OCR of the Document

View the Document >>

International City/County Management Association and the University of Maryland Baltimore County, “Cybersecurity 2016 Survey: Summary Report of Survey Results,” 2016. Not classified.

Cybersecurity 2016 Survey Summary Report of Survey Results Introduction In 2016 the International City County Management Association ICMA in partnership with the University of Maryland Baltimore County UMBC conducted a survey to better understand local government cybersecurity practices The results of this survey provide insights into the cybersecurity issues faced by U S local governments including what their capacities are what kind of barriers they face and what type of support they have to implement cybersecurity programs Methodology The survey was sent on paper via postal mail to the chief information officers of 3 423 U S local governments with populations of 25 000 or greater An online submission option was also made available to survey recipients Responses were received from 411 of the governments surveyed yielding a response rate of 12% Cities were overrepresented among respondents while counties were underrepresented Similarly higher percentage of responses received from larger communities compared to smaller communities Further jurisdictions in the Mountain region of the U S were overrepresented while jurisdictions in the Mid-Atlantic and East South-Central regions were underrepresented The following report reflects trends among the unweighted survey responses and should only be considered to be representative of the responding governments Weighting should be applied to achieve representation of the broader survey population Cybersecurity 2016 Survey Total Population Size Over 1 000 000 500 000 - 1 000 000 250 000 - 499 999 100 000 - 249 999 50 000 - 99 999 25 000 - 49 999 Geographic Division New England Mid-Atlantic East North-Central West North-Central South Atlantic East South-Central West South-Central Mountain Pacific Coast Type of Government Municipalities Counties Number Surveyed Number Responding Response Rate 3423 411 12 0% 42 98 168 532 939 1644 11 20 26 63 108 183 26 2% 20 4% 15 5% 11 8% 11 5% 11 1% 183 391 782 266 541 253 354 220 433 23 23 94 26 79 20 41 48 57 12 6% 5 9% 12 0% 9 8% 14 6% 7 9% 11 6% 21 8% 13 2% 1893 1530 267 144 14 1% 9 4% Page 1 of 12 Survey Highlights This survey provides insight into the cybersecurity practices among local governments in the U S Key topics explored include which departments are responsible for cybersecurity awareness of and support for cybersecurity what barriers local governments face to achieve higher levels of cybersecurity and what cybersecurity practices and tools local governments are using Highlights from the data are outlined below and responses to survey questions are summarized in the appendix Information Technology and Cybersecurity Primary responsibility for cybersecurity is located within the information technology IT departments in most of the responding local governments Only 1% of the responding local governments have a stand-alone cybersecurity department or unit Where is the primary responsibility for cybersecurity located in your local government’s organization 1% 3% 2% 5% Within IT department or related unit Within the elected chief executive ’s office Within the top appointed manager ’s office Stand-alone cybersecurity department or unit 89% Other department unit or office Most of the responding local governments do not outsource cybersecurity functions 61 8% For the ones that outsource 38 1% the contractors mostly report to the IT department 50 3% Does your local government outsource any of its cybersecurity functions 8 2% If outsourced to what office or official in your local government does the contractor s to whom you outsource cybersecurity report fully outsource 50 3% IT Department 32 0% CIO or IT Director 13 1% Other Department do not outsource 61 8% partially outsource 29 9% Top Appointed Manager’s Office 13 1% 9 8% Chief Information Security Officer Elected Chief Executive’s Office Chief Technology Officer 0% 4 6% 2 6% 10% 20% 30% 40% 50% 60% Cybersecurity Awareness Support Among the