
INFORMATION SECURITY AND RISK MANAGEMENT
Information Systems Security, September/October 2006, pp. 51-58 (www.infosectoday.com)

The Top Information Security Issues Facing Organizations: What Can Government Do to Help?
Kenneth J. Knapp, Thomas E. Marshall, R. Kelly Rainer, Jr., and Dorsey W. Morrow

KENNETH J. KNAPP is an assistant professor of management at the U.S. Air Force Academy, Colorado. He received his Ph.D. in MIS from Auburn University, Alabama. He has been published in Communications of the AIS and Information Systems Management and has a forthcoming article in Information Management & Computer Security. He can be reached at kenneth.knapp@usafa.edu.
THOMAS E. MARSHALL is an associate professor of MIS, Department of Management, Auburn University, Alabama. He is a CPA and has been a consultant in the area of accounting information systems for more than 20 years. His publications include Information & Management, Journal of Computer Information Systems, Journal of End User Computing, and the Journal of Database Management. He can be reached at marshall@business.auburn.edu.
R. KELLY RAINER, JR., is George Phillips Privett Professor of MIS, Department of Management, Auburn University, Alabama. He has published in leading academic and practitioner journals. His most recent book is Introduction to Information Systems (1st edition), co-authored with Efraim Turban and Richard Potter.
DORSEY W. MORROW, CISSP-ISSMP, is the general counsel and corporate secretary of (ISC)².

Considering that many organizations today are fully dependent on information technology for survival,[1] information security is one of the most important concerns facing the modern organization. The increasing variety of threats and the ferociousness of attacks have made protecting information a complex challenge.[2] Improved knowledge of the critical issues underlying information security can help practitioners, researchers, and government employees alike to understand and solve the biggest problems. To this end, the International Information Systems Security Certification Consortium [(ISC)²] teamed up with Auburn University researchers to identify and rank the top information security issues in two sequential, but related, surveys. The first survey involved a worldwide sample of 874 certified information system security professionals (CISSPs), who ranked a list of 25 information security issues based on which ones were the most critical facing organizations today. In a follow-on survey, 623 U.S.-based CISSPs then re-ranked the same 25 issues based on which ones they felt the U.S. federal government could help the most in solving.

The survey results produced some interesting findings. In both surveys, the higher ranked issues are of a managerial nature. Managerial issues require management involvement to solve. This message is important because the protection of valuable information requires that executives understand this. Among the worldwide participants of the first survey, a high level of agreement exists on what the top issues are. With few exceptions, the top issues are consistent across organizations regardless of size, sector, or geographic region. Among the U.S. participants in the second survey, many commented that government should take an active role in solving information security issues through actions such as clearer legislation along with stronger penalties.
FIRST SURVEY: RANKING THE TOP INFORMATION SECURITY ISSUES

The Web-based survey asked respondents to select ten issues from a randomized list of 25 and rank them from #1 to #10. The 25 issues came from a previous study we conducted involving 220 CISSPs who responded to an open-ended question asking for the top information security issues facing organizations today. Working with those 220 CISSPs, we had identified 58 issue categories based on the keywords and themes of the open-ended question responses.[3] We used the 25 most frequently mentioned issues from that survey for this Web survey. The present ranking survey ran in early 2004, with 874 CISSPs from more than 40 nations participating.[4,5]

Table 1 provides the survey results. Top management support was the #1 ranked issue and received the highest average ranking of those participants who ranked the issue in their top ten. Although ranked #2, user awareness training & education was the most frequently ranked issue; an impressive 66 percent of the 874 survey respondents ranked this issue in their top ten.
TABLE 1 Issue Ranking Results (874 Respondents)

