INTERNET SECURITY SYSTEMS INC/GA - 10-K Annual Report

Back to GetFilings.com

- --------------------------------------------------------------------------------
- --------------------------------------------------------------------------------

UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549

---------------------

FORM 10-K

(MARK ONE)
[X] ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE
SECURITIES EXCHANGE ACT OF 1934
FOR THE FISCAL YEAR ENDED DECEMBER 31, 2003
OR
[ ] TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE
SECURITIES EXCHANGE ACT OF 1934
FOR THE TRANSITION PERIOD FROM ____________ TO ____________

Commission file number 0-23655

INTERNET SECURITY SYSTEMS, INC.
(Exact name of Registrant as Specified in Its Charter)

DELAWARE 58-2362189
(State or other jurisdiction of (I.R.S. Employer Identification No.)
incorporation or organization)

6303 BARFIELD ROAD 30328
ATLANTA, GEORGIA (Zip code)
(Address of principal executive offices)

Registrant's telephone number, including area code: (404) 236-2600

Securities registered pursuant to Section 12(b) of the Act: None

Securities registered pursuant to Section 12(g) of the Act:
COMMON STOCK, $0.001 PAR VALUE
PREFERRED STOCK PURCHASE RIGHTS
(Title of Class)

Indicate by check mark whether the Registrant (1) has filed all reports
required to be filed by Section 13 or 15(d) of the Securities Exchange Act of
1934 during the preceding 12 months (or for such shorter period that the
Registrant was required to file such reports), and (2) has been subject to such
filing requirements for the past 90 days.

Yes [X] No [ ]

Indicate by check mark if disclosure of delinquent filers pursuant to Item
405 of Regulation S-K is not contained herein, and will not be contained, to the
best of Registrant's knowledge, in definitive proxy or information statements
incorporated by reference in Part III of this Form 10-K or any amendment to this
Form 10-K. [X]

Indicate by check mark whether the registrant is an accelerated filer (as
defined in Exchange Act Rule 12b-2). Yes [X] No [ ]

The aggregate market value of the voting stock held by non-affiliates of the
Registrant, based upon the closing sale price of Common Stock on June 30, 2003
as reported on the Nasdaq National Market, was approximately $454 million
(affiliates being, for these purposes only, directors, executive officers and
holders of more than 5% of the Registrant's Common Stock).

As of February 27, 2004, the Registrant had 50,199,839 outstanding shares of
Common Stock.

DOCUMENTS INCORPORATED BY REFERENCE

Portions of the Proxy Statement for the Registrant's Annual Meeting of
Stockholders to be held on May 24, 2004 are incorporated by reference into Part
III of this Form 10-K.
- --------------------------------------------------------------------------------
- --------------------------------------------------------------------------------

In this Form 10-K, the words "Internet Security Systems," "ISS," "the
Company," "we," "our," "ours," and "us" refer to Internet Security Systems,
Inc., and its subsidiaries.

This Annual Report on Form 10-K contains forward-looking statements.
Forward-looking statements can be identified by the use of words such as "may,"
"will," "should," "could," "continue," "future," "potential," "believe,"
"project," "plan," "intend," "seek," "estimate," "predict", "expect",
"anticipate" and similar expressions, or the negative of such terms, or other
comparable terminology. Forward-looking statements also include the assumptions
underlying or relating to any of the foregoing statements. Our actual results
could differ materially from those anticipated in these forward-looking
statements as a result of various factors, including those set forth below under
the caption "Risk Factors" and those otherwise described from time to time in
our Securities and Exchange Commission reports filed after this Form 10-K. All
forward-looking statements included in this Form 10-K are based on information
available to ISS on the date hereof. We assume no obligation (except where
required by law) to update any forward-looking statements for any events or
circumstances occurring after the date of this Form 10-K.

Internet Security Systems, Network ICE, Proventia, System Scanner, Wireless
Scanner, SiteProtector, SecurePartner and X-Press Update are trademarks and
service marks, BlackICE is a licensed trademark and the Internet Security
Systems logo, X-Force, RealSecure, Internet Scanner, and Database Scanner are
registered trademarks and service marks, of Internet Security Systems, Inc. or
its wholly-owned subsidiaries. Each trademark, trade name or service mark of any
other company appearing herein belongs to its holder.

PART I

ITEM 1. BUSINESS

INTRODUCTION

OVERVIEW

Internet Security Systems, Inc. is an established world leader in network
and information security providing products and services that help to protect
businesses from network and system risks. We offer a proactive line of security
solutions that provide protection against a variety of ever-changing threats for
gateways, networks, servers and desktops, and includes security software and
appliances, managed security services, consulting and training services and
online security research, advisory and other knowledge services. This
comprehensive line of products and services are designed specifically for the
enterprise, service providers, risk management, small business and consumer
markets. Our threat protection solutions go beyond basic access control to
deliver multiple layers of defense that detect, prevent and respond to threats
before those threats cause damage to our customers' business operations.

Our products are designed to meet the need for comprehensive,
cost-effective detection, prevention and response arising from attacks, misuse
and security policy violations while promoting the confidentiality, privacy,
integrity and availability of proprietary information. Our family of products is
a critical element of an active Internet and networking security program within
today's world of global connectivity, enabling organizations to proactively
monitor, detect and respond to risks to enterprise information. Our managed
services offerings focus primarily on remote management of our best-of-breed
security technology including security assessment and intrusion protection
systems. We focus on serving as the trusted security provider to our customers
by maintaining within our products the latest counter-measures to security
risks, creating new innovative products, and providing professional and managed
services.

ISS was founded in 1994 and is headquartered in Atlanta, Georgia. The
mailing address for our headquarters is 6303 Barfield Road, Atlanta, Georgia,
30328, and our telephone number at that location is (404) 236-2600. Our website
can be found at www.iss.net. We make available free of charge through our
website our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, and
Current Reports on Form 8-K, and amendments to those reports, as soon as
reasonably practicable after we file them electronically with, or furnish them
to, the Securities and Exchange Commission. Our Corporate Governance Guidelines
and Code of Conduct are also available on our website and are available in print
to any stockholder

1

who mails a request to our headquarters, attention to the Corporate Secretary.
Our website also contains other corporate governance-related documents that may
be found of interest to stockholders. The information on our website is not
incorporated by reference in this Form 10-K.

INDUSTRY BACKGROUND

Online security is of growing importance to today's businesses, as
organizations of all sizes and markets become increasingly reliant on
Internet-based technology to conduct day-to-day operations. Businesses adopt
these Internet-based technologies to streamline operations and create new
business opportunities. To capitalize on the benefits of the Internet,
businesses must open their networks to business partners, customers and their
mobile workforce, significantly increasing the value and vulnerability of their
online assets.

The more that organizations and consumers depend on networks to conduct
business, the greater the risk of business interruption, negative publicity,
theft of proprietary or private information, liability for damages to others,
and other costly business losses. The gateways, networks, servers and desktops
that make online commerce work are inherently vulnerable to online threats. A
threat is any tool or technique that can be used to damage the data stored on a
network, server or desktop, or to compromise those resources for unauthorized
use. The tools used to attack online resources and the sophistication of these
threats continues to increase. At the same time, the technological
sophistication needed to launch an attack continues to decrease.

MARKETS

We provide products and services to a variety of customers. We view our
primary customer markets as enterprise, service provider and risk management
customers. We also have products for consumers and small offices. Our primary
markets are addressed through our direct sales efforts and through various
partners, including system integrators, value-added resellers and distributors.

ENTERPRISE

Enterprise market customers generally have annual revenues exceeding $100
million. Our enterprise software, appliances and services solutions provide
proactive protection against online business interruption and loss, all designed
to operate with minimal administration or interference with normal network
operations. These comprehensive protection offerings merge gateway, network,
server and desktop protection into an integrated threat management environment.
This combination of software, appliances and services enables centralized
management across multiple locations and network segments, including wireless
networks, branch offices and mobile workers. Most importantly, our proactive
approach keeps staff informed about newly discovered security issues, ensuring
that the protection solution can be updated to account for newly evolved
threats.

SERVICE PROVIDER

We provide best-of-breed technology and a proven track record in network
security management for service providers looking to establish online security
as part of a broad-based, Internet-oriented business solution. We partner with
service providers that want to resell managed security services and are seeking
a well-known, credible and stable partner in the security industry, an
established ability to bring partners to market, and a comprehensive services
portfolio.

Our advanced security management software solutions, extensive experience
protecting customer networks and industry leading ability to collect and analyze
threat trends from around the world in our Global Threat Operations Center
(GTOC) allow us to partner with organizations looking to bundle a security
management component within a broader set of business services.

2

PRODUCTS AND SERVICES

ENTERPRISE PROTECTION

Enterprise solutions include Proventia(TM) multi-function protection
products, RealSecure(R) software and Managed Services. Our products and services
protect the entire infrastructure, from the perimeter to the core. Our centrally
managed family of Proventia protection products ranges from detection up to
completely unified and proactive multi-function appliances, combining firewall,
intrusion prevention and anti-virus technologies. The Proventia multi-function
protection family streamlines and simplifies security by unifying security
technologies on a single engine. In 2003, we continued to market our REALSECURE
PROTECTION PLATFORM, a unique software offering that encompasses vulnerability
assessment and threat detection, prevention and response across networks,
servers and desktops, all coordinated through the SITEPROTECTOR(TM) centralized
management platform. In addition, our Managed Services extends this protection
strategy through managed security offerings and expert 24/7 monitoring, support
and response management for situations where additional flexibility and support
are required. Extensive professional services and emergency response services
provide an appropriate, effective security solution, regardless of business
environment.

Key components of our enterprise protection products include:

GATEWAY PROTECTION -- Unifies critical security technologies,
including firewall, virtual private network (VPN), anti-virus and intrusion
prevention, within a single appliance and management system to protect
against known and unknown threats, worms and viruses.

