INTERNET SECURITY SYSTEMS INC/GA - 10-K Annual Report

Back to GetFilings.com

- --------------------------------------------------------------------------------
- --------------------------------------------------------------------------------

UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549

---------------------

FORM 10-K

(MARK ONE)
[X] ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE
SECURITIES EXCHANGE ACT OF 1934
FOR THE FISCAL YEAR ENDED DECEMBER 31, 2002
OR
[ ] TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE
SECURITIES EXCHANGE ACT OF 1934
FOR THE TRANSITION PERIOD FROM ____________TO ____________

Commission file number 0-23655

INTERNET SECURITY SYSTEMS, INC.
(Exact Name of Registrant as Specified in Its Charter)

DELAWARE 58-2362189
(State or other jurisdiction of (I.R.S. Employer Identification No.)
incorporation or organization)

6303 BARFIELD ROAD 30328
ATLANTA, GEORGIA (Zip code)
(Address of principal executive offices)

Registrant's telephone number, including area code: (404) 236-2600

Securities registered pursuant to Section 12(b) of the Act: None

Securities registered pursuant to Section 12(g) of the Act:
COMMON STOCK, $0.001 PAR VALUE
PREFERRED STOCK PURCHASE RIGHTS
(Title of Class)

Indicate by check mark whether the Registrant (1) has filed all reports
required to be filed by Section 13 or 15(d) of the Securities Exchange Act of
1934 during the preceding 12 months (or for such shorter period that the
Registrant was required to file such reports), and (2) has been subject to such
filing requirements for the past 90 days.

Yes [X] No [ ]

Indicate by check mark if disclosure of delinquent filers pursuant to Item
405 of Regulation S-K is not contained herein, and will not be contained, to the
best of Registrant's knowledge, in definitive proxy or information statements
incorporated by reference in Part III of this Form 10-K or any amendment to this
Form 10-K. [ ]

Indicate by check mark whether the registrant is an accelerated filer (as
defined in Exchange Act Rule 12b-2). Yes [X] No [ ]

The aggregate market value of the voting stock held by non-affiliates of the
Registrant, based upon the closing sale price of Common Stock on June 30, 2002
as reported on the NASDAQ National Market, was approximately $330 million
(affiliates being, for these purposes only, directors, executive officers and
holders of more than 5% of the Registrant's Common Stock).

As of March 12, 2003, the Registrant had 49,633,772 outstanding shares of
Common Stock.

DOCUMENTS INCORPORATED BY REFERENCE

Portions of the Proxy Statement for the Registrant's Annual Meeting of
Stockholders to be held on May 28, 2003 are incorporated by reference into Part
III of this Form 10-K.
- --------------------------------------------------------------------------------
- --------------------------------------------------------------------------------

FORWARD-LOOKING STATEMENTS

This report contains forward-looking statements that involve risks and
uncertainties. The statements contained in this report that are not historical
statements of fact are forward-looking statements within the meaning of Section
27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act
of 1934. Forward-looking statements include, among other things, statements
regarding our expectations, beliefs, intentions or strategies regarding the
future. All forward-looking statements included in this report are based on
information available to us up to and including the date of this document, and
we expressly disclaim any obligation to update or alter our forward-looking
statements, whether as a result of new information, future events or otherwise.
Our actual results could differ significantly from those anticipated in these
forward-looking statements as a result of certain factors, including those set
forth below, under "Management's Discussion and Analysis of Financial Condition
and Results of Operations -- Risk Factors" and elsewhere in this report.

PART I

ITEM 1. BUSINESS

INTRODUCTION

OVERVIEW

Internet Security Systems, Inc. ("ISS" or the "Company") is a security
software pioneer and global leader in information protection solutions dedicated
to protecting online assets. This proactive line of defense protects networks,
servers and desktops against an ever-changing spectrum of threats. Our security
management solutions include software products, managed security services,
professional services made up of both consulting and training services and
online security research, advisory and other knowledge services. We offer a
comprehensive line of products and services aimed primarily at enterprise
organizations and service providers. These threat protection solutions go beyond
basic access control to deliver multiple layers of defense that detect, prevent
and respond to threats to our customers' business operations.

Our products are designed to meet the need for comprehensive,
cost-effective detection, prevention and response arising from attacks, misuse
and security policy violations while promoting the confidentiality, privacy,
integrity and availability of proprietary information. Our family of software
products is a critical element of an active Internet and networking security
program within today's world of global connectivity, enabling organizations to
proactively monitor, detect and respond to risks to enterprise information. Our
managed services offerings focus primarily on remote management of our
best-of-breed security technology including security assessment and intrusion
protection systems. We focus on serving as the trusted security provider to our
customers by maintaining within our products the latest counter-measures to
security risks, creating new innovative products, and providing professional and
managed services.

ISS was founded in 1994 and is headquartered in Atlanta, Georgia. The
mailing address for our headquarters is 6303 Barfield Road, Atlanta, Georgia,
30328, and our telephone number at that location is (404) 236-2600. The ISS web
site can be found at www.iss.net.

INDUSTRY BACKGROUND

GROWTH OF ONLINE ASSETS AND RISKS

Online security is of growing importance to today's businesses, as
organizations of all sizes and markets become increasingly reliant on
Internet-based technology to conduct day-to-day operations. Businesses adopt
these Internet-based technologies to streamline operations and create new
business opportunities. To capitalize on the benefits of the Internet,
businesses must open their networks to business partners, customers and their
mobile workforce, significantly increasing the value and vulnerability of their
online assets.

The networks, servers and desktops that make online commerce work are
inherently vulnerable to online threats. A threat is any tool or technique that
can be used to damage the data stored on a network, server or

1

desktop, or to compromise those resources for unauthorized use. The tools used
to attack online resources and the sophistication of these threats continues to
increase. At the same time, the technological sophistication needed to launch an
attack continues to decrease.

The more that organizations and consumers depend on networks to conduct
business, the greater the risk of business interruption, negative publicity,
theft of proprietary or private information, liability for damages to others,
and other costly business losses. The Computer Security Institute reported in
the 2002 CSI/FBI Computer Crime and Security Survey conducted with the Federal
Bureau of Investigation that 90% of the 503 respondents (U.S. corporations,
government agencies, financial institutions, medical institutions and
universities) detected security breaches in a twelve-month period, with 80%
acknowledging financial losses due to computer breaches. Interestingly, 90% of
respondents reported using anti-virus software, 89% reported using firewalls and
60% reported using intrusion detection. The 223 respondents who were willing
and/or able to quantify financial losses as a result of computer breaches
reported approximately $455,848,000 in losses.

ISS PROTECTION SOLUTIONS

Our protection solutions protect against online threats. They provide
proactive detection of active attacks against information resources, prevent
unnecessary security vulnerabilities, and provide for rapid, appropriate
response when a security event takes place. Our protection solutions help
minimize our customers' risk from online threats.

We believe that there are three key processes to effectively manage online
risk:

- Identify security exposures and active threats, with responses
appropriate to the severity of the risk and the potential for loss;

- Implement scalable, centralized security management across complex
extended enterprise infrastructure of larger customers. For other
organizations, utilize either an internally managed software solution or
expert external managed security services (or both) to provide efficient
oversight and control; and

- Utilize a proactive source of security alerts, advisories and other
security information services to counteract the dynamic nature of risk.

These solutions can be managed internally by customer personnel, or can be
managed externally as part of a managed solution provided by ISS. Each solution
often includes professional services or an education component.

In response to this broad-based business need, we provide a wide range of
proactive protection that spans networks, servers and desktops, including fixed,
remote, mobile and wireless devices. All offerings are built around the need for
comprehensive, cost-effective detection, prevention and response. These flexible
solutions scale from individual PCs to multinational enterprises, with
detection, prevention and response across the breadth of the threat spectrum.

MARKETS

We provide products and services to a variety of customers. We view our
primary customer markets as enterprise, service provider, and risk management
customers. We also have products for consumers and small offices. Our primary
markets are addressed through our direct sales efforts and through various
partners, including system integrators, value-added resellers and distributors.
Consumer and small office markets are served through distribution channel
arrangements.

We provide enhanced levels of detection, protection and response to our
primary market through our DYNAMIC THREAT PROTECTION(TM) process. Dynamic Threat
Protection is based on the long-accepted industry knowledge that routine,
preventative maintenance is superior to the "break/fix" alternative. Dynamic
Threat Protection helps businesses transform from a reactive to a proactive
security posture. As a result, organizations that implement Dynamic Threat
Protection significantly reduce risk, simplify security and save substantial
time and money.

2

Dynamic Threat Protection delivers highly integrated operations that in
turn create faster response times, focus administrator attention on areas
needing the most immediate attention and anticipate security exposures before
they become business liabilities. In short, we believe that Dynamic Threat
Protection provides three distinct advantages for organizations looking for an
additional level of security:

Accuracy -- Dynamic Threat Protection rapidly and accurately detects
attacks and reduces false positives.

Performance -- Dynamic Threat Protection operates at increasingly
rapid line speeds across the network, and scales from workgroups to
multinational organizations with many locations.

Low Total Cost of Ownership (TCO) -- Dynamic Threat Protection
significantly lowers TCO by using advanced data collection, correlation and
analysis to minimize the need for manual intervention in the security
process and automate the discovery and repair of potential security
exposures.

In summary, we believe that Dynamic Threat Protection reduces the critical
time lag between when a new threat emerges and security staff is able to respond
to that threat. This key advantage gives security staff the ability to quickly
and easily concentrate their efforts on the most urgent issues first. In
addition, it extends protection over time from the most urgent risks on the most
important networks and systems to prevention and protection for less critical
areas.

ENTERPRISE

Enterprise market customers generally have annual revenues exceeding $100
million. Our enterprise software and services solutions provide proactive
centrally deployed and managed protection against online business interruption
and loss, all designed to operate with minimal administration or interference
with normal network operations. These comprehensive protection offerings merge
network, server and desktop protection into an integrated threat management
environment. This combination of software and services enables centralized
management across multiple locations and network segments, including wireless
networks, branch offices and mobile workers. Most importantly, our proactive
approach keeps staff informed about newly discovered security issues, ensuring
that the protection solution can be updated to account for newly evolved
threats.

Enterprise solutions include the REALSECURE(R) PROTECTION PLATFORM, a
unique software offering that encompasses vulnerability assessment and threat
detection, prevention and response across networks, servers and desktops, all
coordinated through the REALSECURE(R) SITEPROTECTOR(TM) centralized management
platform. In addition, our Managed Protection Services extends this protection
strategy through managed security offerings and expert 24/7 monitoring, support
and response management, for situations where additional flexibility and support
are required. Extensive professional services and emergency response services
provide an appropriate, effective security solution, regardless of business
environment.

SERVICE PROVIDER

We provide best-of-breed technology and a proven track record in network
security management for service providers looking to establish online security
as part of a broad-based, Internet-oriented business solution. We partner with
service providers that want to resell managed security services and are seeking
a well-known, credible and stable partner in the security industry, an
established ability to bring partners to market, and a comprehensive services
portfolio.

Our advanced security management software solutions, extensive experience
protecting customer networks, and unique ability to collect and analyze threat
trends from around the world in our Global Threat Operations Center (GTOC) allow
us to partner with organizations looking to bundle a security management
component within a broader set of business services.

3

RISK MANAGEMENT

Online business operations, like their physical counterparts, require
careful risk management practices. However, traditional security and insurance
offerings do not address unique online risks. Our SECURE STEPS(SM) program
provides scalable, affordable risk management solutions based on Internet
Security Systems' Managed Protection Services that are intended to establish the
security practices necessary to assist our customers in obtaining insurance
coverage for online business operations. Secure Steps includes a specialized set
of managed security services that adds comprehensive recovery and security
forensics to document and analyze security events should a breach occur. When
combined with cyber-insurance coverage, Secure Steps is an important component
of a broad-based enterprise risk management strategy.

Secure Steps delivers critical security solutions designed for
organizations needing an integrated, cost-efficient online risk management
solution. Participation in Secure Steps assists insurance underwriters with the
underwriting process and is intended to pre-qualify businesses for third-party
cyber-insurance coverage for online business operations. We do not ourselves
sell insurance coverage or any other insurance services. We also have other
specialized security assessment programs that help organizations with
self-managed security ascertain that their security practices are suitable for
cyber-insurance programs.

PRODUCTS AND SERVICES

ENTERPRISE PROTECTION

The RealSecure Protection Platform, the core of our enterprise protection
offerings, significantly improves protection across networks, servers and
desktops, while reducing complexity and cost. This unique solution integrates
intrusion detection and response, vulnerability assessment, policy compliance,
and data collection and analysis, all coordinated through the RealSecure
SiteProtector centralized management structure. Key components include:

REALSECURE NETWORK PROTECTION -- Provides a wide range of specialized
protection agents for networks and gateways, all tightly integrated into a
centralized operational and management framework.

RealSecure Network 10/100 -- Provides intelligent, automated
integration of threat assessment, intrusion detection, active blocking
and data analysis within a self-contained, centrally managed
application.

RealSecure Network Gigabit -- Provides intelligent, automated
integration of threat assessment, intrusion detection, active blocking
and data analysis within a self-contained, centrally managed application
for line operations at gigabit speed.

RealSecure for Nokia Appliance -- Provides powerful, automated,
real time intrusion protection for computer networks through an easily
deployed, appliance-style solution.

RealSecure Guard -- An inline intrusion protection filter designed
specifically for mission critical connections that protects across
network segments.

REALSECURE SERVER PROTECTION -- Defends servers and applications
against unauthorized access and a broad array of threats by combining
intrusion detection and response with firewall capabilities.

RealSecure Server -- Provides intelligent, automated integration of
threat assessment, intrusion detection, active blocking and data
analysis for servers within a self-contained, centrally managed
application.

REALSECURE DESKTOP PROTECTION -- Guards fixed, remote and mobile
corporate desktops against unauthorized access and a broad array of threats
by combining intrusion detection and response with firewall capabilities
and virtual private network (VPN) compatibility.

RealSecure Desktop -- Provides intelligent, automated integration
of threat assessment, intrusion detection, application protection,
active blocking and data analysis for desktops within a self-contained,
centrally managed application.

4

REALSECURE SITEPROTECTOR -- Scalable, centralized security deployment,
management and reporting for enterprise RealSecure deployments that
significantly reduce demands on staff and other operational resources.

REALSECURE SITEPROTECTOR SECURITY FUSION MODULE -- Uses advanced data
correlation and analysis to rapidly and automatically derive the likelihood
of a successful attack from aggregated vulnerability assessment
information.

PRE-EMPTIVE BEHAVIORAL INSPECTION TECHNOLOGY -- VCIS, INC. ACQUISITION

In October 2002, we acquired vCIS, Inc. ("vCIS"), a development stage
company focused on the development of patent-pending, next-generation,
pre-emptive behavioral inspection technology. This technological concept
prevents malicious code from executing and causing damage before it has an
opportunity to interact with the enterprise network.

The vCIS acquisition is consistent with our strategy of offering threat
protection solutions that actively detect, prevent and respond to security risks
at every potential point of compromise on desktops, servers and networks.
Specifically, vCIS technology is expected to enhance the application protection
feature in our desktop and server protection offerings. Combined with our
current offerings, customers will be able to control -- via policy -- how known
programs operate on their host systems while effectively preventing unknown or
untrusted applications from executing. The combination affords strong proactive
application controls, serving as an adjunct to deploying and managing
signatures, and dramatically reduces false positives. We identified three
potential applications for the technology that currently have completion time
tables in either the latter part of 2003 or the first half of 2004. These
assumptions have a degree of uncertainty given that this is new, unproven
technology.

VULNERABILITY ASSESSMENT

In addition to the RealSecure Protection Platform, we also offer security
assessment and policy compliance solutions for proactive measurement of online
risk. These comprehensive and complimentary offerings include:

INTERNET SCANNER(R) -- Provides comprehensive network vulnerability
assessment for measuring online risk.

SYSTEM SCANNER(TM) -- Ensures policy compliance and detects
vulnerabilities that leave servers open to compromise.

DATABASE SCANNER(R) -- Assesses online business risks by identifying
security exposures in leading database applications.

WIRELESS SCANNER(TM) -- Provides automated detection and security
analyses of mobile networks utilizing 802.11b WLAN (Wi-Fi) access points
and clients.

CONSUMER AND SMALL OFFICE PRODUCTS

We offer powerful, affordable solutions providing fast, accurate protection
for a wide range of information protection needs for the consumer and small
office product market. Our products include:

BLACKICE(TM) PC PROTECTION -- Provides comprehensive personal firewall
and intrusion protection for individual PCs.

BLACKICE(TM) SERVER PROTECTION -- Provides comprehensive firewall and
intrusion protection capabilities for individual servers.

X-FORCE(TM) SERVICES

The X-Force organization, our industry leading group of security experts
dedicated to proactive counter intelligence and public education, delivers
timely, accurate information for anyone interested in protecting

5

online assets against attack or misuse. This proactive approach suffuses all our
offerings, from research and development to products and services, including
publicly available information and product support.

Our X-Force organization delivers breaking information on threats through
three complementary online publications:

- Security Advisories contain new vulnerability research developed by the
X-Force itself, as well as solutions to manage or resolve the threat.

- Security Alerts are timely compilations of threat information, both from
us and from other, external resources.

- Security Alert Summaries are weekly publications containing short
descriptions of security issues identified and researched during the past
week. Each issue in the Alert Summary is linked to detailed information
in the online X-Force Database.