Rank  Issue Description                                          Sum(a)  Count(b)
   1  Top management support                                      3,678       515
   2  User awareness training & education                         3,451       580
   3  Malware (e.g., viruses, Trojans, worms)                     3,336       520
   4  Patch management                                            3,148       538
   5  Vulnerability & risk management                             2,712       490
   6  Policy related issues (e.g., enforcement)                   2,432       448
   7  Organizational culture                                      2,216       407
   8  Access control & identity management                        2,203       422
   9  Internal threats                                            2,142       402
  10  Business continuity & disaster preparation                  2,030       404
  11  Low funding & inadequate budgets                            1,811       315
  12  Protection of privileged information                        1,790       319
  13  Network security architecture                               1,636       327
  14  Security training for IT staff                              1,604       322
  15  Justifying security expenditures                            1,506       289
  16  Inherent insecurity of networks & information systems       1,502       276
  17  Governance                                                  1,457       247
  18  Legal & regulatory issues                                   1,448       276
  19  External connectivity to organizational networks            1,439       272
  20  Lack of skilled security workforce                          1,370       273
  21  Systems development & life cycle support                    1,132       242
  22  Fighting spam                                               1,106       237
  23  Firewall & IDS configurations                               1,100       215
  24  Wireless vulnerabilities                                    1,047       225
  25  Standards issues                                              774       179

(a) Sum is the summation of all 874 participants' rankings on a reverse scale. For example, a #1 ranked issue received a score of ten, a #2 ranked issue received a score of nine, etc.
(b) Count is the number of participants who ranked the issue in their top ten.
Agreement Concerning the Top Five Issues Among Demographic Categories

The survey asked the 874 CISSPs about their organization's location, size, and industry. A level of agreement concerning the top five issues is apparent across the demographics of survey participants. With the exception of the healthcare industry, the top five rankings in the larger demographic categories are a reordering of the top five issues as ranked by the entire sample of 874 respondents: top management support, user awareness training & education, malware, patch management, and vulnerability & risk management. The modest variation in the rankings among the demographics is not entirely surprising considering the global nature of many cyber-threats. Yet this finding is verification that many of the top-ranked issues are almost uniformly critical across key demographics. Table 2 illustrates how the top five issues from the full results fared across 12 major demographic categories.
SECOND SURVEY: HOW CAN GOVERNMENT HELP?

In the second survey, 623 U.S. CISSPs were asked to rank their top five issues based on what they believed were the most critical issues for the U.S. federal government to help solve. The motivation to conduct this follow-on survey was generated from a specific request to (ISC)² from a U.S. commercial company working on cyber-security issues for the U.S. government. After considering the results of the first survey, the company wanted to know which of the top issues the government could (or should) help solve. We were contacted to help answer this question. To this end, we asked each survey participant to select and rank five issues from a randomized list of the 25 previously identified information security issues. After ranking five issues, each participant provided general comments and specific recommendations of actions the U.S. federal government could take to help solve each of their five selected issues. We provide a sampling of the comments and recommendations in the next section. This second survey was conducted in late 2004.

Table 3 lists the results of the second survey. Top management support again was the highest ranked issue; legal & regulatory issues was ranked second, moving up 16 positions from the first survey.
Selected Comments from Survey Participants

In Tables 4 through 8, we provide four representative comments for each of the top five issues of the second survey. Although the comments come exclusively from CISSPs located in the United States, we believe the comments may be valuable to international readers as well because many are written in a general fashion. We reproduced these comments verbatim to allow a reading of the material without editorial comment from the authors. Our intent is not to provide an exhaustive analysis of these five issues, but rather to offer insight into how some security professionals perceive them. As additional context for each comment, we provide the participant's organizational position as well as the number of employees in the organization.

TABLE 2 Top Five Issues Rankings by Demographic Category

Columns: Size (Small Organization, <250 employees; Medium Organization, 250–5,000 employees; Large Organization, >5,000 employees); Location (North America; Europe; Pacific/Asia); Industry (Government; Banking & Finance; Manufacturing; Information Technology; Consultants; Healthcare).

Ranked Issue                  Small  Medium  Large | N. America  Europe  Pacific/Asia | Gov  Bank/Fin  Mfg  IT  Consult  Health
1. Management support             2       1      4 |          1       1             1 |   6         4    3   2        1       2
2. Awareness                      1       2      3 |          3       2             4 |   3         2    2   3        2       8
3. Malware                        3       3      2 |          4       3             2 |   2         3    1   1        3       9
4. Patch management               4       4      1 |          2       4             6 |   1         5    9   4        4       1
5. Vulnerability management       5       5      5 |          5       5             3 |   4         1    4   5        5       6

TABLE 3 Re-Ranking Based on How Government Can Help (623 Respondents)

