Scope and Emerging Trends

Transcription

1 The ASIS Foundation Security Report: Scope and Emerging Trends Executive Summary From research performed by the Justice and Safety Center, Eastern Kentucky University, with support from the National Institute of Justice

2 ASIS Foundation Security Report: Scope and Emerging Trends Sponsored by NIJ Pasek Corporation ASIS Boston Chapter Toepfer Security Corporation Robert D. Hulshouser, CPP International Association for Healthcare Security and Safety ASIS Calgary/Southern Alberta Chapter ASIS Phoenix Chapter ASIS Greater Milwaukee Chapter ASIS Columbus Chapter ASIS Greater San Antonio Chapter Michael R. Cummings, CPP

3 Eastern Kentucky University College of Justice and Safety Eastern Kentucky University s College of Justice and Safety, a Program of Distinction, houses the Justice and Safety Center, the Training Resource Center, and three academic departments that award degrees in assets protection and security, corrections and juvenile justice studies, criminal justice, emergency medical care, fire safety, loss prevention and safety, and police studies. Justice and Safety Center The Justice and Safety Center (JSC) was formed in 1998 in response to the state s designation of the College of Justice and Safety at EKU as a Program of Distinction. The JSC consists of a team of faculty and staff professionals dedicated to the advancement of public safety and security specializing in research/ evaluation, prototype development/testing, and training/technical assistance. The JSC engages in numerous federal and state funded projects and programs from agencies such as, but not limited to, the Department of Homeland Security, the Department of Justice, the Kentucky Department of Commercialization and Innovation, and the United States Department of Defense. Moreover, the JSC has strived to work collaboratively with various organizations and agencies to build upon the strengths of each partner and avoid duplicative efforts. Currently, the JSC manages approximately 70 public safety and security projects, as well as three regional, national, and international programs. It also leads the Safety and Security Initiative for the Kentucky Department of Commercialization and Innovation. Since its inception in 1998, the JSC has managed over $35 million in grant funding. Research Team Principal Investigators Pam Collins, Professor, College of Justice and Safety, Eastern Kentucky University Gary Cordner, Professor, College of Justice and Safety, Eastern Kentucky University Kay Scarborough, Professor, College of Justice and Safety, Eastern Kentucky University Data Collection Kelli Frakes, Sr. Research Associate, Justice & Safety Center, Eastern Kentucky University Jacinda Cockerham, Research Associate, Justice & Safety Center, Eastern Kentucky University Lou Martin, Research Assistant, Justice & Safety Center, Eastern Kentucky University Irina Soderstrom, Professor, Correctional and Juvenile Justice Studies, Eastern Kentucky University Funding Agencies ASIS International Foundation, Board of Trustees National Institute of Justice, Office of Research and Evaluation 1

4 Acknowledgements Special thanks to the following work group members for their contributions to the project: Lawrence Berenson, CPP Security Director L-3 Government Services, Inc. Chantilly, VA Steven K. Bucklin President/CEO Glenbrook Security Services Glenview, IL Michael A. Crane, CPP Senior Vice President General Counsel IPC International Corporation Bannockburn, IL Michael R. Cummings, CPP Director, Loss Prevention Services Aurora Health Care Milwaukee, WI Michael D. Gambrill Senior Vice President, Industry & Government Affairs Dunbar Armored Inc. Hunt Valley, MD F. Mark Geraci, CPP Senior Director, Corporate Security Bristol-Meyers Squibb Company New York, NY Martin L. Gill, Ph. D. Director PRCI Ltd Leicester, United Kingdom Rudy A. Wolter, CPP Deputy Director, North America Region Citigroup Tampa, FL Ronald Lander, CPP Chief Specialist Ultrasafe Security Solutions Norco, CA James P. Litchko President/CEO Litchko & Associates Kensington, MD Glen W. Kitteringham, CPP Senior Manager, Security & Life Safety Brookfield Properties Calgary, Alberta, Canada Raymond T. O Hara, CPP Senior Managing Director Vance Palm Desert, CA Dennis D. Shepp, CPP Senior Partner Shepp Johnman Inc Edmonton, Alberta, Canada Bonnie S. Michelman, CPP Director of Police and Security Massachusetts General Hospital Boston, MA Edward G. Hallen, CPP Manager, Safety & Security Services Occidental Petroleum Corporation Los Angeles, CA Kathleen L. Kiernan, Ed.D. CEO Kiernan Consulting Group Arlington, VA William J. McShane, CPP Director Affinia Hospitality New York, NY 2 Timothy L. Williams, CPP Vice President, Corporate & System Security Nortel Networks Brentwood, TN

5 Table of Contents Overview...7 Methods...8 Characteristics of Respondents...11 Section 1: Section 2: Section 3: Section 4: Section 5: Section 6: Section 7: The Security Industry in the United States Impacts of September 11th Impacts of Legislation Information Security Relationships with Law Enforcement Relationships with Other Business Units Emerging Trends in Security References

6 Tables Table 1. Table 2. Table 3. Table 4. Table 1.1. Table 1.2. Table 1.3. Table 1.4. Table 1.5. Table 1.6. Table 1.7. Table 1.8. Table 1.9. Table Table Table 1.12 Table Table 2.1. Table 2.2 Table 3.1. Table 4.1. Table 4.2. Table 4.3. Table 4.4 Characteristics of Organizations Responding to the Four Surveys. Characteristics of Responding U.S. Companies By Industry Sector (All U.S. Companies Survey). Characteristics of Security Operations in Companies Responding to the Surveys. Characteristics of Security Operations in U.S. Companies By Industry Sector (All U.S. Companies Survey). Similar Security-Related Concerns Between ASIS and non-asis Companies (percent selecting each concern among their top three). Differing Security-Related Concerns Between ASIS and non-asis Companies (percent selecting each concern among their top three). Top Three Security-Related Concerns By Industry Sector (All U.S. Companies Survey). Similar Degrees of Outsourcing Between ASIS and Non-ASIS Companies: Percent of Security Functions Contracted to Outside Firms (average percent of each service that is contracted out). Differing Degrees of Outsourcing Between ASIS and Non-ASIS Companies: Percent of Security Functions Contracted to Outside Firms (average percent of each service that is contracted out). Security Systems/Products the Company Has Purchased or Plans to Purchase (percent indicating yes). Percent of ASIS Security Services Companies Indicating That They Provide Specific Types of Security Systems and Products. ASIS Security Services Companies Expectations of Business Growth in Specific Industry Sectors Over the Next Five Years. Anticipated Changes to Company Security Budget/Revenue in the Next Fiscal Year. Annual Security Budgets Over A Four-Year Period (Company Averages). Distribution of Company Security Function Between Internal and External Providers. Position/Title of Survey Respondents. Educational Level and Security-Related Certifications. If 9/11 Affected Company Security Spending, How Was it Affected (percent indicating yes). If 9/11 Continues to Affect the Business, How is it Affected (percent indicating yes). Impact of New Statutes on Security Policies and Procedures (percent indicating moderate or major impact). Post-9/11 Information Security Measures Adopted by Companies. Internal/Insider Breaches of Information Security During the Past Year. Outsider/External Breaches of Information Security During the Past Year. Percent of Companies Implementing Information Security Projects for the Next Year. 4

7 Table 5.1. Table 5.2. Table 5.3. Table 5.4. Table 6.1. Percent of Respondents Indicating at Least One Company Contact Per Year With Federal, State, and Local Law Enforcement. Percent of Companies Indicating That They Have Specific Types of Security- Related Contacts With Law Enforcement. Problem Areas in Company Relationships With Law Enforcement (percent indicating moderate or serious problem). Extent of Contact Between ASIS Security Services Companies and Other (Non-Law Enforcement) Entities. Percent of Respondents Indicating Six (6) or More Security-Related Interactions Per Year With Other Company Units. Figures: Figure 1.1. Figure 1.2. Figure 1.3. Figure 1.4. Figure 1.5. Figure 2.1. Figure 2.2. Figure 2.3. Figure 2.4. Figure 4.1. Figure 5.1. Figure 5.2. Figure 5.3. Figure 5.4. Figure 5.5. Figure 5.6. Figure 7.1. Percent Likely to Expand Various Security Arrangements. Percent Likely to Invest More in Security Equipment. Percent Likely to Invest More in Contract Security Services. Percent Likely to Invest More in In-House Security Personnel/Overhead. Percent Likely to Expand An Existing Security Program. Percent Indicating That 9/11 Affected Security Spending in Their Company. Percent Indicating That 9/11 Continues to Affect Their Business. Response to Terrorism by Security Services Companies: Percent Indicating Yes. Continuing Impact of 9/11 on Security Services Companies: Percent Indicating Anticipated Increases in Percent Indicating Greater Concern About Specific Information Security Threats Post-9/11. Percent Indicating Increased Contact With Law Enforcement Post-9/11. Percent of Companies Indicating Six (6) or More Contacts Per Year With Different Types of Law Enforcement Agencies. Resources Made Available to Law Enforcement By ASIS Security Services Companies: Percent Indicating Occasionally or Frequently. Percent of ASIS Security Services Companies With Established Programs With Law Enforcement Agencies. Importance of Various Relationships With Law Enforcement: Percent of ASIS Security Services Companies Indicating Moderately or Very Important. Overall Relationship With Law Enforcement: Percent Indicating Satisfactory or Very Satisfactory. Percentage of Internal and External Attacks by Type of Attacker. 5

8 6

9 ASIS Foundation Security Report: Scope and Emerging Trends Overview This study represents one of the more current works describing the present status of security within organizations throughout the United States including what impacts, if any, 9/11 has had on security measures and budgets. Prior to this study the most noted and often quoted studies on the security industry have been the Private Security Task Force study which was conducted by the National Advisory Committee on Criminal Justice Standards and Goals in 1976 and the Hallcrest I and II Reports, the first published in 1985 and the second in Since that time there have been many other narrower studies, often of particular security sectors or individual security professionals. The current study differs from these other research efforts because the unit of analysis was companies of all sizes located in the United States. An important point to note is that in the survey of companies many of the respondents had no formal affiliation with the ASIS International and would not describe themselves as full time security staff. Therefore, this study provides a picture that may, in fact, be more generalizable to security within companies located throughout the United States than studies in which the ASIS membership was used as the primary sampling frame. Over the last 30 years there has been tremendous change in the security profession, which began primarily as an industrial security function strongly influenced by the Department of Defense but has evolved to a profession that is multi-faceted and present across all types of organizations and sectors. The profession has also begun a process of self examination in the wake of the tragic events of September 11th and the formation of the Department of Homeland Security. This study provides some insights as to the initial impacts of 9/11 along with the scope of security as well as emerging trends for the security profession through four surveys used to collect data and information on security within organizations throughout the United States. 7

10 Methods The Four Surveys This project utilized four different nationwide surveys. Three surveys were targeted at executives responsible for security functions, while the fourth was sent to law enforcement agencies. It is important here, however, to carefullly distinguish between the four surveys, since information from them is presented throughout the study s findings. 1. All U.S. Companies Surveys were sent to a stratified random sample of almost 4,000 U.S. companies listed in nine industry sectors in Ward s Business Directory. These companies ranged from small to large. Many did not have separate security managers or security departments. The responses to this survey are most representative of the entire population of U.S. companies. The companies listed in the Ward s Business Directory are subdivided into 9 categories (sectors) of industry type based on Standard Industrial Classification (SIC) codes designated by the U.S. Department of Labor Office of Occupational Safety and Health Administration (OSHA). The sectors are as follows: Agriculture, Forestry, and Fishing Mining Construction Manufacturing Transportation, Communications, Electric, Gas, and Sanitary Services Wholesale Trade Retail Trade Finance, Insurance, and Real Estate Services 2. ASIS Companies Surveys were sent to a random sample of 339 ASIS International members identified as security managers for companies. The responses to this survey are most representative of companies that are large enough to employ professional security managers. 3. ASIS Security Services Surveys were sent to a random sample of 302 ASIS International members identified as managers of companies that provide security services (e.g., alarm companies). The responses to this survey are most representative of the security services industry. 4. Law Enforcement Surveys were sent to a random sample of 375 local U.S. law enforcement agencies, proportionately assigned as 304 municipal and 71 county. This sample was drawn from the National Public Safety Information Bureau database of over 16,000 law enforcement chief administrators. 8

