Master's Thesis project. This research examines the current information security management landscape of 9-1-1 public safety communication centers upon the beginning of nationwide Next Generation 9-1-1 initiated through H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008, which is the implementation of switching analog communication systems to Internet-Protocol (IP) communication systems, . The study draws upon the National Emergency Number Association Next Generation 9-1-1 security standards for a compliance survey for 9-1-1 agency information security and technology management evaluation. Also, a literature review of the implementation of managing Internet-protocol 9-1-1 communication technology and services will be presented. As well as providing the security standards, the study will determined current 9-1-1 agency status in terms of compliance or noncompliance to the of standards, as well as obstacles and challenges agencies face in achieving compliance. The primary finding was that no public safety answering point (PSAP) reported compliance and potentially serious barriers related to funding exist.
Gen AI in Business - Global Trends Report 2024.pdf
Next Generation 9-1-1: Examination of Information Security Management in Public Safety Communications Centers
1. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY
MANAGEMENT IN PUBLIC SAFETY COMMUNICATIONS CENTERS
by
Natalie J. Yardley
A Thesis Presented in Partial Fulfillment
of the Requirements for the Degree
Master of Science
University of Advancing Technology
March 2012
2. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION SECURITY
MANAGEMENT IN PUBLIC SAFETY COMMUNICATION CENTERS
by
Natalie J. Yardley
has been approved
March 2012
APPROVED:
ROBERT MORSE, Ph.D, Chair
GREG MILES, Ph.D, Advisor
AL KELLY, Advisor
ACCEPTED AND SIGNED:
__________________________________________
ADD NAME OF CHAIR, CREDENTIALS (ALL
CAPS)
3. Abstract
This research examines the current information security management landscape of 9-1-1 public
safety communication centers upon the beginning of nationwide Next Generation 9-1-1 initiated
through H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008, which is
the implementation of switching analog communication systems to Internet-Protocol (IP)
communication systems, . The study draws upon the National Emergency Number Association
Next Generation 9-1-1 security standards for a compliance survey for 9-1-1 agency information
security and technology management evaluation. Also, a literature review of the implementation
of managing Internet-protocol 9-1-1 communication technology and services will be presented.
As well as providing the security standards, the study will determined current 9-1-1 agency
status in terms of compliance or noncompliance to the of standards, as well as obstacles and
challenges agencies face in achieving compliance. The primary finding was that no public safety
answering point (PSAP) reported compliance and potentially serious barriers related to funding
exist.
4. Dedication
I would like to dedicate my thesis work to all the very dedicated 9-1-1 professionals, especially
from Atchison County Communications Center, Atchison, Kansas.
i
5. Acknowledgments
I would like to thank my Thesis Committee, particularly my Chair, Dr. Morse, for continued
guidance during the graduate thesis process. Also I want to give many thanks to my family, for
their patience with my writing, reading, and proofing marathon sessions behind closed doors.
ii
6. Table of Contents
Acknowledgments ii
List of Tables v
List of Figures vii
CHAPTER 1. INTRODUCTION 1
Introduction to the Problem 1
Background of the Study 2
Statement of the Problem 3
Purpose of the Study 3
Research Questions 4
Significance of the Study 4
Definition of Terms 5
Assumptions and Limitations 5
Nature of the Study 6
Organization of the Remainder of the Study 8
CHAPTER 2. LITERATURE REVIEW 9
CHAPTER 3. METHODOLOGY 26
Research Design 26
Sample 27
Setting 28
Instrumentation / Measures 28
Data Collection 29
Data Analysis 30
iii
7. Validity and Reliability 30
Ethical Considerations 31
CHAPTER 4. RESULTS 32
CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS 63
REFERENCES 80
APPENDIX A. PRE-NEXT GENERATION 9-1-1 IMPLEMENATION INFORMATION
SECURITY MANAGEMENT SURVEY 85
APPENDIX B. NEXT GENERATION 9-1-1: EXAMINATION OF INFORMATION
SECURITY MANAGEMENT PUBLIC SAFETY COMMUNICATIONS
CENTER PARTICIPANT INFORMED CONSENT 90
iv
8. List of Tables
Table A. Current agency 9-1-1 status/capability 36
Table B. Job title/role at agency 38
Table C. Current agency IT/Network administration description 41
Table D. Agency anticipation of employing/contracting an IT/Network administrator
who currently have none 43
Table E. Reason or obstacles for not employing/contracting IT/Network administration
if currently none 44
Table F. Type of IT descriptions and policies (first six categories) 45
Table G. Type of IT descriptions and policies (last six categories) 46
Table H. If Next Generation capable, reasons and/or obstacles for not having the
descriptions and policies in Table F.1 and Table F.2 49
Table I. Virus and/or spyware detection software on all servers and end user
computers 51
Table J. Reason and/or obstacles for agency not running anti-virus and/or spyware
detection software 52
Table K. Current inventory, schematic, and audit documents on file 54
Table L. Reasons or obstacles for not having network inventory, schematic, and/or
audit documents 56
Table M. Type of security awareness training and education standards currently in
place 57
Table N. Reasons or obstacles for not having staff security training and/or current
training/certification for IT administration 60
Table O. Agencies reporting compliance with NG-SEC 66
v
9. List of Figures
Figure 1. The population range of the agency's jurisdiction. 35
Figure 2. Current agency 9-1-1 status/capability. 37
Figure 3. Job title/role for small agencies. 38
Figure 4. Job title/role for medium agencies. 39
Figure 5. Job title/role for large agencies. 40
Figure 6. IT/Network Administration for small agencies. 41
Figure 7. IT/Network Administration for medium agencies. 42
Figure 8. Obstacles for not employing IT administration for small agencies. 44
Figure 9. IT descriptions and policies for small agencies. 47
Figure 10. IT descriptions and policies for medium agencies 47
Figure 11. IT descriptions and policies for large agencies. 48
Figure 12. Obstacles for not having the descriptions/policies for small agencies. 50
Figure 13. Obstacles for not having the descriptions/policies for small agencies. 50
Figure 14. Virus and/or spyware detection software for small agencies. 51
Figure 15. Virus and/or spyware detection software for medium agencies. 52
Figure 16. Obstacles for no anti-virus and/or spyware detection software for small
agencies 53
Figure 17. Current IT documentation for small agencies. 54
Figure 18. Current IT documentation for medium agencies. 55
Figure 19. Current IT documentation for large agencies. 55
Figure 20. Obstacles for complete IT documentation for small agencies. 56
Figure 21. Obstacles for complete IT documentation for medium agencies. 57
vi
10. Figure 22. Security awareness and training for small agencies. 58
Figure 23. Security awareness and training for medium agencies. 58
Figure 24. Security awareness and training for large agencies. 59
Figure 25. Obstacles for security training and education for small agencies. 60
Figure 26. Obstacles for security training and education for medium agencies. 61
Figure 27. Reported NG-SEC compliance by agency size. 66
Figure 28. Part-time or no current network administration by agency size. 69
Figure 29. Obstacles for not having full-time network administration for small
agencies. 72
Figure 30. Presence of malware in network traffic (Ponemon, 2009). 74
(Note: Do not remove the section break that follows this paragraph.)
vii
11. CHAPTER 1. INTRODUCTION
Introduction to the Problem
Technology has expanded the way society communicates, particularly in the last few
decades (Barbour, 2008). Today, cell phones are prevalent and have expanded the tools available
for individuals to get help from public safety agencies. In addition to voice communications over
the telephone wires, individuals can easily conduct voice and video conversations using
computers on either wired or wireless Internet networks. People can instantly send and receive
text, photos, and video from their cell phones. With the additional communication options
available to the public, the technical capabilities of 9-1-1 public safety communications need to
expand.
Society’s expectations and the reality of what the 9-1-1 systems should be able to handle,
are wide apart. One example is the Virginia Tech shooting in April 2007 when students
attempted to send text messages to 9-1-1, they were unaware the call center was not equipped to
receive such communications (Luna, 2008). Many hearing impaired callers rely on newer modes
of communication available on smart phone devices, yet cannot utilize them during an
emergency to contact a 9-1-1 system that is analog based (Kimball, 2010).
Another example of the need to upgrade capability to meet expectations is the fact legacy
9-1-1 equipment is unable to provide accurate location services. Of course, that service is now
widely available and many mobile and social networking services currently provide it according
to the National E9-1-1 Implementation Coordination Office (2009). Due to this wide gap of
expectation verses capability, the need for public safety communications to upgrade to match
consumer technology advancements is vital if the system is to continue to keep citizens safe.
