to identify and rank the top information security issues in two sequential, but related surveys. The first survey involved a worldwide sample of 874 certified information system security professionals (CISSPs)®, who ranked a list of 25 information security issues based on which ones were the most critical facing organizations today. In a follow-on survey, 623 U.S.-based CISSPs then re-ranked the same 25 issues based on which ones they felt the U.S. federal government could help the most in solving.
The survey results produced some interesting findings. In both surveys, the higher ranked issues are of a managerial nature. Managerial issues require management involvement to solve. This message is important because the protection of valuable information requires that executives understand this. Among the worldwide participants of the first survey, a high level of agreement exists on what the top issues are. With few exceptions, the top issues are consistent across organizations regardless of size, sector, or geographic region. Among the U.S. participants in the second survey, many commented that government should take an active role in solving information security issues through actions such as clearer legislation along with stronger penalties.

About the authors

KENNETH J. KNAPP is an assistant professor of management at the U.S. Air Force Academy, Colorado. He received his Ph.D. in MIS from Auburn University, Alabama. He has been published in Communications of the AIS and Information Systems Management and has a forthcoming article in Information Management & Computer Security. He can be reached at kenneth.knapp@usafa.edu.

THOMAS E. MARSHALL is an associate professor of MIS, Department of Management, Auburn University, Alabama. He is a CPA and has been a consultant in the area of accounting information systems for more than 20 years. His publications include Information & Management, Journal of Computer Information Systems, Journal of End User Computing, and the Journal of Database Management. He can be reached at marshall@business.auburn.edu.

R. KELLY RAINER, JR., is George Phillips Privett Professor of MIS, Department of Management, Auburn University, Alabama. He has published in leading academic and practitioner journals. His most recent book is Introduction to Information Systems (1st edition), co-authored with Efraim Turban and Richard Potter.

DORSEY W. MORROW, CISSP-ISSMP, is the general counsel and corporate secretary of (ISC)2.

Information Security and Risk Management, September/October 2006

TABLE 1  Issue Ranking Results (874 Respondents)

Rank  Issue Description                                        Sum(a)  Count(b)
 1    Top management support                                    3,678     515
 2    User awareness training & education                       3,451     580
 3    Malware (e.g., viruses, Trojans, worms)                   3,336     520
 4    Patch management                                          3,148     538
 5    Vulnerability & risk management                           2,712     490
 6    Policy related issues (e.g., enforcement)                 2,432     448
 7    Organizational culture                                    2,216     407
 8    Access control & identity management                      2,203     422
 9    Internal threats                                          2,142     402
10    Business continuity & disaster preparation                2,030     404
11    Low funding & inadequate budgets                          1,811     315
12    Protection of privileged information                      1,790     319
13    Network security architecture                             1,636     327
14    Security training for IT staff                            1,604     322
15    Justifying security expenditures                          1,506     289
16    Inherent insecurity of networks & information systems     1,502     276
17    Governance                                                1,457     247
18    Legal & regulatory issues                                 1,448     276
19    External connectivity to organizational networks          1,439     272
20    Lack of skilled security workforce                        1,370     273
21    Systems development & life cycle support                  1,132     242
22    Fighting spam                                             1,106     237
23    Firewall & IDS configurations                             1,100     215
24    Wireless vulnerabilities                                  1,047     225
25    Standards issues                                            774     179

(a) Sum is the summation of all the 874 participants’ rankings on a reverse scale. For example, a #1 ranked issue received a score of ten, a #2 ranked issue received a score of nine, etc.
(b) Count is the number of participants who ranked the issue in their top ten.
FIRST SURVEY: RANKING THE TOP INFORMATION SECURITY ISSUES

The Web-based survey asked respondents to select ten issues from a randomized list of 25 and rank them from #1 to #10. The 25 issues came from a previous study we conducted involving 220 CISSPs who responded to an open-ended question asking for the top information security issues facing organizations today. Working with those 220 CISSPs, we had identified 58 issue categories based on the keywords and themes of the open-ended question responses.[3] We used the 25 most frequently mentioned issues from that survey for this Web survey. The present ranking survey ran in early 2004, with 874 CISSPs from more than 40 nations participating.[4,5]

Table 1 provides the survey results. Top management support was the #1 ranked issue and received the highest average ranking of those participants who ranked the issue in their top ten. Although ranked #2, user awareness training & education was the most frequently ranked issue; an impressive 66 percent of the 874 survey respondents ranked this issue in their top ten.

Information Systems Security, www.infosectoday.com
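Added illustration, not part of the article: the reverse-scale scoring that Table 1’s footnotes describe, implemented in Python over constructed ballots, and then applied to the Sum and Count columns of Table 1 itself. The ratio Sum/Count recovers the "average ranking among those who ranked the issue" that the paragraph above uses to distinguish top management support (best average position) from user awareness training (most often chosen); the ballots and the issue letters A to D are constructed for the demonstration.

```python
"""Reverse-scale scoring used in the (ISC)2/Auburn ranking survey.

Each respondent picks k issues and ranks them #1..#k.  A #1 pick scores
k points, #2 scores k-1, ..., #k scores 1; unpicked issues score 0.
Sum = total score across respondents; Count = respondents who picked it.
"""
from collections import defaultdict


def score_ballots(ballots, k):
    """Aggregate ordered ballots (best issue first, at most k entries).

    Returns {issue: (sum, count)} in the sense of Table 1's footnotes.
    """
    sums, counts = defaultdict(int), defaultdict(int)
    for ballot in ballots:
        if len(ballot) > k or len(set(ballot)) != len(ballot):
            raise ValueError("ballot must hold at most k distinct issues")
        for rank, issue in enumerate(ballot, start=1):
            sums[issue] += k + 1 - rank   # reverse scale: #1 -> k points
            counts[issue] += 1
    return {issue: (sums[issue], counts[issue]) for issue in sums}


def ranked(results):
    """Issues ordered by Sum (desc), then Count (desc), then name."""
    return sorted(results, key=lambda i: (-results[i][0], -results[i][1], i))


def mean_rank(total, count, k):
    """Average position (1 = best) among respondents who ranked the issue.

    The mean score is total/count and score = k + 1 - rank, so invert it.
    """
    return k + 1 - total / count


# Sum and Count columns of Table 1 (874 respondents, k = 10), keyed by rank.
TABLE1 = {
    1: (3678, 515),  2: (3451, 580),  3: (3336, 520),  4: (3148, 538),
    5: (2712, 490),  6: (2432, 448),  7: (2216, 407),  8: (2203, 422),
    9: (2142, 402), 10: (2030, 404), 11: (1811, 315), 12: (1790, 319),
    13: (1636, 327), 14: (1604, 322), 15: (1506, 289), 16: (1502, 276),
    17: (1457, 247), 18: (1448, 276), 19: (1439, 272), 20: (1370, 273),
    21: (1132, 242), 22: (1106, 237), 23: (1100, 215), 24: (1047, 225),
    25: (774, 179),
}


def best_mean_rank(table, k):
    """Rank number whose issue has the best mean position among its rankers."""
    return min(table, key=lambda r: mean_rank(*table[r], k))


def most_frequent(table):
    """Rank number of the issue most often placed in a respondent's top k."""
    return max(table, key=lambda r: table[r][1])


# Constructed ballots (not survey data): four respondents, k = 3, issues A-D.
# A is ranked first on three ballots; B is on all four ballots but never first.
DEMO_BALLOTS = [["A", "B"], ["A", "B", "C"], ["A", "C", "B"], ["D", "B"]]

if __name__ == "__main__":
    res = score_ballots(DEMO_BALLOTS, k=3)
    for issue in ranked(res):
        s, c = res[issue]
        print(f"{issue}: sum={s} count={c} mean_rank={mean_rank(s, c, 3):.2f}")
    print("Table 1: best mean rank =", best_mean_rank(TABLE1, 10),
          "most frequent =", most_frequent(TABLE1))
```

Running it shows the same pattern the article reports: in the constructed ballots A leads on Sum while B leads on Count, and on Table 1 rank 1 (top management support) has the best mean position while rank 2 (user awareness) is the most frequently chosen.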
TABLE 2  Top Five Issues’ Rankings by Demographic Category

(Each cell is the rank of the issue within that demographic group. Issues are numbered as in the full results: 1. Management support, 2. Awareness, 3. Malware, 4. Patch management, 5. Vulnerability management.)

Demographic category                          1    2    3    4    5
Size
  Small organization (<250 employees)         2    1    3    4    5
  Medium organization (250–5,000 employees)   1    2    3    4    5
  Large organization (>5,000 employees)       4    3    2    1    5
Location
  North America                               1    3    4    2    5
  Europe                                      1    2    3    4    5
  Pacific/Asia                                1    4    2    6    3
Industry
  Government                                  6    3    2    1    4
  Banking & Finance                           4    2    3    5    1
  Manufacturing                               3    2    1    9    4
  Information Technology                      2    3    1    4    5
  Consultants                                 1    2    3    4    5
  Healthcare                                  2    8    9    1    6
Agreement Concerning the Top Five Issues Among Demographics Categories

The survey asked the 874 CISSPs about their organization’s location, size, and industry. A level of agreement concerning the top five issues is apparent across the demographics of survey participants. With the exception of the healthcare industry, the top five rankings in the larger demographic categories are a reordering of the top five issues as ranked by the entire sample of 874 respondents: top management support, user awareness training & education, malware, patch management, and vulnerability & risk management. The modest variation in the rankings among the demographics is not entirely surprising considering the global nature of many cyber-threats. Yet this finding is verification that many of the top-ranked issues are almost uniformly critical across key demographics. Table 2 illustrates how the top five issues from the full results fared across 12 major demographic categories.
SECOND SURVEY: HOW CAN GOVERNMENT HELP?

In the second survey, 623 U.S. CISSPs were asked to rank their top five issues based on what they believed were the most critical issues for the U.S. federal government to help solve. The motivation to conduct this follow-on survey was generated from a specific request to (ISC)2 from a U.S. commercial company working on cyber-security issues for the U.S. government. After considering the results of the first survey, the company wanted to know which of the top issues the government could (or should) help solve. We were contacted to help answer this question. To this end, we asked each survey participant to select and rank five issues from a randomized list of the 25 previously identified information security issues. After ranking five issues, each participant provided general comments and specific recommendations of actions the U.S. federal government could take to help solve each of their five selected issues. We provide a sampling of the comments and recommendations in the next section. This second survey was conducted in late 2004.

Table 3 lists the results of the second survey. Top management support again was the highest ranked issue; legal & regulatory issues was ranked second, moving up 16 positions from the first survey.
Selected Comments from Survey Participants

In Tables 4 through 8, we provide four representative comments for each of the top five issues of the second survey. Although the comments come exclusively from CISSPs located in the United States, we believe the comments may be valuable to international readers as well because many are written in a general fashion. We reproduced these comments verbatim to allow a reading of the material without editorial comment from the authors. Our intent is not to provide an exhaustive analysis of these five issues, but rather to offer insight into how some security professionals perceive them. As additional context for each comment, we provide the participant’s organizational position as well as the number of employees in the organization.

TABLE 3  Re-Ranking Based on How Government Can Help (623 Respondents)

Rank  Issue Description                                        Sum  Count  Previous Rank  Rank Change
 1    Top management support                                   672    198        1            0
 2    Legal & regulatory issues                                605    190       18           16
 3    Malware (e.g., viruses, Trojans, worms)                  588    184        3            0
 4    User awareness training & education                      568    188        2           –2
 5    Protection of privileged information                     552    165       12            7
 6    Business continuity & disaster preparedness              452    152       10            4
 7    Low funding & inadequate budgets                         443    149       11            4
 8    Lack of a skilled security workforce                     427    146       20           12
 9    Fighting spam                                            408    138       22           13
10    Inherent insecurity of networks & information systems    404    124       16            6
11    Standards issues                                         397    140       25           14
12    Vulnerability & risk management                          394    127        5           –7
13    Policy related issues (e.g., enforcement)                381    141        6           –7
14    Security training for IT staff                           350    117       14            0
15    Governance                                               314    102       17            2
16    Patch management                                         305    113        4          –12
17    Access control & identity management                     303    100        8           –9
18    Justifying security expenditures                         279     94       15           –3
19    Network security architecture                            264     84       13           –6
20    Organizational culture                                   258     96        7          –13
21    Internal threats                                         221     75        9          –12
22    Systems development & life cycle support                 212     71       21           –1
23    Wireless vulnerabilities                                 204     77       24            1
24    External connectivity to organizational networks         148     49       19           –5
25    Firewall & IDS configurations                            112     40       23           –2

Note: The U.S. company that requested the second survey asked that we design the survey Web site with the flexibility to allow respondents to rank up to two of their own defined issues as a substitute for an issue from the list of 25 predefined issues. Thus, the survey was open ended to the degree that it did not force respondents to select all of their five issues from the predefined list. However, only 41 respondents used this option and there was very little agreement among the substitute issues provided.

In Tables 4 through 8, each entry gives the participant’s organizational position and size of organization, followed by the comment and/or recommendation on government action.

TABLE 4  Issue: Top Management Support

Non-manager; >10,000 employees:
Management frequently does little but pay lip service to security; it is viewed as a cost and a hindrance, not a critical business component. Clear legal duties should be established that hold upper management accountable for funding and supporting security.

Top management; 250–1,000 employees:
It is imperative that top management set the example for information security processes. I would like to see better clarity in laws like Sarbanes–Oxley that require specific accountability for the implementation of adequate information security processes. There also needs to be some federal legislation that holds companies liable, regardless of their status (being public, private, or non-profit) for their security processes.

Non-management; 250–1,000 employees:
Top management is not serious about security; otherwise they would commit the funds necessary to accomplish real results. A top IT/InfoSec position should be established in every company/organization/government agency reporting to the CEO/agency head. This person should have extensive technical as well as managerial experience. A lot of top jobs are given to people who have “people skills” but are severely lacking in the technical knowledge to make the right decisions.

Non-management; <250 employees:
If information security is truly a societal priority, then accountability must be assigned. The most effective action that government can take on this issue is to legislate accountability on the part of corporate management.

TABLE 5  Issue: Legal & Regulatory Issues

Top management; >10,000 employees:
I recommend the U.S. government take a more deliberate and measured approach toward enacting regulatory and compliance requirements. Certainly, the government has an obligation to provide “reasonable assurances” that business is conducted in a legal, moral, and ethical manner. However, it appears that the government routinely adopts a reactive approach, which, after in-depth analysis, appears to be more of a hindrance to capitalism than a deterrent to illegal behavior. I would propose the government aggressively prosecute company executives AND board members, as well as pass more stringent, nonnegotiable penalties for violators.

Middle management; <250 employees:
Well, what is the government if not laws and regulations? There are getting to be a lot of security-related laws and regulations. They are not always consistent, often overlap, don’t sufficiently clarify jurisdiction or applicability, and often result in blurry lines between legal requirements and recommendations or guidelines. With all of the recent emphasis on effective communications between security agencies, shouldn’t there be some mechanism for vetting regulations/directives/guidelines before they are loosed on the world?

Top management; >10,000 employees:
From both a case law and a practical standpoint, the legislation associated with information security is woefully inadequate. Privacy, confidentiality, and availability, as well as prosecution for identity theft and denial of service attacks, are impossible with the current morass of legislation. Regulations such as the Common Criteria, HIPPA, and FISMA mandate audit compliance, but the marketplace pays minimal attention or lip service to these requirements.

Top management; 2,500–5,000 employees:
Although there are many regulations affecting security within certain markets such as healthcare and financial, a common regulation governing the security of critical infrastructure industries would help provide uniform protection across multiple industries and could streamline the growing number of security-related laws.

TABLE 6  Issue: Malware (e.g., Viruses, Trojans, Worms)

Middle management; 250–1,000 employees:
As I see it, the biggest problem in this area is the lack of any global standards for enforcement and prosecution. It is very difficult to prosecute anyone outside of the United States. Most of the work being done on malware seems to come from outside U.S. borders. Because the Internet is a global community, it is important to develop and support a global agency to combat this problem.

Middle management; 1,000–2,500 employees:
Just as the United States has a border patrol, our cyber-infrastructure should have something similar. DHS should work with telecommunications companies to monitor traffic coming into our borders using many of the same techniques (firewalls, IDS/IPS, anti-virus) organizations use to protect their infrastructures. This, of course, raises privacy issues and, if done incorrectly, could materially limit the use of the Internet, but it should be considered.

Other management; 1,000–2,500 employees:
By allowing lax laws to exist surrounding spam and by not addressing spyware, the federal government is really hurting the efforts to stop this stuff. I foresee a heavily regulated and controlled Internet simply because the initial attempts at “governing” these malware issues are weak. History shows that the weak attempts usually follow with an overboard response once it is realized the first efforts are inadequate. So please don’t go overboard and regulate too many areas, but make the current laws adequate by giving them some teeth.

Non-management professional; >10,000 employees:
Tougher laws for people creating malware. Find ways to prosecute offenders in foreign countries where most malware is created. Work cross-borders to find and prosecute these offenders.

TABLE 7  Issue: User Awareness Training & Education

Other management; >10,000 employees:
Develop and fund a wider level of education programs beginning at elementary school level and continuing through industry.

Non-management; >10,000 employees:
The main issue with end users is that they do not have a full understanding of what they are doing with their computers. They think nothing of clicking on links provided by mysterious senders without realizing the true end result of their actions only due to the fact they are ill-equipped. There should be low-cost or otherwise subsidized training programs for Mom and Pop users.

Middle management; 2,500–5,000 employees:
There should be a national awareness campaign promoting computer security. There are now requirements for food labels; perhaps technology vendors should be required to post security warnings on their products (e.g., wireless networks, PDAs, USB thumb drives, etc.), not just marketing hype.

Middle management; 250–1,000 employees:
As related to security, one of the major functions of the government should be to increase the overall security awareness of the general public. If the public is more aware of what can happen — worms, viruses, DDoS attacks, phishing — then maybe they will think twice about opening that e-mail attachment. And the best way to start is teach the kids. Remember the old “Schoolhouse Rock” commercials; create commercials like these that teach about computer security. Let the kids go around singing the catchy jingles; the parents won’t be able to get away from them. Further, for the adults, create an awareness training class that they can take for free at the library or maybe at home on video (checked out from the library).

TABLE 8  Issue: Protection of Privileged Information

Non-management; 2,500–5,000 employees:
My primary concerns are in the area of outsourced services and support. Many outsourcers have many more people accessing confidential/protected information and are NOT required to inform their customers of these practices or even to manage a complete list of resources with access. Business will drive outsourcing, BUT the true costs to our security are not correctly represented.

Middle management; 250–1,000 employees:
Draft tougher laws designed to protect individuals’ non-public information (NPI), including reducing who (government, state, local agencies, and private corporations) can ask for Social Security numbers. Stiffer penalties for violators. Strict enforcement of current regulations.

Top management; <250 employees:
Increase penalties against those who misuse or fail to adequately take appropriate measures to protect privileged information. Provide incentives for those who do it well — perhaps if an organization can pass a federal audit about security then that organization could receive a tax credit.

Non-management; 5,000–10,000 employees:
Although there are several different classes of privileged information, the class that most concerns me is information about people — customers, employees, former employees, etc. The government needs to strengthen laws and regulatory policies to protect this type of information from becoming a “free-marketplace commodity” without permission for further use by the person providing the information.
TABLE 9  Frequency of Recommended Actions by the Top Five Issues

(Columns: #1 Top Management Support, #2 Legal & Regulatory Issues, #3 Malware, #4 User Awareness Training & Education, #5 Protection of Privileged Information.)

General Recommendation for Government Action     #1   #2   #3   #4   #5  Total
Take statutory & legislation action              23   31    8    2   23     87
Increase penalties                                5   12   40    1   20     78
Promote education                                14    4    7   49    4     78
Promote awareness                                 3    0    1   46    4     54
Clarify and/or define regulations                 2   36    0    2   12     52
Increase enforcement                              8   14   18    1    7     48
Assign responsibility or accountability          33    7    0    1    3     44
Advance knowledge dissemination                  16    6    6   12    0     40
Promote best practices model                     11    7    0    3    4     25
Cooperate with international community            0    8   14    1    2     25
Provide economic incentives                      12    1    0   10    1     24
Cooperate with software vendors                   0    4   15    0    0     19

Frequency of the Recommended Actions

After reading the CISSP responses, the first two authors conducted a content analysis of the text. From this analysis, we identified 32 general actions that government can take to help improve information security. We then identified 718 places in the text where the participants recommended a clear government action. Next, we cross-referenced the recommendations to the top five issues of the second survey. Table 9 summarizes this analysis. Twelve of the 32 most frequently recommended governmental actions are listed in the left column. The number in each cell identifies the frequency of each recommendation. From this analysis, the most frequently recommended actions fall into the three general categories of taking statutory and legislative action, increasing penalties, and promoting education. From Table 9, the reader can see how the respondents believed the government can contribute to a specific information security issue (e.g., government can address issues such as malware by increasing penalties).

CONCLUSION

Many organizations today are fully dependent on information technology for survival. This reality means that information security will remain one of the top challenges facing modern organizations for at least the near future. The results of this survey can help managers, practitioners, researchers, and government employees focus their efforts on the most vital security issues. The top-ranked issue in both surveys was the same: top management support. The survey participants are saying that gaining top management support is the most critical issue of an information security program. Perhaps an organization’s overall security health can be accurately predicted by asking a single question: Does top management consider security important? If they do not, it is unlikely the rest of the organization will either. For practitioners, understanding and then taking action on the top issues can go a long way toward advancing the corporate cyber-security environment. For researchers, the results of these surveys can be valuable from an educational and longitudinal perspective because the top issues can be tracked in future studies.

Governments can also help by creating a legal environment that assists companies and consumers in protecting their valuable information. This research report provides a sketch of how some CISSPs view the role of government in helping information security. Many survey participants suggested a need for clearer and more consistent legislation whereas others called for stiffer penalties for violators. Considering that most governments move slowly when addressing complex issues such as cyber-security, the results of this survey could remain relevant for years to come.
Notes

1. President, National Strategy to Secure Cyberspace. (2003). Washington D.C., from http://www.whitehouse.gov/pcipb
2. Knapp, K. J. and W. R. Boulton. (Spring 2006). Cyber-warfare threatens corporations: Expansion into commercial environments, Information Systems Management, 23(2), 76–87.
3. We used research techniques consistent with grounded theory. Glaser, B. G. and A. L. Strauss. (1967). The Discovery of Grounded Theory: Strategies for Qualitative Research. New York: Aldine Publishing Company.
4. We used many ranking techniques published in previous studies. Luftman, J. and E. R. McLean. (2004). Key issues for IT executives, MIS Quarterly Executive, 3(2): 89–104.
5. A comprehensive report of this survey is available, upon request, from the first or the second author.

The opinions, conclusions, and recommendations expressed or implied within are solely those of the authors and do not necessarily represent the views of USAFA, USAF, the DoD, or any other government agency.