11 Using these four national surveys and secondary data analysis, this work describes the present status of private security in the United States including what impacts, if any, 9/11 has had on practices and budgets. The research objectives were to describe: 1) The Security Industry in the United States: A description of security concerns, outsourcing of security functions, growth areas in security, purchasing of security systems and services, services provided by security services companies, and the size and economic strength of various industry sectors using the company as the unit of analysis. 2) Changes in Security Since 9/11: A comparison and contrast to changes in security pre- and post- 911 focusing on future trends and changes in security expenditures. 3) Impacts of Legislation: What, if any, impacts legislation such as the HIPAA, the Sarbanes-Oxley Act and the USA Patriot Act have had on U.S. Companies. 4) Information Security: A description of the level and type of information security that exists in various types of organizations including the number of staff dedicated to information security. 5) Relationship Between Private Security and Law Enforcement Agencies: A description of the relationship between security segments and law enforcement agencies. 6) Relationship with Other Business Units: The extent to which security interacts with other business units such as human resources, finance, operations and others to better describe how security works within an organization and the co-dependencies that exist. In addition to the survey research and secondary sources, a focus group was used to assist in the research design and identification of the research objectives referenced above. The focus group was held in September 2003, at the annual ASIS International meeting. The purpose of the focus group was to determine how the study would be conducted and to finalize the primary research objectives. Following this meeting, some members were asked to serve on the Security Study Working Group (SSWG). Throughout the study, members of this working group were asked to provide feedback on survey instruments and research methodology. All survey instruments were reviewed and approved by the ASIS SSWG. 9

12 Instrumentation All U.S. Companies The original survey instrument for industry sectors was made available in two forms. The first was a 41-item, self-report pen and paper survey intended to be administered by mail and accompanied by a cover letter describing the purpose and intent of the study, sponsorship of the survey, instructions, a promise of confidentiality, and notification of approval by the University Institutional Review Board. This survey was mailed to all companies identified for sample inclusion. A second, identical survey instrument was made available to all companies in the sample on the web. As a follow up to the mail and web versions of the survey, a shorter survey was used for administration by phone. That instrument included 27 items with modifications for appropriate phone delivery. ASIS Companies Because this group of members are affiliated with corporate America, they received the same surveys (paper, phone, and web) used for the industry sectors. This allowed for easy comparisons between ASIS Companies and All U.S. Companies. ASIS Security Services A different survey was created for the ASIS Security Services sample. This 37-question survey focused more on the unique aspects of their role in the security services industry. Questions consisted of economic strength, interaction with law enforcement, impact of 9/11, and legislation. The survey of ASIS Security Services was also available in web format. Law Enforcement Once again, a different survey was created for the Law Enforcement sample to focus more specifically on their relationships with corporate security and security services. The 14 questions focused on frequency and extent of contact with security, in addition to opinions on training and education for security officers. Law enforcement administrators were also able to complete the survey online. Response Rates From the very beginning of any survey research project, consideration is given to expected and desired sample sizes. Expectations for response rates must be considered within the context of response rates derived from similar survey efforts of a particular population and the specific topic of study. The final response rate for the survey of All U.S. Companies was 21.6%. According to previous studies, this rate falls within the acceptable range for surveys of the security industry. Similar response rates were seen for the survey of ASIS Security Services (20.6%) and ASIS Companies (27.9%). The Law Enforcement survey had the highest response rate at 35%. Data Analysis The data were analyzed using the Statistical Package for the Social Sciences (SPSS), version 13.0 for the PC. Many of the questions answered were measured on rank-order scales (e.g., none, minor, moderate, and major). Therefore, most of the statistical analyses involved generating frequencies, percentage distributions, and means. 10

13 Characteristics of Respondents The four surveys tapped the experiences and concerns of significantly different Top types Three of Security organizations (see Table 1). One difference is size. The median size of All U.S. Companies responding Concerns for all to the survey was 50 total employees, compared to a median for ASIS Companies of 950 employees. U.S. Companies: (Table 1 presents both means and medians. Because of a few very large companies in each sample that skew the means, the median is a better representation of the typical responding 1. Computer company. Network The median indicates the middle point in the distribution i.e., half of responding companies Security were bigger and half were smaller.) Clearly, ASIS Companies tend to be significantly larger 2. Liability than the Insurance normal or average company as represented by All U.S. Companies respondents. ASIS 3. Employee Security Theft Services companies also tend to be smaller; the median size of ASIS Security Services companies responding to the survey was 70 employees. Another measure of size is company revenue. The median annual company revenue for ASIS Companies responding to the survey was $51 million, compared to $4.2 million for All U.S. Companies and $3 million for ASIS Security Services companies. Table 1. Characteristics of Organizations Responding to the Four Surveys. All U.S. Companies ASIS Companies ASIS Security Services Law Enforcement Total employees range 1-200, , , Total employees mean 1,486 8, Total employees median Annual company revenue ( ) median $4.2 million $51.0 million $3.0 million --- Within the overall category of All U.S. Companies it is possible to examine differences between industry sectors (see Table 2). Median annual revenue was smallest for companies in the manufacturing and transportation-communication-utilities sectors and greatest for companies in the services and wholesale-retail trade sectors. Per company employment was highest in the financeinsurance-real estate sector (median of 200 employees) while the rest were in the range of median employees. Table 2. Characteristics of Responding U.S. Companies By Industry Sector (All U.S. Companies Survey). 11

14 Two of the four surveys also asked about the number of security employees and annual company security budgets. ASIS Security Services companies were not asked these questions because their whole staff and budget is security-related, albeit focused on providing security services to other companies and entities. Law Enforcement agencies were not asked these questions because, given their nature, most would not employ security staff or contract with others to provide security for their own organizations, although it is true that a few large police departments use security guards for facility protection and other duties. Top 3 Security Concerns for all U.S. Companies: 1. Computer Network Security 2. Liability Insurance 3. Employee Theft Top 3 Security Concerns for ASIS Companies: The number of security employees for ASIS Companies ranged from 0-3,200 with a mean of 97 and a median of 19. The median security budget was $755,000 (see Table 3). By contrast, All U.S. Companies had 0-4,000 security employees with a mean of 35 and a median of three (3) security employees and a median security budget of just $2,000. These latter figures are somewhat distorted, though, because numerous companies indicated that they had a few security employees but no security budget. This seemed to signify that several individuals in a company might have part-time security responsibilities without the existence of any specific security budget. If means rather than medians are compared, ASIS Companies had about three times as many security employees and about six times more security dollars, compared to All U.S. Companies. Table 3. Characteristics of Security Operations in Companies Responding to the Surveys. All U.S. Companies ASIS Companies 1. Access Control 2. Property Crime 3. Terrorism and Workplace Violence Total employees with security responsibilities range Total employees with security responsibilities mean Total employees with security responsibilities median 0 4, , Annual security budget ( ) range $0 $55 million $90,000 $85 million Annual security budget ( ) mean $1,031,309 $6,157,089 Annual security budget ( ) median $2,000 $755,000 Another indication of the peripheral role played by security in the typical company (as represented by the All U.S. Companies survey) is that the modal number of employees with security-related responsibilities was zero (0) that is, the most common specific number of security employees was none. Moreover, 27.4% of All U.S. companies had either zero or one employee with securityrelated responsibilities. The individuals who completed the surveys were also asked whether security was their primary responsibility. In ASIS Companies, 78.7% of respondents indicated yes, contrasted to only 15.6% of respondents from All U.S. Companies. This would seem to indicate that in smaller companies the individual who is responsible for security almost always wears other hats, and in fact security is not their primary job. Median security employment per sector ranged from 2-6 employees and median security budgets were miniscule across all sectors (see Table 4). Survey respondents in the manufacturing and agriculture-mining-construction sectors were least likely to indicate that security was their primary responsibility (10-11%). In the other sectors, 23-29% of respondents indicated that security was their primary responsibility. 12

15 Table 4. Characteristics of Security Operations in U.S. Companies By Industry Sector (All U.S. Companies Survey). Manufacturing Agriculture- Mining- Construction Transportation- Communication- Utilities Wholesale- Retail Trade Finance- Insurance- Real Estate Services Total employees with security responsibilities range , ,500 Total employees with security responsibilities mean Total employees with security responsibilities median Annual security budget ( ) range Annual security budget ( ) mean Annual security budget ( ) median 9 2 *** *** *** 30 3 $0 $1.4 million $54,086 $1, $0 $16.2 million $1,387,167 $6, $0 $2.0 million $135,329 $10, *** *** *** 90 3 $0 $30 million $2,724,038 $1,000 Terrorism ties with Workplace Violence as a top 3 concern for ASIS Companies. Section 1: The Security Industry in the United States 1.1 Top security-related concerns of All U.S. companies. Tables 1.1 and 1.2 provide information about the greatest security-related concerns expressed by survey respondents, who were asked to identify their top three concerns. Those concerns with similar significance for both All U.S. Companies and ASIS Companies are grouped in Table 1.1. Items on which the two categories of companies diverged substantially are presented in Table 1.2. The most frequently identified concern for All U.S. Companies was computer/network security. Concern about access control was cited most often by ASIS Companies. There was no overlap at all between the top three concerns of the two groups. The top three for All U.S. Companies were computer/network security, liability insurance, and employee theft. For ASIS Companies, the top three were access control, property crime, and a tie between workplace violence and terrorism. Interestingly, terrorism tied for third for ASIS Companies but was only 16th for All U.S. Companies. Similarly, violent crime was the 5th most commonly chosen concern of ASIS Companies but only 17th for All U.S. Companies. Table 1.1. Similar Security-Related Concerns Between ASIS and non-asis Companies (percent selecting each concern among their top three). Security-Related Concerns All U.S. Companies ASIS Companies Employee theft 26.6% 21.6% Property crime 25.4% 33.8% Information security 23.1% 14.9% Burglary 18.2% 13.5% Vandalism 14.4% 9.5% Substance abuse 14.2% 5.4% Privacy issues 7.7% 5.4% Identity theft 7.2% 9.5% Product tampering, counterfeiting, diversion 6.5% 8.1% Ethical misconduct 6.0% 4.1% White collar crime 3.5% 5.4% Corporate espionage 2.5% 2.7% 13

16 Table 1.2. Differing Security-Related Concerns Between ASIS and non-asis Companies (percent selecting each concern among their top three Security-Related Concerns All U.S. Companies ASIS Companies Computer/network security Liability insurance Access control Workplace violence Parking lot/garage security Terrorism Violent crime 46.5% 39.6% 12.4% 12.2% 10.4% 5.5% 5.2% 20.3% 5.4% 37.8% 27.0% 23.0% 27.0% 25.7% Proportionately, the two security-related concerns identified much more by All U.S. Companies than by ASIS Companies were liability insurance and substance abuse. From the other perspective, ASIS Companies were much more likely than All U.S. Companies to identify terrorism and violent crime as top security concerns. Among areas of general agreement, less than 10% of each group chose corporate espionage, white-collar crime, ethical misconduct, privacy issues, product tampering/ counterfeiting/diversion, and identity theft among their top three concerns. The top three security-related concerns for each of the industry sectors in the All U.S. Companies survey are presented in Table 1.3. Computer/network security was the top concern for three of the sectors and showed up in the top three for all six sectors. Liability insurance was the top concern for two sectors and rated in the top three for five of the six. Other common high-ranking concerns were property crime, employee theft, and information security. Perhaps most interesting, but not necessarily surprising, employee theft was the top concern for the wholesale/retail trade sector, substance abuse made the top group for the transportation/communication/utilities sector, and identity theft was in the top three for the finance/insurance/real estate sector. The concern for identity theft by the finance sector is understandable given the recent events of Citifinancial, a consumer finance division of Citigroup providing personal and home equity loans, which had to notify 3.9 million customers that computer tapes containing information about their accounts were missing. The missing data included customer Social Security numbers, loan account data, names and addresses. According to the Washington Post, this puts the number of U.S. consumers whose personal data having been lost or stolen, to more than 6 million in just the last six months (Jonathan Krim, Washington Post, June 7, 2005). 14