responding local governments a significant percentage of top appointed managers 61 7% and department managers 42 5% were either moderately or exceptionally aware of cybersecurity issues How would you rate the cybersecurity awareness of each of the following in your local government Top appointed manager Department managers Average end user Elected executive Staff of elected councilors commissioners etc Elected councilors commissioners etc Staff of local judiciary Local judges Average citizen 0% Exceptionally aware 10% Moderately aware 20% 30% 40% Somewhat aware 50% 60% Slightly aware 70% 80% Not aware 90% 100% Don’t know Page 2 of 12 More than half of top appointed managers 53 8% provide either strong or full support for cybersecurity while one-third of the elected executives 35 6% and department managers 33 3% provide either strong or full support How would you rate the amount of support that cybersecurity receives in your local government from each of the following Top appointed manager Elected executive Department managers Staff of elected councilors commissioners etc Elected councilors commissioners etc Average end user Local judges Staff of local judiciary Other Average citizen 0% Full support 10% 20% Strong support 30% 40% 50% Moderate support 60% Limited support 70% 80% No support 90% 100% Don’t know Barriers Inability to pay competitive salaries for cybersecurity personnel 58 3% insufficient number of cybersecurity staff 53 0% and lack of funds 52 3% were identified by responding local governments as severe or somewhat severe barriers to achieving the highest possible level of cybersecurity To what extent is each of the following a barrier for your local government to achieve the highest possible level of cybersecurity Inability to pay competitive salaries for cybersecurity personnel Insufficient number of cybersecurity staff Lack of funds Lack of adequately trained cybersecurity personnel in my local government Lack of end user accountability 0% Severe barrier 10% Somewhat severe barrier 20% 30% Modest barrier 40% 50% 60% Small barrier 70% 80% Not a barrier 90% 100% Don’t know Page 3 of 12 Cybersecurity Practices Policies and Tools A significant proportion of responding local governments developed rule s regarding how passwords can be made 77 4% a requirement for end users to change passwords periodically 77 1% and a formal policy governing the use of personally-owned devices by governmental officials and employees 61 8% Has your local government developed any of the following Formal written rule s regarding how passwords can be made 77 40% Formal written requirement for end users to change passwords periodically 77 10% Formal written policy governing the use of personally-owned devices by governmental officials and employees 61 80% 47 70% Formal written cybersecurity policy standards strategy or plan Formal written cybersecurity standards for contracts with vendors for cloud 35 70% Formal written plan for recovery from breaches 33 70% Formal written cybersecurity risk management plan 33 10% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Yes As a follow-up respondents rated the following three cybersecurity measures as the most effective ones formal requirement for end users to change passwords periodically formal rule s regarding how passwords can be made and formal policy governing the use of personally-owned devices by government officials and employees If your local goverment developed any of the following how would you rate the effectiveness of each Formal written requirement for end users to change passwords periodically Formal written rule s regarding how passwords can be made Formal written policy governing the use of personally-owned devices by governmental officials and employees Formal written cybersecurity standards for contracts with vendors for cloud-based services Formal written plan for recovery from breaches Formal written cybersecurity risk management plan Formal written cybersecurity policy standards strategy or plan 0% 20% Very high 40% High 60% Average 80% Low 100% Very low Page 4 of 12 Other local governments 42 5% vendors 40 8% and the FBI 40 1% were rated as