1
12. In July 2008, H.R. 3403: New and Emerging Technologies 911 Improvement Act of 2008
(also known as the NET 911 Improvement Act of 2008) was signed into law to promote and
enhance public safety by facilitating the rapid deployment of IP-enabled 911 and E-911 services,
and encouraging the nation’s transition to a national IP-enabled (Internet Protocol) emergency
network, and improve 911 and E-911 access to those with disabilities. The initiative of
advancing 9-1-1 systems to IP technologies nationwide is known as Next Generation 9-1-1 (or
NG9-1-1). Currently, there is no definite date of completion for nationwide NG9-1-1. Also,
public safety organizations are independently planning and implementing NG9-1-1 technologies
(Kimball, 2011). Because of the vast technological changes and requirement of nationwide
standards, this lack raises concern about the way IP-based 9-1-1 systems are managed to
maintain their security and integrity, which is also evolving due to converting the closed analog
system to a connected Internet system (NENA, 2011). Given the size and scope of the project,
there is a need to monitor compliance capability.
Background of the Study
In the United States, the current 9-1-1 system is going through a transformation from
analog based systems to IP-based (Internet Protocol) systems (NENA, 2011). The analog 9-1-1
systems are not compatible with most of the current consumer technologies and converting to
digital systems will allow the variety of available consumer communication devices to work
within public safety systems. Next Generation 9-1-1 will allow for IP-base communication
technologies to be used, such as text messages, voice, photos, and videos over security Internet
points. Prior to the introduction of Next Generation 9-1-1, public safety communication systems
were not connected to other networks, which provided stronger security barriers from attacks.
With Next Generation 9-1-1, the barriers are significantly decreased through the internet-
2
13. protocol connections, making 9-1-1 a potentially appealing and vulnerable target. Thus,
information security management standards were established in February 2010 by the National
Emergency Number Association in order to address the technological changes of 9-1-1
communications. The National Emergency Number Association (NENA) Security for Next-
Generation 9-1-1 Standards (NENA, 2010) was established and all Next Generation 9-1-1 status
agencies are to comply with the standards immediately (NENA, 2010, p. 8). Therefore, the
relevance of this research is to establish the progress towards achieving this requirement. In
general, potential reasons for noncompliance can range from high costs, privacy issues, business
disruption, even though there may be penalties and legal issues, national security, and welfare
and safety of citizens. For public safety communications, it is critical for agencies to be and
remain compliant to keep communication services available and safeguard lives and information.
Statement of the Problem
The problem that will be explored in this study is the level of compliance or non-
compliance with information security management standards in the public safety
communications environment.
Purpose of the Study
The purpose of the thesis study is to ascertain if public safety answering points (PSAPs)
have information security management standards in place that reveal compliance or non-
compliance with National Emergency Number Association (NENA) Security for Next-
Generation 9-1-1 Standards (NENA, 2010) prior to nationwide Next Generation 9-1-1
implementation and to identify any needed next steps to reach compliance.
3
14. Research Questions
1. What are the Next Generation 9-1-1 information security management standards and
policies?
2. What percentage of agencies have Next Generation 9-1-1 status?
3. What percentage of agencies are compliant or noncompliant?
4. What are the obstacles and/or challenges for public safety answering points (PSAPs)
that are not compliant with public safety communication information security
standards?
Significance of the Study
Every project must be planned and, where possible, kept on schedule. 9-1-1 is a vital
societal system. The National Emergency Number Association (NENA), estimated in October
2011, 240 million calls were made to 9-1-1 in the United States annually (NENA, 2011, sec. 2,
para. 1). From those annual calls, at least one-third are wireless, and it is estimated that 26.6% of
all United States households currently rely on wireless communication as their primary services
(NENA, 2011, sec. 8). NENA has provided the national security standards and best practices for
public safety answering points with the National Emergency Number Association (NENA)
Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). The next step in the
project is to implement those standards so that public safety communications adapt to advancing
technology and consumer needs without compromising security. But, projects do not guide
themselves. To meet the need for nationwide security standards compliance managers need up-
to-date data regularly available. The study of compliance is significant in providing updated data
of security readiness as public safety communication agencies move forward, making the
4
15. transition from closed to open systems with Next Generation 9-1-1 with its ability to continue to
provide the emergency services required for citizens.
Definition of Terms
Next Generation 9-1-1. Next Generation 9-1-1 is an Internet Protocol (IP) based system that will
allow 9-1-1 public safety entities to receive and send such communications as text
messages, video, photos, and voice through secured Internet points on 9-1-1
communication systems (NENA, 2011).
Public Safety Answering Points (PSAPs). Public Safety Answering Points are 9-1-1 emergency
call centers that are staffed with trained 9-1-1 operators that receive emergency telephone
communications for law enforcement, fire, ambulance, and/or rescue services (NENA,
2011).
Data Transience. The explanation that data can be ever changing and provide a momentary
snapshot of what may be true at one point in time but not necessarily true the next time
data is collected.
Assumptions and Limitations
The research is a "naturalistic" or applied study. There are assumptions surrounding the
questioning technique used in the sample. It was assumed the responders had an appropriate
level of knowledge due to being designated as contact points within their organizations. The
questioning utilizes vocabulary presented in the National Emergency Number Association
(NENA) Security for Next Generation 9-1-1 standards or NG-SEC, which the sample should
understand. The questioning links sufficiently to the participant’s experience, again due to
utilizing the national standards that were created by 9-1-1 leaders (NENA, 2010). The researcher
also assumed that each participant will answer willingly and truthfully since the study did not
5
16. publish names of contacts or agencies, assuring confidentiality of any information shared.
Limitations of the thesis are of practicality, such as, researcher experience, time limit of study,
and university rules.
Nature of the Study
It is vital that Next Generation 9-1-1 technologies are both implemented and accessible
nationally to insure the growing demands of consumer technology and consumer mobility for
emergency services. However it is also essential for public safety answering points (PSAPs) to
be in compliance with security standards because of the openness of the evolving technology.
The study revolves around the security standards and data collected from agencies. The thesis is
an empirical study. Empirical research can be defined as research gained on experimentation,
observation, or experience (Classroom Assessment, 2011). Leedy (2010) points out “the
significance of data depends on how the researcher extracts meaning…” and “underlying and
unifying any research project is its methodology” (p. 6).
The thesis is also an evaluation study. Such studies require a researcher to specify a
criteria which in this instance are the National Emergency Number Association (NENA) Security
for Next-Generation 9-1-1 Standards or NG-SEC. Measurement will involve collecting data via
survey of a cross sectional sample of agencies in the United States and conducting a review of
the literature. As Leedy (2010) states, “measurement is ultimately a comparison and it is a tool
by which data may be inspected, analyzed and interpreted” (p. 25). The survey utilizes the NG-
SEC and serves as the measurement scale for the purpose of comparison and analysis of research
questions. The data collected are ever changing and only provide a momentary look at the Next
Generation 9-1-1 status and compliance or non-compliance of agencies sampled. Time, evolving
6
17. technology, consumer needs, agency obstacles, and future laws and standards, will inevitably
change data. Therefore, the data are “transient” (Leedy, 2010, p. 89).
The objectives of empirical research go beyond reporting observations. They promote an
environment for improved understanding, combine extensive research with detailed case study,
and prove relevancy of theory by working in a real world environment (Experiment Resources,
2011). The study provides analysis of data collected from public safety answering points
(PSAPs) in order to provide an examination of the written standards in real life application. The
case study method, as explained by Zainal (2007, p. 1) “enables a research to closely examine
the date within a specific context”. Yin (1984) further defines the method “as an empirical
inquiry that investigates a contemporary phenomenon within its real-life context” (p. 23) and by
utilizing a case study method in this study, not only will the data be explored, but also show
complexities of the real-life situations (Zainal, 2007, p. 4). When researching human activities, it
is important to capture contextual data and situational complexity. According to Leedy (2010)
“research conducted in more naturalistic but invariable more complex environments – is more
useful for external validity; that is, it increases the chances that a study’s findings are
generalizable to other real-life situations and problems” (p. 100). The field of study may be
unique and the human activities in the project require complexity as part of the research. Lorino
(2008) explains the situatedness of research in that “it takes place in a specific situation which
influences the view of the complex system” (p. 8).
The study identified the collective experience of agencies implementing a key technology
in the field. Each agency surveyed is itself a potential case study. Thus, there are multiple
individual surveys available for analysis. According to replication logic, if findings are replicated
through out the different agencies, more confidence can be placed on the findings and
7
18. generalizing beyond the original participants becomes possible. The rationale for this type of
analysis is supported by Yin (2009), who explains that replication logic is where the researcher is
looking for congruence that indicates increased confidence in the overall finding. Identifying
congruence between a standard and a practice is the heart of criterion referenced evaluation
research. Such studies not only provide data on the subject, but to also serve data driven quality
improvement reviews used in assessments of the development process.
Organization of the Remainder of the Study
In the following chapters, the researcher provides a literature review, methodology,
presentation of survey results, and concluding study discussion and recommendations. The
literature review describes the evolution of 9-1-1 to its current transition of Next Generation 9-1-
1. It also presents and discusses the information security management standard set forth by
National Emergency Number Associations (NENA) for public safety communication
compliance. In Chapter 3, the researcher provides the survey study methodology in which the
data will be collected and analyzed to explore the research questions. Chapter 4 present the
results and description of the data collected, following with a conclusion and recommendations
based on the researcher’s findings in Chapter 5.
