Information security survey: HK IT experts unimpressed

17.08.2005
By Stefan Hammond

Results of the Hong Kong Information Security Annual Survey were announced at a press conference in Hong Kong last month, with over 63 percent of IT professionals saying they feel that the general development of information security (IS) in Hong Kong is unsatisfactory, according to the survey authors.

The survey was jointly conducted by five IS-related professional bodies together with Sin Chung Kai, the Legislative Councillor representing the IT sector. The assemblage represents an ad hoc task force that was established in October 2004, and now operates under the auspices of the OGCIO and includes members from government bodies as well as Digital 21 Advisory Com members.

Frustration, confusion on IS front

Described as the first survey of its kind in Hong Kong to analyze IT professionals' views on local IS development, the survey was conducted from mid-April to June 2005 and polled over 170 members of the IT industry with IS professional qualifications, said the authors.

The scope of the survey covered the Hong Kong government's IS policy and initiatives, IT governance and IS standards, level of IS awareness in public and private sectors, as well as the development in computer forensics and law enforcement.

As outlined by representatives of the five bodies and Sin, who appeared together at the press conference, the survey reflects confusion and frustration for IT professionals on the government's efforts to promote IS within the HKSAR.

The highest marks for the Hong Kong government came when measured against other "regional economies," perhaps indicating that respondents were more confident in their neighbors' inabilities to handle similar problems than their own government's capacity to provide leadership.

Industry/govt cooperation

Frank Yam, chairperson of the Information Security Specialist Group of the Hong Kong Computer Society (HKCS-ISSG), highlighted the importance of communication between the HKSAR government and the IS industry. "The survey provided valuable information in understanding the needs and desires of IS professionals in Hong Kong," said Yam, who emphasized that the results could be used by the government as a basis to formulate corresponding IS strategies and policies.

"The security issue that concerned most of the [surveyed] IS professionals (91 percent) is the limited actions [taken to] promote the adoption of IT governance and IS standards," said Andy Ho, chairperson of the Professional Information Security Association (PISA). "Most companies and public organizations in Hong Kong, in particular, are not keen to deploy security standards. Over 90 percent of IT professionals believe that internationally recognized IT governance and IS standards, such as COBIT and ISO17799, are not well adopted in [either] the public [or] private sectors."

Ho said that given the role of Hong Kong as an international financial center, and the heavy reliance on information by corporations, it's alarming that the need for security standards has been overlooked. "An information security incident in one organization could very likely have a ripple effect across other critical infrastructures and systems," he said. "Any cyberattack can seriously damage our economy if current IS capabilities are not kept up-to-date with international practices."

IS professionals are also aware of the community's low level of IS awareness although IS training and education opportunities are widely available in Hong Kong. "Some 59 percent and 69 percent of the respondents viewed that security awareness remains at a low level in business sector and in the community respectively," said Ho. "Over 85 percent of IT professionals think that there is much room for improvement in raising security awareness."

The survey found that over 60 percent of the respondents do not think that Hong Kong has sufficient computer forensics facilities and law to cope with the current growth of computer-related crime. Ho commented that preventive measures on information security were substantially inadequate. "Nearly 80 percent of IS professionals consider current resources allocated by the government insufficient," he said. "Some 66 percent of respondents even think that there is no comprehensive and long-term IS policy in Hong Kong."

To improve the situation, Susanna Chiu, the president of Information Systems Audit and Control Association (ISACA) Hong Kong Chapter, urged the government to take an active role in building a safe and secure IT environment for both the local community and overseas investors. "Hong Kong's future success, as a leader in information security, requires a focused and dedicated approach," she said. "We believe the government should be an architect of IS infrastructure so that local critical infrastructure will be better coordinated and managed."

Chiu also called for stepped-up efforts to increase security awareness in the face of increasing phishing scams and security threats. "We think that it is of paramount importance for the government to promote actively the value of information security as the key in achieving Hong Kong's prosperity in the long run," she said, making the crucial link between the HKSAR's economic position and info security. "In particular, the government should be competitive in international involvement to enhance Hong Kong's branding as a leader in the area of information security," said Chiu.

"As professionals in the IS industry, we have an important role to play in lending our expertise and be the opinion leader to the government, business sector and local community to look at security issues and challenges," concluded Chiu.

Call for cybertraining

The five leading IS-related organizations, with the support of Sin Chung Kai, submitted a joint discussion paper to the government in Hong Kong in January 2005. The paper addresses IS issues across a broad range of topics, including: the role of government, IT governance and IS standards, R&D, forensics, collaboration with mainland China, and other crucial issues.

On the subject of security awareness, training and education, the paper said that most training and education opportunities available in Hong Kong are designed for IT professionals and IS practitioners and thus were not suitable for SMEs or the general public. "General awareness initiatives on how to take preventative measures to protect an individual or organization's sensitive/critical information and the way to react to IS-related issues in daily life are considered to be inadequate," it said.

The paper recommended that the HKSAR government: "Implant basic IS concepts through ethical education in primary and secondary schools. This can be achieved by including cyber ethics in the school curriculums, and will provide an established path for every citizen to build up a security sense and accountability from an early age."

Another recommendation: "Organize campaigns targeted to the general public, on a regular basis, to promote the need and importance of protecting information security assets. This can be achieved through producing more radio or TV program series."

Mainland collaboration

The paper declared that one of Hong Kong's competitive strengths is IT, especially in the area of IS. "At a time when investment growth in mainland China is accelerating and the reliance on IT is growing, Hong Kong companies in the IS industry can gain access to the massive China market by leveraging their strengths," it said.

According to the paper, IS can "serve as a bridge to add value to professional and business transactions between Hong Kong and mainland China, to enhance prosperity" on both sides of the border.

"With the concerted efforts of the government and the industry," concluded Sin, "I believe we will create a better IS environment in Hong Kong."