
The Top Information Security Issues Facing Organizations: What Can Government Do to Help?

Kenneth J. Knapp, Thomas E. Marshall, R. Kelly Rainer, Jr., and Dorsey W. Morrow

Information Security and Risk Management, September/October 2006


Considering that many organizations today are fully dependent on information technology for survival [1], information security is one of the most important concerns facing the modern organization. The increasing variety of threats and ferociousness of attacks has made protecting information a complex task. Knowledge of the critical issues underlying information security can help practitioners, researchers, and government employees alike to understand and solve the biggest problems. To this end, the International Information Systems Security Certification Consortium [(ISC)2] teamed up with Auburn University researchers to identify and rank the top information security issues in two sequential, but related surveys.

The first survey involved a worldwide sample of 874 certified information system security professionals (CISSPs), who ranked a list of 25 information security issues based on which ones were the most critical facing organizations today. In a follow-on survey, 623 CISSPs then re-ranked the same 25 issues based on which ones they felt the federal government could help the most in solving.

The survey results produced some interesting findings. In both surveys, the higher ranked issues are of a managerial nature; such issues require management involvement to solve. This message is important because the protection of valuable information requires that executives understand this. Among the worldwide participants of the first survey, a high level of agreement exists on what the top issues are. With few exceptions, the top issues are consistent across organizations regardless of size, sector, or geographic region. Among the participants in the second survey, many commented that government should take an active role in solving information security issues through actions such as clearer legislation along with stronger enforcement.

Kenneth J. Knapp is an assistant professor of management at the Air Force Academy, Colorado. He received his Ph.D. in MIS from Auburn University, Alabama. He has been published in Communications of the AIS and Information Systems Management and has a forthcoming article in Information Management & Computer Security.

Thomas E. Marshall is an associate professor of MIS, Department of Management, Auburn University, Alabama. He is a CPA and has been a consultant in the area of accounting information systems for more than 20 years. His publications include Information & Management, Journal of Computer Information Systems, Journal of End User Computing, and the Journal of Database Management.

R. Kelly Rainer, Jr., is George Phillips Privett Professor of MIS, Department of Management, Auburn University, Alabama. He has published in leading academic and practitioner journals. His most recent book is Introduction to Information Systems (1st edition), co-authored with Efraim Turban and Richard [...].

Dorsey W. Morrow, CISSP-ISSMP, is the general counsel and corporate secretary of (ISC)2.

FIRST SURVEY: RANKING THE TOP INFORMATION SECURITY ISSUES

The Web-based survey asked respondents to select ten issues from a randomized list of 25 and rank them from #1 to #10. The 25 issues came from a previous study we conducted involving 220 CISSPs who responded to an open-ended question asking for the top information security issues facing organizations today. Working with those 220 CISSPs, we had identified 58 issue categories based on the keywords and themes of the open-ended responses. We used the 25 most frequently mentioned issues from that survey for this Web survey. The present ranking survey ran in early 2004, with 874 CISSPs from more than 40 nations responding [5]. Table 1 provides the survey results. Top management support was the #1 ranked issue and received the highest average ranking of those participants who ranked the issue in their top ten.

Although ranked #2, user awareness training & education was the most frequently ranked issue; an impressive 66 percent of the 874 survey respondents ranked this issue in their top ten.

TABLE 1  Issue Ranking Results (874 Respondents)

Rank  Issue Description                                        Sum(a)  Count(b)
 1    Top management support                                    3,678     515
 2    User awareness training & education                       3,451     580
 3    Malware (e.g., viruses, Trojans, worms)                   3,336     520
 4    Patch management                                          3,148     538
 5    Vulnerability & risk management                           2,712     490
 6    Policy related issues (e.g., enforcement)                 2,432     448
 7    Organizational culture                                    2,216     407
 8    Access control & identity management                      2,203     422
 9    Internal threats                                          2,142     402
10    Business continuity & disaster preparation                2,030     404
11    Low funding & inadequate budgets                          1,811     315
12    Protection of privileged information                      1,790     319
13    Network security architecture                             1,636     327
14    Security training for IT staff                            1,604     322
15    Justifying security expenditures                          1,506     289
16    Inherent insecurity of networks & information systems     1,502     276
17    Governance                                                1,457     247
18    Legal & regulatory issues                                 1,448     276
19    External connectivity to organizational networks          1,439     272
20    Lack of skilled security workforce                        1,370     273
21    Systems development & life cycle support                  1,132     242
22    Fighting spam                                             1,106     237
23    Firewall & IDS configurations                             1,100     215
24    Wireless vulnerabilities                                  1,047     225
25    Standards issues                                            774     179

(a) Sum is the summation of all the 874 participants' rankings on a reverse scale. For example, a #1 ranked issue received a score of ten, a #2 ranked issue received a score of nine, and so on.
(b) Count is the number of participants who ranked the issue in their top ten.