The X-Force organization begins this process through our Global Threat
Operations Center. This specialized threat intelligence facility collects
security trend information from five state-of-the-art Security Operations
Centers operating on three continents to analyze the nature and severity of any
threat in real-time. The X-Force then proactively helps deliver our solutions to
market via alerts, advisories, product updates, professional services, emergency
response services and 24/7 remotely managed security services. In addition, we
provide the fee based X-Force Threat Analysis Service for customers needing
immediate, comprehensive notification of the breaking security events.

X-Force threat intelligence consists of both global and local primary
source overviews of evolving threats. This information may be sorted by specific
geography, business sector, operating system or attack technique, allowing
anyone interested in information protection to evaluate global threat conditions
as part of their own security operations. All our service offerings use X-Force
threat intelligence as a differentiator, whether as part of a professional
services consulting engagement, managed security services, X-FORCE(TM) EDUCATION
SERVICES education offerings or customer support. In addition, X-Force research
and development quickly and easily integrates into Internet Security Systems'
software solutions via self-installing X-PRESS UPDATE(TM) product enhancements.

MANAGED SECURITY SERVICES

ISS Managed Security Services offers online protection for organizations
lacking the time, expertise or appropriate internal resources to secure critical
information resources. Our services include:

MANAGED INTRUSION PROTECTION SERVICE -- Unobtrusively monitors client
servers and network traffic for potential threats, and responds to attacks
or misuse that can damage online information resources.

MANAGED FIREWALL SERVICE -- Flexible, remotely managed firewall
service that delivers cost-effective protection that reduces customer staff
requirements. Optional features include High Availability capabilities,
Monitored Firewall, Client VPN enablement and Site-to-Site VPN.

HIGH AVAILABILITY MANAGED FIREWALL SERVICE -- Remotely managed
firewall that utilizes a robust architecture to maximize uptime for
critical business operations.

CLIENT VPN SERVICE -- Extends our managed firewall offerings by
establishing secured network resources for remote operations including
users, partners, vendors and customers.

MANAGED SITE-TO-SITE VPN SERVICE -- Leverages our managed firewall
services to create efficient trust relationships for online business
operations acting across multiple networks.

MANAGED REMOTE SCANNING -- Performs remotely managed, scheduled and
on-demand assessments of the network perimeter. Uses the Internet
Scanner(TM) application to identify vulnerabilities and recommend fixes.

6

MANAGED SECURITY SERVICES CUSTOMER PORTAL -- Complements our Managed
Security Services offerings by providing customers with a powerful,
interactive information reporting and analysis tool for maintaining
effective security practices.

PROFESSIONAL SECURITY SERVICES

Our professional security services combine our extensive intellectual
capital, best-of-breed technology and experienced security experts to help
organizations plan and implement sound security management solutions. Our
standards-based methodology covers the complete security management lifecycle,
including assessment, design, deployment, management, and support.

ASSESS

X-Force Penetration Test -- A network attack simulation event in which
security experts attempt to break into a network mimicking the techniques
used by malicious attackers. Available in three variations: Light
Perimeter, Full Perimeter and Internal.

Information Security Assessment -- Comprehensive evaluation of
security posture from an external and internal perspective, including an
in-depth evaluation of a client's security architecture, policies and
procedures, threats and vulnerabilities, and technical security controls
and mechanisms.

Wireless Network Security Assessment -- Security assessment of
wireless network environments including both assessment and penetration
testing.

Application Security Assessment -- Review and evaluation of
application security from the client and server perspectives.

DESIGN

Protection Policy Development -- Helps a client design and adopt an
information protection policy that reflects its business objectives,
environment and culture.

Solutions Deployment Planning -- Help a client understand the
architecture of its existing and future networks. Our security specialists
work with client staff to determine and plan the most effective and
strategic locations in which to install our solutions, how to best
implement them with minimal impact on current network operations, and how
to plan for the ongoing management and maintenance of the security
solution.

Network Security Architecture Design -- Our security professionals
assist clients in developing a network security architecture design based
on assessment requirements and industry best practices.

DEPLOY

Internet Security Systems Solutions Deployment -- Installation,
configuration and tuning for our vulnerability assessment, intrusion
detection and enterprise security management solutions which we encourage
to be a competency of our security partners that can be delivered into our
customer base.

MANAGE

Emergency Response Services -- Our professional services staff
combines leading security research with real-world incident response
experience to help organizations prepare for, and respond immediately to,
information security breaches.

Vulnerability Remediation Services -- Our experienced professional
services staff work with a client to plan and implement vulnerability
remediation.

7

Staff Augmentation & Support -- Designed for organizations in which:

- A fully managed solution is not an option, but onsite management from
a security expert is needed.

- Security engagement needs are not clearly defined, but onsite
management from a security expert would be beneficial.

- Additional support is needed while the organization is in the process
of hiring an individual for a security role.

SUPPORT

Technical Support

ISS Technical Support provides ongoing product support services under
license agreements. Maintenance contracts are sold to customers for a one-year
term, or longer periods, at the time of the initial product license and may be
renewed for additional periods. Under our maintenance agreements with our
customers, we provide, without additional charge, telephone support, electronic
support, documentation, our X-Force Security Alerts and Advisories, X-Press
Updates, access to an online Knowledgebase, and other product updates and error
corrections, as available. Customers with current maintenance agreements may
download available product updates from our Web site.

We believe that providing a high level of customer service and technical
support is necessary to achieve rapid product implementation, which, in turn, is
essential to customer satisfaction and continued license sales and revenue
growth. Accordingly, we are committed to recruiting and maintaining a
high-quality technical support team. A team of dedicated certified engineers
trained to answer questions on the usage of our products provides telephone and
email support worldwide, 24 hours a day, seven days a week (including holidays),
from our corporate office in Atlanta. Customers in Asia can also contact ISS
Technical Support in the Philippines or Tokyo during local business hours. The
ISS Technical Support Team located in Mountain View, California provides email
support to our consumer customer base. In the United States and internationally,
our resellers and distributors provide telephone support to their customers with
additional technical assistance from us. For our managed services security
solutions, customer support is available for several offerings up to 24 hours a
day, seven days a week. Technical support is offered via phone, email or secure
Web form and includes access to an online knowledge base as well as direct
contact with qualified support personnel.

Education

Our X-Force Education Services organization offers hands-on, real-world
security management and certification training. Our content rich materials and
experienced instructors educate security professionals with courses delivered in
classrooms located around the world as well as through on-site, customized
programs. By developing and maintaining internal staff knowledge, organizations
can maximize the return on their security investments.

During 2003, we will begin offering classes through our X-Force Education
Services Authorized Training Center Program in addition to continuing to provide
such courses at our Atlanta headquarters training center and on-site at customer
locations. The Authorized Training Center Program will offer quality education
to customers from certified facilities located across the U.S. By working with
training facilities throughout the country, the ISS Authorized Training Center
Program provides education consistent with ISS standards, but now available at
additional locations. All Authorized Training Centers will be ISS-certified to
verify the quality of the courses as part of the X-Force Protection
Certification program.

GEOGRAPHIC SEGMENTS

We provide our security management solutions in three geographic areas: the
Americas (United States, Canada, Latin America and South America), EMEA (Europe,
Middle East and Africa) and Asia/Pacific. These geographic areas represent our
three reportable segments. The accounting policies of the reportable

8

geographic segments are the same as described in the summary of our critical
accounting policies in Management's Discussion and Analysis of Financial
Condition and Results of Operations and significant accounting policies in our
financial statements and are applied consistently across the segments. Revenues,
as a percent of total revenues, for each segment are as follows:

PRODUCT DEVELOPMENT

We develop our products to operate in heterogeneous computing environments.
Products are compatible with other vendors' products across a broad range of
platforms, including HP-UX, IBM AIX, Linux, Sun Solaris and Microsoft Windows.
Our network sensor software products are also offered for specific hardware
vendor platforms like the Nokia appliance and the recently announced RealSecure
network protection software for the Crossbeam appliance. The Nokia appliance is
a proven platform for RealSecure Network Protection, providing for rapid
deployment. The appliance from Crossbeam Systems, Inc. provides a single, high
availability, multi-segment application platform, while also offering expansion
options for firewalling, antivirus, and web content filtering applications. In
addition, we are planning the release of ISS branded network appliances,
beginning in the first half of 2003, using the Linux operating system and
incorporating network protection software. We have incorporated a modular design
in our software products to permit plug-and-play capabilities, although
customers often use our professional services or our strategic partners to
install and configure products for use in larger or more complex network
systems.

We employ a three-pronged product development strategy to achieve our goal
of providing comprehensive security coverage for monitoring, detection and
response. First, we provide regular security updates to our products that are
based on our vulnerability and threat database. These updates are usually
provided as part of separate maintenance agreements sold with the product
license.

Second, we continue to develop new best-of-breed security products to
protect networks, servers and desktops. Historically, existing products are
updated to add new features and improve functionality. These enhancements are
available to customers through our software maintenance program.

Third, to complement our network, server and desktop products and provide
more comprehensive network security coverage, we continue expanding existing
products by developing additional enterprise-level security management products,
including our RealSecure SiteProtector and Security Fusion products. These
products are intended to help customers protect their networks, servers and
desktops by continuously measuring and analyzing the status of their security,
monitoring and protecting from security risks in real time across the enterprise
network. These RealSecure enterprise management products operate with our
network, server and desktop products, allowing modular implementation.

Expenses for product development were $31.3 million, $35.4 million, and
$35.3 million in 2000, 2001 and 2002, respectively. All product development
activities are conducted at either our principal offices in Atlanta or at our
research and development facilities in Mountainview, California, Reading,
England and Sydney, Australia. At December 31, 2002, 297 personnel were employed
in product development teams. Our personnel include members of the Computer
Security Institute, Forum for Incident Response and Security Technicians
(FIRST), Georgia Tech Industrial Partners Association, Georgia Tech Information
Security Center and the International Computer Security Association (ICSA),
enabling us to actively participate in the development of industry standards in
the emerging market for network and Internet security systems and products.

PRICING

We use a range of fee structures to license our products, depending on the
type of product and the intended use. We license our vulnerability assessment
products, Internet Scanner, System Scanner, Wireless Scanner and Database
Scanner based on the number of devices being assessed. The pricing provides low
entry points for departmental users without limiting our revenue potential from
customers with large networks.

9

Pricing for our threat detection and response products, including the RealSecure
line of software agents, is based on the number of copies deployed on the
network. Thus, licensing fees for our products are ultimately determined by the
size of the customer's network, as size dictates the number of devices to be
assessed or the number of copies to be deployed. Management software is sold on
a capacity basis. The license fee for the management software is determined by
the size of the sensor/detector and scanner purchase. This capacity-based
pricing structure provides customers with the ability to license as much
management as they require.

In addition to license fees, customers purchase maintenance agreements in
conjunction with their initial purchase of a software license, with annual
maintenance fees typically equal to 20% of the product's license fee.
Maintenance agreements include annually renewable telephone support, product
updates, access to our X-Force Security Alerts and error corrections. Our
continuing research into new security risks and resulting product updates
provide significant ongoing value. We provide customers with a regular stream of
security updates, known as X-Press Updates, as part of this maintenance
agreement. X-Press Updates serve to keep our products up to date with the latest
vulnerabilities and threats that are present in Internet environments. As a
result, a substantial majority of our customers renew their maintenance
agreements. We have historically sold fully-paid perpetual licenses with a
renewable annual maintenance agreement and, have licensed our products on a
subscription basis, including maintenance, for one or two year periods and are
exploring other alternatives for customers desiring longer term arrangements or
multi-year commitments. Customers who use our products to provide information
technology assessment services are offered subscription license agreements,
typically with a one-year term.

Monitoring fees for managed security services are determined by the
complexity of the monitoring arrangement and by the number of devices being
monitored. The pricing is scalable, allowing for customers to start with basic
security monitoring services and expand as the business grows. Contracts are for
a minimum one-year term and are typically billed monthly as services are
performed.

Our professional services fees are calculated either on a fixed-fee basis
or an hourly rate per consultant based on the scope of the engagement, market
sector and geographical territory. Educational services are calculated on a
per-class basis.

CUSTOMERS

As of December 31, 2002, Internet Security Systems had more than 11,000
business customers, and maintained operations in 22 countries. No customer
accounted for more than 10% of our consolidated revenues in 2000, 2001 or 2002.
Target customers include both public and private sector organizations, as well
as consumers, that use Internet protocol enabled information systems. Business
customers represent a broad spectrum of organizations within diverse sectors,
including financial services, technology, telecommunications, government, and
information technology services.

SALES AND MARKETING

Sales Organization

Our sales organization is divided regionally among the Americas, EMEA and
the Asia/Pacific regions. In the Americas, we market our products through our
direct sales organization and through various partners, including system
integrators, value-added resellers and distributors. The direct sales
organization for the Americas consists of regionally based sales representatives
and sales engineers, and a telesales organization, located in Atlanta. We
maintain a number of domestic sales offices in various cities throughout the
United States and in Canada, Mexico and Brazil. As of December 31, 2002, we
employed approximately 172 people in the Americas sales organization. The
regionally based direct sales representatives focus on opportunities with large
organizations. Included as part of the sales organization is a channel
management group that drives incremental revenue through selected channel
partners and acts as the liaison between the direct sales representatives and
the channel partners.

In the EMEA and Asia/Pacific regions, the substantial portion of our sales
occurs through authorized resellers. Internationally we have established
regional sales offices in several countries in Europe as well as in Egypt,
Japan, Australia and Singapore. Personnel in these offices are responsible for
market development,

10

including managing our relationships with resellers, assisting them in winning
and supporting key customer accounts, acting as a liaison between the end user
and our marketing and product development organizations and providing consulting
and training services. As of December 31, 2002, approximately 376 employees were
located in our European and Asia/Pacific regional offices. We expect to continue
to expand our field organization into additional countries in these regions.

SecurePartner(TM) Program Channel Sales

A key element of our marketing strategy is to establish our products,
services and information security methodologies as the leading approach for
information protection and security management for the enterprise, service
provider and risk management markets. We have implemented a multi-faceted
awareness program to leverage the use of corporate, product and service brands
to increase acceptance of our offerings through relationships with various
distribution and reseller channel partners. We typically enter into written
agreements with resellers, distributors, managed service providers, Internet
service providers and OEMs. These agreements generally do not provide for firm
dollar commitments from the parties, but are intended to establish the basis
upon which the parties will work together to achieve mutually beneficial
objectives.

Distributors

To accommodate the large number of smaller resellers that cannot qualify
under the SecurePartner Program, a two-tier distribution model has been
established to ensure appropriate access to ISS products and support. ISS
provides direct, focused support to these distributors, who in turn, support an
extensive community of smaller resellers and consultancies as well as provide
product to our resellers.

Resellers

We maintain the SECUREPARTNER(TM) program to train and support security
consulting practices, systems integrators and product and service resellers who
match our offerings with their own complementary products and services. By
reselling our solutions, our resellers provide additional value for specific
market and industry segments, while maintaining our ongoing commitment to
quality software and customer satisfaction. There are three different levels of
reseller opportunities:

- Premier Partners. Premier Partners are typically security consultants,
value-added resellers (VARs) and systems integrators with focused
security practices. Many Premier Partners are experienced in the sales
and implementation of leading firewall, authentication and encryption
technologies. Premier Partners maintain the highest level of resale.
These partners leverage their expertise with our vulnerability assessment
and enterprise protection products. Premier Partners receive direct
distribution of our products, sales and technical training, access to
market development funds, use of our Web site for placing orders, monthly
regular SecurePartner email newsletters, security information from the
ISS X-Force and other partner-only communications and, access to the ISS
Partner Resource Center Web site and a listing on our Partner Web
page(s).

- Authorized Partners. Authorized Partners generally consist of
organizations that provide security focused consulting and/or integration
services. Authorized Partners are also required to maintain a specified
level of resale, although at a more modest level than Premier Partners.
Authorized Partners can take advantage of many of the same benefits that
Premier Partners enjoy, including purchasing products directly from ISS,
sales and technical training, Web site access in order to place orders
and partner-only communications and a listing on our Partner Web page(s).

- Corporate Resellers. Although we have numerous reseller partners,
certain of these relationships generate unique and significant leverage
for us in targeted markets. Our corporate resellers provide broad
awareness of our brands through enhanced marketing activity, access to
large sales forces and access to larger, more strategic customer
opportunities.

Service Providers

Internet Security Systems works closely with leading global organizations
to expand the breadth and depth of their offerings to include product and
service solutions from ISS. Each of these providers integrates

11

and manages one or more ISS technology products as part of a larger service
offering, or resells ISS' Managed Security Services as an extension of its core
offerings.

Original Equipment Manufacturers

Agreements with OEMs enable them to incorporate our products into their own
product offerings to enhance their security features and functionality. We
receive royalties or other consideration from OEM vendors and increased
acceptance of our products under these arrangements, which, in turn, are
intended to promote sales of our other products to the OEM's customers.

Marketing Programs

We conduct a number of marketing programs to support the sale and
distribution of our products. These programs are designed to inform existing and
potential end-user customers and resellers about the capabilities and benefits
of our products. Marketing activities include:

- Press relations, industry analyst relations and education;

- Publication of technical and educational articles in both print and
online media, through our white papers, and through our own print and
online newsletters and/or magazines;

- Direct mail and email;

- Participation in industry tradeshows;

- Product/technology conferences, seminars, and web casts;

- Competitive analysis;

- Sales training;

- Advertising and development and distribution of marketing literature; and

- Maintenance of our Web site.