Proventia M Series Multi-Function Appliances -- Provide complete
protection at the gateway and network level in a single all-in-one
appliance without jeopardizing network bandwidth or availability.

NETWORK PROTECTION -- Utilizes industry-leading intrusion detection
and prevention technologies to protect corporate networks from attack and
misuse.

Proventia G Series Intrusion Prevention Appliances -- Proactively
block malicious attacks from entering the network, including denial of
service, backdoors and hybrid threats. Attacks are blocked in real-time,
minimizing the need for active administrator involvement in most
security events.

Proventia A Series Intrusion Detection Appliances -- Deliver our
market-leading RealSecure network intrusion detection, forensics, and
response technology in an easy-to-use, cost effective, rapidly deployed
appliance format.

RealSecure Network 10/100 Software -- Provides intelligent,
automated integration of threat assessment, intrusion detection, and
data analysis within a self-contained, centrally managed application.

RealSecure Network Gigabit Software -- Provides intelligent,
automated integration of threat assessment, intrusion detection, and
data analysis within a self-contained, centrally managed application for
line operations at gigabit speeds.

SERVER PROTECTION -- Defends servers and applications against
unauthorized access and a broad array of threats by combining intrusion
prevention with firewall capabilities.

RealSecure Server Software -- Provides automated, real-time
intrusion protection by analyzing events, host logs, and inbound and
outbound network activity on critical enterprise servers to block
malicious activity from damaging critical assets.

DESKTOP PROTECTION -- Protects fixed, remote and mobile desktops
against unauthorized access and a broad array of threats by combining
intrusion prevention, firewall capabilities, application protection and VPN
compatibility.

RealSecure Desktop Software -- Provides real-time protection
against malicious activity by analyzing application, network and VPN
behavior on desktops.

3

SITEPROTECTOR MANAGEMENT CONSOLE -- Scalable, centralized management
and reporting for enterprise deployments of Internet Security Systems'
protection products. Significantly reduces demand on staff and other
operational resources.

SITEPROTECTOR SECURITYFUSION(TM) MODULE -- Uses advanced data
correlation and analysis to rapidly and automatically derive the likelihood
of a successful attack from aggregated vulnerability assessment
information.

SITEPROTECTOR THIRD PARTY MODULE -- Interfaces with market-leading
firewalls such as CheckPoint and Cisco PIX to automate the collection of
audit and intrusion detection events into SiteProtector's central
management system for advanced analysis.

VULNERABILITY ASSESSMENT SOFTWARE

In addition to our gateway, network, server, and desktop protection
products, we also offer security assessment and policy compliance solutions for
proactive measurement of online risk. These offerings include:

INTERNET SCANNER(R) SOFTWARE -- Provides comprehensive network
vulnerability assessment for measuring online risk.

SYSTEM SCANNER(TM) SOFTWARE -- Ensures policy compliance and detects
vulnerabilities that leave servers open to compromise.

DATABASE SCANNER(R) SOFTWARE -- Assesses online business risks by
identifying security exposures in leading database applications.

WIRELESS SCANNER(TM) SOFTWARE -- Provides automated detection and
security analyses of mobile networks utilizing 802.11b WLAN (Wi-Fi) access
points and clients.

CONSUMER AND SMALL OFFICE SOFTWARE

We offer powerful, affordable firewall and intrusion detection protection
software solutions providing fast, accurate protection for the consumer and
small office product market. Our products include:

BLACKICE(TM) PC PROTECTION SOFTWARE -- Provides comprehensive personal
firewall and intrusion protection for individual PCs.

BLACKICE SERVER PROTECTION SOFTWARE -- Provides comprehensive firewall
and intrusion protection capabilities for individual servers.

X-FORCE(R) SERVICES

The X-Force organization, our industry leading group of security experts
dedicated to proactive counter intelligence and public education, delivers
timely, accurate information for anyone interested in protecting online assets
against attack or misuse. This proactive approach suffuses all our offerings,
from research and development to products and services, including publicly
available information and product support.

Our X-Force organization provides information on threats through three
complementary online publications:

- Security Advisories contain new vulnerability research developed by the
X-Force itself, as well as solutions to manage or resolve the threat.

- Security Alerts are timely compilations of threat information, both from
us and from other external resources.

- Security Alert Summaries are weekly publications containing short
descriptions of security issues identified and researched during the past
week. Each issue in the Alert Summary is linked to detailed information
in the online X-Force Database.

4

The X-Force organization begins this process through our Global Threat
Operations Center. This specialized threat intelligence facility collects
security trend information from five state-of-the-art Security Operations
Centers operating on three continents to analyze the nature and severity of any
threat in real-time. The X-Force then proactively helps deliver our solutions to
market via alerts, advisories, product updates, professional services, emergency
response services and 24/7 remotely managed security services. In addition, we
provide the fee-based X-Force Threat Analysis Service for customers needing
immediate, comprehensive notification of the breaking security events.

X-Force threat intelligence consists of global and local primary source
overviews of evolving threats. This information may be sorted by specific
geography, business sector, operating system or attack technique, allowing
anyone interested in information protection to evaluate global threat conditions
as part of their own security operations. All our service offerings use X-Force
threat intelligence as a differentiator, whether as part of a professional
services consulting engagement, managed security services, X-Force Education
Services or customer support. In addition, X-Force research and development
quickly and easily integrates into our software solutions via self-installing
X-Press Update(TM) product enhancements.

MANAGED SECURITY SERVICES

ISS Managed Security Services offer online protection for organizations
lacking the time, expertise or appropriate internal resources to secure critical
information resources. Our services include:

MONITORED AND MANAGED IDS SERVICE -- Unobtrusively monitors client
servers and network traffic for potential threats, and responds to attacks
or misuse that can damage online information resources.

MONITORED AND MANAGED FIREWALL SERVICE -- Flexible, remotely managed
firewall service that delivers cost-effective protection that reduces
customer staff requirements. Optional features include High Availability
capabilities, Monitored Firewall, Client VPN enablement and Site-to-Site
VPN.

VULNERABILITY MANAGEMENT SERVICE -- Provides real time vulnerability
information by examining servers, firewalls, switches and more. Provides
comprehensive on-demand security audits that identify, analyze and report
on network security vulnerabilities.

PROFESSIONAL SECURITY SERVICES

Our professional security services combine our advanced technology and
experienced security experts to help organizations plan and implement sound
security management solutions. Our standards-based methodology covers the
complete security management lifecycle, including assessment, design,
deployment, management and support, as described below.

ASSESSMENT

Penetration Test -- Network simulation attack in a controlled
environment, resulting in a clear snapshot of an organization's security
condition, specific exploitable vulnerabilities and risks as seen from a
designated remote Internet location.

Information Security Assessment -- Comprehensive evaluation of an
organization's information security policies, procedures, controls and
mechanisms, as well as its networks, servers, desktops and databases in
relation to the globally recognized ISO 17799 standard, which is a
comprehensive set of controls comprising best practices in information
security established by the International Standards Organization.

Security Certification -- Comprehensive and rigorous internal and
external evaluation of an organization's information security policies,
procedures, controls and mechanisms, as well as networks, servers, desktops
and databases, comparing current security standing to the globally
recognized ISO 17799 standards. This service includes a two-day
interactive, strategic project-planning workshop that results in an
actionable plan to achieve and maintain on-going security goals. We provide
our clients with a certification of best security practices upon
implementation of our recommendations.

5

ISO 17799 and Regulatory Compliance Gap Analysis -- Analysis and
documentation of tactical recommendations based upon the globally
recognized ISO 17799 standard and regulatory requirements.

Wireless Network Assessment -- Security assessment of wireless network
environments including both assessment and penetration testing.

Application Security Assessment -- Review and evaluation of
application security from the client and server perspectives.

DESIGN

Policy Development -- Rapid development of security policies that map
to an organization's business objectives, regulatory issues and industry
best practices.

Standards & Procedures Development -- Development of written
procedures to ensure the repeated correct installation and configuration of
operating systems, applications and databases which are essential in
reducing risks to the network environment and computing infrastructure.

Security Strategy Workshop -- Strategic planning engagement in which
we assist customers to develop a specific security strategy based upon best
practices, and the customer's specific requirements.

Implementation Planning -- Our security specialists work with client
staff to determine and plan the most effective and strategic locations in
which to install ISS solutions, how to best implement them with minimal
impact on current network operations, and how to plan for the ongoing
management and maintenance of the security solution.

Network Architecture Design -- Assists organizations in designing a
secure customized network architecture designed to meet organizational
goals now and in the future.

Vulnerability Remediation -- A prioritized roadmap that helps clients
understand the remediation efforts needed, timeframes and expertise
required to quickly remediate the most serious problems and put a long-term
security program into place.

Vertical & Regulatory Markets Strategy Design -- Provides an
organization with a thorough understanding of the impact of regulatory
issues on it and develops a plan to achieve regulatory compliance.

Security Awareness Program Development -- A short duration, high value
engagement that quickly increases employees' security consciousness and
helps other security initiatives move forward effectively.

DEPLOYMENT

Deployment Consulting -- Installation, configuration and tuning for
ISS's vulnerability assessment, intrusion detection and enterprise security
management solutions.

Migration -- Consulting, installation, configuration and tuning
services for migrating to new ISS vulnerability assessment, intrusion
detection and enterprise security management solutions.

MANAGEMENT

Emergency Response Services -- Our professional services staff
combines leading security research with real-world incident response
experience to help organizations prepare for, and respond immediately to,
information security breaches.