extremely or very important by the responding local governments in terms of learning about cybersecurity problems and best practices Other local governments were rated more important among counties compared to municipalities in learning about problems and best practices Please rate the following in terms of their relative importance to your local government’s cybersecurity staff for learning about cybersecurity problems and best practices Other local governments Vendors FBI NIST CERT 0% Extremely important 10% Very important 20% 30% Moderately important 40% 50% 60% Slightly important 70% 80% 90% 100% Don’t know Not at all important Greater funding for cybersecurity better cybersecurity policies and greater cybersecurity awareness among local government employees were rated as the most important things to ensure the highest level of cybersecurity among responding local governments whereas consolidation of numerous IT networks systems was rated as the least important one Top 3 things that local governments need most to ensure the highest level of cybersecurity 1 02 Greater funding for cybersecurity 0 77 Better cybersecurity policies Greater cybersecurity awareness among local government employees 0 71 0 00 0 20 0 40 0 60 0 80 1 00 1 20 Average ranking Top 3 things that local governments need the least to ensure the highest level of cybersecurity 0 10 Greater support from department managers for cybersecurity 0 06 Greater support from top appointed officials or cybersecurity Consolidation of our numerous IT networks systems 0 00 0 03 0 02 0 04 0 06 0 08 0 10 0 12 Average ranking Page 5 of 12 Appendix Summary of Survey Results1 Where is the primary responsibility for cybersecurity located in your local government’s organization Please select one n 400 a Within the information technology department or related unit 89% b Within the elected chief executive’s office e g mayor county executive 2% c Within the top appointed manager’s office e g city or county manager or administrator 3% d Stand-alone cybersecurity department or unit 1% e Other department unit or office 5% Does your local government outsource any of its cybersecurity functions n 401 Yes we fully outsource cybersecurity 8 2% Yes we partially outsource cybersecurity 29 9% No we do not outsource cybersecurity 61 8% If yes to what office or official in your local government does the contractor s to whom you outsource cybersecurity report Select all that apply n 153 Information Technology Department 50 3% Chief Information Officer or Information Technology Director 32 0% Chief Information Security Officer 9 8% Chief Technology Officer 2 6% The elected chief executive’s office e g mayor county executive 4 6% The top appointed manager’s office e g city or county manager or administrator 13 1% Other department unit or office 13 1% See full dataset for open-ended responses for “Other department unit or office” option For the purposes of this survey we use the following terms attack security incident or incident and data breach or breach We define attack as an attempt by any party to gain unauthorized access to any component of your local government’s information technology system for the purpose of causing mischief or doing harm We use Verizon’s definitions of incident and breach 2015 Data Breach Investigations Report According to Verizon an incident is “Any event that compromises the confidentiality integrity or availability of an information asset ” A breach is “An incident that resulted in confirmed disclosure not just exposure to an unauthorized party ” Does your local government catalogue and count attacks incidents and breaches a Attacks n 377 b Incidents n 377 Yes 46 4% No 53 6% Yes 58 1% No 41 9% c Breaches n 373 Yes 60 1% No 39 9% If you answered yes to any of the options above please indicate whether your local government employs a formal system of cybersecurity management or if you catalogue and count the attacks incidents and breaches informally Please select all that apply n 244 Formal system Please name or describe the formal system 31 1% We do this informally Please briefly describe how you do this 66 4% How frequently is your local