next generation 9-1-1: examination of information security management in public safety...

NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT IN PUBLIC SAFETY COMMUNICATIONS CENTERS by Natalie J. Yardley A Thesis Presented in Partial Fulfillment of the Requirements for the Degree Master of Science University of Advancing Technology March 2012


Page 1: Next Generation 9-1-1: Examination of Information Security Management in Public Safety Communications Centers

NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT IN PUBLIC SAFETY COMMUNICATIONS CENTERS

by

Natalie J. Yardley

A Thesis Presented in Partial Fulfillment

of the Requirements for the Degree

Master of Science

University of Advancing Technology

March 2012


NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT IN PUBLIC SAFETY COMMUNICATION CENTERS

by

Natalie J. Yardley

has been approved

March 2012

APPROVED:

ROBERT MORSE, Ph.D, Chair

GREG MILES, Ph.D, Advisor

AL KELLY, Advisor


Abstract

This research examines the current information security management landscape of 9-1-1 public safety communication centers upon the beginning of nationwide Next Generation 9-1-1 initiated through H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008, which is the implementation of switching analog communication systems to Internet-Protocol (IP) communication systems. The study draws upon the National Emergency Number Association Next Generation 9-1-1 security standards for a compliance survey for 9-1-1 agency information security and technology management evaluation. Also, a literature review of the implementation of managing Internet-protocol 9-1-1 communication technology and services will be presented. As well as providing the security standards, the study will determine current 9-1-1 agency status in terms of compliance or noncompliance to the standards, as well as obstacles and challenges agencies face in achieving compliance. The primary finding was that no public safety answering point (PSAP) reported compliance and potentially serious barriers related to funding exist.


Dedication

I would like to dedicate my thesis work to all the very dedicated 9-1-1 professionals, especially from Atchison County Communications Center, Atchison, Kansas.


Acknowledgments

I would like to thank my Thesis Committee, particularly my Chair, Dr. Morse, for continued guidance during the graduate thesis process. Also I want to give many thanks to my family, for their patience with my writing, reading, and proofing marathon sessions behind closed doors.


Table of Contents

Acknowledgments
List of Tables
List of Figures

CHAPTER 1. INTRODUCTION
Introduction to the Problem
Background of the Study
Statement of the Problem
Purpose of the Study
Research Questions
Significance of the Study
Definition of Terms
Assumptions and Limitations
Nature of the Study
Organization of the Remainder of the Study

CHAPTER 2. LITERATURE REVIEW

CHAPTER 3. METHODOLOGY
Research Design
Sample
Setting
Instrumentation / Measures
Data Collection
Data Analysis
Validity and Reliability
Ethical Considerations

CHAPTER 4. RESULTS

CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS

REFERENCES

APPENDIX A. PRE-NEXT GENERATION 9-1-1 IMPLEMENTATION INFORMATION SECURITY MANAGEMENT SURVEY

APPENDIX B. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT PUBLIC SAFETY COMMUNICATIONS CENTER PARTICIPANT INFORMED CONSENT


List of Tables

Table A. Current agency 9-1-1 status/capability
Table B. Job title/role at agency
Table C. Current agency IT/Network administration description
Table D. Agency anticipation of employing/contracting an IT/Network administrator who currently have none
Table E. Reason or obstacles for not employing/contracting IT/Network administration if currently none
Table F. Type of IT descriptions and policies (first six categories)
Table G. Type of IT descriptions and policies (last six categories)
Table H. If Next Generation capable, reasons and/or obstacles for not having the descriptions and policies in Table F.1 and Table F.2
Table I. Virus and/or spyware detection software on all servers and end user computers
Table J. Reason and/or obstacles for agency not running anti-virus and/or spyware detection software
Table K. Current inventory, schematic, and audit documents on file
Table L. Reasons or obstacles for not having network inventory, schematic, and/or audit documents
Table M. Type of security awareness training and education standards currently in place
Table N. Reasons or obstacles for not having staff security training and/or current training/certification for IT administration
Table O. Agencies reporting compliance with NG-SEC


List of Figures

Figure 1. The population range of the agency's jurisdiction.
Figure 2. Current agency 9-1-1 status/capability.
Figure 3. Job title/role for small agencies.
Figure 4. Job title/role for medium agencies.
Figure 5. Job title/role for large agencies.
Figure 6. IT/Network Administration for small agencies.
Figure 7. IT/Network Administration for medium agencies.
Figure 8. Obstacles for not employing IT administration for small agencies.
Figure 9. IT descriptions and policies for small agencies.
Figure 10. IT descriptions and policies for medium agencies.
Figure 11. IT descriptions and policies for large agencies.
Figure 12. Obstacles for not having the descriptions/policies for small agencies.
Figure 13. Obstacles for not having the descriptions/policies for small agencies.
Figure 14. Virus and/or spyware detection software for small agencies.
Figure 15. Virus and/or spyware detection software for medium agencies.
Figure 16. Obstacles for no anti-virus and/or spyware detection software for small agencies.
Figure 17. Current IT documentation for small agencies.
Figure 18. Current IT documentation for medium agencies.
Figure 19. Current IT documentation for large agencies.
Figure 20. Obstacles for complete IT documentation for small agencies.
Figure 21. Obstacles for complete IT documentation for medium agencies.
Figure 22. Security awareness and training for small agencies.
Figure 23. Security awareness and training for medium agencies.
Figure 24. Security awareness and training for large agencies.
Figure 25. Obstacles for security training and education for small agencies.
Figure 26. Obstacles for security training and education for medium agencies.
Figure 27. Reported NG-SEC compliance by agency size.
Figure 28. Part-time or no current network administration by agency size.
Figure 29. Obstacles for not having full-time network administration for small agencies.
Figure 30. Presence of malware in network traffic (Ponemon, 2009).


CHAPTER 1. INTRODUCTION

Introduction to the Problem

Technology has expanded the way society communicates, particularly in the last few decades (Barbour, 2008). Today, cell phones are prevalent and have expanded the tools available for individuals to get help from public safety agencies. In addition to voice communications over the telephone wires, individuals can easily conduct voice and video conversations using computers on either wired or wireless Internet networks. People can instantly send and receive text, photos, and video from their cell phones. With the additional communication options available to the public, the technical capabilities of 9-1-1 public safety communications need to expand.

Society’s expectations and the reality of what the 9-1-1 systems should be able to handle are wide apart. One example is the Virginia Tech shooting in April 2007, when students attempted to send text messages to 9-1-1, unaware that the call center was not equipped to receive such communications (Luna, 2008). Many hearing impaired callers rely on newer modes of communication available on smart phone devices, yet cannot utilize them during an emergency to contact a 9-1-1 system that is analog based (Kimball, 2010).

Another example of the need to upgrade capability to meet expectations is the fact that legacy 9-1-1 equipment is unable to provide accurate location services. Of course, that service is now widely available and many mobile and social networking services currently provide it, according to the National E9-1-1 Implementation Coordination Office (2009). Due to this wide gap of expectation versus capability, the need for public safety communications to upgrade to match consumer technology advancements is vital if the system is to continue to keep citizens safe.


In July 2008, H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008 (also known as the NET 911 Improvement Act of 2008) was signed into law to promote and enhance public safety by facilitating the rapid deployment of IP-enabled 911 and E-911 services, encouraging the nation’s transition to a national IP-enabled (Internet Protocol) emergency network, and improving 911 and E-911 access for those with disabilities. The initiative of advancing 9-1-1 systems to IP technologies nationwide is known as Next Generation 9-1-1 (or NG9-1-1). Currently, there is no definite date of completion for nationwide NG9-1-1. Also, public safety organizations are independently planning and implementing NG9-1-1 technologies (Kimball, 2011). Because of the vast technological changes and requirement of nationwide standards, this lack raises concern about the way IP-based 9-1-1 systems are managed to maintain their security and integrity, which is also evolving due to converting the closed analog system to a connected Internet system (NENA, 2011). Given the size and scope of the project, there is a need to monitor compliance capability.

Background of the Study

In the United States, the current 9-1-1 system is going through a transformation from analog-based systems to IP-based (Internet Protocol) systems (NENA, 2011). The analog 9-1-1 systems are not compatible with most of the current consumer technologies, and converting to digital systems will allow the variety of available consumer communication devices to work within public safety systems. Next Generation 9-1-1 will allow for IP-based communication technologies to be used, such as text messages, voice, photos, and videos over secured Internet points. Prior to the introduction of Next Generation 9-1-1, public safety communication systems were not connected to other networks, which provided stronger security barriers from attacks. With Next Generation 9-1-1, the barriers are significantly decreased through the internet-protocol connections, making 9-1-1 a potentially appealing and vulnerable target. Thus, information security management standards were established in February 2010 by the National Emergency Number Association in order to address the technological changes of 9-1-1 communications. The National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010) was established and all Next Generation 9-1-1 status agencies are to comply with the standards immediately (NENA, 2010, p. 8). Therefore, the relevance of this research is to establish the progress towards achieving this requirement. In general, potential reasons for noncompliance can range from high costs, privacy issues, business disruption, even though there may be penalties and legal issues, national security, and welfare and safety of citizens. For public safety communications, it is critical for agencies to be and remain compliant to keep communication services available and safeguard lives and information.

Statement of the Problem

The problem that will be explored in this study is the level of compliance or non-compliance with information security management standards in the public safety communications environment.

Purpose of the Study

The purpose of the thesis study is to ascertain if public safety answering points (PSAPs) have information security management standards in place that reveal compliance or non-compliance with National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010) prior to nationwide Next Generation 9-1-1 implementation and to identify any needed next steps to reach compliance.


Research Questions

1. What are the Next Generation 9-1-1 information security management standards and policies?
2. What percentage of agencies have Next Generation 9-1-1 status?
3. What percentage of agencies are compliant or noncompliant?
4. What are the obstacles and/or challenges for public safety answering points (PSAPs) that are not compliant with public safety communication information security standards?

Significance of the Study

Every project must be planned and, where possible, kept on schedule. 9-1-1 is a vital societal system. The National Emergency Number Association (NENA) estimated in October 2011 that 240 million calls were made to 9-1-1 in the United States annually (NENA, 2011, sec. 2, para. 1). From those annual calls, at least one-third are wireless, and it is estimated that 26.6% of all United States households currently rely on wireless communication as their primary services (NENA, 2011, sec. 8). NENA has provided the national security standards and best practices for public safety answering points with the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). The next step in the project is to implement those standards so that public safety communications adapt to advancing technology and consumer needs without compromising security. But projects do not guide themselves. To meet the need for nationwide security standards compliance, managers need up-to-date data regularly available. The study of compliance is significant in providing updated data of security readiness as public safety communication agencies move forward, making the transition from closed to open systems with Next Generation 9-1-1 with its ability to continue to provide the emergency services required for citizens.

Definition of Terms

Next Generation 9-1-1. Next Generation 9-1-1 is an Internet Protocol (IP) based system that will allow 9-1-1 public safety entities to receive and send such communications as text messages, video, photos, and voice through secured Internet points on 9-1-1 communication systems (NENA, 2011).

Public Safety Answering Points (PSAPs). Public Safety Answering Points are 9-1-1 emergency call centers that are staffed with trained 9-1-1 operators that receive emergency telephone communications for law enforcement, fire, ambulance, and/or rescue services (NENA, 2011).

Data Transience. The explanation that data can be ever changing and provide a momentary snapshot of what may be true at one point in time but not necessarily true the next time data is collected.

Assumptions and Limitations

The research is a "naturalistic" or applied study. There are assumptions surrounding the questioning technique used in the sample. It was assumed the responders had an appropriate level of knowledge due to being designated as contact points within their organizations. The questioning utilizes vocabulary presented in the National Emergency Number Association (NENA) Security for Next Generation 9-1-1 standards or NG-SEC, which the sample should understand. The questioning links sufficiently to the participant’s experience, again due to utilizing the national standards that were created by 9-1-1 leaders (NENA, 2010). The researcher also assumed that each participant will answer willingly and truthfully since the study did not publish names of contacts or agencies, assuring confidentiality of any information shared. Limitations of the thesis are of practicality, such as researcher experience, time limit of study, and university rules.

Nature of the Study

It is vital that Next Generation 9-1-1 technologies are both implemented and accessible nationally to ensure the growing demands of consumer technology and consumer mobility for emergency services are met. However, it is also essential for public safety answering points (PSAPs) to be in compliance with security standards because of the openness of the evolving technology. The study revolves around the security standards and data collected from agencies. The thesis is an empirical study. Empirical research can be defined as research based on experimentation, observation, or experience (Classroom Assessment, 2011). Leedy (2010) points out “the significance of data depends on how the researcher extracts meaning…” and “underlying and unifying any research project is its methodology” (p. 6).

The thesis is also an evaluation study. Such studies require a researcher to specify criteria, which in this instance are the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards or NG-SEC. Measurement will involve collecting data via survey of a cross-sectional sample of agencies in the United States and conducting a review of the literature. As Leedy (2010) states, “measurement is ultimately a comparison and it is a tool by which data may be inspected, analyzed and interpreted” (p. 25). The survey utilizes the NG-SEC and serves as the measurement scale for the purpose of comparison and analysis of research questions. The data collected are ever changing and only provide a momentary look at the Next Generation 9-1-1 status and compliance or non-compliance of agencies sampled. Time, evolving technology, consumer needs, agency obstacles, and future laws and standards will inevitably change data. Therefore, the data are “transient” (Leedy, 2010, p. 89).

The objectives of empirical research go beyond reporting observations. They promote an environment for improved understanding, combine extensive research with detailed case study, and prove relevancy of theory by working in a real world environment (Experiment Resources, 2011). The study provides analysis of data collected from public safety answering points (PSAPs) in order to provide an examination of the written standards in real life application. The case study method, as explained by Zainal (2007, p. 1), “enables a researcher to closely examine the data within a specific context”. Yin (1984) further defines the method “as an empirical inquiry that investigates a contemporary phenomenon within its real-life context” (p. 23), and by utilizing a case study method in this study, not only will the data be explored, but the complexities of the real-life situations will also be shown (Zainal, 2007, p. 4). When researching human activities, it is important to capture contextual data and situational complexity. According to Leedy (2010), “research conducted in more naturalistic but invariably more complex environments – is more useful for external validity; that is, it increases the chances that a study’s findings are generalizable to other real-life situations and problems” (p. 100). The field of study may be unique and the human activities in the project require complexity as part of the research. Lorino (2008) explains the situatedness of research in that “it takes place in a specific situation which influences the view of the complex system” (p. 8).

The study identified the collective experience of agencies implementing a key technology in the field. Each agency surveyed is itself a potential case study. Thus, there are multiple individual surveys available for analysis. According to replication logic, if findings are replicated throughout the different agencies, more confidence can be placed on the findings and generalizing beyond the original participants becomes possible. The rationale for this type of analysis is supported by Yin (2009), who explains that replication logic is where the researcher is looking for congruence that indicates increased confidence in the overall finding. Identifying congruence between a standard and a practice is the heart of criterion-referenced evaluation research. Such studies not only provide data on the subject, but also serve data-driven quality improvement reviews used in assessments of the development process.

Organization of the Remainder of the Study

In the following chapters, the researcher provides a literature review, methodology, presentation of survey results, and concluding study discussion and recommendations. The literature review describes the evolution of 9-1-1 to its current transition of Next Generation 9-1-1. It also presents and discusses the information security management standard set forth by the National Emergency Number Association (NENA) for public safety communication compliance. In Chapter 3, the researcher provides the survey study methodology in which the data will be collected and analyzed to explore the research questions. Chapter 4 presents the results and description of the data collected, followed by a conclusion and recommendations based on the researcher’s findings in Chapter 5.


CHAPTER 2. LITERATURE REVIEW

9-1-1, in the United States, is the number to call if citizens need help (NENA, 2011). Whether the emergency requires medical, fire, or law enforcement, the three-digit number is supposed to be the one Americans contact for a quick response to a particular emergency (Barbour, 2008). For most of the last four decades that 9-1-1 has been in existence, the way citizens communicated with emergency services, with the exception of showing up in person, was through the use of pay phones and residential landlines (Barbour, 2008).

It was a very straightforward analog system that gradually incorporated the phone number from which the call was coming, the location of the call, and even a list of appropriate emergency response units based on jurisdiction of the call. However, now in the age of the Internet and a mobile lifestyle, this traditional 9-1-1 communication has continued to fall behind in meeting the needs of the consumers, especially with the increasing disappearance of fixed-line communications (Luna, 2008). A particularly tragic example took place in 2008. A woman from Tampa, Florida was kidnapped and called the local public safety communication center on her mobile phone while the incident was occurring. The public safety communications center’s 9-1-1 was an analog system and her GPS-enabled (global positioning system) phone did not register her location. Later, police found the woman’s body in a vacant home in a nearby town (Bruce, Newton, & Vaughan, 2011, p. 8). If the local 9-1-1 system had been equipped with Internet-Protocol technologies, the public safety communications center may have been able to track her location through GPS and her life may have been saved. Certainly, the system did not even permit that possibility.

Enter Next Generation 9-1-1, which is based on transforming the currently analog 9-1-1 communications system into an Internet-Protocol (IP)-based system to allow 9-1-1 call takers to receive the same location and unit information as they do now with landline or fixed-line telephone systems. Public safety communication personnel would be able to communicate with citizens and emergency response units via text and mobile, as well as exchange photos and videos through Internet Protocol (IP)-based communication (Lipowicz, 2009).

The very scope of nationwide Next Generation 9-1-1 implementation means it will take time, and there are obstacles and issues to work around and resolve. In 2008, the state of New York conducted a 911 project to enhance wireless communication with a grant from the United States Department of Transportation and National Highway Traffic Safety Administration. The project found that technology was not the major obstacle in enhanced wireless deployment. Though some technical issues may slow the progress, funding for technological upgrades is the most pressing obstacle (Bailey & Scott, 2008). Of course, this was the year when a major financial problem engulfed many countries, so it is understandable that the study reported that many public safety answering points did not have sufficient funds for enhanced wireless communication upgrades. Ultimately this need for finances has prolonged the time needed to complete the project. The New York study provided examples of obstacles for Enhanced Wireless technologies, which involve cellular 9-1-1 communications for Wireless Phase I and Wireless Phase II implementation and not the Internet-Protocol technology that is required for Next Generation 9-1-1 (Bailey & Scott, 2008). However, the funding comparison can be made for obstacles 9-1-1 entities face in upgrading the national 9-1-1 system. If agencies have issues with funding for cellular wireless technologies of Wireless Phase I and Wireless Phase II, which still utilize the analog systems, they may have the same issues with Next Generation 9-1-1 funding.


9-1-1: Past and Present

In order to understand and discuss the current changes of today’s 9-1-1 systems, it is best to briefly review where and how 9-1-1 began and the current types of 9-1-1 services. Jason Barbour’s article (2008) explained the first official 9-1-1 call was on February 16, 1968 in Haleyville, Alabama and provided an overview of the 40 year history of 9-1-1, from the inception in 1967 to the current day. Mr. Barbour’s historical perspective told how the technological advances throughout the years have benefited the profession of saving lives. Barbour also observed that keeping up with consumer technology has always been a challenge and that some of the difficulty has been with the lack of synchronicity between the public and private sectors. It is also important to note the humble beginnings of the first 9-1-1 call in the small town of Haleyville, Alabama. Barbour illustrated the importance of modest technological strides from the thousands of public safety agencies nationwide.

According to the National Emergency Number Association or NENA’s website (2011), the different types of 9-1-1 systems readily used now are Basic, Enhanced, Wireless Phase I, and Wireless Phase II. Basic 9-1-1 is when the three-digit number is used, and either a voice or a Telecommunication Device for the Deaf (TDD) call is received by the local public safety answering point (NENA, 2011, sec. 3). Enhanced 9-1-1 builds on the basic service, but additionally provides dispatchers the caller’s location, phone number, and the PSAP responder information for the caller’s address (NENA, 2011, sec. 4). It is important to understand that both Basic and Enhanced 9-1-1 only apply to landline phones, not wireless (NENA, 2011, sec. 4).

With wireless, the reality of what is displayed or the information available to the public safety answering point (PSAP) can be different than that of the wireline or landline 9-1-1 call. The National Emergency Number Association’s website (NENA, 2011) continued to explain the next two phases, Wireless Phase I and Phase II. Under Wireless Phase I only the cell phone number displays (NENA, 2011, sec. 5), and Wireless Phase II provides the cell phone number and the location of the caller (NENA, 2011, sec. 6). A critical point to remember regarding Wireless Phase II is that a caller’s location is based on the closest cell towers and depends on whether the caller is located in an urban or rural area. In rural areas there can be quite a distance between towers.

Voice over Internet Protocol (VoIP) is spreading rapidly with consumers and the 9-1-1

communities have only begun to complete Enhanced 9-1-1 capabilities for VoIP 9-1-1 (NENA,

2011). The Federal Communications Commission or FCC websites’ (2008) discussion of VoIP

9-1-1 services explained that since the communication uses Internet protocol as opposed to

traditional analog systems, not all VoIP services connect through 9-1-1. Next Generation 9-1-1

or NG9-1-1 would address the issue of 9-1-1 and VoIP capability since NG9-1-1 provides public

safety communication agencies with Internet-Protocol based systems. According to the National

Emergency Number Association’s NG9-1-1 Transition Plan (NENA, February 24, 2011), NG9-

1-1 has begun with the prerequisite of deploying IP networks in some areas already occurring

and with vendors developing NG9-1-1 equipment. However, the organization does note that

“NG9-1-1 will be a journey that will be realized at different rates within various parts of North

America, based upon state/province, local implementation and stakeholder environments” (p.

15).

Current 9-1-1 Usage

Current 9-1-1 statistics are provided by the National Emergency Number Association

(NENA) website under the category of Public & Media (2011, November 12):

United States has 6,130 primary and secondary public safety answering points (PSAPs) and

3,135 Counties which include parishes, independent cities, boroughs and Census areas.

Based on NENA’s preliminary assessment of the most recent FCC quarterly filings:

97.7% of 6,130 PSAPs have some Phase I

96.0% of 6,130 PSAPs have some Phase II

94.1% of 3,135 Counties have some Phase I

91.8% of 3,135 Counties have some Phase II

98.1% of Population with some Phase I

97.4% of Population with some Phase II

Phase I and II are not provided 100 percent nationwide. It is estimated that about 20% of

households in the United States do not use landline phone services; instead they rely on wireless

services only (NENA, 2011, sec. 1).

There are a few agencies throughout the United States, such as King County in

Washington and Rochester in Monroe County, New York, that use portions of Next Generation

9-1-1 technologies by either working as a test public safety answering point (PSAP) or with a

very small percentage of Internet Protocol (IP)-based technologies working alongside the main

analog systems (Intelligent Transportation Systems, 2009). Black Hawk County, IA is the first

PSAP to allow text messages to be sent directly to 911, though it is only through one wireless

provider (Mannion, 2009). Charlotte County Florida received a Florida State grant and is using it

to begin implementing different Next Generation 9-1-1 capabilities (Hamilton, 2009). The U.S.

Department of Transportation (2009) tested various IP-based technologies with five public safety

answering points (PSAPs) who gathered the information that assisted the 9-1-1 communities like

National Emergency Number Association (NENA) and Association of Public-Safety Communications Officials

(APCO), along with the government officials to develop nationwide plans.

The United States government is a very important part of the development of regulations

for 9-1-1 technologies. Its involvement runs from 9-1-1’s inception in 1967 by the President’s Commission on

Law Enforcement and Administration of Justice (Barbour, 2008), through continuous active pursuit of

legislation, to most recently the ENHANCE 911 Act of 2004 and NET 911 Improvement

Act of 2008, which address the concerns raised by emerging technology and how it affects the

services of 9-1-1 (Moore, 2009). It is clear from these governmental actions that the government has been

working to improve its 9-1-1 services alongside the evolving technology.

In February 2010, National Emergency Number Association (NENA) published the

NENA Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). Many industry

experts from a variety of private and government sectors contributed to the security standards to

address the needs of Next Generation 9-1-1 (NG9-1-1) technologies. The standards are in place

to “establish the minimal guidelines and requirements for the protection of NG9-1-1 assets or

elements within a changing business environment” and to “impact the operations of 9-1-1

systems and PSAPs as standardized security practices” (p. 1). Also, all NG9-1-1 entities will be

required to understand, implement and maintain the new standards and requirements, and that

requirement is effective immediately. Any vendor who presents devices, future applications or

technologies for 9-1-1 systems is also to be in compliance with NG-SEC. In August 2011, the

Federal Communications Commission (FCC) announced it still had to consider “how to ensure

adequate broadband infrastructure to deliver the bandwidth PSAPs will need to provide NG9-1-

1. As part of the NPRM, the FCC will examine interim solutions for ensuring that

carriers/service providers support transmission of text-to-911” (Genachowski, 2011, p. 1).

The Future: Next Generation 9-1-1 and Security Issues

At the moment, the technologies that may be used for Next Generation 9-1-1 capabilities

are Internet protocol (IP) voice, video, instant messaging (IM), short messaging (SMS), data, and

telematics (Luna, 2008). Although the Luna article was written in 2008, 9-1-1 systems remain

limited. The Federal Communications Commission (FCC, 2008) stated that some of the issues with

voice-over Internet protocol (VoIP) 9-1-1 are that calls may not connect to the public safety

answering point (PSAP), or may improperly ring to the administrative line of the PSAP, which

may not be staffed after hours, or by trained 9-1-1 operators. VoIP calls may correctly connect to

the PSAP, but not automatically transmit the user’s phone number and/or location information.

VoIP service may not work during a power outage, or when the Internet connection fails or

becomes overloaded. This can be a problem for citizens, since emergencies many times occur en

masse or when the power is out. Because of these issues, there are efforts to include enhanced

VoIP (Kim, Song & Schulzrinne, 2006) that address things like language-based call routing, and

the ability for 9-1-1 operators to call back a disconnected call (FCC, 2008).

Further considerations with voice-over Internet protocol (VoIP) deal with the added

security required on networks that will need to accommodate VoIP and not just data-only

networks. Added costs to 9-1-1 agencies are a reality for additional power backup systems,

firewalls, 9-1-1 answering software for VoIP and other IP based communications. Not only

would new equipment and software need to be installed to accommodate IP-based technologies

specific to 9-1-1 communications, but also routine testing would need to take place to ensure

system security and would require adequate staff to manage the systems to allow for 24/7

uptimes (NIST SP 800-58). 9-1-1 entities would need to continue to meet demands of evolving

technology for upgrades and possible loss of 9-1-1 service if a disaster were to occur within the

9-1-1 center. In short, there remain technical problems in addition to financing concerns.

A view of risk and security issues comes from Lynette Luna (2008), who took a social

approach to how consumer technologies, and the lack of integration with the current 9-1-1

systems, may affect emergency situations. She used well-known incidents, such as the Virginia

Tech shootings, to make a strong argument that the ability of 9-1-1 centers to accept text

messages could possibly have saved lives. For the purpose of risk assessments for upgrading to

next generation 9-1-1, it is good to have a social perspective of 9-1-1 technologies, because

ultimately the point is to provide safety and security to citizens (Luna, 2008).

Hilton Collins (2008) states that a Next Generation 9-1-1 technology that is attractive to

public safety answering points (PSAPs) for cost savings and shared resource solutions is

virtualization. 9-1-1 agencies could consolidate servers and desktops, requiring fewer hardware

purchases and conserving energy. It also allows network administrators to manage upgrades

and installs from one console, saving time and money. Virtualization software can also allow for

application testing before installing on a live system. This would benefit agencies by not

compromising 9-1-1 communication applications and by saving the network administration costs

of bringing systems and services back up immediately (TechSoup.org, 2011).

It is possible that this is another example of a solution that creates additional problems.

The savings imply fewer personnel needs as well. In addition, there are security risks that come

with a virtual environment. Hilton Collins (2008) discusses information about virtualized and

non-virtualized environments as a whole, as well as some best practices for protecting virtual

networks from cyber-attacks. The main concern is that virtualization in government agencies,

particularly public safety and law enforcement, will bring greater exposure for exploits and

security breaches by introducing “a new layer of software on top of the host machine or system,

which creates additional infrastructure to manage and secure” (Collins, 2008, para. 2). The

article elaborated on the risks involved with virtual networks, like hackers, and illustrated that

attackers seek out poorly configured and exposed servers. Collins advised that potentially all

systems that are interconnected with the agency could be compromised. It only takes one open

network machine to be a possible threat of opening the door to a secured system or systems

(Collins, 2008). Costs that could be incurred with one breach of security could be limitless

depending on the amount of staff needed to bring critical systems back up, the amount and type of data loss, and

legal action costs, to name a few possibilities.

Another change from Next Generation 9-1-1 that Douglas (2008) discussed is that

dispatchers will need to use a whole other set of sensory skills in addition to what they use now

to perform duties. Currently the information received is heard, either by the caller’s actual voice

or from a relay service for the hearing impaired. In the future, it will rely more on visual

information, rather than audible. The visual format makes completing interactive functions while

multitasking by the dispatcher harder because the cognitive load or attention requirements of

human beings vary. The additional multitasking from staff can raise training cost and cost to

obtain and keep trained staff. Douglas (2008) also touched upon how 9-1-1 Centers will have to

re-evaluate their training curriculums and even hiring processes to adapt to the changes. These

personnel and training issues could be looked at as vulnerabilities and could then be exploited by

individuals or organized groups (Douglas, 2008). Many times the weakest link in security is the

people that use the system (Breithaupt & Merkow, 2006). If staff are not trained properly or do

not have the required skills to use Next Generation 9-1-1 technology systems and software, this

could create a vulnerability to the whole system.

Current Information Security Management

Information Technology implementation in 9-1-1 public safety communications can be

slow in adaptation especially when compared to consumers and the corporate sector (Barbour,

2008). As stated by Chairman Genachowski (2011), “no single governing entity has jurisdiction

over NG911…” and “the FCC will work with state 911 authorities, other Federal agencies, and

other governing entities to provide technical expertise and develop a coordinated approach to

NG911 governance” (sec. 3, para. 4). Lynette Luna (2008) stated in her article that an individual

“calling a catalog company to order goods such as clothing, the call-taker would have better tools

than the typical 911 call-taker — who is dealing with life and death situations” (p. 4). Luna noted

that one reason may be due to budgets and jurisdictional matters, such as funding issues,

regulatory amendments, and state regulations that stipulate 9-1-1 component usage. Luna (2008)

also mentioned that the transitioning to Next Generation 9-1-1 technologies would be an ongoing

process through changes in software, databases, and workers’ procedures. In October 2008 the

United States and global economy suffered and it continues to struggle amid concerns over

American and European debt issues (Arizona State University, 2011). Local governments have

tightened their financial belts and the additional cost of upgrading 9-1-1 infrastructures and

maintenance, though a necessity, is none too appealing in the current economic climate. With

the country’s economic climate and with those changes that Luna mentioned (software,

databases, and workers’ procedures), the information security management would seem to also

need to adapt to the changes.

According to the publication “Principles of Information Security: Principles and

Practices”, the major categories of computer crimes are as follows: Military and Intelligence

Attacks, Business Attacks, Financial Attacks, Terrorist Attacks, Grudge Attacks, and “Fun”

Attacks. To break down each category, their definition (Breithaupt & Merkow, 2006) and how it

could apply to 9-1-1 IP systems are accordingly listed:

Military and intelligence attacks: Criminals and intelligence agents illegally obtain

classified and sensitive military and police files.

Business attacks: Increasing competition between companies frequently leads to illegal

access of proprietary information. As much as it may be hard to believe, this

could include competing public safety vendors.

Financial attacks: Banks and other financial institutions provide attractive targets (p.

143).

Obviously 9-1-1 is not a bank or financial institution in the direct sense, but it is a government-

funded entity that could be attacked. Though financial gain would not be the end result, causing

significant financial harm could be a motive. Breithaupt & Merkow continue to list and explain

major categories of crimes:

Terrorist attacks: Terrorist attacks could be executed for either a direct or indirect attack

on a 9-1-1 system. An indirect example would be an attack targeted in one geographical

area to pull sources away, so the intended target would be vulnerable. It could also

involve one system or a large-scale attack of several systems either simultaneously or

consecutively.

Grudge attacks: This could come in the form of either a disgruntled employee or citizen

seeking revenge against the specific agency or even just against law enforcement or

government entities in general.

Thrill attacks: hackers penetrate the system just for the “fun of it”, bragging rights, or

simply for a challenge (2006, p. 143).

To conclude the risk portion, there, of course, is the continued threat of viruses and

malware as with any IP network. However, instead of only affecting a computer-aided dispatch

software program that could quickly be exchanged with an internal closed legacy system or even

a paper system for backup purposes, a 9-1-1 communications system would not be as easily

replaceable or have much allowance for any downtime, even temporarily, due to a virus or

malware issue. Daily vulnerabilities of network infection and system outage on a vital system

such as 9-1-1 make any loss of service an issue of public safety.

The National Emergency Number Association (NENA, 2011) website had a plethora of

documentation, guidelines, requirements and standards that addressed a variety of technology

and equipment implementation, connectivity, and functionality issues, which were more

appropriate for a systems administrator. Though system administrator policies and standards and

practices may include “security controls, information classification, employee management

issues, and corresponding administrative controls” (Breithaupt & Merkow, 2006, p. 43), which

apply to information security, none were specific to current 9-1-1 public safety communication

entities during an initial literature research. However, in February 2010, NENA organized and

published a set of national standards specific to Next Generation 9-1-1 security objectives for 9-

1-1 entities, titled National Emergency Number Association (NENA) Security for Next-

Generation 9-1-1 Standards (NENA, 2010), also known as NG-SEC, which will be discussed

in more detail in this chapter. Before the creation of NG-SEC, though, no national standard or

policy was in place for 9-1-1 agencies.

Next Generation 9-1-1 Information Security Management

The researcher investigated the literature specific to Next Generation 9-1-1 information

security management standards. The National Emergency Number Association advised that the

purpose of the National Emergency Number Association (NENA) Security for Next-Generation

9-1-1 Standards was to “establish the minimal guidelines and requirements for the protection of

NG9-1-1 (Next Generation 9-1-1) assets or elements within a changing business environment”

(NENA, 2010, p. 7). The national public safety communication organization published the

document to provide standardized security practices for Next Generation 9-1-1 technologies, but

explained that it is a work in progress and the document is in its first version with revisions to

come to accommodate future issues (NENA, 2010). Technical requirements, upgrading and/or

replacing equipment, will incur costs to agencies. Readiness and available funds may also vary

with each 9-1-1 entity.

The document scope covered public safety answering points (PSAPs), Next Generation

9-1-1 ESINet, Next Generation 9-1-1 service providers, Next Generation 9-1-1 vendors,

contracted services, and any individual or group who use, design, have access to, or are

responsible for Next Generation 9-1-1 assets (NENA, 2010). Like Breithaupt and Merkow

(2006), the National Emergency Number Association (NENA) document listed roles and

responsibilities of individuals specific to NG9-1-1 security and similarly concluded that

ultimately security is “everyone’s responsibility” (NENA, 2010, p. 11). When it came to

security policies, NENA stated that they are the first step in any effective attempt at the

implementation of a security program (NENA, 2010).

The National Emergency Number Association (NENA) further explained the minimum

standards shall have a senior management statement (or an organizational security statement),

functional policies, and procedures. It continued to detail each section, starting with the senior

management statement policy. NENA emphasized that “senior management must be engaged

and committed to maintain highly effective security so the rest of the staff can be able to do their

part” (NENA, 2010, p. 11). As the National Emergency Number Association document stated,

security is “everyone’s responsibility” (NENA, 2010, p. 11) and senior management is not

exempted. The absolute minimum that should accompany the senior management statement is

two items: identify the person responsible for security (even though it technically is everyone’s

responsibility) and provide a written description of the security goals and objectives of the Next

Generation 9-1-1 entity (NENA, 2010).

To compare this with information security management standard practices in realms

outside of 9-1-1 public safety communications, the book by Breithaupt and Merkow (2006)

provided an overview of information security management through security principles and a

common body of knowledge used in private and public industry. They explained that “setting a

successful security stage” with “effective security policies can rectify many of the weaknesses

from failures to understand the business direction and security mission and can help to prevent or

eliminate many of the faults and errors caused by a lack of security guidance” (Breithaupt &

Merkow, 2006, p. 60).

The Next Generation 9-1-1 information security management standards documentation

(NENA, NG-SEC, 2010) stated that it is to provide a “deeper level of granularity after creating

an executive management statement” (NENA, 2010, p. 12). The document gave a list of some

examples of what may be contained in it: “acceptable usage policy, authentication/password

policies, data protection policy, wireless policy, physical security policy, remote access policies,

hiring practices, security enhancements or technology, baseline configurations for workstations,

standards for technology selections, and incident response policy” (NENA, 2010, p. 12). The

procedures section included documentation that provided the “method of performing a specific

task” (NENA, 2010, p. 12), such as creating new user accounts or how vendors would be

allowed access to the server room. This complemented the common body of knowledge (Breithaupt

& Merkow, 2006) and practices that private and government industries (ISO/IEC 27001, 2005),

outside of 9-1-1 public safety communications, utilized for information security management.

Obstacles and Solutions for Next Generation 9-1-1 Information Security Management

When information was collected for possible standards as they applied to various aspects

of Next Generation 9-1-1 operations, a mixture of obstacles and possible solutions were found.

In Merrill Douglas’ article (2008), she explained some problematic issues from the 9-1-1

operator’s perspective regarding Next Generation 9-1-1 and how 9-1-1 information will be

received in the future. Douglas explained that currently the information received is heard, either

by the caller’s actual voice or from a relay service for the hearing impaired. In the future, it will

rely more on visual information rather than audible, a whole set of sensory skills will need to

be used, and performing interactive functions while multitasking will be much harder (Douglas,

2008). The article also discussed how 9-1-1 Centers will have to re-evaluate their training

curriculums and even hiring processes to adapt to the changes. Lack of training for staff creates

vulnerabilities that could then be exploited by individuals or organized groups (NIST SP 800-50).

It also relates to the risk assessments of the future 9-1-1 systems, and its effects

on security are significant because people are usually the weakest link (Douglas, 2008).

Mary Rose Roberts (2009) brought up consolidation of Next Generation 9-1-1 enabled

public safety answering points (PSAPs) and illustrated both economic and shared resource

benefits. She explained that technology improvements are growing exponentially and even

though costs were lowering, still it behooved agencies to share resources to save money, as well

as the benefit of sharing intelligence. The year before the standards were developed, Roberts

(2009) was asking, “if it's next generation compliant, what does that mean? We haven't defined

what next generation is totally, so how can you be compliant to a standard that may not even

exist yet…" and "as a result, we don't believe every PSAP in this country is going to go to an

NG911 environment any time in the very near future” (p. 23). Merrill Douglas (2009) also

addressed consolidation cost benefits for PSAPs, which then helps with the burden of costs and

provides better redundancy by switching to an IP network.

Craig Whittington (2009) explored the public's expectations of 9-1-1 services and the

difference in what is reality. In his article, he stressed if the public's perception and the reality of

9-1-1 do not agree, it can be more than a public relations problem; it can put lives at risk. From

that perception issue, the article illustrated what Next Generation 9-1-1 can provide, such as shared

networks, new and different ways to communicate with callers and responders, as well as an

increased capacity to transmit and disseminate information. Mr. Whittington additionally

emphasized that the most vital part of 9-1-1 systems (now and in the future) is the 9-1-1 Operators

and Dispatchers. It is very important to make sure that personnel are well trained and at ease

with the new responsibilities and technologies. Not only will it be a challenge to re-evaluate

training curriculums, but also to do so with continually decreasing budgets. The continued

significance of operators in the 9-1-1 center is that they can become the weakest link in the

overall network risk management. In order to acquire the benefits discussed earlier, this article

illustrates the importance of making sure competent employees are hired and retained, as well as

trained in the most current technologies, which are important issues in risk assessments (Whittington,

2009).

Conclusion

As the technology of 9-1-1 continues to evolve into Next Generation 9-1-1 systems,

information security management in public safety communications will need to evolve as well to

meet the needs of various technologies, consumers, and 9-1-1 staff. Matters of funding,

governance, reliability, and security surround the project and the changes that current 9-1-1

public safety answering points (PSAPs) have been and will be experiencing in the near future. This

chapter provided a summary of the National Emergency Number Association (NENA) Security for Next-

Generation 9-1-1 Standards with which agencies will be required to comply for Internet-protocol

based technologies. It also illustrated some challenges PSAPs will have due to the Next

Generation 9-1-1 evolution. Against this background the researcher delved into the real-life extent

to which the PSAPs are currently compliant, whether operating at Next Generation 9-1-1 status or

before utilizing Internet-protocol technologies.

CHAPTER 3. METHODOLOGY

Research Design

The study was a non-experimental, mixed-method study because it included both verbal

and numerical data. The study had a two stage design. There was secondary data gathered in a

review of the literature as well as primary data collected to answer the research questions. The

research design was an evaluation study being conducted to evaluate compliance with security

standards of Public Safety Answering Points (PSAPs). The study was descriptive and illustrated

aspects of agencies considered to be representative. It was also exploratory because the standards

used to evaluate compliance were relatively new and the information collected was intended to

help develop future, more focused understandings of PSAP needs required for support in

achieving compliance. The topic was new and little understood, so an exploratory project was

appropriate.

Published response data for the survey’s questions served as benchmarks for the purpose

of comparison and analysis of this study’s questions. Thus, a criterion-based design was used.

The standards were the criteria and in this design they provided the hypothesized situation

against which this study was performed, as well as the standard of judgment for success or

failure, and they provided a stable platform that enabled the researcher to decide whether the

conclusions of this and other studies were relevant so that a pattern matching strategy could be

employed, as explained by Yin (2009).

The study was field based using only publicly available online membership contact

information of either state or regional chapters of Association of Public-Safety Communications

Officials (APCO) and National Emergency Number Association (NENA), both not-for-profit

professional organizations for public safety professionals. According to NENA (2011), the

United States has 6,130 primary and secondary public safety answering points (PSAPs). For the

purpose of this study and based on the time and resources available to the researcher, obtaining

6,130 agency contacts would not have been feasible. However, utilizing an Internet search of

publicly available members of state or regional APCO or NENA chapters to collect at least one

or more agency contacts, representing 50 states in order to examine the study nationwide, was

achievable. The online search produced a list of 225 individual agency contacts, including a

name for point of contact, e-mail address, and agency phone number. The study consisted of a

one-time survey, sent to each of the 225 agency contacts, and was a cross-sectional study. The survey

was self-administered by email and the researcher utilized survey services through Survey

Gizmo.

Sample

The study utilized a cluster sampling technique. Leedy (2010) explains this technique is

appropriate when “the population of interest is spread out over a large area” (p. 209). The 225

agencies were the population units, i.e. the clusters. They were classified by size of population

each agency serves utilizing 2010 United States Census information. The sample was stratified

into three segments: small (serving 1-99,999 population), medium (serving 100,000-499,999

population), and large (serving 500,000 or more population). Of the 225 agencies, the following

counts and percentages were present in this survey study: small (125 agencies, 55%), medium

(71 agencies, 32%), and large (29 agencies, 13%).

All survey methods have weaknesses. For example, participants may

have wanted to reflect compliance, when in fact, they were not, or their responses may have been

based on their understanding of the question and standards, which could in fact be a

misunderstanding (Colorado State University, 2012). The survey referenced the industry

accepted security standards for the survey questions and the researcher had to trust that all

agencies were familiar with them and how it applied to their specific agency in order to

accurately provide information for the study. Another issue, non-response, was present for several

possible reasons (Cooper, 2008, p. 257). For example, the contact information may not have

been accurate, or the survey may not have been addressed to the person who would have been best able to

answer in the context of the compliance survey. Use of an official association was intended to

reduce issues related to contact information. Also, it was difficult to get a large number of the

selected agencies to respond to the survey. First, the initial contact was through the e-mailed

survey and the researcher and educational institution, not representing a public safety

communications organization or government agency, was relatively unknown to the public safety

communication centers. Or, there may have been restrictions on the agency the researcher was

unaware of. A telephone follow-up to non-responders was used to increase the pool of available

responses.

Setting

The thesis study was conducted in a field setting. The 225 agencies consisted of city,

county, or state entities and were subject to a variety of regulations. They have been described

elsewhere.

Instrumentation / Measures

The instrumentation used was an online survey that was emailed to 225 individual agency

contacts. Measurement of the current 9-1-1 status/capability was categorical: Basic 9-1-1,

Enhanced 9-1-1, Wireless Phase I, Wireless Phase II, and Next Generation 9-1-1. Categorical

measurement was made of respondent job title/role within their agency through three categories,

9-1-1 Supervisor (middle management), 9-1-1 Manager (upper management), 9-1-1 IT/Network

Administrator (technical management). There was also an “Other” category for main job

title/role if the three did not apply to the individual. Other measures focused on compliance

standards.

The researcher used the National Emergency Number Association’s (NENA) Security for

Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010) to develop

the survey questions in order to gather information about the security landscape of 9-1-1 public

safety communication agencies at the dawn of Next Generation 9-1-1 nationwide

implementation. The first set of questions, questions 1 through 3, provided population range,

current 9-1-1 status/capabilities, and participant’s job title/role. Questions 4 through 6 focused on

the agency’s Network Administration landscape. In questions 7 through 14, the participant

selected each security policy and standard that was currently in place at their agency and

provided obstacle explanations if applicable. Each security policy and standards question

reflected a security standard presented in the National Emergency Number Association’s (NENA)

Security for Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010).

Data Collection

Data collection in this study was subject to time constraints. Specifically, data collection

was limited to a three week period in November. Data collection included content from the

review of literature and survey agency sample. The literature provided the compliance standards

with the National Emergency Number Association’s (NENA) Security for Next-Generation 9-1-1

Standards (National Emergency Number Association, 2010) and the NENA website of 9-1-1

basic statistics supplying the number of public safety answering points (PSAPs). An email was sent

to 225 9-1-1 public safety agencies from the list of Association of Public-Safety Communications

Officials (APCO) and National Emergency Number Association (NENA) members. The

researcher followed up with a phone call to the agencies. The researcher exported survey data

from the Survey Gizmo report dashboard of all respondents for data review and analysis.

Data Analysis

Data was analyzed using both logical reasoning and descriptive statistics. The data

presented used a question format. The questions supplied agency size and current agency 9-1-1

status or capability, illustrated by pie charts showing percentage of small, medium, and large

agencies and bar graphs for 9-1-1 status. In addition to various charts and graphs, tables were

used to further analyze the data from each survey question and provided total counts and

percentages of each agency population size and total agency responses.

Validity and Reliability

Classroom Assessment (2011) states that “reliability and validity are two concepts that

are important for defining and measuring bias and distortion” (sec. C, para. 1) with reliability

referring to the “extent in which assessments are consistent” (sec. C, para. 2) and validity as the

“accuracy of an assessment” (sec. C, para. 5) even if it does not measure what is to be measured.

The survey questions mirrored the compliance standards. This established the content validity of

the questions. Another way of determining validity was the use of expert judgment. Therefore,

the committee reviewing this research was another check on validity.

Another approach to validity was triangulation. Leedy (2010) describes

triangulation as collecting data from multiple sources “with the hope they will all converge to

support a particular hypothesis or theory” (p. 99). It is common in qualitative designs to use

different sources of data as support for the researcher’s confidence in the conclusions presented

in Chapter 5.

Ethical Considerations

The researcher conducted the survey by questioning individuals managing 9-1-1

communication systems with the following ethical considerations. There are four categories of

ethical consideration in research studies: (1) Do no harm, (2) Informed Consent, (3) Right to

Privacy, and (4) Honesty.

Do no harm is a broad ethical category. It includes not asking sensitive questions

that would possibly injure an individual’s employment status. Security is a sensitive issue

and a discussion of security issues under some circumstances might be interpreted as “sensitive”.

For that reason, data is collected in ways that do not reveal the individual’s replies, and participants

are clearly informed about their right not to participate.

Specifically, to meet the need for full disclosure, each 9-1-1 participant was informed of

the intention of the study (copy in appendix B), which was to provide an academic snapshot of

compliance through literature review and a survey of public safety answering points (PSAPs) to

complement existing research and discussions of Next Generation 9-1-1 within the public safety

communication realm and provide a platform for further dialogue and study on specific Next

Generation 9-1-1 information security management goals and practices. The researcher was

aware of the ethical demand for honesty in data collection.

In addition, the participants who completed the survey did not have their personal identity

or the identity of the agency revealed. None of the questions in the survey requested information

that identified a specific person or agency, or put them in any harm. All information collected for

the study was confidential to the researcher through the Survey Gizmo data collection and used

only for the purpose of the academic thesis study.

CHAPTER 4. RESULTS

Introduction

This chapter presents the data gathered from the surveys from public safety answering

points (PSAPs). The survey was sent to 225 agencies stratified by population size. The purpose

of the survey was to gather data needed to answer these questions:

1. What percent of agencies have Next Generation 9-1-1 status?

2. What percent of agencies are compliant or noncompliant with standards?

3. What are the obstacles and/or challenges for public safety answering points (PSAPs)

that are not compliant with public safety communication information security

standards?

Answering these questions will lead to the answer to the main question and reveal

compliance or non-compliance of PSAPs that are Next Generation 9-1-1 (NG9-1-1). The survey

categorized PSAPs as small (1-99,999), medium (100,000-499,999), and large (500,000 or

greater). It is an instrument of analysis to gauge the nationwide landscape of public safety

answering points (PSAPs) currently and identify possible issues and obstacles of where it is

heading.

The methodology the researcher followed entailed contacting 225 agencies by e-mail

utilizing Survey Gizmo survey online services. From 225 agencies, 4 agency e-mails were

rejected with no other contact information available to the researcher, leaving a total of 221

agencies receiving the survey for response. Of these 221, a total of 56 agencies responded as a

result of the survey process. In the first 3 days, 52 agencies responded. Three days after the

initial surveys were e-mailed, the researcher sent a reminder with a second wave of the surveys

to the 169 agencies that did not respond. According to StatPac, Internet surveys receive 90% of

the responses within three days after the e-mail invitation is sent (StatPac, 2011). In this instance

that proved a good ballpark estimate because 52/56 is 92%. The reminder did not produce

additional responses.

The next week, follow up phone calls were made to each of the 169 agencies that did not

respond. The researcher directly spoke with 52 agency contacts from those 169 agencies. The 52

contacts the researcher reached by phone advised they were not sure if they had received the email, or

remembered the survey but had not taken it. For the 117 agencies with which direct contact was

not made, the researcher either left a message with the dispatcher or non-emergency personnel

answering the phone, or a message was left on the contact’s voicemail. The follow up phone

calls produced 4 responses, making the total survey study response 56.

Because the non-response rate was 75%, it is necessary to discuss response bias. Israel

(2009) notes strategies to deal with response bias, including calling back non-respondents, which the

researcher did, and to “assume there is no response bias and to generalize the population” (p. 2,

para. 4). In addition, Israel suggests that the researcher’s previous public safety communication

experience offers expertise needed to make judgments regarding key information others might

benefit from and use as part of generalization. In addition, that experience would support their

confidence in conclusions drawn in discussion even with this response rate.

Interestingly, since the survey generated 56 responses, it is comparable to other results,

such as that in Deline, Ko, and Venolia (2007). They reported 55 responses on a sample of 250

(p. 7-8). The total population of this study’s survey was 221 with 56 responses and this

comparison supports the decision to consider the response rate sufficient for the analysis and

conclusions drawn in this study. Therefore, although there were time limitations on data

collection for the project, the researcher during the third week of data collection contacted the

agencies about reasons for survey non-responses. Of the 165 non-respondent agencies, 33

provided reasons for non-response. During this follow up, three reasons were provided by

agencies for their decision. Although some mentioned time constraints, two other reasons

provided were: (1) they did not want to participate due to not being familiar with the researcher

or the graduate program institution and (2) they were not comfortable in sharing data with non-

governmental entities. Given that security really is a sensitive topic, the researcher could have

anticipated this response. In an e-mail to the researcher, Dr. Robert Morse confirmed other thesis

candidates had been told contracts with security providers restricted the release of data only to

authorized agents of that provider (R. Morse, personal communication, January 27, 2012).

One additional point was mentioned by the Federal Communications Commission Chairman

in August 2011:

  We need a comprehensive, multi-pronged approach to NG911 implementation: If we do

nothing, to address NG911 requirements, timelines, costs, and governance, we will see

uncoordinated patchwork deployment of NG911 over the next five to ten years, leaving

much of the U.S. without any NG911 capability (Genachowski, 2011).

In other words, the FCC chairman was in essence claiming that a rudder to steer the project is still

needed. That fact and these additional reasons, time constraints on data collection and the cost of

multiple calls to agencies, were considerations that influenced the decision to stop data collection

and make the judgment to report the data as collected. The researcher’s advisors pointed out self-

selection bias is always a possibility in this type of research and agreed with the decision to

report the results of the survey and follow-up conversations.

Data Analysis

Data is analyzed using both logical reasoning and statistics. The data is presented using a

question format. In addition to various pie charts and graphs, tables will be used to further

analyze the data from each survey question.

There were three possible categories of responses by the size of agency jurisdiction. The

distribution of response rates by agency size was: small (38 agencies, 68%), medium (16 agencies,

29%), and large (2 agencies, 3%).

Figure 1. The population range of the agency's jurisdiction.

What is interesting is that the categories do not reflect an even distribution. Essentially

the three divisions can be considered in terms of x < 500,000 and x > 500,000. Out of the 56

respondents, 2 agencies selected the Large category (3%), 16 selected the Medium category (29%),

and 38 respondents selected the Small category (68%). If the 16 Medium sized respondents are

considered in combination with the 38 small category respondents, then clearly the bulk or 97%

of respondents represented service areas of less than 500,000.

The next survey question: What is your agency's current 9-1-1 status/capability? This

question requested the agency’s current 9-1-1 status, asking respondents to select the most advanced

level that applied to their agency. All 56 respondents selected Wireless Phase II as their current

9-1-1 status/capability, which allows for wireless 9-1-1 calls to display both latitude and

longitude of the caller’s location. A key finding is that all are at the same level of compliance

since all were at the same 9-1-1 status/capability.

Table A

Current agency 9-1-1 status/capability

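| Agency Size | Basic | Enhanced | Wireless I | Wireless II | Next Generation | % |
| --- | --- | --- | --- | --- | --- | --- |
| Large | 0 | 0 | 0 | 2 | 0 | 3% |
| Medium | 0 | 0 | 0 | 16 | 0 | 29% |
| Small | 0 | 0 | 0 | 38 | 0 | 68% |
| Totals (%) | 0% | 0% | 0% | 100% | 0% | 100% |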

Figure 2. Current 9-1-1 status/capability.

The third survey question: Which best describes your main job title/role at your agency?

From the total responses, 23% selected 9-1-1 Supervisor (Middle Management), 61% selected

9-1-1 Manager (Upper Management), and 8% selected IT/Network Administrator (Technical

Management). There were also four agencies (2 Medium agencies and 2 Small agencies, or

8%) that selected the “Other” category. The descriptions given for “Other” were “Executive

Director”, “Communications Training Coordinator”, “Both Manager and IT Administrator”, and

“Trainer”. This shows that the majority of responses were from upper management, as requested:

9-1-1 managers with the capability and knowledge of the compliance standards

to provide accurate information about their specific agency.

Table B

Job title/role at agency

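| Size | 9-1-1 Supervisor | 9-1-1 Manager | IT/Network Administrator | Other | % |
| --- | --- | --- | --- | --- | --- |
| Large | 0 | 1 | 1 | 0 | 3% |
| Medium | 1 | 10 | 3 | 2 | 29% |
| Small | 12 | 23 | 1 | 2 | 68% |
| Totals (%) | 23% | 61% | 8% | 8% | |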

Shown in Figure 3, the highest job title/role for Small agencies was “9-1-1 Manager”.

Second choice was “9-1-1 Supervisor”. The third and fourth selections were “Other” and

“IT/Network Administrator”. As with the overall response, the job role selected by the majority was the

9-1-1 manager category, showing that small agencies have designated and dedicated managers

for their entities, signifying upper management responsibilities and knowledge as with other size

agencies.

Figure 3. Job title/role for small agencies.

The Medium agencies selected “9-1-1 Manager” the most, “IT/Network Manager” next,

and then “Other” and “9-1-1 Supervisor” as the two least-selected job titles/roles (shown in Figure 4).

The medium agencies had 19% of their responses from the IT category. If compared to the small

agencies’ 5% (see Figure 3), this could illustrate small agencies having fewer network

administrative personnel on staff and that the 9-1-1 manager in small agencies could hold IT

administrative responsibilities even if it is a secondary role. Medium-sized agencies appear to have

more network administration on staff, given the higher main role responsibility percentage.

Figure 4. Job title/role for medium agencies.

Figure 5 illustrates the two choices selected by the Large agencies, of which two in total

responded. One selected “9-1-1 Manager” and one selected “IT/Network Administrator”. None

selected “9-1-1 Supervisor” or “Other”. Since only two large agencies responded, the division of

roles is 50%. What could be concluded is that large agencies have levels of staff in upper-level

management and/or have a dedicated network administration department.

Figure 5. Job title/role for large agencies.

In survey question 4: What best describes your current IT/Network Administration at

your agency? The two Large agencies both selected “Full-time internal IT/Network

Administrator”. The Medium agencies varied among three categories: 12 for “Full-time internal

IT/Network Administrator”, 1 for “Part-time external IT/Network Administrator”, and 3 for

“Full-time external IT/Network Administrator”. The Small agencies provided a representation for all

five categories. For the “Part-time internal IT/Network Administrator”, 2 made that selection, 19

selected “Full-time internal IT/Network Administrator”, 1 selected “Part-time external

IT/Network Administrator”, and 13 chose “full-time external IT/Network Administrator”.

Finally, 3 Small agencies selected “No IT/Network Administrator”.

Table C

Current agency IT/Network administration description

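| Size | None | Part-time internal | Full-time internal | Part-time external | Full-time external | % |
| --- | --- | --- | --- | --- | --- | --- |
| Large | 0 | 0 | 2 | 0 | 0 | 3% |
| Medium | 0 | 0 | 12 | 1 | 3 | 29% |
| Small | 3 | 2 | 19 | 1 | 13 | 68% |
| Totals (%) | 5% | 4% | 60% | 3% | 28% | |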

The small agencies had at least one selection in each of the current agency IT/Network

administration description categories. The highest selected was “Full-time internal” and second

highest was “Full-time external”. The last three, in order of most selected, were “None”, “Part-

time internal”, and “Part-time external” (see Figure 6). Even though it is possible for small

agencies to have less budget allocation for a designated IT/Network Administrator, the data

illustrates that small agencies are not necessarily at a disadvantage in staffing network administration.

Figure 6. IT/Network Administration for small agencies.

In Figure 7, the Medium agencies selected a total of three of the current IT/Network

administration description types. The most often selected response was “Full-time internal”, the

second was “Full-time external”, and the least selected was “Part-time external”. Large agencies

indicated that their IT/Network administration was full-time, internal staff (see Table C).

Comparing all three jurisdiction sizes shows that the larger the agency size, the greater the number of

full-time network administrators and of those that are internally staffed. But even though smaller

agencies have a lower percentage, they are apparently capable of having full-time administrators

even if they need to contract externally.

Figure 7. IT/Network Administration for medium agencies.

For survey question 5: If your agency has "No internal or external IT/Network

Administrator" does your agency anticipate in employing or contracting an IT/Network

Administrator? As shown in Table C, only 3 small agencies selected this category. The 3 that

selected “No internal or external IT/Network Administrator” in question 4 also selected “No” for

question 5. However, one agency that selected “Full-time external IT/Network Administrator” in

question 4, also selected “No” for question 5. This illustrates that, while some smaller agencies

have the ability to have full-time network administration staff, as reflected in question 4, there

are some that still need to overcome obstacles, which will be explained in question 6 (see Table

E).

Table D

Agency anticipation of employing/contracting an IT/Network administrator who currently have

none.

| Size | Yes | No | % |
| --- | --- | --- | --- |
| Large | 0 | 0 | 0% |
| Medium | 0 | 0 | 0% |
| Small | 0 | 4 | 100% |
| Totals (%) | 0% | 100% | |

For survey question 6: If you answered "No" to either question 5, please explain the

reason and/or obstacles of why your agency does not anticipate doing so? From Table D, it

shows that 4 Small agencies selected “No” and 4 Small agencies selected categories providing a

reason for their answers in Table E. Cost was selected by 3 Small agencies and Upper

Management had 1 selection. The “Other” category was selected by 2 Small agencies with the

explanations of “I do it” and “we have a staff member currently enrolled in college to get his

degree for our IT, as the County only has 2 full time IT but they are for the entire county and we

have to wait on their availability. We have current State and Federal policies in place and try to

stay in compliance with NENA/APCO standards”.

Table E

Reason or obstacles for not employing/contracting IT/Network administration if currently none

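| Size | Cost | Upper management | High turnover | Lack of qualified resources | Other | % |
| --- | --- | --- | --- | --- | --- | --- |
| Large | 0 | 0 | 0 | 0 | 0 | 0% |
| Medium | 0 | 0 | 0 | 0 | 0 | 0% |
| Small | 3 | 1 | 0 | 0 | 2 | 100% |
| Totals (%) | 75% | 25% | 0% | 0% | 50% | |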

Small agencies are the ones reporting obstacles when it comes to not employing or

contracting IT/Network administration, which would affect their compliancy with the established

security standards. With “Cost” accounting for the majority of the obstacles, this could possibly be

alleviated through future funding assistance, either by state or federal agencies, to allow them not

to be at a disadvantage when they are unable to supply sufficient revenue for their budgets.

Figure 8. Obstacles for not employing IT administration for small agencies.

Survey question 7: What type of Information Technology (IT) descriptions and

policies does your agency currently have in place? The selection of all, with the exception of

“none apply”, would allow the agency to be compliant under the NENA Security for Next-

Generation 9-1-1 Standards or NG-SEC (NENA, 2010). Table F breaks down the first six

categories and Table G provides information for the last six of question 7. All but one agency

had at least one category selected. The agency that did not select any category was one Small

agency, making it a total of 55 responses for this question. Looking at both Table F and G, both

the large agencies selected all but two categories, “Wireless Policy” and “Incident Response”.

For the medium agencies, all selected “Acceptable Usage”, with many agencies in that category

also selecting “Password Policy”, “Data Protection”, “Wireless Policy”, “Physical Security”,

“Remote Access”, and “Access Control”. No Small agency had all policies selected, but many

agencies selected “Acceptable Usage”, “Password Policy”, and “Physical Security”. Also, one of

the large agencies selected every choice, including “None apply”, even though they had selected

all of the previous policies.

Table F

Type of IT descriptions and policies (first six categories)

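| Size | Acceptable Usage | Password Policy | Information Classification | Data Protection | Wireless Policy | Physical Security |
| --- | --- | --- | --- | --- | --- | --- |
| Large | 2 | 2 | 2 | 2 | 1 | 2 |
| Medium | 16 | 15 | 9 | 12 | 13 | 14 |
| Small | 33 | 34 | 16 | 27 | 17 | 33 |
| Totals (%) | 93% | 93% | 51% | 74% | 56% | 91% |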

Table G

Type of IT descriptions and policies (last six categories)

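| Size | Remote Access | Access Control | System Control | System Patching | Incident Response | None Apply | * % |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Large | 2 | 2 | 2 | 2 | 1 | 1 | 4% |
| Medium | 13 | 10 | 9 | 8 | 9 | 0 | 29% |
| Small | 16 | 22 | 6 | 9 | 23 | 1 | 67% |
| Totals (%) | 54% | 63% | 31% | 33% | 62% | 3% | |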

* % both Table F and Table G

Figure 9 illustrates all of the IT descriptions and policies from both Table F.1 and

Table F.2 that were selected by Small agencies. The most selected was “Password Policy”.

Following that, in order, were “Acceptable Usage”, “Physical Security”, “Data Protection”,

“Incident Response”, “Access Control”, “Wireless Policy”, “Information Classification”,

“Remote Access”, “System Patching”, “System Control”, and last, with one agency selection,

“None Apply”. If compared to the following figures that illustrate medium and large agency

responses (Figures 10 and 11), the greatest differences in IT policies are in system controls, system

patching, remote access, information classification, and wireless policies. For small agencies,

this lack of policies may be due to network administration staffing or even the capabilities of

their current database networks, and they may not have those policies in place because they are not

applicable to their network yet. However, once they are Next Generation 9-1-1 capable, all

categories will need to be in place.

Figure 9. IT descriptions and policies for small agencies.

The medium agency selections are shown in Figure 11. The most selected category was

“Acceptable Usage” and last was “System Patching”. None of the medium agencies selected

“None Apply”. The medium agencies seem to be more in compliance with many of the

policies. This may be due to more evolved database networks and staffing.

Figure 10. IT descriptions and policies for medium agencies.

The Large agency selections of IT descriptions and policies from both Table F.1 and

Table F.2 are shown in Figure 12. Both Large agencies selected “Acceptable Usage”, “Password

Policy”, “Information Classification”, “Data Protection”, “Physical Security”, “Remote Access”,

“Access Control”, and “System Control”. However, only one agency selected “Wireless Policy” and

“Incident Response”. Also, as noted previously, one agency also selected “None Apply”.

Surprisingly, incident response and wireless policies were not selected by one of the two large

agencies. Many metropolitan public safety communications centers communicate with local

databases, such as computer aided dispatch (CAD) or records management systems (RMS)

wirelessly from laptops in vehicles and other mobile devices. It would also be thought that a

large agency would have incident response policies in place in case a natural, terrorist, or

technical disaster occurred.

Figure 11. IT descriptions and policies for large agencies.

Survey question 8: If your agency is Next Generation 9-1-1 capable and any of the

following descriptions and policies listed in question 7 were not selected please select the

reason(s) and/or obstacle(s). The data in Table G received 32 survey responses with at least one of the

selections, regardless of all agencies reporting the highest 9-1-1 status/capability of Wireless

Phase II. None of the 56 responding agencies reported having Next Generation 9-1-1

status/capabilities for question two of the survey. None of the large agencies made selections for

question 8. However, 7 medium agencies and 25 small agencies made at least one selection,

making up over half (57%) of the 56 total responses to the survey. The two “Other” categories

consisted of “IT department prefers to not to release information due to concerns over security”

and “we are NG9-1-1 capable, but state law prohibits implementation”.

Table H

If Next Generation capable, reasons and/or obstacles for not having the descriptions and policies

in Table F and Table G

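| Size | Cost | Time | Upper Management | Staff Constraints | Other | % |
| --- | --- | --- | --- | --- | --- | --- |
| Large | 0 | 0 | 0 | 0 | 0 | 0% |
| Medium | 4 | 5 | 0 | 2 | 1 | 22% |
| Small | 16 | 18 | 1 | 14 | 1 | 78% |
| Totals (%) | 68% | 75% | 3% | 53% | 6% | |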

Even though none of the responding agencies were Next Generation 9-1-1 capable, the

responses do shed light on current obstacles agencies face towards compliancy. Cost does reflect

over half of the obstacles, but “Time” was selected as 75% of the overall reasons and is the highest

ranked obstacle in both medium and small agencies. This could indicate that agencies feel they

are spread thin in keeping up with standards and evolving technology even if they have the staff

and money.

Figure 12. Obstacles for not having the descriptions/policies for small agencies.

Figure 13. Obstacles for not having the descriptions/policies for medium agencies.

For survey question 9: Select the following software your agency currently runs on all

servers and end user computers? Anti-virus software and/or spyware detection software. All 56

agencies selected either one or both of the software selections. All agencies currently run Anti-

virus software on all servers and end user computers. Only a few in both the medium and small

agencies do not currently run Spyware detection software. Reasons were inquired in the

following survey question (see Table I).

Table I

Virus and/or spyware detection software on all servers and end user computers

| Size | Anti-virus | Spyware detection | % |
| --- | --- | --- | --- |
| Large | 2 | 2 | 3% |
| Medium | 16 | 13 | 29% |
| Small | 38 | 34 | 68% |
| Totals (%) | 100% | 88% | |

Figure 14. Virus and/or spyware detection software for small agencies.

Figure 15. Virus and/or spyware detection software for medium agencies.

Survey question 10 asked: If you did not select one or both of the choices in question 10,

please advise the reason(s) and/or obstacle(s) your agency has for not running anti-virus and/or

spyware detection software on all server and end user computers? Table J shows agency

responses.

Table J

Reason and/or obstacles for agency not running anti-virus and/or spyware detection software

| Size | Cost | Time | Upper Management | Staff Constraints | Other | % |
|---|---|---|---|---|---|---|
| Large | 0 | 0 | 0 | 0 | 0 | 0% |
| Medium | 0 | 0 | 0 | 0 | 0 | 0% |
| Small | 0 | 1 | 0 | 1 | 0 | 1% |
| Totals (%) | 0% | 2% | 0% | 2% | 0% | |

Only 1 small agency responded regarding a reason for not currently running a Spyware

detection program (see Table J). The two reasons selected were “Time” and “Staff constraints”.

Unlike previous obstacles for not complying with standards, this did not include “Cost”.

However, while this may not be an initial cost concern, time and staff constraints could mean indirect

costs related to monitoring network traffic on a daily basis, with smaller agencies having to hire

or contract services to fulfill this requirement.

Figure 16. Obstacles for no anti-virus and/or spyware detection software for small agencies.

Question 11 asked: Does the agency have the following on file: current inventory,

schematic, and audit documents?

Both of the large agencies reported having all three items on file. The other size agencies

responded with 15 medium and 36 small, making a total of 53 responses shown in Table J. Most

medium agencies had a current network inventory and many had a current network schematic.

Many small agencies reported having current network inventory and/or current network

schematic. Both medium and small agencies had some current annual internal audits on file.

Even though both large agencies reported having all the required IT documentation, medium and small

agencies were not too far behind with network inventory and schematics.

Table K

Current inventory, schematic, and audit documents on file

| Size | Network inventory | Network schematic | Annual internal audits | % |
|---|---|---|---|---|
| Large | 2 | 2 | 2 | 3% |
| Medium | 15 | 13 | 9 | 28% |
| Small | 21 | 17 | 9 | 67% |
| Totals (%) | 71% | 60% | 38% | |

Figure 17. Current IT documentation for small agencies.

Figure 18. Current IT documentation for medium agencies.

Figure 19. Current IT documentation for large agencies.

For survey question 12: If you did not select any of the choices in question 11, please

advise the reason(s) and/or obstacle(s). There were 15 responses, both from Medium (7) and

Small (8) agencies. The two agency sizes responding selected “Cost”, “Time”, and/or “Staff

constraints”. Again, though cost may not be a direct obstacle, with medium and small agencies

reporting time and staff constraints, indirect cost could occur with hiring more staff to alleviate

those obstacles.

Table L

Reasons or obstacles for not having network inventory, schematic, and/or audit documents

| Size | Cost | Time | Upper Management | Staff Constraints | Other | % |
|---|---|---|---|---|---|---|
| Large | 0 | 0 | 0 | 0 | 0 | 0% |
| Medium | 3 | 2 | 0 | 3 | 0 | 46% |
| Small | 2 | 4 | 0 | 5 | 0 | 53% |
| Totals (%) | 33% | 40% | 0% | 53% | 0% | |

Figure 20. Obstacles for complete IT documentation for small agencies.

Figure 21. Obstacles for complete IT documentation for medium agencies.

The survey question 13: What type of security awareness training and education

standards does your agency currently require? Almost all agencies responded to question 13,

with a total of 54 responses. Most agencies reported having “Annual staff security training”

and/or “current training/certification for IT administration”. A few Medium and Small agencies

reported having “no staff training policy”.

Table M

Type of security awareness training and education standards currently in place

| Size | Annual staff security training | Current training/certification for IT administration | No staff training policy | No training/certification for IT administration | % |
|---|---|---|---|---|---|
| Large | 1 | 2 | 0 | 0 | 6% |
| Medium | 11 | 12 | 2 | 0 | 43% |
| Small | 11 | 12 | 3 | 0 | 51% |
| Total (%) | 41% | 46% | 10% | 0% | |

Figure 22. Security awareness and training for small agencies.

Figure 23. Security awareness and training for medium agencies.

Figure 24. Security awareness and training for large agencies.

The final survey question, 14: If you did not select any of the choices in question 13,

please advise the reason(s) and/or obstacle(s). Ten agencies responded to question 14 with the

majority of responses from the small (9) agencies. Most of the selections were from the “Time”

and “Staff constraints” categories. The two “Other” explanations provided, both from two small

agencies, were “IT Department prefers not to release information due to concerns over security”

and “we have State and Federal forms and training to keep us in compliance”. The indirect cost

of both time and staff constraints could still be an obstacle for small and medium agencies. In the

case of the one response that state and federal forms and training keep the agency compliant,

even if the training is free of charge, they still may have to apply overtime to cover

shifts or staff shortages for employees to attend training and certification, as well as cover any travel costs

that may be involved.

Table N

Reasons or obstacles for not having staff security training and/or current training/certification for IT administration

| Size | Cost | Time | Upper Management | Staff Constraints | Other | % |
|---|---|---|---|---|---|---|
| Large | 0 | 0 | 0 | 0 | 0 | 0% |
| Medium | 0 | 1 | 0 | 1 | 0 | 10% |
| Small | 3 | 6 | 0 | 4 | 2 | 90% |
| Totals (%) | 30% | 70% | 0% | 50% | 20% | |

Figure 25. Obstacles for security training and education for small agencies.

Figure 26. Obstacles for security training and education for medium agencies.

Conclusion

The purpose of the research was to reveal compliance or non-compliance of public safety

answering points (PSAPs) that are Next Generation 9-1-1 (NG9-1-1). Based on the survey, all

PSAPs were compliant at the Wireless II stage. Additionally, based on the job titles, respondent

agencies were primarily represented by management personnel who would be in a position to

comment on plans, policies, and obstacles as requested by the survey. Another finding was that a

high percentage of PSAPs had full time network support available. However, 12% had relied on

part time support. From a security perspective this seems to be an important finding. The

follow-up question revealed there was no intent to hire and that expense was a key factor in that decision

for small service areas. Although agencies generally had policies for acceptable usage and

password protection, agencies were much less likely to have a wireless policy or an information

classification policy. The data showed that 12% of the agencies did not have a spyware policy.

Spyware can transmit and collect personal identifiable information and with 9-1-1 becoming

Internet-based, the public’s privacy and safety could be compromised unless spyware detection

software is not only installed, but also monitored properly. Time constraints were also reported

by small, 40%, and medium, 50%, agencies as obstacles for security training and education.

Though sample responses did not report they were NG9-1-1 status yet, agencies working towards

compliance before rolling out NG9-1-1 technologies would strengthen the security of the transition

of providing those technologies to the public they serve. This data shows a sample snapshot of

that transition to compliance.

CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS

The purpose of this thesis was to ascertain whether public safety answering points

(PSAPs) have information security management standards in place prior to Next Generation 9-1-1

and to reveal compliance or non-compliance with the National Emergency Number Association

(NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010) ahead of nationwide Next

Generation 9-1-1 implementation. Although all were compliant to Wireless II, the category just

below NG9-1-1, the clear answer to the primary research question is “no”. In the previous

chapters, the researcher presented the current literature on information security management for

Next Generation 9-1-1 and the results of a survey study from public safety answering points

(PSAPs) utilizing the National Emergency Number Association (NENA) Security for Next-

Generation 9-1-1 Standards or NG-SEC with reports of obstacles and reasons for certain areas of

noncompliance. This chapter offers an answer to each research question, provides implications

and contributions, and makes recommendations for future research in the field.

Discussion of Research Findings

The research questions presented in Chapter 1 asked:

1. What are the Next Generation 9-1-1 information security management standards and

policies?

2. What percent of agencies have Next Generation 9-1-1 status?

3. What percent of agencies are compliant or noncompliant?

4. What are the obstacles and/or challenges for public safety answering points (PSAPs)

that are not compliant with public safety communication information security

standards?

In Chapter 2, the Next Generation 9-1-1 information security management compliant

standards were discussed with a summary of the National Emergency Number Association

(NENA) Security for Next-Generation 9-1-1 Standards. These standards provided the basic

content for the survey.

Question 1: What are the Next Generation 9-1-1 information security management

standards and policies?

The study found the Next Generation 9-1-1 information security management standards

and policies were established through the National Emergency Number Association (NENA)

Security for Next-Generation 9-1-1 Standards (NENA, 2010), also known as NG-SEC, with

compliance expected effective immediately for any agency with Next Generation 9-1-1 status.

The standards were presented and discussed in the Chapter 2 literature review.

Question 2: What percent of agencies have Next Generation 9-1-1 status?

The study found that the sample population was not Next Generation 9-1-1 yet. The

literature review illustrated that for the past couple of years, some NG9-1-1 technologies were

in the process and that agencies were to begin implementation.

Question 3: What percent of agencies are compliant or noncompliant?

The study found the criteria of compliance in the NG-SEC standards and the survey

mirrored those criteria. Though agencies were not Next Generation 9-1-1 status yet, and not

explicitly required to comply with the NG-SEC standards, the results presented in Chapter 4

illustrate that some were either already compliant or were compliant in specific standard

requirements. It also showed areas in which they were not and provided reasons for not meeting

the standards.

Question 4: What are the obstacles and/or challenges for public safety answering points

(PSAPs) that are not compliant with public safety communication information security

standards?

The study found that, in the areas in which agencies did not meet NG-SEC standards, cost, time,

and staff constraints were the majority of reported obstacles.

Overall, the information collected illustrated that agencies are still working on the Next

Generation 9-1-1 implementation with the majority not at compliant status with current National

Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA,

2010), also known as NG-SEC. All agencies reported their current 9-1-1 status was Wireless

Phase II and not Next Generation 9-1-1. As noted in Chapter 2, consumer

technology and needs are outpacing 9-1-1 capabilities, and the sample illustrates that continued gap

(Barbour, 2008). However, the data shows some are already meeting standards or specific

security standards before they have Next Generation 9-1-1 status. This is an encouraging sign of

agencies beginning to think and act upon security policies before compliance is absolutely required

when they open up their 9-1-1 systems to IP-based communications.

Table O shows the number of compliant and noncompliant agencies from each agency size.

The highest responding agencies were small, but only two reported they were compliant. In the

two other categories, 4 out of 16 total responses from medium sized agencies and 1 out of 2 large

agencies reported to be compliant. It also provides the percentage by each size and from the

overall sample response. Percentage-wise, both medium and large agencies reported more

compliance. This could be due to agencies already having network administration security policies

well established from years of computer-aided dispatch and records management database

networks and having more financial and staffing resources than agencies covering less populated

areas. Out of 56 agencies, 13% reported compliance. While it is a low percentage, again, this is

before agencies report Next Generation 9-1-1 status. From the 7 (13%) that reported compliance,

Figure 27 shows the percentage that responded from each agency size. Here it can be seen that

medium agencies (57%) account for the majority of the compliance responses. This could illustrate that

medium agencies already have the funding, staff, and policies laid out from previous network

administration standards, either self-imposed or state mandated, and they may be able to progress

quicker with Next Generation 9-1-1 security standards than the other populations because the

technology projects may not be as laboring or costly as larger entities, but yet they may have

local revenue sources and staffing capabilities that smaller entities may not.

Table O

Agencies reporting compliance with NG-SEC

| Agency Size | Compliant | Noncompliant | % Compliant by Size |
|---|---|---|---|
| Large | 1 | 1 | 50% |
| Medium | 4 | 12 | 25% |
| Small | 2 | 36 | 5% |
| Total % | 13% | 87% | |

Figure 27. Reported NG-SEC compliance by agency size.

In Chapter 2, the researcher illustrated the risk and attack exposures to which 9-1-1 entities become more

vulnerable when transforming from a closed analog system to an open Internet-Protocol based

system. According to the publication “Principles of Information Security: Principles and

Practices”, some major categories of attacks are Military and Intelligence Attacks, Business

Attacks, Financial Attacks, Terrorist Attacks, Grudge Attacks, and “Fun” Attacks. There is also

the continued threat of malware as with any IP network. However, instead of only affecting a

computer-aided dispatch software program that could quickly be exchanged with an internal

closed legacy system or even a paper system for back up purposes, a 9-1-1 communications

system would not be as easily replaceable or have much allowance for any downtime, even

temporarily, due to a malware issue. Again, the burden could be greater for small agencies, who

would be required to interconnect and comply with security standards, due to financial and staff

resources. Security is only as good as your weakest link.

The sample of 225 agencies was stratified into three segments by agency size. The range

of agencies within a group varied. Of the 225 agencies, the following number and percentages

were represented in the three segments, small (125 agencies, 55%), medium (71 agencies, 32%),

and large (29 agencies, 13%). Numerically, most of the agencies serve smaller populations of less

than 100,000. Funding for upgrading and maintaining the current 9-1-1

infrastructures could have a greater impact on smaller agencies that may not have the financial resources.

The availability of staff, both time and number of employees, could also impact the smaller

agencies more. Also, as indicated in Chapter 4, the large agencies had a low response rate (15%)

of the large agency strata and 3% of the sample responses. This contrasted sharply with the small

sample strata. In chapter 2, it was pointed out that since public safety agencies are connected to

extremely sensitive information such as criminal and medical records and filed or on-going

investigation reports, there is a tremendous need for confidentiality to protect data, citizens, and

public safety officials. This can extend to providing security procedural information, regardless

of anonymity, for research study. Even though 9-1-1 is a public service, sharing information with

anyone outside known and trusted entities can be approached with caution and, as the few

responses suggest, this was a factor in the survey study.

When considering just the large agencies, there was an interesting result on question 7.

Only one selected all compliant standards and policies in the survey. However, on question 7,

that agency, in addition to selecting all of the information technology (IT) descriptions and

policies, also selected the last choice, “None apply, agency does not have IT

descriptions and policies”. Perhaps the agency simply selected the last choice by mistake,

but it could have been purposeful to make all selections suspect. It is not possible to know for

sure. As for the other agencies, 4 Medium agencies and 2 Small agencies showed compliance.

In question 4 of the survey, all 56 respondents chose the category that best described their

current information technology (IT) or Network Administration. The majority selected “Full-time

internal” (60%) and the second most selected was “Full-time external” (28%), making full-time

network administration coverage 88% for agencies. Of the 12% that have part-time or no

current network administration, the majority are small agencies. As the Michigan Next Generation 9-1-1

Feasibility Study conducted by L.R. Kimball notes, “network management of an IP-based 9-1-1

network is crucial in providing the level of service expected by the residents of PSAPs” and

these networks will require an uptime of 99.999% availability or better (Kimball,

2010). Figure 30 below shows the percentage of the agencies that reported part-time or no

current network administration.

Figure 28. Part-time or no current network administration by agency size.

By the results, both large and medium size agencies have some type of internal or

external IT/Network Administration, either part-time or full-time. A few small agencies (5%)

still have no type of IT/Network Administration; however, from all three strata sizes, small

agencies replied the most (86%) to either part-time or no current network administration. It could

be concluded that small agencies are not able to have full-time network administration because of

the lack of both financial and staff resources.

Most reported obstacles for areas not in line with NG-SEC were costs, time, and staff

constraints. Time and staff constraints could also be viewed as an indirect cost issue. Since it is

unlikely that more demanding technology requirements would alleviate time and staff issues,

more staff would need to be hired or services employed, which, again, amounts to cost. As

discussed in chapter 2, the New York state study involving Wireless Phase 1 and Wireless Phase

II cellular 9-1-1 communications showed funding as the biggest hurdle for technological

upgrades for their Enhanced Wireless technologies 9-1-1 project (Bailey & Scott, 2008). And

with the United States still recovering from the 2008 economic crisis, funding for the initial

transition of 9-1-1 technologies to Next Generation 9-1-1 and the continued expenditure for

maintenance and upgrading, cost factors heavily for public safety agencies.

In a 2009 article, Mary Rose Roberts discussed consolidation of Next Generation 9-1-1

enabled public safety answering points (PSAPs) and illustrated both economic and shared

resource benefits. She explained that technology improvements are growing exponentially and

even though costs were lowering in the consumer markets, still it behooved agencies to share

resources to save money, as well as the benefit of sharing intelligence. But it remains to be seen

whether the cost of transitioning 9-1-1 systems and continued upgrades will be economically feasible for

agencies, since each 9-1-1 entity's needs vary, as well as their means for paying for all direct and

indirect costs. Also with sharing resources, agencies that may have political differences may not

find this alternative attractive, despite possible economic savings.

In question 6 of the survey, information was collected on the obstacles or reasons for

agencies not hiring network administration employees or services. The same four agencies that

responded to question 6 selected three categories, which were “Cost” (75%), “Other” (50%),

and “Upper Management” (25%). It is not surprising to see that “Cost” was selected the most.

Small agencies may have a difficult time with financial resources for network administration

services with smaller government budgets and the survey responses show promise that small

agencies are finding ways to provide this service. The “Other” category was selected twice and

the explanations for each were, “I do it” and “we have a staff member currently enrolled in

college to get his degree for our IT, as the County only has 2 full time IT but they are for the

entire county and we have to wait on their availability. We have current State and Federal

policies in place and try to stay in compliance with NENA/APCO standards”. The agency that

responded as “I do it” also reported their role as 9-1-1 Manager/Upper Management.

This illustrates that one person is fulfilling two roles, both 9-1-1 center manager and network

administration services. It could also be categorized as another cost or staff issue due to having one

person doing two separate job roles. This could be problematic since both roles can be full time

responsibilities for an agency. The second “Other” response shows the agency has a 9-1-1 staff

member receiving technology education to remedy their issue of not having a dedicated 9-1-1

network administrator. This is a forward thinking approach to the possible demands of network

administration once Next Generation 9-1-1 is fully implemented. Figure 29 shows the percentages

of small agency responses to the obstacles and/or reasons for not having full-time network

administration on their systems.

Figure 29. Obstacles for not having full-time network administration for small agencies.

The information technology (IT) descriptions and policies questions generated a wide

variety of responses. There were a few that selected all and a few who advised they currently do

not have any IT policies. The two categories selected the least (with the exception of

“None apply”) were “System Control” (31%) and “System Patching” (33%). The National

Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA,

2010) defines System Control as controlling changes and status within the system, hardware,

software, and backups (NENA, 2010, p. 46). NENA explains System Patching as updating

operating systems, other software, or hardware devices to address critical security vulnerabilities

(NENA, 2010, p. 46-47). All other categories had at least a 51% or higher response. The top two

categories selected were “Acceptable Usage” and “Password Policy” (both 93%). Not one

category was selected by all 56 agencies. But the results did show that the 2 Large agencies

selected almost all categories, compared to the Medium and Small agencies. The “Wireless

Policy” and “Incident Response” categories were the only ones from a large agency that were not

selected. Even though only two large agencies responded to the survey, it could

be shown with further research, that large agencies fulfill the IT description and policies for

NENA. However again, another study with more or all public safety answering points (PSAPs)

would need to be surveyed for further analysis.

The next question asked if an agency was Next Generation 9-1-1 capable and any of the

following descriptions and policies listed in question 7 were not selected please select the

reason(s) and/or obstacle(s). As the researcher already stated, all agencies advised their current

highest/most advanced status/capability was Wireless Phase II in question 1. None selected Next

Generation 9-1-1 status/capability. Yet in question 8, thirty-two agencies made one or more

selections to report obstacles. The majority of these responding were small agencies (78%) and

22% were from medium agencies. None of the large agencies responded. It is unclear to the

researcher why several of the agencies responded to this question when all had stated they were

not Next Generation 9-1-1 status and did not have to respond at all. It brings another uncertainty

of accuracy to the answers within the survey from the respondents, either from not reading the

questions completely, the questions not being worded properly, or not providing consistent

information, either intentionally or unintentionally.

Questions 9 and 10 requested information about detection software and obstacles if both

were not currently used at the agency. All 56 agencies responded and selected they were

currently running Anti-virus software on all servers and end user computers. Spyware detection

software usage received an 88% response, with 81% of medium agencies and 90% of

small agencies selecting the category, leaving only 10-20% not utilizing anti-spyware software.

The obstacles and/or reasons stated were “Time” and “Staff Constraints”. Yet only one small

agency responded to that particular question. The other six did not reply.

A 2009 study by the Ponemon Institute summarized information security assessments

of network traffic from 754 corporate respondents for the presence of malware. The presence of

active malware infections was shown to be 100%, Internet Relay Chat bots, 72%, network worms,

42%, generic malware 81% and information stealing malware, 56%. Figure 32 shows the bar

graph illustration of the study (Ponemon, 2009).

Figure 30. Presence of malware in network traffic (Ponemon, 2009).

Malware is a problem in corporate settings, as shown in the above figure; however, having

9-1-1 systems exposed to this type of malware problem can cause some serious issues to not only

the systems themselves, but to public safety. The medium and small agencies that reported

not having either anti-virus and/or spyware detection already installed on their non-9-1-1 system

networks are exposing their emergency networks to great risks. It can also be mentioned that

even with anti-malware software installed, the risk is there, especially since the corporations

involved in the Ponemon study were running anti-malware software on their systems.

Another set of inquiries dealt with current network inventory, schematics, and audit

documentation on file. A total of 53 agencies responded with both Large agencies having all

three documents on file. Network inventory documentation had the highest response (71%), with

the second most reported being network schematic (60%), and the least selected being annual internal audit

documentation (38%). The obstacles and reasons provided by Medium and Small agencies for

not having one or more of the three categories of documentation were mostly explained by “Staff

constraints” (53%), “Time” (40%), and “Cost” (33%). With these responses, it could be

concluded that agencies with a jurisdiction size under 500,000 have less staff to dedicate or funding to

provide and keep these types of documents annually.

The last two questions in the survey dealt with security training for both technical and

non-technical staff. Question 13 inquired what type of security awareness training and education

standards does the agency currently require and question 14 requested reasons and/or obstacles if

one or more of the categories in question 13 were not selected. None of the agencies selected

“No training/certification for IT administration”. Only 10% (2 from Medium and 3 from Small

agencies) selected “No staff training policy”. Many of the agencies responding reported they

conducted either or both annual staff security training and their network administration

employees or contractors were current with annual training and certifications.

Limitations

There are limitations to this thesis study. Some limitations have been presented in

Chapter 1. One limitation of the thesis is that the study arrives at the genesis of Next

Generation 9-1-1 standards and implementation, which limits the shared studies on

National Emergency Number Association (NENA) Security for Next-Generation 9-1-1

Standards (NENA, 2010) or NG-SEC compliance. Another limitation is the number of Next

Generation 9-1-1 status entities nationwide. Specific to information technology (IT)

management, a limitation of the study is the wide scope of examining nationwide Next

Generation 9-1-1 IT management. An additional limitation is that the population sampled was only a

small sample of all the public safety answering points (PSAPs) in the nation. The number of

responses was another limitation, and the feedback received for lack of survey participation was

due to agencies not being familiar with the researcher or the school and not wanting to share

information with non-government or outside sources. The survey dealt with compliance with

NG-SEC standards and policies, and there is possible participant bias, with some respondents choosing more

or all compliant selections.

Implications and Contributions

The thesis study focused on National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NENA, 2010). For some of the questions, the overall responses produced very straightforward selections and feedback. Others generated conflicting data. The most reported obstacles and/or reasons for not selecting a particular standard section were cost and time. With the current economy presenting financial constraints, employee cutbacks or hiring freezes, along with the continued addition of 9-1-1 and information technology management responsibilities placed on public safety communication agencies, the obstacles do not appear likely to be relieved anytime soon. This may slow the nationwide implementation of Next Generation 9-1-1 technologies in general and may prolong the full implementation for several more years than expected. In an announcement made in November 2011, the Federal Communications Commission identified seven states that diverted a portion of 9-1-1 fees to non-9-1-1 purposes in 2010. The report shows a decline from previous years and indicates that in the future the federal government will require states to collect even more detailed 9-1-1 collection fees in order to pay for Next Generation 9-1-1 technologies. Receiving accurate information will help not only with transparency, but also with making sure that 9-1-1 entities that do not have the capability to keep up with technologies based on their fees collected may receive some assistance in order to provide the same 9-1-1 services throughout the nation.

There is no specific public study at the time of this thesis examining compliance or non-compliance with the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards (NG-SEC), and this research provides a study on this specific topic. The findings also present the obstacles that explain why agencies are not compliant with NG-SEC standards and policies. The results of the survey data analysis show that some agencies are compliant and/or have some standards and policies already in place, despite having Wireless Phase II status and not Next Generation 9-1-1 status. The thesis study is a foundation for further research, either studying compliance and non-compliance for public safety communication agencies or examining more specific areas of compliance within each of the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 standards.

Recommendation for Future Research

This thesis study focused on compliance and non-compliance with the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards on a small scale, in which 225 public safety answering points (PSAPs) were contacted from a total of 6,130 primary and secondary PSAPs (NENA, 2011, October). A study that surveyed the entire public agency population and allowed a better comparison of large, medium, and small agencies would be beneficial. Also, as stated previously, examining more specific areas of compliance within the NENA Security for Next-Generation 9-1-1 standards, such as national or regional physical security, acceptable usage, or incident response policies, would be beneficial. Future studies could compare compliance between agency size segments, rural versus metropolitan entities, or regional sections within the United States (East, South, Midwest, Southwest, Pacific Northwest, West state regions). Another recommendation would be to examine survey styles that work best with government and/or public safety entities to allow a higher response rate. This study could also be repeated in a few years' time to see if any differences or changes have occurred.

Conclusion

Traditional 9-1-1 communications have continued to fall behind the needs of consumers’ Internet and mobile lifestyle and the increasing disappearance of fixed-line communication (Luna, 2008). Next Generation 9-1-1 will transform the current analog 9-1-1 communications systems into Internet Protocol (IP)-based systems to allow 9-1-1 call takers to receive the same location and unit information as they do now with landline or fixed-line telephone systems, as well as communicate with citizens and emergency response units via text and mobile. Next Generation 9-1-1 will also provide the capability to exchange photos and videos through Internet Protocol (IP)-based communication (Lipowicz, 2009).

This research examined the current information security management landscape of 9-1-1 public safety communication centers at the beginning stages of Next Generation 9-1-1, which is the implementation of switching analog communication systems to Internet-Protocol (IP) communication systems. The study utilized the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards to examine compliance of public safety communication information security management policies and procedures. The researcher provided a literature review in Chapter 2 describing the evolution of 9-1-1, Next Generation 9-1-1 technologies, and the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards. In Chapter 3, the researcher provided a methodology for the survey study of compliance and presented the results in Chapter 4. Conclusions drawn from the findings were examined in Chapter 5, along with limitations and recommendations for further research. This thesis serves to add to a body of work specifically targeted at Next Generation 9-1-1’s information security management, both now and in the future.

REFERENCES

Arizona State University (2011, October 25). Debt crisis: Similarities, differences and lessons learned from the U.S. and Europe. Retrieved from http://knowledge.wpcarey.asu.edu/pdf.cfm?aid=1095.

Bailey, B., & Scott, J. (2008). The New York state wireless enhanced 911 project: lessons learned. Informally published manuscript, Department of Emergency Medicine, Upstate Medical University, Syracuse, New York.

Barbour, J. (2008, March 1). What a 40 years it has been. Urgent Communications. Retrieved from http://urgentcomm.com/mag/radio_years/

Breithaupt, J., & Merkow, M. (2006). Principles of information security: Principles and practices. Upper Saddle River, NJ: Pearson Education, Inc.

Bruce, G., Newton, J., & Vaughan, E. (2011). Next generation networks for public safety: Build locally to achieve nationally. Digital Communities. Folsom, CA.

Classroom Assessment. (2011). Reliability and validity. Retrieved from http://fcit.usf.edu/assessment/basic/basicc.html

Collins, H. (2008, April 18). Virtualization raises new cyber-security questions for government. Government Technology. Retrieved from http://www.govtech.com/gt/381048

Colorado State University (2012). Advantages and disadvantages of the survey method. Retrieved from http://writing.colostate.edu/guides/research/survey/com2d1.cfm

DeLine, R., Ko, A., & Venolia, G. (2007). Information needs in collocated software development teams. Microsoft Research. Retrieved from http://faculty.washington.edu/ajko/talks/ICSE2007InformationNeeds.pdf

Douglas, M. (2008, September 1). Not to worry. Urgent Communications. Retrieved from http://urgentcomm.com/psap/mag/radio_not_worry/

Douglas, M. (2009, June 1). Route and roll. Urgent Communications. Retrieved from http://urgentcomm.com/networks_and_systems/mag/psap-ip-technology-progress-200906/.

Experiment-Resources (2011). Retrieved from http://www.experiment-resources.com/empirical-research.html

Federal Communications Commission. (2008, September 17). FCC consumer advisory for VoIP and 911 services. Retrieved from http://www.fcc.gov/cgb/consumerfacts/voip911.html

Federal Communications Commission (2011, November 8). FCC releases third annual report to congress on state collection and distribution of 911 and enhanced 911 fees and charges. Retrieved from http://transition.fcc.gov/Daily_Releases/Daily_Business/2011/db1108/DOC-310895A1.pdf

Federal Information Processing Standards Publication. (1994, November 9). Guideline for the analysis local area network security (FIPS PUB 191). Washington, DC: U.S. Government Printing Office.

Gagner, Jr., R. P. (2005). Voice over internet protocol: Secure or not recommendations to the business and private sector. (Informally published by Department of Management Information Systems, Bowie State University, Bowie, Maryland.) Retrieved from http://74.125.155.132/scholar?q=cache:hVNP3pz7Y4AJ:scholar.google.com/+9-1-1+VoIP&hl=en

Genachowski, J. (2011). Proceedings from 2011 APCO Conference August 20: Five step action plan to improve the deployment of next generation 9-1-1 (NG911). Philadelphia, PA. Retrieved from http://www.fcc.gov/document/fact-sheet-five-step-action-plan-improve-deployment-next-generation-9-1-1-ng911

Hamilton, J. (2009, April 22). Florida county uses next-generation 911 system to enhance public safety. Emergency Management. Retrieved from http://www.emergencymgmt.com/safety/Florida-County-Uses-Next-Generation.html

H.R. 3403. 110th Congress: NET 911 Improvement Act of 2008. (2007). In GovTrack.us (database of federal legislation). Retrieved November 17, 2011, from http://www.govtrack.us/congress/bill.xpd?bill=h110-3403

International Organization for Standardization. (2005, October 15). Information technology-security techniques-information security management systems-requirements. (ISO/IEC 27001). Geneva, Switzerland. Retrieved from http://webstore.iec.ch/preview/info_isoiec27001%7Bed1.0%7Den.pdf

Intelligent Transportation Systems. (2009). Next generation 9-1-1 (NG 9-1-1) system initiative: Proof of concept testing report. Retrieved from http://www.its.dot.gov/ng911/pubs/NG911_POC_TestReport_FINAL091708.htm

Israel, G. (2009). Sampling issues: Nonresponse. University of Florida. Retrieved from http://edis.ifas.ufl.edu/pdffiles/PD/PD00800.pdf

Kim, J. Y., Song, W., & Schulzrinne, H. (2006). An enhanced VoIP emergency services prototype. Retrieved from http://74.125.155.132/scholar?q=cache:-FXMTV-40UUJ:scholar.google.com/+9-1-1+VoIP&hl=en

Kimball, L. (2010). Next generation 9-1-1 feasibility study. Retrieved from http://www.michigan.gov/documents/msp/Michigan_Next_Generation_9-1-1_Feasibility_Study_304211_7.pdf.

Kimball, L. (2011). The critical role of GIS in NG9-1-1. (White Paper CT.T79.2011-07.WP014) Retrieved from http://www.lrkimball.com/forms/download.aspx?d=CT&at=WP&an=The%20Critical%20Role%20of%20GIS%20in%20NG9-1-1&e=457&r=/index.aspx&n=&m=M14,&cg=62,

Kotapati, K. (2008). Assessing security of mobile telecommunication networks. The Pennsylvania State University. ProQuest Dissertations and Theses, Retrieved from http://search.proquest.com/docview/807444193?accountid=38189

Leedy, P. (2010). Practical research: planning and design. Upper Saddle River, NJ: Pearson Education, Inc.

Lipowicz, A. (2009, August 11). Nextgen 911 shows versatility. Federal Computer Week. Retrieved from http://www.fcw.com/Articles/2009/08/11/Vendor-demonstration-NextGen-911-calls.aspx

Lorino, P. (2008). Pragmatism-inspired methods for the study of complex situations: A dialogical and mediated inquiry approach. Retrieved from http://egosnet.org/jart/prj3/egosnet/data/uploads/OS_2008/W-102.doc.

Luna, L. (2008, August 1). Interlocking pieces. Urgent Communications. Retrieved from http://urgentcomm.com/mag/radio_interlocking_pieces/index.html

Mannion, A. (2009, September 1). The next generation of 911. The American City & County, 124(9), 14.

Mary, R. R. (2010). Cyber breaches threaten next-gen 911. Fire Chief. Retrieved from http://search.proquest.com/docview/216135858?accountid=38189

Moore, L. K. (2009, June 16). Emergency communications: The future of 911. Congressional Research Service. Retrieved from http://pdf.911dispatch.com.s3.amazonaws.com/crs_911_june2009.pdf

National Emergency Number Association. (2011, November 12). NG 9-1-1 project: Overall NG9-1-1 status. Retrieved from http://www.nena.org/?page=NG911_OverallStatus

National Emergency Number Association. (2010, February 6). Nena security for next-generation 9-1-1 standards. Retrieved from http://www.nena.org/standard/NG9-1-1_Security

National Emergency Number Association. (2011, February 24). Nena ng9-1-1 transition plan considerations. Retrieved from http://www.nena.org/?page=NG911_TransPlanning

National Emergency Number Association (2011, November 12). 9-1-1 statistics. Retrieved from http://www.nena.org/?page=911Statistics

National Institute of Standards and Technology. (2003). Building an information technology security awareness and training program (NIST SP-800-50). Washington, DC: U.S. Government Printing Office.

National Institute of Standards and Technology. (2005). Security considerations for voice over IP systems (NIST SP 800-58). Washington, DC: U.S. Government Printing Office.

Oscarson, P. (2007). Actual and perceived information systems security. (Doctoral dissertation). Retrieved from http://sh.diva-portal.org/smash/get/diva2:16984/FULLTEXT01.

Parker, S., & Wisely, S. (2009). Guide to information sharing and data interoperability for local communication centers. Proceedings of the Apco international 75th annual conference (pp. 1-45). Washington, DC.

Peerbolte, S. (2010). A quantitative study of critical thinking skills amongst local emergency managers. Retrieved from ProQuest Digital Dissertations http://search.proquest.com/docview/305222946?accountid=38189

Ponemon Institute. (2009). Anatomy of data-stealing malware: a study of enterprise security & it security practitioners. Retrieved from http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_data-stealing-malware.pdf.

Roberts, M. R. (2009, March 1). Under one roof. Urgent Communications. Retrieved from http://urgentcomm.com/policy_and_law/mag/economy-drive-psap-consolidation-0301/index.html

Salkind, N. (2010). Statistics for people who (think they) hate statistics: Excel 2007 edition. Thousand Oaks, CA: SAGE Publications, Inc.

StatPac. (2011). Survey design, hosting, & analysis. Retrieved from http://www.statpac.com/tab-house.htm

Strebe, M. (2004). Network security foundations: Technology fundamentals for it success. Alameda, CA: Sybex.

TechSoup.org. (2011, January 19). Virtualization 101. Retrieved from http://www.techsoup.org/learningcenter/software/page4826.cfm

Tejay, G. (2008). Shaping strategic information systems security initiatives in organizations. (Doctoral dissertation). Virginia Commonwealth University. Richmond.

The National E9-1-1 Implementation Coordination Office. (2009). A national plan for migrating to ip-enabled 9-1-1 systems. Washington, DC: Government Printing Office. Retrieved from www.911.gov/pdf/National_NG911_Migration_Plan_FINAL.pdf

United States Census (2010). Retrieved from http://2010.census.gov/2010census/

Whittington, C. (2009, June 1). Money well spent. Urgent Communications. Retrieved from http://urgentcomm.com/networks_and_systems/commentary/ng-911-training-200906/

Yin, R. K. (1984). Case study research: Design and methods. Beverly Hills, CA: Sage Publications.

Zainal, Z. (2007). Case study as a research method. Retrieved from http://eprints.utm.my/8221/1/ZZainal2007-Case_study_as_a_Research.pdf.

APPENDIX A. PRE-NEXT GENERATION 9-1-1 IMPLEMENTATION INFORMATION SECURITY MANAGEMENT SURVEY

1. What is the population range of your agency's jurisdiction? (Select ONE):

[ ] 1-99,999

[ ] 100,000-499,999

[ ] 500,000 or greater

2. What is your agency's current 9-1-1 status/capability? (Select ONLY the highest/most advanced that applies to your agency):

[ ] Basic 9-1-1

[ ] Enhanced 9-1-1

[ ] Wireless Phase I

[ ] Wireless Phase II

[ ] Next Generation 9-1-1

3. Which BEST describes your main job title/role at your agency? (Select ONE):

[ ] 9-1-1 Supervisor (middle management)

[ ] 9-1-1 Manager (upper management)

[ ] 9-1-1 IT/Network Administrator (technical management)

[ ] Other, explain

4. What BEST describes your current IT/Network Administration at your agency? (Select ONE):

[ ] No internal or external IT/Network Administrator

[ ] Agency has a part-time (non-24/7/365) internal IT/Network Administrator

[ ] Agency has a full-time (24/7/365) internal IT/Network Administrator

[ ] Agency has a part-time (non-24/7/365) external IT/Network Administrator

[ ] Agency has a full-time (24/7/365) external IT/Network Administrator

5. If your agency has "No internal or external IT/Network Administrator", does your agency anticipate employing or contracting an IT/Network Administrator?

[ ] Yes

[ ] No

6. If you answered "No" to question 5, please explain the reason and/or obstacles of why your agency does not anticipate doing so?

[ ] Cost

[ ] Upper management

[ ] High turnover

[ ] Lack of qualified resources

[ ] Other, explain

7. What type of Information Technology (IT) descriptions and policies does your agency currently have in place? (Select ALL that apply):

[ ] Acceptable Usage Policy

[ ] Password Policy

[ ] Information Classification Policy

[ ] Data Protection Policy

[ ] Wireless Policy

[ ] Physical Security Policy

[ ] Remote Access Policy

[ ] Access Control/Least Privilege Policy

[ ] System Change Policy

[ ] System Patching Policy

[ ] Incident Response Policy

[ ] None apply, agency does not have IT descriptions and policies

8. If your agency is Next Generation 9-1-1 capable and any of the following descriptions and policies listed in question 7 were not selected, please select the reason(s) and/or obstacle(s). (Select ALL that apply):

[ ] Cost

[ ] Time

[ ] Upper management

[ ] Staff constraints

[ ] Other, explain

9. Select the following software your agency currently runs on all servers and end user computers?

[ ] Anti-virus software

[ ] Spyware detection software

10. If you did not select one or both of the choices in question 10, please advise the reason(s) and/or obstacle(s) your agency has for not running anti-virus and/or spyware detection software on all server and end user computers?

[ ] Cost

[ ] Time

[ ] Upper management

[ ] Staff constraints

[ ] Other, explain

11. Does the agency have the following on file (Select ALL that apply):

[ ] Current network inventory

[ ] Current network schematic

[ ] Current annual internal network audits

12. If you did not select any of the choices in question 11, please advise the reason(s) and/or obstacle(s). (Select ALL that apply):

[ ] Cost

[ ] Time

[ ] Upper management

[ ] Staff constraints

[ ] Other, explain

13. What type of security awareness training and education standards does your agency currently require? (Select ALL that apply):

[ ] Employees engage in annual security awareness training

[ ] Employees or contracted individuals responsible for system and security administration receive current security training and certification on their assigned system(s)

[ ] Agency does not have a security awareness training policy for employees

[ ] Agency does not have a security training and certification for employees or contracted individuals responsible for assigned systems.

14. If you did not select any of the choices in question 13, please advise the reason(s) and/or obstacle(s). (Select ALL that apply):

[ ] Cost

[ ] Time

[ ] Upper management

[ ] Staff constraints

[ ] Other, explain

APPENDIX B.

NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY MANAGEMENT IN PUBLIC SAFETY COMMUNICATIONS CENTERS

Principal Investigator Natalie Yardley

PARTICIPANT INFORMED CONSENT

October 2011

Please read the following material that explains this research study. Completing this survey form will indicate that you have been informed about the study and that you want to participate. We want you to understand what you are being asked to do and what risks and benefits—if any—are associated with the study. This should help you decide whether or not you want to participate in the study.

You are being asked to take part in a research project conducted by Natalie Yardley, a graduate student in the University of Advancing Technology program of Information Assurance. This project is being done under the direction of Dr. Robert Morse, Program of Thesis Studies. Natalie Yardley can be reached at 913-426-5328 or [email protected].

Project Description: This research study is about examining information security management in public safety centers. The survey will collect information from 9-1-1 center managers in the United States about the current information security management landscape for public safety answering points (PSAPs). The researcher will analyze the answers provided with the National Emergency Number Association (NENA) Security for Next-Generation 9-1-1 Standards. The information gathered will provide valuable data about the current information security management posture for 9-1-1 centers at the dawn of a nationwide Next-Generation 9-1-1 implementation.

You are being asked to be in this study because of your leadership and management position at your agency. Your name and contact information were collected through your local Association of Public-Safety Communication Officials (APCO) chapter public website. It is entirely your choice whether or not to participate in this study. The benefit of your answers will provide vital information to the research.

If you agree to take part in this study, you will be asked to click the SurveyMonkey.com link provided in the email and answer a set of 10 questions. The questions will consist of either multiple choice or Yes or No answers. You will be required to answer all of the 10 questions to complete the survey. Once you have answered all questions, click the Done button at the bottom to submit your survey answers.

Participating should take approximately 10 minutes of your time. You will be asked questions about your agency’s 9-1-1 status/capabilities (e.g. Basic 9-1-1, Enhanced 9-1-1, Wireless Phase I) and if you have a designated IT/Network Administrator. The survey will ask if your agency has a written network security policy, provides computer security education training for employees, runs anti-virus and spyware software, conducts network backups, and has a disaster plan. The answers you provide will be collected anonymously through SurveyMonkey.com and will not be associated with your agency or your name. The answers collected from the survey will be used for the purpose of the study described in the Project Description.

Questions? If you have any questions regarding your participation in this research, you should ask the investigator before completing the survey. If you should have questions or concerns during or after your participation, please contact Natalie Yardley at 913-426-5328 or [email protected].

Authorization: I have read this project description about the study or it was read to me. I know that being in this study is voluntary. I choose to be in this study. I know that I can withdraw at any time.

Thank you very much for consideration and participation. It is greatly appreciated.