8
19. CHAPTER 2. LITERATURE REVIEW
9-1-1, in the United States, is the number to call if citizens need help (NENA, 2011).
Whether the emergency requires medical, fire, or law enforcement, the three digit number is
supposed to be the one Americans contact for a quick response to a particular emergency
(Barbour, 2008). For the most part of the last four decades that 9-1-1 has been in existence, the
way citizens communicated to emergency services, with the exception of showing up in person,
was through the use of pay phones and residential landlines (Barbour, 2008).
It was a very straightforward analog system that gradually incorporated the phone
number from which the call was coming, the location of the call, and even a list of appropriate
emergency response units based on jurisdiction of the call. However, now in the age of the
Internet and a mobile lifestyle, this traditional 9-1-1 communication has continued to fall behind
in meeting the needs of the consumers. Especially with the increasing disappearance of fixed-line
communications (Luna, 2008). A particularly tragic example took place in 2008. A woman from
Tampa, Florida was kidnapped and called the local public safety communication center on her
mobile phone while the incident was occurring. The public safety communications center’s 9-1-1
was an analog system and her GPS-enabled (global positioning system) phone did not register
her location. Later, police found the dead woman’s body in a vacant home in a nearby town
(Bruce, Newton, & Vaughan, 2011, p. 8). If the local 9-1-1 system had been equipped with
Internet-Protocol technologies, the public safety communications center may have been able to
track her location through GPS and her life may have been saved. Certainly, the system did not
even permit that possibility.
Enter Next Generation 9-1-1, which is based on transforming the currently analog 9-1-1
communications system with an Internet-Protocol or IP-based system to allow 9-1-1 call takers
9
20. to receive the same location and unit information as they do now with landline or fixed-line
telephone systems. Public safety communication personnel would be able to communicate with
citizens and emergency respond units via text and mobile, as well as, to exchange photos and
videos through Internet Protocol (IP)-based communication (Lipowicz, 2009).
The very scope of nationwide Next Generation 9-1-1 implementation will take time and
there are obstacles and issues to work around and resolve. In 2008, the state of New York
conducted a 911 project to enhance wireless communication with a grant from the United States
Department of Transportation and National Highway Traffic Safety Administration. The project
found that technology was not the major obstacle in enhanced wireless deployment. Though
some technical issues may slow the progress, funding for technological upgrades is the most
pressing obstacle (Bailey & Scott, 2008). Of course, this was the year when a major financial
problem engulfed many countries so it is understandable the study reported that many public
answering points did not have sufficient funds for enhanced wireless communication upgrades.
Ultimately this need for finances has prolonged the time needed to complete the project. The
New York study provided examples of obstacles for Enhanced Wireless technologies, which
involve cellular 9-1-1 communications for Wireless Phase I and Wireless Phase II
implementation and not Internet-Protocol technology that are the required for Next Generation 9-
1-1 (Bailey & Scott, 2008). However, the funding comparison can be made for obstacles 9-1-1
entities face in upgrading the national 9-1-1 system. If agencies have issues with funding for
cellular wireless technologies of Wireless Phase I and Wireless Phase II, which still utilize the
analog systems, they may have same issues with Next Generation 9-1-1 funding.
10
21. 9-1-1: Past and Present
In order to understand and discuss the current changes of today’s 9-1-1 systems, it is best
to briefly review where and how 9-1-1 began and the current types of 9-1-1 services. Jason
Barbour’s article (2008) explained the first official 9-1-1 call was on February 16, 1968 in
Haleyville, Alabama and provided an overview of the 40 year history of 9-1-1, from the
inception in 1967 to the current day. Mr. Barbour’s historical perspective told how the
technological advances through out the years have benefited the profession of saving lives.
Barbour also observed that keeping up with consumer technology has always been a challenge
and that some of the difficulty has been with the lack of synchronicity between the public and
private sectors. It is also important to note the humble beginnings of the first 9-1-1 call in the
small town of Haleyville, Alabama. Barbour illustrated the importance of modest technological
strides from the thousands of public safety agencies nationwide.
According to the National Emergency Number Association or NENA’s website (2011),
the different types of 9-1-1 Systems readily used now are Basic, Enhanced, Wireless Phase I, and
Wireless Phase II. Basic 9-1-1 is when the three-digit number is used, and either a voice or a
Telecommunication Device for the Deaf (TDD) is received by the local public safety answering
point (NENA, 2011, sec. 3). Enhanced 9-1-1 builds on the basic service, but additionally
provides dispatchers the caller’s location, phone number, and the PSAP responder information
for the caller’s address (NENA, 2011, sec. 4). It is important to understand that both Basic and
Enhanced 9-1-1 only apply to landline phones, not wireless (NENA, 2011, sec. 4).
With wireless, the reality of what is displayed or the information available to the public
safety answering point (PSAP) can be different than that of the wireline or landline 9-1-1 call.
The National Emergency Number Association’s website (NENA, 2011) continued to explain the
11
22. next two phases, wireless Phase I and Phase II. Under Wireless Phase I only the cell phone
number displays (NENA, 2011, sec. 5) and Wireless Phase II provides the cell phone number
and the location of the caller (NENA, 2011, sec. 6). A critical point to remember regarding
Wireless Phase II, is that a caller’s location is based on the closest cell towers. Depending if the
caller is located in an urban or rural area. In rural areas there can be quite a distance between
towers.
Voice over Internet Protocol (VoIP) is spreading rapidly with consumers and the 9-1-1
communities have only begun to complete Enhanced 9-1-1 capabilities for VoIP 9-1-1 (NENA,
2011). The Federal Communications Commission or FCC websites’ (2008) discussion of VoIP
9-1-1 services explained that since the communication uses Internet protocol as opposed to
traditional analog systems, not all VoIP services connect through 9-1-1. Next Generation 9-1-1
or NG9-1-1 would address the issue of 9-1-1 and VoIP capability since NG9-1-1 provides public
safety communication agencies with Internet-Protocol based systems. According to the National
Emergency Number Association’s NG9-1-1 Transition Plan (NENA, February 24, 2011), NG9-
1-1 has begun with the prerequisite of deploying IP networks in some areas already occurring
and with vendors developing NG9-1-1 equipment. However, the organization does address
“NG9-1-1 will be a journey that will be realized at different rates within various parts of North
America, based upon state/province, local implementation and stakeholder environments” (p.
15).
Current 9-1-1 Usage
Current 9-1-1 statistics are provided by the National Emergency Number Association
(NENA) website under the category of Public & Media (2011, November 12):
United States has 6,130 primary and secondary public safety answering point (PSAP) and
12
23. 3,135 Counties which include parishes, independent cities, boroughs and Census areas.
Based on NENA’s preliminary assessment of the most recent FCC quarterly filings:
97.7% of 6,130 PSAPs have some Phase I
96.0% of 6,130 PSAPs have some Phase II
94.1% of 3,135 Counties have some Phase I
91.8% of 3,135 Counties have some Phase II
98.1% of Population with some Phase I
97.4% of Population with some Phase II
Phase I and II is not provided 100 percent nationwide. It is estimated that about 20% of
households in the United States do not use landline phone services; instead they rely on wireless
services only (NENA, 2011, sec. 1).
There are a few agencies throughout the United States, such as King County in
Washington and Rochester in Monroe County, New York, that use portions of Next Generation
9-1-1 technologies by either working as a test public safety answering point (PSAP) or with a
very small percentage of Internet Protocol (IP)-based technologies working alongside the main
analog systems (Intelligent Transportation Systems, 2009). Black Hawk County, IA is the first
PSAP to allow text messages to be sent directly to 911, though it is only through one wireless
provider (Mannion, 2009). Charlotte County Florida received a Florida State grant and is using it
to begin implementing different Next Generation 9-1-1 capabilities (Hamilton, 2009). The U.S.
Department of Transportation (2009) tested various IP-based technologies with five public safety
answering points (PSAPs) who gathered the information that assisted the 9-1-1 communities like
National Emergency Number Association (NENA) and Association of Public Safety Officials
(APCO), along with the government officials to develop nationwide plans.
13
24. The United States government is a very important part of the development of regulations
for 9-1-1 technologies. From 9-1-1’s first inception in 1967, by the President’s Commission on
Law Enforcement Administration of Justice (Barbour, 2008), to continuous active pursuits of
legislations, through most recently, the ENHANCE 911 Act of 2004 and NET 911 Improvement
Act of 2008, which address the concerns raised by emerging technology and how it affects the
services of 9-1-1 (Moore, 2009). It is clear from these governmental actions that it has been
working to improve its 9-1-1 services with the evolving technology.