COMPETITION

The market for network security monitoring, detection and response
solutions is intensely competitive, and we expect competition to increase in the
future. We believe that the principal competitive factors affecting the market
for information security include security effectiveness, manageability,
technical features, performance, ease of use, price, scope of product offerings,
professional services capabilities, distribution relationships and customer
service and support. Although we believe that our solutions generally compete
favorably with respect to such factors, we cannot guarantee that we will compete
successfully against current or potential competitors, especially those with
significantly greater financial resources or brand name recognition.

INTELLECTUAL PROPERTY AND TRADEMARKS

We rely primarily on copyright, trademark, patent and trade secret laws,
confidentiality procedures and contractual provisions to protect our
intellectual property and other proprietary rights. We have obtained one United
States patent and have a number of patent applications pending in the United
States and certain foreign jurisdictions. We believe that the technological and
creative skills of our personnel, new product developments, frequent product
enhancements, our name recognition, our professional services capabilities and
delivery of reliable product maintenance are essential to establishing and
maintaining a technology leadership position. We cannot assure you that our
competitors will not develop technologies that are similar to ours. We generally
license our software products to end users in object code (machine-readable)
format. Some of our customers have required us to maintain a source-code escrow
account with a third-party software escrow agent, and a failure by us to perform
our obligations under any of the related license and maintenance agreements, or
our insolvency, could result in the release of our product source code to such
customers. The standard form license agreement for our software products allows
the end user to use our products solely on the end user's computer equipment for
the end user's internal purposes, and the end user is generally prohibited from
sublicensing or transferring the products.

12

Despite our efforts to protect our intellectual property, unauthorized
parties may attempt to copy aspects of our products or to obtain and use
information that we regard as proprietary. Policing unauthorized use of our
products is difficult. While we cannot determine the extent to which piracy of
our software products occurs, we expect software piracy to be a persistent
problem. In addition, the laws of some foreign countries do not protect our
proprietary rights to as great an extent as do the laws of the United States and
many foreign countries do not enforce these laws as diligently as U.S.
government agencies and private parties.

Internet Security Systems, the Internet Security Systems logo, Network ICE,
ICEpac, System Scanner, Wireless Scanner, SiteProtector, ADDME, AlertCon,
ActiveAlert, FireCell, FlexCheck, SecurePartner, SecureU, X-Force and X-Press
Update are trademarks and service marks, BlackICE is a licensed trademark and
Secure Steps, SAFEsuite, RealSecure, Internet Scanner, Database Scanner, Online
Scanner, the Network ICE logo and ICEcap are registered trademarks and service
marks, of Internet Security Systems, Inc. or its wholly-owned subsidiaries.

EMPLOYEES

As of December 31, 2002, we had 1,215 employees, of whom 297 were engaged
in product research and development, 326 were engaged in sales and marketing,
271 were engaged in customer service and support, 141 were engaged in
professional services, and 180 were engaged in administrative functions. We
believe that we have good relations with our employees.

ITEM 2. PROPERTIES

We currently lease two buildings totaling approximately 240,000 square feet
in Atlanta, Georgia for our headquarters and research and development facility.
A third building totaling approximately 62,000 square feet is currently under
construction and is scheduled for completion in June of 2003. The lease on these
three buildings expires in May 2013.

We lease additional office space in Chicago, Illinois; Mountainview,
California; Southfield, Michigan; New York, New York; and Washington, D.C., as
well as small executive suites in a number of United States cities. In addition,
we lease office space in Sao Paulo and Rio, Brazil; Brussels, Belgium; London
and Reading, England; Paris, France; Stuttgart, Germany; Stockholm and
Helsinborg, Sweden; Milan, Rome and Padova, Italy; Madrid, Spain; Zurich,
Switzerland; Amsterdam, Netherlands; Warsaw, Poland; Cairo, Egypt; Manila,
Philippines; Seoul, Korea; Sydney and Brisbane, Australia; Singapore; Osaka,
Japan; and Tokyo, Japan.

We believe that our existing facilities are adequate for our current needs
and that additional space will be available as needed.

ITEM 3. LEGAL PROCEEDINGS

Beginning on September 28, 2001, the Company and certain of its officers
and directors were named as defendants in several lawsuits alleging violations
of the federal securities laws, including Sections 10(b) and 20(a) of the
Securities Exchange Act of 1934, as amended, and Rule 10b-5 thereunder. Six such
actions were filed in the United States District Court for the Northern District
of Georgia. All six actions have been consolidated into a single case and the
court has appointed lead plaintiffs and lead plaintiff's counsel. The
consolidated amended complaint was filed October 9, 2002 and purports to be
brought on behalf of a class of investors who purchased the Company's stock
during the period from April 5, 2001 through August 14, 2001 (the "Class
Period"). The complaint generally alleges that the Company and the individual
defendants violated the anti-fraud provisions of the federal securities laws and
caused the Company's stock to trade at artificially high prices by making
misrepresentations relating to the Company's financial condition and prospects
during the Class Period. The complaint seeks damages in an unspecified amount.
On December 11, 2002, the Company and the individual defendants moved to dismiss
the consolidated amended complaint under the Private Securities Litigation
Reform Act of 1995. The Court has not yet ruled on that motion. The Company
believes that it has meritorious defenses and intends to defend the actions
vigorously.

ITEM 4. SUBMISSION OF MATTERS TO A VOTE OF SECURITY HOLDERS

No matter was submitted to a vote of our stockholders during the fourth
quarter of 2002.

13

PART II

ITEM 5. MARKET FOR REGISTRANT'S COMMON EQUITY AND RELATED STOCKHOLDER MATTERS

Our Common Stock is quoted on the NASDAQ National Market under the symbol
"ISSX". The following table lists the high and low per share sales prices for
the Common Stock as reported by the NASDAQ National Market for the periods
indicated:

As of March 12, 2003, there were 49,633,772 shares of our Common Stock
outstanding held by 289 stockholders of record.

We have never declared nor paid cash dividends on our capital stock. We
intend to retain any earnings for use in our business and do not anticipate
paying any cash dividends in the foreseeable future. Our Board of Directors will
determine future dividends, if any.

In October 2002, we issued approximately 966,000 shares of Common Stock as
consideration for all the issued and outstanding stock of privately held vCIS.
We also assumed all of the outstanding vCIS stock options, which totaled
approximately 35,000 shares of ISS common stock. These shares were issued in a
transaction exempt from registration under the Securities Act of 1933, as
amended.

In June 2001, we issued approximately 4,311,000 shares of Common Stock as
consideration for all the issued and outstanding stock of privately held Network
ICE Corporation. We also assumed all of the outstanding Network ICE stock
options, which totaled approximately 289,000 shares of ISS common stock. These
shares were issued in a transaction exempt from registration under the
Securities Act of 1933, as amended.

In August 2000, we issued approximately 29,100 shares of Common Stock as
consideration for all the issued and outstanding stock of privately held ISYI,
Inc. These shares were issued in a transaction exempt from registration under
the Securities Act of 1933, as amended.

On July 18, 2002 we announced our plan to repurchase up to $50 million of
Common Stock utilizing cash on hand and cash flow generated from operations over
the next twelve months. As of December 31, 2002 we had repurchased approximately
133,000 shares of Common Stock at a cost of approximately $2,034,000.

On July 11, 2002, the Board of Directors adopted a shareholder rights plan
and authorized and declared a dividend of one preferred share purchase right (a
"Right") for each outstanding share of Common Stock of the Company. The dividend
was paid on July 29, 2002 to the stockholders of record on that date. Stock
issued subsequent to July 29, 2002 will be issued with an attached Right. Each
Right will initially represent the right, under certain circumstances, to
purchase one one-thousandth of a share of Series A Junior Participating
Preferred Stock (the "Junior Preferred Stock") at a purchase price of $80 per
one one-thousandth of a share. If a person or group acquires beneficial
ownership of 20% or more of the then outstanding shares of the Company's Common
Stock (an "Acquiring Person"), the holder of a Right, upon exercise of the
Right, will thereafter have the right to receive, in lieu of shares of Junior
Preferred Stock, shares of the Company's Common Stock (or, in certain
circumstances, cash, property or other securities of the Company) having a value
equal to twice the purchase price of the Right.

14

The Rights expire on July 11, 2012. Generally, the Board of Directors may
redeem the Rights at a price of $.001 per Right (subject to adjustment) at any
time prior to the earlier of (i) the close of business on the tenth business day
following the date a person becomes an Acquiring Person or (ii) the expiration
date of the Rights. Prior to any person or group becoming an Acquiring Person,
the Company may amend the Rights Agreement at any time.

15

ITEM 6. SELECTED CONSOLIDATED FINANCIAL DATA

The financial data set forth below for each of the three years in the
period ended December 31, 2002 and as of December 31, 2001 and 2002 has been
derived from the audited consolidated financial statements appearing elsewhere
in this Annual Report on Form 10-K. The financial data for the years ended
December 31, 1998 and 1999 and as of December 31, 1998, 1999 and 2000, has been
derived from audited financial statements not included herein. This data should
be read in conjunction with the consolidated financial statements and notes
thereto, and with Item 7, Management's Discussion and Analysis of Financial
Condition and Results of Operations.

16

ITEM 7. MANAGEMENT'S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS
OF OPERATIONS

The following discussion should be read in conjunction with the
Consolidated Financial Statements and related Notes thereto included elsewhere
in this Annual Report on Form 10-K. Except for the historical financial
information, the matters discussed in this document may be considered
"forward-looking" statements. Such statements include declarations regarding our
current intent, belief or expectations. Such forward-looking statements are not
guarantees of future performance and involve a number of risks and
uncertainties. Actual results may differ materially from those indicated by such
forward-looking statements. Among the important factors that could cause actual
results to differ materially from those indicated by such forward-looking
statements as a result of certain factors, including, but not limited to, those
set forth under the "Risk Factors" heading below.

OVERVIEW

We are a global leader in information protection solutions dedicated to
protecting online assets. Our proactive line of defense solutions protects
networks, servers and desktops against an ever-changing spectrum of threats,
with a comprehensive line of products and services designed specifically for the
particular needs of enterprise, service provider and risk management markets.
These threat protection solutions go beyond basic access control to deliver
multiple layers of defense that detect, prevent and respond to threats prior to
those threats causing damage to our customers' business operations.

We provide a wide range of proactive protection solutions that spans
networks, servers and desktops, built around the need for comprehensive,
cost-effective detection, prevention and response arising from attacks, misuse
and security policy violations, all while promoting the confidentiality,
privacy, integrity and availability of proprietary information.

Our family of products is a critical element of an active Internet and
networking security program within today's world of global connectivity,
enabling organizations to proactively monitor, detect and respond to risks to
enterprise information. Our line of products is designed specifically for the
particular needs of enterprise, service provider, risk management, small
business and consumer markets.

Our managed services offerings currently provide remote management of our
best-of-breed security technology, focusing on security assessment and intrusion
detection systems, and include firewalls, VPNs, anti-virus and URL filtering
software. We focus on serving as the trusted security provider to our customers
by maintaining within our existing products the latest counter-measures to
security risks, creating new innovative products based on our customers' needs
and providing professional and managed services.

Many factors affect financial performance, and past performance is no
assurance of similar future performance. We expect, in the long-term, to
continue to expand our domestic and international sales and marketing
operations; increase our investment in product development including our
proprietary threat and vulnerability database and managed services capabilities;
seek acquisition candidates and alliances with partners whose products,
technologies or services capabilities are complementary to our solutions; and
improve our internal operating and financial infrastructure in support of our
strategic goals and objectives. At the same time, we expect to adjust our
organization size in light of changing economic conditions and maintain emphasis
on controlling discretionary spending and capital expenditures. While we believe
in the long-term success of our business solutions, our prospects must be
considered in light of the recent experience, risks and difficulties that are
frequently encountered by companies in new and rapidly evolving markets. See
"Risk Factors".

CRITICAL ACCOUNTING POLICIES

The consolidated financial statements were prepared in conformity with
accounting principles generally accepted in the United States. As such,
management is required to make certain estimates, judgments and assumptions it
believes are reasonable based upon the information available. These estimates
and assumptions affect the reported amounts of assets and liabilities at the
date of the financial statements and the reported amounts of revenues and
expenses during the periods presented. The significant accounting policies which

17

management believes are the most critical to aid in fully understanding and
evaluating our reported financial results include the following:

Revenue recognition

Revenue is recognized under Statement of Position ("SOP") 97-2 as modified
by SOP 98-9, when the following criteria have been met:

- persuasive evidence of an arrangement exists;

- delivery has occurred or services have been rendered;

- price is fixed or determinable; and

- collection is probable.

We recognize perpetual license revenues upon (1) delivery of software or,
if the customer has evaluation software, delivery of the software key and (2)
issuance of the related license, assuming that no significant vendor obligations
or customer acceptance rights exist. Where payment terms are extended over
periods greater than 12 months, revenue is recognized as such amounts become due
and payable. Product sales consist of (1) appliances sold in conjunction with
ISS licensed software and (2) software developed by third-party partners,
combined in some instances with associated hardware appliances and partner
maintenance services. These sales are recognized upon shipment to the customer
provided all other revenue recognition criteria are met.

License sales of enterprise products are generated both through a direct
sales force and through various partners, including system integrators,
value-added resellers and distributors. License revenue is recognized when the
end user sale has occurred, provided all other revenue recognition criteria are
met, which is identified through electronic delivery of a software key that is
necessary to operate the product. At the point of key delivery, the end-user has
no right of return.

License sales of consumer and small office products are made through a
distributor to retail establishments and are sold directly to customers via the
Internet. License revenue for sales made through resellers and distributors are
recognized only when the product is delivered to the end user provided all other
revenue recognition criteria are met.

Subscription revenues include maintenance, term licenses, and managed
service arrangements. Annual renewable maintenance is a separate component of
each perpetual license agreement for ISS products with revenue recognized
ratably over the maintenance term. Term licenses allow customers to use our
products and receive maintenance coverage for a specified period, generally 12
months. We recognize revenues from these term agreements ratably over the
subscription term. Security monitoring services of information assets and
systems are part of managed services and revenues are recognized as such
services are provided.

Professional services revenues include fee-based service engagements and
training. Service engagements, typically billed on a time-and-materials basis,
primarily focus on security assessments of customer networks and the development
of customers' security policies. We recognize such professional services
revenues as the related services are rendered.

Multiple element arrangements can include any combination of hardware,
software or services. When some elements are delivered prior to others in an
arrangement, revenue is deferred until the delivery of the last element unless
there is all of the following:

- vendor specific objective evidence (VSOE) of fair value of the
undelivered elements;

- the functionality of the delivered elements is not dependent on the
undelivered elements; and

- delivery of the delivered elements represents the culmination of the
earnings process.

Our historical rate of return for our software products is negligible. We
offer demonstration software available via download from our website that allows
potential customers to see the functionality of the

18

products on their own networks. We did not have any transactions in 2000, 2001
or 2002 involving reciprocal arrangements where goods or services were purchased
from an organization at the same time that we licensed software or provided
services to that organization.

Allowance for doubtful accounts

Our sales are global, with customers located in the United States, Europe,
Latin America and the Asia/Pacific regions. We perform periodic credit
evaluations of our customer's financial condition and do not require collateral.
Credit risk with respect to trade accounts receivable are limited due to the
large number of entities that comprise the Company's customer base. We provide
for estimated credit losses as such losses become probable. We evaluate specific
accounts when we become aware of a situation where a customer may not be able to
meet its financial obligations due to deterioration of its liquidity or
financial viability, credit ratings or bankruptcy. The allowance for doubtful
accounts is established based on the best facts available to us and is
reevaluated and adjusted as additional information is received. At December 31,
the 2002 allowance for doubtful accounts totals 4.7% of the $56.7 million of net
trade receivables.

Our provision for doubtful accounts for the year ended December 31, 2002
amounted to $2.1 million. This was an increase from $600,000 in 2000 and $1.6
million in 2001. Weakness in overall global economic conditions in 2001
increased our exposure to uncollectible accounts, explaining the increase in the
provision from 2000. The economic conditions in the Asia/Pacific region,
primarily in the northeast Asian markets of Japan, Korea and China, increased
our exposure to uncollectible accounts in 2002. We performed an internal
evaluation of the outstanding receivables in this region and increased our
provision by approximately $500,000 at December 31, 2002 for such estimated
losses. During 2002, we decreased the provision by $400,000 for allowances
specifically established for two customers that were successfully collected in
2002. Finally during 2002, in response to the difficult current economic
conditions, we wrote off approximately $1.9 million of receivables that were
deemed uncollectible due to the deteriorating condition of certain customers.

While actual credit losses have historically been within management's
expectations and the provisions established, we cannot guarantee that we will
continue to experience the same credit loss rates we have in the past. If the
financial condition of our customers were to deteriorate, resulting in an
impairment of their ability to make payments, additional allowances may be
required.

Impairment of goodwill

In July 2001, the Financial Accounting Standards Board issued Statement of
Financial Accounting Standards No. 142 ("SFAS No. 142"), Goodwill and Other
Intangible Assets. The Company adopted SFAS No. 142 as of January 1, 2002. SFAS
No. 142 requires companies to cease amortizing goodwill and establish a new
method for testing goodwill for impairment.

We review goodwill for impairment on an annual basis or on an interim basis
whenever events or changes in circumstances indicate that the carrying amount of
an asset may not be recoverable. All other long-lived and intangible assets are
reviewed for impairment whenever events or circumstances indicate that the
carrying amount of an asset may not be recoverable. Such impairment loss would
be measured as the difference between the carrying amount of the asset and its
fair value based on the present value of estimated future cash flows.
Significant judgment is required in the forecasting of future operating results,
which are used in the preparation of projected cash flows. Due to uncertain
market conditions and potential changes in our strategy and products, it is
possible that forecasts used to support our intangible assets may change in the
future which could result in significant non-cash charges that would adversely
affect our results of operations and financial condition.