X-Force Threat Analysis Service -- Internet Security Systems' X-Force
Threat Analysis Service enables proactive security management through
comprehensive evaluation of global online threat conditions and detailed
analyses tailored for specific customer needs. The X-Force Threat Analysis
Service is a blend of threat information collected from our international
network of Security Operations Centers and trusted security intelligence
from the X-Force research and development organization. This constantly
monitors and advises regarding the nature and severity of external Internet
threats. Daily

6

summaries provide current and forecast assessments for active
vulnerabilities, viruses/worms and threats, including links to recommended
fixes and security advice.

SUPPORT

ISS Technical Support provides ongoing product support services under
license agreements. We believe that providing a high level of customer service
and technical support is necessary to achieve rapid product implementation,
which, in turn, is essential to customer satisfaction and continued license
sales and revenue growth. Accordingly, we are committed to recruiting and
maintaining a high-quality technical support team. A team of dedicated certified
engineers trained to answer questions on the usage of our products provides
telephone and email support worldwide, 24 hours a day, seven days a week
(including holidays), from our corporate office in Atlanta. Customers in Asia
can also contact ISS Technical Support in the Philippines or Tokyo during local
business hours. The ISS Technical Support Team located in Mountain View,
California provides email support to our consumer customer base. In the United
States and internationally, our resellers and distributors provide telephone
support to their customers with additional technical assistance from us. For our
managed services security solutions, customer support is available for several
offerings up to 24 hours a day, seven days a week. Technical support is offered
via phone, email or secure Web form and includes access to an online knowledge
base as well as direct contact with qualified support personnel.

X-FORCE EDUCATION SERVICES

Internet Security Systems' X-Force Education Services division provides
hands-on, real-world security management courses that empower the IT staff of
our clients to take control of their information security. Our courses are based
on ISS' best-of-breed security protection solutions, critical security topics
and real-world experience, preparing our customers for the security tasks that
they will face.

Our experienced instructors offer educational programs for security
professionals worldwide. By developing and maintaining internal staff knowledge,
organizations can maximize the return on their security investments. Classes are
delivered at our Atlanta corporate training center, regional offices around the
world, authorized training centers, and client sites.

GEOGRAPHIC SEGMENTS

We provide our network security management solutions in three geographic
areas: the Americas (United States, Canada, Latin America and South America),
EMEA (Europe, Middle East and Africa) and Asia/Pacific. These geographic areas
represent our three reportable segments. The accounting policies of the
reportable geographic segments are the same as described under the caption
"Critical Accounting Policies" in "Management's Discussion and Analysis of
Financial Condition and Results of Operations" and in our consolidated financial
statements, and are applied consistently across the segments. Revenues, as a
percentage of total revenues, for each segment are as follows:

PRODUCT DEVELOPMENT

We employ a three-pronged product development strategy to achieve our goal
of providing comprehensive security coverage for monitoring, detection and
response.

First, we provide regular security updates to our products that are based
on our X-Force vulnerability and threat database. These updates are usually
provided as part of separate maintenance agreements sold with the product
license.

7

Second, we continue to develop new best-of-breed security products to
protect gateways, networks, servers and desktops. Historically, existing
products are updated to add new features and improve functionality. These
enhancements are available to customers through our software maintenance
program.

Third, to complement our network, server and desktop products and provide
more comprehensive network security coverage, we continue to develop additional
enterprise-level security management features that are included in our
SiteProtector management console. SiteProtector is intended to help customers
protect their networks, servers and desktops by continuously measuring and
analyzing the status of their security- in real time and across the
enterprise-and is designed to operate with our network, server and desktop
products.

We develop our products to operate in heterogeneous computing environments.
Products are compatible with other vendors' products across a broad range of
platforms, including HP-UX, IBM AIX, Linux, Sun Solaris and Microsoft Windows.
Starting in the second quarter of 2003, we began to aggressively transition our
product development efforts from primarily software-based products towards
hardware-based products that deliver integrated network protection solutions on
ISS-branded Linux-based servers. These integrated appliances improve protection
and flexibility for customers, and reduce costs through simple procurement,
deployment and management. Our network products are also offered for specific
hardware vendor platforms, including appliances from Nokia, Crossbeam and ISS
branded appliances through various partners. We have incorporated a modular
design in our software products to permit plug-and-play capabilities, although
customers often use our professional services or our strategic partners to
install and configure products for use in larger or more complex network
systems.

Research and development expenses were $35.4 million, $35.3 million, and
$41.8 million in 2001, 2002 and 2003, respectively. All product development
activities are conducted at either our principal offices in Atlanta or at our
research and development facilities in Mountain View, California. Late in 2003,
we closed our research and development facilities in Reading, England and
Sydney, Australia, consolidating affected projects into our Atlanta operations.
As of December 31, 2003, 275 personnel were employed in product development
teams. Our personnel include members of the Computer Security Institute, Forum
for Incident Response and Security Technicians (FIRST), Georgia Tech Industrial
Partners Association, Georgia Tech Information Security Center and the
International Computer Security Association (ICSA), enabling us to actively
participate in the development of industry standards in the emerging market for
network and Internet security systems and products.

PRICING

We use a range of fee structures to license our products, depending on the
type of product and the intended use. We license our vulnerability assessment
products, Internet Scanner, System Scanner, Wireless Scanner and Database
Scanner based on the number of devices being assessed. The pricing provides low
entry points for departmental users without limiting our revenue potential from
customers with large networks. Pricing for our threat detection and response
products, including the RealSecure line of software agents, is based on the
number of copies deployed on the network. Thus, licensing fees for our products
are ultimately determined by the size of the customer's network, as size
dictates the number of devices to be assessed or the number of copies to be
deployed. Management software is sold on a capacity basis. The license fee for
the management software is determined by the size of the sensor/detector and
scanner purchase. This capacity-based pricing structure provides customers with
the ability to license as much management as they require.

In addition to license fees, customers purchase maintenance agreements in
conjunction with their initial purchase of a software license, with annual
maintenance fees typically equal to 20% of the product's license fee.
Maintenance agreements include annually renewable telephone support, product
updates, access to our X-Force Security Alerts and error corrections. Our
continuing research into new security risks and resulting product updates
provide significant ongoing value. We provide customers with a regular stream of
security updates, known as X-Press Updates, as part of this maintenance
agreement. X-Press Updates serve to keep our products up to date with the latest
vulnerabilities and threats that are present in Internet environments. As a
result, a substantial majority of our customers renew their maintenance
agreements. We have historically

8

sold fully paid perpetual licenses with a renewable annual maintenance agreement
and have licensed our products on a subscription basis, including maintenance,
for one or two year periods. We are currently evaluating other alternatives for
customers desiring longer-term arrangements or multi-year commitments. Customers
who use our products to provide information technology assessment services are
offered subscription license agreements, typically with a one-year term.

Our Proventia multi-function appliances offer more optional components for
the customer, all tightly integrated and managed from a single easy-to-use
web-based console application. After buying the appliance and maintenance, the
customer can choose optional content subscriptions for intrusion prevention and
anti-virus. Annual subscription prices vary by the number of users protected by
the appliances. The customer can also choose to purchase optional add-on
functionality such as the Virtual Private Networking module.

Fees for our Proventia product line are comprised of three components: 1) a
platform fee which includes the hardware and a license to the underlying
software; 2) software and hardware maintenance, which includes technical support
and repair; and, 3) content subscriptions which provide security updates. A
variety of appliance models are offered to fit different customer environments.

Monitoring fees for managed security services are determined by the
complexity of the monitoring arrangement and by the number of devices being
monitored. The pricing is scalable, allowing for customers to start with basic
security monitoring services and expand as the business grows. Contracts are for
a minimum one-year term and are typically billed monthly as services are
performed.

Our professional services fees are calculated either on a fixed-fee basis
or an hourly rate per consultant based on the scope of the engagement, market
sector and geographical territory. Educational services are calculated on a
per-class basis.

CUSTOMERS

As of December 31, 2003, we had more than 11,000 business customers and
maintained operations in 22 countries. No customer accounted for more than 10%
of our consolidated revenues in 2001, 2002 or 2003. Target customers include
both public and private sector organizations, as well as consumers, that use
Internet protocol enabled information systems. Business customers represent a
broad spectrum of organizations within diverse sectors, including financial
services, technology, telecommunications, and government and information
technology services.

SALES AND MARKETING

Sales Organization

Our sales organization is divided regionally among the Americas, EMEA and
the Asia/Pacific regions. In the Americas, we market our products through a
combination of our direct sales organization and through various partners,
including system integrators, value-added resellers and distributors. The direct
sales organization for the Americas consists of regionally based sales
representatives and sales engineers, and a telesales organization located in
Atlanta. We maintain a number of domestic sales offices in various cities
throughout the United States and in Canada, Mexico and Brazil. As of December
31, 2003, we employed approximately 177 people in the Americas sales
organization. The regionally based direct sales representatives focus on
opportunities with large organizations, and frequently these opportunities are
worked in concert with one or more partners. Included as part of the sales
organization is a channel management group that drives incremental revenue
through selected channel partners and acts as the liaison between the direct
sales representatives and the channel partners.

In the EMEA and Asia/Pacific regions, most of our sales occur through
authorized resellers. Internationally we have established regional sales offices
in several countries in Europe as well as in Egypt, Japan, Australia and
Singapore. Personnel in these offices are responsible for market development,
including managing our relationships with resellers, assisting them in winning
and supporting key customer accounts, acting as a liaison between the end user
and our marketing and product development organizations and providing consulting
and training services. As of December 31, 2003, approximately 324 employees were

9

located in our EMEA and Asia/Pacific regional offices. We expect to continue to
expand our field organization into additional countries in these regions.