17 Table 1.3. Top Three Security-Related Concerns By Industry Sector (All U.S. Companies Survey). Industry Sector Agriculture-Mining-Construction Manufacturing Transportation-Communication- Utilities Wholesale-Retail Trade Finance-Insurance-Real Estate Services 1.2 Outsourcing of security functions. Top Three Security-Related Concerns Liability insurance Property crime Computer/network security Computer/network security Liability insurance Employee theft Liability insurance Property crime Computer/network security and Substance abuse (tie) Employee theft Liability insurance Computer/network security Computer/network security Information security Identity theft Computer/network security Information security Liability insurance and Property crime (tie) One common security concern exists across all industry sectors: computer/network security. Companies sometimes provide their own security functions, often referred to as Proprietary Security and sometimes these functions, in whole or in part, are contracted to outside firms providing contract security services. Tables 1.4 and 1.5 summarize survey findings on this issue for All U.S. Companies and for ASIS Companies. Table 1.4 presents security functions for which the degree of outsourcing was similar between All U.S. Companies and ASIS Companies. Among these, the functions most commonly contracted out (60%+) were alarm monitoring and substance abuse testing. By contrast, the degree of outsourcing of investigations, information services, and disaster planning/recovery was less than 20% for both categories of firms. Table 1.4 Similar Degrees of Outsourcing Between ASIS and Non-ASIS Companies: Percent of Security Functions Contracted to Outside Firms (average percent of each service that is contracted out). Alarm monitoring services Substance abuse testing Training Investigations Badging services Information services Disaster planning/recovery U.S. Companies ASIS Companies 68.9% 61.6% 18.8% 18.7% 15.1% 12.1% 10.9% 68.0% 60.5% 26.8% 17.2% 22.4% 12.1% 15.8% 60% of All U.S. Companies and ASIS Companies contract out Alarm Monitoring and Substance Abuse Testing 15

18 Table 1.5 identifies the security functions for which the difference in the degree of outsourcing was greater than 10% between the two groups of firms. ASIS Companies outsourced armored courier services, shredding, off-site record storage, systems integration, and security engineering twice as much or more than All U.S. Companies. Only computer security was substantially more likely to be contracted out by All U.S. Companies compared to ASIS Companies. Table 1.5. Differing Degrees of Outsourcing Between ASIS and Non-ASIS Companies: Percent of Security Functions Contracted to Outside Firms (average percent of each service that is contracted out). Outsourcing of guard services is ranked 7th by both All U.S. Companies and ASIS Companies. ASIS Companies are much more likely than All U.S. Companies to expand security, with 80% saying they will invest more in security equipment and programs in the upcoming year. Security Functions All U.S. Companies ASIS Companies Alarm installation/maintenance/repair Background investigations Pre-employment/psychological testing Computer security Guard services Shredding Off-site record storage Systems integration services Armored courier services Security engineering 69.4% 43.8% 34.0% 31.6% 30.3% 25.0% 21.8% 18.0% 14.4% 9.7% 85.4% 62.4% 47.8% 12.5% 49.1% 63.2% 48.7% 38.2% 63.8% 22.8% Looking at the information in the two tables together, the security functions outsourced to the greatest degree were alarm installation/maintenance/repair, alarm monitoring, substance abuse testing, and background investigations. These are security functions that most companies need, regardless of size, and ones that are specialized enough to be logical candidates for contracting out. Other functions like training and investigations are universally needed too, but can often be provided in-house even by smaller companies. Those security functions that were outsourced to a greater degree by ASIS Companies probably fall into two categories. Some functions, such as shredding and off-site storage, are substantially more burdensome for bigger companies, and thus more susceptible to contracting out to other firms that have specialized equipment or facilities for those purposes. In other words, all companies do some shredding, but shredding for a big company is a big enough job to outsource. Other security functions are actually more likely to be needed by bigger companies, and thus probably more likely to be both contracted out and provided in-house. An example of this would be guard services. The information in Table 1.5 might seem to imply that non-asis companies are more likely to provide in-house guard services, because their degree of outsourcing is lower than for ASIS Companies. However, it is more likely that All U.S. Companies may be less likely to have any guards at all, because many of these firms are rather small. 1.3 Growth areas in company security. Respondents were asked about likely expansions in various security arrangements over the upcoming year. As Figure 1.1 indicates, ASIS Companies were much more likely than All U.S. Companies to anticipate security expansion. Over 80% of ASIS Companies said it was likely or very likely that they would invest more in security equipment and expand existing security programs, compared to 35% of All U.S. Companies. Compared to purchasing equipment and expanding existing programs, both groups indicated that it was less likely that they would be increasing in-house security personnel or investing more in contract security services. Given the choice between these two options, though, ASIS Companies were about twice as likely to favor in-house personnel increases over contract guard increases, and All U.S. Companies indicated a three-fold preference for increased in-house personnel over increased contract guard services. 16

19 Invest more in security equipment Figure 1.1. Percent Likely to Expand Various Security Arrangements 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Wholesale/ Retail Trade Companies were least likely to increase spending on security equipment. Invest more in contract security services Invest more in in-house security personnel/overhead Expand an existing security program All U.S. Companies ASIS Companies Among All U.S. Companies (see Figures ), those in the Finance/Insurance/Real Estate sector were especially likely to anticipate increased investments in security equipment and expansions in existing security programs. Wholesale/Retail Trade companies were least likely to expect increased spending on security equipment, while Manufacturing companies were least likely to anticipate expanding existing security programs. Figure 1.2. Percent Likely to Invest More in Security Equipment 0% 20% 40% 60% 80% 100% Ag/Mining/Const Manufacturing Trans/Comm/Utilities Whole/Retail Trade Fin/Ins/Real Estate Services Fewer respondents indicated that they anticipated cut-backs over the next year in any of these areas. Among All U.S. Companies, only 5-7% expected reductions in equipment spending, contract guard services, and in-house security personnel. The comparable figures for ASIS Companies were 8-12%. Less than 5% of each group anticipated cut-backs in existing security programs. 17

20 Finance / Insurance and Real Estate is much more likely than any other sector to increase investments in security equipment, services, and personnel. Figure 1.3. Percent Likely to Invest More in Contract Security Services Ag/Mining/Const Manufacturing Trans/Comm/Utilities Whole/Retail Trade 0% 20% 40% 60% 80% 100% Fin/Ins/Real Estate Services Figure 1.4. Percent Likely to Invest More in In-House Security Personnel/Overhead 0% 20% 40% 60% 80% 100% Ag/Mining/Const Manufacturing Trans/Comm/Utilities Whole/Retail Trade Fin/Ins/Real Estate Services Figure 1.5. Percent Likely to Expand An Existing Security Program 0% 20% 40% 60% 80% 100% Ag/Mining/Const Manufacturing Trans/Comm/Utilities Whole/Retail Trade Fin/Ins/Real Estate Services 18

21 1.4 Purchasing of security systems and services. Respondents were asked about specific types of security systems and services that had been purchased or for which purchases were planned. Table 1.6 presents these in descending order of likelihood for All U.S. Companies. The only items that over one-quarter of all U.S. Companies had purchased were computer/network security and burglar alarms. About one-fifth had purchased CCTV surveillance, fire protection systems, video cameras, security lighting, and background investigations. ASIS Companies, by contrast, were much more likely to have purchased almost every type of system and product, with the only exceptions being computer/network security and transmission systems (which less than 1% of each group had purchased). The anomaly for computer/network security is most likely attributed to the preparations previously taken by major corporations for the year 2000 (Y2K). For 17 of the items, ASIS Companies were three times more likely to have made purchases than All U.S. Companies, and for another 12 items they were twice as likely. There were six items that over 50% of ASIS Companies had purchased CCTV surveillance (83%), access control (76%), video cameras (71%), digital video storage/retrieval (69%), two-way radios, and electric/electromagnetic locks. Table 1.6. Security Systems/Products the Company Has Purchased or Plans to Purchase (percent indicating yes). Security Systems/Products All U.S. Co. ASIS Co. Security Systems/Products All U.S. Co. ASIS Co. Computer & network security 39.7% 34.7% Intercoms* 9.9% 24.0% Burglar alarms 26.3% 41.3% Outdoor perimeter protection* 9.9% 20.0% CCTV surveillance** 23.8% 82.7% Emergency/security telephone** 8.7% 30.7% Fire protection system* 23.8% 48.0% Vehicle/fleet monitor/tracking 7.7% 10.7% Video cameras* 23.6% 70.7% Photo ID/imaging ID system** 7.4% 26.7% Security lighting* 19.6% 45.3% Integrated security system** 6.5% 30.7% Background investigations 19.6% 28.0% Security glass** 4.7% 18.7% Access control** 19.1% 76.0% Incident analysis software* 4.2% 9.3% Sensors & detectors* 16.1% 37.3% Security equipment enclosures* 4.0% 12.0% Badging/ID card printers** 15.9% 48.0% Guard encl/booths/houses** 3.7% 24.0% Two-way radios** 13.9% 53.3% Telephone entry systems* 3.7% 8.0% Electric/electromagnetic locks** 13.9% 50.7% Integrated building system* 3.0% 8.0% Safes & vaults* 13.6% 33.3% Electronic article surveillance 3.0% 4.0% Web-based security monitoring 13.4% 24.0% Biometric access control** 2.5% 21.3% Information security 13.4% 18.7% Metal detection** 2.5% 13.3% Digital video storage/retrieval** 12.9% 69.3% Turnstiles** 1.5% 10.7% Electronic access control** 12.7% 48.0% Transmission systems 0.7% 0.0% Asset tracking* 10.7% 21.3% Night vision equipment** 0.2% 5.3% Gates/gate operators** 9.9% 42.7% * Indicates ASIS Companies response more than twice as high as All U.S. Companies. ** Indicates ASIS Companies response more than three times as high as All U.S. Companies. 19

22 1.5 Services provided by security services companies. The previous section pertained to security-related services and products that All U.S. Companies have purchased or plan to purchase. The separate survey of ASIS Security Services companies (i.e., guard companies, alarm companies, etc.) asked these types of companies about the kinds of services that they provide and sell. The average portions of the security companies services that fell into each of several categories are indicated below: 35.2% unarmed security guards 10.8% armed security guards 10.7% physical security systems (access control, intrusion detection, CCTV, alarms) 4.8% technical and security systems solutions (design physical security systems, etc.) 4.5% risk and vulnerability assessments 4.2% alarm systems and monitoring services 2.5% special security services (technical surveillance counter-measures, defensive driving, executive protection, etc.) 8.8% other Companies were also asked about the specific types of security systems and products that they provide (see Table 1.7). Over one-third of the companies provide access control, CCTV surveillance, and background investigations. There would seem to be a good bit of competition in the security services business, as 17 different products and systems were provided by at least 20% of the companies. Table 1.7. Percent of ASIS Security Services Companies Indicating That They Provide Specific Types of Security Systems and Products. 44.8% -- access control 41.8% -- CCTV surveillance 37.3% -- background investigations 32.8% -- outdoor perimeter protection 32.8% -- electric/electro-magnetic locks 29.9% -- gates/gate operators 29.9% -- video cameras 28.4% -- electronic access control system 28.4% -- badging/id card printers 23.9% -- biometric access control systems 23.9% -- digital video storage/retrieval 23.9% -- sensors and detectors 22.4% -- burglar alarms 22.4% -- fire protection system 22.4% -- integrated security system 22.4% -- photo ID/imaging ID system 20.9% -- asset tracking 19.4% -- emergency/security telephone 19.4% -- information security 19.4% -- intercoms 19.4% -- turnstiles 17.9% -- metal detection 16.4% -- integrated building system 14.9% -- two-way radios 14.9% -- transmission systems 13.4% -- web-based security monitoring 13.4% -- telephone entry systems 13.4% -- security equipment enclosures 13.4% -- computer and network security 11.9% -- electronic article surveillance 11.9% -- guard enclosures/booths/houses 11.9% -- vehicle/fleet monitoring/tracking 10.4% -- night vision equipment 9.0% -- security lighting 9.0% -- safes and vaults 6.0% -- security glass 4.5% -- incident analysis software 20