We currently have intangible assets related to goodwill of approximately
$200 million, with $195 million related to our June 2001 acquisition of Network
ICE. The determination of whether or not this asset is impaired involves
significant judgments based upon short and long-term projections of future
performance. We have concluded that this amount is realizable based on
forecasted discounted cash flows through 2006 and on our stock market valuation.
Neither method indicated that our goodwill had been impaired and as a result, we
did not record any impairment losses related to goodwill during the year ended
December 31, 2002.

19

ACQUISITIONS

We believe that our total solutions approach will positively impact all of
our revenue categories. This includes our products and managed services
offerings, as well as maintenance and professional services and training. While
we expect the expansion of these product and service offerings to originate
primarily from internal development, our strategy includes acquiring products,
technologies and service capabilities that fit within our strategy and
potentially accelerate the timing of the commercial introduction of such
products and technologies.

On October 30, 2002, we completed the acquisition of privately held vCIS of
Santa Clara, California, a developer of patent-pending, next-generation,
pre-emptive behavioral inspection technology. The technology prevents malicious
code from executing and causing damage before it has an opportunity to interact
with the enterprise network. The aggregate purchase price was $19.6 million and
was primarily allocated to in-process research and development. In-process
research and development had not yet reached technological feasibility and was
required to be expensed at the time of acquisition under generally accepted
accounting principles ("GAAP"). As a result we incurred an expense of $18.5
million in the fourth quarter of 2002. Of the remaining purchase price, $1.2
million was allocated to the assembled workforce, which is being amortized over
3 years, $200,000 was allocated to net tangible assets, principally fixed
assets, and $300,000 of liabilities were assumed.

In August 2002, Internet Security Systems KK ("ISS KK"), our Asia-Pacific
subsidiary, acquired a distributor in Singapore, TriSecurity Holdings Pte Ltd.
("TriSecurity"). TriSecurity was the sole distributor for ISS KK in Southeast
Asia, including India, and its business was almost exclusively focused on ISS
solutions. This acquisition provides our Asia-Pacific subsidiary direct support
capabilities for their customers in Southeast Asia and allows ISS KK to expand
its capabilities in this growing market. The consideration consisted of 1,000
shares of ISS KK stock and approximately $1.2 million of cash. Goodwill of
approximately $4.0 million related to the purchase was recorded. There is
additional annual contingent consideration dependent on the achievement of
specified increasing levels of revenues and operating profits through 2004. The
total maximum additional consideration at December 31, 2002 is 490 shares of ISS
KK stock and any shares issued will be recorded as additional purchase price.

On June 5, 2001, we acquired 100% of the outstanding stock of Network ICE
Corporation, a privately held corporation based in San Mateo, California.
Network ICE was a leading developer of desktop intrusion protection technology
and highly scalable security management systems. The merger was accounted for as
a purchase and, accordingly, the operating results of Network ICE are included
in the consolidated financial statements of ISS from the date of acquisition.
Substantially all of the aggregate purchase price of $237.6 million was
allocated to goodwill, with the remainder allocated to identified intangibles,
including in-process research and development, developed technology, customer
relationships, and to deferred compensation related to stock options assumed.

20

RESULTS OF OPERATIONS

The following table sets forth our consolidated historical operating
information, as a percentage of total revenues, for the periods indicated:

REVENUES

Product licenses and sales

Product licenses and sales, including perpetual licenses and sales of
partner software and hardware appliances, have been relatively flat at between
$119 million and $122 million for the last three years. They continue to be the
primary, but decreasing, source of revenue generation at 62% of total revenues
in 2000, 55% in 2001 and 50% in 2002 as subscription revenues have grown
significantly. Within this revenue category, perpetual licenses of our products
have grown each year, but the increase has been offset by the decrease in sales
of third-party products.

The movement away from direct sales of third-party products was a conscious
effort to simplify our business by focusing on our own ISS solutions. The
business of selling third-party products arose from our Netrex acquisition in
1999. We continue the sales of third-party products as part of our managed
services offerings, otherwise de-emphasizing the direct sales of third party
products. Third-party product revenues decreased as a percentage of total
revenues from 16% in 2000 to 8% in 2001 and 3% in 2002. It is our intent to
limit future third-party sales to current MSS related offerings or delivery of
ISS solutions in appliance offerings that are planned for 2003.

Subscriptions

Subscriptions revenue represented 21% of total revenues in 2000 and
increased to 30% of total revenues in 2001 and to 38% in 2002. Subscription
revenues consist of maintenance, term licenses of product usage and
security-monitoring fees for managed services offerings. The increase in
subscriptions revenue as a percentage of total revenues was primarily due to an
increase in maintenance revenues, the largest component, which grew from 13% of
total revenues in 2000 to 20% in 2001 and to 27% in 2002. We continue to
increase our software client base that generates maintenance revenues, through a
combination of maintenance contracts associated with new product licenses and a
high renewal rate of existing contracts.

21

Managed services revenues accounted for 8% of total revenues in the year
2002, as compared with 6% in the year 2001 and 4% in the year 2000. This
increase was a result of our continued focus on our intrusion protection
offerings, partially offset by decreasing non-core service offerings during
2001. Specifically, we eliminated a security offering combined with internet
service provider services in the last quarter of 2001, and eliminated contracts
where the partner contracted for capacity, but did not achieve the underlying
end-user contracts. In addition, we have had some customers bring firewall
management in-house. As a result, management of our products is a larger portion
of our managed services business, which we perceive as providing long-term value
to our customers.

Professional services

Professional services revenue decreased both in absolute dollars and as a
percentage of total revenue from 15% in 2001 to 12% in 2002. This followed an
increase in absolute dollars in 2001, but a decrease from 17% of revenues in
2000 to 15% in 2001. During 2001 we began narrowing our consulting offerings to
focus on services that directly contribute to our protection platform strategy.
This strategy continued in 2002 as we focused on high-value offerings that
utilize our X-Force expertise, and choose to use partners to provide deployment
and other offerings where appropriate. At the same time, services were impacted
by decreased customer spending as entities curtailed costs in the second half of
2001 and continued to limit discretionary dollars on professional services in
2002.

Over the past three years we have also decreased the number of education
classes related to third-party products and increased our emphasis on courses
related to ISS solutions. In the future, we intend to have more of our developed
course materials delivered to our customers through authorized training centers
rather than at our locations.

Geographic regions

Geographically, we derived the majority of our revenues from sales to
customers within the Americas region. Revenues by region represented the
following percentages of total revenues:

Revenues in EMEA and Asia/Pacific for 2002 remained consistent with 2001,
with Asia/Pacific down minimally due to difficult economic conditions in
portions of the region in the latter part of 2002. The financial data for each
segment can be found in Note 10 to the Consolidated Financial Statements in Item
14.

COSTS AND EXPENSES

Personnel and related costs represent our largest expense category. We
consistently increased our quarterly headcount for several years until July
2001, when we resized the business as the result of disappointing sales results
in the quarter ended June 30, 2001. This resizing included personnel reductions
in all areas of the business and decreases in various operating expenses, with
emphasis also on controlling discretionary spending and capital expenditures.

Cost of product licenses and sales

Cost of product licenses and sales consists of several components. Costs
associated with licensing our products are minor. Substantially all of the cost
of product licenses and sales represents payments to partners for their products
that we integrate with our products or directly provide to our customers as part
of a single solution source. Costs of product revenues as a percentage of total
revenues decreased from 12% in 2000 to 6% in 2001 and to 3% in 2002, as sales of
partner software and hardware appliances represented a lower percentage of total
revenues. The continued decrease as a percent of revenue is consistent with our
movement

22

away from the direct sales of third-party products, except where related to ISS
managed services or associated with the delivery of ISS products, such as future
appliance offerings.

Cost of subscriptions and professional services

Cost of subscriptions and services includes the cost of our technical
support personnel who provide assistance to customers under maintenance
agreements, the security operations center ("SOC") costs of providing managed
security monitoring services and the costs related to our professional services
and training. These costs as a percentage of total revenues were 19% in 2000,
23% in 2001 and 21% in 2002.

The percentage increase in cost of subscriptions and professional services
from 19% in 2000 to 23% in 2001 is a result of our significant commitment to
subscription and professional services revenues. We expanded our managed
security offering capabilities in terms of automated systems, number of managed
security operations centers and personnel resources. We made an increased
investment in automated systems and personnel resources for our Asia/Pacific
SOC, which began operating in the third quarter of 2001. We added professional
services capabilities and more automated technical support programs throughout
2000 and early 2001. As we narrowed the scope of our professional service and
educational offerings in the latter half of 2001, we reduced personnel in the
consulting and education groups to achieve appropriate gross margins at expected
revenue levels.

As a result of our effort to focus on core professional services combined
with the difficult economic conditions, costs associated with our professional
services and education services decreased as a percentage of total revenues from
2001 to 2002. Costs were controlled through a reduction in personnel that began
in the third quarter of 2001, a narrowing of our consulting offerings to focus
on services that directly contribute to our protection platform strategy, and a
decrease in the number of training classes related to third party products.

Costs associated with our technical support personnel and our security
operations centers increased in 2002 to handle our increasing customer base. As
our subscription revenue base increased we added personnel to handle additional
customers under maintenance agreements and under managed security monitoring
services, but at a much lower rate than revenue growth. We gained efficiencies
in our security operations centers and restructured our support groups to be
more productive. While we continue to seek increased productivity, we do expect
to increase costs with a continued increase in revenues in the future.

Research and development

Research and development expenses consist of salary and related costs of
research and development personnel, including costs for employee benefits, and
depreciation on computer equipment. These costs include those associated with
maintaining and expanding the X-Force, our internal team of security experts. We
believe our primary research and product development and managed service
offerings are important to retaining our leadership position in the market.

We continue to add functionality to our product family, providing network,
server and desktop-based solutions, as well as to our security management
applications. In 2002, we provided enhancements to our RealSecure Protection
platform by releasing RealSecure Network Protector 7.0, RealSecure Server Sensor
3.5 and RealSecure Desktop Protector 3.5. These releases provided several
enhancements, including the combining of signature-based and anomaly detection
technologies, improved scalability and the ability to block network traffic as
well as new protection from malicious application execution. In the first
quarter of 2002, we released RealSecure SiteProtector 1.0, an integrated
centralized enterprise management console system of our network, server and
desktop protection agents. We also provided enhancements to our vulnerability
assessment products as well as RealSecure Guard, RealSecure Sentry and
RealSecure Gigabit Sentry. These improvements as well as new offerings are
intended to provide our customers with more powerful and easier-to-use solutions
for security management across the enterprise.

Research and development expenses increased in absolute dollars from $31.3
million in 2000 to $35.4 million in 2001 and remained constant at 16% of total
revenues in both fiscal years. This increase in absolute dollars is primarily
due to the increase in the number of our development personnel focused on our

23

best-of-breed products, enterprise applications, managed services offerings and
research for future product offerings, including the addition of approximately
20 engineers from the June 2001 Network ICE acquisition. In 2002, these expenses
decreased slightly in absolute dollars to $35.3 million, and decreased to 15% of
total revenues as we were able to gain leverage by continuing to provide new
product offerings and enhancements without an increase in research and
development expenses. Our development group headcount increased in the fourth
quarter of 2002 due to the addition of 20 engineers from the vCIS acquisition.

While we are committed to continue our investment in X-Force research
capabilities that we believe to be a differentiator for ISS, we intend to
continue to seek more leverage in the research and development area while
enhancing current technologies and developing new technologies.

Sales and marketing

Sales and marketing expenses consist of salaries, travel expenses,
commissions, advertising, maintenance of our website, trade show expenses, costs
of recruiting sales and marketing personnel and costs of marketing materials.
Sales and marketing expenses were $68.0 million in 2000, $92.0 million in 2001
and $93.7 million in 2002.

Sales and marketing expenses increased to 41% of total revenues in 2001
from 35% in 2000 due to several factors. More difficult economic conditions in
2001 resulted in increased sales and marketing efforts in order to achieve our
targets, especially after our disappointing results for the second quarter of
2001. Additionally, we incurred severance costs in the third quarter of 2001 as
a result of our headcount reduction.

Gaining leverage in sales and marketing was a key objective for us in 2002,
and we were able to decrease these expenses as a percentage of total revenues to
39% in 2002. This occurred partly because we resized our operations in the third
quarter of 2001, resulting in personnel reductions and decreases in various
operating expenses. In areas where revenue demand did not support our cost base,
such as Latin America and Europe, we reduced headcount further in the third
quarter of 2002. At the same time, we have increased headcount where we believe
there are near-term opportunities, such as our United States public sector,
which handles opportunities on the federal, state and local levels. We also
continue to achieve leverage in our sales and marketing efforts by focusing our
direct sales force and continued expansion of the channel as a source of product
sales. The channel continues to be an important source of global revenue for us
as we use its capabilities to reach not just departmental and small companies,
but larger customers as well. Although we decreased our sales and marketing
expenses as a percentage of total revenues, we did increase our advertising
costs. In the first half of 2002, we launched our first television and print
advertising campaign designed to demonstrate the multitude of threats that can
compromise the security of a company's networks, servers or desktops. This
campaign was aimed at increasing awareness of the ISS brand, especially at the
mainstream business market.

We intend to continue to expand our channel sales capabilities, focus on
controlling discretionary spending and capital expenditures and adjust our
organization in light of economic conditions. While we expect to continue to
gain leverage in our sales and marketing costs in the future, our ability to do
so will be largely dependent on economic and competitive conditions in future
periods.

General and administrative

General and administrative expenses of $14.5 million in 2000, $20.4 million
in 2001 and $24.3 million in 2002, represented approximately 7% of our total
revenues in 2000, 9% in 2001 and 10% in 2002. General and administrative
expenses consist of personnel-related costs for executive, administrative,
finance and human resources, internal information systems and other support
services costs, and legal, accounting and other professional service fees.

The increase in these expenses from 2000 to 2001 is partially attributable
to our efforts, through additional employees and systems, to enhance our
management's ability to obtain and analyze information about our domestic and
international operations, and to support a larger employee base, as well as the
expansion of our facilities. In November 2000 we began occupying our corporate
headquarters in Atlanta and

24

moved the balance of our Atlanta personnel in the first quarter of 2001,
incurring expenses associated with the move. The third quarter of 2001 included
severance, contract termination and office consolidation costs that caused
general and administrative costs to increase in this period.

The increase in general and administrative expenses from 2001 to 2002
includes non-recurring expenses associated with a relocation of our Asia/Pacific
headquarters in Tokyo during the second quarter of 2002. Costs included lease
termination costs, including remaining rent payments, write-off of leasehold
improvements and moving costs. Excluding this impact, general and administrative
expenses remained at 9% of total revenues in 2002.

Write-off of lease obligation

In the first quarter of 2001, we completed the relocation of our Atlanta
personnel into our corporate headquarters. We recorded a $1.1 million charge
resulting from the write-off of the remaining lease obligation through June 2002
on our previous Atlanta headquarters office space. This non-recurring expense
originated in the first quarter of 2001, as available subleased space in the
area grew substantially in the quarter as the result of layoffs, closures and
consolidations, reducing the prospects of subleasing our old space.

Charge for in-process research and development

We have reflected charges of $2.9 million in 2001 and $18.5 million in 2002
for the write-offs of in-process research and development costs associated with
the Network ICE acquisition in June 2001 and the vCIS acquisition in October
2002. In-process research and development had not reached technological
feasibility based on identifiable technological risk factors which indicated
that even though successful completion was expected, it was not assured at the
acquisition date and was immediately charged to operations.

vCIS was developing a protection kernel that uses behavior analysis
technology to identify viruses, Trojans, worms, and other forms of malicious
code. The technology operates on classes of viruses rather than on individual
viruses. It conducts real time assessments of all executable program files, in a
safe environment, and cleans the files before they are allowed to execute within
an actual system. At the time the merger transaction was concluded, the vCIS
technology had not reached technological feasibility. vCIS had no marketable
product and several key components of the technology had not been completed.
Furthermore, the company has not identified any alternative uses for the
technology at its current stage of development.

The value of the vCIS in-process technology was estimated using the
excess-earnings method, a form of the income approach that quantifies the cash
flow attributable to intangible assets. The excess-earnings method captures the
value of an intangible asset by discounting to present value the earnings of the
asset that remain after a deduction for a return on contributory assets.
Contributory assets normally include working capital, fixed assets, and other
intangible assets.

After a fair return on tangible and other intangible assets is subtracted,
the remaining excess cash flow is attributed to the intangible asset being
valued. The excess-earnings method explicitly recognizes that the current value
of an investment is premised upon the expected receipt of future economic
benefits, such as cost savings, periodic income, or sale proceeds. Indications
of value are developed by discounting future net cash flows attributed to the
technologies to their present value at a rate that reflects the current return
requirements of the market and, in the case of the in-process technology, the
risks inherent in the completion of the development efforts.

For purposes of valuing the in-process research and development, ISS
management projected revenue and costs for the vCIS business.

The company identified three potential applications for the technology that
had differing time tables for completion. In identifying the potential future
cash flow from the technology, the first two applications were assumed to be
generally available in early to mid 2003, while the last of the three was
assumed to be generally available at the beginning of 2004. Total cost to
complete the technology for use in all three applications was assumed to be $3.5
million. These assumptions have a degree of uncertainty given that this is new,
unproven

25

technology. As evidence of such uncertainty, the timing of the availability of
these applications has been extended to either the latter part of 2003 or the
first half of 2004.

