INFORMATION SECURITY AND RISK MANAGEMENT
Information Systems Security, September/October 2006, www.infosectoday.com

The Top Information Security Issues Facing Organizations: What Can Government Do to Help?

Kenneth J. Knapp, Thomas E. Marshall, R. Kelly Rainer, Jr., and Dorsey W. Morrow

KENNETH J. KNAPP is an assistant professor of management at the U.S. Air Force Academy, Colorado. He received his Ph.D. in MIS from Auburn University, Alabama. He has been published in Communications of the AIS and Information Systems Management and has a forthcoming article in Information Management & Computer Security. He can be reached at kenneth.knapp@usafa.edu.

THOMAS E. MARSHALL is an associate professor of MIS, Department of Management, Auburn University, Alabama. He is a CPA and has been a consultant in the area of accounting information systems for more than 20 years. His publications include Information & Management, Journal of Computer Information Systems, Journal of End User Computing, and the Journal of Database Management. He can be reached at marshall@business.auburn.edu.

R. KELLY RAINER, JR., is George Phillips Privett Professor of MIS, Department of Management, Auburn University, Alabama. He has published in leading academic and practitioner journals. His most recent book is Introduction to Information Systems (1st edition), co-authored with Efraim Turban and Richard Potter.

DORSEY W. MORROW, CISSP-ISSMP, is the general counsel and corporate secretary of (ISC)2.

Considering that many organizations today are fully dependent on information technology for survival [1], information security is one of the most important concerns facing the modern organization. The increasing variety of threats and ferociousness of attacks has made protecting information a complex challenge [2]. Improved knowledge of the critical issues underlying information security can help practitioners, researchers, and government employees alike to understand and solve the biggest problems. To this end, the International Information Systems Security Certification Consortium [(ISC)2] teamed up with Auburn University researchers to identify and rank the top information security issues in two sequential, but related, surveys. The first survey involved a worldwide sample of 874 Certified Information Systems Security Professionals (CISSPs), who ranked a list of 25 information security issues based on which ones were the most critical facing organizations today. In a follow-on survey, 623 U.S.-based CISSPs then re-ranked the same 25 issues based on which ones they felt the U.S. federal government could help the most in solving.

The survey results produced some interesting findings. In both surveys, the higher-ranked issues are of a managerial nature. Managerial issues require management involvement to solve. This message is important because the protection of valuable information requires that executives understand this. Among the worldwide participants of the first survey, a high level of agreement exists on what the top issues are. With few exceptions, the top issues are consistent across organizations regardless of size, sector, or geographic region. Among the U.S. participants in the second survey, many commented that government should take an active role in solving information security issues through actions such as clearer legislation along with stronger penalties.

FIRST SURVEY: RANKING THE TOP INFORMATION SECURITY ISSUES

The Web-based survey asked respondents to select ten issues from a randomized list of 25 and rank them from #1 to #10. The 25 issues came from a previous study we conducted involving 220 CISSPs who responded to an open-ended question asking for the top information security issues facing organizations today. Working with those 220 CISSPs, we had identified 58 issue categories based on the keywords and themes of the open-ended question responses [3]. We used the 25 most frequently mentioned issues from that survey for this Web survey. The present ranking survey ran in early 2004, with 874 CISSPs from more than 40 nations participating [4, 5]. Table 1 provides the survey results. Top management support was the #1 ranked issue and received the highest average ranking among those participants who ranked the issue in their top ten. Although ranked #2, user awareness training & education was the most frequently ranked issue; an impressive 66 percent of the 874 survey respondents ranked this issue in their top ten.

