"While we're now emerging from the economic downturn, certainly here in the U.S. at least, there has been reduced investment across the enterprise and in information security in particular," Durbin says. "Enterprises are now playing catch up. Cybercrime, the malspace, those guys didn't suffer from the downturn."

"While individual threats will continue to pose a risk, there is even more danger when they combine, such as when organized criminals adopt techniques developed by online activists," he adds. "Traditional risk management is insufficiently agile to deal with the potential impacts from activity in cyberspace. While executives recognize the benefits and opportunities cyberspace offers, their organizations must extend risk management to become more resilient, based on a foundation of preparedness."

The ISF is a nonprofit association that researches and analyzes security and risk management issues on behalf of its members, many of whom are counted among the Fortune Global 500 and Fortune Global 1000. The ISF recently released Threat Horizon 2014, the latest in an annual series of Threat Horizon reports that forecasts the changing nature of the information security landscape. The ISF has predicted that both the range and complexity of information security threats will increase significantly over the next two years, and organizations must prepare now.

Durbin notes that security is no longer just a matter of protecting data and IP. Data breaches can have a material impact on brand and reputation--and ultimately stock price--Durbin says, making security a top-level matter for the business as a whole.

The report identifies three primary drivers of risk that organizations should focus upon over the next two years.