The technology was assumed to have a total life of 15 years, however,
revenue attributable to the technology was assumed to begin decreasing after
approximately 8 years. Revenue attributable to the technology was assumed to be
$4.9 million for 2003 and is assumed to grow at various rates averaging
approximately 40% until 2011 when it begins decreasing. We have assumed costs of
goods sold, including cost of providing support, to be 15% of revenue. In
addition, general and administrative expenses are assumed to be 7.5% of revenue
and selling and marketing expenses are assumed to be 30% of revenue. When
computing the discounted cash flows associated with each potential application,
we adjusted the discount rate to reflect the different level of risk associated
with longer development cycle. In other words, because the third application
required more additional development that the other two, there is a higher level
of risk that this project will ultimately be successful. An independent investor
would require a higher rate of return to compensate for this additional risk.
The discount rate used to determine present value was 42% for the two earlier
applications, and 55% for the last application.

Amortization

We incurred amortization expense related to intangible assets and
stock-based compensation of $674,000 in 2000, $5.2 million in 2001 and $5.7
million in 2002. These intangible assets and stock-based compensation resulted
from acquisitions accounted for under the purchase method of accounting and are
amortized over their useful lives. The increase from 2000 to 2001 resulted from
our June 2001 acquisition of Network ICE. Intangibles from acquisitions will
continue to be amortized over their useful lives.

Effective January 1, 2002, under the provisions of SFAS 142 goodwill will
no longer be amortized, but will be subject to annual tests for impairment.
Based on the results of our impairment analysis for 2002, amortization charges
related to goodwill were eliminated in 2002 after totaling $26.5 million in
2001.

Interest income

Net interest income decreased from $8.4 million in 2000 to $6.3 million in
2001 and to $3.2 million in 2002. The decrease in interest income year over year
resulted from lower market rates of interest on debt securities. The market rate
of interest paid on investment quality commercial paper and similar investments
dropped from approximately 6.5% during 2000 to approximately 4.5% during 2001
and dropped to approximately 2% for 2002. As a result, interest income decreased
despite an increase in cash and cash equivalents and interest-bearing marketable
securities.

Minority interest

Minority interest totaled $336,000 in 2001 and $187,000 in 2002. Minority
interest represents the portion of earnings that would be distributed to shares
not held by us if the Asia-Pacific subsidiary declared a dividend equal to its
earnings. This minority interest was created from the March 2001 sales of
approximately 2% of the outstanding shares of the Asia-Pacific Rim subsidiary to
employees and key partners and the September 2001 sales of newly issued shares
equal to approximately 10% of its previously outstanding shares in an initial
public offering on the Japan over-the counter market.

Other income, net

Other income of $15.1 million in 2001 includes a gain of $13.6 million from
an initial public offering on the Japan over-the-counter market by our
subsidiary responsible for Asia/Pacific operations. Proceeds of the IPO were
retained by the subsidiary. The gain represents the amount by which the offering
price exceeded the carrying amount of subsidiary stock in accordance with Staff
Accounting Bulletin No. 51 ("SAB 51"). It also includes a $1.6 million gain from
the sale of approximately 2% of the outstanding shares of our Asia/Pacific
subsidiary that was recorded in March 2001 in accordance with SAB 51. As part of
the planning for an IPO in Japan of a minority interest in our Asia/Pacific
subsidiary, which was completed in September 2001, options were granted in the
subsidiary as a means of key employee retention and approximately 2% of the
outstanding

26

shares were sold to employees and key partners. The gain represents the
difference between proceeds received and the underlying basis in the stock.

In 2002, other income of $3.9 million includes a third quarter gain of $2.6
million related to the issuance of subsidiary shares in connection with the
acquisition of TriSecurity Holdings Pte Ltd. The Company reported a gain on the
difference between the fair market value of the shares issued and the book value
of those shares in accordance with SAB 51 adopted by the company. It also
includes a $1.9 million gain recorded in the second quarter of 2002 on the sale
of an investment in an ISS distributor in Japan. The shares of the publicly
traded company were acquired when the distributor was privately held and were
subsequently sold on the open market.

Foreign currency exchange gain (loss)

The exchange loss of $331,000 in 2000 and $82,000 in 2002 and the exchange
gain of $175,000 in 2001 are a result of fluctuations in currency exchange rates
between the U.S. Dollar and other currencies, primarily the Euro and the
Japanese Yen and changes in value of assets and liabilities that are denominated
in foreign currencies.

Provision for income taxes

We recorded a provision for income taxes of $10.3 million in 2000, $12.5
million in 2001, and $13.1 million in 2002. While income tax expense was
recorded on domestic income for each year, taxes payable were reduced by
deductions related to the value of employee exercise of stock options. The tax
benefit for the use of these stock option deductions was recorded as additional
paid-in capital. Taxes paid generally relate to foreign operations.

The effective tax rate was 36%, (426)%, and 88% for 2000, 2001, and 2002,
respectively. The effective rates for 2001 and 2002 differ from the statutory
rate due to the impact of acquisition related intangibles that are not
deductible for income tax purposes.

As of December 31, 2002, we had net operating loss carryforwards of
approximately $53 million related to stock option deductions that expire in
varying amounts between 2011 and 2021. The tax benefit for this carryforward
will be recorded as additional paid-in-capital when it is realized. We also have
approximately $6 million of research and development tax credit carryforwards,
which expire between 2011 and 2022 and foreign tax credit carryforwards of $1.9
million that expire between 2006 and 2007.

LIQUIDITY AND CAPITAL RESOURCES

Our financial position remained strong throughout 2002 despite a general
economic downturn. Our cash and cash equivalents and marketable security
investments increased from $163.1 million at December 31, 2001 to $202.3 million
at December 31, 2002. Our investments in marketable securities consist solely of
highly rated debt obligations with maturities of 12 months or less.

During 2002, we met our working capital needs and capital equipment needs
with cash provided by operations. Cash provided by operations in 2002 totaled
$48.9 million compared to $39.4 million in 2001 and $20.5 million in 2000.
Accounts receivable, net of acquisitions, increased $5.2 million in 2002
compared to a decrease of $9.3 million in 2001 and an increase of $28.7 million
in 2000. These changes were primarily the result of changes in sales levels in
the fourth quarter of the respective periods, decreasing from 2000 to 2001 and
increasing from 2001 to 2002. We measure our accounts receivable management by
our daily sales outstanding (DSO). This is a measurement of accounts receivable
divided by billings in the quarter, represented by the sum of revenues plus the
change in the deferred revenues liability account balance. This measurement was
77, 78 and 77 days at December 31, 2000, 2001 and 2002, respectively.

Our investing activities of $15.6 million in 2002 included the purchase of
$81.1 million of intermediate term marketable securities, primarily
interest-bearing government obligations and commercial paper, offset by net
proceeds from the maturity of marketable securities of $82.0 million. These
assets have quality characteristics similar to cash equivalents, except their
maturities when we acquire them are longer than three

27

months. Since the initial phase of our Atlanta headquarters facility was
completed in 2001 and the growth in our employment has slowed, we were able to
decrease our equipment investment. We invested in equipment totaling $10.9
million in 2002 compared to $31.7 million in 2001, as we provided existing and
new personnel with improved computer hardware and incurred leasehold improvement
costs related primarily to a new Asia/Pacific headquarters in Tokyo.

Our financing activities provided $3.7 million of cash in 2002. Our
financing activities consisted of proceeds from the exercise of stock options by
our employees and from the issuance of common stock through our Employee Stock
Purchase Plan, and the use of cash to repurchase shares of our common stock. In
July 2002 we announced our plan to repurchase up to $50 million of our common
stock over the following twelve months utilizing cash on hand and cash flow
generated from operations. In 2002 we purchased 133,000 shares of our common
stock on the open market at an aggregate cost of $2.0 million.

Other than our non-cancelable operating leases for office space, we have no
off-balance sheet financing arrangements, any relationships with "structured
finance" or "special purpose" entities, or any contractual obligations that
would impact our liquidity. Payments for certain operating leases are secured by
three collateralized stand-by letters of credit totaling approximately $11.3
million. The stand-by letters of credit are annually renewable over the duration
of the applicable leases. We do not anticipate utilizing these stand-by letters
of credit to provide any liquidity needs.

At December 31, 2002, we had $202.3 million of cash and cash equivalents
and marketable securities, consisting primarily of money market accounts and
investment grade commercial paper. An additional $14.7 million of commercial
paper investments are pledged as collateral for stand-by letters of credit
related to the operating leases of our facilities and are shown on the balance
sheet as restricted marketable securities. We believe that such cash and cash
equivalents and marketable securities will be sufficient to meet our working
capital needs and capital expenditures for the foreseeable future. Furthermore,
we are not aware of any trends, events, or uncertainties that are reasonably
likely to result in any significant change to our liquidity. From time to time,
we evaluate possible acquisition and investment opportunities in businesses,
products or technologies that are complementary to ours. In the event we
determine to pursue such opportunities, we may use our available cash and cash
equivalents and marketable securities for this purpose. Pending such uses, we
will continue to invest our available cash in investment grade, interest-bearing
investments.

RISK FACTORS

Forward-looking statements are inherently uncertain as they are based on
various expectations and assumptions concerning future events and are subject to
known and unknown risks and uncertainties. Our forward-looking statements
contained in this Annual Report and elsewhere should be considered in light of
the following important risk factors. Variations from our stated intentions or
failure to achieve objectives could cause actual results to differ from those
projected in our forward-looking statements. With respect to our business
outlook published in our earnings press release each quarter, you may continue
to rely on the revenue and earnings expectations prior to the start of our
"quiet period" unless we have published a notice stating otherwise. Toward the
end of each quarter, we have a "quiet period" when we will not comment
concerning the previously published financial expectations, and we disclaim any
obligation to update during the quiet period. The public should not rely on
previously published expectations during the "quiet period". The "quiet period"
runs from the 15th of the last month of the quarter until our earnings release
during the first month of the following quarter. We otherwise undertake no
obligation to update publicly any forward-looking statements for any reason,
even if new information becomes available or other events occur in the future.

We Operate in a Rapidly Evolving Market

We operate in a new and rapidly evolving market and must, among other
things:

- respond to competitive developments;

- continue to upgrade and expand our product and services offerings; and

- continue to attract, retain and motivate our employees.

28

We cannot be certain that we will successfully address these issues. As a
result, we cannot assure our investors that we will be able to continue to
operate profitably in the future.

Our Future Operating Results Will Likely Fluctuate Significantly

We cannot predict our future revenues and operating results with certainty.
However, we do expect our future revenues and operating results to fluctuate due
to a combination of factors, including:

- the growth in the acceptance of, and activity on, the Internet and the
world wide web, particularly by corporate, institutional and government
users;

- the extent to which the public perceives that unauthorized access to and
use of online information are threats to network security;

- the volume and timing of orders, including seasonal trends in customer
purchasing;

- our ability to develop new and enhanced product and managed service
offerings and expand our professional services capabilities;

- the introduction of ISS branded appliances, including increased cost of
goods sold;

- our ability to provide scalable managed services offerings through our
partners in a cost effective manner;

- foreign currency exchange rates that affect our international operations;

- product and price competition in our markets; and

- general economic conditions, both domestically and in our foreign
markets.

We increasingly focus our efforts on sales of enterprise-wide security
solutions, which consist of our entire product suite and related professional
services, and managed security services, rather than on the sale of component
products. As a result, each sale requires substantial time and effort from our
sales and support staff. In addition, the revenues associated with particular
sales vary significantly depending on the number of products licensed by a
customer, the number of devices used by the customer and the customer's relative
need for our professional services. Large individual sales, or even small delays
in customer orders, can cause significant variation in our license revenues and
results of operations for a particular period. The timing of large orders is
usually difficult to predict and, like many software and services companies,
many of our customers typically complete transactions in the last month of a
quarter.

We cannot predict our operating expenses based on our past results.
Instead, we establish our spending levels based in large part on our expected
future revenues. As a result, if our actual revenues in any future period fall
below our expectations, our operating results likely will be adversely affected
because very few of our expenses vary with our revenues. Because of the factors
listed above, we believe that our quarterly and annual revenues, expenses and
operating results likely will vary significantly in the future.

Our ability to provide timely guidance and meet the expectations of
investors with respect to our operating and financial results is impacted by the
tendency of a majority of our sales to be completed in the last month of a
quarter. We may not be able to determine whether we will experience material
deviations from guidance or expectations until the end of a quarter.

We Face Intense Competition in Our Market

The market for network security monitoring, detection and response
solutions is intensely competitive, and we expect competition to increase in the
future. We cannot guarantee that we will compete successfully against our
current or potential competitors, especially those with significantly greater
financial resources or brand name recognition. Our chief competitors generally
fall within one of five categories:

- internal information technology departments of our customers and the
consulting firms that assist them in formulating security systems;

29

- relatively smaller software companies offering relatively limited
applications for network and Internet security;

- large companies, including Symantec Corp. and Cisco Systems, Inc., that
sell competitive products and offerings, as well as other large software
companies that have the technical capability and resources to develop
competitive products;

- software or hardware companies like Cisco Systems, Inc. that could
integrate features that are similar to our products into their own
products; and

- small and large companies with competitive offerings to components of our
managed services offerings.

Mergers or consolidations among these competitors, or acquisitions of small
competitors by larger companies, represent risks. For example, Symantec's
acquired Recourse Technologies and Riptech Inc. in the third quarter of 2002 and
Cisco recently announced agreements to acquire Psionic Software, Inc. and Okena,
Inc. These acquisitions will make these entities potentially more formidable
competitors to us if such products and offerings are effectively integrated.
Large companies may have advantages over us because of their longer operating
histories, greater name recognition, larger customer bases or greater financial,
technical and marketing resources. As a result, they may be able to adapt more
quickly to new or emerging technologies and changes in customer requirements.
They can also devote greater resources to the promotion and sale of their
products than we can. In addition, these companies have reduced and could
continue to reduce, the price of their security monitoring, detection and
response products and managed security services, which increases pricing
pressures within our market.

Several companies currently sell software products (such as encryption,
firewall, operating system security and virus detection software) that our
customers and potential customers have broadly adopted. Some of these companies
sell products that perform the same functions as some of our products. In
addition, the vendors of operating system software or networking hardware may
enhance their products to include the same kinds of functions that our products
currently provide. The widespread inclusion of comparable features to our
software in operating system software or networking hardware could render our
products obsolete, particularly if such features are of a high quality. Even if
security functions integrated into operating system software or networking
hardware are more limited than those of our software, a significant number of
customers may accept more limited functionality to avoid purchasing additional
software.

For the above reasons, we may not be able to compete successfully against
our current and future competitors. Increased competition may result in price
reductions, reduced gross margins and loss of market share.

We Face Rapid Technological Change in Our Industry and Frequent Introductions
of New Products

Rapid changes in technology pose significant risks to us. We do not control
nor can we influence the forces behind these changes, which include:

- the extent to which businesses and others seek to establish more secure
networks;

- the extent to which hackers and others seek to compromise secure systems;

- evolving computer hardware and software standards;

- changing customer requirements; and

- frequent introductions of new products and product enhancements.

To remain successful, we must continue to change, adapt and improve our
products in response to these and other changes in technology. Our future
success hinges on our ability to both continue to enhance our current line of
products and professional services and to introduce new products and services
that address and respond to innovations in computer hacking, computer technology
and customer requirements. We cannot be sure that we will successfully develop
and market new products that do this. Any failure by us to timely develop and
introduce new products, to enhance our current products or to expand our
professional services

30

capabilities in response to these changes could adversely affect our business,
operating results and financial condition.

Our products involve very complex technology, and as a consequence, major
new products and product enhancements require a long time to develop and test
before going to market. Because this amount of time is difficult to estimate, we
have had to delay the scheduled introduction of new and enhanced products in the
past and may have to delay the introduction of new and enhanced products in the
future.

The techniques computer hackers use to gain unauthorized access to, or to
sabotage, networks and intranets are constantly evolving and increasingly
sophisticated. Furthermore, because new hacking techniques are usually not
recognized until used against one or more targets, we are unable to anticipate
most new hacking techniques. To the extent that new hacking techniques harm our
customers' computer systems or businesses, affected or prospective customers may
believe that our products are ineffective, which may cause them or prospective
customers to reduce or avoid purchases of our products.

Risks Associated with Our Global Operations

The expansion of our international operations includes our presence in
dispersed locations throughout the world, including throughout Europe and the
Asia/Pacific and Latin America regions. Our international presence and expansion
exposes us to risks not present in our U.S. operations, such as:

- the difficulty in managing an organization spread over various countries
located across the world;

- compliance with, and unexpected changes in, a wide range of complex
regulatory requirements in countries where we do business;

- increased financial accounting and reporting burdens and complexities and
potentially adverse tax consequences;

- excess taxation due to overlapping tax structures;

- fluctuations in foreign currency exchange rates resulting in losses or
gains from transactions and expenses denominated in foreign currencies;

- reduced protection for intellectual property rights in some countries;

- reduced protection for enforcement of creditor and contractual rights in
some countries; and

- import and export license requirements and restrictions on the import and
export of certain technology, especially encryption technology and trade
restrictions.

We rely on distributors extensively in the Asia/Pacific region for the sale
and distribution of our products. Further, countries in the Asia/Pacific region,
particularly China, Japan and Korea, have experienced weakness in their
currency, banking and equity markets. These weaknesses could continue to
adversely affect our distributors' ability to pay us and adversely affect demand
for our products in the Asia/Pacific region. Despite these risks, we believe
that we must continue to expand our operations in international markets to
support our growth. To this end, we intend to establish additional foreign sales
operations, expand our existing offices, hire additional personnel, expand our
international sales channels and customize our products for local markets. If we
fail to execute this strategy, our international sales growth will be limited.