government’s information system subject to attacks incidents and breaches Please select one from each column a Attacks n 366 b Incidents n 367 c Breaches n 363 Hourly or more 26 0% Hourly or more 4 1% Hourly or more 2 8% At least once a day 18 0% At least once a day 4 9% At least once a day 2 2% At least once a week 7 7% At least once a week 5 7% At least once a week 1 1% At least once a month 6 6% At least once a month 10 4% At least once a month 0 8% At least once a quarter 4 6% At least once a quarter 13 4% At least once a quarter 3 3% At least once annually 3 8% At least once annually 16 3% At least once annually 14 0% Other 5 7% Other 15 5% Other 34 7% Don’t know 27 6% Don’t know 29 7% Don’t know 41 0% Certain questions were removed from the published report due to sensitivity and relevance to local government officials If you are interested in additional information please contact ICMA Survey Research at surveyresarch@icma org 1 Page 6 of 12 In the past 12 months has your local government’s information system experienced more less or about the same number of attacks incidents and breaches A lot fewer Fewer Same More A lot more Don’t know a Attacks n 368 3 8% 3 8% 34 2% 22 0% 10 3% 25 8% b Incidents n 365 4 7% 8 5% 41 1% 14 8% 3 3% 27 7% c Breaches n 363 8 0% 5 2% 45 7% 3 9% 1 7% 35 5% What percentage of attacks against your system in the past 12 months were initiated internally that is by employees or other persons from within your local government versus externally from outside your local government Combined internal and external total should equal 100% n 332 Average Internal Average External Don't know No % No % No % 226 11 24% 226 88 76% 106 31 9% What percentage of the breaches experienced by your local government in the past 12 months occurred because end users fell victim to a phishing or spearphishing attack and opened urls or attachments that contained malware n 371 No breaches N A No 167 % of n 45 0% Percentage known No % of n 128 34 5% Don’t know No 76 % of n 20 5% Average percentage reported 65 2% n 128 Is your local government able to determine the types of attackers that attack your system n 368 Yes can determine 41 8% No cannot determine 58 2% If yes please give the approximate percentage of total attacks in the past 12 months that were initiated by each type of attacker Combined total should equal 100% n 113 a Malicious insiders n 110 Mean Median Minimum Maximum 1 2% 0 0% 0 0% 40 0% b External actors - individuals n 109 Mean Median Minimum Maximum 34 8% 25 0% 0 0% 100 0% c External actors - organizations n 109 Mean Median Minimum Maximum 35 7% 25 0% 0 0% 100 0% d State actors - national governments n 109 Mean 11 2% Median 0 0% Minimum 0 0% Maximum 90 0% e Other n 112 Mean Median Minimum Maximum 14 0% 0 0% 0 0% 100 0% Page 7 of 12 If you know or can estimate the purposes of the attacks that your local government experienced in the past 12 months i e what the attackers were after please give the approximate percentage of total attacks for each category Combined total should equal 100% n 107 a Private sensitive confidential info n 103 Mean Median Minimum Maximum 12 4% 0 0% 0 0% 100 0% b Confidential records Mean 1 8% Median 0 0% n 103 Minimum 0 0% Maximum 25 0% c Employee records n 103 Mean 3 5% Median 0 0% Minimum 0 0% Maximum 100 0% d Customer citizen records n 103 Mean Median Minimum 2 5% 0 0% 0 0% e Theft of money n 103 Maximum 50 0% Mean Median Minimum Maximum 8 8% 0 0% 0 0% 100 0% f Terror n 103 Mean Median Minimum Maximum 0 1% 0 0% 0 0% 10 0% g Espionage - nation state industrial n 103 Mean 0 6% Median 0 0% Minimum 0 0% Maximum 30 0% h Hacktivism - i e Anonymous-group n 103 Mean Median Minimum Maximum 10 9% 0 0% 0 0% 100 0% i Mischief n 103 Mean Median Minimum Maximum 16 1% 0 0% 0 0% 100 0% Minimum 0 0% Maximum 5 0% j Revenge n 103 Mean 0 1% Median 0 0% k Ransom n 103 Mean Median Minimum Maximum 32 0% 10 0% 0 0% 100 0% l Other n 106 Mean Median Minimum Maximum 9 0% 0 0% 0 0% 100 0% Page 8 of 12 How would you rate the cybersecurity awareness of each of the following in your local government n Not aware Slightly aware Somewhat aware Moderately aware Exceptionally aware a