SecurePartner(TM) Program Channel Sales

A key element of our marketing strategy is to establish our products,
services and information security methodologies as the leading approach for
information protection and security management for the enterprise, service
provider and risk management markets. We have implemented a multi-faceted
program to leverage the use of corporate, product and service brands to increase
acceptance of our offerings through relationships with various distribution and
reseller channel partners. We typically enter into written agreements with
resellers, distributors, managed service providers, internet service providers,
large global consulting firms and OEMs. These agreements generally do not
provide for firm dollar commitments from the parties, but are intended to
establish the basis upon which the parties will work together to achieve
mutually beneficial objectives.

Distributors

To accommodate the large number of smaller resellers, a two-tier
distribution model has been established to ensure appropriate access to ISS
products and support. We provide direct, focused support to these distributors,
who in turn, support an extensive community of smaller resellers and
consultancies as well as provide products to our resellers.

Resellers

We maintain the resources to train and support security consultants,
systems integrators and product and service resellers who match our offerings
with their own complementary products and services. By reselling our solutions,
our resellers provide additional value for specific market and industry
segments, while maintaining our ongoing commitment to quality products and
customer satisfaction. There are three different levels of reseller
opportunities:

- Premier Partners. Premier Partners are typically security consultants,
value-added resellers (VARs) and systems integrators with focused
security practices. Many Premier Partners are experienced in the sales
and implementation of leading protection, authentication and encryption
technologies. Premier Partners must achieve the highest level of resales
to attain and maintain Premier Partner status. These partners leverage
their expertise with our vulnerability assessment and enterprise
protection products. Premier Partners receive direct distribution of our
products, sales and technical training, access to market development
funds, monthly regular SecurePartner email newsletters, other
partner-only communications, access to the ISS Partner Resource Center
Web site and a listing on our Partner Web pages.

- Authorized Partners. Authorized Partners generally consist of
organizations that provide security focused consulting and/or integration
services. Authorized Partners are also required to maintain a specified
level of resale, although at a more modest level than Premier Partners.
Authorized Partners typically purchase ISS products and services though
our distributors but can take advantage of a select number of the
benefits that Premier Partners enjoy.

- Corporate Resellers. Although we have numerous reseller partners,
certain of these relationships generate unique and significant leverage
for us in targeted markets. Our corporate resellers provide broad
awareness of our brands through enhanced marketing activity, access to
large sales forces and access to larger, more strategic customer
opportunities.

Alliance Partners

We work closely with leading global organizations to expand the breadth and
depth of their offerings to include product and service solutions from ISS.
These partners include managed service providers, internet service providers
consulting organizations, and OEMs. Most of these providers integrate and manage
one or

10

more our products as part of a larger service offering, or resell our Managed
Security Services as an extension of its core offerings.

Original Equipment Manufacturers

Agreements with OEMs enable them to incorporate our products into their own
product offerings to enhance their security features and functionality. We
receive royalties or other consideration from OEM vendors and increased
acceptance of our products under these arrangements, which, in turn, are
intended to promote sales of our other products to the OEM's customers.

Marketing Programs

We conduct a number of marketing programs to support the sale and
distribution of our products and services. These programs are designed to inform
existing and potential end-user customers and resellers about the capabilities
and benefits of our products and services. Marketing activities include: Public
relations, industry analyst relations and education; publication of technical
and educational articles in both print and online media, through our white
papers, and through our own print and online newsletters and/or magazines;
direct mail and email; participation in industry tradeshows; product/technology
conferences, seminars, and web casts; competitive analysis; sales training;
advertising and development and distribution of marketing literature; and
maintenance of our Web site.

COMPETITION

The market for network security monitoring, detection, prevention and
response solutions is intensely competitive, and we expect competition to
increase in the future. We believe that the principal competitive factors
affecting the market for information security include security effectiveness,
manageability, technical features, performance, ease of use, price, scope of
product offerings, professional services capabilities, distribution
relationships and customer service and support. Although we believe that our
solutions generally compete favorably with respect to such factors, we cannot
guarantee that we will compete successfully against current or potential
competitors, especially those with significantly greater financial resources or
brand name recognition.

INTELLECTUAL PROPERTY

We rely primarily on copyright, trademark, patent and trade secret laws,
confidentiality procedures and contractual provisions to protect our
intellectual property and other proprietary rights. We have obtained one United
States patent, one Taiwanese patent and have a number of patent applications
pending in the United States and certain foreign jurisdictions. We believe that
the technological and creative skills of our personnel, new product
developments, frequent product enhancements, our name recognition, our
professional services capabilities and delivery of reliable product maintenance
are essential to establishing and maintaining a technology leadership position.
We cannot assure you that our competitors will not develop technologies that are
similar to ours. We generally license our software products to end users in
object code (machine-readable) format. Some of our customers have required us to
maintain a source-code escrow account with a third-party software escrow agent,
and a failure by us to perform our obligations under any of the related license
and maintenance agreements, or our insolvency, could result in the release of
our product source code to such customers. The standard form license agreement
for our software products allows the end user to use our products solely on the
end user's computer equipment for the end user's internal purposes, and the end
user is generally prohibited from sublicensing or transferring the products.

Despite our efforts to protect our intellectual property, unauthorized
parties may attempt to copy aspects of our products or to obtain and use
information that we regard as proprietary. Policing unauthorized use of our
products is difficult. While we cannot determine the extent to which piracy of
our software products occurs, we expect software piracy to be a persistent
problem. In addition, the laws of some foreign countries do not protect our
proprietary rights to as great an extent as do the laws of the United States and
many foreign countries do not enforce these laws as diligently as U.S.
government agencies and private parties. See "Management's Discussion and
Analysis of Financial Condition and Results of Operations -- Risk Factors."

11

EMPLOYEES

As of December 31, 2003, we had 1,148 employees, of whom 275 were engaged
in product research and development, 320 were engaged in sales and marketing,
266 were engaged in customer service and support, 98 were engaged in
professional services, and 189 were engaged in administrative functions. We
believe that we have good relations with our employees.

ITEM 2. PROPERTIES

We currently lease three buildings totaling approximately 302,000 square
feet in Atlanta, Georgia for our headquarters and research and development
facility. The lease on these three buildings expires in May 2013.

We lease additional office space in Chicago, Illinois; Mountain View,
California; Southfield, Michigan; New York, New York; Paramus, New Jersey and
Washington, D.C., as well as small executive suites in a number of United States
cities. In addition, we lease office space in Sao Paulo and Rio, Brazil;
Brussels, Belgium; London, England; Paris, France; Stuttgart, Germany;
Stockholm, Sweden; Milan, Rome and Padova, Italy; Madrid, Spain; Zurich,
Switzerland; Amsterdam, Netherlands; Warsaw, Poland; Cairo, Egypt; Manila,
Philippines; Seoul, Korea; Brisbane, Australia; Singapore; Osaka and Tokyo,
Japan.

We believe that our existing facilities are adequate for our current needs
and that additional space will be available as needed.

ITEM 3. LEGAL PROCEEDINGS

The Company and certain of its officers and directors were named as
defendants in a consolidated amended complaint that was filed in the United
States District Court for the Northern District of Georgia on October 9, 2002.
The lawsuit purports to be brought on behalf of a class of investors who
purchased the Company's stock during the period from April 5, 2001 through
August 14, 2001 (the "Class Period"). The lawsuit alleges violations of the
federal securities laws, including Sections 10(b) and 20(a) of the Securities
Exchange Act of 1934, as amended, and Rule 10b-5 thereunder. The complaint
generally alleges that the Company and the individual defendants violated the
anti-fraud provisions of the federal securities laws and caused the Company's
stock to trade at artificially high prices by making misrepresentations relating
to the Company's financial condition and prospects during the Class Period. The
complaint seeks damages in an unspecified amount. On September 3, 2003, the
court dismissed the consolidated amended complaint. The plaintiffs have moved
the court to reconsider its dismissal order and to grant them leave to amend
their complaint. The Company and the individual defendants have opposed those
motions. The court has not yet ruled. The Company believes that the court's
order dismissing the action was appropriate and further that the Company has
meritorious defenses and intends to continue defending the action vigorously.

ITEM 4. SUBMISSION OF MATTERS TO A VOTE OF SECURITY HOLDERS

No matter was submitted to a vote of our stockholders during the fourth
quarter of 2003.

12

PART II

ITEM 5. MARKET FOR REGISTRANT'S COMMON EQUITY AND RELATED STOCKHOLDER MATTERS

Our Common Stock is quoted on the NASDAQ National Market under the symbol
"ISSX". The following table lists the high and low per share sales prices for
the Common Stock as reported by the NASDAQ National Market for the periods
indicated:

As of February 27, 2004, there were 50,199,839 shares of our Common Stock
outstanding held by 255 stockholders of record.

We have never declared nor paid cash dividends on our capital stock. We
intend to retain any earnings for use in our business and do not anticipate
paying any cash dividends in the foreseeable future. Our Board of Directors will
determine future dividends, if any.

On October 29, 2003, ISS announced a voluntary option exchange program
intended to reduce the number of outstanding options. Stock options with
exercise prices exceeding $30 per share were eligible. Our directors and five
most senior executive officers, including the chief executive officer, are not
eligible to participate in the program. Approximately 783,000 of the 1,343,000
eligible option shares with exercise prices between $30 and $83 per share have
elected to participate in the program. New options will be issued at the rate of
2.5 old option shares for each new option share. The exercise price per share
for new options will be priced at the Nasdaq National Market closing price six
months and a day after the cancellation of old options, which is currently
expected to be May 27, 2004. This transaction is exempt from registration under
Section 3(a)(9) of the Securities Act of 1933.

13

ITEM 6. SELECTED CONSOLIDATED FINANCIAL DATA

The financial data set forth below for each of the three years in the
period ended December 31, 2003 and as of December 31, 2003 and 2002 has been
derived from the audited consolidated financial statements appearing elsewhere
in this Annual Report on Form 10-K. The financial data for the years ended
December 31, 1999 and 2000 and as of December 31, 1999, 2000 and 2001 has been
derived from audited financial statements not included herein. This data should
be read in conjunction with the consolidated financial statements and notes
thereto, and with Item 7, "Management's Discussion and Analysis of Financial
Condition and Results of Operations".