23 There is general correspondence between the systems and products most commonly provided by these security services companies and the reported security-related purchasing plans of All U.S. and ASIS Companies (as presented in Table 1.6). The correlation coefficient between the purchasing plans of All U.S. Companies and the systems and products provided by the security services companies was.38, a moderately strong degree of association. Even stronger, though, was the correlation coefficient of.65 between the purchasing plans of ASIS Companies and the systems and products provided by ASIS Security Services companies. While this is a rough analysis, it suggests that ASIS Security Services companies tend to tailor their businesses to the needs of larger customers (as represented by ASIS Companies), and/or that it is simply harder for them to anticipate and respond to the more diverse and perhaps less predictable needs of smaller companies. In other words, smaller companies may represent a more fragmented and challenging market for security services companies whereas larger firms such as ASIS Companies represent a more stable and reliable market. ASIS Security Services companies were asked in the past fiscal year, how has revenue changed as a result of the U.S. business and economic environment? More spending on security by clients and customers was reported by 54% of the respondents, whereas 28% indicated less spending. In the upcoming fiscal year, 76% of the security services companies expected their revenue to increase, while only 4.5% expected decreased company revenue. When these companies were further queried about specific spending plans for the next fiscal year, they indicated the following: 45% indicated that they were somewhat or very likely to invest more in advertising/marketing, versus 5% who were somewhat or very likely to cut back. 53% indicated that they were somewhat or very likely to invest more in personnel, versus 5% who were somewhat or very likely to cut back. 60% indicated that they were somewhat or very likely to expand security services and products, versus 5% who were somewhat or very likely to cut back. One additional question was asked of these ASIS Security Services companies regarding their expectations for security business growth over the next five years in 15 industry sectors (see Table 1.8). The only sector in which more respondents forecasted 10% or greater growth versus no growth was construction. Two other sectors for which at least one out of five respondents expected 10% growth or greater were healthcare and government (non-military). The weakest growth forecasts were for gaming/wagering, agriculture, food services, and lodging. 21

24 Table 1.8. ASIS Security Services Companies Expectations of Business Growth in Specific Industry Sectors Over the Next Five Years. Healthcare Construction Government (non-military) Banking/Finance Utilities Military Insurance/Real Estate Transportation Manufacturing Wholesale/Retail Trade Communications Lodging Food Services Agriculture Gaming/Wagering No Growth 31.9% 18.9% 40.0% 37.5% 46.9% 77.3% 41.3% 44.7% 18.0% 39.2% 48.9% 56.5% 75.0% 82.9% 67.4% 10% or more Growth 23.4% 20.8% 20.0% 16.7% 16.3% 13.6% 13.0% 10.6% 10.0% 9.8% 8.9% 6.5% 5.0% 4.9% 4.7% 1.6 Size and Economic Strength of Security. Security budget and revenue forecasts. As indicated in Table 1.9, about five times as many companies anticipated increases in security budgets as decreases in the next fiscal year, while about 15 times more ASIS Security Services companies expected increased revenues compared to decreases. For All U.S. Companies, the most common expectation was for security budgets to stay the same three-quarters expected stable budgets while 22% expected increases. For ASIS Companies, the majority expected budget increases, while 10% expected deceases. For ASIS Security Services companies, over three-quarters expected increased revenues, while less than 5% expected decreased revenues. Table 1.9 Anticipated Changes to Company Security Budget/Revenue in the Next Fiscal Year. All U.S. Companies ASIS Companies ASIS Security Services Decrease 3.9% 10.1% 4.5% Stay the same 73.9% 37.7% 19.4% Increase 22.2% 52.1% 76.2% When the magnitude of expected changes in the following year s security budget/revenue picture is examined, the same pattern emerges all three categories of companies anticipated increases, with ASIS Security Services companies most optimistic, followed by ASIS Companies and then All U.S. Companies. ASIS Security Services 16.2% average increase in revenues expected. ASIS Companies 8.7% average increase in security budgets expected. All U.S. Companies 3.4% average increase in security budgets expected. 22

25 Companies were also asked to provide some historical security-related budget data (see Table 1.10). Both All U.S. Companies and ASIS Companies showed average security budget increases in two out of three years covered by the data. Both groups registered significant increases from to , perhaps due to the events of September 11th. Overall, security budgets for All U.S. Companies increased an average of 22% from to , compared to an average increase of 14% for ASIS Companies. This may suggest that while ASIS Companies experienced increases, there is greater growth potential for security in All U.S. Companies who, prior to September 11th, had not historically invested as much in security operations. Table 1.10 Annual Security Budgets Over A Four-Year Period (Company Averages). All U.S. Companies ASIS Companies $844,982 $966,414 $924,219 $1,031,309 $5,388,411 $6,167,451 $6,325,460 $6,157,089 Status of the security function. The surveys asked respondents to summarize how the security function was handled in their company (see Table 1.11). In ASIS Companies, about three-quarters of the security function was handled internally by a security department and/or company personnel, compared to slightly over one-half for All U.S. Companies. The latter contracted out about one-third of their security functions, compared to about 20% contracting out for ASIS Companies. Table Distribution of Company Security Function Between Internal and External Providers. Security department/company personnel Contract/outside firm Other All U.S. Companies 56.5% 34.5% 9.0% ASIS Companies 77.3% 19.2% 3.5% The differing status of the security function between All U.S. Companies and ASIS Companies is dramatically illustrated in Table In about two-thirds of All U.S. Companies, the person responsible for the security function is a generalist manager with multiple duties, whereas in 84% of ASIS Companies there is an individual with the title of Chief Security Officer or Security Manager/Director/ Vice-President. These generalist managers in non-asis companies represent a potential market for training and education on security-related topics and are less likely to have heard of organizations such as ASIS International. Table Position/Title of Survey Respondents. Survey Respondents All U.S. Companies ASIS Companies Chief security officer Security management Security services/products Security supervisor Consultant Architect/engineer Executive/financial management Other 4.7% 13.2% 0.2% 9.4% 1.0% 2.7% 38.7% 27.3% 25.3% 58.7% % 2.7% % 9.3% 23

26 Survey respondents were asked about their education levels and security-related certifications (see Table 1.13). About two-thirds of those responsible for security in All U.S. Companies and ASIS Companies possessed at least a 4-year college degree, compared to about one-half of executives in ASIS Security Services companies. The security services executives were by far most likely to have attained the Certified Protection Professional (CPP) certification, whereas respondents from ASIS Companies were just as likely to have achieved the Certified Fraud Examiner (CFE) designation as they were the CPP certification. Managers responsible for security functions in All U.S. Companies were very unlikely to have obtained any of the security-related certifications. Table 1.13 Educational Level and Security-Related Certifications. Section 2: Impacts of September 11th 2.1 Investments in security. An important objective of the project was to determine the impact of the September 11th tragedies on security operations in U.S. companies. As indicated in Figure 2.1, ASIS Companies indicated a much greater impact of 9/11 on security spending than did All U.S. Companies. Twothirds of ASIS Companies reported that 9/11 affected their security spending versus only 21% of All U.S. Companies. Figure 2.1. Percent Indicating That 9/11 Affected Security Spending in Their Company. 80% 70% 60% 50% 40% 30% 20% 10% 0% All U.S. Companies ASIS Companies 24

27 Among All U.S. Companies, the impact of 9/11 on security spending seems to have varied substantially by industry sector. The figures below indicate the percent of respondents reporting that 9/11 affected security spending in their companies. 53.3% finance-insurance-real estate 33.3% transportation-communication-utilities 27.9% services 20.8% wholesale-retail trade 20.0% agriculture-mining-construction 15.7% manufacturing Over one-half of finance-insurance-real estate companies reported increased security-related spending compared to only 15.7% of manufacturing companies. It can be noted that in the insurance sector alone the losses from the terrorist attack on 9/11 are estimated at between $30 billion and $58 billion dollars. The attacks represent the largest insurance event in history, dwarfing the $21 billion of losses incurred when Hurricane Andrew hit Florida in 1992 (OECD Economic Outlook No. 71, June 2002). Table 2.1 indicates some of the specific ways in which security spending was affected in those companies that reported an impact due to 9/11. The most common response was to re-evaluate existing security programs. Developing new security policies, upgrading existing security programs/ systems, and implementing new security programs were also fairly common. The least common responses to 9/11 were to increase either in-house or outside/contracted security staff. Table 2.1. How was Security Spending Effected by 9/11 (percent indicating yes). Effects of 9/11 on Company Security Spending Re-evaluated existing security programs Developed new/additional security policies Spent money to upgrade existing security programs/systems Implemented security programs Spent money on new security systems Increased in-house security staff Increased outside or contracted security staff All U.S. Companies 64.1% 57.6% 48.9% 43.5% 37.0% 16.1% 12.0% ASIS Companies 92.2% 74.5% 78.4% 47.1% 72.5% 33.3% 27.5% ASIS Companies were more likely than All U.S. Companies to report each type of impact of 9/11 on security spending. The difference was marginal for implementing new security programs, modest for developing new policies, and pronounced for re-evaluating existing security programs, upgrading existing programs/systems, spending on new security systems, and increasing both in-house and outside security staff. On average, ASIS Companies were about 20% more likely than All U.S. Companies to report increased investments in security as a result of 9/11. 25

28 A related survey item asked respondents if the events of September 11th continue to affect their business. Figure 2.2 presents the responses of All U.S. Companies and ASIS Companies. The pattern closely parallels the discussion above regarding the initial impact of 9/11 on company security spending. ASIS Companies were much more likely than All U.S. Companies to report a continuing impact, by a margin of 69% to 34%. Figure 2.2. Percent Indicating That 9/11 Continues to Affect Their Business. 80% 70% 60% 50% 40% 30% 20% 10% 0% All U.S. Companies ASIS Companies The continuing impact of 9/11 on companies and business seems to vary across different industry sectors, according to responses to the All U.S. Companies survey. The figures below indicate the percent of respondents by sector reporting that 9/11 continues to affect their business. Once again the finance-insurance-real estate sector is most likely to report effects from 9/11. Nearly one-half of the services and transportation-communications-utilities companies also indicate continuing impact, while the least affected, several years later, seem to be the manufacturing and wholesale-retail trade sectors. Finance, Insurance and Real Estate continue to be most impacted by 9/11. Impacts of 9/11 on Business by Industry Sector 71.4% 47.6% 45.5% 33.3% 27.4% 25.8% finance-insurance-real estate service transportation-communication-utilities agriculture-mining-construction manufacturing wholesale-retail trade Table 2.2 presents responses regarding some of the specific continuing effects of 9/11. The most common continuing impact is increased spending on security technology, followed by increased spending on physical security and an increased overall security budget. The least common continuing effect is increased security staff. As above, ASIS Companies were substantially more likely than All U.S. Companies to report each of these continuing impacts, by an average margin of over 20%. The survey also asked whether companies had experienced decreased spending in each of these categories. Very few respondents from either ASIS Companies or All U.S. Companies indicated that security spending had decreased as a result of a continuing impact from the events of 9/11. 26

29 Table 2.2. If 9/11 Continues to Affect the Business, How is it Affected (percent indicating yes). All U.S. Companies ASIS Companies Increased spending on security technology 43.0% 69.2% Increased spending on physical security 32.0% 57.7% Increased security budget 26.0% 50.0% Increased security staff 12.0% 25.0% 2.2 Impact on security services companies. ASIS Security Services companies were asked slightly different questions regarding the impact of the events of September 11th on their companies. When asked if the events of 9/11 had a noticeable impact on sales, 75% of these companies said yes. One set of items asked how they had responded to the new threat of terrorism. Responses to these items are presented in Figure 2.3. A strong majority indicated that they had re-evaluated existing security services provided by their company and increased training for security staff on terrorism-related topics. About one-third had contacted the Department of Homeland Security about business opportunities, but only 10% had actually received any funding. About one-third of the ASIS Security Services companies also reported that they had updated their marketing materials, begun marketing to new business sectors, and begun providing new security services. Most common continuing impact of 9/11 is increased spending on security technology. Security spending has increased follwing 9/11. Figure 2.3. Response to Terrorism by Security Services Companies: Percent Indicating Yes. Re-evaluated existing security services Increased training for security staff Contacted DHS for business/contracts Updated existing marketing material Marketed to new business sectors Provided new security services Implemented new marketing programs Added counter-terrorism to services Received DHS funding/contracts 0% 10% 20% 30% 40% 50% 60% 70% These companies were also asked whether they expected the continuing impact of 9/11 to influence their business in Responses were as follows: 48.5% yes 25.0% not sure 26.5% no 27