Department managers 362 2 5% 19 1% 32 3% 33 7% 8 8% 3 6% b Elected executive if your local government has one 313 7 7% 20 1% 26 2% 24 6% 7 7% 13 7% c Elected councilors commissioners etc d Staff of elected councilors commissioners etc 359 324 9 7% 7 1% 30 9% 24 1% 26 5% 26 2% 20 9% 24 4% 4 7% 6 2% 7 2% 12 0% e Top appointed manager if your local government has one f Local judges if judiciary is part of your local government g Staff of local judiciary if judiciary is part of your local government h The average end user 342 271 2 9% 6 3% 11 1% 19 9% 19 0% 18 5% 42 7% 14 8% 19 0% 3 7% 5 3% 36 9% 269 6 3% 16 0% 20 4% 17 5% 4 5% 35 3% 361 5 0% 23 8% 33 2% 29 1% 5 0% 3 9% i The average citizen 357 10 6% 36 1% 24 4% 7 6% 0 8% 20 4% j Other 94 6 4% 7 4% 7 4% 3 2% 6 4% 69 1% Local Government Unit Citizens Don’t know How would you rate the amount of support that cybersecurity receives in your local government from each of the following n No support Limited support Moderate support Strong support Full support a Department managers 354 4 2% 22 6% 34 7% 21 2% 12 1% 5 1% b Elected executive if your local government has one 284 5 3% 19 7% 26 1% 16 2% 19 4% 13 4% c Elected councilors commissioners etc 349 6 3% 25 5% 28 4% 14 3% 16 0% 9 5% d Staff of elected councilors commissioners etc e Top appointed manager if your local government has one 305 329 7 2% 3 3% 21 6% 12 5% 26 6% 23 7% 15 1% 25 8% 15 7% 28 0% 13 8% 6 7% f Local judges if judiciary is part of your local government g Staff of local judiciary if judiciary is part of your local government 256 253 9 0% 8 3% 17 2% 17 4% 19 9% 20 9% 10 2% 10 3% 8 6% 8 3% 35 2% 34 8% h The average end user i The average citizen 351 341 6 8% 18 5% 28 2% 24 6% 36 8% 16 7% 16 0% 5 0% 6 0% 2 3% 6 3% 32 8% j Other 66 9 1% 3 0% 6 1% 6 1% 10 6% 65 2% Local Government Unit Citizens Don’t know How frequently does your local government take any of the following actions to improve its cybersecurity practice n Never At least monthly At least quarterly At least annually At least every 2 years Don’t know a Scanning and testing 351 7 4% 38 2% 19 4% 19 9% 10 0% 5 1% b Risk assessment 352 13 4% 9 9% 12 5% 40 9% 16 2% 7 1% c Technical security review 351 12 0% 8 5% 16 8% 38 2% 16 5% 8 0% d Cybersecurity exercises 348 40 8% 3 7% 6 3% 25 0% 12 4% 11 8% e Audit of our cybersecurity practices 345 26 7% 2 6% 5 5% 38 6% 17 7% 9 0% f Forensic services after incidents or breaches leave blank if no incidents or breaches 217 42 9% 8 8% 6 9% 17 5% 3 2% 20 7% g Cybersecurity staff training 349 20 9% 8 6% 10 3% 40 1% 12 0% 8 0% h End user training 346 29 5% 5 8% 9 5% 33 5% 11 8% 9 8% 350 31 7% 3 1% 10 0% 35 1% 10 9% 9 1% 347 50 1% 2 6% 3 2% 21 3% 8 9% 13 8% 347 23 3% 10 7% 10 1% 37 5% 11 0% 7 5% 339 25 1% 11 5% 13 0% 33 9% 7 1% 9 4% m Cybersecurity awareness training for citizens 339 71 4% 1 2% 0 3% 5 0% 1 5% 20 6% n Cybersecurity awareness training for contractors 341 61 9% 2 6% 1 8% 11 7% 2 1% 19 9% o Other 45 26 7% 0 0% 2 2% 4 4% 4 4% 62 2% Action i Cybersecurity awareness training for local government employees j Cybersecurity awareness training for local government elected officials k Cybersecurity awareness training for local government information technology personnel not including cybersecurity personnel l Cybersecurity awareness training for local government cybersecurity personnel Page 9 of 12 To what extent is each of the following a barrier for your local government to achieve the highest possible level of cybersecurity n Not a barrier Small barrier Modest barrier Somewhat severe barrier Severe barrier Don’t know a Lack of funds 348 7 5% 9 5% 27 9% 18 1% 34 2% 2 9% b Lack of support from top elected officials 345 36 8% 21 2% 20 0% 7 0% 6 7% 8 4% c Lack of support from top appointed officials 334 41 6% 20 7% 16 5% 8 1% 5 1% 8 1% d Lack of support from department managers 345 38 0% 23 5% 20 9% 9 6% 4 1% 4 1% e Lack of availability of trained cybersecurity personnel to hire 345 20 6% 15 1% 21 7% 15 7% 15 7% 11 3% f Inability to pay competitive salaries for cybersecurity personnel 343 10 5% 9 9% 12 2% 21 0% 37 3% 9 0% g Insufficient number of cybersecurity staff 342 8 8% 11 4% 21 3% 17 3% 35 7% 