14

ITEM 7. MANAGEMENT'S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS
OF OPERATIONS

The following Management's Discussion and Analysis of Financial Condition
and Results of Operations should be read in conjunction with the Consolidated
Financial Statements and related Notes thereto included elsewhere in this Form
10-K. Except for the historical financial information, many of the matters
discussed in this Item 7 may be considered "forward-looking" statements. Such
forward-looking statements are not guarantees of future performance and involve
a number of risks and uncertainties. Many of the risks and uncertainties are
described below under the caption "Risk Factors".

OVERVIEW

We are focused on protecting gateways, networks, servers and desktops
against an ever-changing spectrum of threats, with a comprehensive line of
products and services designed specifically for the enterprise, service
provider, risk management, small business and consumer markets. These threat
protection solutions go beyond basic access control to deliver multiple layers
of defense that detect, prevent and respond to threats prior to those threats
causing damage to our customers' business operations.

Our family of products is a critical element of an active Internet and
networking security program within today's world of global connectivity,
enabling organizations to proactively monitor, detect and respond to risks to
enterprise information. Prior to 2003, our products were exclusively software,
providing intrusion detection and vulnerability assessment solutions. In 2003,
we began to sell a new line of products called Proventia, which includes an
appliance pre-loaded and configured with our network-based software solutions
for intrusion detection and in-line intrusion prevention. Initial customer
response has been positive, with this line representing 45% of product and
license sale revenues for the fourth quarter of 2003. We believe this new
product line is critical to growing our product sales and the ongoing
subscription revenues associated with such sales.

In the fourth quarter of 2003, our product offering expanded to further
include a multi-function Proventia appliance that includes, in addition to
intrusion protection, firewall, virtual private network, and anti-virus
protection. We expect the addition of content filtering and anti-spam to this
product line in the first half of 2004. We believe this expanded product
offering significantly increases our market opportunity as well as our risk from
broader competition. While there were some sales of this product in 2003, our
expectations for future revenue growth are dependent on successfully penetrating
both our existing intrusion protection market and new network security markets
with this multi-function appliance.

Our managed services offerings currently provide remote management of our
best-of-breed security technology, focusing on security assessment and intrusion
detection systems, and include firewalls, VPNs, anti-virus and URL filtering
software. We focus on serving as the trusted security provider to our customers
by maintaining within our existing products the latest counter-measures to
security risks, creating new innovative products based on our customers' needs
and providing professional and managed services. In an effort to create
differentiation, we emphasize the management of our own products, which has
allowed us to announce a new offering in early 2004 called managed protection
services. We expect this new service to provide guaranteed protection to
customers who meet the requirements of the program. The program provides for a
fixed cash payment if the protection system is compromised by an exploit for
which protection is guaranteed.

Many factors will affect our future financial performance, especially our
ability to differentiate our offerings from competitors that include much larger
companies with greater marketing capabilities, financial resources and brand
recognition. In order to continue to create such differentiation, we expect to
continue to expand our domestic and international sales and marketing
operations, seek acquisition candidates and alliances with partners whose
products, technologies or services capabilities are complementary to our
solutions; and improve our internal operating and financial infrastructure in
support of our strategic goals and objectives. At the same time, we expect to
adjust our organization size in light of changing economic conditions and
maintain emphasis on controlling discretionary spending and capital
expenditures. While we believe in the long-term success of our business
solutions, our prospects must be considered in light of the

15

recent experience, risks and difficulties that are frequently encountered by
companies serving rapidly evolving markets. See "Risk Factors".

CRITICAL ACCOUNTING POLICIES

The consolidated financial statements were prepared in conformity with
accounting principles generally accepted in the United States. As such,
management is required to make certain estimates, judgments and assumptions it
believes are reasonable based upon the information available. These estimates
and assumptions affect the reported amounts of assets and liabilities at the
date of the financial statements and the reported amounts of revenues and
expenses during the periods presented. The significant accounting policies which
management believes are the most critical to aid in fully understanding and
evaluating our reported financial results include the following:

Revenue recognition

We recognize software license revenue under Statement of Position ("SOP")
97-2, Software Revenue Recognition, as modified by SOP 98-9, Software Revenue
Recognition with Respect to Certain Transactions, when the following criteria
have been met:

- persuasive evidence of an arrangement exists;

- delivery has occurred or services have been rendered;

- price is fixed or determinable; and

- collection is probable.

Product licenses and sales include revenue from sales of perpetual software
licenses and products. We recognize perpetual software license revenues upon (1)
delivery of software or, if the customer has evaluation software, delivery of
the software key and (2) issuance of the related license, assuming that no
significant vendor obligations or customer acceptance rights exist. Where
payment terms are extended over periods greater than 12 months, revenue is
recognized as such amounts become due and payable. Product sales consist
primarily of appliances sold in conjunction with ISS licensed software. These
sales are recognized upon shipment to the customer provided all other revenue
recognition criteria are met.

Sales of enterprise products are generated both through direct sales to
end-users as well as through various partners, including system integrators,
value-added resellers and distributors. License revenue is recognized when the
sale has occurred for an identified end user through electronic delivery of a
software key that is necessary to operate the product, provided all other
revenue recognition criteria are met. At the point of delivery, the end-user has
no right of return.

Subscription revenues include product support and content updates, term
licenses, and managed service arrangements. Renewable product support and
content updates are separate components of software licenses and appliances
sold. Term licenses allow customers to use our products and receive product
support coverage and content updates for a specified period, generally 12
months. We generally invoice for product support, content updates and term
licenses at the beginning of the term and recognize revenue ratably over the
subscription term. Security monitoring and management services for information
assets and systems are part of managed services and associated revenues are
recognized and billed as such services are provided.

Historically, our appliance and software sales have been accounted for
primarily as revenue at the time of sale, with product support and content
updates generally representing between 20% and 30% of the license or product
amount. With the introduction of the multi-function appliance, we expect to
significantly alter this ratio, as the majority of the initial price paid by the
customer will be for content provided for a specified term. This will result in
the subscription component being recorded initially in deferred revenues and
recognized over the term as subscription revenue.

Professional services revenues include fee-based service engagements and
training. Service engagements are typically billed on either a fixed fee or
time-and-materials basis and focus primarily on security

16

assessments of customer networks and the development of customers' security
policies. These offerings are intended to support our goal of providing products
and managed services. We prefer to have our partners provide these services
where practical. We recognize such professional services revenues as the related
services are rendered.

Multiple element arrangements can include any combination of our products
or services listed above. When some elements are delivered prior to others in an
arrangement, all revenue is deferred until the delivery of the last element
unless all of the following exist:

- vendor specific objective evidence (VSOE) of fair value of the
undelivered elements;

- the functionality of the delivered elements is not dependent on the
undelivered elements; and

- delivery of the delivered elements represents the culmination of the
earnings process.

When these criteria have been met, we allocate revenue to the delivered
software product using the residual method. Under the residual method, we
allocate discounts inherent in the arrangement entirely to the product that is
initially delivered and recognize the other elements as they are delivered based
on the vendor specific objective evidence, which is typically determined by the
company selling those elements separately.

Our historical rate of product returns by customers of our software
products is negligible. We do not have sufficient experience with our
newly-introduced Proventia appliance products to make a meaningful estimate of
product return rates for these products. We offer evaluation software available
via download from our website and evaluation units for appliance-based products
that allow potential customers to see the functionality of the products on their
own networks. We did not have any transactions in 2001, 2002 or 2003 involving
reciprocal arrangements where goods or services were purchased from an
organization at the same time that we licensed software or provided services to
that organization.

Allowance for doubtful accounts

Our sales are global, with customers located in the United States, Europe,
Latin America and Asia/Pacific regions. We perform periodic credit evaluations
of our customer's financial condition and do not require collateral. We provide
for estimated credit losses as such losses become probable. We evaluate specific
accounts when we become aware of a situation where a customer may not be able to
meet its financial obligations due to deterioration of its liquidity or
financial viability, credit ratings or bankruptcy. The allowance for doubtful
accounts is established based on the best facts available to us and is
reevaluated and adjusted as additional information is received. At December 31,
2003, the allowance for doubtful accounts totaled $2.8 million, or 4.0% of the
$69.4 million of total trade receivables. This 4.0% allowance percentage of
receivables reflects our practice to leave accounts on our general ledger and
provide reserves pending final resolution of collectibility rather than
write-off such accounts.

Our bad debt expense for the year ended December 31, 2003 amounted to $1.1
million. This was a decrease from $1.6 million in 2001 and $2.1 million in 2002.
The economic conditions in the Asia/Pacific region, especially in Korea and
China, increased our bad debt expense in 2002 by $1.0 million based on an
internal evaluation of the outstanding receivables in this region. During 2002,
we also decreased the provision by $400,000 for allowances specifically
established in prior years for two customers that were successfully collected in
2002. The lower provision for 2003 is directly attributable to the absence of
any significant new identified exposures. We continued to monitor the Asia
situation identified in 2002. In January 2004, a new distributor for China
assumed the rights and the obligations of the distribution agreement for ISS
products from the old distributor. In connection with this agreement, we
modified the new distributor's obligations, which resulted in an additional
$200,000 of bad debt expense recorded in the fourth quarter of 2003 and the
write-off of $1.1 million against the allowance account. We have a firm
repayment schedule with the new distributor, a public company with a liquid
balance sheet, and expect that the outstanding balance of $2.4 million at
January 31, 2004 is collectible.