Our Networks, Products and Services May be Targeted by Hackers

Like other companies, our websites, networks, information systems, products
and services may be targets for sabotage, disruption or misappropriation by
hackers. As a leading network security solutions company, we are a high profile
target. Although we believe we have sufficient controls in place to prevent
disruption and misappropriation, and to respond to such situations, we expect
these efforts by hackers to continue. If these efforts are successful, our
operations, reputation and sales could be adversely affected.

31

We Must Successfully Integrate Acquisitions

As part of our growth strategy, we have and may continue to acquire or make
investments in companies with products, technologies or professional services
capabilities complementary to our solutions. When engaging in acquisitions, we
could encounter difficulties in assimilating or completing the development of
the technologies, new personnel and operations into our company. These
difficulties may disrupt our ongoing business, distract our management and
employees, increase our expenses and adversely affect our results of operations.
These difficulties could also include accounting requirements, such as
impairment charges related to goodwill or expensing in-process research and
development costs as occurred in the fourth quarter of 2002 related to the
acquisition of vCIS. We cannot be certain that we will successfully overcome
these risks with respect to any future acquisitions or that we will not
encounter other problems in connection with our recent or any future
acquisitions. In addition, any future acquisitions may require us to incur debt
or issue equity securities. The issuance of equity securities could dilute the
investment of our existing stockholders.

We Depend on Our Intellectual Property Rights and Use Licensed Technology

We rely primarily on copyright, trademark, patent and trade secrets laws,
confidentiality procedures and contractual provisions to protect our proprietary
rights. We have obtained one United States patent and have a number of patent
applications pending, as well as numerous trademarks and trademark applications
pending. We believe that the technological and creative skills of our personnel,
new product developments, frequent product enhancements, our name recognition,
our professional services capabilities and delivery of reliable product
maintenance are essential to establishing and maintaining our technology
leadership position. We cannot assure you that our competitors will not develop
technologies that are similar to ours.

Despite our efforts to protect our proprietary rights, unauthorized parties
may attempt to copy aspects of our products or to obtain and use information
that we regard as proprietary. Policing unauthorized use of our products is
difficult. While we cannot determine the extent to which piracy of our software
products occurs, we expect software piracy to be a persistent problem. In
addition, the laws of some foreign countries do not protect our proprietary
rights to as great an extent as do the laws of the United States, and many
foreign countries do not enforce these laws as diligently as U.S. government
agencies and private parties.

Some Provisions in the ISS Certificate of Incorporation and Bylaws Make a
Takeover of ISS Difficult

Our certificate of incorporation and bylaws contain provisions that could
have the effect of making it more difficult for a third party to acquire, or of
discouraging a third party from attempting to acquire, control of ISS. These
provisions:

- establish a classified board of directors;

- create preferred stock purchase rights that grant to holders of common
stock the right to purchase shares of Series A Junior Preferred Stock in
the event that a third party acquires 20% or more of the voting power of
our outstanding common stock;

- prohibit the right of our stockholders to act by written consent;

- limit calling special meetings of stockholders; and

- impose a requirement that holders of 66 2/3% of the outstanding shares of
common stock are required to amend the provisions relating to the
classification of our board of directors and action by written consent of
stockholders.

ITEM 7A. QUANTITATIVE AND QUALITATIVE DISCLOSURES ABOUT MARKET RISK

INTEREST RATE SENSITIVITY

The primary objective of our investment activities is to preserve principal
while at the same time maximizing the income we receive from our investments
without significantly increasing risk. Some of the securities in which we invest
may be subject to market risk. This means that a change in prevailing interest

32

rates may cause the principal amount of the investment to fluctuate. For
example, if we hold a security that was issued with a fixed interest rate at the
then-prevailing rate and the prevailing interest rate later rises, the market
value of our investment will probably decline. To minimize this risk, we
maintain our portfolio of cash equivalents and marketable securities in a
variety of high-quality relatively short-term investments, including commercial
paper and overnight repurchase agreements. As of December 31, 2002, $16.2
million of our securities mature in more than three months and $14.8 million of
our securities mature in more than six months, but in all cases less than one
year.

RISK ASSOCIATED WITH FOREIGN EXCHANGE RATES

ISS is subject to foreign exchange risk as a result of exposures to changes
in currency exchange rates. Our foreign operations are, for the most part,
naturally hedged against exchange rate fluctuations since both revenues and
expenses of each foreign affiliate are denominated in the same currency.
Therefore, we do not engage in formal hedging activities, but we do periodically
review the potential impact of this risk to ensure that the risk of significant
potential losses remains minimal. As a result, an unfavorable change in the
exchange rate for any particular foreign subsidiary would result in lower
revenues and expenses with regards to operating results, and lower assets and
liabilities with regards to the balance sheet.

The Company's operating results are affected by changes in exchange rates
between the U.S. Dollar and the Euro and the Japanese Yen. When the U.S. Dollar
strengthens against these foreign currencies, the value of our non-functional
currency revenues decreases. When the U.S. Dollar weakens, the value of our
functional currency revenues increases. Since much of our international
operating expenses are also incurred in local currencies, which is the foreign
subsidiaries functional currency, the impact of exchange rates on net income or
loss is relatively less than the impact on revenue. Although our operating and
pricing strategies take into account changes in exchange rates over time, our
results of operations may be affected significantly in the short term by
fluctuations in foreign currency exchange rates.

During 2002, the Company recorded a net foreign exchange loss of $82,000.
The nature and extent of the foreign currency risk faced by the Company depends
on many factors that cannot be accurately predicted. These factors include
significant changes in foreign currency market conditions, the Company's
inability to match foreign currency denominated revenues with costs denominated
in the same currency, and changes in the amount or mix of revenues denominated
in various foreign currencies. As a result of material unforeseen changes in
these factors, the Company's foreign currency risk could have a greater impact
on the Company's results of operations in the future.

ITEM 8. CONSOLIDATED FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA

See the index to Consolidated Financial Statements at Item 15.

ITEM 9. CHANGES IN AND DISAGREEMENTS WITH ACCOUNTANTS ON ACCOUNTING AND
FINANCIAL DISCLOSURE

None.

33

PART III

ITEM 10. DIRECTORS AND EXECUTIVE OFFICERS OF THE REGISTRANT

The information required by this Item is incorporated by reference to our
definitive Proxy Statement for the annual meeting of stockholders to be held on
May 28, 2003 (the "Proxy Statement") under the sections captioned "Proposal
1 -- Election of Directors," "Executive Compensation -- Directors and Executive
Officers" and "Compliance with Section 16(a) of the Securities Exchange Act of
1934."

ITEM 11. EXECUTIVE COMPENSATION

The information required by this Item is incorporated by reference to the
Proxy Statement under the section captioned "Executive Compensation."

ITEM 12. SECURITY OWNERSHIP OF CERTAIN BENEFICIAL OWNERS AND MANAGEMENT

The information required by this Item is incorporated by reference to the
Proxy Statement under the section captioned "Principal Stockholders."

EQUITY COMPENSATION PLANS

A summary of our stockholder approved and non-approved equity compensation
plans as of December 31, 2002 was as follows (in thousands, except exercise
price):

- ---------------

* Our Restated 1995 Stock Incentive Plan contains an "evergreen" provision
whereby the number of shares available for issuance increases automatically on
the first trading day of each calendar year by 4% of the shares of our common
stock outstanding on the last trading day of the immediately preceding
calendar year, subject to a maximum annual increase of 2,600,000 shares.

Our non-stockholder approved equity compensation plans include the
following:

- 1999 Employee Stock Purchase Plan

- Non-qualified stock options granted to non-employee directors

- Options assumed in connection with our acquisition of Netrex, Inc

- Options assumed in connection with our acquisition of Network ICE,
Corporation

- Options assumed in connection with our acquisition of vCIS, Inc.

The following is a description of the material features of each of these
plans:

1999 Employee Stock Purchase Plan

Effective July 1, 1999 ISS implemented an employee stock purchase plan for
all eligible employees. Under this plan, shares of ISS Common Stock may be
purchased at six-month intervals at 85% of the lower of the fair market value on
the first or last day of each six-month period. Employees may purchase shares
with aggregate fair value up to 10% of their gross compensation during a
six-month period.

34

A total of 400,000 shares of common stock are authorized and reserved for
issuance under the plan. The share reserve will increase on the first trading
day of each calendar year, beginning in 2000, by 50,000 shares. At December 31,
2002 240,000 shares of ISS Common Stock had been issued and 310,000 shares
remained available under the plan.

Non-qualified stock options granted to non-employee directors

On December 8, 1997 the Board of Directors granted to each of the four
non-employee directors a non-statutory option to purchase 40,000 shares of
Common Stock outside of the Restated 1995 Stock Incentive Plan, on the same
terms as if those options had been granted under the Restated 1995 Stock
Incentive Plan. ISS reserved 160,000 shares of Common Stock for issuance under
these options. As of December 31, 2002, 80,000 of these options remained
outstanding.

Options assumed in connection with our acquisition of Netrex, Inc.

In August 1999, as a result of our acquisition of Netrex, Inc. we assumed
all outstanding Netrex, Inc. stock options. As a result approximately 510,000
shares of ISS Common Stock were reserved for outstanding grants under the Netrex
Stock Plan. Each option is subject to the same terms and conditions of the
original grant and generally vest over four years and expire ten years from the
date of grant. No further options may be granted under the Netrex plan. As of
December 31, 2002, approximately 14,000 options were outstanding.

Options assumed in connection with our acquisition of Network ICE Corporation

In June 2001, as a result of our acquisition of Network ICE, we assumed all
outstanding Network ICE stock options. As a result approximately 289,000 shares
of ISS Common Stock were reserved for outstanding grants under the Network ICE
Stock Plan. Each option is otherwise subject to the same terms and conditions of
the original grant and generally vest over four years and expire ten years from
the date of grant. No further options may be granted under the Network ICE plan.
As of December 31, 2002, approximately 113,000 options were outstanding.

Options assumed in connection with our acquisition of vCIS, Inc.

In October 2002, as a result of our acquisition of vCIS, Inc. we assumed
all outstanding vCIS, Inc. stock options. As a result approximately 35,000
shares of ISS Common Stock were reserved for outstanding grants under the vCIS
Stock Plan. Each option is otherwise subject to the same terms and conditions of
the original grant and generally vest over four years and expire ten years from
the date of grant. No further options may be granted under the vCIS plan. As of
December 31, 2002, approximately 27,000 options were outstanding.

ITEM 13. CERTAIN RELATIONSHIPS AND RELATED TRANSACTIONS

The information required by this Item is incorporated by reference to the
Proxy Statement under the section captioned "Executive Compensation -- Certain
Transactions with Management."

ITEM 14. CONTROLS AND PROCEDURES

ISS' Chief Executive Officer and Chief Financial Officer have evaluated the
effectiveness of ISS' disclosure controls and procedures (as such term is
defined in Rules 13a-14(c) and 15d-14(c) under the Securities Exchange Act of
1934, as amended (the "Exchange Act)) as of a date within 90 days prior to the
filing date of this annual report (the "Evaluation Date"). Based on such
evaluation, such officers have concluded that, as of the Evaluation Date, ISS'
disclosure controls and procedures are effective in alerting them on a timely
basis to material information relating to ISS required to be included in ISS'
periodic filings under the Exchange Act.

Since the Evaluation Date, there have not been any significant changes in
ISS' internal controls or in other factors that could significantly affect such
controls.

35

PART IV

ITEM 15. EXHIBITS, FINANCIAL STATEMENT SCHEDULES AND REPORTS ON FORM 8-K

(a) The following documents are filed as part of this Form 10-K:

1. Consolidated Financial Statements. The following consolidated
financial statements of Internet Security Systems, Inc. are filed as part
of this Form 10-K on the pages indicated:

Schedules other than the one listed above are omitted as the required
information is inapplicable or the information is presented in the
consolidated financial statements or related notes.

3. Exhibits. The exhibits to this Annual Report on Form 10-K have
been included only with the copy of this Annual Report on Form 10-K filed
with the Securities and Exchange Commission. Copies of individual exhibits
will be furnished to stockholders upon written request to the Company and
payment of a reasonable fee.

- ---------------

* Identifies those filed with this Form 10-K.

(b) Reports on Form 8-K

ISS filed a report on Form 8-K on November 4, 2002, as amended on January
13, 2003, with respect to the acquisition of vCIS Inc.

37

REPORT OF INDEPENDENT AUDITORS

The Board of Directors and Stockholders
Internet Security Systems, Inc.

We have audited the accompanying consolidated balance sheets of Internet
Security Systems, Inc. as of December 31, 2001 and 2002, and the related
consolidated statements of operations, stockholders' equity, and cash flows for
each of the three years in the period ended December 31, 2002. Our audits also
included the financial statement schedule listed in the Index at Item 15(a).
These financial statements and schedule are the responsibility of the Company's
management. Our responsibility is to express an opinion on these financial
statements and schedule based on our audits.

We conducted our audits in accordance with auditing standards generally
accepted in the United States. Those standards require that we plan and perform
the audit to obtain reasonable assurance about whether the financial statements
are free of material misstatement. An audit includes examining, on a test basis,
evidence supporting the amounts and disclosures in the financial statements. An
audit also includes assessing the accounting principles used and significant
estimates made by management, as well as evaluating the overall financial
statement presentation. We believe that our audits provide a reasonable basis
for our opinion.

In our opinion, the financial statements referred to above present fairly,
in all material respects, the consolidated financial position of Internet
Security Systems, Inc. as of December 31, 2001 and 2002, and the consolidated
results of its operations and its cash flows for each of the three years in the
period ended December 31, 2002, in conformity with accounting principles
generally accepted in the United States. Also, in our opinion, the related
financial statement schedule, when considered in relation to the basic financial
statements taken as a whole, presents fairly in all material respects the
information set forth therein.

As discussed in Note 1 to the consolidated financial statements, in 2002
the Company ceased amortization of goodwill in accordance with Statement of
Financial Accounting Standards No. 142, Goodwill and Other Intangible Assets.

/s/ Ernst & Young LLP

Atlanta, Georgia
January 21, 2003

38

INTERNET SECURITY SYSTEMS, INC.

CONSOLIDATED BALANCE SHEETS

See accompanying notes.

39

INTERNET SECURITY SYSTEMS, INC.

CONSOLIDATED STATEMENTS OF OPERATIONS

See accompanying notes.

40

INTERNET SECURITY SYSTEMS, INC.

CONSOLIDATED STATEMENTS OF STOCKHOLDERS' EQUITY

See accompanying notes.

41

INTERNET SECURITY SYSTEMS, INC.

CONSOLIDATED STATEMENTS OF CASH FLOWS

42

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
DECEMBER 31, 2002

1. SIGNIFICANT ACCOUNTING POLICIES

DESCRIPTION OF BUSINESS

The business of Internet Security Systems, Inc. and its subsidiaries
("ISS") is focused on protecting networks, servers and desktops against an
ever-changing spectrum of threats, with a comprehensive line of products and
services designed specifically for the particular needs of enterprise, consumer
and service provider markets.

Internet Security Systems, Inc. was incorporated in the State of Delaware
on December 8, 1997 to be a holding company for Internet Security Systems, Inc.,
a Georgia company incorporated in 1994 to design, market, and sell computer
network security assessment software. ISS's shares are traded on the NASDAQ
National Market under the ticker symbol "ISSX". In addition, ISS has various
other subsidiaries in the Americas, Europe and the Asia/Pacific regions with
primary marketing and sales responsibilities for ISS's products and services in
their respective markets. ISS is organized as, and operates in, a single
business segment that provides products, technical support, managed security
services, professional security services and education services as components of
providing security management solutions. ISS is organized around geographic
areas: the Americas (United States, Canada, South America and Latin America),
EMEA (Europe, Middle East and Africa) and Asia/Pacific. These geographic areas
represent ISS' three reportable segments (see Note 11).

BASIS OF CONSOLIDATION

The consolidated financial statements include the accounts of Internet
Security Systems, Inc. and its majority-owned subsidiaries. All significant
intercompany and investment accounts and transactions have been eliminated in
consolidation.

FOREIGN CURRENCY TRANSLATIONS

The functional currency of ISS' foreign subsidiaries is the local currency.
Assets and liabilities denominated in foreign currencies are translated using
the exchange rate on the balance sheet dates. The translation adjustments
resulting from this process are shown separately as a component of stockholders'
equity. Revenues and expenses are translated using average exchange rates for
the period. Transaction gains and losses are included in results of operations.

USE OF ESTIMATES

The preparation of financial statements in conformity with accounting
principles generally accepted in the United States requires management to make
estimates and assumptions that affect the amounts reported in the financial
statements and accompanying notes. Actual results may differ from those
estimates, and such differences may be material to the consolidated financial
statements.

REVENUE RECOGNITION

Revenue is recognized under Statement of Position ("SOP") 97-2 as modified
by SOP 98-9, when the following criteria have been met:

- persuasive evidence of an arrangement exists;

- delivery has occurred or services have been rendered;

- price is fixed or determinable; and

- collection is probable.

43

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

ISS recognizes perpetual license revenue upon (1) delivery of software or,
if the customer has evaluation software, delivery of the software key and (2)
issuance of the related license, assuming that no significant vendor obligations
or customer acceptance rights exist. Where payment terms are extended over
periods greater than 12 months, revenue is recognized as such amounts become due
and payable. Product sales consist of (1) appliances sold in conjunction with
ISS licensed software and (2) software developed by third-party partners,
combined in some instances with associated hardware appliances and partner
maintenance services. These sales are recognized upon shipment to the customer
provided all other revenue recognition criteria are met.