30 A series of questions probed specific types of continuing impact of 9/11 on ASIS Security Services companies. Figure 2.4 presents the percent of respondents indicating yes to several specific impacts expected in The most common continuing impact was increased spending to expand the security services offered by the company. About 30% of companies also expected to increase attendance at conferences and marketing, while one-quarter expected to increase training for security staff. Only about one in five companies expected to hire additional security staff in as a result of the continuing impact of 9/11. Figure 2.4. Continuing Impact of 9/11 on Security Services Companies: Percent Indicating Anticipated Increases in Security staff hiring Staff training Attend homeland security conferences Marketing company services Attend security-related conferences Spending to expand services 0% 10% 20% 30% 40% 50% ASIS Security Services companies were also asked whether they expected spending to decrease in any of these areas in due to the continuing impact of 9/11. On each item, fewer than 10% indicated that they expected decreased spending which would indicate that the security service providers are continuing to experience an increased business impact from 9/11 and are making adjustments or changes to their marketing and operations strategies. 28

31 Section 3: Impacts of Legislation 3.1 Extent of impact from recent legislation. Private security operations have been affected in recent years by new legislation and regulation. The surveys asked respondents how much impact specific statutes had on their security policies and procedures. Table 3.1 indicates the percent of All U.S. Companies, ASIS Companies, and ASIS Security Services companies that reported a moderate or major impact from each statute. Table 3.1. Impact of Statutes on Security Policies and Procedures HIPAA Sarbanes-Oxley Act USA Patriot Act Federal Information Security Management Act Notice Law Financial Modernization Act Chemical Security Act Public Safety/Protection Investment Act PSO Employment Authorization Act Restore FOIA EU Privacy Laws Impact of Statutes on Security Policies and Procedures (percent indicating moderate or major impact). All U.S. Companies 34.6% 21.1% 19.0% 15.8% 12.8% 12.1% 10.0% 9.1% 8.3% 7.5% 4.8% ASIS Companies 45.2% 48.1% 53.8% 32.1% 23.0% 17.0% 23.8% 23.2% 17.7% 10.6% 13.4% ASIS Security Services 21.6% 14.5% 34.4% % 10.2% % Legislation requirements continue to be under-funded by most companies. The three statutes with the most impact on all types of companies were Health Insurance Portability And Accountability Act (HIPAA), the Sarbanes-Oxley Act, and the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA Patriot). ASIS Companies reported more impact than other types of companies on each and every one of the eleven statutes, and about one-half of the ASIS Companies indicated moderate or major impact from the top three statutes. The degree of impact for All U.S. Companies and ASIS Security Services companies was smaller. HIPAA was cited by All U.S. Companies as having the greatest impact on them, whereas the USA Patriot Act was rated most influential by ASIS Companies and ASIS Security Services companies. Survey respondents were asked whether the effects of this new legislation have led to increased security budgets. The percent of respondents indicating yes were: All U.S. Companies % ASIS Companies % ASIS Security Services % This indicates that overall, only about one in eight companies have received security budget increases to help offset the effects of these new federal statutes. In ASIS Companies the picture is twice as good, in that one in four companies have gotten increased security budgets. However, that still means that three out of every four ASIS Companies have not gotten such increases to help cover the impact of this new legislation. 29

32 Respondents were also asked if their companies had established Sarbanes-Oxley audit-steering committees. The percent indicating yes on this item were: All U.S. Companies % ASIS Companies % ASIS Security Services - 3.3% Clearly, there is a rather big difference between ASIS Companies and others on this specific response to Sarbanes-Oxley, perhaps owing to the fact that ASIS Companies tended to be larger than All U.S. Companies, or ASIS Security Services companies and Sarbanes-Oxley has been a focus of many training sessions and workshops by ASIS International. This suggests that ASIS members tend to have more training and awareness of the Sarbanes-Oxley Act and the compliance requirements associated with it, however, it would appear that the majority of companies (68%) are still not in compliance with regard to the Sarbanes-Oxley compliance requirements. 30

33 Section 4: Information Security 4.1 Staff dedicated to Information Security. One of the growing concerns in the field is information security, including computer security. Survey respondents indicated that most companies only have a few specialists dedicated to information security, but some companies have a much larger staff devoted to this activity. For ASIS Companies, 53% had 1-3 dedicated staff in this area, while 14% had 10+ information security staff and 11% had no staff dedicated to information security. For All U.S. Companies, 52% had 1-3 staff dedicated to information security, 6% had 10+ dedicated staff and 29% had no dedicated staff. The biggest difference was that All U.S. Companies were almost three times more likely not to have any staff dedicated to information security. This is in spite of the fact that, as noted earlier, computer/ network security is the top rated concern of All U. S. Companies. 4.2 Impact of 9/11 on Information Security. Companies were asked whether the events of September 11th had affected their emphasis on information security. Over one-half of ASIS Companies (52%) indicated an increased emphasis on information security post-9/11, compared to 31% of All U.S. Companies. Table 4.1 presents information on specific information security measures that companies reported implementing after September 11th. Table 4.1. Post-9/11 Information Security Measures Adopted by Companies. All U.S. Companies ASIS Companies Anti-virus products 35.8% 46.6% Firewalls 35.1% 60.3% Password security/sso 14.2% 39.7% Web access control/authentication 11.8% 30.1% File/document access control 10.8% 26.0% Laptop security 10.8% 30.1% Authentication software/servers 9.4% 23.3% VPNs 8.7% 15.1% Web content filters 8.0% 19.2% Smart cards/physical access 6.6% 23.3% Data/ encryption 6.6% 12.3% Vulnerability assessment 6.3% 41.1% Network sniffers 6.3% 23.3% Wireless security 4.5% 20.5% IS audit tools 4.2% 23.3% Port scanners 3.5% 15.1% Enterprise security management 2.1% 8.2% DOS prevention tools 2.1% 6.8% Biometrics 1.7% 12.3% Authentication tokens 1.4% 9.6% PKI/digital certs 1.4% 4.1% OS/app hardening/vaults 1.4% 9.6% 31

34 One-third of All U.S. Companies reported implementing anti-virus products and firewalls; the percent adopting any of the other information security measures was less than 15%. By contrast, over one-third of ASIS Companies indicated that they had implemented firewalls, anti-virus products, IT vulnerability assessments, and password security, and at least 25% had also adopted web access control/authentication, laptop security, and file/document access control. ASIS Companies were more likely than All U.S. Companies to have adopted every one of the information security measures. They were at least twice as likely to have implemented 18 of the 22 measures. One possible explanation is that respondents from ASIS Companies are more likely to have attended seminars and workshops as well as received information from ASIS International on these types of issues, and respondents tend to be more knowledgeable about the dangers and possible countermeasures necessary to protect their organization from information security threats. ASIS Companies are much more prepared for information security threats. ASIS Companies were much more likely than All U.S. Companies to have experienced each type of information security breach. Figure 4.1 presents information about company concerns regarding specific threats to information security in the post-9/11 environment. All U.S. Companies reported being most concerned about spam, and at least 25% also indicated great concern about privacy/confidentiality and the physical security of IT systems. ASIS Companies indicated greater concern about every specific threat. These companies were most concerned about IT physical security, with over one-half registering great concern. About 40% of ASIS Companies also reported great concern about spam and privacy/ confidentiality, one-third about web surfing, and over one-quarter about malicious code infection and system unavailability. The percent of ASIS Companies indicating great concern about electronic exploits and denial of service was almost 25%. 60% 50% 40% 30% Figure 4.1. Percent Indicating Greater Concern About Specific Information Security Threats Post-9/11. 20% 10% 0% Denial of service Electronic exploits System unavailability Malicious code infection Web surfing Physical security Privacy/confidentiality Spam A ll U.S. Companies ASIS Companies 4.3 Internal and external security breaches. 32 Respondents were asked to indicate the types of information security breaches they had recently experienced. Table 4.2 reports insider/internal types of breaches experienced by All U.S. Companies and ASIS Companies during the past year. ASIS Companies were much more likely than All U.S. Companies to have experienced each type of information security breach since they tend to be larger companies, this would be expected, even without taking into consideration the possibility of more sophisticated ability to detect such breaches. For both categories of companies, the most common type of internal breach was the installation or use of unauthorized software. About onequarter of ASIS Companies had also experienced abuse of computer access controls, use of company computing resources for illegal or illicit activities, and physical theft, sabotage, or intentional destruction of computing equipment.

35 Table 4.2. Internal/Insider Breaches of Information Security During the Past Year. Internal Breaches Installation/use of unauthorized software Physical theft, sabotage, or intentional destruction of computing equipment Use of company computing resources for illegal/illicit communication/activities Abuse of computer access controls Installation/use of unauthorized hardware/peripherals Use of company computing resources for personal profit Fraud Physical theft, sabotage, or intentional destruction/disclosure of proprietary information All U.S. Companies 19.4% 9.7% 8.7% 7.3% 5.9% 4.5% 3.1% 2.4% ASIS Companies 41.1% 23.3% 24.7% 30.1% 16.4% 13.7% 13.7% 8.2% Outsider/external breaches of information security are presented in Table 4.3. By far, the most common experience of both All U.S. Companies and ASIS Companies was a computer virus, Trojan, or worm. As above, ASIS Companies were more likely to have experienced each type of external breach, but the differences between the two categories of companies were less dramatic than for internal/insider breaches of information security. Table 4.3. Outsider/External Breaches of Information Security During the Past Year. 4.4 Implementation of information security projects. Companies were also asked about the types of information security projects they planned to implement during the upcoming year. Responses from All U.S. Companies and ASIS Companies are compared in Table 4.4. Projects related to spam control headed the list for All U.S. Companies versus strengthening the network perimeter for ASIS Companies. ASIS Companies were more likely to be planning to implement each type of information security project over the next year. The differences were greatest in favor of ASIS Companies for projects aimed at inappropriate web surfing, strengthening the network perimeter, preventing employees from abusing other people s rights, and centralizing information security management, policy, controls, and alerts. 33

36 Table 4.4. Percent of Companies Implementing Information Security Projects for the Next Year. Percent Implementing Information Security Projects All U.S. Companies ASIS Companies Spam 36.8% 41.7% Strengthening the network perimeter to prevent external intrusions 35.2% 61.1% Messaging/ security 29.5% 41.7% ASIS Companies were much more likely to form private / public partnerships with law enforcement. Security and availability for web site and/or e-commerce operations Preventing employees/insiders from abusing rights Securing remote access for traveling employees/telecommuters/remote offices Inappropriate web surfing Centralized management/correlation of security policy/controls/alert data Section 5: Relationships With Law Enforcement 24.3% 18.8% 17.0% 15.6% 6.6% 29.2% 43.1% 29.2% 44.4% 23.6% 5.1 Extent of contacts with law enforcement. Several survey questions probed the relationship between private security and public law enforcement. One matter of interest was whether security officials are having more contacts with law enforcement in the aftermath of September 11, First, it should be emphasized that almost no security respondents indicated that they were now having fewer contacts with law enforcement. Figure 5.1 compares the percent of All U.S. Companies and ASIS Companies that reported increased contacts with law enforcement post-9/11. Figure 5.1. Percent Indicating Increased Contact With Law Enforcement Post-9/11 60% 50% 40% 30% 20% 10% 0% All U.S. Companies ASIS Companies One-half of ASIS Companies reported increased contact with law enforcement since 9/11, with almost all the rest indicating no change. By contrast, only 10% of All U.S. Companies reported increased contact. Clearly, larger companies and those with professional security operations have been much more likely to move toward public-private partnerships and other collaborative efforts with law enforcement than the average (typically smaller) company. 34