While actual credit losses have historically been within management's
expectations and the provisions established, we cannot guarantee that we will
continue to experience the same credit loss rates we have in the

17

past. If the financial condition of our customers were to deteriorate, resulting
in an impairment of their ability to make payments, additional allowances may be
required.

Impairment of goodwill and Other Acquisition-related Intangibles

We review goodwill for impairment on an annual basis or on an interim basis
whenever events or changes in circumstances indicate that the carrying amount of
an asset may not be recoverable. All other long-lived and intangible assets are
reviewed for impairment whenever events or circumstances indicate that the
carrying amount of an asset may not be recoverable. Such impairment loss would
be measured as the difference between the carrying amount of the asset and its
fair value based on the present value of estimated future cash flows.
Significant judgment is required in the forecasting of future operating results,
which are used in the preparation of projected cash flows. Due to uncertain
market conditions and potential changes in our strategy and products, it is
possible that forecasts used to support our intangible assets may change in the
future which could result in significant non-cash charges that would adversely
affect our results of operations.

We currently have goodwill and other acquisition related intangibles of
approximately $211 million, with $195 million of goodwill related to our June
2001 acquisition of Network ICE. The determination of whether or not goodwill is
impaired involves significant judgments based upon short and long-term
projections of future performance. We have concluded that this amount is
realizable based on forecasted discounted cash flows through 2007 and on our
stock market valuation. Neither method indicated that our goodwill had been
impaired and, as a result, we did not record any impairment losses related to
goodwill during the year ended December 31, 2003. Other intangibles of
approximately $10 million are principally software form the Network ICE
acquisition that is a primary component in most of our current product
offerings.

ACQUISITIONS

We believe that our total solutions approach will positively impact all of
our revenue categories. This includes our products and managed services
offerings, as well as product support, professional services and training. While
we expect the expansion of these product and service offerings to originate
primarily from internal development, our strategy includes acquiring products,
technologies and service capabilities that fit within our strategy and could
potentially accelerate the timing of the commercial introduction of such
products and technologies.

In January 2004, we acquired Cobion, AG ("Cobion"), a privately held
company based in Kassel, Germany. Cobion provides content filtering and
anti-spam technology that protects individuals and enterprises against unwanted
Web content, spam, misuse of information and lost productivity. The purchase
price was approximately $33 million in cash plus the direct costs of
acquisition. We intend to continue to sell the Cobion product on a stand-alone
basis as well as include the technology in our multi-function Proventia
appliance in 2004.

In October 2002, we completed the acquisition of privately held vCIS, Inc.
("vCIS") of Santa Clara, California, a developer of patent-pending,
next-generation, pre-emptive behavioral inspection technology. The technology
prevents malicious code from executing and causing damage before it has an
opportunity to interact with the enterprise network. The aggregate purchase
price was $19.6 million and was primarily allocated to in-process research and
development. In-process research and development had not yet reached
technological feasibility and was required to be expensed at the time of
acquisition under generally accepted accounting principles ("GAAP"). As a
result, we incurred an expense of $18.5 million in the fourth quarter of 2002.
Of the remaining purchase price, $1.2 million was allocated to the assembled
workforce, which is being amortized over three years, $200,000 was allocated to
net tangible assets, principally fixed assets, and $300,000 of liabilities were
assumed. In the fourth quarter of 2003 we committed to a plan to close the
research and development facility in Sydney, Australia, transferred knowledge of
the product to our Atlanta-based personnel, and wrote off the remaining
approximately $700,000 of the intangible asset related to the vCIS workforce.

In August 2002, Internet Security Systems KK ("ISS KK"), our Asia-Pacific
subsidiary, acquired a distributor in Singapore, TriSecurity Holdings Pte Ltd.
("TriSecurity"). TriSecurity was the sole distributor

18

for ISS KK in Southeast Asia, including India, and its business was almost
exclusively focused on ISS solutions. This acquisition provides our Asia-Pacific
subsidiary direct support capabilities for their customers in Southeast Asia and
allows ISS KK to expand its capabilities in this growing market. The
consideration consisted of 1,000 shares of ISS KK stock and approximately $1.2
million of cash. Goodwill of approximately $4.0 million related to the purchase
was recorded. During the first quarter of 2003, ISS KK amended the agreement and
agreed to make payment of 245 shares of ISS KK in each of the first quarters of
2004 and 2005, relating to annual contingent consideration payments defined in
the 2002 purchase agreement. The additional consideration of $626,000, based on
current fair market value of the shares, was recorded as additional goodwill and
additional paid-in-capital at such time. When such shares are actually issued, a
gain or loss will be recognized to the extent of any difference between the
$626,000 fair value of the shares to be issued and the book value of those
shares.

In June 2001, we acquired Network ICE Corporation ("Network ICE"), a
privately-held corporation based in San Mateo, California. Network ICE was a
leading developer of desktop intrusion protection technology and highly scalable
security management systems. The merger was accounted for as a purchase and,
accordingly, the operating results of Network ICE are included in the
consolidated financial statements of ISS from the date of acquisition.
Substantially all of the aggregate purchase price of $237.6 million was
allocated to goodwill, with the remainder allocated to identified intangibles,
including in-process research and development, developed technology, customer
relationships, and to deferred compensation related to stock options assumed.

RESULTS OF OPERATIONS

The following table sets forth our consolidated historical operating
information, as a percentage of total revenues, for the periods indicated:

19

REVENUES

Product licenses and sales

Product licenses and sales, including perpetual licenses and sales of
partner software and hardware appliances, reflect a decreasing trend for the
last three years. They also continue to be a decreasing source of revenue
generation at 55% of total revenues in 2001, 50% in 2002 and 44% in 2003 as
subscription revenues grew significantly. We believe that the general economic
slowdown in information technology spending contributed to the decrease in
product licenses and sales as well as the cost and complexity of deploying and
managing software based solutions for networks.

In the second quarter of 2003, we began to ship our first Proventia network
protection appliance (the Proventia A Series Appliance) which provides intrusion
detection capabilities to customers. The Proventia family of appliances
collectively provides unified, multi-function protection capabilities designed
to identify and prevent many forms of attack with minimal user intervention.
They are designed to operate in demanding network environments while being easy
to deploy, easy to use and centrally managed, all in an effort to make our
solution more cost-effective. Revenues from our Proventia appliance line
represented 10% of total revenues for the year ended December 31, 2003. In the
fourth quarter of 2003, we introduced and shipped our in-line intrusion
protection Proventia appliance (the Proventia G Series Appliance) and the
multi-function appliance (the Proventia M Series Appliance) that initially
includes firewall, virtual private network anti-virus and intrusion protection
capabilities. In the fourth quarter, Proventia represented 45% of our product
and license revenues, which produced a reversal in the quarterly trend of
reduced product and license revenues. Our future growth is dependent on a
continuation of the positive market response to our Proventia family of
products. In 2004, we expect to extend Proventia to our server and desktop
solutions that will continue to be delivered as software offerings. This
expected growth is critical as it represents not only product and license
revenues, but also subscription revenues from product support and content.

Our present product roadmap focuses our development on product offerings
and enhancements that will continue to improve central control and
manageability, easier deployment and more refined information and broader
Proventia appliance offerings. We expect that this focus will make our products
more cost effective to implement and maintain and will increase the future level
of product licenses and sales.

Subscriptions

Subscriptions revenue represented 30% of total revenues in 2001, 38% of
total revenues in 2002 and 46% in 2003. Subscription revenues consist of product
support and content updates, term licenses of products and security-monitoring
fees for managed services offerings. The increase in subscriptions revenue as a
percentage of total revenues was primarily due to an increase in product content
and support revenues, the largest component, which grew from 20% of total
revenues in 2001 to 27% in 2002 and to 31% in 2003. Product content and support
includes hardware support of our Proventia appliances, software updates,
technical support and security content that includes advisory updates from
X-Force, our internal team of security experts. We continue to increase our
software client base that generates product content and support revenues,
through a combination of contracts associated with new product licenses and
renewal of existing contracts.

Managed services revenues accounted for 11% of total revenues in the year
2003, as compared with 8% in the year 2002 and 6% in the year 2001. We believe
these increases were due to a strong demand in the market for proven,
financially sound, managed security service providers. We are marketing managed
services both directly to end users and through partners, including a number of
new arrangements with integrators and service providers that include managed
services as a part of their service offerings to their customers. We also expect
sales of managed services to continue to increase as a percentage of total
revenues over time as we focus our efforts on marketing new, innovative
offerings, such as our Managed Protection Services, to new and existing
customers. Managed Protection Services is a premium service combining
vulnerability assessment, managed protection and other professional services.

20

Professional services

Professional services revenue decreased both in absolute dollars and as a
percentage of total revenue from 15% in 2001 to 12% in 2002 and to 10% in 2003.
During 2001 we began narrowing our consulting offerings to focus on services
that directly contribute to our protection platform strategy. This strategy
continued in 2002 as we focused on high-value offerings that utilize our X-Force
expertise, and chose to use partners to provide deployment and other offerings
where appropriate. In 2003, we believe that entities continued to curtail costs
and limit spending of discretionary dollars on professional services in current
economic times, which resulted in flat to lower levels of demand for these
services. In addition, we continued the strategy that promotes professional
services through our systems integrator and channel partner relationships.

Although we continue to offer training classes at our Atlanta headquarters
and customers' premises, our primary focus is to deliver course materials to our
customers through authorized training centers.

Geographic regions

Geographically, we derived the majority of our revenues from sales to
customers within the Americas region. Revenues by region represented the
following percentages of total revenues:

Revenues in EMEA benefited from volume growth combined with a strengthening
currency throughout 2003, since products are primarily sold in the Euro
currency. Asia/Pacific remained consistent with 2002, decreasing minimally, we
believe, because of difficult economic conditions in portions of the region in
2003. The financial data for each segment can be found in Note 11 to the
Consolidated Financial Statements.