In February 2010, National Emergency Number Association (NENA) published the
NENA Security for Next-Generation 9-1-1 Standards or NG-SEC (NENA, 2010). Many industry
experts from a variety of private and government sectors contributed to the security standards to
address the needs of Next Generation 9-1-1 (NG9-1-1) technologies. The standards are in place
to “establish the minimal guidelines and requirements for the protection of NG9-1-1 assets or
elements within a changing business environment” and to “impact the operations of 9-1-1
systems and PSAPs as standardized security practices” (p. 1). Also, all NG9-1-1 entities will be
required to understand, implement and maintain the new standards and requirements, and that
requirement is effective immediately. Any vendor who presents devices, future applications or
technologies for 9-1-1 systems are also to be in compliance with NG-SEC. In August 2011, the
Federal Communications Commission (FCC) announced it still had to consider “how to ensure
adequate broadband infrastructure to deliver the bandwidth PSAPs will need to provide NG9-1-
1. As part of the NPRM, the FCC will examine interim solutions for ensuring that
carriers/service providers support transmission of text-to-911” (Genachowski, 2011, p. 1).
14
25. The Future: Next Generation 9-1-1 and Security Issues
At the moment, the technologies that may be used for Next Generation 9-1-1 capabilities
are Internet protocol (IP) voice, video, instant messaging (IM), short messaging (SMS), data, and
telematics (Luna, 2008). Although the Luna article was written in 2008, 9-1-1 systems remain
limited. The Federal Communications Commission (FCC, 2008), stated some of the issues with
voice-over Internet protocol (VoIP) 9-1-1 are those calls may not connect to the public safety
answering point (PSAP), or may improperly ring to the administrative line of the PSAP, which
may not be staffed after hours, or by trained 9-1-1 operators. VoIP calls may correctly connect to
the PSAP, but not automatically transmit the user’s phone number and/or location information.
VoIP service may not work during a power outage, or when the Internet connection fails or
becomes overloaded. This can be a problem for citizens, when many times emergencies occur in
masses or when the power is out. Because of these issues, there are efforts to include enhanced
VoIP (Kim, Song & Schulzrinne, 2006) that address things like language-based call routing, and
the ability for 9-1-1 operators to call back a disconnected call (FCC, 2008).
Further considerations with voice-over Internet protocol (VoIP) deal with the added
security required on networks that will need to accommodate VoIP and not just data-only
networks. Added cost to 9-1-1 agencies are the reality for additional power backup systems,
firewalls, 9-1-1 answering software for VoIP and other IP based communications. Not only
would new equipment and software need to be installed to accommodate IP-based technologies
specific to 9-1-1 communications, but also routine testing would need to take place to insure
system security and would require adequate staff to manage the systems to allow for 24/7
uptimes (NIST SP 800-58). 9-1-1 entities would need to continue to meet demands of evolving
15
26. technology for upgrades and possible loss of 9-1-1 service if a disaster were to occur within the
9-1-1 center. In short, there remain technical problems in addition to financing concerns.
A view of risk and security issues is through Lynette Luna (2008), who took the social
approach on how consumer technologies and the lack of integration with the current 9-1-1
systems, may effect emergency situations. She used well-known incidents, such as the Virginia
Tech shootings, to make a strong argument showing the ability of 9-1-1 centers to accept text
messages could have possibly saved lives. For the purpose of risk assessments to upgrading to
next generation 9-1-1, it is good to have a social perspective of 9-1-1 technologies, because
ultimately the point is to provide safety and security to citizens (Luna, 2008).
Hilton Collin’s (2008) states that a Next Generation 9-1-1 technology that is attractive to
public safety answering points (PSAPs) for cost savings and shared resource solutions is
virtualization. 9-1-1 agencies could consolidate servers and desktops, requiring less hardware
purchases and conserve energy. It also allows for network administrators to manage upgrades
and installs from one console, saving time and money. Also virtualization software can allow for
application testing before installing on a live system. This would benefit agencies by not
compromising 9-1-1 communication applications and save costs toward network administration
that would need to bring system and services back up immediately (TechSoup.org, 2011).
It is possible that this is another example of a solution that creates additional problems.
The savings imply fewer personnel needs as well. In addition, there are security risks that come
with a virtual environment. Hilton Collins (2008) discusses information about virtualized and
non-virtualized environments as a whole, as well as some best practices for protecting virtual
networks from cyber-attacks. The main concern is that virtualization in government agencies,
particularly public safety and law enforcement, will bring greater exposure for exploits and
16
27. security breaches by introducing “a new layer of software on top of the host machine or system,
which creates additional infrastructure to manage and secure” (Collins, 2008, para. 2). The
article elaborated the risks involved with virtual networks, like hackers, and illustrates that
attackers seek out poorly configured and exposed servers. Collins advised that potentially all
systems that are interconnected with the agency could be compromised. It only takes one open
network machine to be a possible threat of opening the door to a secured system or systems
(Collins, 2008). Costs that could be incurred with one breach of security could be limitless
depending on amount of staff to bring critical systems back up, amount and type of data loss, and
legal action costs as a few possibilities.
Another change from Next Generation 9-1-1 that Douglas (2008) discussed is that
dispatchers will need to use a whole other set of sensory skills in addition to what they use now
to perform duties. Currently the information received is heard, either by the caller’s actual voice
or from a relay service for the hearing impaired. In the future, it will rely more on visual
information, rather than audible. The visual format makes completing interactive functions while
multitasking by the dispatcher harder because the cognitive load or attention requirements of
human beings vary. The additional multitasking from staff can raise training cost and cost to
obtain and keep trained staff. Douglas (2008) also touched upon how 9-1-1 Centers will have to
re-evaluate their training curriculums and even hiring processes to adapt to the changes. These
personnel and training issues could be looked at as vulnerabilities and could then be exploited by
individuals or organized groups (Douglas, 2008). Many times the weakest link in security is the
people that use the system (Breithaupt & Merkow, 2006). If staff are not trained properly or do
not have the required skills to use Next Generation 9-1-1 technology systems and software, this
could create a vulnerability to the whole system.
17
28. Current Information Security Management
Information Technology implementation in 9-1-1 public safety communications can be
slow in adaptation especially when compared to consumers and the corporate sector (Barbour,
2008). As stated by Chairman Genachowski (2011), “no single governing entity has jurisdiction
over NG911…” and “the FCC will work with state 911 authorities, other Federal agencies, and
other governing entities to provide technical expertise and develop a coordinated approach to
NG911 governance” (sec. 3, para. 4). Lynette Luna (2008) stated in her article that an individual
“calling a catalog company to order goods such as clothing, the call-taker would have better tools
than the typical 911 call-taker — who is dealing with life and death situations” (p. 4). Luna noted
that one reason may be due to budgets and jurisdictional matters, such as funding issues,
regulatory amendments, and state regulations that stipulate 9-1-1 component usage. Luna (2008)
also mentioned that the transitioning to Next Generation 9-1-1 technologies would be an ongoing
process through changes in software, databases, and workers’ procedures. In October 2008 the
United States and global economy suffered and it continues to struggle over concerns over
American and European debt issues (Arizona State University, 2011). Local governments have
tightened their financial belts and the additional cost of upgrading 9-1-1 infrastructures and
maintenance, though a necessity, is none too appealing in the current economic climate. With
the country’s economic climate and with those changes that Luna mentioned (software,
databases, and workers’ procedures), the information security management would seem to also
need to adapt to the changes.
According to the publication “Principles of Information Security: Principles and
Practices”, the major categories of computer crimes are as follows: Military and Intelligence
Attacks, Business Attacks, Financial Attacks, Terrorist Attacks, Grudge Attacks, and “Fun”
18
29. Attacks. To break down each category, their definition (Breithaupt & Merkow, 2006) and how it
could apply to 9-1-1 IP systems are accordingly listed:
Military and intelligence attacks: Criminals and intelligence agents illegally obtain
classified and sensitive military and police files.
Business attacks: Increasing competition between companies frequently leads to illegal
access of proprietary information. As much as it may be hard to believe, this
could include competing public safety venders.
Financial attacks: Banks and other financial institutions provide attractive targets (p.
143).
Obviously 9-1-1 is not a bank or financial institution in the direct sense, but it is a government-
funded entity that could be attacked. Though financial gain would not be the end result, causing
significant financial harm could be a motive. Breithaupt & Merkow continue to list and explain
major categories of crimes:
Terrorist attacks: Terrorist attacks could be executed for either a direct or indirect attack
on a 9-1-1 system. An indirect example would be an attack targeted in one geographical
area to pull sources away, so the intended target would be vulnerable. It could also
involve one system or a large-scale attack of several systems either simultaneously or
consecutively.
Grudge attacks: This could come in the form of either a disgruntled employee or citizen
seeking revenge against the specific agency or even just against law enforcement or
government entities in general.
Thrill attacks: hackers penetrate the system just for the “fun of it”, bragging rights, or
simply for a challenge (2006, p. 143).