37 Responses by industry sector on the All U.S. Companies survey showed wide variation with respect to increased contact with law enforcement since September 11th, as indicated below. Nearly one-half of finance-insurance-real estate companies reported increased contact with law enforcement, versus less than 8% of manufacturing, wholesale-retail trade, and services companies. 46.7% finance-insurance-real estate 20.8% transportation-communication-utilities 10.0% agriculture-mining-construction 7.8% manufacturing 7.5% wholesale-retail trade 5.1% services The Law Enforcement survey asked a similar question about whether the frequency of contacts with private security had changed since 9/11. Responses were consistent with those from security officials, as 23% of law enforcement respondents said they now had increased contacts with private security. Only 1% indicated decreased contacts with private security post-9/11. A related set of items on the Law Enforcement survey asked respondents in your agency s relationships with the private sector today whether certain types of interactions had increased or decreased. The figures below report the percent of law enforcement respondents who indicated that each type of interaction with the private sector had increased or significantly increased. Interactions related to personnel and physical security seem to have increased the most. Very few law enforcement respondents (1-3%) indicated any decreased contact with the private sector or private security. Finance, Insurance, and Real Estate sectors were more likely to have increased contact with law enforcement. 29.4% 28.7% 24.1% 21.1% 20.5% interactions with private companies about their workers (background checks, security concerns, etc.) interactions with private companies about the security of their facilities interactions with representatives of corporate security interactions with security services companies (alarms, armored cars, etc.) interactions with contract security guard companies Security respondents were also asked to report the frequency of their contacts with federal, state, and local law enforcement agencies. Table 5.1 reports the percent of respondents who indicated that their companies had at least one (1) contact per year with each type of law enforcement agency. The vast majority of All U.S. Companies (around 85%) have no annual contacts with federal or state law enforcement agencies, while about one-half have yearly contacts with local law enforcement. Contacts with local law enforcement are also most common for ASIS Companies and ASIS Security Services companies, but their frequencies are much higher across the board. Two-thirds of these companies have annual contacts with federal law enforcement, 70-80% have yearly contacts with state law enforcement, and 89%+ have at least one contact a year with local law enforcement. Table 5.1. Percent of Respondents Indicating at Least One Company Contact Per Year With Federal, State, and Local Law Enforcement. All U.S. Companies ASIS Companies ASIS Security Services Federal law enforcement 15.5% 66.7% 68.7% State law enforcement 17.5% 70.6% 82.5% Local law enforcement 54.4% 98.6% 89.4% 35

38 Another way of looking at extent of contacts is presented in Figure 5.2. The bars on this chart indicate the percent of companies in each category that reported six (6) or more contacts per year with each type of law enforcement agency. Roughly one-third of ASIS Companies and ASIS Security Services companies had six or more annual contacts with both federal and state law enforcement agencies, compared to less than 5% of All U.S. Companies. Each type of company was more likely to have had frequent contacts with local law enforcement. Even with regard to local law enforcement agencies, though, ASIS Security Services companies were five times more likely than All U.S. Companies to report this frequency of contacts per year, while ASIS Companies were seven times more likely. Patrol officers are most likely to interact with security personnel. The Law Enforcement survey asked about the frequency with which different components of police agencies interact with private security. The figures below illustrate the percent of law enforcement respondents who indicated that contacts with security personnel occurred at least monthly. Clearly, operational-level law enforcement personnel have more frequent contact with security personnel than do administrative-level personnel. Patrol officers 40.7% Detectives 35.0% Supervisors 25.2% Managers 19.4% Figure 5.2. Percent of Companies Indicating Six (6) or More Contacts Per Year With Different Types of Law Enforcement Agencies. 100% 80% 60% 40% 20% All U.S. Companies ASIS Companies ASIS Security Services 0% Federal LE State LE Local LE Law Enforcement respondents were also asked about their frequency of contact with specific types of security services providers. The percent indicating that their agency had six (6) or more contacts per year with each category of security services provider is presented below. Contacts with alarm companies were easily the most common, followed by contact with physical security providers and guard companies % 24.3% 14.3% 4.3% Provider of alarm systems and monitoring services Provider of physical security systems (access control,intrusion detection, CCTV) Provider of armed and unarmed security guards Provider of special security services (technical surveillance counter measures, defensive driving, executive protection, etc.)

39 5.2 Nature of contacts with law enforcement. Survey respondents were asked about the nature of their contacts with law enforcement agencies. All U.S. Companies reported that the primary reasons for their contacts with local law enforcement were alarms, theft, and vandalism. No primary reasons stood out for their infrequent contacts with state or federal law enforcement. For ASIS Companies, no primary reasons for contacts with any of the types of law enforcement agencies stood out. For ASIS Security Services companies, the primary reasons for contacts with law enforcement agencies were alarms, investigations, and information sharing. Another approach was to ask companies about the types of contacts they have with law enforcement (without differentiating among types of law enforcement agencies). Responses to these items are summarized in Table 5.2. The one type of contact with law enforcement that All U.S. Companies and ASIS Companies had to about the same extent was alarm response. This was by far the most common type of law enforcement contact for All U.S. Companies, but only the third most common for ASIS Companies, following conducting investigations and information sharing. Interestingly, the least common type of contact with law enforcement for both groups was cyber crimes. This could be attributed to the fact that law enforcement agencies have a limited knowledge of cyber crime and previous responses by law enforcement may have been inadequate. Also, often there is confusion about which law enforcement agency to call, e.g., state, local or federal. Contacts with state and federal law enforcement would likely increase if security personnel knew that these agencies were well equipped to handle cyber crime. However, there are still some thresholds that must be met, e.g., extensive monetary loss, before an agency will pursue a case. Table 5.2. Percent of Companies Indicating That They Have Specific Types of Security- Related Contacts with Law Enforcement. All U.S. Companies ASIS Companies Alarm response Conducting investigations Information sharing Training Homeland security Terrorism Transporting suspects Cyber crimes 64.0% 25.2% 16.0% 9.9% 9.4% 6.7% 4.4% 3.2% 60.0% 72.0% 68.0% 41.3% 53.3% 40.0% 29.3% 17.3% With the exception of alarm response, ASIS Companies had more frequent contacts of each type with law enforcement than All U.S. Companies. The differences were substantial. ASIS Companies were three to six times more likely to have each type of contact, with the greatest proportional differences for transporting suspects, cyber crimes, homeland security, and terrorism. 37

40 The Law Enforcement survey asked respondents about the degree to which they worked with private security on various types of problems and issues. The figures below indicate the percent of law enforcement respondents indicating that their agency works with private security occasionally or frequently on each topic. Alarm response and property crime were cited most often by law enforcement respondents as the basis for regular contacts with private security, followed by event security, employee theft, information sharing, and conducting investigations. At the other end of the scale, the least frequent reasons for contact with private security were corporate espionage, terrorism, and cyber crime. 57.2% alarm response 50.7% property crime 41.9% event security 41.9% employee theft 40.0% information sharing 39.6% conducting investigations 37.9% vandalism 31.8% identity theft 31.7% burglary 31.4% training 27.7% transporting suspects 22.3% homeland security 21.8% information security 20.0% workplace violence 18.9% white collar crime 18.4% violent crime 17.4% product tampering, counterfeiting, diversion 15.2% computer crime/forensics 10.8% cyber crime 8.5% terrorism 4.2% corporate espionage ASIS Security Services companies were asked additional questions about the extent to which they actively collaborate with law enforcement agencies. Figure 5.3 indicates the percent of these companies that reported making certain types of resources available to law enforcement agencies. Nearly one-half of the companies indicated that they occasionally or frequently provide personnel to assist law enforcement, nearly 40% said the same for guards and intelligence, one-third for equipment, and one-quarter for investigators. At the other end of the scale, less than 10% said they occasionally or frequently provide cyber crime or computer security assistance to law enforcement agencies. Again, a possible explanation is simply that law enforcement has not in the past been able to adequately respond to requests for assistance with cyber crime incidents. 38

41 5.3 Collaboration with law enforcement. Figure 5.3. Resources Made Available to Law Enforcement By ASIS Security Services Companies: Percent Indicating Occasionally or Frequently. Cyber Crime Computer Security Funding Investigators Equipment Intelligence Guards Personnel 0% 10% 20% 30% 40% 50% These ASIS Security Services companies were also asked whether they had certain types of established programs with law enforcement agencies. Figure 5.4 indicates the percent of ASIS Security Services companies reporting that they had each type of established program. In the range of 21-27% of these companies had established programs with law enforcement related to traffic control, vulnerability/risk assessment, VIP/executive protection, and disaster management. Less than 10%, however, had established programs with law enforcement related to cyber crime, precious metals movement, and hazardous materials movement. Figure 5.4. Percent of ASIS Security Services Companies With Established Programs With Law Enforcement Agencies. Precious Metals Movement Cyber Crime Hazardous Materials Movement Identity Theft Economic Crime/Fraud Disaster Management VIP/Executive Protection Vulnerability/Risk Assessment Traffic Control 0% 10% 20% 30% 39

42 ASIS Security Services companies were also asked how important they thought it was to have different types of working relationships with law enforcement. The percent indicating that each type of relationship was moderately or very important is presented in Figure 5.5. The most important was understanding and education regarding the differing roles of private security and law enforcement 81% rated that item as moderately or very important. Also high on the importance scale were access to police criminal history record information, joint task forces/groups, and joint associations/seminars. Over 50% also rated working relationships related to information exchange, cross training of personnel, statutes on police moonlighting/owning of firms, and radio communications with police headquarters as moderately or very important. The lowest rated item was deputizing residential security patrols. Figure 5.5. Importance of Various Relationships With Law Enforcement: Percent of ASIS Security Services Companies Indicating Moderately or Very Important Deputize residential security patrol Radio communication w ith police HQ Statutes on police moonlighting etc. Cross-training of personnel Information exchange at low est levels Joint associations/seminars Joint task forces/groups Criminal history record access Education re security & police roles 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 5.4 Satisfaction with relationships with law enforcement. Survey respondents were asked about the seriousness of a number of possible problems in their relationships with law enforcement agencies. As indicated in Table 5.3, inability to access criminal records information was the top rated problem for all three sets of respondents, followed fairly closely by lack of police sharing of criminal intelligence and lack of police expertise about high-tech crime. Easily the lowest rated problem was competition with police departments over job applicants. ASIS Companies and ASIS Security Services companies were two to three times more likely to identify moderate or serious problems than were All U.S. Companies. 40

43 Table 5.3. Problem Areas in Company Relationships With Law Enforcement (percent indicating moderate or serious problem). Problem Areas All U.S. Companies ASIS Companies ASIS Security Services Inability to access criminal record information 10.6% 31.5% 31.3% Lack of police expertise about high-tech crime 8.7% 25.0% 19.4% Lack of police sharing of criminal intelligence 8.0% 27.4% 28.1% Lack of police interest in collaboration 6.0% 20.6% 17.5% Slow or non-response of police to alarms 4.9% 12.3% 15.6% Competition with police over job applicants 1.9% 9.6% 6.3% The Law Enforcement survey asked about the seriousness of similar problems. The figures below indicate the percent of law enforcement officials who rated each issue as a moderate or serious problem. Overall, few respondents rated the problems as very serious. Law enforcement respondents tended to rate the problems as somewhat more serious than did All U.S. Companies but less serious than ASIS Companies or ASIS Security Services companies. The most consistent single problem area across security and law enforcement respondents was the lack of expertise (on both sides) about high-tech crime. 15.7% lack of security expertise about high-tech crime 13.6% lack of security interest in collaboration 12.1% slow or non-response of security to alarms 9.7% lack of security sharing of intelligence 6.7% unwillingness of security to report crimes 1.5% competition with security over job applicants Figure 5.6 presents overall satisfaction ratings for All U.S. Companies, ASIS Companies, and ASIS Security Services companies regarding their relationships with law enforcement. As shown, the vast majority of all three groups of companies indicate that their relationships with law enforcement are satisfactory or very satisfactory. ASIS Companies are the most satisfied with their relationships with law enforcement, but even in the lowest scoring group, All U.S. Companies, over 70% report being satisfied or very satisfied. Figure 5.6. Overall Relationship With Law Enforcement: Percent Indicating Satisfactory or Very Satisfactory 100% 80% 60% 40% 20% 0% All U.S. Companies ASIS Companies ASIS Security Services 41