COSTS AND EXPENSES

Personnel

Personnel and related costs represent our largest expense category. Our
headcount has fluctuated between approximately 1,150 and 1,250 over the last 3
years as we acquired and integrated acquisitions and continually refined our
business targets in light of difficult economic conditions during these years.

Cost of product licenses and sales

Cost of product licenses and sales consists of several components. Costs
associated with licensing our software products are minor. The substantial
portion of our cost of product licenses and sales represents the hardware cost
of our Proventia appliances and payments to partners for their products that we
sell or integrate with our managed service offerings. This cost, as a percentage
of product licenses and sales, decreased from 11% in 2001 to 6% in 2002 and
increased to 9% in 2003. The decrease from 2001 to 2002 was a result of a
movement away from the direct sales of third-party products that had been a more
significant part of our revenues as a result of a 1999 acquisition. The increase
from 2002 to 2003 was connected with the introduction of the Proventia appliance
line in the second quarter of 2003 and we expect the increase in cost of product
licenses and sales to continue to increase in future periods as sales of the
Proventia appliances increase and become a larger component of our product
licenses and sales.

Cost of subscriptions and professional services

Cost of subscriptions and professional services includes the cost of our
technical support personnel who provide assistance to customers under product
support agreements, the security operations center ("SOC") costs of providing
managed security monitoring services and the costs related to our professional
services and training. These costs increased modestly from $50.7 million in 2001
to $51.1 million in 2002 followed by a

21

decrease to $48.7 million in 2003. As a percentage of subscription and
professional services revenues, the costs decreased from 50% in 2001 to 42% in
2002 and 35% in 2003.

Costs associated with our technical support personnel and our security
operations centers increased in 2002 and 2003 as we added personnel to handle
additional customers. We gained efficiencies in our security operations centers
and restructured our support groups to be more productive so personnel increased
at a much lower rate than revenue growth, contributing to the decrease in those
costs as a percentage of total revenues. While we continue to seek increased
productivity, we do expect to increase costs with a continued increase in
revenues in the future.

Offsetting this increase of costs associated with our technical support
personnel and our security operations centers was a decrease in costs associated
with our professional services and education services. Cost decreases
accompanied the decrease in revenues that occurred through a continued narrowing
of our consulting offerings to focus on services that directly contribute to our
protection platform strategy, the outsourcing of educational training outside of
Atlanta to authorized partners, and a decrease in the number of training classes
related to third-party products.

Research and development

Research and development expenses consist of salary and related costs of
research and development personnel, including costs for employee benefits, and
depreciation on computer equipment. These costs include those associated with
maintaining and expanding the X-Force, our internal team of security experts. We
believe our primary research and product development and managed service
offerings are important to retaining our leadership position in the market.

We continue to add functionality to our product family, providing gateway,
network, server and desktop-based solutions, as well as to our security
management applications. These improvements as well as new offerings are
intended to provide our customers with more powerful and easier-to-use solutions
for security management across the enterprise. Included among new releases and
major enhancements in 2003 were:

- Proventia A Series models (A201, A604 and A1204) -- network threat
detection appliance for aggregate network bandwidth from 200 Mbps to 1200
Mbps on 1 to 4 network segments.

- Proventia G Series models (G100 and G200) -- network threat protection
appliance for aggregate network bandwidth from 100 Mbps to 200 Mbps on a
particular network segment.

- Proventia M Series model (M50) -- unified firewall, VPN, anti-virus, and
intrusion detection and prevention in one appliance, under one management
system, to protect at the network and the gateway.

- RealSecure Server Sensor 7.0 -- assesses host security to detect and
report system security weaknesses, and provides intrusion prevention and
response.

- RealSecure(R) Desktop 7.0 -- provides protection against malicious
activity by analyzing application and network (including VPN) behavior on
desktops.

- RealSecure Internet Scanner 7.0 -- added improved accuracy and new
ease-of-use features to our network assessment solution.

- RealSecure SiteProtector 2.0 -- unifies the management of protection
across networks, servers and desktops to increase customers' ability to
effectively detect, prevent and respond to today's ever-changing spectrum
of threats.

Research and development expenses were $35.4 million in 2001, $35.3 million
in 2002 and $41.8 million in 2003. These costs fluctuated as a percentage of
total revenues from 16% in 2001 to 15% in 2002 and 17% in 2003.

In 2002 we continued to provide new product offerings and enhancements
without an increase in research and development expenses. Our development group
headcount increased in the fourth quarter of 2002 due to

22

the addition of 20 engineers from the vCIS acquisition. The increase in 2003 in
both absolute dollars and percentage of revenues is due to the increase in the
number of our development personnel focused on our Proventia offerings.

Throughout 2003, we also reorganized and consolidated our efforts for
security content, protection agent frameworks, management infrastructure and
multifunction appliance delivery to enhance operational and development
efficiency. This resulted in closing our engineering operations in Reading, U.K.
and Sydney, Australia in the fourth quarter of 2003. The Reading office was
closed November 30, 2003 and all costs associated with the closing of this
facility were charged to expense in 2003. The Sydney office will remain open
through the first half of 2004, with a small number of key employees. The costs
of severance associated with all terminated employees from the Sydney office
were expensed in 2003. The normal operating costs of keeping the office open
into 2004 will be expensed as incurred. These exit costs, which totaled $1.5
million, increased research and development expenses by 1% of total revenues in
2003 to 16%.

While we are committed to continue our investment in X-Force research and
development capabilities, which we believe distinguishes ISS from its
competitors, we intend to seek leverage in future periods in the research and
development area while enhancing current technologies and developing new
technologies.

Sales and marketing

Sales and marketing expenses consist of salaries, travel expenses,
commissions, advertising, maintenance of our website, trade show expenses, costs
of recruiting sales and marketing personnel and costs of marketing materials.
Sales and marketing expenses were $92.0 million in 2001, $93.7 million in 2002
and $87.5 million in 2003.

Gaining leverage in sales and marketing was a key objective for us in 2002,
and we were able to decrease these expenses as a percentage of total revenues
from 41% in 2001 to 39% in 2002. This occurred largely because we resized our
operations globally in the third quarter of 2001, resulting in personnel
reductions and decreases in various operating expenses, followed by further
reduction in the third quarter of 2002 in areas such as Latin America and Europe
where revenue demand did not support our cost base. Marketing costs increased in
2002 as we launched our first television and print advertising campaign designed
to demonstrate the multitude of threats that can compromise the security of a
company's networks, servers or desktops. This campaign was aimed at increasing
awareness of the ISS brand, especially at the mainstream business market.

In 2003, sales and marketing expenses decreased in both absolute dollars to
$87.5 million and as a percentage of total revenue to 36%. These decreases
occurred as a result of a full year impact of 2002 sales headcount reductions as
well as selective decreases during 2003. Additionally, we incurred lower
commissions due to the decrease in total product license and sales revenues.
Finally, marketing costs were at a lower level, as we did not continue our
television and print advertising campaign in 2003.

We expect to continue to achieve leverage in our sales efforts by focusing
our direct touch sales force on large customers that are served either directly
by us or through large systems integrators. This channel, which includes systems
integrators, value-added resellers and distributors, will continue to be of
increasing importance to us. We intend to use its capabilities to reach larger
customers through joint selling efforts and to reach departmental and small
companies, especially for our Proventia multi-function appliance, which we
believe has much more appeal to these companies.

General and administrative

General and administrative expenses of $20.4 million in 2001, $24.3 million
in 2002 and $22.7 million in 2003, represented approximately 9% of our total
revenues in 2001, 10% in 2002 and 9% in 2003. General and administrative
expenses consist of personnel-related costs for executive, administrative,
finance and human resources, internal information systems and other support
services costs, and legal, accounting and other professional service fees.

The increase in general and administrative expenses from 2001 to 2002
includes non-recurring expenses associated with a relocation of our Asia/Pacific
headquarters in Tokyo during the second quarter of 2002.

23

Costs included lease termination costs, including remaining rent payments,
write-off of leasehold improvements and moving costs. These costs increased
general and administrative expenses by 1% of total revenues in 2002.

Charge for in-process research and development

We have reflected charges of $2.9 million in 2001 and $18.5 million in 2002
for the write-offs of in-process research and development costs associated with
the Network ICE acquisition in June 2001 and the vCIS acquisition in October
2002. In-process research and development had not reached technological
feasibility based on identifiable technological risk factors which indicated
that even though successful completion was expected, it was not assured at the
acquisition date and was immediately charged to operations.

vCIS was developing a protection kernel that uses behavior analysis
technology to identify viruses, Trojans, worms, and other forms of malicious
code. The technology operates on behavior of malicious code rather than on
individual signatures of malicious code. It conducts real time assessments of
all executable program files, in a safe environment, and cleans the files before
they are allowed to execute within an actual system. At the time the merger
transaction was concluded, the vCIS technology had not reached technological
feasibility, vCIS had no marketable product and vCIS had not identified any
alternative uses for the technology at its current stage of development. We
continue to work on the development of the product and had not used this
technology in our product line as of the end of 2003.

Amortization

We incurred amortization expense related to intangible assets and
stock-based compensation of $5.2 million in 2001, $5.7 million in 2002 and $6.0
million in 2003. These intangible assets and stock-based compensation resulted
from acquisitions accounted for under the purchase method of accounting and are
amortized over their useful lives. Due to the closing of our Reading, UK and
Sydney, Australia research and development facilities in late 2003, the expense
in 2003 includes a $738,000 charge related to our workforce reductions at these
facilities.

Interest income

Net interest income decreased from $6.3 million in 2001 to $3.2 million in
2002 and to $2.7 million in 2003. The decrease in interest income year over year
resulted from lower market rates of interest on debt securities. The market rate
of interest paid on investment-grade commercial paper and similar investments
dropped from approximately 4.5% during 2001 to approximately 2% during 2002 and
dropped to approximately 1% for 2003. As a result, interest income decreased
despite an increase in cash and cash equivalents and interest-bearing marketable
securities.