19
30. To conclude the risk portion, there, of course, is the continued threat of viruses and
malware as with any IP network. However, instead of only affecting a computer-aided dispatch
software program that could quickly be exchanged with an internal closed legacy system or even
a paper system for back up purposes, a 9-1-1 communications system would not be as easily
replaceable or have much allowances for any down-time, even temporarily, due to a virus or
malware issue. Daily vulnerabilities of network infection and system outage on a vital system
such as 9-1-1 make any loss of service an issue of public safety.
The National Emergency Number Association (NENA, 2011) website had a plethora of
documentation, guidelines, requirements and standards that addressed a variety of technology
and equipment implementation, connectivity, and functionality issues, which were more
appropriate for a systems administrator. Though system administrator policies and standards and
practices may include “security controls, information classification, employee management
issues, and corresponding administrative controls” (Berithraupt & Merkow, 2006, p. 43), which
apply to information security, none were specific to current 9-1-1 public safety communication
entities during an initial literature research. However, in February 2010, NENA organized and
published a set of national standards specific to Next Generation 9-1-1 security objectives for 9-
1-1 entities, titled National Emergency Number Association (NENA) Security for Next-
Generation 9-1-1 Standards (NENA, 2010) or also known as NG-SEC, which will be discussed
in more detailed in this chapter. Before the creation of NG-SEC, though, no national standard or
policy was in place for 9-1-1 agencies.
Next Generation 9-1-1 Information Security Management
The researcher investigated the literature specific to Next Generation 9-1-1 information
security management standards. The National Emergency Number Association advised the
20
31. purpose of the National Emergency Number Association (NENA) Security for Next-Generation
9-1-1 Standards was to “establish the minimal guidelines and requirements for the protection of
NG9-1-1 (Next Generation 9-1-1) assets or elements within a changing business environment”
(NENA, 2010, p. 7). The national public safety communication organization published the
document to provide standardized security practices for Next Generation 9-1-1 technologies, but
explained that it is a work in progress and the document is in its first version with revisions to
come to accommodate future issues (NENA, 2010). Technical requirements, upgrading and/or
replacing equipment, will incur costs to agencies. Readiness and available funds may also vary
with each 9-1-1 entity.
The document scope covered public safety answering points (PSAPs), Next Generation
9-1-1 ESINet, Next Generation 9-1-1 service providers, Next Generation 9-1-1 vendors,
contracted services, and any individual or group who use, design, have access to, or are
responsible for Next Generation 9-1-1 assets (NENA, 2010). Like Breithaupt and Merkow
(2006), the National Emergency Number Association (NENA) document listed roles and
responsibilities of individuals specific to NG9-1-1 security and similarly concluded that
ultimately security is “everyone’s responsibility” (NENA, 2010, p. 11). When it came to
security policies, NENA stated that it is the first step in any effective attempt in the
implementation of a security program (NENA, 2010).
The National Emergency Number Association (NENA) further explained the minimum
standards shall have a senior management statement (or an organizational security statement),
functional policies, and procedures. It continued to detail each section, starting with the senior
management statement policy. NENA emphasized that “senior management must be engaged
and committed to maintain highly effective security so the rest of the staff can be able to do their
21
32. part” (NENA, 2010, p. 11). As the National Emergency Number Association document stated,
security is “everyone’s responsibility” (NENA, 2010, p. 11) and senior management is not
exempted. The absolute minimum that should accompany the senior management statement is
two items: identify person responsible for security (even though it technically is everyone’s
responsibility) and provide a written description of the security goals and objectives of the Next
Generation 9-1-1 entity (NENA, 2010).
To compare this with information security management standard practices in realms
outside of 9-1-1 public safety communications, the book by Breithaupt and Merkow (2006),
provided an overview of information security management through security principles and a
common body of knowledge used in private and public industry. They explained that “setting a
successful security stage” with “effective security policies can rectify many of the weaknesses
from failures to understand the business direction and security mission and can help to prevent or
eliminate many of the faults and errors caused by a lack of security guidance” (Breithaupt &
Merkow, 2006, p. 60).
The Next Generation 9-1-1 information security management standards documentation
(NENA, NG-SEC, 2010) stated that it is to provide a “deeper level of granularity after creating
an executive management statement” (NENA, 2010, p. 12). The document gave a list of some
examples of what may be contained in it: “acceptable usage policy, authentication/password
polices, data protection policy, wireless policy, physical security policy, remote access policies,
hiring practices, security enhancements or technology, baseline configurations for workstations,
standards for technology selections, and incident response policy” (NENA, 2010, p. 12). The
procedures section included documentation that provided the “method of performing a specific
task” (NENA, 2010, p. 12), such as creating new user accounts or how vendors would be
22
33. allowed access to the server room. This complimented common body of knowledge (Breithaupt
& Merkow, 2006) and practices that private and government industries (ISO/IEC 27001, 2005),
outside of 9-1-1 public safety communications, utilized for information security management.
Obstacles and Solutions for Next Generation 9-1-1 Information Security Management
When information was collected for possible standards as they applied to various aspects
of Next Generation 9-1-1 operations, a mixture of obstacles and possible solutions were found.
In Merrill Douglas’ article (2008), she explained some problematic issues from the 9-1-1
operator’s perspective regarding Next Generation 9-1-1 and now 9-1-1 information will be
received in the future. Douglas explained that currently the information received is heard, either
by the caller’s actual voice or from a relay service for the hearing impaired. In the future, it will
rely more on visual information, rather than audible and a whole set of sensory skills will need to
be used and it makes performing interactive functions while multitasking much harder (Douglas,
2008). The article also discussed how 9-1-1 Centers will have to re-evaluate their training
curriculums and even hiring processes to adapt to the changes. Lack of training for staff creates
vulnerabilities and could then be exploited by individuals or organized groups (NIST SP-800-
50), as well as be related to the risk assessments of the future 9-1-1 systems and that the effects
of security are significant because people are usually the weakest link (Douglas, 2008).
Mary Rose Roberts (2009) brought up consolidation of Next Generation 9-1-1 enabled
public safety answering points (PSAPs) and illustrated both economical and shared resource
benefits. She explained that technology improvements are growing exponentially and even
though costs were lowering, still it behooved agencies to share resources to save money, as well
as the benefit of sharing intelligence. The year before the standards were developed, Robert
(2009) was asking, “if it's next generation compliant, what does that mean? We haven't defined
23
34. what next generation is totally, so how can you be compliant to a standard that may not even
exist yet…" and "as a result, we don't believe every PSAP in this country is going to go to an
NG911 environment any time in the very near future” (p. 23). Merrill Douglas (2009) also
addressed consolidation cost benefits for PSAPs, which then helps with the burden of costs and
provides better redundancy by switching to an IP network.
Craig Whittington (2009) explored the public's expectations of 9-1-1 services and the
difference in what is reality. In his article, he stressed if the public's perception and the reality of
9-1-1 do not agree, it can be more than a public relations problem; it can put lives at risk. From
that perception issue, the article illustrated what Next Generation 9-1-1 can provide. Like shared
networks, new and different ways to communicate with callers and responders, as well as an
increased capacity to transmit and disseminate information. Mr. Whittington additionally
emphasizes the most vital part of 9-1-1 systems (now and in the future), are the 9-1-1 Operators
and Dispatchers. It is a very important to make sure that personnel are well trained and at ease
with the new responsibilities and technologies. Not only will it be a challenge to re-evaluate
training curriculums, but also how to do it with continuing decreased budgets. The continued
significance of operators in the 9-1-1 center is that they can become the weakest link in the
overall network risk management. In order to acquire the benefits discussed earlier, this article
illustrates the importance of making sure competent employees are hired and retained, as well as,
trained in the most current technologies, important issues in risk assessments (Whittington,
2009).
Conclusion
As the technology of 9-1-1 continues to evolve into Next Generation 9-1-1 systems,
information security management in public safety communications will need to evolve as well to
24
35. meet the needs of various technologies, consumers, and 9-1-1 staff. Matters of funding,
governance, reliability, and security surround the project and the changes that current 9-1-1
public safety answering points (PSAPs) have and will be experiencing in the near future. It
provided a summary of the National Emergency Number Association (NENA) Security for Next-
Generation 9-1-1 Standards that agencies will be required to be compliant with Internet-protocol
based technologies. It also illustrated some challenges PSAPs will have due to the Next
Generation 9-1-1 evolution. Against this background the researcher delved into the real-life state
in which the PSAPs are currently compliant, either operating at Next Generation 9-1-1 status or
before utilizing Internet-protocol technologies.