44 Satisfaction with relationships with law enforcement is fairly stable across different industry sectors, according to responses to the All U.S. Companies survey. The percent of respondents by sector indicating that their companies relationships with law enforcement were satisfactory or very satisfactory are presented below. Training of security personnel is an area of concern for law enforcement. 90.0% agriculture-mining-construction 79.1% transportation-communication-utilities 78.6% finance-insurance-real estate 75.0% wholesale-retail trade 69.5% services 69.3% manufacturing The Law Enforcement survey asked respondents how they would rate the overall operating relationship between their agency and private security in their jurisdiction. Good or excellent relationships with private security were reported by 87.8% of the law enforcement respondents, exceeding the satisfaction levels reported above by security respondents. These law enforcement respondents were also asked to rate private security performance on specific topics. The figures below indicate the percent of law enforcement respondents who rated private security performance as good or very good on each dimension. The only condition not rated as good or very good by a majority of law enforcement respondents was the training received by private security personnel. 86.1% reporting criminal incidents 78.5% responding to alarms 78.2% personal appearance in uniform 77.3% quality of personnel 72.9% reasonable use of force 68.3% proper use of weapons 58.3% supervision 54.1% pre-employment background checks 50.9% familiarity with legal powers 48.0% training received 5.5 Contacts with other entities (non-law enforcement). ASIS Security Services companies were also asked about the frequency of their contacts with other public safety and related types of organizations. Table 5.4 indicates the percent of these companies that have at least one contact per year with each type of entity, and the percent that report having six or more contacts per year. Perhaps not surprisingly, the most common contacts are with other security professionals and business leaders. The least frequent contacts are with emergency management officials and the military. 42

45 Table 5.4. Extent of Contact Between ASIS Security Services Companies and Other (Non-Law Enforcement) Entities. Section 6: Relationships With Other Business Units 6.1 Amount of security-related interaction with other company units. A longstanding issue in the security field is the relationship between the security function and other company functions. Table 6.1 summarizes responses from All U.S. Companies and ASIS Companies on this issue. The most obvious point is that respondents from ASIS Companies reported much more frequent security-related interactions with other business units. These companies were 5-6 times more likely to report frequent security-related interactions with facilities, risk management/ auditing, legal, and financial units, and 3-4 times more likely to report such interactions with human resources and operations, compared to All U.S. Companies. Both ASIS Companies and All U.S. Companies interacted most with human resources and had the least interation with Financial, Legal, and Risk Management/ Auditing Units. Table 6.1. Percent of Respondents Indicating Six (6) or More Security-Related Interactions Per Year With Other Company Units. All U.S. Companies ASIS Companies Human Resources Operations Facilities Risk Management/Auditing Legal Financial 25.0% 17.6% 12.6% 9.9% 9.4% 9.2% 71.8% 70.1% 72.5% 52.2% 53.7% 45.5% For All U.S. Companies, security-related interactions with human resources were most frequent, while less than 10% had six or more interactions per year with financial, legal, and risk management/ auditing units. For ASIS Companies, about 70% had six or more security-related interactions annually with facilities, human resources, and operations, while 50% had that frequency of interaction with legal, risk management/auditing, and financial units. 43

46 Section 7: Emerging Trends in Security The following section provides the reader with a comparison of these results to those of other recent studies to see if there are consistent findings. This comparison is useful in identifying possible trends and patterns which contribute to describing relationships of one (usually) or more variables (infrequent) over time. Trend, for purposes of this report, is used to describe any consistent pattern in the condition of the security industry as can be determined by similarities across a number of different studies. A trend is useful to better understand the subject under review as well as to estimate near- term future events. While the direction and path of a series of data points is usually thought of as a positive trend or negative trend, trends do not have to be linear. Of course, as is the case in any type of prediction, these are to some extent subjective assessments based upon findings from several similar studies and are only as good as the data that supports them. 7.1 The Security Industry Security Concerns: Workplace violence and violent crimes continue to be among the most significant concerns for over a quarter of ASIS Companies surveyed. These topics have dominated the literature for over a decade and continue to hold a place of importance, at least for ASIS members and their organizations. Conversely, identity theft, which is a popular media topic and an increasing law enforcement and security challenge, does not appear to be of any significant concern for many ASIS Companies or All U.S. Companies, although it did make the top three for companies in the Finance-Insurance-Real Estate sector. One possible explanation is that identity theft is targeted more at individuals than corporations. As would be expected, terrorism has moved to the top three concerns for ASIS Companies but interestingly it is of much less concern to All U.S. Companies. This would tend to suggest that the majority of U.S. organizations, especially small to medium size companies, do not view terrorism as an immediate threat to their day-to-day operations. However, what is of concern to All U.S. Companies is computer and network security, which could represent a growth industry for many of those companies providing these types of security services. The International Security Managers Association (ISMA), an organization for the most seniorlevel Global 200 and Fortune 500 corporate security executives, surveyed their membership in 2003 (300 + members with a response rate of 37%). These executives indicated that their top concerns were business continuity, employee safety, property crime, political unrest, and terrorism (Survey executive summary, 2003). This is consistent with the data from the ASIS Companies (which would include a much broader representation of members by size of organization, but not as representative as All U.S. Companies), which indicated property crime and terrorism as two of their concerns as well. A similar study conducted by Security in its 2003 Industry Forecast Study of 14,985 Security subscribers and other industry professionals (response rate of 5%) indicated that access control, computer/information security and property crime were their top three security concerns (Security, 2002). These findings are also consistent with the current study. Security Spending: 44 There is a trend toward increasing spending for the following types of security equipment by the majority of ASIS Companies and a smaller percentage of All U.S. Companies: Computer & Network Security Software Protection Systems, Intrusion Detection Systems (IDS), Closed Circuit Television (CCTV), Fire Protection Systems, Access Control Systems (Access Control and Electric/ Electromagnetic Locks), Security Lighting, Badging/ID Card Printers, Video Cameras, Safes & Vaults, Radio Communications, Digital Video Storage/Retrieval, and Web-Based Security Monitoring. These

47 represent growth areas for providers of these types of security equipment and according to respondents from the Finance/Insurance/Real Estate sector, they are much more likely to increase spending in these areas as compared to the other sectors. While these three sub-sectors were treated as one unit or sector for purposes of this survey they each represent different types of organizations with varied explanations as to why they are increasing their security spending on security equipment. The single most logical explanation that would apply to all three is that each have experienced significant growth over the decade of the 1990 s, and due to their physical expansion have recognized the need for new and improved physical security. The most frequently identified concern for All U.S. Companies was computer/network security while access control was cited most often by ASIS Companies suggesting a correlation between spending by these organizations and their top areas of concern. In a similar study by Security in its 2003 Industry Forecast Study (response rate 5%), the majority of respondents (52%) plan on spending less than $250,000 on security products and services. Approximately 36% plan on spending between $250,000 up to $1,000,000 and 12% plan on more than $1,000,000. This represents an increase in the security budget for 39% of the respondents with 44% remaining the same as the previous year. The top security purchases for these respondents were CCTV surveillance, Access Control and Video Cameras, all of which are consistent with the current study (Security, 2002). The ISMA study (2003) found that 68% of the respondents indicated that they expected additional funding for their security budgets. Of those responding, 77% expected an increase in domestic security with 52% expecting funding to be directed at physical security, and 26% on technology security spending (Survey executive summary, 2003). Given these projections this data would also suggest a trend toward an increase in physical and technology-related security spending. While the percentage increase is less than that for security equipment, both All U.S. Companies and ASIS Companies indicated that they would spend more on contract and proprietary security services. Contract security refers to services that are purchased from a firm outside the organization, generally for a rate per guard hour. Proprietary security is often referred to as in-house security because the security personnel are employees of the organization being protected. An interesting response by both of these sets of respondents is that they would prefer to increase spending on proprietary security personnel rather than contract security, which may suggest a difficult future for contract security. However, while this is the preference, often cost wins out and most companies realize that contract security is much more cost effective than proprietary. A case in point is the Transportation Security Agency (TSA) which took over airport security following 9/11 and converted a contract security system to an all proprietary security system with more than 55,000 airport security screeners as of Now, nearly four years later, they have begun to move back toward the use of contract security through their Screening Partnership Program which allows for contract security to be used in place of the TSA Federal Screeners. The area of computer & network security was listed as important to both All U.S. Companies and ASIS Companies, and the top security concern for All U.S. Companies. This finding is consistent with results from a 2001 IDC Research study which found that the global market for information security will reach $21 billion by the end of 2005 up from $6.7 billion as reported in the 2001 study. These services include: remote LAN, Internet, extranet/intranet, and wireless services. Small businesses are expected to account for the fastest-growing group of customers for information security services (Information security market growing, 2001). (Note: information regarding the research design and sampling frame for the IDC Research study were not available). 45

48 Similar studies such as the Information Security Industry Study, a 2001 study of 2,545 Information Security Professionals from North America, Europe, and the Far East indicate healthy increases in information security budgets for: Financial Sector, Insurance Companies, and Manufacturers. These three sectors indicate that 54% of respondents experienced an increase in budgets from FY2000 to 2001 (Briney, 2001). Additionally, in a 2001 study by Porter Research of Atlanta of the Healthcare Sector (based on a survey of 100 Healthcare IT personnel) the chief decision maker on security IT purchases was the Chief Information Officer followed by the Chief Financial Officer, and the Chief Executive Officer. Respondents indicated that they currently use antivirus software (100% of respondents), firewalls (96%), virtual private networks (83%), encryption technology (65%), and intrusion detection technology (60%). The top three criteria for selecting IT security vendors were: 1.) Vendor s Technical Knowledge, 2.) Service Reputation, and 3.) Integration Ability and Experience. The respondents from this study indicate the top three security systems to be purchased included: public key infrastructure, password security/single sign on and wireless security (Porter, 2002). Security Services: The trend is that ASIS Security Services companies tend to tailor their businesses to the needs of larger customers and subsequently have not focused on the majority of companies in the United States. Therefore, this is a potentially untapped market for providers of security services for medium to small organizations, which make up the majority of companies needing security-related products and services. The trend by ASIS Security Services providers is toward spending more on advertising and marketing and to expand the services and products they currently provide. Based upon the responses of this study, these service providers may want to consider intrusion detection systems (IDS), video cameras, and digital video storage and retrieval systems as new areas to either expand into or increase current efforts. Moreover, when ASIS Security Services were asked about anticipated industry sector growth over the next five years they tended to focus on Healthcare, Construction and Government (Non- Military). However, responses from All U.S. Companies suggested that the greatest growth in security spending will most likely occur in the Finance, Insurance and Real Estate sector. These service providers may want to consider re-examining their marketing strategy and providing a more targeted approach to this sector which is expected to experience the greatest growth for security services and products. 7.2 Impacts of 9/11 The data indicate that ASIS Companies were able to respond much more quickly to the events of 9/11 and assess the full impact of this event, as opposed to All U.S. Companies that often did not have full-time personnel responsible for security and, therefore, were more likely to be delayed in determining to what extent their organization was affected by 9/11. Therefore, it is not surprising to find that ASIS Companies tended to report an increase in security spending following the terrorist attacks because they had personnel dedicated to security and access to budgets that could be directed towards these efforts. Those sectors reporting the greatest impact were Finance, Insurance/ Real Estate, Transportation, Communications, and Utilities. The most significant outcome from this will be the changes made in the Insurance sector which will experience a movement toward the pricing of terrorism risk. The trend will be toward the development of a system of pricing risks related to terrorism that involves modeling of patterns and risks of terrorist attacks, similar to what is now done for national disasters. There is already movement toward this system in Europe. 46