5 6% h Lack of adequately trained cybersecurity personnel in my local government 342 11 7% 13 7% 23 1% 19 6% 26 9% 5 0% i Lack of adequate cybersecurity awareness in organization 341 10 6% 24 3% 31 4% 16 7% 14 1% 2 9% j The federated nature of local government separation of powers executive legislative judicial 333 41 7% 13 8% 12 9% 8 4% 9 0% 14 1% k No end user training at all 340 32 6% 17 9% 20 0% 13 5% 12 1% 3 8% l Some but insufficient end user training 333 22 5% 24 9% 27 6% 11 4% 8 1% 5 4% m Lack of end user accountability 342 14 0% 21 6% 23 4% 20 5% 17 0% 3 5% n Too many IT networks systems within my local government 341 43 7% 1 17% 12 9% 9 4% 7 0% 5 0% o Other 31 22 6% 6 5% 6 5% 6 5% 9 7% 48 4% Barrier Has your local government developed any of the following Policy Plan Standard Rule n No not developed Yes developed a Formal written cybersecurity policy standards strategy or plan 346 52 3% 47 7% b Formal written cybersecurity risk management plan 344 66 9% 33 1% c Formal written plan for recovery from breaches 341 66 3% 33 7% d Formal written rule s regarding how passwords can be made e g strength length permitted characters etc e Formal written requirement for end users to change passwords periodically 349 22 6% 77 4% 349 22 9% 77 1% f Formal written policy governing the use of personally-owned devices by governmental officials and employees g Formal written cybersecurity standards for contracts with vendors for cloud-based services 346 38 2% 61 8% 339 64 3% 35 7% If so how would you rate the effectiveness of each Policy Plan Standard Rule n Very low Low Average High Very high a Formal written cybersecurity policy standards strategy or plan 151 13 2% 17 9% 46 4% 17 2% 5 3% b Formal written cybersecurity risk management plan 103 14 6% 16 5% 44 7% 19 4% 4 9% c Formal written plan for recovery from breaches 106 14 2% 14 2% 44 3% 21 7% 5 7% d Formal written rule s regarding how passwords can be made e g strength length permitted characters etc e Formal written requirement for end users to change passwords periodically f Formal written policy governing the use of personally-owned devices by governmental officials and employees g Formal written cybersecurity standards for contracts with vendors for cloud-based services 246 6 9% 5 3% 32 1% 37 4% 18 3% 248 6 0% 5 6% 29 0% 37 1% 22 2% 190 10 0% 11 1% 38 9% 29 5% 10 5% 112 14 3% 9 8% 41 1% 25 0% 9 8% Page 10 of 12 How does your local government evaluate risk and security when purchasing Software-as-a-Service SaaS or Cloud applications n 335 a We use the Cloud Control Matrix from the Cloud Security Alliance 2 4% b We use NIST recommendations from Special Publication 800-144 13 1% c We develop our own security and risk procedures for cloud 24 2% d We rely upon contracts to shift the responsibility and risk to the cloud vendor 47 5% e Not Applicable we do not purchase SaaS applications 24 8% f Other 5 4% How has your local government’s annual cybersecurity investment in any of the following changed over the past 5 years n Decreased greatly Decreased slightly About the same Increased slightly Increased greatly Don’t know a Investment in technology hardware software etc 347 2 3% 4 3% 31 1% 35 7% 23 1% 3 5% b Investment in additional staff 345 5 2% 6 4% 55 1% 20 6% 8 7% 4 1% c Investment in higher staff compensation d Investment in training for staff e Investment in policies and procedures 343 345 345 3 2% 4 1% 2 3% 7 9% 8 7% 5 2% 63 0% 49 0% 47 8% 18 4% 25 8% 31 0% 1 5% 7 2% 7 5% 6 1% 5 2% 6 1% Policy Plan Standard Rule Has your local government purchased cybersecurity insurance n 341 Yes 44 0% No 56 0% If yes to what extent does the insurance cover your cybersecurity exposure Please select one n 152 Very little coverage Limited coverage Moderate coverage Most coverage Full coverage 1 3% 19 7% 36 2% 17 1% 9 9% Don’t know 15 8% How would you rate your local government’s cybersecurity technology hardware software etc practices methods used etc and policies written or unwritten “rules” or procedures etc n State of the art Current best practice One generation behind current best practice More than one generation behind current best practice Don’t know a