License sales of enterprise products are generated both through a direct
sales force and through various partners, including system integrators,
value-added resellers and distributors. License revenue is recognized when the
end user sale has occurred, provided all other revenue recognition criteria are
met, which is identified through electronic delivery of a software key that is
necessary to operate the product. At the point of key delivery, the end-user has
no right of return.

License sales of consumer and small office products are made through a
distributor to retail establishments and are sold directly to customers via the
Internet. License revenue for sales made through resellers and distributors are
recognized only when the product is delivered to the end user provided all other
revenue recognition criteria are met.

Subscription revenues include maintenance, term licenses, and managed
service arrangements. Annual renewable maintenance is a separate component of
each perpetual license agreement for ISS products with revenue recognized
ratably over the maintenance term. Term licenses allow customers to use our
products and receive maintenance coverage for a specified period, generally 12
months. We recognize revenues from these term agreements ratably over the
subscription term. Security monitoring services of information assets and
systems are part of managed services and revenues are recognized as such
services are provided.

Professional services revenues include fee-based service engagements and
training. Service engagements, typically billed on a time-and-materials basis,
primarily focus on security assessments of customer networks and the development
of customers' security policies. We recognize such professional services
revenues as the related services are rendered.

Multiple element arrangements can include any combination of hardware,
software or services. When some elements are delivered prior to others in an
arrangement, revenue is deferred until the delivery of the last element unless
there is all of the following:

- vendor specific objective evidence (VSOE) of fair value of the
undelivered elements;

- the functionality of the delivered elements is not dependent on the
undelivered elements; and

- delivery of the delivered elements represents the culmination of the
earnings process.

COST OF REVENUES

Cost of revenues includes the cost of product licenses and sales and the
cost of subscriptions and professional services. Cost of product licenses and
sales are incurred upon recognition of the associated product revenues. Cost of
subscriptions and professional services includes the cost of the technical
support group that provides assistance to customers with maintenance agreements,
the operations center costs of providing managed services and the costs related
to the professional services and training staff.

44

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

CASH AND CASH EQUIVALENTS

Cash equivalents include all highly liquid investments with original
maturities of three months or less when purchased. Such amounts are stated at
cost, which approximates market value.

MARKETABLE SECURITIES

Marketable securities consist of debt instruments of U.S. government
agencies and corporate commercial paper. All such marketable securities have a
maturity of less than twelve months. These investments are classified as
available-for-sale and reported at fair market value. The amortized cost of
securities classified as available-for-sale is adjusted for amortization of
premiums and accretion of discounts to maturity. Such amortization is included
in interest income. Unrealized gains and losses on available-for-sale securities
were immaterial for 2001 and 2002. Realized gains and losses, and declines in
value judged to be other-than-temporary are included in net securities gains
(losses) and are included in results of operations. Interest on securities
classified as available-for-sale is included in interest income (see Note 3).

CONCENTRATIONS OF CREDIT RISK

Product revenues are concentrated in the software industry, which is highly
competitive and rapidly changing. Significant technological changes in the
industry or customer requirements, or the emergence of competitive products with
new technologies or capabilities could adversely affect operating results. In
addition, fluctuations of the U.S. dollar against foreign currencies or changes
in local regulatory or economic conditions could adversely affect operating
results.

Financial instruments that potentially subject ISS to significant
concentrations of credit risk consist principally of cash and cash equivalents,
marketable securities and accounts receivable. ISS maintains cash and cash
equivalents in short-term money market accounts with three financial
institutions and in short-term, investment grade commercial paper. Marketable
securities consist of United States government agency securities and investment
grade commercial paper. ISS's sales are global, primarily to companies located
in the Americas, Europe, and the Asia/Pacific regions. ISS performs periodic
credit evaluations of its customer's financial condition and does not require
collateral. Accounts receivable are due principally from large U.S. companies
under stated contract terms. ISS also has receivables from its European and
Asia/Pacific operations, which are principally from its partners in such
regions. This includes partners in the Northeast Asia markets, which includes
China, Japan and Korea, and current economic weakness and difficulties
associated with doing business in these markets exposes the Company to
associated credit risk. ISS provides for estimated credit losses as such losses
become probable. Such losses have been within management's expectations.

FAIR VALUE OF FINANCIAL INSTRUMENTS

The carrying amounts reported in the balance sheets for cash and cash
equivalents, marketable securities, accounts receivable and accounts payable
approximate their fair values.

PROPERTY AND EQUIPMENT

Property and equipment are stated at cost less accumulated depreciation.
Depreciation is computed using the straight-line method for financial reporting
purposes on the basis of the following estimated useful lives: three years for
computer equipment, five to seven years for office furniture and equipment and
over the term of the lease for leasehold improvements.

45

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

INVENTORY

Inventory consists of finished goods purchased for resale and is recorded
at the lower of cost or market. Cost is determined using the first-in, first-out
(FIFO) method.

GOODWILL AND INTANGIBLES

Goodwill represents the excess acquisition cost over the fair value of net
assets acquired. On January 1, 2002, ISS adopted SFAS No. 142, Goodwill and
Other Intangible Assets ("SFAS 142"). Under this statement, goodwill is no
longer amortized but is subject to annual impairment tests (or more frequent
tests if impairment indicators arise). The Company performed impairment tests of
goodwill as required, evaluating recoverability based on a combination of
forecasted discounted cash flows and stock market valuation. Goodwill was
determined not to be impaired in 2002 based on such tests. Prior to the adoption
of SFAS 142 the Company amortized the Network ICE goodwill over five years and
other goodwill over periods ranging from 2 to 10 years.

Goodwill and intangible assets are comprised of the following, as of the
dates indicated:

The Company amortizes intangible assets over their estimated useful lives
of eight years for core technology, five years for developed technology, three
to six years for work force and three years for customer relationships.
Amortization expense of intangible assets is as follows:

46

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

The estimated future amortization expense of intangible assets as of
December 31, 2002 is as follows:

The following table presents a reconciliation of previously reported net
income (loss) and net income (loss) per share to the amounts adjusted for the
exclusion of the amortization of goodwill:

RESEARCH AND DEVELOPMENT COSTS

Research and development costs are charged to expense as incurred. ISS has
not capitalized any such development costs under Statement of Financial
Accounting Standards ("SFAS") No. 86, Accounting for the Costs of Computer
Software to Be Sold, Leased, or Otherwise Marketed, because the costs incurred
between the attainment of technological feasibility for the related software
product through the date when the product is available for general release to
customers has been insignificant.

ADVERTISING COSTS

ISS incurred advertising costs of $2,175,000 in 2000, $2,636,000 in 2001
and $6,265,000 in 2002, which are expensed as incurred and are included in sales
and marketing expense in the statements of operations.

STOCK BASED COMPENSATION

SFAS 123, Accounting for Stock-Based Compensation ("SFAS 123"), establishes
accounting and reporting standards for stock-based employee compensation plans.
As permitted by SFAS 123, ISS continues to account for stock-based compensation
in accordance with APB Opinion No. 25, Accounting for Stock Issued to Employees,
and has elected the pro forma disclosure alternative of SFAS 123.

47

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

Although SFAS 123 allows the Company to continue to follow APB 25
guidelines, the following is pro forma net loss and pro forma net loss per share
as if the Company had adopted SFAS 123. The pro forma impact of applying SFAS
123 in fiscal 2002, 2001 and 2000 will not necessarily be representative of the
pro forma impact in future years. Pro forma information is as follows:

Inputs used for the fair value method for our employee stock options are as
follows:

The Black-Scholes option valuation model was developed for use in
estimating the fair value of traded options that have no vesting restrictions
and are fully transferable. In addition, option valuation models require the
input of highly subjective assumptions including the expected stock price
volatility. Because employee stock options have characteristics different from
those of traded options, and because the changes in the subjective input
assumptions can materially affect the fair value estimate, in management's
opinion, the existing models do not necessarily provide a reliable single
measure of the fair value of its employee stock options.

ACCOUNTING FOR ISSUANCES OF STOCK BY A SUBSIDIARY

When a subsidiary of the Company issues shares of its stock at an amount
different than the Company's carrying value for the subsidiary's stock, the
Company records the difference as a gain or loss in the consolidated statements
of operations, in accordance with SEC Staff Accounting Bulletin No. 51, if the
transaction meets the following conditions: (1) the sale of such shares is not a
part of a broader corporate reorganization contemplated or planned by the
Company; (2) the Company does not intend to spin-off the related subsidiary to
stockholders; (3) reacquisition of shares is not contemplated at the time of
issuance; and (4) the subsidiary is not a newly-formed, non-operating entity, a
research and development start-up or development stage entity, or an entity
whose ability to continue in existence is in question. The Company accounts for
sales that do not meet these criteria as capital transactions.

48

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

INCOME (LOSS) PER SHARE

Basic net income (loss) per share (see Note 10) was computed by dividing
net income (loss) by the weighted average number of shares outstanding of Common
Stock. Diluted net income per share was computed by dividing net income by the
weighted average shares outstanding, including common equivalents (when
dilutive).

RECENTLY ISSUED ACCOUNTING STANDARDS

In June 2002, the FASB issued Statement No. 146, Accounting for Costs
Associated with Exit or Disposal Activities. This Statement addresses financial
accounting and reporting for costs associated with exit or disposal activities
and nullifies Emerging Issues Task Force (EITF) Issue No. 94-3, Liability
Recognition for Certain Employee Termination Benefits and Other Costs to Exit an
Activity (including Certain Costs Incurred in a Restructuring). The provisions
of this Statement are effective for exit or disposal activities that are
initiated after December 31, 2002, with early application encouraged. The
Company does not expect the adoption to have a material impact on the Company's
financial position or results of operations.

In December 2002, the FASB issued Statement No. 148, Accounting for
Stock-Based Compensation-Transition and Disclosure ("SFAS 148"), which amends
SFAS 123, to provide alternative methods of transition for a voluntary change to
the fair value based method of accounting for stock-based employee compensation.
In addition, SFAS 148 amends the disclosure requirements of SFAS 123 to require
prominent disclosures in both annual and interim financial statements about the
method of accounting for stock-based employee compensation and the effect of the
method used on reported results. The transition guidance and annual disclosure
provisions of SFAS 148 are effective for fiscal years ending after December 15,
2002, with earlier application permitted in certain circumstances. The adoption
of this statement did not have a material impact on the Company's financial
position or results of operations as the Company has not elected to change to
the fair value based method of accounting for stock-based employee compensation.

2. BUSINESS COMBINATIONS AND ASSET ACQUISITIONS

On October 30, 2002, ISS acquired 100% of the outstanding stock of vCIS,
Inc., a privately held corporation based in Santa Clara, California. vCIS is a
development-stage company focused on the development of software designed to
enhance the security of a computing environment by detecting and defeating
malicious code, including viruses, worms and trojans, in real-time using
behavior analysis technology. ISS issued approximately 966,000 shares of ISS
Common Stock for all of the outstanding vCIS stock and assumed all of the
outstanding vCIS stock options resulting in approximately 35,000 additional ISS
shares being reserved for outstanding grants under the vCIS stock option plan.
In addition, ISS made a series of cash investments in vCIS prior to the date of
merger totaling $1,945,000. The investments were in the form of a convertible
line of credit note that allowed ISS to convert the balance due to equity in
vCIS at a rate consistent with the lowest price offered to other investors in
any new equity financing offered by vCIS. The combined fair value of common
stock issued, options assumed, cash investments and acquisition costs,
consisting of approximately $800,000 of legal and accounting fees, is
approximately $19.6 million. The fair value of common stock issued was
determined based on the average closing price of ISS stock on August 23, 2002
and the two trading days before and after this date.

49

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

2. BUSINESS COMBINATIONS AND ASSET ACQUISITIONS -- (CONTINUED)

The merger was accounted for as a purchase and, accordingly, the operating
results of vCIS are included in the consolidated financial statements of ISS
from the date of acquisition. The aggregate purchase price was allocated based
on a valuation of the vCIS assets, intangibles and in-process research and
development. vCIS does not meet the definition of a business under EITF 98-3,
Determining Whether a Nonmonetary Transaction Involves Receipt of Productive
Assets or of a Business. As required by paragraph 9 of SFAS 142, the excess
purchase price is allocated to the assets acquired in proportion to their
relative values. The final allocation is as follows:

Net liabilities of vCIS..................................... $ (100,000)
In-process research and development......................... 18,500,000
Assembled workforce......................................... 1,200,000
-----------
$19,600,000
===========

The tangible assets of vCIS acquired in the merger consist primarily of
cash and fixed assets. The liabilities of vCIS assumed in the merger consist
primarily of accounts payable and accrued expenses. In-process research and
development valued at approximately $18.5 million had not reached technological
feasibility based on identifiable risk factors, which indicated that even though
successful completion was expected, it was not assured as of the acquisition
date and was immediately charged to operations. Accordingly, under current
accounting standards, such amount was expensed.

On August 1, 2002 Internet Security Systems KK acquired privately held
TriSecurity Holdings Pte Ltd. ("TriSecurity"), a primary ISS KK distributor in
Singapore. In exchange for all of the outstanding shares of TriSecurity, ISS KK
issued approximately 1,000 shares of ISS KK stock and paid approximately $1.2
million of cash. Goodwill of approximately $4.0 million related to the purchase
was recorded. There is additional annual contingent consideration dependent on
the achievement of specified increasing levels of revenues and operating profits
through 2004. The total maximum additional consideration at December 31, 2002 is
490 shares of ISS KK stock, which had a fair value of approximately $806,000 at
December 31, 2002, and any shares issued will be recorded as additional purchase
price. The operating results of ISS include the operating results of TriSecurity
Holdings Pte Ltd. since the date of acquisition.

On June 5, 2001, ISS acquired 100% of the outstanding stock of Network ICE
Corporation, a privately held corporation based in San Mateo, California
("Network ICE"). Network ICE is a leading developer of desktop intrusion
protection technology and highly scalable security management systems. ISS
issued approximately 4,311,000 shares of ISS common stock for all of the
outstanding Network ICE common stock and assumed all of the outstanding Network
ICE stock options resulting in approximately 289,000 additional ISS shares being
reserved for outstanding grants under the Network ICE Stock Plan. The combined
fair value of common stock issued, options assumed and acquisition costs was
approximately $237.6 million based on the average closing price of our common
stock on the merger agreement date of April 30, 2001 and the two days before and
after April 30, 2001. Acquisition costs of approximately $8 million consist
primarily of financial advisory, legal and accounting fees. The Company adopted
a plan to restructure Network ICE whereby 46 Network ICE employees were
terminated over a six-month period following the acquisition. As such $1.8
million of severance costs were included in the acquisition costs for severance
related to these terminations. At December 31, 2001 all such terminations and
related severance payments had been completed.

50

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

2. BUSINESS COMBINATIONS AND ASSET ACQUISITIONS -- (CONTINUED)

The merger was accounted for as a purchase and, accordingly, the operating
results of Network ICE are included in the consolidated financial statements of
ISS from the date of acquisition. The adjusted aggregate purchase price was
allocated based on a valuation report of the Network ICE intangibles and
in-process research and development as follows:

Net tangible liabilities of Network ICE..................... $ (4,020,000)
In-process research and development......................... 2,910,000
Customer relationships...................................... 2,490,000
Technology.................................................. 17,030,000
Deferred income taxes....................................... (7,418,000)
Deferred compensation....................................... 6,231,000
Goodwill.................................................... 220,398,000
------------
$237,621,000
============

The tangible assets of Network ICE acquired in the merger consisted
primarily of cash, accounts receivable and fixed assets. The liabilities of
Network ICE assumed in the merger consisted primarily of accounts payable and
accrued expenses and deferred revenue.

In-process research and development of approximately $2.9 million had not
reached technological feasibility based on identifiable technological risk
factors, which indicated that even though successful completion was expected, it
was not assured as of the acquisition date and was immediately charged to
operations.

The following table summarizes unaudited pro forma results of operations as
if the acquisitions of vCIS and Network ICE were concluded as of the beginning
of the periods presented. The adjustments to the historical data reflect the
following (i) amortization of goodwill and intangibles, (ii) write off of
in-process research and development, and (iii) deferred stock compensation. This
pro forma information is not necessarily indicative of what combined operations
would have been if ISS had control of such combined businesses for the periods
presented.

In August 2000, ISS acquired privately held ISYI of Padova, Italy. ISYI is
a leader in advanced network security services in the Italian market place and
an early provider of remote security monitoring services. In exchange for all
the outstanding stock of ISYI, approximately 29,100 shares of ISS common stock
were issued in a transaction exempt from registration under the Securities Act
of 1933. The transaction was accounted for using the pooling-of-interests method
of accounting; however, this transaction was not material to ISS's consolidated
operations and financial position and, therefore, the operating results of ISS
have not been restated for this transaction. The operating results of ISS
include the results of operations of ISYI since the date of acquisition.

51

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

3. MARKETABLE SECURITIES

The following is a summary of available-for-sale marketable securities as
of December 31:

As of December 31, 2001 and 2002 the cost of marketable securities
approximated fair value. The contractual maturities of all of these investments
were less than one year as of December 31, 2002. Marketable securities of
$14,690,000 at December 31, 2002 and $12,500,000 at December 31, 2001 are
restricted as collateral for letters of credit issued in relation to operating
leases for facilities and classified as restricted marketable securities.