25
36. CHAPTER 3. METHODOLOGY
Research Design
The study was a non-experimental, Mixed Method study because it included both verbal
and numerical data. The study had a two stage design. There was secondary data gathered in a
review of the literature as well as primary data collected to answer the research questions. The
research design was an evaluation study being conducted to evaluate compliance with security
standards of Public Safety Answer Points (PSAPs). The study was descriptive and illustrated
aspects of agencies considered to be representative. It was also exploratory because the standards
used to evaluate compliance were relatively new and the information collected was intended to
help develop future more focused understandings of PSAP needs required for support in
achieving compliance. The topic was new and little understood, so an exploratory project was
appropriate.
Published response data for the survey’s questions served as benchmarks for the purpose
of comparison and analysis of this study’s questions. Thus, a criterion-based design was used.
The standards were the criteria and in this design they provided the hypothesized situation
against which this study was performed, as well as the standard of judgment for success or
failure, and they provided a stable platform that enabled the researcher to decide whether the
conclusions of this and other studies were relevant so that a pattern matching strategy could be
employed, as explained by Yin (2009).
The study was field based using only publically available online membership contact
information of either state or regional chapters of Association of Public-Safety Communications
Officials (APCO) and National Emergency Number Association (NENA), both not-for- profit
professional organizations for public safety professionals. According to NENA (2011), the
26
37. United States has 6,130 primary and secondary public safety answering point (PSAP). For the
purpose of this study and based on the time and resources available to the researcher, obtaining
6,130 agency contacts would not have be feasible. However, utilizing an Internet search of
publically available members of state or regional APCO or NENA chapters to collect at least one
or more agency contacts, representing 50 states in order to examine the study nationwide was
achievable. The online search produced a list of 225 individual agency contacts, including a
name for point of contact, e-mail address, and agency phone number. The study consisted of a
one time survey, sent to each 225 agency contact and was a cross sectional study. The survey
was self administered by email and the researcher utilized survey services through Survey
Gizmo.
Sample
The study utilized a cluster sampling technique. Leedy (2010) explains this technique is
appropriate when “the population of interest is spread out over a large area” (p. 209). The 225
agencies were the population units, i.e. the clusters. They were classified by size of population
each agency serves utilizing 2010 United States Census information. The sample was stratified
into three segments: small (serving 1-99,999 population), medium (serving 100,000-499,999
population), and large (serving 500,00 or more population). Of the 225 agencies, the following
counts and percentages were present in this survey study: small (125 agencies, 55%), medium
(71 agencies, 32%), and large (29 agencies, 13%).
All survey methods have weaknesses in the survey method. For example, participants may
have wanted to reflect compliance, when in fact, they were not, or their responses may have been
based on their understanding of the question and standards, which could in fact be a
misunderstanding (Colorado State University, 2012). The survey referenced the industry
27
38. accepted security standards for the survey questions and the researcher had to trust that all
agencies were familiar with them and how it applied to their specific agency in order to
accurately provide information for the study. Another issue, non-response, was present for
possible reasons. (Cooper, 2008, p. 257) For example, the contact information may not have
been accurate or been addressed to the person in which the survey would have best able to
answer in the context of the compliance survey. Use of an official association was intended to
reduce issues related to contact information. Also it was difficult to secure a large amount of the
selected agencies to respond to the survey. First, the initial contact was through the e-mailed
survey and the researcher and educational institution, not representing a public safety
communications organization or government agency, was relatively unknown to the public safety
communication centers. Or, there may have been restrictions on the agency the researcher was
unaware of. A telephone follow-up to non-responders was used to increase the pool of available
responses.
Setting
The thesis study was conducted as a field setting. The 225 agencies consisted of city,
county, or state entities and were subject to a variety of regulations. They have been described
elsewhere.
Instrumentation / Measures
The instrumentation used was an online survey that was emailed to 225 individual agency
contacts. Measurement of the current 9-1-1 status/capability was categorical: Basic 9-1-1,
Enhanced 9-1-1, Wireless Phase I, Wireless Phase II, and Next Generation 9-1-1. Categorical
measurement was made of respondent job title/role within their agency through three categories,
9-1-1 Supervisor (middle management), 9-1-1 Manager (upper management), 9-1-1 IT/Network
28
39. Administrator (technical management). There was also an “Other” category for main job
title/role if the three did not apply to the individual. Other measures focused on compliance
standards.
The researcher used the National Emergency Number Associations (NENA) Security for
Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010) to develop
the survey questions in order to gather information about the security landscape of 9-1-1 public
safety communication agencies at the dawn of Next Generation 9-1-1 nationwide
implementation. The first set of questions, questions 1 through 3, provided population range,
current 9-1-1 status/capabilities, and participant’s job tile/role. Questions 4 through 6 focused on
the agency’s Network Administration landscape. In questions 7 through 14, the participant
selected each security policy and standard that was currently in place at their agency and
provided obstacle explanations if applicable. Each security policy and standards question
reflected a security standard presented in the National Emergency Number Associations (NENA)
Security for Next-Generation 9-1-1 Standards (National Emergency Number Association, 2010).
Data Collection
Data collection in this study was subject to time constraints. Specifically, data collection
was limited to a three week period in November. Data collection included content from the
review of literature and survey agency sample. The literature provided the compliance standards
with the National Emergency Number Associations (NENA) Security for Next-Generation 9-1-1
Standards (National Emergency Number Association, 2010) and the NENA website of 9-1-1
basic statistics supplying amount of public safety answering points (PSAPs). An email was sent
to 225 9-1-1 public safety agencies from the list of Association of Public-Safety Communication
Official (APCO) and National Emergency Number Association (NENA) members. The
29
40. researcher followed up with a phone call to the agencies. The researcher exported survey data
from the Survey Gizmo report dashboard of all respondents for data review and analysis.
Data Analysis
Data was analyzed using both logical reasoning and descriptive statistics. The data
presented used a question format. The questions supplied agency size and current agency 9-1-1
status or capability, illustrated by pie charts showing percentage of small, medium, and large
agencies and bar graphs for 9-1-1 status. In addition, to various charts and graphs, tables were
used to further analyze the data from each survey question and provided total counts and
percentages of each agency population size and total agency responses.
Validity and Reliability
Classroom Assessment (2011) states that “reliability and validity are two concepts that
are important for defining and measuring bias and distortion” (sec. C, para. 1) with reliability
referring to the “extent in which assessments are consistent” (sec. C, para. 2) and validity as the
“accuracy of an assessment” (sec. C, para. 5) even if it does not measure what is to be measured.
The survey questions mirrored the compliance standards. This established the content validity of
the questions. Another way of determining validity was the use of expert judgment. Therefore,
the committee reviewing this research was another check on validity.
Another approach of validity was through triangulation. Leedy (2010) describes
triangulation as collecting data from multiple sources “with the hope they will all converge to
support a particular hypothesis or theory” (p. 99). It is common in qualitative designs to use
different sources of data as support for the researcher’s confidence in the conclusions presented
in Chapter 5.
30
41. Ethical Considerations
The researcher conducted the survey by questioning individuals managing 9-1-1
communication systems with the following ethical considerations. There are four categories of
ethical consideration in research studies (1) Do no harm (2) Informed Consent (3) Right to
Privacy (4) Honesty.
Do no harm is a broad ethical category. It includes not asking sensitive questions
that would possibly injure an individual’s employment status. Security is a sensitive issue
and a discussion of security issues under some circumstances might be interpreted as “sensitive”.
For that reason data is collected in ways that do not reveal the individual; replies and participants
are clearly informed about their right not to participate.
Specifically, to meet the need for full disclosure, each 9-1-1 participant was informed of
the intention of the study (copy in appendix B), which was to provide an academic snapshot of
compliance through literature review and a survey of public safety answering points (PSAPs) to
complement existing research and discussions of Next Generation 9-1-1 within the public safety
communication realm and provide a platform for further dialogue and study on specific Next
Generation 9-1-1 information security management goals and practices. The researcher was
aware of the ethical demand for honesty in data collection.
In addition, the participants who complete the survey did not have their personal identity
or the identity of the agency revealed. None of the questions in the survey requested information
that identified a specific person or agency, or put them in any harm. All information collected for
the study was confidential to the research through the Survey Gizmo data collection and used
only for the purpose of the academic thesis study.
31
42. CHAPTER 4. RESULTS
Introduction
This chapter presents the data gathered from the surveys from public safety answering
points (PSAPs). The survey was sent to 225 agencies stratified by population size. The purpose
of the survey was to gather data needed to answer these questions:
1. What percent of agencies have Next Generation 9-1-1 status?
2. What percent of agencies are compliant or noncompliant with standards?
3. What are the obstacles and/or challenges for public safety answering points (PSAPs)
that are not compliant with public safety communication information security
standards?
Answering these questions will lead to the answer to the main question and reveal
compliance or non-compliance of PSAPs that are Next Generation 9-1-1 (NG9-1-1). The survey
categorized PSAPs as small (1-99,999), medium (100,000-499,999), and large (500,000 or
greater). It is an instrument of analysis to gauge the nationwide landscape of public safety
answering points (PSAPs) currently and identify possible issues and obstacles of where it is
heading.