TABLE 1  Issue Ranking Results (874 Respondents)

Rank  Issue Description                                        Sum(a)  Count(b)
  1   Top management support                                    3,678    515
  2   User awareness training & education                       3,451    580
  3   Malware (e.g., viruses, Trojans, worms)                   3,336    520
  4   Patch management                                          3,148    538
  5   Vulnerability & risk management                           2,712    490
  6   Policy related issues (e.g., enforcement)                 2,432    448
  7   Organizational culture                                    2,216    407
  8   Access control & identity management                      2,203    422
  9   Internal threats                                          2,142    402
 10   Business continuity & disaster preparation                2,030    404
 11   Low funding & inadequate budgets                          1,811    315
 12   Protection of privileged information                      1,790    319
 13   Network security architecture                             1,636    327
 14   Security training for IT staff                            1,604    322
 15   Justifying security expenditures                          1,506    289
 16   Inherent insecurity of networks & information systems     1,502    276
 17   Governance                                                1,457    247
 18   Legal & regulatory issues                                 1,448    276
 19   External connectivity to organizational networks          1,439    272
 20   Lack of skilled security workforce                        1,370    273
 21   Systems development & life cycle support                  1,132    242
 22   Fighting spam                                             1,106    237
 23   Firewall & IDS configurations                             1,100    215
 24   Wireless vulnerabilities                                  1,047    225
 25   Standards issues                                            774    179

(a) Sum is the summation of all 874 participants' rankings on a reverse scale. For example, a #1 ranked issue received a score of ten, a #2 ranked issue received a score of nine, etc.
(b) Count is the number of participants who ranked the issue in their top ten.

Agreement Concerning the Top Five Issues Among Demographic Categories

The survey asked the 874 CISSPs about their organization's location, size, and industry. A level of agreement concerning the top five issues is apparent across the demographics of survey participants. With the exception of the healthcare industry, the top five rankings in the larger demographic categories are a reordering of the top five issues as ranked by the entire sample of 874 respondents: top management support, user awareness training & education, malware, patch management, and vulnerability & risk management. The modest variation in the rankings among the demographics is not entirely surprising considering the global nature of many cyber-threats. Yet this finding is verification that many of the top-ranked issues are almost uniformly critical across key demographics. Table 2 illustrates how the top five issues from the full results fared across 12 major demographic categories.

TABLE 2  Top Five Issues' Rankings by Demographic Category

Each cell gives the rank of the issue within that demographic category. Ranked issues: (1) Management support, (2) Awareness, (3) Malware, (4) Patch management, (5) Vulnerability management.

Category                                       (1)  (2)  (3)  (4)  (5)
Size
  Small organization (<250 employees)            2    1    3    4    5
  Medium organization (250–5,000 employees)      1    2    3    4    5
  Large organization (>5,000 employees)          4    3    2    1    5
Location
  North America                                  1    3    4    2    5
  Europe                                         1    2    3    4    5
  Pacific/Asia                                   1    4    2    6    3
Industry
  Government                                     6    3    2    1    4
  Banking & Finance                              4    2    3    5    1
  Manufacturing                                  3    2    1    9    4
  Information Technology                         2    3    1    4    5
  Consultants                                    1    2    3    4    5
  Healthcare                                     2    8    9    1    6

SECOND SURVEY: HOW CAN GOVERNMENT HELP?

In the second survey, 623 U.S. CISSPs were asked to rank their top five issues based on what they believed were the most critical issues for the U.S. federal government to help solve. The motivation to conduct this follow-on survey was generated from a specific request to (ISC)2 from a U.S. commercial company working on cyber-security issues for the U.S. government. After considering the results of the first survey, the company wanted to know which of the top issues the government could (or should) help solve. We were contacted to help answer this question. To this end, we asked each survey participant to select and rank five issues from a randomized list of the 25 previously identified information security issues. After ranking five issues, each participant provided general comments and specific recommendations of actions the U.S. federal government could take to help solve each of their five selected issues. We provide a sampling of the comments and recommendations in the next section.

This second survey was conducted in late 2004. Table 3 lists the results of the second survey. Top management support again was the highest ranked issue; legal & regulatory issues was ranked second, moving up 16 positions from the first survey.