Rank  Issue Description                                          Sum  Count  Previous Rank  Rank Change
   1  Top management support                                     672    198              1            0
   2  Legal & regulatory issues                                  605    190             18           16
   3  Malware (e.g., viruses, Trojans, worms)                    588    184              3            0
   4  User awareness training & education                        568    188              2            2
   5  Protection of privileged information                       552    165             12            7
   6  Business continuity & disaster preparedness                452    152             10            4
   7  Low funding & inadequate budgets                           443    149             11            4
   8  Lack of a skilled security workforce                       427    146             20           12
   9  Fighting spam                                              408    138             22           13
  10  Inherent insecurity of networks & information systems      404    124             16            6
  11  Standards issues                                           397    140             25           14
  12  Vulnerability & risk management                            394    127              5            7
  13  Policy related issues (e.g., enforcement)                  381    141              6            7
  14  Security training for IT staff                             350    117             14            0
  15  Governance                                                 314    102             17            2
  16  Patch management                                           305    113              4           12
  17  Access control & identity management                       303    100              8            9
  18  Justifying security expenditures                           279     94             15            3
  19  Network security architecture                              264     84             13            6
  20  Organizational culture                                     258     96              7           13
  21  Internal threats                                           221     75              9           12
  22  Systems development & life cycle support                   212     71             21            1
  23  Wireless vulnerabilities                                   204     77             24            1
  24  External connectivity to organizational networks           148     49             19            5
  25  Firewall & IDS configurations                              112     40             23            2

Note: The U.S. company that requested the second survey asked that we design the survey Web site with the flexibility to allow respondents to rank up to two of their own defined issues as a substitute for an issue from the list of 25 predefined issues. Thus, the survey was open ended to the degree that it did not force respondents to select all of their five issues from the predefined list. However, only 41 respondents used this option and there was very little agreement among the substitute issues provided.

TABLE 4 Issue: Top Management Support

Each entry gives the respondent's organizational position and size of organization, followed by the comment and/or recommendation on government action.

Non-manager, >10,000 employees:
Management frequently does little but pay lip service to security; it is viewed as a cost and a hindrance, not a critical business component. Clear legal duties should be established that hold upper management accountable for funding and supporting security.

Top management, 250–1,000 employees:
It is imperative that top management set the example for information security processes. I would like to see better clarity in laws like Sarbanes–Oxley that require specific accountability for the implementation of adequate information security processes. There also needs to be some federal legislation that holds companies liable, regardless of their status (being public, private, or non-profit) for their security processes.

Non-management, 250–1,000 employees:
Top management is not serious about security; otherwise they would commit the funds necessary to accomplish real results. A top IT/InfoSec position should be established in every company/organization/government agency reporting to the CEO/agency head. This person should have extensive technical as well as managerial experience. A lot of top jobs are given to people who have people skills but are severely lacking in the technical knowledge to make the right decisions.

Non-management, <250 employees:
If information security is truly a societal priority, then accountability must be assigned. The most effective action that government can take on this issue is to legislate accountability on the part of corporate management.

TABLE 5 Issue: Legal & Regulatory Issues

Each entry gives the respondent's organizational position and size of organization, followed by the comment and/or recommendation on government action.

Top management, >10,000 employees:
I recommend the U.S. government take a more deliberate and measured approach toward enacting regulatory and compliance requirements. Certainly, the government has an obligation to provide reasonable assurances that business is conducted in a legal, moral, and ethical manner. However, it appears that the government routinely adopts a reactive approach, which, after in-depth analysis, appears to be more of a hindrance to capitalism than a deterrent to illegal behavior. I would propose the government aggressively prosecute company executives AND board members, as well as pass more stringent, nonnegotiable penalties for violators.

Middle management, <250 employees:
Well, what is the government if not laws and regulations? There are getting to be a lot of security-related laws and regulations. They are not always consistent, often overlap, don't sufficiently clarify jurisdiction or applicability, and often result in blurry lines between legal requirements and recommendations or guidelines. With all of the recent emphasis on effective communications between security agencies, shouldn't there be some mechanism for vetting regulations/directives/guidelines before they are loosed on the world?

