Legacy IT makes federal agencies less secure, study says

On average, for each one percent of its spending that an agency shifts from maintaining legacy systems to buying new ones, it can expect a five percent reduction in the number of security incidents.
(Getty Images)

Federal agencies that shift money from maintaining outdated legacy IT systems to modernizing them can expect to see fewer cybersecurity incidents — as can the agencies that migrate legacy systems to the cloud or implement strict data governance policies, according to a new academic study.

On average, for each 1 percent of its spending that an agency shifts from maintaining legacy systems to buying new ones, it can expect a 5 percent reduction in the number of security incidents, found the authors of the study “Security Breaches in the U.S. Federal Government.” It was written by two academics from the Fox Business School at Temple University and the Red McCombs School of Business at the University of Texas at Austin and published last week by the Social Science Research Network.

The study also found that federal agencies that migrate their legacy IT systems to the cloud suffer fewer security incidents of improper access. And that strict IT governance, risk and control, or GRC, policies — such as network monitoring, access controls, continuous employee training and risk management systems — as measured by agency inspector-general audits, appear to mitigate the security risks of legacy systems.

“We wanted to dispel some widely held but incorrect ideas,” Min-Seok Pang, assistant professor of information systems at the Fox School told CyberScoop. He said the article crunched incident data from the annual reports agencies are required to submit under the Federal Information Systems Modernization Act, or FISMA, and spending data from the Federal IT Dashboard.


One idea the study challenges, he said, is the notion of “security through antiquity” — the idea that legacy IT is more secure, because there is so little documentation and knowledge about it for attackers to discover and comb through for potential vulnerabilities.

“‘Security through antiquity’ might be correct for a particular individual system,” said Pang, “But from the point of view of the whole enterprise, the whole organization” it definitely makes them more vulnerable. “Legacy systems make an IT enterprise more complex, more messy,” he said, “That may expose it to more risk.”

“Counterintuitively, we also found that agencies which are geographically centralized and functionally homogenous tend to suffer more security breaches,” Pang added. “We were surprised. We expected to find the opposite: That agencies which were geographically dispersed and functionally diverse would have poorer security outcomes.”

One theory to explain the finding, Pang said, was that “functional or geographic centralization makes them less costly for intruders to penetrate, and [therefore] a more attractive target because the information [the intruder wants to steal] is more concentrated.”

“We’re trying to show not just correlation, but causality,” he added.


He cautioned that the study was based on only four years worth of data: 2012-15, and that the 2016 incident data was compiled on a different basis, making comparison impossible. “Unfortunately, because the federal government changed the definitions relating to the reporting of cybersecurity incidents, we were not able to use [the] 2016 data [released last week] in our study,” he said.

Nonetheless, Pang said the study had a clear takeaway for policy makers: “Pass the [Modernizing Government Technology, or] MGT Act now,” he said.

Shaun Waterman

Written by Shaun Waterman

Contact the reporter on this story via email, or follow him on Twitter @WatermanReports. Subscribe to CyberScoop to get all the cybersecurity news you need in your inbox every day at

Latest Podcasts