TABLE 3  Re-Ranking Based on How Government Can Help (623 Respondents)

Rank  Issue Description                                        Sum  Count  Previous Rank  Rank Change
  1   Top management support                                   672   198         1             0
  2   Legal & regulatory issues                                605   190        18            16
  3   Malware (e.g., viruses, Trojans, worms)                  588   184         3             0
  4   User awareness training & education                      568   188         2            –2
  5   Protection of privileged information                     552   165        12             7
  6   Business continuity & disaster preparedness              452   152        10             4
  7   Low funding & inadequate budgets                         443   149        11             4
  8   Lack of a skilled security workforce                     427   146        20            12
  9   Fighting spam                                            408   138        22            13
 10   Inherent insecurity of networks & information systems    404   124        16             6
 11   Standards issues                                         397   140        25            14
 12   Vulnerability & risk management                          394   127         5            –7
 13   Policy related issues (e.g., enforcement)                381   141         6            –7
 14   Security training for IT staff                          350   117        14             0
 15   Governance                                               314   102        17             2
 16   Patch management                                         305   113         4           –12
 17   Access control & identity management                     303   100         8            –9
 18   Justifying security expenditures                         279    94        15            –3
 19   Network security architecture                            264    84        13            –6
 20   Organizational culture                                   258    96         7           –13
 21   Internal threats                                         221    75         9           –12
 22   Systems development & life cycle support                 212    71        21            –1
 23   Wireless vulnerabilities                                 204    77        24             1
 24   External connectivity to organizational networks         148    49        19            –5
 25   Firewall & IDS configurations                            112    40        23            –2

Note: The U.S. company that requested the second survey asked that we design the survey Web site with the flexibility to allow respondents to rank up to two of their own defined issues as a substitute for an issue from the list of 25 predefined issues. Thus, the survey was open ended to the degree that it did not force respondents to select all of their five issues from the predefined list. However, only 41 respondents used this option and there was very little agreement among the substitute issues provided.

Selected Comments from Survey Participants

In Tables 4 through 8, we provide four representative comments for each of the top five issues of the second survey. Although the comments come exclusively from CISSPs located in the United States, we believe the comments may be valuable to international readers as well because many are written in a general fashion. We reproduced these comments verbatim to allow a reading of the material without editorial comment from the authors. Our intent is not to provide an exhaustive analysis of these five issues, but rather to offer insight into how some security professionals perceive them. As additional context for each comment, we provide the participant's organizational position as well as the number of employees in the organization.

TABLE 4  Issue: Top Management Support

Organizational Position / Size of Organization: Comment and/or Recommendation on Government Action

Non-manager / >10,000 employees: Management frequently does little but pay lip service to security; it is viewed as a cost and a hindrance, not a critical business component. Clear legal duties should be established that hold upper management accountable for funding and supporting security.

Top management / 250–1,000 employees: It is imperative that top management set the example for information security processes. I would like to see better clarity in laws like Sarbanes–Oxley that require specific accountability for the implementation of adequate information security processes. There also needs to be some federal legislation that holds companies liable, regardless of their status (being public, private, or non-profit) for their security processes.

Non-management / 250–1,000 employees: Top management is not serious about security; otherwise they would commit the funds necessary to accomplish real results. A top IT/InfoSec position should be established in every company/organization/government agency reporting to the CEO/agency head. This person should have extensive technical as well as managerial experience. A lot of top jobs are given to people who have "people skills" but are severely lacking in the technical knowledge to make the right decisions.

Non-management / <250 employees: If information security is truly a societal priority, then accountability must be assigned. The most effective action that government can take on this issue is to legislate accountability on the part of corporate management.

TABLE 5  Issue: Legal & Regulatory Issues

Organizational Position / Size of Organization: Comment and/or Recommendation on Government Action

Top management / >10,000 employees: I recommend the U.S. government take a more deliberate and measured approach toward enacting regulatory and compliance requirements. Certainly, the government has an obligation to provide "reasonable assurances" that business is conducted in a legal, moral, and ethical manner. However, it appears that the government routinely adopts a reactive approach, which, after in-depth analysis, appears to be more of a hindrance to capitalism than a deterrent to illegal behavior. I would propose the government aggressively prosecute company executives AND board members, as well as pass more stringent, nonnegotiable penalties for violators.

Middle management / <250 employees: Well, what is the government if not laws and regulations? There are getting to be a lot of security-related laws and regulations. They are not always consistent, often overlap, don't sufficiently clarify jurisdiction or applicability, and often result in blurry lines between legal requirements and recommendations or guidelines. With all of the recent emphasis on effective communications between security agencies, shouldn't there be some mechanism for vetting regulations/directives/guidelines before they are loosed on the world?