49 According to a study commissioned by Lloyd s of London and conducted by Harris Interactive of U.S. chief financial officers (no information on sample size or response rates provided), 66% of respondents believed their companies domestic assets were more of a target for terrorism than their assets overseas. The majority (64%) of respondents also indicated they had little or no confidence in the insurance industry s ability to provide a comprehensive package to protect against any future terrorist attacks. Prior to 9/11, the U.S. accounted for as little as 1% of the typical terrorism insurer s book of business, but following the attacks, North America accounted for 80% of Lloyd s terrorism business (Taub, 2002). According to a similar study by RIMS: Risk and Insurance Management Society and Ernst & Young (2000) of risk management executives at 837 organizations in the U.S. and Canada, company outlays for insurance, retained losses, and risk management administration & services were at a 10 year low in Following 9/11, this was reversed when losses were estimated to exceed $70 billion (Katz, 2001). Some of the initial changes were that 26% of respondents had installed Enterprise Risk Management (ERM), a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (Applying COSO s enterprise risk management- Integrated framework, 2004), and that 38% were taking steps to develop one, which would suggest a trend toward the purchase of these types of systems (Katz, 2001). In a similar 2002 annual study by Network World of 500 IT executives at companies with 1,000 or more employees, IT security spending was described to be at a minimum and there was a perceived over-reliance on third-party service providers resulting in many of the organizations surveyed re-evaluating their business continuity strategies. A number of these IT executives representing corporations such as Eastman Chemical and Krispy Crème Doughnut were evaluating their business continuity planning. In particular CNF Inc., a Palo Alto, California, based company, a $4.9 billon provider of global supply chain services, had put aside a portion of their IT budget to build an emergency operations center about 25 miles away from its main campus in Portland, Oregon, to be utilized in the event of a disaster such as fire or power outage. They were also working with another Fortune 500 Company to create a reciprocal agreement in case one firm suffers a fire or a facility-specific disaster so that they would be able to move people and operations to the other s facilities (Hoffman, 2002). This study suggests a trend for companies either developing new business continuity plans or needing to improve upon the current plan, which in turn could result in a growth area for providers of business continuity services and for those companies providing emergency operations center resources and facilities. In the 2003 Industry Forecast Study, completed by Security, respondents indicated that following 9/11 the greatest changes in the companies operations were to re-evaluate security programs (71%), upgrade existing security systems (39%), purchase new systems (33%), increase contract and proprietary security staff (20%), and established a new security program (18%). The respondents (60%) also indicated that 9/11 is likely to continue to influence their business, resulting in spending on electronic security (69%), increasing their security budget (43%), and increasing their security staff (20%) (Security, 2002). While some of these findings are consistent with those from the current study, the low response rate (4%) in the Industry Forecast Study limits the ability to use this data for comparison or to generalize to the larger population. The ISMA also found that there was a shift following 9/11 from a focus on traditional security concerns to an increased emphasis on threats that have the potential of seriously undermining the ability of a company to protect its employees and continue to do business. While 35% already had a biological/chemical/nuclear contamination plan in place, 39% of the respondents indicated they have since initiated such a plan. One-third (33%) of the respondents also indicated they have implemented or updated their evacuation plans, crisis communications, travel security, hazmat, and executive protection plans (Survey executive summary, 2003). 47

50 Following 9/11, the air transportation system was shut down for four days and the Port Authority of New York and New Jersey closed its operations for two days. The U.S. transportation system was subject to severe disruptions resulting from the tightening of security at our borders with the most severe disruption occurring between the U.S. and Canada land border where, on average, half a million vehicles and $1.4 billion in trade occur daily. The impact was reversed within six months of the attacks resulting in a minimal increase in shipping costs. Maritime shipping rates increased by 5 to 10 percent on average immediately following the attack, but have since returned to rates in place prior to 9/11. Airfreight rates, however, increased by about 10% and did not return to pre-9/11 levels, as was the case in most of the other transportation areas, which may suggest that there were other costs associated with air transportation that increased (Lenain, Bonturi, & Koen, 2002). Another possible trend, due to the impact on transportation, would be that companies would hold larger inventories as a precaution against possible disruptions in the supply chain. While this is not likely a trend across the Overnight Delivery Services (ODS) sector, it is interesting to note that FedEx is the only major ODS that has become a member of the Federal Bureau of Investigation s Joint Terrorism Task Force after forming a 10-man sworn police force (Fields, 2003). They have positioned themselves in quite a unique place to have access to information that their competitors will not have, giving them a competitive advantage over other overnight delivery services. It will be interesting to see if others try to develop similar programs or, in time, if FedEx eliminates its police force due to cost and issues of liability. 7.3 Impacts of Legislation The current study indicates that while recent legislation has significantly affected security operations in most organizations, companies fail to provide adequate funding to support compliance. The likely result could be increased fines by the federal government and a rise in legal fees to defend and respond to legal cases relating to an organization s failure to implement appropriate policies and procedures. Both ASIS Companies and All U.S. Companies rated the Sarbanes-Oxley Act of 2002 as the second most important legislation having a moderate or major impact on their organization. The Act requires public companies to disclose more financial information, holds corporate directors/officers more accountable for the accuracy of disclosures, and requires top officers to assess and certify the effectiveness of the internal controls they use for financial reporting. However, it would appear that most corporations are not in full compliance and lack adequate funding and resources to become compliant. In a study by Tillinghast-Towers Perrin, a risk management firm of finance chiefs at life insurance companies (30 Life Insurance CFO s responding, sample size not provided), 53% of these CFO s are anticipating the additional costs associated with compliance of the Sarbanes-Oxley Act by putting a charge into their companies ERM efforts (Katz, 2003). This is also consistent with a study by Gartner, Inc., in which they surveyed companies publicly traded on the U.S. stock exchanges (sample size not provided), and found that 85% of the respondents (n=75) indicated they do not have a defined budget to finance the changes called for by the Sarbanes-Oxley Act. This study identifies the total estimated costs for implementation of the act to vary among companies, depending on size and complexity, from $15,000 to $4 million and respondents also found that on average a company with $1 billion in revenue can expect to pay about $2 million in consulting, internal and external auditing, personnel, insurance and software (Lee, 2003). This would suggest a growth opportunity for those companies providing the Sarbanes-Oxley Act and other legislative compliance and implementation services. For example, there are a number of companies providing so-called Sarbanes-Oxley compliance software. These products consist mostly of business process management applications which are based on a standard framework that the Committee of Sponsoring Organization, a group of public-accounting firms, developed to provide the processes needed to monitor, evaluate, and report on internatinoal reporting controls, including the policies and procedures that ensure that management directives are implemented (Marlin, 2003). 48

51 7.4 Information Security Both ASIS Companies and All U.S. Companies were asked about the types of information security projects they planned to implement during the upcoming year and based upon these responses, providers of information security services and products can expect increased demand for products that provide enhanced spam control and software that strengthens the network perimeter. While ASIS Companies were more likely to be planning to implement each type of information security project over the next year, focus on these two areas would cover the greatest number of users. There is also consensus by both ASIS and All U.S. respondents that they are most concerned about Viruses, Trojan Horses and Worms as an outside or external threat and products that provide protection against these types of attacks would be of most interest to these users. These findings are consistent with similar studies such as the 2001 Information Security Industry Study which indicated that the top three security concerns were insider theft and sabotage along with a doubling of external hacks and a 33% rise in buffer-overflow attacks. Nearly all respondents (90%) reported Viruses/Trojans/Worms. The result is increased spending for the following computer security systems: public key infrastructure, password security/single sign on, and wireless security (Briney, 2001). Insider attacks were the greatest threat to organizations in 2000 but fell slightly to external threats from hackers as illustrated by the 2003 CSI/FBI Computer Crime and Security Survey. As illustrated by Figure 7.1, companies have more to fear from their own employees as well as external hackers than from either U.S. or foreign competitors. The data indicate that employees and hackers represented the greatest information and computer security threats to organizations over a four year period (Reason, 2003). Figure 7.1 Percentage of internal and external attacks by type of attacker Employees U.S. Competitors Hackers Foreign Competitors 49

52 According to a 2001 survey of 174 information technology (IT) managers performed by Computerworld and J.P. Morgan Securities, Inc., (response rates not provided), the majority of respondents (53%) plan on spending more on security. Companies with more than $500 million in revenues will spend, on average, 11% of their budget towards security-related investments. The IT respondents indicated that they planned to purchase Secure Sockets Layer Products, Antivirus Software, Virtual Private Networks, Intrusion Detection Tools and Firewall Software (King, 2001). Again, this is consistent with the current study which projects spending on information security in all of the following areas by both ASIS Companies and All U.S. Companies: spam, strengthening the network perimeter to prevent external intrusions, messaging/ security, security and availability for web site and/or e-commerce operations, preventing employees/insiders from abusing rights, securing remote access for traveling employees/ telecommuters/remote offices, inappropriate web surfing, centralized management/correlation of security policy/controls/alert data. This supports the trend that information security continues to be an area of concern and that a significant percentage of security budgets will be dedicated to supporting these initiatives within organizations. While spending on information security has been consistent for ASIS Companies the interesting trend from this study is that, according to responses from All U.S. Companies, this appears to be a growth area for security spending. 50

53 References Applying COSO s enterprise risk management- Integrated framework (2004, September 29). Retrieved June 14, 2004 from Briney, A. (2001, October) industry survey [Magazine Source]. Information Security, Fields, G. (2003, October 09). FedEx takes direct approach to terrorism. Wall Street Journal. Hoffman, T. (2002). Economy caps security spending. Computerworld, 36(37), 48. Information security market growing (2001). Retrieved April 22, 2004 from reshome.jsp;jsessionid=lbg4sormhyxswcqjaficffakbeaumiwd Katz, D. M. (2001, December 12). Cost of mitigating risk fell last year, survey says. Retrieved December, from Katz, D. M. (2003, February 05). Sarbanes-Oxley spurs ERM. Retrieved December 22, 2003 from King, J. (2001). Survey: Security technology gets bigger slice of IT budgets. Computerworld, 35(47), 8. Lee, R. (2003, November). Study finds many firms not budgeting for increased compliance costs. [Newspaper Source]. The Advocate (Stamford, CT). Lenain, P., Bonturi, M. & Koen, V. (2002, June). Security and the economy: Transportation. Retrieved June 14, 2005 from Marlin, S. (2003, October 06). Absolutely accountable. Retrieved December 22, 2003 from Porter, W. (2002). Fertile fields. Retrieved December 23, 2003 from Reason, T. (2003, September 01). Stopping the flow. Retrieved December 22, 2003 from Security: 2003 Industry forecast study. Business News Publishing (2002). Survey executive summary. (2003). Retrieved December 23, 2003 from Taub, S. (2002, April 16). Reversal of fortune: Terror risk comes home. Retrieved December 23, 2003 from 51

54 ASIS Foundation Board of Trustees 2005 President Michael R. Cummings, CPP Aurora Health Care Milwaukee, WI Vice President Peter J. Mazzaroni, CPP Roche Carolina Florence, SC Secretary/Treasurer Loretta Woodward Veney, CPP Superior Training Solutions Clinton, MD Linda F. Florence, CPP Soaring Eagle Enterprises Las Vegas, NV Timothy L. Williams, CPP Nortel Networks Brentwood, TN 52

55 ASIS Foundation Board of Trustees 2004 President Bonnie S. Michelman, CPP Massachusetts General Hospital Boston, MA Vice President David J. Gibbs, CPP On Line Consulting Services Okland, CA Secretary/Treasurer Allan R. Wick, CPP Preventure Security Acworth, GA Douglas J. Blaine, Sr Penn Services Exton, PA Albert S. Bueno General Information Services Chapin, SC Michael R. Cummings, CPP Aurora Health Care Milwaukee, WI Forrest P. Franklin, CPP The Focus Group Carson City, NV Professor Martin L. Gill Perpetuity Research & Consultancy International Leicester, United Kingdom Timothy L. Williams, CPP Nortel Networks Brentwood, TN

56 1625 Prince Street Alexandria, VA USA Fax: