An Information Systems Security Readiness Assessment for Municipalities in Rural Pennsylvania

This project was sponsored by a grant from the Center for Rural Pennsylvania, a legislative agency of the Pennsylvania General Assembly.

The Center for Rural Pennsylvania is a bipartisan, bicameral legislative agency that serves as a resource for rural policy within the Pennsylvania General Assembly. It was created in 1987 under Act 16, the Rural Revitalization Act, to promote and sustain the vitality of Pennsylvania's rural and small communities.

Information contained in this report does not necessarily reflect the views of individual board members or the Center for Rural Pennsylvania. For more information, contact the Center for Rural Pennsylvania, 625 Forster St., Room 902, Harrisburg, PA 17120, telephone (717) 787-9555, email: [email protected]

An Information Systems Security Readiness Assessment for Municipalities in Rural Pennsylvania

By Jungwoo Ryoo, Ph.D., Tulay Girard, Ph.D., and Charlotte E. McConn, M.S., CDP.

Pennsylvania State University-Altoona

November 2009

EXECUTIVE SUMMARY

This research project, which is the first of its kind for local governments, assessed the information systems security readiness of municipalities in Pennsylvania, with an emphasis on rural municipalities.

The researchers developed a set of survey instruments that measured the following three major aspects of a municipality's information systems security readiness: (1) infrastructure, (2) computer literacy, and (3) daily practices.

Among the 276 municipalities statewide that participated in the study, 67 percent were rural and 33 percent were urban. The respondents included individuals representing Pennsylvania boroughs, townships and cities.

To assess the infrastructure of the participating municipalities, the researchers measured various criteria in the areas of hardware and software infrastructure, funding and human resources. From the evaluation, the researchers identified the following factors that may challenge the security readiness of rural municipalities:

• Lack of human resources: 81 percent of the rural municipal respondents had no dedicated in-house information technology (IT) support personnel, and only 46 percent outsourced their computer hardware/software support.
• Insufficient budget for improving information systems security: 25 percent of rural municipal respondents spent nothing on information systems security during the previous 5 years.
• Increased vulnerability as more municipal computers are connected to the Internet: on average, rural municipal respondents had three desktop computers connected to the Internet.
• Less than optimal installation of security software: a significant number of rural municipal respondents said they did not have any security software installed on their computers.

To assess computer literacy, the researchers measured various criteria in the areas of computer training and knowledge and security training and knowledge. From the evaluation, they identified the following factors as potential weaknesses of rural municipalities:

• Little computer training provided to the computer users.
• Little information systems security training provided to the computer users.
• Lack of security knowledge among users, as almost one half of rural municipal respondents said their information systems security knowledge was below average.

Daily practices were assessed by measuring a whole host of criteria including computer sharing among employees, remotely accessing municipal computers, managing inventory, using various encryption methods, handling email, backing up and disposing of data, and disaster recovery. The researchers identified the following as potential weaknesses of rural municipalities:

• Lack of service agreements addressing security issues between municipalities and information technology contractors: only 32 percent of rural municipal respondents had such agreements.
• Relaxed access control: 63 percent of rural respondents adopted improper user name/password practices, such as not using either a user name or password. Also, 64 percent of rural respondents were never asked to change their passwords.
• Unknown or no encryption used for a majority of municipal wireless local area networks.
• Inappropriate data backups: the municipalities backed up their data but did not verify it.
• Insufficient physical security: the municipalities had only a bare minimum of physical security tools.
• Inadequate disposal of computers and other media containing sensitive information.
• Lack of security policies for a majority of municipalities.
• Loose network monitoring: 63 percent of rural respondents did not monitor the logs of network connection activities.

Based on the research findings, the researchers offered a variety of practice and policy considerations for both local governments and state government. These considerations include:

• Encouraging resource pooling among municipalities to share IT staff with security expertise;
• Encouraging periodic assessment of information systems security readiness among rural municipalities to monitor progress or any potential deterioration;
• Encouraging the development of written policies for enforcing sound, daily information systems security practices;
• Providing awareness training and security education for rural municipal employees;
• Providing a centralized incident management system that keeps track of security breaches and recognizes patterns, if any, that surface; and
• Developing a Web site that promotes community-driven exchanges of ideas and local-government-specific information systems security best practices.

Table of Contents

Introduction
  Related research
Goals and Objectives
  Infrastructure assessment
  Computer literacy and security literacy assessment
  Daily practices assessment
  First of a kind research related to local government assessment
Methodology
  Survey limitations
Results
  Sample description
  Infrastructure assessment
  Computer literacy assessment
  Security literacy assessment
  Daily practices assessment
Conclusions
Policy Considerations
  Local government action
  State government action
  Legislative support
  Federal funding
References

INTRODUCTION

In 2006, a foreign attacker invaded computers at a water filtering plant near Harrisburg, Pa. According to press reports, the intruder installed malicious software that could have affected "the plant's water treatment operation" (Esposito, 2006). In this particular case, an employee's home computer, which had remote access to the water plant, was compromised.

In 2005, Russian hackers breached a Rhode Island government Web site and stole credit card information (Web Application Security Consortium, 2007).

In 2004, a Midwestern city police force lost its radio communications for five hours because of a virus on the city's computer system (Krouk, 2004).

As these incidents indicate, computer crimes targeting local governments and computer security-related mishaps are not uncommon (Computer Security Institute, 2006; Web Application Security Consortium, 2007; Krouk, 2004). Rural municipalities may be particularly vulnerable because they typically lack the necessary human and financial resources to adequately manage their information systems security.

The continuing push for e-government makes rural local governments even more vulnerable. E-government refers to the use of Information and Communication Technology (ICT) by government organizations to provide services to the general public, businesses, and other government organizations. Each day, more and more municipalities go online and provide their services via the Internet. In an ideal e-government scenario, information would only be available to individuals who need it and are authorized to access it. However, without careful planning and oversight, information can easily be abused and used against the interests of those it was intended to serve.

An online presence may pose other threats as well, especially when local governments host their own Web servers and allow other municipal computers to be part of the same network. When connected without proper security measures, these computers are potentially accessible to anyone on the Internet. With sufficient computer expertise and malicious intent, hackers can inflict serious damage.

Even without a direct Internet connection in their municipal offices, municipalities may be at risk because of the widespread use of laptops and portable storage devices, such as USB drives. These devices make sensitive data more susceptible to loss, abuse and hacking attempts. Workplace laptops or portable storage devices are often connected to poorly guarded home networks of local government employees, which is as risky as the previous scenario in which office computers are networked to the Internet without adequate protection. Once plugged into inadequately protected home computers, portable storage devices may become another source of vulnerability. The data on them can then be stolen, damaged or changed by attackers. In addition, when the device is used again in the municipal office, malware from a home computer can infect the entire office network.

Outsourcing computer services can be another area of concern for some rural municipalities that hire consultants to install and manage computer hardware and software. There may be a tendency for municipalities to overlook whether necessary security precautions have been taken during the contract work. It is also common that consultants develop software or process data for the municipalities. In these situations, monetary constraints and a lack of expertise make it difficult for municipalities to test the software for security and to check whether the data are securely handled during the outsourced processing.

The researchers' pilot study that laid the groundwork for this research project included interviews with officials at urban and rural municipalities in central Pennsylvania (McConn et al., 2007) and confirmed the concerns listed above. The researchers recognized the need for a comprehensive assessment to better understand the status quo of information systems security readiness in small rural municipalities.

This report describes the research conducted in 2008 to assess the level of security readiness in terms of hardware and software infrastructures, computer and security literacy, and daily information technology (IT) practices within Pennsylvania's municipalities. The researchers believe that the findings will eventually lead to concrete efforts at both the state and local government levels to prevent future computer security breaches.
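One of the daily-practice weaknesses the executive summary lists is backups that were made but never verified. The following Python script is an added example (it is not from the report or its authors) of what such a verification can look like for a plain directory-to-directory backup, such as a nightly copy to an external drive. Every source file is hashed and compared with its copy, and files that are missing from, altered in, or present only in the backup are reported separately. The directory layout and file contents are constructed for the demonstration; the file names (payroll.csv, minutes.txt, permits.db, old_budget.xls) are hypothetical.

```python
"""Backup verification check: compare a source tree with its backup copy file-by-file.

Added example, not part of the report. Assumes a plain directory-to-directory
backup; the sample files created in demo() are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_backup(source: Path, backup: Path) -> dict:
    """Return which source files are intact, missing or altered in the backup.

    A backup job that 'ran without errors' can still be unusable; only comparing
    content proves it. Extra files in the backup are reported too, because a
    restore would bring them back.
    """
    report = {"ok": [], "missing": [], "mismatched": [], "extra": []}
    seen = set()
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source)
        seen.add(rel)
        copy = backup / rel
        if not copy.is_file():
            report["missing"].append(rel.as_posix())
        elif sha256_of(copy) != sha256_of(path):
            report["mismatched"].append(rel.as_posix())
        else:
            report["ok"].append(rel.as_posix())
    for path in sorted(p for p in backup.rglob("*") if p.is_file()):
        rel = path.relative_to(backup)
        if rel not in seen:
            report["extra"].append(rel.as_posix())
    return report


def backup_is_restorable(report: dict) -> bool:
    """A backup passes only if every source file is present and byte-identical."""
    return not report["missing"] and not report["mismatched"]


def demo() -> dict:
    """Build a constructed source/backup pair with deliberate defects and verify it."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src, bak = root / "source", root / "backup"
    (src / "records").mkdir(parents=True)
    (bak / "records").mkdir(parents=True)
    # Constructed sample data (hypothetical file names): one good copy, one
    # truncated copy, one file never copied, and one stale file only in the backup.
    (src / "records" / "payroll.csv").write_text("id,name,amount\n1,clerk,1000\n")
    (bak / "records" / "payroll.csv").write_text("id,name,amount\n1,clerk,1000\n")
    (src / "minutes.txt").write_text("Meeting minutes, full text\n")
    (bak / "minutes.txt").write_text("Meeting minutes")  # truncated copy
    (src / "permits.db").write_bytes(b"\x00" * 64)  # never backed up
    (bak / "old_budget.xls").write_bytes(b"stale")  # only in the backup
    return verify_backup(src, bak)


if __name__ == "__main__":
    result = demo()
    for key, files in result.items():
        print(f"{key:10s} {files}")
    print("restorable:", backup_is_restorable(result))
```

Running the script reports records/payroll.csv as ok, minutes.txt as mismatched, permits.db as missing and old_budget.xls as extra, so the backup is judged not restorable. In practice the check is scheduled right after the backup job and its result is logged, so that a silently failing copy is noticed before a restore is ever needed.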

Related research

A comprehensive literature review reveals that this research project is the first of its kind. Few studies have targeted rural local governments and scrutinized their information systems security readiness. No federal government agency has commissioned such research. Prior to this work, no state government, including Pennsylvania, had commissioned such research, although some attempts have been made to understand the degree of computer use among local governments (The Center for Rural Pennsylvania, 2005).

Realizing the lack of research in this area, the researchers conducted an exploratory study and published their initial findings in 2007 (McConn et al., 2007).

The Computer Security Institute (CSI), a professional society serving the needs of computer security workers, has conducted studies that include local governments, but the number of respondents is very limited (4 percent in 2008). In addition, the surveys do not differentiate between urban and rural municipalities.

Most other assessment efforts have focused mainly on federal and state governments, as demonstrated in the 2006 National Association of State Chief Information Officers (NASCIO) survey (NASCIO, 2006). The survey concentrated on measuring how the chief information officers of each state perceived the information systems security readiness of their state.

At the federal level, existing laws, rules, and regulations require government agencies to take IT security performance measurements regularly (Chew et al., 2006). These include the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), and the Federal Information Security Management Act (FISMA).

GOALS AND OBJECTIVES

This research project assessed the information systems security readiness of rural municipal governments in Pennsylvania using the following evaluation criteria: hardware and software infrastructures, computer and security literacy, and the daily practices of using existing infrastructures and knowledge. These evaluation criteria allowed the researchers to quantify different aspects of security readiness.

Infrastructure assessment

The first objective was to investigate the software and hardware solutions rural municipalities use to: control both incoming and outgoing data traffic; encrypt and decrypt confidential information; limit access to computer systems and their resources; detect and remove malware including viruses, spyware, adware, worms, and Trojan horses; back up and restore data; and recover from disasters.

Computer literacy and security literacy assessment

The second objective was to measure both the computer literacy and security literacy of municipal employees. Computer literacy refers to how knowledgeable employees are about the municipality's information systems, while security literacy refers to the level of computer-security-specific knowledge that each employee has in addition to computer literacy.

Rural local government workers were evaluated for the degree of their computer knowledge of: installing and configuring software and hardware; using software packages and hardware; installing, configuring and managing a network; and developing software.

For security literacy, municipal workers were evaluated for their knowledge of: security planning; the presence of internal threats, such as employees deleting important data, and external threats, such as hackers sending e-mails containing viruses and worms; security software and hardware features and their uses; proper configuration and management of networks for improving security; methods to monitor suspicious activities on their computers; application of physical security principles, such as using computer locks; and access control. In cases where significant IT tasks were outsourced, the computer and security knowledge of the contractor were also assessed.

Daily practices assessment

The third objective was to measure the actual use, or daily practices, of the existing infrastructures and knowledge. The researchers assessed the local governments' enforcement efforts including access control to information systems, such as password policies, and accountability practices, such as monitoring employee activities.

METHODOLOGY

First of a kind research related to local government assessment

Since this research is the first of its kind, there were no benchmarks (or absolute numbers) against which the results could be compared. However, the researchers did compare the results between rural and urban municipalities to analyze their similarities and differences.

While the National Institute of Standards and Technology (NIST) offers assessment frameworks and tools to measure security readiness, their main focus is on federal agencies. Currently, there is no government standard that specifically addresses the security readiness of local governments.

Therefore, this project can serve as a solid baseline for follow-up studies.

For the study, the researchers defined local governments as counties, cities, boroughs, townships, and authorities (Martin, 1997). Of these 2,576 municipalities, 1,655 are regarded as rural based on the Center for Rural Pennsylvania's definition as follows (The Center for Rural Pennsylvania, 2007): a municipality is rural when the population density within the municipality is less than 274 persons per square mile or the municipality's total population is less than 2,500, unless more than 50 percent of the population lives in an urbanized area, as defined by the U.S. Census Bureau. All other municipalities are considered urban.

The research project focused primarily on rural municipalities but collected data from urban municipalities for comparison purposes.[1]

To promote a balanced representation of all rural counties, the researchers made considerable attempts to survey at least 10 municipalities in each of the state's 46 rural counties with 10 or more municipalities. The surveys were sent to all municipalities in the rural counties of Cameron and Forest, as Cameron has seven municipalities and Forest has nine municipalities.

The researchers developed four surveys: one each for managers, clerical staff, in-house IT technicians, and outside IT technicians.

The researchers invited all 2,576 local governments in Pennsylvania (of which 1,655 are rural) to participate in the survey. Respondents from 276 municipalities, including counties, boroughs, cities and townships, participated in the study: 67 percent (184) were rural municipalities and 33 percent (92) were urban municipalities (see Map 1). A total of 379 individuals responded. Although this response rate was lower than expected, there was adequate representation of the population in the sample at the 95 percent confidence level.

Survey limitations

One limitation of the study is the relatively small sample size of 379 respondents from both urban and rural municipalities. Originally, the researchers aimed to obtain participation from a total of 476 municipalities, from each of which a manager, a clerical person, and possibly an in-house IT technician would participate. However, only 191 managers, 161 clerical staff, and 27 in-house IT technicians participated. Because one of the goals of this study was to compare the rural and urban municipalities rather than managers, clerical staff and IT technicians, the data analysis was performed with all of the data combined from the 379 respondents.

One of the reasons for the lower-than-expected response rate may be the length of the survey. The survey contained a total of 59 questions, some of which had multiple statements, and many questions required open-ended answers. Another reason for the lower response rate may be that the respondents were concerned about the confidentiality of their information and how the information would be used once obtained. This may be the case even though the cover letter sent to the municipalities and the informed consent form contained statements of confidentiality.

[1] Computers used for police business were not included in the study.

RESULTS

Sample description

The average population of the rural municipalities that responded to the survey was 2,463 in 2008; the average for the urban municipalities that responded was 7,580.

A total of 249 rural (66 percent) and 130 urban municipal employees (34 percent) took the survey. Out of the 379 people who responded to the survey, 65 percent were full-time and 35 percent were part-time employees. Table 1 provides more details about the sample population.

Table 1: Characteristics of Respondents and Their Municipalities

Map 1: Location of Rural and Urban Municipalities that Responded to the Survey

Infrastructure assessment

Infrastructure readiness was assessed using the following criteria: human resources, total budget, security-relevant budget, general hardware infrastructure, security-relevant hardware infrastructure, general software infrastructure, and security-relevant software infrastructure. The definition of each infrastructure readiness measurement is provided in Table 2.

Table 2: Infrastructure Readiness Measurements Definitions

Human resources

In-house IT personnel

Among the rural municipal respondents, about 81 percent indicated they had no in-house IT personnel while about 19 percent had one or more in-house IT personnel. Among the urban municipal respondents, 76 percent said they had no in-house IT personnel while 24 percent had one or more in-house IT personnel. There were no statistically significant differences in the number of in-house IT personnel between rural and urban municipalities. Therefore, the researchers concluded that a majority of both rural (81 percent) and urban municipalities (76 percent), in general, lack dedicated IT personnel.

Third-party contractors

About 54 percent of rural respondents and 14 percent of urban respondents did not outsource their computer hardware and software support. Approximately 52 percent of urban municipalities outsourced more than 75 percent of their computer hardware and software support compared to 28 percent of rural municipalities. The differences between rural and urban municipalities were significant. Since most of the rural municipal respondents did not have dedicated IT personnel, this significantly low outsourcing rate for rural municipalities implies they rely heavily on non-IT personnel for their hardware and software support. Table 3 shows a summary of the survey results on the use of third-party contractors.

Table 3: Use of Third-Party Contractors

When comparing the percentages of respondents who did and did not outsource for IT support with those who did or did not have in-house IT support, the researchers found no statistically significant differences. Out of the 80 respondents in both rural and urban municipalities who did not have in-house IT personnel, 65 percent outsourced their IT support and 35 percent did not.

More information on the details of outsourced hardware and software support follows.

• Among rural municipal respondents, 41 percent used in-house network administrators and 39 percent outsourced their network administration. Among urban respondents, 45 percent used in-house network administrators and 37 percent outsourced.
• A majority of rural and urban municipal respondents (88 percent rural and 88 percent urban) performed the data backup function in-house. However, significant differences in the percentage of the in-house and outsourced Web site development and maintenance functions were observed within rural and urban municipalities. Almost 44 percent of the rural municipalities used in-house administration and 30 percent outsourced administration of their Web site development. About 52 percent of urban municipalities used in-house administration and 30 percent outsourced their Web site development.
• Urban municipalities used significantly more in-house resources (59 percent) than rural municipalities (46 percent) to maintain their Web site. Similarly, rural municipalities outsourced more (31 percent) than their urban counterparts (26 percent) to maintain their Web sites. The differences were significant.
• A majority of rural (64 percent) and urban (77 percent) municipalities with Web sites outsourced their Web site hosting.
• A majority of rural (64 percent) and urban (77 percent) municipalities outsourced their software development.
• A majority of rural (66 percent) municipalities used in-house resources to install software whereas urban municipalities used almost an equal percentage of in-house (40 percent) and outsourced (43 percent) software installation.
• A majority of rural (55 percent) municipalities used in-house and a majority of urban (54 percent) municipalities outsourced their software maintenance. The differences were statistically significant.

Total budget

The research found significant differences between rural and urban municipalities in their estimated average total budgets in the past 5 years. Approximately 49 percent of rural municipalities had budgets ranging between $100,001 and $1 million whereas approximately 57 percent of urban municipalities had budgets ranging between $1,000,001 and $100 million. Table 4 shows a summary of the survey results on total budgets.

Table 4: Total Budgets


Security-relevant budget

The study found significant differences between rural and urban municipalities in the average total dollar amount spent on security hardware and software during the past 5 years. Approximately 25 percent of rural municipalities and 7 percent of urban municipalities spent nothing on information systems security hardware and software during the past 5 years. Almost 64 percent of rural municipalities spent between $1 and $10,000 compared to 68 percent of urban municipalities. This was an encouraging sign, showing that both rural and urban municipalities were making investments toward information systems security. Approximately 21 percent of urban municipalities spent between $10,001 and $100,000 on information systems security compared to 11 percent of rural municipalities. No rural municipality spent over $100,000 and no urban municipality spent over $150,000 on information systems security.

General hardware infrastructure

Computing devices

In rural municipalities, the average number of desktop computers reported by 143 respondents was about three, the average number of laptop computers reported by 82 respondents was slightly less than one, and the average number of handheld devices reported by 52 respondents was less than one. In urban municipalities, the average number of desktop computers reported by 93 respondents was about 16, the average number of laptop computers reported by 83 respondents was about five, and the average number of handheld devices reported by 64 respondents was about one. The differences between rural and urban municipalities were significant.

Security-relevant hardware infrastructure

Computing devices with Internet access

In rural municipalities, the average number of desktop computers with Internet access reported by 141 respondents was about three, the average number of laptop computers with Internet access reported by 59 respondents was about one, and the average number of handheld devices with Internet access reported by 31 respondents was less than one. In urban municipalities, the average number of desktop computers reported by 93 respondents was about 15, the average number of laptop computers reported by 74 respondents was about five, and the average number of handheld devices reported by 52 respondents was less than one. The differences between rural and urban municipalities were significant. From these findings, the researchers conclude that a good portion of the municipal-owned desktop computers and laptops were connected to the Internet, which could mean a higher possibility of attacks via the Internet.

General software infrastructure

Operating systems

The survey results showed that Windows XP was the dominant operating system among all municipalities: 61 percent for rural and 40 percent for urban municipalities. The widespread use of Windows XP was encouraging since the operating system was mature and supported by Microsoft in terms of security fixes. The support will end, however, in 2014.

Security-relevant software infrastructure

The survey results showed that anti-virus software was the most widely used security software: 86 percent of both rural and urban municipalities had anti-virus software installed on all of their computers. However, there were five rural municipalities and two urban municipalities that had no anti-virus software installed on any of their computers.

Both rural and urban municipalities also had other well-known types of security software such as firewalls (68 percent) and pop-up blockers (73 percent). About 40 percent of all municipalities had adware removers installed, 40 percent had intrusion detection software and 52 percent had spam filters installed on all their computers. As expected, the adoption rate was fairly low for more advanced types of security software including e-mail monitoring software (9 percent), Virtual Private Network (VPN: allows a secure remote connection between two hosts) (9 percent), and Internet content filtering software (19 percent).

Computer literacy assessment

Computer literacy readiness was assessed by measuring the following criteria: computer training, computer knowledge, self-assessment of computer knowledge, security training, security knowledge, and self-assessment of security knowledge.

Computer training

Respondents were asked to list all the information-systems-related training, certification, and degrees they had obtained in a class or a self-paced course within the past 5 years. Of the 141 respondents who answered the question, 43 percent said they received no training. About 4 percent had an associate's degree or higher in computer information systems, 33 percent took some courses to learn how to use various software programs including accounting/payroll software such as QuickBooks, Peachtree, the Microsoft Office suite (consisting of Excel, Word, and Access), Web design software, Adobe, and Exchange 2000. Another 4 percent attended job-related seminars, and 7 percent received a certificate or training in computer software, such as GIS, computer forensics, emergency management, and Web site design/maintenance. About 2 percent were self-taught, and 7 percent received job-related training. In general, it appears that the level of computer training among municipal employees was low.

To collect more detailed information on computer training, the researchers asked respondents how many hours of computer training they completed during the past 12 months in each of the following categories: Microsoft Office applications, accounting software, network software, programming, and Web design.

A majority of the employees in both rural (84 to 99 percent) and urban (74 to 99 percent) municipalities did not receive any training in these areas in the last 12 months. Other training received included wireless security (40 hours), GIS (10 to 16 hours), property records system (8 hours), Caselle (8 hours), payroll (4 to 6 hours), operating systems (3 hours), utility billing software (2 to 32 hours), U.S. Census Bureau software (16 hours), Permit-n-Force (8 hours), and state reports (4 hours).

Computer knowledge

A majority of respondents in both rural and urban municipalities knew, on average, the terms: operating systems, client, server, portal, router, CPU, main memory, hard drive, Ethernet, Wi-Fi, and bandwidth. Employees in urban municipalities understood all of these terms significantly more than their rural counterparts.

The researchers concluded that both rural and urban municipal officials were knowledgeable about basic computer and networking terms, although urban respondents knew significantly more about these terms.

Self-assessment of computer knowledge

Of the 365 respondents who rated their own computer knowledge, 1 percent said they had no knowledge, 22 percent indicated very low to low knowledge, 58 percent indicated average knowledge, and 19 percent indicated high to very high knowledge. The reported knowledge of urban respondents was significantly higher than that of their rural counterparts.

Security literacy assessment

Security training

For this assessment, respondents were asked about the number of information systems security training hours they completed during the past 12 months. This training would have covered password use policies, data access and authorization policies, computer security attack precautions, proper disposal of sensitive data, policies for proper Internet use, and transporting computers or data from authorized locations.

A majority of both rural (more than 92 percent) and urban (more than 89 percent) respondents did not receive any training on password use policies, data access and authorization policies, computer security attack precautions, proper disposal of sensitive data, policies for proper Internet use, and transporting computers or data from authorized locations in the past 12 months.

Security knowledge

Respondents were asked about their level of knowledge of terms such as phishing, malware, spyware, botnet, rootkit, computer virus, SQL injection, Denial of Service (DoS), computer worm, wardriving, spam, identity theft, encryption, Virtual Private Network (VPN), anti-virus software, spam filter, adware, intrusion detection system, system log, and firewalls.

Significantly more urban respondents knew the terms phishing, malware, spyware, computer virus, SQL injection, DoS, wardriving, spam, identity theft, encryption, VPN, spam filter, adware, system log, and firewalls. Knowledge of the terms botnet, rootkit, computer worm, anti-virus software, and intrusion detection system was not significantly different between rural and urban respondents. A majority of respondents in both rural and urban municipalities indicated that their knowledge of these terms was below average. A majority of rural respondents stated their knowledge of phishing, SQL injection, DoS, wardriving, VPN, and system log was below average. This lack of knowledge among rural respondents was concerning since these security threats are so pervasive.

Self-assessment of security knowledge

Respondents were asked to describe their information systems security knowledge on a six-point scale ranging from none to very high. Urban respondents' (self-assessed) knowledge of information systems security was significantly higher than that of rural respondents.

Overall, all respondents seemed to be more confident in their computer knowledge than their security knowledge. About 26 percent of rural and 18 percent of urban respondents said their computer knowledge was below average, whereas 49 percent of rural and 29 percent of urban respondents said their information systems security knowledge was below average. Out of 363 respondents, 3 percent indicated no knowledge of information systems security, 39 percent indicated very low to low knowledge, 48 percent indicated average knowledge, and 10 percent indicated high to very high knowledge.

Daily practices assessment

Daily practices were assessed by measuring the following criteria: service agreement policies, computer sharing, remote access, inventory management, Operating System patch updates, definition file updates, use of encryption methods, information systems security training provided, e-mail handling, data backups, data disposal, physical security, disaster recovery, general security policies, access control, and accountability practices.

Service agreement policies

Respondents were asked whether their service agreement required information systems security precautions, such as regular data back-ups and automated updates of Operating Systems and virus definition files, and whether they outsourced computer hardware and software support to a third-party contractor.

Among urban respondents who contracted with a third-party contractor, 75 percent had service agreements that required information systems security precautions. Among rural respondents with a third-party contractor, 32 percent had service agreements that required information systems security precautions. Sixty percent of rural respondents did not have a service agreement with a third-party contractor, compared to 16 percent of urban respondents. This was disconcerting (especially for rural respondents) because service agreements with security precautions are generally recommended for better security. The differences between rural and urban respondents were significant. (See Table 5)

A majority of both rural (75 percent) and urban respondents (80 percent) did not share computers with other employees in their municipality. About 25 percent of rural and 20 percent of urban respondents shared their computers with others. This was encouraging since avoiding computer sharing is more desirable for information systems security, although sharing itself does not necessarily mean bad security. The respondents were also asked how they logged onto their work computers. Most respondents used both a user ID and a password to log on to their computers (57 percent urban and 35 percent rural). Eleven percent of rural respondents and 4 percent of urban respondents did not use a user ID, a password, or other means to log on to their computers. For 25 respondents who provided reasons for other log-in methods, the responses included no log-on required, fingerprint reader on a new laptop, do not use the computer, use a personal computer for work, e-token, and homepage. About 63 percent of rural and 46 percent of urban respondents adopted insecure user name/password practices (i.e., not using anything at all or using only a user ID or password).

The researchers concluded that computer sharing in rural (24 percent) and urban (21 percent) municipalities was done in an insecure manner without the proper use of a user ID and a password.

Amount of Internet use

Rural respondents spent an average of 1.5 hours per day and urban respondents spent an average of 1.9 hours per day on the Internet while at work. The difference was not significant. This implied that both rural and urban municipal employees used the Internet almost equally every day.

Remote access

Significantly more urban respondents than rural respondents remotely connected to their municipalities' computers from home, a café, or other off-site location. A majority of both rural and urban respondents (92 percent rural and 72 percent urban) did not remotely connect to their municipalities' computers.

Inventory management

A majority of both rural and urban respondents said their municipalities kept an inventory of their desktop computers (74 percent rural and 83 percent urban). However, significantly more urban municipalities kept an inventory of their laptop computers (75 percent urban vs. 43 percent rural), handheld devices (53 percent urban vs. 22 percent rural), and other devices, such as faxes and printers (40 percent urban vs. 0 percent rural).

Table 5: Use of Third-Party Service Agreements (table not reproduced in this extraction)


Operating system patch updates

In both rural and urban municipalities, most Operating System patches, which are software upgrades that fix a specific problem with the Operating System, were installed automatically (48 percent rural and 43 percent urban). However, some were installed manually (18 percent rural vs. 15 percent urban), and others were installed both manually and automatically (7 percent rural and 20 percent urban).

Definition file updates

The research found significant differences between rural and urban respondents in their practices of updating definition files, which are lists of known malicious software used by security software when it scans a computer system. In both rural and urban municipalities, definition files were updated mostly automatically (62 percent rural and 53 percent urban). However, a higher percentage of urban municipalities updated their definition files both manually and automatically (18.5 percent urban and 3.5 percent rural).

Use of encryption methods

No significant differences were found between rural and urban respondents in terms of encryption methods used. A majority of all respondents did not know what encryption method was used in their municipalities (63 percent rural and 57 percent urban). This was concerning since encryption is critical in protecting data sent wirelessly.

Information system security training provided

A majority of both rural and urban respondents provided no training on password use policies, data access and authorization policies, computer security attack precautions, proper disposal of sensitive data, policies for proper Internet use, and transporting computers and data from authorized locations. However, the percentage was significantly higher among rural respondents than urban respondents.

The percentage of urban municipalities that provided training for new hires on password use policies (16 percent rural and 24 percent urban), data access and authorization policies (14 percent rural and 25 percent urban), computer security attack precautions (8 percent rural and 17 percent urban), proper disposal of sensitive data (11 percent rural and 18 percent urban), policies for proper Internet use (14 percent rural and 30 percent urban), and transporting computers and data from authorized locations (9 percent rural and 16 percent urban) was significantly higher than that of rural municipalities.

E-mail handling

A majority of both rural and urban respondents said they did not open e-mails and attachments from a stranger (76 percent rural and 71 percent urban) and did not click on any hyperlinks in a suspicious e-mail (9 percent rural and 16 percent urban). Other actions reported by the respondents included the use of a spam/sender blocker, disabling image preview, anti-virus software, downloading a free version of AVG, and setting preferences to the highest level. This finding was encouraging since a majority of respondents seemed to take proper actions when receiving suspicious e-mails. However, even the small number of respondents who did not take proper actions could create vulnerabilities for municipal information systems security. (See Table 6)

Data back-ups

Significant differences in data back-up practices were found between rural and urban respondents, as a higher percentage of urban respondents backed up their data daily (42 percent rural and 73 percent urban). A higher percentage of rural municipalities backed up their data monthly (17 percent rural and 3 percent urban). The researchers concluded that both rural and urban respondents backed up their data regularly, although there were differences in frequency.

Almost 29 percent of rural respondents never tested their backup data to see if it worked, compared to almost 19 percent of urban respondents. Approximately 23 percent of rural respondents said they checked their backup data monthly, compared to 17 percent of urban respondents, and 19 percent of rural respondents and 25 percent of urban respondents said they did not know the answer to this question. Lastly, the respondents were asked where their municipality stored backup files. A majority of both rural and urban respondents said their municipalities kept their backup files mostly onsite (reported as in a safe, server hard drive, flash drive, CDRW & multiple hard drives, fireproof filing cabinet, locked cabinet, shelf, drawer, municipal building, on each other's PC, and always with themselves). Approximately 31 percent of both rural and urban respondents kept their backup files at an offsite location (reported as employees' home, safe deposit box, another building, and online backup). This finding was alarming because storing backup files on site is not a recommended security practice.

Table 6: Summary of E-mail Handling (table not reproduced in this extraction)
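The report finds that nearly a third of rural respondents never tested whether their backups worked. The script below is an added example, not code from the report or its authors, showing the minimum that "testing a backup" means in practice: record a SHA-256 digest of every file when the backup is made, then later confirm that every listed file is still present with the expected content. The manifest format (one "digest  relative-path" line per file), the sample municipal files, and the simulated damage are all constructed for the demonstration.

```python
"""Verify a backup set against a manifest of SHA-256 digests (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, manifest: Path) -> int:
    """Record the digest of every file under backup_dir; return the file count.

    Manifest format (an assumption for this example): "<sha256>  <relative path>".
    """
    lines = []
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p != manifest:
            lines.append(f"{sha256_of(p)}  {p.relative_to(backup_dir).as_posix()}")
    manifest.write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_backup(backup_dir: Path, manifest: Path) -> dict:
    """Compare the backup against its manifest.

    Returns {"ok": [...], "missing": [...], "corrupted": [...]} keyed by
    relative path so the caller can decide whether the backup is usable.
    """
    result = {"ok": [], "missing": [], "corrupted": []}
    for line in manifest.read_text().splitlines():
        if not line.strip():
            continue
        expected, rel = line.split("  ", 1)
        target = backup_dir / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_of(target) != expected:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Build a constructed backup set, damage part of it, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        # Constructed sample data, not real municipal records.
        (backup / "records" / "tax_roll.csv").write_text("parcel,owner\n1,Sample\n")
        (backup / "records" / "permits.csv").write_text("permit,status\n7,open\n")
        (backup / "notes.txt").write_text("constructed sample data\n")
        manifest = Path(tmp) / "MANIFEST.sha256"
        write_manifest(backup, manifest)
        # Simulate what an untested backup hides: silent corruption and a lost file.
        (backup / "records" / "permits.csv").write_text("permit,status\n7,ope\n")
        (backup / "notes.txt").unlink()
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(demo())
```

Run on a real backup, the manifest should be written at backup time and kept with the offsite copy, so that a later check compares the restored files against what was actually saved rather than against the live system.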

Data disposal

Respondents were asked what methods their municipalities used to dispose of paper documents that contained sensitive and confidential information. A majority of both rural (80 percent) and urban (91 percent) respondents said their municipalities used shredders. However, a higher percentage of rural (10 percent) respondents cited burning as a means of disposal than urban (1 percent) respondents.

Respondents were also asked how their municipalities disposed of devices containing sensitive and confidential information, such as old computers, external hard drives, USB drives, and CDs/DVDs.

Many respondents did not know the disposal methods for electronic media with data. Among those who did know, a high percentage said they first erased the data and then either trashed or recycled the device. Others erased the data and then destroyed the device. Some never had to dispose of electronics, and a small percentage said disposal was handled by a third-party professional company/person.

From these responses, the researchers concluded that municipalities adopted good practices when disposing of paper documents, but not when disposing of electronics and their media.

Physical security

A majority of both rural and urban respondents did not use locks on their computers, surveillance cameras, burglar alarms, key card systems, or key pad systems for entry. However, a majority of both groups used door locks and had backup power supplies. The percentage of urban respondents using backup power supplies (85 percent) was higher than rural (58 percent).

Approximately 25 percent of rural and 29 percent of urban respondents used other types of physical security tools, including password-protected computers, biometric access systems, and cameras. A majority of rural respondents (64 percent rural and 29 percent urban) did not use other physical security tools, and a majority of the urban respondents (11 percent rural and 43 percent urban) did not know of other security-related tools that were being used.

These results indicated that a majority of municipalities were equipped with a bare minimum set of physical security tools and that there is much room for improvement in introducing more advanced physical security equipment.

Disaster recovery

Respondents were asked whether they had an alternate site to keep their municipality operational if their office building was damaged or became unusable due to fire, flood, or other reasons. A majority of both rural (57 percent) and urban (67 percent) respondents said their municipalities had an alternate site.

General security policies

A majority of both rural and urban respondents said their municipalities did not have policies in written form on the proper disposal of sensitive data (84 percent rural and 66 percent urban), disaster recovery (82 percent rural and 68 percent urban), and data backup (82 percent rural and 68 percent urban).

Access Control

Take home equipment

A majority of both rural (78 percent for laptops and 54 percent for storage devices) and urban (53 percent for laptops and 48 percent for storage devices) respondents were not permitted to take equipment off-site. However, a significantly higher percentage of urban respondents (45 percent) were permitted to take laptops off-site than rural respondents (17 percent).

A majority of both rural (72 percent for laptops and 63 percent for storage devices) and urban (50 percent for laptops and 52 percent for storage devices) respondents did not connect their laptops and data storage devices to their home network. However, a significantly higher percentage of urban respondents (38 percent) connected their laptops (37 percent) and data storage devices (37 percent) to their home network than rural (18 percent laptops and 31 percent data storage devices).

Password management

A majority of the rural (64 percent) and urban (57 percent) respondents said they were never required to change passwords. There was no daily or weekly requirement for changing passwords. A smaller percentage of both rural and urban respondents were required to change passwords either monthly or quarterly. Some of the open-ended answers to this question included: passwords are changed when a new employee is hired, passwords are changed when an employee feels it's necessary, the computer is set up to change passwords every 90 days, and I am the only one using the township computer. Responses to this question were alarming since periodically changing passwords is a recommended security practice.

Management of sensitive resident information

Respondents indicated they did not store any credit card numbers of residents. Typically, municipalities store names and addresses of residents, followed by phone numbers, other types of information, tax ID numbers, and Social Security Numbers (SSN: 4 percent rural and 2 percent urban). Other types of information included utility billing information, property ID numbers, tax parcel/permit numbers, and home assessed values. This finding was encouraging because the information stored on municipal computers was minimal.

Policies

A majority of rural (91 percent) and urban (81 percent) respondents said their municipalities did not have a password expiration policy. However, a significantly higher percentage of urban respondents said their municipality had strong password use (5 percent rural and 15 percent urban), password expiration (4 percent rural and 8 percent urban), and data access and authorization (8 percent rural and 21 percent urban) policies than rural municipalities. Almost equal percentages of both rural (89 percent) and urban (81 percent) respondents said their municipalities did not have a policy on transporting computers/data storage devices from authorized locations.

Accountability Practices

Network monitoring

A majority of both rural (63 percent) and urban (51 percent) respondents said their municipalities did not monitor the logs of network connection activities. This was unexpected since network monitoring is a recommended security practice.
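The report calls monitoring network connection logs a recommended practice but does not say what a small office without IT staff would actually look for. The script below is an added example, not code from the report, that reviews a small constructed set of connection-log lines in a hypothetical firewall/syslog style and flags two things that are cheap to check: repeated denied connection attempts from outside the local network, and outbound connections from the local network outside business hours. The log format, the 192.168.10.0/24 LAN, the business-hours window, and the deny threshold are all assumptions made for the example.

```python
"""Review network connection logs for activity worth a second look (added example)."""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log in a hypothetical format: timestamp, source, destination, port, action.
SAMPLE_LOG = """\
2009-06-15 09:12:03 CONNECT src=192.168.10.21 dst=192.168.10.5 dport=445 action=allow
2009-06-15 09:40:18 CONNECT src=192.168.10.21 dst=203.0.113.9 dport=443 action=allow
2009-06-15 12:05:44 CONNECT src=198.51.100.77 dst=192.168.10.5 dport=3389 action=deny
2009-06-15 12:05:45 CONNECT src=198.51.100.77 dst=192.168.10.5 dport=3389 action=deny
2009-06-15 12:05:46 CONNECT src=198.51.100.77 dst=192.168.10.5 dport=3389 action=deny
2009-06-15 23:47:02 CONNECT src=192.168.10.33 dst=203.0.113.200 dport=6667 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) CONNECT "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

INTERNAL = ip_network("192.168.10.0/24")   # assumed municipal LAN
BUSINESS_HOURS = range(7, 19)              # 07:00 to 18:59 local time, assumed
DENY_THRESHOLD = 3                         # repeated denies from one outside source


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": ip_address(d["src"]),
        "dst": ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "action": d["action"],
    }


def review(log_text):
    """Return a list of (reason, raw line) findings for a person to follow up.

    Unparseable lines are reported too: a log that silently changes format
    is itself something the person reviewing it should know about.
    """
    findings = []
    denies = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            findings.append(("unparseable", raw))
            continue
        # Repeated blocked attempts from outside the LAN against one service.
        if ev["action"] == "deny" and ev["src"] not in INTERNAL:
            denies[ev["src"]] += 1
            if denies[ev["src"]] == DENY_THRESHOLD:
                findings.append(("repeated external denies", raw))
        # Successful outbound connection from the LAN when nobody should be at work.
        if (ev["action"] == "allow" and ev["src"] in INTERNAL
                and ev["dst"] not in INTERNAL
                and ev["ts"].hour not in BUSINESS_HOURS):
            findings.append(("outbound after hours", raw))
    return findings


if __name__ == "__main__":
    for reason, line in review(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Both checks are deliberately simple so that they can be read and adjusted by someone who is not a security specialist; the point is that a log nobody reads provides no accountability, and even two rules applied daily turn it into something that can be acted on.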

Personal use of computers

Approximately one-half of both rural (51 percent) and urban (50 percent) respondents said they were aware or very aware of how the employees in their municipality were using computer systems for their personal uses.

Policies

A majority of rural (82 percent) and urban (48 percent) respondents said there were no written policies on Internet use.

Respondents were also asked about the number of information systems security-related incidents that occurred due to a computer security attack that may have resulted in the loss of sensitive and confidential data, data corruption, computer system malfunction, and other incidents. Regarding the loss of sensitive and confidential data, only one incident was reported from the 119 rural respondents who answered the question. The incident involved a virus that was downloaded from an e-mail; however, files were recovered from a backup device. Among the 86 urban respondents who answered this question, no incidents were listed.

Few incidents due to data corruption, computer system malfunction, and other issues were reported.

Perceived readiness

Respondents were asked how they would rate (1) the overall preparedness of their municipality for preventing hacking attempts from the Internet, which could compromise information systems at work, (2) the overall physical security of their office building for preventing the theft of their computers, data storage devices, and/or paper documents that contain sensitive information, and (3) the overall preparedness of their office building for its ability to recover and become operational after a disaster, such as fire, floods, and terrorist attacks.

Significant differences were found between rural and urban respondents in their perceptions of preparedness for preventing hacking attempts and the theft of their computers, data storage devices and/or paper documents, and their ability to recover and become operational after a disaster. Among urban respondents, 67 percent said their municipality was somewhat to very prepared, compared to 54 percent of rural respondents. Almost 75 percent of urban respondents said their municipal buildings were somewhat to very prepared for preventing theft, compared to approximately 71 percent of rural respondents. Almost 70 percent of urban respondents said their municipal building was somewhat to very prepared to recover and become operational after a disaster, compared to almost 61 percent of rural respondents.


CONCLUSIONS

In terms of infrastructure readiness, the researchers identified the following factors that may challenge the security readiness of rural municipalities:

• Human resources: both rural and urban municipalities, in general, lacked dedicated IT personnel. Most urban respondents outsourced their computer hardware and software support, which was significantly more than rural respondents. Considering that most rural respondents did not have dedicated IT personnel, the researchers concluded that many rural municipalities relied heavily on non-IT experts for computer hardware and software support. The survey results indicated that approximately half of the rural municipalities had neither in-house nor outsourced computer hardware/software support. Regarding the question of what was done in-house and what was outsourced, the responses from both rural and urban respondents were very similar, especially in terms of network administration (both done in-house), Web site hosting (both outsourced), and software development (both outsourced). They differed, however, in other functions, such as Web site development and maintenance (rural outsourced, urban in-house), and software installation and maintenance (rural in-house, urban outsourced).

• Security-relevant budget: overall, rural respondents said their municipalities spent much less money on information systems security. Approximately 25 percent of rural respondents spent nothing on information systems security in the past 5 years, compared to 7 percent of urban respondents.

• Security-relevant hardware infrastructure: most of the municipality-owned desktop computers and laptops were connected to the Internet, which increased the possibility of attacks via the Internet. Both rural and urban municipalities commonly used the Internet for e-mail, searches, and online purchases. Both rural and urban municipal employees used the Internet every day.

• Security-relevant software infrastructure: as expected, the adoption rate was low for more advanced types of security software, including spam filters, intrusion detection systems, adware removers, Internet content filtering software, Virtual Private Networks (VPN), and e-mail monitoring software. Some security software, such as anti-virus software, pop-up blockers, firewalls, and adware removers, is more effective when it is installed on all the computers in a network. It was concerning that many respondents, especially rural respondents, indicated that their municipalities had a number of unprotected computers.

The researchers identified the following areas as relative infrastructure readiness strengths of rural municipalities:

• Software infrastructure: 61 percent of rural and 40 percent of urban respondents said their municipalities used Windows XP. The widespread use of Windows XP was encouraging since the Operating System is mature and still supported by Microsoft through various security fixes.

• Security-relevant software infrastructure: the survey results showed that anti-virus software was the most widely used security software. Around 83 percent of rural and 90 percent of urban respondents said their municipalities had anti-virus software installed on all of their computers. This trend continued with other well-known types of security software, such as firewalls and pop-up blockers. The most common anti-virus software used were Norton and McAfee.

In terms of literacy readiness, the researchers identified the following factors as potential weaknesses of rural municipalities:

• Computer training: in general, the level of computer training among municipal employees was low. A majority of rural respondents (84 to 99 percent) and urban respondents (74 to 99 percent) had not received any computer training (on Microsoft Office applications, accounting software, network software, programming, and Web design) for the 12 months prior to the survey.

• Security training: a majority of respondents from both rural and urban municipalities had not received any training on password use policies, data access and authorization policies, computer security attack precautions, proper disposal of sensitive data, policies for proper Internet use, and transporting computers or data from authorized locations for the 12 months prior to the survey.

• Security knowledge: a majority of respondents from both rural and urban municipalities indicated their knowledge of basic security terms, particularly phishing, SQL injection, DoS, wardriving, VPN, and system log, was below average. However, urban respondents knew significantly more about these terms.

• Self-assessment of security knowledge: unlike the more confident answers to the self-assessment of computer knowledge question, 71 percent of urban and 51 percent of rural respondents stated that their information systems security knowledge was above average.

The following two areas were identified as relative literacy readiness strengths of rural municipalities:

• Computer knowledge: both rural and urban respondents were knowledgeable about basic computer and networking terms, although urban respondents knew significantly more about the same terms.

• Self-assessment of computer knowledge: a majority of rural respondents (73 percent) said their computer knowledge was average or above average. However, urban respondents' self-assessment of their computer knowledge was significantly higher.

For daily practices readiness, the researchers identified the following areas as potential weaknesses of rural municipalities:

• Service agreement policies: only 32 percent of the contracts between rural municipalities and a third-party contractor required information systems security precautions, such as regular data backups and automated updates of Operating Systems and anti-virus definition files. Almost 60 percent of rural respondents indicated their municipalities did not have a service agreement with a third party at all. This was alarming since creating a service agreement and ensuring that security precautions are part of the document are recommended for better security.

• Access control: a majority of rural respondents (63 percent) adopted insecure user name/password practices, such as not using anything at all or using only one of them. Although relatively rare, computer sharing in rural municipalities (24 percent) was conducted in an insecure manner without the proper use of a user ID and a password. In addition, a majority of rural respondents (64 percent) indicated they were never required to change passwords.

• Use of encryption methods: a majority of rural respondents did not know what encryption method was used in their wireless local area networks.

• Information systems security training provided: a majority of rural respondents said their municipalities did not provide information systems security training on password use policies, data access and authorization policies, computer security attack precautions, proper disposal of sensitive data, policies for proper Internet use, and transporting computers and data from authorized locations.

• Data backup: a majority of rural respondents said their municipalities backed up their data but did not verify the backup as often as necessary.

• Physical security: a majority of rural respondents said their municipalities were equipped with a bare minimum set of physical security tools, such as door locks and backup power supplies. There was much room for improvement in introducing more advanced physical security equipment to these municipalities, however.

• Data disposal: a majority of rural respondents said their municipalities adopted good practices when disposing of paper documents but not when disposing of computers and their media.

• General security policies: a majority of rural respondents said their municipalities did not have policies in written form on the proper disposal of sensitive data, Internet use, disaster recovery, data backup, strong password use policy, password expiration policy, data access and authorization policy, and transporting computers/data storage devices from authorized locations.

• Accountability practices: a majority of rural respondents said their municipalities did not monitor the logs of network connection activities. It also appeared that more work needed to be done to improve management's awareness of employees' use of their computers for personal purposes.

The following areas were identified as relative daily practice strengths of rural municipalities:

• Computer sharing: a majority of respondents did not share computers.

• Remote access: a majority of respondents did not remotely connect to their municipalities' computers.

• Inventory management: a majority of respondents kept an inventory of their desktop computers, although laptops and hand-held devices were not managed as well as the desktops in rural municipalities.

• Operating System patch updates: Operating System patches were installed mostly automatically.

• Definition file updates: definition files were updated mostly automatically.

• E-mail handling: a majority of respondents took proper actions when receiving suspicious e-mails.

• Data backup: a majority of respondents said their municipalities backed up their computer data regularly.

• Disaster recovery: a majority of respondents said their municipalities had an alternate site to keep their municipality operational if their office building was damaged or became unusable. However, almost one-third indicated they did not have an alternate site.

• Access control: a majority of respondents were not permitted to take laptops off-site. A majority also did not connect their laptops and data storage devices to their home network. These findings were encouraging for rural municipalities since having less take-home equipment connected to one's home network is better for security.

• Management of sensitive residential information: the respondents indicated they did not store credit card numbers. Names and addresses of residents were the most commonly stored information, followed by phone numbers, other types of information, tax ID numbers, and Social Security Numbers.

From these findings, the researchers concluded that, while there were positive signs of security readiness, there were many aspects of information systems security that required the attention of rural municipalities.

Pennsylvania state government recognizes the importance of computer information systems security. Led by the Chief Information Officer (CIO) of the state, the Pennsylvania Information Sharing and Analysis Center (PA-ISAC) embodies this awareness and promotes enhancing the state's "cyber security readiness and response" (Commonwealth of Pennsylvania, 2007). In regard to local governments, the primary focus of PA-ISAC has been on raising awareness and providing educational materials rather than developing and imposing policies.

Conversations with officials from rural Pennsylvania municipalities and representatives of county, borough, and township associations indicated that there were few statewide policies or programs in place that monitored, regulated, or trained local government employees in computer information systems security technologies and best practices.

Local government action

Based on their findings, the researchers recommend the following considerations for rural municipalities:

• Resource pooling: one of the major findings of this research was that rural municipalities lacked in-house IT support, not to mention personnel with information systems security expertise. It may be advantageous for small, rural municipalities to pool human resources in both IT and security since the cost of employing IT and security personnel may be prohibitive for these municipalities.

• Periodic assessments: assessing information systems security readiness should not be a one-time exercise. Assessment efforts need to be continuous to ensure that progress is made toward better security environments.

• Written policies on sound security practices: few rural municipalities had written security policies. Creating security policies is the very first step that needs to be taken before anything can be done to improve security. The researchers strongly recommend that municipalities adopt documented security policies.

POLICY CONSIDERATIONSState government action

• Awareness training and security education: thisstudy found that insufficient training was provided tomunicipal employees for both computer and infor-mation systems security topics. The researchers offerthat raising awareness and providing education iscritical to significantly increase information systemssecurity readiness and to address many undesirabledaily practices pointed out in this study.• Incident management: the researchers found that,currently, there is no central reporting mechanismthat keeps track of information systems securityincidents occurring in small municipalities. Having asingle incident repository would be highly beneficial,since it would allow municipal officials to quicklyidentify common information systems securitythreats specific to their municipalities and to respondto these threats more effectively.• A Web portal specializing in local governmentinformation systems security: the researchers recom-mend the development of a Web 2.0 style onlineportal to exchange information and ideas on how totackle daily information systems security challengesfacing small, rural municipalities. This portal wouldbe a thematic Web site that has a collection of linksleading to other Internet sites concerning computersecurity in local governments. Web 2.0 means Webpages built to accommodate user-generated contents,such as blogs, Wikis, and YouTube.

Legislative support
As with many other states, Pennsylvania has its own laws on computer offenses, as described in the Pennsylvania Consolidated Statutes on Crimes and Offenses (also called Title 18). More specifically, Subchapter B, section 33 of Chapter 39 (Theft and Related Offenses) of the statutes defines unlawful use of computers. Act 226 of 2002 amended Title 18 by adding Chapter 76 (Computer Offenses), which is much more concrete in describing the types of possible computer crimes and their penalties. The laws define what constitutes computer crimes such as disruption of service, computer theft, unlawful duplication, distribution of computer viruses, and Internet child pornography.

Also, in 2005, the Breach of Personal Information Notification Act (Act 94) imposed a penalty for not notifying residents whose personal information may have been disclosed as the result of a security breach. And in 2006, the Privacy of Social Security Number Act (Act 60) made it illegal to “intentionally communicate or otherwise make available to the general public” any individual’s Social Security Number.

These efforts in the legislature show that state lawmakers are concerned about citizens’ computer security and privacy. However, all of these laws are very generic and do not address local-government-specific concerns. Other states have laws particularly geared toward local governments. For example, in Illinois, Compiled Statute 5/16D-4 (Aggravated Computer Tampering) states that “a person commits aggravated computer tampering when he knowingly causes disruption of or interference with vital services or operations of state or local government.” The findings from this research may well suggest the need for similar legislation in Pennsylvania.

Despite their vagueness, the state laws mentioned above could potentially be used as the basis for negligence lawsuits against rural municipalities. After all, each local government is ultimately responsible for the information systems, data, and employee actions under its control, and could be held accountable if proper steps were not taken to minimize the possibility of computer security attacks.

At the federal government level, there are two computer information systems security laws that may affect rural municipalities. One of these laws is the Sarbanes-Oxley Act of 2002, which requires organizations “to establish, monitor, and report on the effectiveness of controls that ensure the integrity and accuracy of financial data.” The other is the Federal Information Security Management Act (FISMA), which mandates information systems security protection among federal agencies and their partners.

Federal funding
The Computer Crime Enforcement Act (Public Law 106-572) was enacted in December 2000. The law establishes “a grant program to assist state and local law enforcement in deterring, investigating, and prosecuting computer crimes.” The findings from this research project may help Pennsylvania win such a federal grant by providing concrete evidence of the necessity for more funding.


References

Chew, E., A. Clay, J. Hash, N. Bartol, and A. Brown. (2006) “A Guide for Developing Performance Metrics for Information Security.” National Institute of Standards and Technology (NIST) Special Publication 800-80. Technical Report, U.S. Department of Commerce, May 2006.

Commonwealth of Pennsylvania. (2007) PA-ISAC. Accessed at http://www.cybersecurity.state.pa.us/portal/server.pt?open=512&objID=337&&PageID=195784&mode=2, July 2007.

Computer Security Institute. (2008) 2006 CSI Computer Crime and Security Survey. Accessed at http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf.

Esposito, R. (2006) “Hackers Penetrate Water System Computers.” Accessed at http://blogs.abcnews.com/theblotter/2006/10/hackers_penetra.html, July 2006.

Krouk, D. (2004) “Cyber Security at the Grass Roots.” Planning, 70, July 2004.

Martin, J. (1997) Pennsylvania Almanac. Stackpole Books, Mechanicsburg, PA, 1997.

McConn, C.E., J. Ryoo, and T. Girard. (2007) “Assessing the Computer Information Systems Security: Three Case Studies of Local Governments in Central Pennsylvania.” Journal of International Business Research, 6(1): 55-75, 2007.

National Association of State Chief Information Officers (NASCIO). (2006) Findings from NASCIO’s Strategic Cyber Security Survey, January 2006.

The Center for Rural Pennsylvania. (2007) Rural/Urban PA. Accessed at http://www.ruralpa.org/rural_urban.html, July 2007.

The Center for Rural Pennsylvania. (2003) Municipal Computer Use. Accessed at http://www.ruralpa.org.

Web Application Security Consortium. (2007) List of Incidents of Class SQL Injection. Accessed July 2007 at http://www.webappsec.org/projects/whid/list_class_sql_injection.shtml.

The Center for Rural Pennsylvania
625 Forster St., Room 902
Harrisburg, PA 17120
Phone (717) 787-9555
Fax (717) 772-3587
www.rural.palegislature.us
1P1109-400

The Center for Rural Pennsylvania
Board of Directors

Senator John R. Gordner, Chairman
Representative Tina Pickett, Vice Chairman
Senator John Wozniak, Treasurer
Dr. Nancy Falvo, Clarion University, Secretary
Representative Tim Seip
Dr. Theodore R. Alter, Pennsylvania State University
Dr. Stephan J. Goetz, Northeast Regional Center for Rural Development
Dr. Keith T. Miller, Lock Haven University
Dr. Robert F. Pack, University of Pittsburgh
William Sturges, Governor’s Representative