Top management / >10,000 employees: From both a case law and a practical standpoint, the legislation associated with information security is woefully inadequate. Privacy, confidentiality, and availability, as well as prosecution for identity theft and denial of service attacks, are impossible with the current morass of legislation. Regulations such as the Common Criteria, HIPPA, and FISMA mandate audit compliance, but the marketplace pays minimal attention or lip service to these requirements.

Top management / 2,500–5,000 employees: Although there are many regulations affecting security within certain markets such as healthcare and financial, a common regulation governing the security of critical infrastructure industries would help provide uniform protection across multiple industries and could streamline the growing number of security-related laws.

TABLE 6  Issue: Malware (e.g., Viruses, Trojans, Worms)

Organizational Position / Size of Organization: Comment and/or Recommendation on Government Action

Middle management / 250–1,000 employees: As I see it, the biggest problem in this area is the lack of any global standards for enforcement and prosecution. It is very difficult to prosecute anyone outside of the United States. Most of the work being done on malware seems to come from outside U.S. borders. Because the Internet is a global community, it is important to develop and support a global agency to combat this problem.

Middle management / 1,000–2,500 employees: Just as the United States has a border patrol, our cyber-infrastructure should have something similar. DHS should work with telecommunications companies to monitor traffic coming into our borders using many of the same techniques (firewalls, IDS/IPS, anti-virus) organizations use to protect their infrastructures. This, of course, raises privacy issues and, if done incorrectly, could materially limit the use of the Internet, but it should be considered.

Other management / 1,000–2,500 employees: By allowing lax laws to exist surrounding spam and by not addressing spyware, the federal government is really hurting the efforts to stop this stuff. I foresee a heavily regulated and controlled Internet simply because the initial attempts at "governing" these malware issues are weak. History shows that the weak attempts usually follow with an overboard response once it is realized the first efforts are inadequate. So please don't go overboard and regulate too many areas, but make the current laws adequate by giving them some teeth.

Non-management professional / >10,000 employees: Tougher laws for people creating malware. Find ways to prosecute offenders in foreign countries where most malware is created. Work cross-borders to find and prosecute these offenders.

TABLE 7  Issue: User Awareness Training & Education

Organizational Position / Size of Organization: Comment and/or Recommendation on Government Action

Other management / >10,000 employees: Develop and fund a wider level of education programs beginning at elementary school level and continuing through industry.

Non-management / >10,000 employees: The main issue with end users is that they do not have a full understanding of what they are doing with their computers. They think nothing of clicking on links provided by mysterious senders without realizing the true end result of their actions only due to the fact they are ill-equipped. There should be low-cost or otherwise subsidized training programs for Mom and Pop users.

Middle management / 2,500–5,000 employees: There should be a national awareness campaign promoting computer security. There are now requirements for food labels; perhaps technology vendors should be required to post security warnings on their products (e.g., wireless networks, PDAs, USB thumb drives, etc.), not just marketing hype.

Middle management / 250–1,000 employees: As related to security, one of the major functions of the government should be to increase the overall security awareness of the general public. If the public is more aware of what can happen — worms, viruses, DDoS attacks, phishing — then maybe they will think twice about opening that e-mail attachment. And the best way to start is teach the kids. Remember the old "Schoolhouse Rock" commercials; create commercials like these that teach about computer security. Let the kids go around singing the catchy jingles; the parents won't be able to get away from them. Further, for the adults, create an awareness training class that they can take for free at the library or maybe at home on video (checked out from the library).

TABLE 8  Issue: Protection of Privileged Information

Organizational Position / Size of Organization: Comment and/or Recommendation on Government Action

Non-management / 2,500–5,000 employees: My primary concerns are in the area of outsourced services and support. Many outsourcers have many more people accessing confidential/protected information and are NOT required to inform their customers of these practices or even to manage a complete list of resources with access. Business will drive outsourcing, BUT the true costs to our security are not correctly represented.

Middle management / 250–1,000 employees: Draft tougher laws designed to protect individuals' non-public information (NPI), including reducing who (government, state, local agencies, and private corporations) can ask for Social Security numbers. Stiffer penalties for violators. Strict enforcement of current regulations.