Technology 344 4 9% 50 6% 29 4% 8 7% 6 4% b Practices 344 1 2% 41 9% 32 3% 18 0% 6 7% c Policies 344 0 9% 30 5% 32 0% 26 2% 10 5% Technology Practice Policy In deploying cybersecurity in your local government are you aware of either the ISO 27000 series or the 2014 NIST Framework for Improving Critical Infrastructure Cybersecurity and do you employ either Framework 53 3% Yes aware and employ it substantially 2 4% Yes aware and employ it partially 21 7% Yes aware and don’t employ it 22 6% 47 2% 5 0% 28 5% 19 3% n No not aware a ISO 27000 336 b 2014 NIST Framework 337 Please rate the following in terms of their relative importance to your local government’s cybersecurity staff for learning about cybersecurity problems and best practices a NIST National Institute of Standards and Technology 335 Not at all important 7 8% b FBI Federal Bureau of Investigation c CERT The CERT Program of the Software Engineering Institute Carnegie Mellon University d DoD Department of Defense 332 8 4% 11 7% 22 9% 24 7% 15 4% 16 9% 332 12 7% 13 3% 18 1% 23 2% 9 3% 23 5% 328 19 5% 19 8% 16 2% 17 1% 7 0% 20 4% e f g h i Vendors Other local governments Our state government Other state governments ISO International Organization for Standardization 336 334 333 326 331 3 3% 3 9% 6 9% 23 0% 14 5% 15 5% 12 0% 18 3% 21 5% 18 4% 28 9% 29 6% 24 3% 21 5% 23 9% 26 8% 27 5% 22 5% 13 5% 15 1% 14 0% 15 0% 13 8% 4 3% 7 6% 11 6% 12 0% 14 1% 16 3% 20 5% j IT-ISAC IT - Information Sharing and Analysis Center 325 14 5% 15 1% 15 4% 13 2% 10 5% 31 4% k OWASP Open Web Application Security Project l MSiSAC Multi-State Information Sharing and Analysis Center m Other 327 20 8% 18 7% 13 5% 10 1% 4 0% 33 0% 328 14 0% 14 9% 14 0% 12 5% 15 5% 29 0% 65 7 7% 3 1% 4 6% 3 1% 20 0% 61 5% Institution n Slightly important 9 3% Moderately important 21 8% Very important 24 2% Extremely important 13 1% Don’t know 23 9% Page 11 of 12 In your experience do the top elected and appointed officials in your local government feel that responsibility for cybersecurity belongs mostly to the technologists or do top elected and appointed officials believe that they also have to play an important role in cybersecurity Please answer on a scale of 1 to 5 where 1 means officials believe responsibility belongs mostly to technologists and 5 means officials believe they have an important role to play Framework a Top elected officials n 337 1 51 3% 2 15 4% 3 10 7% 4 6 8% 5 2 7% Don’t know 13 1% b Top appointed officials 334 42 2% 14 7% 13 8% 13 5% 3 9% 12 0% In your opinion what are the top three things that you need most to ensure the highest level of cybersecurity in your local government Please select ONLY 3 and rank them in order of importance 1 most important 2 second most important and 3 third most important n 319 Support a Improved cybersecurity hardware b Better cybersecurity policies c Better enforcement of existing cybersecurity policies d Greater funding for cybersecurity e Greater support from top elected officials for cybersecurity f Greater support from top appointed officials for cybersecurity g Greater support from department managers for cybersecurity h The ability to pay competitive salaries for cybersecurity personnel i More cybersecurity personnel j More training for cybersecurity personnel k Greater cybersecurity awareness among employees in my local government l More end user training m Greater end user accountability n Consolidation of our numerous IT networks systems o Other Average ranking 0 58 0 77 0 29 1 02 0 16 0 10 0 14 0 38 0 54 0 42 0 71 0 48 0 32 0 06 0 03 How confident are you that consistent implementation of the best available cybersecurity technologies policies and practices will enable your local government to prevent all breaches n 334 Not confident at all Slightly confident Somewhat confident Confident Highly confident Don’t know 13 2% 16 8% 31 1% 24 0% 11 4% 3 6% Please share any additional information about cybersecurity in your local government See full dataset for open-ended responses for this question For additional information about the Cybersecurity 2016 Survey please contact ICMA Survey Research at surveyresearch@icma org Page 12 of 12