The methodology the researcher followed entailed contacting 225 agencies by e-mail
utilizing Survey Gizmo survey online services. From 225 agencies, 4 agency e-mails were
rejected with no other contact information available to the researcher, leaving a total of 221
agencies receiving the survey for response. Of these 221, a total of 56 agencies responded as a
result of the survey process. In the first 3 days, 52 agencies responded. Three days after the
initial surveys were e-mailed; the researcher sent a reminder with a second wave of the surveys
to the 169 agencies that did not respond. According to StatPac, Internet surveys receive 90% of
32
43. the responses within three days after the e-mail invitation is sent (StatPac, 2011). In this instance
that proved a good ballpark estimate because 52/56 is 92%. The reminder did not produce
additional responses.
The next week, follow up phone calls were made to each of the 169 agencies that did not
respond. The researcher directly spoke with 52 agency contacts from those 169 agencies. The 52
contacts the researcher reached by phone, advised they were not sure if they received the email,
remembered the survey but had not taken the survey. The 117 agencies that direct contact was
not made, the researcher either left a message with the dispatcher or non-emergency personnel
answering the phone, or a message was left on the contact’s voicemail. The follow up phone
calls produced 4 responses, making the total survey study response 56.
Because the non-response rate was 75%, it is necessary to discuss response bias. Israel
(2009) notes strategies to deal with response bias with calling back non-respondents, which the
researcher did, and to “assume there is no response bias and to generalize the population” (p. 2,
para. 4). In addition, Israel suggests that the researcher’s previous public safety communication
experience offers expertise needed to make judgments regarding key information others might
benefit from and use as part of generalization. In addition, that experience would support their
confidence in conclusions drawn in discussion even with this response rate.
Interestingly, since the survey generated 56 responses, it is comparable to other results,
such as that in Deline, Ko, and Venolia (2007). They reported 55 responses on a sample of 250
(p. 7-8). The total population of this study’s survey was 221 with 56 responses and this
comparison supports the decision to consider the response rate sufficient for the analysis and
conclusions drawn in this study. Therefore, although there were time limitations on data
collection for the project, the researcher during the third week of data collection contacted the
33
44. agencies about reasons for survey non-responses. Of the 165 non-respondent agencies 33
provided reasons for non-response. During this follow up, three reasons were provided by
agencies for their decision. Although some mentioned time constraints, two other reasons
provided were: (1) they did not want to participate due to not being familiar with the researcher
or the graduate program institution and (2) they were not comfortable in sharing data with non-
governmental entities. Given that security really is a sensitive topic, the researcher could have
anticipated this response. In an e-mail to the researcher, Dr. Robert Morse confirmed other thesis
candidates had been told contracts with security providers restricted the release of data only to
authorized agents of that provider (R. Morse, personal communication, January 27, 2012).
One additional point mentioned by the Federal Communications Commission Chairman,
in August 2011:
We need a comprehensive, multi-pronged approach to NG911 implementation: If we do
nothing, to address NG911 requirements, timelines, costs, and governance, we will see
uncoordinated patchwork deployment of NG911 over the next five to ten years, leaving
much of the U.S. without any NG911 capability (Genachowski, 2011).
In other words the FCC chairman was in essence claiming a rudder to steer the project is still
needed. That fact and these additional reasons, time constraints on data collection and the cost of
multiple calls to agencies were considerations that influenced the decision to stop data collection
and make the judgment to report the data as collected. The researcher’s advisors pointed out self-
selection bias is always a possibility in this type of research and agreed with the decision to
report the results of the survey and follow-up conversations.
34
45. Data Analysis
Data is analyzed using both logical reasoning and statistics. The data is presented using a
question format. In addition to various pie charts and graphs, tables will be used to further
analyze the data from each survey question survey.
There were three possible categories of responses by the size of agency jurisdiction. The
distribution of response rates by agency size {small (38 agencies, 68%), medium (16 agencies,
29%), and large (2 agencies, 3%)}.
Figure 1. The population range of the agency's jurisdiction.
What is interesting is that the categories do not reflect an even distribution. Essentially
the three divisions can be considered in terms of x < 500,000 and x > 500,000. Out of the 56
respondents, 2 agencies select the Large category (3%), 16 selected the Medium category (29%),
and 38 respondents selected the Small category (68%). If the 16 Medium sized respondents are
considered in combination with the 38 small category respondents, then clearly the bulk or 97%
of respondents represented service areas of less than 500,000.
35
46. The next survey question: What is your agency's current 9-1-1 status/capability? This
question requested the agency current 9-1-1 status, noting to respond with their most advanced
level that applied to their agency. All 56 respondents selected Wireless Phase II as their current
9-1-1 status/capability, which allows for wireless 9-1-1 calls to display both latitude and
longitude of the caller’s location. A key finding is that all are at the same level of compliance
since all were at the same 9-1-1 status/capability.
Table A
Current agency 9-1-1 status/capability
Agency Size Basic Enhanced Wireless I Wireless II Next %
Generation
Large 0 0 0 2 0 3%
Medium 0 0 0 16 0 29%
Small 0 0 0 38 0 68%
Totals (%) 0% 0% 0% 100% 0% 100%
36
47. Figure 2. Current 9-1-1 status/capability.
The third survey question: Which best describes your main job title/role at your agency?
From the total responses, 23% selected 9-1-1 Supervisor (Middle Management), 61% selected 9-
1-1 Manager (Upper Management), and 8% selected IT/Network Administrator (Technical
Management). There were also a four agencies (2 Medium agencies and 2 Small agencies, or
8%) that selected the “Other” category. The descriptions given for “Other” were “Executive
Director”, “Communications Training Coordinator”, “Both Manager and IT Administrator”, and
“Trainer”. This shows the majority of responses were from upper management as requested with
the selection of 9-1-1 managers with the capability and knowledge of the compliance standards
and to provide accurate information about their specific agency.
37
48. Table B
Job title/role at agency
Size 9-1-1 9-1-1 IT/Network Other %
Supervisor Manager Administrator
Large 0 1 1 0 3%
Medium 1 10 3 2 29%
Small 12 23 1 2 68%
Totals (%) 23% 61% 8% 8%
Shown in Figure 3, the highest job title/role for Small agencies was “9-1-1 Manager”.
Second choice was “9-1-1 Supervisor”. The third and fourth selections were “Other” and
“IT/Network Administrator”. As with the overall response, the majority selected for job role was
9-1-1 manager category, showing that small agencies have designated and dedicated managers
for their entities, signifying upper management responsibilities and knowledge as with other size
agencies.
Figure 3. Job title/role for small agencies.
38
49. The Medium agencies selected “9-1-1 Manager” the most, “IT/Network Manager” next,
and then “Other” and “9-1-1 Supervisor” for the least two job titles/roles (shown in Figure 4).
The medium agencies had 19% of their responses from the IT category. If compared to the small
agencies’ 5% (see Figure 3.), this could illustrate small agencies having less network
administrative personnel on staff and that the 9-1-1 manager in small agencies could hold IT
administrative responsibilities even if it is a secondary role. Medium size agencies show to have
more network administration on staff with the higher main role responsibility percentage.
Figure 4. Job title/role for medium agencies.
Figure 5 illustrates the two choices selected by the Large agencies, which was two total in
responding. One selected “9-1-1 Manager” and one selected “IT/Network Administrator”. None
selected “9-1-1 Supervisor” or “Other”. Since only two large agencies responded, the division of
roles is 50%. What could be concluded is large agencies have levels of staff that are on upper
level management and/or have a dedicated network administration department.
39
50. Figure 5. Job title/role for large agencies.
In survey question 4: What best describes your current IT/Network Administration at
your agency? The two Large agencies both selected “Full-time internal IT/Network
Administrator”. The Medium agencies varied among three categories, 12 for ““Full-time internal
IT/Network Administrator”, 1 for “Part-time external IT/Network Administrator, and 3 for “Full-
time external IT/Network Administrator. The Small agencies provided a representation for all
five categories. For the “Part-time internal IT/Network Administrator”, 2 made that selection, 19
selected “Full-time internal IT/Network Administrator”, 1 selected “Part-time external
IT/Network Administrator”, and 13 chose “full-time external IT/Network Administrator”.
Finally, 3 Small agencies selected “No IT/Network Administrator”.
40
51. Table C
Current agency IT/Network administration description
Size None Part-Time Full-time Part-time Full-time %
internal internal external external
Large 0 0 2 0 0 3%
Medium 0 0 12 1 3 29%
Small 3 2 19 1 13 68%
Totals (%) 5% 4% 60% 3% 28%
The small agencies had at least one selection in each of the current agency IT/Network
administration description category. The highest selected was “Full-time internal” and second
highest was “Full-time external”. The last three, in order of most selected, were “None”, “Part-
time internal”, and “Part-time external” (see Figure 6). Even though it is possible for small
agencies to have less budget allocation for a designated IT/Network Administrator, the data
illustrates small agencies are not necessarily at a disadvantage at staffing network administration.