Agreement Concerning the Top Five Issues Among Demographic Categories

The survey asked the 874 CISSPs about their organization's location, size, and industry. A level of agreement concerning the top five issues is apparent across the demographics of survey participants. With the exception of the healthcare industry, the top five rankings in the larger demographic categories are a reordering of the top five issues as ranked by the entire sample of 874 respondents: top management support, user awareness training & education, malware, patch management, and vulnerability & risk management. The modest variation in the rankings among the demographics is not entirely surprising considering the global nature of many cyber-threats.

Yet this finding is verification that many of the top-ranked issues are almost uniformly critical across key demographics. Table 2 illustrates how the top five issues from the full results fared across 12 major demographic categories.

TABLE 2  Top Five Issues Rankings by Demographic Category

Demographic categories (12 columns):
  Industry: Government; Banking & Finance; Manufacturing; Information Technology; Consultants; Healthcare
  Location: North America; Europe; Pacific/Asia
  Size: Small Organization (<250 employees); Medium Organization (250–5,000 employees); Large Organization (>5,000 employees)

Ranked Issue (rank values as extracted)
  1. Management support        2 1 4 1 1 1 6 4 3 2 1 2
  2. Awareness                 1 2 3 3 2 4 3 2 2 3 2 8
  3. Malware                   3 3 2 4 3 2 2 3 1 1 3 9
  4. Patch management          4 4 1 2 4 6 1 5 9 4 4 1
  5. Vulnerability management  5 5 5 5 5 3 4 1 4 5 5 6

SECOND SURVEY: HOW CAN GOVERNMENT HELP?

In the second survey, 623 CISSPs were asked to rank their top five issues based on what they believed were the most critical issues for the federal government to help solve. The motivation to conduct this follow-on survey was generated from a specific request to (ISC)2 from a commercial company working on cyber-security issues for the government. After considering the results of the first survey, the company wanted to know which of the top issues the government could (or should) help solve. We were contacted to help answer this question. To this end, we asked each survey participant to select and rank five issues from a randomized list of the 25 previously identified information security issues. After ranking five issues, each participant provided general comments and specific recommendations of actions the federal government could take to help solve each of their five selected issues. We provide a sampling of the comments and recommendations in the next section. This second survey was conducted in late [year not preserved].

Table 3 lists the results of the second survey. Top management support again was the highest ranked issue; legal & regulatory issues was ranked second, moving up 16 positions from the first survey.

TABLE 3  Re-Ranking Based on How Government Can Help (623 Respondents)

Rank  Issue Description                                        Sum  Count  Previous Rank  Rank Change
 1    Top management support                                   672    198         1            0
 2    Legal & regulatory issues                                605    190        18          +16
 3    Malware (e.g., viruses, Trojans, worms)                  588    184         3            0
 4    User awareness training & education                      568    188         2           -2
 5    Protection of privileged information                     552    165        12           +7
 6    Business continuity & disaster preparedness              452    152        10           +4
 7    Low funding & inadequate budgets                         443    149        11           +4
 8    Lack of a skilled security workforce                     427    146        20          +12
 9    Fighting spam                                            408    138        22          +13
10    Inherent insecurity of networks & information systems    404    124        16           +6
11    Standards issues                                         397    140        25          +14
12    Vulnerability & risk management                          394    127         5           -7
13    Policy related issues (e.g., enforcement)                381    141         6           -7
14    Security training for IT staff                           350    117        14            0
15    Governance                                               314    102        17           +2
16    Patch management                                         305    113         4          -12
17    Access control & identity management                     303    100         8           -9
18    Justifying security expenditures                         279     94        15           -3
19    Network security architecture                            264     84        13           -6
20    Organizational culture                                   258     96         7          -13
21    Internal threats                                         221     75         9          -12
22    Systems development & life cycle support                 212     71        21           -1
23    Wireless vulnerabilities                                 204     77        24           +1
24    External connectivity to organizational networks         148     49        19           -5
25    Firewall & IDS configurations                            112     40        23           -2

Note: The company that requested the second survey asked that we design the survey Web site with the flexibility to allow respondents to rank up to two of their own defined issues as a substitute for an issue from the list of 25 predefined issues. Thus, the survey was open ended to the degree that it did not force respondents to select all of their five issues from the predefined list. However, only 41 respondents used this option and there was very little agreement among the substitute issues.

Comments from Survey Participants

In Tables 4 through 8, we provide four representative comments for each of the top five issues of the second survey. Although the comments come exclusively from [...]

TABLE 4  Issue: Top Management Support

Organizational Position  Size of Organization   Comment and/or Recommendation on Government Action
Non-manager              >10,000 employees      Management frequently does little but pay lip service to security; it is viewed as a cost and a hindrance, not a critical business component. Clear legal duties should be established that hold upper management accountable for funding and supporting [...].
Management               250–1,000 employees    It is imperative that top management set the example for information security processes. I would like to see better clarity in laws like Sarbanes-Oxley that require specific accountability for the implementation of adequate information security processes.