Top management / <250 employees: Increase penalties against those who misuse or fail to adequately take appropriate measures to protect privileged information. Provide incentives for those who do it well — perhaps if an organization can pass a federal audit about security then that organization could receive a tax credit.

Non-management / 5,000–10,000 employees: Although there are several different classes of privileged information, the class that most concerns me is information about people — customers, employees, former employees, etc. The government needs to strengthen laws and regulatory policies to protect this type of information from becoming a "free-marketplace commodity" without permission for further use by the person providing the information.

Frequency of the Recommended Actions

After reading the CISSP responses, the first two authors conducted a content analysis of the text. From this analysis, we identified 32 general actions that government can take to help improve information security. We then identified 718 places in the text where the participants recommended a clear government action. Next, we cross-referenced the recommendations to the top five issues of the second survey. Table 9 summarizes this analysis. The 12 most frequently recommended of the 32 governmental actions are listed in the left column. The number in each cell identifies the frequency of each recommendation. From this analysis, the most frequently recommended actions fall into the three general categories of taking statutory and legislative action, increasing penalties, and promoting education. From Table 9, the reader can see how the respondents believed the government can contribute to a specific information security issue (e.g., government can address issues such as malware by increasing penalties).

TABLE 9  Frequency of Recommended Actions by the Top Five Issues

Issue columns: (#1) Top Management Support, (#2) Legal & Regulatory Issues, (#3) Malware, (#4) User Awareness Training & Education, (#5) Protection of Privileged Information.

General Recommendation for Government Action    #1   #2   #3   #4   #5  Total
Take statutory & legislation action             23   31    8    2   23     87
Increase penalties                               5   12   40    1   20     78
Promote education                               14    4    7   49    4     78
Promote awareness                                3    0    1   46    4     54
Clarify and/or define regulations                2   36    0    2   12     52
Increase enforcement                             8   14   18    1    7     48
Assign responsibility or accountability         33    7    0    1    3     44
Advance knowledge dissemination                 16    6    6   12    0     40
Promote best practices model                    11    7    0    3    4     25
Cooperate with international community           0    8   14    1    2     25
Provide economic incentives                     12    1    0   10    1     24
Cooperate with software vendors                  0    4   15    0    0     19

CONCLUSION

Many organizations today are fully dependent on information technology for survival. This reality means that information security will remain one of the top challenges facing modern organizations for at least the near future. The results of this survey can help managers, practitioners, researchers, and government employees focus their efforts on the most vital security issues. The top-ranked issue in both surveys was the same: top management support. The survey participants are saying that gaining top management support is the most critical issue of an information security program. Perhaps an organization's overall security health can be accurately predicted by asking a single question: Does top management consider security important? If they do not, it is unlikely the rest of the organization will either.

For practitioners, understanding and then taking action on the top issues can go a long way toward advancing the corporate cyber-security environment. For researchers, the results of these surveys can be valuable from an educational and longitudinal perspective because the top issues can be tracked in future studies. Governments can also help by creating a legal environment that assists companies and consumers in protecting their valuable information. This research report provides a sketch of how some CISSPs view the role of government in helping information security. Many survey participants suggested a need for clearer and more consistent legislation, whereas others called for stiffer penalties for violators. Considering that most governments move slowly when addressing complex issues such as cyber-security, the results of this survey could remain relevant for years to come.

Notes

1. President, National Strategy to Secure Cyberspace. (2003). Washington, D.C. http://www.whitehouse.gov/pcipb
2. Knapp, K. J. and W. R. Boulton. (Spring 2006). Cyber-warfare threatens corporations: Expansion into commercial environments. Information Systems Management, 23(2), 76–87.
3. We used research techniques consistent with grounded theory. Glaser, B. G. and A. L. Strauss. (1967). The Discovery of Grounded Theory: Strategies for Qualitative Research. New York: Aldine Publishing Company.
4. We used many ranking techniques published in previous studies. Luftman, J. and E. R. McLean. (2004). Key issues for IT executives. MIS Quarterly Executive, 3(2), 89–104.
5. A comprehensive report of this survey is available, upon request, from the first or the second author.

The opinions, conclusions, and recommendations expressed or implied within are solely those of the authors and do not necessarily represent the views of USAFA, USAF, the DoD, or any other government agency.