Figure 6. IT/Network Administration for small agencies.
41
52. In Figure 7, the Medium agencies selected three total for their current IT/Network
administration description types. The most often selected response was “Full-time internal”, the
second was “Full-time external”, and the least selected was “Part-time external”. Large agencies
selected that their IT/Network administration was full-time, internal staff (see Table C). If
comparing all three jurisdiction sizes, it shows that the larger the agency size, the increase of
full-time network administrators and those that are internally staffed. But even though smaller
agencies have a lower percentage, they are apparently capable of having full-time administrators
even if they need to contract externally.
Figure 7. IT/Network Administration for medium agencies.
For survey question 5: If your agency has "No internal or external IT/Network
Administrator" does your agency anticipate in employing or contracting an IT/Network
Administrator? As shown in Table C, only 3 small agencies selected this category. The 3 that
selected “No internal or external IT/Network Administrator” in question 4 also selected “No” for
question 5. However, one agency that selected “Full-time external IT/Network Administrator” in
question 4, also selected “No” for question 5. This illustrates that smaller agencies, while some
42
53. having the ability to have network administration staff full-time as reflected in question 4, there
are some that yet need to overcome obstacles which will be explained in question 6 (see Table
E).
Table D
Agency anticipation of employing/contracting an IT/Network administrator who currently have
none.
Size Yes No %
Large 0 0 0%
Medium 0 0 0%
Small 0 4 100%
Totals (%) 0% 100%
For survey question 6: If you answered "No" to either question 5, please explain the
reason and/or obstacles of why your agency does not anticipate doing so? From Table D, it
shows that 4 Small agencies selected “No” and 4 Small agencies selected categories providing a
reason for their answers in Table E. Cost was selected by 3 Small agencies and Upper
Management had 1 selection. The “Other” category was selected by 2 Small agency with the
explanations of “I do it” and “we have a staff member currently enrolled in college to get his
degree for our IT, as the County only has 2 full time IT but they are for the entire county and we
have to wait on their availability. We have current State and Federal policies in place and try to
stay in compliance with NENA/APCO standards”.
43
54. Table E
Reason or obstacles for not employing/contracting IT/Network administration if currently none
Size Cost Upper High Lack of Other %
management turnover qualified
resources
Large 0 0 0 0 0 0%
Medium 0 0 0 0 0 0%
Small 3 1 0 0 2 100%
Totals (%) 75% 25% 0% 0% 50%
Small agencies are the ones reporting obstacles when it comes to not employing or
contracting IT/Network administration, which would affect their compliancy with the established
security standards. With “Cost” receiving the majority of the obstacles, this could possibly be
elevated through future funding assistance, either by state or federal agencies, to allow them not
to be at a disadvantage with the were not have to supply sufficient revue for their budgets.
Figure 8. Obstacles for not employing IT administration for small agencies.
44
55. The survey question 7: What type of Information Technology (IT) descriptions and
policies does your agency currently have in place? The selection of all, with the exception of
“none apply”, would allow the agency to be compliant under the NENA Security for Next-
Generation 9-1-1 Standards or NG-SEC (NENA, 2010). Table F breaks down the first six
categories and Table G provides information for the last six of question 7. All but one agency
had at least one category selected. The agency that did not select any category was one Small
agency, making it a total of 55 responses for this question. Looking at both Table F and G, both
the large agencies selected all but two categories, “Wireless Policy” and “Incident Response”.
For the medium agencies, all selected “Acceptable Usage”, with many agencies in that category
also selecting “Password Policy”, “Data Protection”, “Wireless Policy”, “Physical Security”,
“Remote Access”, and “Access Control”. No Small agency had all policies selected, but many
agencies selected “Acceptable Usage”, “Password Policy”, and “Physical Security”. Also, one of
the large agencies selected everyone choice, including the “None apply” even when they selected
all of the previous policies.
Table F
Type of IT descriptions and policies (first six categories)
Size Acceptable Password Information Data Wireless Physical
Usage Policy Classification Protection Policy Security
Large 2 2 2 2 1 2
Medium 16 15 9 12 13 14
Small 33 34 16 27 17 33
Totals (%) 93% 93% 51% 74% 56% 91%
45
56. Table G
Type of IT descriptions and policies (last six categories)
Size Remote Access System System Incident None *%
Access Control Control Patching Response Apply
Large 2 2 2 2 1 1 4%
Medium 13 10 9 8 9 0 29%
Small 16 22 6 9 23 1 67%
Totals (%) 54% 63% 31% 33% 62% 3%
* % both Table F and Table G
In Figure 9, it illustrates all of the IT descriptions and policies from both Table F.1 and
Table F.2 that were selected by Small agencies. The most selected was “Password Policy”.
Following the most, in order, “Acceptable Usage”, “Physical Security”, “Data Protection”,
“Incident Response”, “Access Control”, “Wireless Policy”, “Information Classification”,
“Remote Access”, “System Patching”, “System Control”, and last, with one agency selection,
“None Apply”. If compared to the following figures that illustrate medium and large agency
responses (figures 10 and 11), the most difference in IT policies are with system controls, system
patching, remote access, information classification, and wireless policies. For small agencies,
this lack of policies may be due to network administration staffing or even the capabilities of
their current database networks and they do not have those policies in place because it is not
applicable to their network yet. However, once they are Next Generation 9-1-1 capable, all
categories will need to be in place.
46
57. Figure 9. IT descriptions and policies for small agencies.
The medium agency selections are shown in Figure 11. The most selected was category
“Acceptable Usage” and last was “System Patching”. None of the medium agencies selected
“None Apply”. The medium agencies seem to have the more in compliance with many of the
policies. This may be with more evolved database networks and staffing.
Figure 10. IT descriptions and policies for medium agencies.
47
58. The Large agency selections of IT descriptions and policies from both Table F.1 and
Table F.2 are shown in Figure 12. Both Large agencies selected “Acceptable Usage”, “Password
Policy”, “Information Classification”, “Data Protection”, “Physical Security”, “Remote Access”,
“Access Control”, and “System Control”. However, one agency selected “Wireless Policy” and
“Incident Response”. Also, as noted previously, one agency also selected “None Apply”.
Surprisingly, incident response and wireless policies were not selected from one of the two large
agencies. Many metropolitan public safety communications centers communicate local
databases, such as computer aided dispatch (CAD) or records management systems (RMS)
wirelessly from laptops in vehicles and other mobile devices. It would also be thought that a
large agency would have incident response policies in place in case of natural, terrorist, or
technical disaster occurred.
Figure 11. IT descriptions and policies for large agencies.
The survey questions 8: If your agency is Next Generation 9-1-1 capable and any of the
following descriptions and policies listed in question 7 were not selected please select the
reason(s) and/or obstacle(s). The data in Table G received 32 survey responses at least one of the
48
59. selections regardless of all agencies reporting the highest 9-1-1 status/capability of Wireless
Phase II. None of the 56 responding agencies reported having Next Generation 9-1-1
status/capabilities for question two of the survey. None of the large agencies made selections for
question 8. However, 7 medium agencies and 25 small agencies made at least one selection,
making over half (57%) of the 56 total responses to the survey. The two “Other” categories
consisted of “IT department prefers to not to release information due to concerns over security”
and “we are NG9-1-1 capable, but state law prohibits implementation”.
Table H
If Next Generation capable, reasons and/or obstacles for not having the descriptions and policies
in Table F and Table G
Size Cost Time Upper Staff Other %
Management Constraints
Large 0 0 0 0 0 0%
Medium 4 5 0 2 1 22%
Small 16 18 1 14 1 78%
Totals (%) 68% 75% 3% 53% 6%
Even though none of the responding agencies were Next Generation 9-1-1 capable, the
responses do shed light on current obstacles agencies face towards compliancy. Cost does reflect
over half of the obstacles, but “Time” is selected as 75% of the overall reason and is the highest
ranked obstacle in both medium and small agencies. This could indicate that agencies feel they
are spread thin in keeping up with standards and evolving technology even if they have the staff
and money.
49
60. Figure 12. Obstacles for not having the descriptions/policies for small agencies.
Figure 13. Obstacles for not having the descriptions/policies for medium agencies.
For survey question 9: Select the following software your agency currently runs on all
servers and end user computers? Anti-virus software and/or spyware detection software. All 56
agencies selected either one or both of the software selections. All agencies currently run Anti-
virus software on all servers and end user computers. Only a few in both the medium and small
50
61. agencies do not currently run Spyware detection software. Reasons where inquired in the
following survey question (see Table I).
Table I
Virus and/or spyware detection software on all servers and end user computers
Size Anti-virus Spyware detection %
Large 2 2 3%
Medium 16 13 29%
Small 38 34 68%
Totals (%) 100% 88%
Figure 14. Virus and/or spyware detection software for small agencies.
51