
INFORMATION SECURITY AND RISK MANAGEMENT

The Top Information Security Issues Facing Organizations: What Can Government Do to Help?

Kenneth J. Knapp, Thomas E. Marshall, R. Kelly Rainer, Jr., and Dorsey W. Morrow

Considering that many organizations today are fully dependent on information technology for survival,[1] information security is one of the most important concerns facing the modern organization. The increasing variety of threats and ferociousness of attacks has made protecting information a complex challenge.[2] Improved knowledge of the critical issues underlying information security can help practitioners, researchers, and government employees alike to understand and solve the biggest problems. To this end, the International Information Systems Security Certification Consortium [(ISC)2] teamed up with Auburn University researchers to identify and rank the top information security issues in two sequential, but related surveys. The first survey involved a worldwide sample of 874 certified information system security professionals (CISSPs), who ranked a list of 25 information security issues based on which ones were the most critical facing organizations today. In a follow-on survey, 623 U.S.-based CISSPs then re-ranked the same 25 issues based on which ones they felt the U.S. federal government could help the most in solving.

The survey results produced some interesting findings. In both surveys, the higher ranked issues are of a managerial nature. Managerial issues require management involvement to solve. This message is important because the protection of valuable information requires that executives understand this. Among the worldwide participants of the first survey, a high level of agreement exists on what the top issues are. With few exceptions, the top issues are consistent across organizations regardless of size, sector, or geographic region. Among the U.S. participants in the second survey, many commented that government should take an active role in solving information security issues through actions such as clearer legislation along with stronger penalties.

KENNETH J. KNAPP is an assistant professor of management at the U.S. Air Force Academy, Colorado. He received his Ph.D. in MIS from Auburn University, Alabama. He has been published in Communications of the AIS and Information Systems Management and has a forthcoming article in Information Management & Computer Security. He can be reached at kenneth.knapp@usafa.edu.

THOMAS E. MARSHALL is an associate professor of MIS, Department of Management, Auburn University, Alabama. He is a CPA and has been a consultant in the area of accounting information systems for more than 20 years. His publications include Information & Management, Journal of Computer Information Systems, Journal of End User Computing, and the Journal of Database Management. He can be reached at marshall@business.auburn.edu.

R. KELLY RAINER, JR., is George Phillips Privett Professor of MIS, Department of Management, Auburn University, Alabama. He has published in leading academic and practitioner journals. His most recent book is Introduction to Information Systems (1st edition), co-authored with Efraim Turban and Richard Potter.

DORSEY W. MORROW, CISSP-ISSMP, is the general counsel and corporate secretary of (ISC)2.

INFORMATION SYSTEMS SECURITY, SEPTEMBER/OCTOBER 2006

FIRST SURVEY: RANKING THE TOP INFORMATION SECURITY ISSUES

The Web-based survey asked respondents to select ten issues from a randomized list of 25 and rank them from #1 to #10. The 25 issues came from a previous study we conducted involving 220 CISSPs who responded to an open-ended question asking for the top information security issues facing organizations today. Working with those 220 CISSPs, we had identified 58 issue categories based on the keywords and themes of the open-ended question responses.[3] We used the 25 most frequently mentioned issues from that survey for this Web survey. The present ranking survey ran in early 2004, with 874 CISSPs from more than 40 nations participating.[4,5]

Table 1 provides the survey results. Top management support was the #1 ranked issue and received the highest average ranking of those participants who ranked the issue in their top ten. Although ranked #2, user awareness training & education was the most frequently ranked issue; an impressive 66 percent of the 874 survey respondents ranked this issue in their top ten.

TABLE 1 Issue Ranking Results (874 Respondents)

Rank  Issue Description                                        Sum(a)  Count(b)
1     Top management support                                   3,678   515
2     User awareness training & education                      3,451   580
3     Malware (e.g., viruses, Trojans, worms)                  3,336   520
4     Patch management                                         3,148   538
5     Vulnerability & risk management                          2,712   490
6     Policy related issues (e.g., enforcement)                2,432   448
7     Organizational culture                                   2,216   407
8     Access control & identity management                     2,203   422
9     Internal threats                                         2,142   402
10    Business continuity & disaster preparation               2,030   404
11    Low funding & inadequate budgets                         1,811   315
12    Protection of privileged information                     1,790   319
13    Network security architecture                            1,636   327
14    Security training for IT staff                           1,604   322
15    Justifying security expenditures                         1,506   289
16    Inherent insecurity of networks & information systems    1,502   276
17    Governance                                               1,457   247
18    Legal & regulatory issues                                1,448   276
19    External connectivity to organizational networks         1,439   272
20    Lack of skilled security workforce                       1,370   273
21    Systems development & life cycle support                 1,132   242
22    Fighting spam                                            1,106   237
23    Firewall & IDS configurations                            1,100   215
24    Wireless vulnerabilities                                 1,047   225
25    Standards issues                                           774   179

(a) Sum is the summation of all 874 participants’ rankings on a reverse scale. For example, a #1 ranked issue received a score of ten, a #2 ranked issue received a score of nine, and so on.
(b) Count is the number of participants who ranked the issue in their top ten.
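As an added example, not part of the article, the following Python implements the reverse-scale scoring behind the Sum and Count columns of Table 1 (a #1 pick scores ten, a #2 pick nine, down to one), the Sum/Count average the text mentions for top management support, and the previous-rank and rank-change columns of Table 3. The issue list, the ballots and all function names are constructed assumptions; ballots are kept shorter than the article's ten and five so the arithmetic can be checked by hand.

```python
# Added example (not from the article): the reverse-scale scoring behind
# Table 1 and the "Previous Rank"/"Rank Change" columns of Table 3.
# ISSUES, the ballots and all function names are constructed assumptions.

ISSUES = [
    "Top management support",
    "User awareness training & education",
    "Malware",
    "Patch management",
    "Vulnerability & risk management",
    "Legal & regulatory issues",
]

# Constructed ballots: each lists one respondent's picks from #1 downward.
# The article's first survey used ballots of ten, the second ballots of five;
# shorter ballots are used here so the arithmetic can be checked by hand.
FIRST_BALLOTS = [
    [ISSUES[0], ISSUES[1], ISSUES[2]],
    [ISSUES[1], ISSUES[0], ISSUES[3]],
    [ISSUES[2], ISSUES[0], ISSUES[1]],
    [ISSUES[0], ISSUES[3], ISSUES[4]],
]
SECOND_BALLOTS = [
    [ISSUES[0], ISSUES[5]],
    [ISSUES[5], ISSUES[2]],
    [ISSUES[0], ISSUES[5]],
]


def score_ballots(ballots, issues, top_n):
    """Rank issues on the article's reverse scale.

    A #1 pick earns top_n points, a #2 pick top_n - 1, ..., a #top_n pick
    1 point (10..1 in the first survey, 5..1 in the second). Count is the
    number of respondents who placed the issue anywhere on their ballot.
    Returns (rank, issue, sum, count) rows sorted by sum; ties fall back to
    count, then issue name, so the output is deterministic.
    """
    total = {issue: 0 for issue in issues}
    count = {issue: 0 for issue in issues}
    for ballot in ballots:
        if len(ballot) > top_n or len(set(ballot)) != len(ballot):
            raise ValueError("a ballot holds at most top_n distinct issues")
        for position, issue in enumerate(ballot, start=1):
            if issue not in total:
                raise ValueError(f"unknown issue on ballot: {issue!r}")
            total[issue] += top_n + 1 - position
            count[issue] += 1
    order = sorted(issues, key=lambda i: (-total[i], -count[i], i))
    return [(rank, i, total[i], count[i]) for rank, i in enumerate(order, start=1)]


def mean_score(row):
    """Average reverse-scale score among the respondents who ranked the issue
    (sum / count), the statistic the article cites for top management support."""
    _, _, total, count = row
    return total / count if count else 0.0


def rank_changes(previous_rows, current_rows):
    """Append previous rank and rank change (previous minus current), the
    convention of Table 3, where legal & regulatory issues moved 18 -> 2 = +16."""
    previous_rank = {issue: rank for rank, issue, _, _ in previous_rows}
    return [
        (rank, issue, total, count, previous_rank[issue], previous_rank[issue] - rank)
        for rank, issue, total, count in current_rows
    ]


def rerank_demo():
    """Score both constructed surveys and compute the rank changes between them."""
    first = score_ballots(FIRST_BALLOTS, ISSUES, top_n=3)
    second = score_ballots(SECOND_BALLOTS, ISSUES, top_n=2)
    return rank_changes(first, second)


if __name__ == "__main__":
    for row in rerank_demo():
        print(row)
```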

TABLE 2 Top Five Issues’ Rankings by Demographic Category

The 12 demographic categories (one column each):
Industry: Information Technology; Banking & Finance; Manufacturing; Government; Consultants; Healthcare
Location: North America; Pacific/Asia; Europe
Size: Small Organization (<250 employees); Medium Organization (250–5,000 employees); Large Organization (>5,000 employees)

Ranked Issue                    Rank of the issue in each of the 12 categories
1. Management support           2 1 4 1 1 1 6 4 3 2 1 2
2. Awareness                    1 2 3 3 2 4 3 2 2 3 2 8
3. Malware                      3 3 2 4 3 2 2 3 1 1 3 9
4. Patch management             4 4 1 2 4 6 1 5 9 4 4 1
5. Vulnerability management     5 5 5 5 5 3 4 1 4 5 5 6

Agreement Concerning the Top Five Issues Among Demographic Categories

The survey asked the 874 CISSPs about their organization’s location, size, and industry. A level of agreement concerning the top five issues is apparent across the demographics of survey participants. With the exception of the healthcare industry, the top five rankings in the larger demographic categories are a reordering of the top five issues as ranked by the entire sample of 874 respondents: top management support, user awareness training & education, malware, patch management, and vulnerability & risk management. The modest variation in the rankings among the demographics is not entirely surprising considering the global nature of many cyber-threats. Yet this finding is verification that many of the top-ranked issues are almost uniformly critical across key demographics. Table 2 illustrates how the top five issues from the full results fared across 12 major demographic categories.

SECOND SURVEY: HOW CAN GOVERNMENT HELP?

In the second survey, 623 U.S. CISSPs were asked to rank their top five issues based on what they believed were the most critical issues for the U.S. federal government to help solve. The motivation to conduct this follow-on survey was generated from a specific request to (ISC)2 from a U.S. commercial company working on cyber-security issues for the U.S. government. After considering the results of the first survey, the company wanted to know which of the top issues the government could (or should) help solve. We were contacted to help answer this question. To this end, we asked each survey participant to select and rank five issues from a randomized list of the 25 previously identified information security issues. After ranking five issues, each participant provided general comments and specific recommendations of actions the U.S. federal government could take to help solve each of their five selected issues. We provide a sampling of the comments and recommendations in the next section. This second survey was conducted in late 2004.

Table 3 lists the results of the second survey. Top management support again was the highest ranked issue; legal & regulatory issues was ranked second, moving up 16 positions from the first survey.

Selected Comments from Survey Participants

In Tables 4 through 8, we provide four representative comments for each of the top five issues of the second survey. Although the comments come exclusively from

TABLE 3 Re-Ranking Based on How Government Can Help (623 Respondents)

Rank  Issue Description                                        Sum  Count  Previous Rank  Rank Change
1     Top management support                                   672  198    1              0
2     Legal & regulatory issues                                605  190    18             16
3     Malware (e.g., viruses, Trojans, worms)                  588  184    3              0
4     User awareness training & education                      568  188    2              –2
5     Protection of privileged information                     552  165    12             7
6     Business continuity & disaster preparedness              452  152    10             4
7     Low funding & inadequate budgets                         443  149    11             4
8     Lack of a skilled security workforce                     427  146    20             12
9     Fighting spam                                            408  138    22             13
10    Inherent insecurity of networks & information systems    404  124    16             6
11    Standards issues                                         397  140    25             14
12    Vulnerability & risk management                          394  127    5              –7
13    Policy related issues (e.g., enforcement)                381  141    6              –7
14    Security training for IT staff                           350  117    14             0
15    Governance                                               314  102    17             2
16    Patch management                                         305  113    4              –12
17    Access control & identity management                     303  100    8              –9
18    Justifying security expenditures                         279  94     15             –3
19    Network security architecture                            264  84     13             –6
20    Organizational culture                                   258  96     7              –13
21    Internal threats                                         221  75     9              –12
22    Systems development & life cycle support                 212  71     21             –1
23    Wireless vulnerabilities                                 204  77     24             1
24    External connectivity to organizational networks         148  49     19             –5
25    Firewall & IDS configurations                            112  40     23             –2

Note: The U.S. company that requested the second survey asked that we design the survey Web site with the flexibility to allow respondents to rank up to two of their own defined issues as a substitute for an issue from the list of 25 predefined issues. Thus, the survey was open ended to the degree that it did not force respondents to select all of their five issues from the predefined list. However, only 41 respondents used this option and there was very little agreement among the substitute issues provided.

TABLE 4 Issue: Top Management Support

Each entry gives the respondent’s organizational position, the size of the organization, and the comment and/or recommendation on government action.

Non-manager, >10,000 employees: Management frequently does little but pay lip service to security; it is viewed as a cost and a hindrance, not a critical business component. Clear legal duties should be established that hold upper management accountable for funding and supporting security.

Top management, 250–1,000 employees: It is imperative that top management set the example for information security processes. I would like to see better clarity in laws like Sarbanes–Oxley that require specific accountability for the implementation of adequate information security processes. There also needs to be some federal legislation that holds companies liable, regardless of their status (being public, private, or non-profit) for their security processes.

Non-management, 250–1,000 employees: Top management is not serious about security; otherwise they would commit the funds necessary to accomplish real results. A top IT/InfoSec position should be established in every company/organization/government agency reporting to the CEO/agency head. This person should have extensive technical as well as managerial experience. A lot of top jobs are given to people who have “people skills” but are severely lacking in the technical knowledge to make the right decisions.

Non-management, <250 employees: If information security is truly a societal priority, then accountability must be assigned. The most effective action that government can take on this issue is to legislate accountability on the part of corporate management.

TABLE 5 Issue: Legal & Regulatory Issues

Each entry gives the respondent’s organizational position, the size of the organization, and the comment and/or recommendation on government action.

Top management, >10,000 employees: I recommend the U.S. government take a more deliberate and measured approach toward enacting regulatory and compliance requirements. Certainly, the government has an obligation to provide “reasonable assurances” that business is conducted in a legal, moral, and ethical manner. However, it appears that the government routinely adopts a reactive approach, which, after in-depth analysis, appears to be more of a hindrance to capitalism than a deterrent to illegal behavior. I would propose the government aggressively prosecute company executives AND board members, as well as pass more stringent, nonnegotiable penalties for violators.

Middle management, <250 employees: Well, what is the government if not laws and regulations? There are getting to be a lot of security-related laws and regulations. They are not always consistent, often overlap, don’t sufficiently clarify jurisdiction or applicability, and often result in blurry lines between legal requirements and recommendations or guidelines. With all of the recent emphasis on effective communications between security agencies, shouldn’t there be some mechanism for vetting regulations/directives/guidelines before they are loosed on the world?

Top management, >10,000 employees: From both a case law and a practical standpoint, the legislation associated with information security is woefully inadequate. Privacy, confidentiality, and availability, as well as prosecution for identity theft and denial of service attacks, are impossible with the current morass of legislation. Regulations such as the Common Criteria, HIPPA, and FISMA mandate audit compliance, but the marketplace pays minimal attention or lip service to these requirements.

Top management, 2,500–5,000 employees: Although there are many regulations affecting security within certain markets such as healthcare and financial, a common regulation governing the security of critical infrastructure industries would help provide uniform protection across multiple industries and could streamline the growing number of security-related laws.

TABLE 6 Issue: Malware (e.g., Viruses, Trojans, Worms)

Each entry gives the respondent’s organizational position, the size of the organization, and the comment and/or recommendation on government action.

Middle management, 250–1,000 employees: As I see it, the biggest problem in this area is the lack of any global standards for enforcement and prosecution. It is very difficult to prosecute anyone outside of the United States. Most of the work being done on malware seems to come from outside U.S. borders. Because the Internet is a global community, it is important to develop and support a global agency to combat this problem.

Middle management, 1,000–2,500 employees: Just as the United States has a border patrol, our cyber-infrastructure should have something similar. DHS should work with telecommunications companies to monitor traffic coming into our borders using many of the same techniques (firewalls, IDS/IPS, anti-virus) organizations use to protect their infrastructures. This, of course, raises privacy issues and, if done incorrectly, could materially limit the use of the Internet, but it should be considered.

Other management, 1,000–2,500 employees: By allowing lax laws to exist surrounding spam and by not addressing spyware, the federal government is really hurting the efforts to stop this stuff. I foresee a heavily regulated and controlled Internet simply because the initial attempts at “governing” these malware issues are weak. History shows that the weak attempts usually follow with an overboard response once it is realized the first efforts are inadequate. So please don’t go overboard and regulate too many areas, but make the current laws adequate by giving them some teeth.

Non-management professional, >10,000 employees: Tougher laws for people creating malware. Find ways to prosecute offenders in foreign countries where most malware is created. Work cross-borders to find and prosecute these offenders.

TABLE 7 Issue: User Awareness Training & Education

Each entry gives the respondent’s organizational position, the size of the organization, and the comment and/or recommendation on government action.

Other management, >10,000 employees: Develop and fund a wider level of education programs beginning at elementary school level and continuing through industry.

Non-management, >10,000 employees: The main issue with end users is that they do not have a full understanding of what they are doing with their computers. They think nothing of clicking on links provided by mysterious senders without realizing the true end result of their actions only due to the fact they are ill-equipped. There should be low-cost or otherwise subsidized training programs for Mom and Pop users.

Middle management, 2,500–5,000 employees: There should be a national awareness campaign promoting computer security. There are now requirements for food labels; perhaps technology vendors should be required to post security warnings on their products (e.g., wireless networks, PDAs, USB thumb drives, etc.), not just marketing hype.

Middle management, 250–1,000 employees: As related to security, one of the major functions of the government should be to increase the overall security awareness of the general public. If the public is more aware of what can happen — worms, viruses, DDoS attacks, phishing — then maybe they will think twice about opening that e-mail attachment. And the best way to start is teach the kids. Remember the old “Schoolhouse Rock” commercials; create commercials like these that teach about computer security. Let the kids go around singing the catchy jingles; the parents won’t be able to get away from them. Further, for the adults, create an awareness training class that they can take for free at the library or maybe at home on video (checked out from the library).

TABLE 8 Issue: Protection of Privileged Information

Each entry gives the respondent’s organizational position, the size of the organization, and the comment and/or recommendation on government action.

Non-management, 2,500–5,000 employees: My primary concerns are in the area of outsourced services and support. Many outsourcers have many more people accessing confidential/protected information and are NOT required to inform their customers of these practices or even to manage a complete list of resources with access. Business will drive outsourcing, BUT the true costs to our security are not correctly represented.

Middle management, 250–1,000 employees: Draft tougher laws designed to protect individuals’ non-public information (NPI), including reducing who (government, state, local agencies, and private corporations) can ask for Social Security numbers. Stiffer penalties for violators. Strict enforcement of current regulations.

Top management, <250 employees: Increase penalties against those who misuse or fail to adequately take appropriate measures to protect privileged information. Provide incentives for those who do it well — perhaps if an organization can pass a federal audit about security then that organization could receive a tax credit.

Non-management, 5,000–10,000 employees: Although there are several different classes of privileged information, the class that most concerns me is information about people — customers, employees, former employees, etc. The government needs to strengthen laws and regulatory policies to protect this type of information from becoming a “free-marketplace commodity” without permission for further use by the person providing the information.

CISSPs located in the United States, we believe the comments may be valuable to international readers as well because many are written in a general fashion. We reproduced these comments verbatim to allow a reading of the material without editorial comment from the authors. Our intent is not to provide an exhaustive analysis of these five issues, but rather to offer insight into how some security professionals perceive them. As additional context for each comment, we provide the participant’s organizational position as well as the number of employees in the organization.

TABLE 9 Frequency of Recommended Actions by the Top Five Issues

Columns: (#1) Top Management Support; (#2) Legal & Regulatory Issues; (#3) Malware; (#4) User Awareness Training & Education; (#5) Protection of Privileged Information; Total.

General Recommendation for Government Action     #1   #2   #3   #4   #5   Total
Take statutory & legislation action              23   31    8    2   23      87
Increase penalties                                5   12   40    1   20      78
Promote education                                14    4    7   49    4      78
Promote awareness                                 3    0    1   46    4      54
Clarify and/or define regulations                 2   36    0    2   12      52
Increase enforcement                              8   14   18    1    7      48
Assign responsibility or accountability          33    7    0    1    3      44
Advance knowledge dissemination                  16    6    6   12    0      40
Promote best practices model                     11    7    0    3    4      25
Cooperate with international community            0    8   14    1    2      25
Provide economic incentives                      12    1    0   10    1      24
Cooperate with software vendors                   0    4   15    0    0      19

Frequency of the Recommended Actions

After reading the CISSP responses, the first two authors conducted a content analysis of the text. From this analysis, we identified 32 general actions that government can take to help improve information security. We then identified 718 places in the text where the participants recommended a clear government action. Next, we cross-referenced the recommendations to the top five issues of the second survey. Table 9 summarizes this analysis. The 12 most frequently recommended of the 32 governmental actions are listed in the left column. The number in each cell identifies the frequency of each recommendation. From this analysis, the most frequently recommended actions fall into the three general categories of taking statutory and legislative action, increasing penalties, and promoting education. From Table 9, the reader can see how the respondents believed the government can contribute to a specific information security issue (e.g., government can address issues such as malware by increasing penalties).

CONCLUSION

Many organizations today are fully dependent on information technology for survival. This reality means that information security will remain one of the top challenges facing modern organizations for at least the near future. The results of this survey can help managers, practitioners, researchers, and government employees focus their efforts on the most vital security issues. The top-ranked issue in both surveys was the same: top management support. The survey participants are saying that gaining top management support is the most critical issue of an information security program. Perhaps an organization’s overall security health can be accurately predicted by asking a single question: Does top management consider security important? If they do not, it is unlikely the rest of the organization will either. For practitioners, understanding and then taking action on the top issues can go a long way toward advancing the corporate cyber-security environment. For researchers, the results of these surveys can be valuable from an educational and longitudinal perspective because the top issues can be tracked in future studies.

Governments can also help by creating a legal environment that assists companies and consumers in protecting their valuable information. This research report provides a sketch of how some CISSPs view the role of government in helping information security. Many survey participants suggested a need for clearer and more consistent legislation whereas others called for stiffer penalties for violators. Considering that most governments move slowly when addressing complex issues such as cyber-security, the results of this survey could remain relevant for years to come.

Notes

1. President, National Strategy to Secure Cyberspace. (2003). Washington D.C., from http://www.whitehouse.gov/pcipb
2. Knapp, K. J. and W. R. Boulton. (Spring 2006). Cyber-warfare threatens corporations: Expansion into commercial environments, Information Systems Management, 23(2), 76–87.
3. We used research techniques consistent with grounded theory. Glaser, B. G. and A. L. Strauss. (1967). The Discovery of Grounded Theory: Strategies for Qualitative Research. New York: Aldine Publishing Company.
4. We used many ranking techniques published in previous studies. Luftman, J. and E. R. McLean. (2004). Key issues for IT executives, MIS Quarterly Executive, 3(2): 89–104.
5. A comprehensive report of this survey is available, upon request, from the first or the second author.

The opinions, conclusions, and recommendations expressed or implied within are solely those of the authors and do not necessarily represent the views of USAFA, USAF, the DoD, or any other government agency.