Top management, >10,000 employees:
From both a case law and a practical standpoint, the legislation associated with information security is woefully inadequate. Privacy, confidentiality, and availability, as well as prosecution for identity theft and denial of service attacks, are impossible with the current morass of legislation. Regulations such as the Common Criteria, HIPPA, and FISMA mandate audit compliance, but the marketplace pays minimal attention or lip service to these requirements.

Top management, 2,500–5,000 employees:
Although there are many regulations affecting security within certain markets such as healthcare and financial, a common regulation governing the security of critical infrastructure industries would help provide uniform protection across multiple industries and could streamline the growing number of security-related laws.

TABLE 6 Issue: Malware (e.g., Viruses, Trojans, Worms)

Each entry gives the respondent's organizational position and size of organization, followed by the comment and/or recommendation on government action.

Middle management, 250–1,000 employees:
As I see it, the biggest problem in this area is the lack of any global standards for enforcement and prosecution. It is very difficult to prosecute anyone outside of the United States. Most of the work being done on malware seems to come from outside U.S. borders. Because the Internet is a global community, it is important to develop and support a global agency to combat this problem.

Middle management, 1,000–2,500 employees:
Just as the United States has a border patrol, our cyber-infrastructure should have something similar. DHS should work with telecommunications companies to monitor traffic coming into our borders using many of the same techniques (firewalls, IDS/IPS, anti-virus) organizations use to protect their infrastructures. This, of course, raises privacy issues and, if done incorrectly, could materially limit the use of the Internet, but it should be considered.

Other management, 1,000–2,500 employees:
By allowing lax laws to exist surrounding spam and by not addressing spyware, the federal government is really hurting the efforts to stop this stuff. I foresee a heavily regulated and controlled Internet simply because the initial attempts at governing these malware issues are weak. History shows that the weak attempts usually follow with an overboard response once it is realized the first efforts are inadequate. So please don't go overboard and regulate too many areas, but make the current laws adequate by giving them some teeth.

Non-management professional, >10,000 employees:
Tougher laws for people creating malware. Find ways to prosecute offenders in foreign countries where most malware is created. Work cross-borders to find and prosecute these offenders.
TABLE 7 Issue: User Awareness Training & Education

Each entry gives the respondent's organizational position and size of organization, followed by the comment and/or recommendation on government action.

Other management, >10,000 employees:
Develop and fund a wider level of education programs beginning at elementary school level and continuing through industry.

Non-management, >10,000 employees:
The main issue with end users is that they do not have a full understanding of what they are doing with their computers. They think nothing of clicking on links provided by mysterious senders without realizing the true end result of their actions only due to the fact they are ill-equipped. There should be low-cost or otherwise subsidized training programs for Mom and Pop users.

Middle management, 2,500–5,000 employees:
There should be a national awareness campaign promoting computer security. There are now requirements for food labels; perhaps technology vendors should be required to post security warnings on their products (e.g., wireless networks, PDAs, USB thumb drives, etc.), not just marketing hype.

Middle management, 250–1,000 employees:
As related to security, one of the major functions of the government should be to increase the overall security awareness of the general public. If the public is more aware of what can happen (worms, viruses, DDoS attacks, phishing), then maybe they will think twice about opening that e-mail attachment. And the best way to start is teach the kids. Remember the old Schoolhouse Rock commercials; create commercials like these that teach about computer security. Let the kids go around singing the catchy jingles; the parents won't be able to get away from them. Further, for the adults, create an awareness training class that they can take for free at the library or maybe at home on video (checked out from the library).

TABLE 8 Issue: Protection of Privileged Information

Each entry gives the respondent's organizational position and size of organization, followed by the comment and/or recommendation on government action.

Non-management, 2,500–5,000 employees:
My primary concerns are in the area of outsourced services and support. Many outsourcers have many more people accessing confidential/protected information and are NOT required to inform their customers of these practices or even to manage a complete list of resources with access. Business will drive outsourcing, BUT the true costs to our security are not correctly represented.

Middle management, 250–1,000 employees:
Draft tougher laws designed to protect individuals' non-public information (NPI), including reducing who (government, state, local agencies, and private corporations) can ask for Social Security numbers. Stiffer penalties for violators. Strict enforcement of current regulations.