4. STOCK OPTION PLANS

ISS's Incentive Stock Plan (the "Plan") provides for the granting of
qualified or nonqualified options to purchase shares of ISS's Common Stock.
Under the Plan, at December 31, 2002 there are 14,454,122 shares reserved for
future issuance which increases automatically on the first trading day of each
year by an amount equal to 4% of the number of shares of Common Stock
outstanding on the last trading day of the preceding year. An additional 160,000
shares have been reserved for non-statutory options issued in 1997 to non-
employee directors.

In October 2002, as a result of the acquisition of vCIS, the Company
assumed all outstanding vCIS stock options. Each vCIS stock option assumed is
subject to the same terms and conditions as the original grant and generally
vest over three to four years and expires ten years from the date of grant. Each
option was adjusted at a ratio of 0.04770 shares of ISS common stock for each
one share of vCIS common stock. In June 2001, as a result of the acquisition of
Network ICE, the Company assumed all outstanding Network ICE stock options. Each
Network ICE stock option assumed is subject to the same terms and conditions as
the original grant and generally vests over four years and expires ten years
from the date of grant. Each option was adjusted at a ratio of 0.13529 shares of
ISS common stock for each one share of Network ICE common stock.

A summary of ISS's stock option activity is as follows:

All vCIS and Network ICE options assumed by ISS were included in the
purchase price based on their fair value. The intrinsic value of the unvested
options has been allocated to deferred compensation and is being

52

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

4. STOCK OPTION PLANS -- (CONTINUED)

amortized over the remaining vesting periods of the related options. The Company
recorded deferred compensation of approximately $6.2 million for the Network ICE
options in June 2001 and approximately $153,000 in October 2002 for the vCIS
options. Amortization of deferred compensation was $2.1 million in 2001 and $1.1
million in 2002.

The following table summarizes information about stock options outstanding
at December 31, 2002:

5. ADOPTION OF SHAREHOLDER RIGHTS PLAN

On July 11, 2002, the Board of Directors adopted a shareholder rights plan
and authorized and declared a dividend of one preferred share purchase right (a
"Right") for each outstanding share of Common Stock, par value $.001 per share,
of the Company. The dividend was paid on July 29, 2002 to the stockholders of
record on that date. Stock issued subsequent to July 29, 2002 will be issued
with an attached Right. Each Right will initially represent the right, under
certain circumstances, to purchase one one-thousandth of a share of Series A
Junior Participating Preferred Stock (the "Junior Preferred Stock") at a
purchase price of $80 per one one-thousandth of a share. If a person or group
acquires beneficial ownership of 20% or more of the then outstanding shares of
the Company's Common Stock (an "Acquiring Person"), the holder of a Right, upon
exercise of the Right, will thereafter have the right to receive, in lieu of
shares of Junior Preferred Stock, shares of the Company's Common Stock (or, in
certain circumstances, cash, property or other securities of the Company) having
a value equal to twice the purchase price of the Right.

The Rights expire on July 11, 2012. Generally, the Board of Directors may
redeem the Rights at a price of $.001 per Right (subject to adjustment) at any
time prior to the earlier of (i) the close of business on the tenth business day
following the date a person becomes an Acquiring Person or (ii) the expiration
date of the Rights. Prior to any person or group becoming an Acquiring Person,
the Company may amend the Rights Agreement at any time.

6. OTHER INCOME AND MINORITY INTEREST

Other income for 2002 includes a gain of $2.6 million related to the
issuance of subsidiary shares in connection with the acquisition of TriSecurity
Holdings Pte Ltd. The Company reported a gain on the difference between the fair
market value of the shares issued and the book value of those shares, in
accordance with Staff Accounting Bulletin No. 51 and company policy. A gain of
$1.9 million was recorded in 2002 on the sale by the Company's Asia/Pacific
subsidiary of an investment in an ISS distributor in Japan. The shares of the
publicly traded company were acquired when the distributor was privately held
and were subsequently sold on the open market.

53

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

6. OTHER INCOME AND MINORITY INTEREST -- (CONTINUED)

In September 2001 the Asia/Pacific subsidiary sold newly issued shares in
an initial public offering ("IPO") on the Japan over-the-counter market. These
newly issued shares represented approximately 10% of the previously outstanding
shares of our Asia/Pacific subsidiary. Other income in 2001 includes a gain on
the subsidiary IPO of $13.6 million from this initial public offering. Other
income also includes $1.6 million generated from the March 2001 sale of
approximately 2% of the outstanding shares of our Asia/Pacific subsidiary to
employees and key partners. These amounts represent the difference between
proceeds received and the underlying basis in the stock less the minority
interest in such gains, in accordance with Staff Accounting Bulletin No. 51.

Minority interest totaled $336,000 in 2001 and $187,000 in 2002. Minority
interest represents the portion of earnings that would be distributed to shares
not held by the Company if the Asia/Pacific subsidiary declared a dividend equal
to its earnings.

7. COMMITMENTS AND LITIGATION

ISS has non-cancelable operating leases for facilities that expire at
various dates through 2013. ISS has a lease for its corporate headquarters,
which it began to occupy in various stages beginning in November 2000 and will
continue through December 2003. The Company has shorter-term leases for office
space in other locations and various computer equipment.

Future minimum payments under non-cancelable operating leases with initial
terms of one year or more consisted of the following at December 31, 2002:

Rent expense was approximately $4,939,000, $6,806,000 and $12,008,000 for
the years ended December 31, 2000, 2001 and 2002, respectively.

Beginning on September 28, 2001, the Company and certain of its officers
and directors were named as defendants in several lawsuits alleging violations
of the federal securities laws, including Sections 10(b) and 20(a) of the
Securities Exchange Act of 1934, as amended, and Rule 10b-5 thereunder. Six such
actions were filed in the United States District Court for the Northern District
of Georgia. All six actions have been consolidated into a single case and the
court has appointed lead plaintiffs and lead plaintiff's counsel. The
consolidated complaint was filed October 9, 2002 and purports to be brought on
behalf of a class of investors who purchased the Company's stock during the
period from April 5, 2001 through August 14, 2001 (the "Class Period"). The
complaint generally alleges that the Company and the individual defendants
violated the anti-fraud provisions of the federal securities laws and caused the
Company's stock to trade at artificially high prices by making
misrepresentations relating to the Company's financial condition and prospects
during the Class Period. The complaint seeks damages in an unspecified amount.
On December 11, 2002, the Company and the individual defendants moved to dismiss
the consolidated amended complaint under the Private Securities Litigation
Reform Act of 1995. The Court has not yet ruled on that motion. The Company
believes that it has meritorious defenses and intends to defend the actions
vigorously.

54

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

8. INCOME TAXES

For financial reporting purposes, the provision for income taxes includes
the following components, all of which are current:

Pre-tax income (loss) attributable to foreign and domestic operations is
summarized below:

A reconciliation of the provision for income taxes to the statutory federal
income tax rate is as follows:

Deferred income taxes reflect the net income tax effects of temporary
differences between the carrying amounts of assets and liabilities for financial
reporting purposes and the amounts used for income tax

55

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

8. INCOME TAXES -- (CONTINUED)

purposes. The net income tax effect has been computed using a combined statutory
rate of 38% for federal and state taxes. Significant components of ISS's net
deferred income taxes are as follows:

For financial reporting purposes, a valuation allowance has been recognized
to reduce the net deferred income tax assets to zero. In 2002, the change in
valuation allowance is a result of changes in deferred income tax assets and
liabilities for which the related benefit or provision was charged to
stockholders' equity. Therefore, such change in the valuation allowance is not
included in the rate reconciliation above. ISS has not recognized any benefit
from the future use of the deferred income tax assets because management's
evaluation of all the available evidence in assessing the realizability of the
tax benefits of such loss carryforwards indicates that the underlying
assumptions of future profitable operations contain risks that do not provide
sufficient assurance to recognize such tax benefits currently.

The net deferred income tax assets include approximately $27,112,000 and
$18,681,000 at December 31, 2001 and 2002, respectively, of assets that were
created by or are subject to valuation allowance as a result of stock option
deductions. While income tax expense will be recorded on any future pre-tax
profits from United States operations, these deferred tax assets would reduce
the related income taxes payable. This reduction in income taxes payable in
future periods would be recorded as additional paid-in capital.

ISS has approximately $53,000,000 of net operating loss carryforwards for
federal income tax purposes that expire in varying amounts between 2011 and
2021. The net operating loss carryforwards may be subject to certain limitations
in the event of a change in ownership. ISS also has approximately $5,983,000 of
research and development tax credit carryforwards that expire between 2011 and
2022 and foreign tax credit carryforwards of $1,937,000 that expire between 2006
and 2007.

9. EMPLOYEE STOCK AND BENEFIT PLANS

ISS sponsors a 401(k) plan that covers substantially all employees over 18
years of age. Participating employees may contribute up to 15% of their pre-tax
salary, but not more than statutory limits. ISS matches 25% of participant
contributions up to 3% of their pre-tax salary. Matching contributions were
$196,000 in 2000, $290,000 in 2001 and $288,000 in 2002 and were charged to
expense.

56

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

9. EMPLOYEE STOCK AND BENEFIT PLANS -- (CONTINUED)

Effective July 1, 1999 ISS implemented an employee stock purchase plan (the
"Plan") for all eligible employees. Under the Plan, shares of ISS's Common Stock
may be purchased at six-month intervals at 85% of the lower of the fair market
value on the first or the last day of each six-month period. Employees may
purchase shares with aggregate fair value up to 10% of their gross compensation
during a six-month period. During 2001 employees purchased 75,000 shares at an
average price of $30.40 per share and during 2002 employees purchased 126,000
shares at an average price of $16.61 per share. At December 31, 2002, 310,000
shares of ISS Common Stock were reserved for future issuance.

10. INCOME (LOSS) PER SHARE

The following table sets forth the computation of basic and diluted net
income (loss) per share:

For the year ended December 31, 2001, 1,364,000 weighted average options
were not included in the above calculations as their effect on loss per share
was anti-dilutive.

11. SEGMENT AND GEOGRAPHIC INFORMATION

ISS conducts business in one operating segment; namely providing
information security management solutions. The Company does, however, prepare
information for internal use on a geographic basis. This information consists of
the operating results of each geographic segment. The segment operating costs
reported internally generally consist of direct sales expenses, an executive
team and infrastructure to support its employee and customer and partner base,
and supporting billing and financial systems. Unallocated corporate expenses
include research and development, general and administrative costs that support
the global organization, amortization of intangibles, stock based compensation
and goodwill and costs that are one-time in nature, such as acquired in-process
research and development, that are not charged directly to the other segments.

The accounting policies of the segments are the same as those described in
the summary of significant accounting policies. There are no intersegment sales.
Our chief executive officer and chief financial officer evaluate performance
based on operating profit or loss from operations, and trade accounts receivable
for each segment. Other than trade accounts receivable, assets and liabilities
are not discretely allocated or reviewed by segment. Goodwill is allocated to
the segments in accordance with the requirements of SFAS 142. We do not allocate
or review goodwill by segment for internal reporting purposes.

57

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

11. SEGMENT AND GEOGRAPHIC INFORMATION -- (CONTINUED)

In accordance with Statement of Financial Accounting Standards No. 131,
"Disclosures about Segments of an Enterprise and Related Information", the
Company has included a summary of the segment financial information reported
internally. The geographic segments are the Americas, Europe, Middle East and
Africa ("EMEA"), and the Asia/Pacific region.

58

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

12. QUARTERLY FINANCIAL RESULTS (UNAUDITED)

Summarized quarterly results for the two years ended December 31, 2001 and
2002 are as follows:

Because of the method used in calculating per share data, the quarterly per
share data will not necessarily total the per share data as computed for the
year.

59

SCHEDULE II

VALUATION AND QUALIFYING ACCOUNTS

60

SIGNATURES

Pursuant to the requirements of the Section 13 or 15(d) of the Securities
Exchange Act of 1934, the Registrant has duly caused this Report to be signed on
its behalf by the undersigned, thereunto duly authorized.

INTERNET SECURITY SYSTEMS, INC.

By: /s/ RICHARD MACCHIA
------------------------------------
Richard Macchia
Vice President and Chief Financial
Officer

By: /s/ MAUREEN RICHARDS
------------------------------------
Maureen Richards
Corporate Controller and Chief
Accounting Officer

Dated: March 28, 2003

POWER OF ATTORNEY

KNOW ALL PERSONS BY THESE PRESENTS, that each person whose signature
appears below hereby severally constitutes and appoints, Thomas E. Noonan,
Richard Macchia and Maureen Richards, and each or any of them, his true and
lawful attorney-in-fact and agent, each with the power of substitution and
resubstitution, for him in any and all capacities, to sign any and all
amendments to this Annual Report (Form 10-K) and to file the same, with exhibits
thereto and other documents in connection therewith, with the Securities and
Exchange Commission, hereby ratifying and confirming all that each said
attorney-in-fact and agent, or his substitute or substitutes, may lawfully do or
cause to be done by virtue hereof.

Pursuant to the requirements of the Securities Exchange Act of 1934, this
Report has been signed below by the following persons on behalf of the
Registrant and in the capacities and on the dates indicated.

62

CERTIFICATION OF CHIEF EXECUTIVE OFFICER

I, Thomas E. Noonan, Chief Executive Officer and President of Internet Security
Systems, Inc., certify that:

1. I have reviewed this annual report on Form 10-K of Internet Security
Systems, Inc. ("Registrant");

2. Based on my knowledge, this annual report does not contain any untrue
statement of a material fact or omit to state a material fact necessary to make
the statements made, in light of the circumstances under which such statements
were made, not misleading with respect to the period covered by this annual
report;

3. Based on my knowledge, the financial statements, and other financial
information included in this annual report, fairly present in all material
respects the financial condition, results of operations and cash flows of
Registrant as of, and for, the periods presented in this annual report;

4. Registrant's other certifying officers and I are responsible for
establishing and maintaining disclosure controls and procedures (as defined in
Exchange Act Rules 13a-14 and 15d-14) for Registrant and have:

a. designed such disclosure controls and procedures to ensure that
material information relating to Registrant, including its consolidated
subsidiaries, is made known to us by others within those entities,
particularly during the period in which this annual report is being
prepared;

b. evaluated the effectiveness of Registrant's disclosure controls and
procedures as of a date within 90 days prior to the filing date of this
annual report (the "Evaluation Date"); and

c. presented in this annual report our conclusions about the
effectiveness of the disclosure controls and procedures based on our
evaluation as of the Evaluation Date;

5. Registrant's other certifying officers and I have disclosed, based on
our most recent evaluation, to Registrant's auditors and the audit committee of
Registrant's board of directors (or persons performing the equivalent
functions):

a. all significant deficiencies in the design or operation of internal
controls which could adversely affect Registrant's ability to record,
process, summarize and report financial data and have identified for
Registrant's auditors any material weaknesses in internal controls; and

b. any fraud, whether or not material, that involves management or
other employees who have a significant role in Registrant's internal
controls; and

6. Registrant's other certifying officers and I have indicated in this
annual report whether there were significant changes in internal controls
or in other factors that could significantly affect internal controls
subsequent to the date of our most recent evaluation, including any
corrective actions with regard to significant deficiencies and material
weaknesses.

/s/ THOMAS E. NOONAN
--------------------------------------
Thomas E. Noonan
Chief Executive Officer and President

March 28, 2003

63

CERTIFICATION OF CHIEF FINANCIAL OFFICER

I, Richard Macchia, Vice President and Chief Financial Officer of Internet
Security Systems, Inc., certify that:

1. I have reviewed this annual report on Form 10-K of Internet Security
Systems, Inc. ("Registrant");

2. Based on my knowledge, this annual report does not contain any untrue
statement of a material fact or omit to state a material fact necessary to make
the statements made, in light of the circumstances under which such statements
were made, not misleading with respect to the period covered by this annual
report;

3. Based on my knowledge, the financial statements, and other financial
information included in this annual report, fairly present in all material
respects the financial condition, results of operations and cash flows of
Registrant as of, and for, the periods presented in this annual report;

4. Registrant's other certifying officers and I are responsible for
establishing and maintaining disclosure controls and procedures (as defined in
Exchange Act Rules 13a-14 and 15d-14) for Registrant and have:

a. designed such disclosure controls and procedures to ensure that
material information relating to Registrant, including its consolidated
subsidiaries, is made known to us by others within those entities,
particularly during the period in which this annual report is being
prepared;

b. evaluated the effectiveness of Registrant's disclosure controls and
procedures as of a date within 90 days prior to the filing date of this
annual report (the "Evaluation Date"); and

c. presented in this annual report our conclusions about the
effectiveness of the disclosure controls and procedures based on our
evaluation as of the Evaluation Date;

5. Registrant's other certifying officers and I have disclosed, based on
our most recent evaluation, to Registrant's auditors and the audit committee of
Registrant's board of directors (or persons performing the equivalent
functions):

a. all significant deficiencies in the design or operation of internal
controls which could adversely affect Registrant's ability to record,
process, summarize and report financial data and have identified for
Registrant's auditors any material weaknesses in internal controls; and

b. any fraud, whether or not material, that involves management or
other employees who have a significant role in Registrant's internal
controls; and

6. Registrant's other certifying officers and I have indicated in this
annual report whether there were significant changes in internal controls or in
other factors that could significantly affect internal controls subsequent to
the date of our most recent evaluation, including any corrective actions with
regard to significant deficiencies and material weaknesses.

/s/ RICHARD MACCHIA
--------------------------------------
Richard Macchia
Vice President and Chief Financial
Officer

March 28, 2003

64