Top management, <250 employees:
Increase penalties against those who misuse or fail to adequately take appropriate measures to protect privileged information. Provide incentives for those who do it well; perhaps if an organization can pass a federal audit about security then that organization could receive a tax credit.

Non-management, 5,000–10,000 employees:
Although there are several different classes of privileged information, the class that most concerns me is information about people: customers, employees, former employees, etc. The government needs to strengthen laws and regulatory policies to protect this type of information from becoming a free-marketplace commodity without permission for further use by the person providing the information.
Frequency of the Recommended Actions

After reading the CISSP responses, the first two authors conducted a content analysis of the text. From this analysis, we identified 32 general actions that government can take to help improve information security. We then identified 718 places in the text where the participants recommended a clear government action. Next, we cross-referenced the recommendations to the top five issues of the second survey. Table 9 summarizes this analysis. Twelve of the 32 most frequently recommended governmental actions are listed in the left column. The number in each cell identifies the frequency of each recommendation. From this analysis, the most frequently recommended actions fall into the three general categories of taking statutory and legislative action, increasing penalties, and promoting education. From Table 9, the reader can see how the respondents believed the government can contribute to a specific information security issue (e.g., government can address issues such as malware by increasing penalties).

TABLE 9 Frequency of Recommended Actions by the Top Five Issues

Columns: (#1) Top Management Support; (#2) Legal & Regulatory Issues; (#3) Malware; (#4) User Awareness Training & Education; (#5) Protection of Privileged Information; Total.

General Recommendation for Government Action    (#1)  (#2)  (#3)  (#4)  (#5)  Total
Take statutory & legislative action               23    31     8     2    23     87
Increase penalties                                 5    12    40     1    20     78
Promote education                                 14     4     7    49     4     78
Promote awareness                                  3     0     1    46     4     54
Clarify and/or define regulations                  2    36     0     2    12     52
Increase enforcement                               8    14    18     1     7     48
Assign responsibility or accountability           33     7     0     1     3     44
Advance knowledge dissemination                   16     6     6    12     0     40
Promote best practices model                      11     7     0     3     4     25
Cooperate with international community             0     8    14     1     2     25
Provide economic incentives                       12     1     0    10     1     24
Cooperate with software vendors                    0     4    15     0     0     19

CONCLUSION

Many organizations today are fully dependent on information technology for survival. This reality means that information security will remain one of the top challenges facing modern organizations for at least the near future. The results of this survey can help managers, practitioners, researchers, and government employees focus their efforts on the most vital security issues. The top-ranked issue in both surveys was the same: top management support. The survey participants are saying that gaining top management support is the most critical issue of an information security program. Perhaps an organization's overall security health can be accurately predicted by asking a single question: Does top management consider security important? If they do not, it is unlikely the rest of the organization will either. For practitioners, understanding and then taking action on the top issues can go a long way toward advancing the corporate cyber-security environment. For researchers, the results of these surveys can be valuable from an educational and longitudinal perspective because the top issues can be tracked in future studies.

Governments can also help by creating a legal environment that assists companies and consumers in protecting their valuable information. This research report provides a sketch of how some CISSPs view the role of government in helping information security. Many survey participants suggested a need for clearer and more consistent legislation whereas others called for stiffer penalties for violators. Considering that most governments move slowly when addressing complex issues such as cyber-security, the results of this survey could remain relevant for years to come.
Notes

1. President, National Strategy to Secure Cyberspace. (2003). Washington D.C., from http://www.whitehouse.gov/pcipb
2. Knapp, K. J. and W. R. Boulton. (Spring 2006). Cyber-warfare threatens corporations: Expansion into commercial environments, Information Systems Management, 23(2), 76–87.
3. We used research techniques consistent with grounded theory. Glaser, B. G. and A. L. Strauss. (1967). The Discovery of Grounded Theory: Strategies for Qualitative Research. New York: Aldine Publishing Company.
4. We used many ranking techniques published in previous studies. Luftman, J. and E. R. McLean. (2004). Key issues for IT executives, MIS Quarterly Executive, 3(2): 89–104.
5. A comprehensive report of this survey is available, upon request, from the first or the second author.

The opinions, conclusions, and recommendations expressed or implied within are solely those of the authors and do not necessarily represent the views of USAFA, USAF, the DoD, or any other government agency.