Other income (expense), net

Other income and expense is primarily the result of issuance of stock in
subsidiary companies and the results of investment in and the acquisition of
distributors. In accordance with Staff Accounting Bulletin No. 51 ("SAB 51"), we
have recorded gains when shares in our Japanese subsidiary have been issued in
connection with its 2001 initial public offering, a 2002 acquisition of a
Singapore-based distributor and option exercises in 2002 and 2003. Additionally,
our Japan subsidiary took a minority position in a number of private companies,
which ultimately produced a $1.9 million realized gain in 2002, and a $2.2
million impairment loss in 2003. At December 31, 2003, our Japan subsidiary has
only one remaining investment for $700,000, which is carried at cost and has
been deemed to not be impaired.

Provision for income taxes

We recorded a provision for income taxes of $12.5 million in 2001, $13.1
million in 2002, and $11.2 million in 2003. While income tax expense was
recorded on domestic income for each year, taxes payable were reduced by
deductions related to the value of employee exercise of stock options. The tax
benefit

24

for the use of these stock option deductions was recorded as additional paid-in
capital. Taxes paid generally relate to foreign operations.

As of December 31, 2003, we had net operating loss carryforwards of
approximately $21.8 million related to stock option deductions that expire in
varying amounts between 2011 and 2021. The tax benefit for this carryforward
will be recorded as additional paid-in-capital when it is realized. We also have
approximately $7.7 million of research and development tax credit carryforwards,
which expire between 2011 and 2023 and foreign tax credit carryforwards of $2.8
million that expire between 2006 and 2008.

LIQUIDITY AND CAPITAL RESOURCES

Our financial position remained strong throughout 2003. Our cash and cash
equivalents and marketable security investments increased from $202.3 million at
December 31, 2002 to $238.2 million at December 31, 2003. Our investments in
marketable securities consist solely of high rated debt obligations with
maturities of 12 months or less.

During 2003, we met our working capital needs and capital equipment needs
with cash provided by operations. Cash provided by operations in 2003 totaled
$48.7 million compared to $48.9 million in 2002 and $39.4 million in 2001.
Accounts receivable, net of acquisitions, increased $9.9 million in 2003
compared to an increase of $5.2 million in 2002 and a decrease of $9.3 million
in 2001. These changes were primarily the result of changes in sales levels in
the fourth quarter of the respective periods, increasing from 2001 to 2002 and
from 2002 to 2003. We measure our accounts receivable management by our daily
sales outstanding. This is a measurement of accounts receivable divided by
billings in the quarter, represented by the sum of revenues plus the change in
the deferred revenues liability account balance. This measurement was 78, 77 and
81 days at December 31, 2001, 2002 and 2003, respectively, each within our
publicly stated target range of 75 to 85 days.

Our investing activities of $4.8 million in 2003 resulted from our capital
purchases, which decreased to $7.2 million compared to $10.9 million in 2002.
Our spending is primarily for improved computer hardware for new and existing
employees and investment in infrastructure hardware and software applications.
Investing activities also included changes in our marketable securities that
have quality characteristics similar to cash equivalents, except their
maturities when we acquire them are longer than three months. The cash flow
statement included the purchase of $76.5 million of intermediate term marketable
securities, primarily interest-bearing government obligations and commercial
paper, offset by net proceeds from the maturity of marketable securities of
$76.6 million.

Our financing activities used $13.7 million of cash in 2003, principally
due to the repurchase of our common stock under an authorized plan to repurchase
up to $50 million. Through December 31, 2003, we had repurchased a total of
$18.4 million, including the purchase of 1,177,000 shares of our common stock on
the open market during 2003 at an aggregate cost of $16.3 million.

At December 31, 2003, we had $238.2 million of cash and cash equivalents
and marketable securities; primarily money market accounts and investment grade
commercial paper. An additional $12.8 million of commercial paper investments
are pledged as collateral for stand-by letters of credit related to the
operating leases of our facilities and are shown on the balance sheet as
restricted marketable securities. We believe that such cash and cash equivalents
and marketable securities will be sufficient to meet our working capital needs
and capital expenditures for the foreseeable future. Furthermore, we are not
aware of any trends, events, or uncertainties that are reasonably likely to
result in any significant change to our liquidity.

From time to time, we evaluate possible acquisition and investment
opportunities in businesses, products or technologies that are complementary to
ours. In the event we determine to pursue such opportunities, we may use our
available cash and cash equivalents and marketable securities for this purpose.
In January 2004, we used approximately $40 million of cash in acquiring Cobion
and the license of development source code from another party.

25

Off-Balance Sheet Arrangements

Payments for certain of our operating leases are secured by two
collateralized stand-by letters of credit totaling approximately $10.3 million
at December 31, 2003. The stand-by letters of credit are annually renewable over
the duration of the applicable leases. These stand-by letters of credit
guarantee our payment obligations on the leases. If we default on the lease
payments, the landlords can claim against the letters of credit. We, in turn,
would be liable to the letter of credit issuers. Our stand-by letters of credit
are collateralized by securities worth $12.8 million at December 31, 2003. Other
than these non-cancelable operating leases, we have no off-balance sheet
financing arrangements, any relationships with "structured finance" or "special
purpose" entities, or any contractual obligations with unconsolidated entities
that are reasonably likely to impact our liquidity.

Contractual Commitments

The following table summarizes our significant contractual obligations at
December 31, 2003, and the effect such obligations are expected to have on our
liquidity and cash flows in future periods. This table excludes amounts already
recorded on our balance sheet as current liabilities at December 31, 2003
(amounts in thousands):

Other obligations consist of payments due under an existing software
licensing agreement. The expected timing and payment of the obligations above is
estimated based on current information. Timing of payments and actual amounts
paid may be different depending on the timing of receipt of goods or services or
changes to agreed-upon amounts for some obligations.

RISK FACTORS

There are many factors that affect ISS' business and the results of its
operations, some of which are beyond ISS' control. The following is a
description of some of the important factors that may cause the actual results
of ISS' operations in future periods to differ materially from those currently
expected or desired. We encourage you to read this section carefully.

We Operate in a Rapidly Evolving Market

We operate in a rapidly evolving market and must, among other things:

- respond to competitive developments;

- continue to upgrade and expand our product and services offerings; and

- continue to attract, retain and motivate our employees.

We cannot be certain that we will successfully address these issues. As a
result, we cannot assure our investors that we will be able to continue to
operate profitably in the future.

We introduced our new Proventia appliance line, beginning with the A Series
in April 2003. The G Series and M Series were introduced in the fourth quarter
of 2003. As a result of our limited history with these products, it may be
difficult to plan or project our revenues accurately. The revenue and income
potential of these products is unproven and the markets addressed by these
products are volatile. If these products fail to gain market acceptance, our
revenue could be below our expectations and our operating results could be
adversely affected.

26

Our Future Operating Results Will Likely Fluctuate Significantly

We cannot predict our future revenues and operating results with certainty.
However, we do expect our future revenues and operating results to fluctuate due
to a combination of factors, including:

- the growth in the acceptance of, and activity on, the Internet and the
world wide web, particularly by corporate, institutional and government
users;

- the extent to which the public perceives that unauthorized access to and
use of online information are threats to network security;

- customer budgets;

- the volume and timing of orders, including seasonal trends in customer
purchasing;

- our ability to develop new and enhanced product, managed service and
professional service offerings;

- the introduction and acceptance rate of ISS branded appliances, including
increased cost of goods sold and inventory costs;

- our ability to accurately forecast and produce demanded quantities of our
appliance products and models;

- availability of component parts of appliance products and reliance on
contract manufacturers to produce such products;

- our ability to provide scalable managed services offerings through our
partners in a cost effective manner;

- foreign currency exchange rates that affect our international operations;

- product and price competition in our markets; and

- general economic conditions, both domestically and in our foreign
markets.

We increasingly focus our efforts on sales of enterprise-wide security
solutions, which consist of our entire product suite and related professional
services, and managed security services, rather than on the sale of component
products. As a result, each sale requires substantial time and effort from our
sales and support staff. In addition, the revenues associated with particular
sales vary significantly depending on the number of products licensed by a
customer, the number of devices used by the customer and the customer's relative
need for our professional services. Large individual sales, or even small delays
in customer orders, can cause significant variation in our license revenues and
results of operations for a particular period. The timing of large orders is
usually difficult to predict and, like many software and services companies,
many of our customers typically complete transactions in the last month of a
quarter.

We cannot predict our operating expenses based on our past results.
Instead, we establish our spending levels based in large part on our expected
future revenues. As a result, if our actual revenues in any future period fall
below our expectations, our operating results likely will be adversely affected
because very few of our expenses vary with our revenues. Because of the factors
listed above, we believe that our quarterly and annual revenues, expenses and
operating results likely will vary significantly in the future.

Our ability to provide timely guidance and meet the expectations of
investors with respect to our operating and financial results is impacted by the
tendency of a majority of our sales to be completed in the last month of a
quarter. We may not be able to determine whether we will experience material
deviations from guidance or expectations until the end of a quarter.

Dependence on Third Party Suppliers and Manufacturers

We carry little inventory of our appliance products and we rely on
suppliers to deliver necessary components to our contract manufacturers in a
timely manner based on the forecasts we provide. We currently purchase some
Proventia appliance components and contract manufacturing services from single
or limited

27

sources. If shortages occur, supplies are interrupted, or we under forecast
sales of demanded models, we may not be able to deliver products to our
customers and our revenue and operating results would be adversely affected.
Because our supply of hardware is based on short-term forecasts and purchase
orders, our contract manufacturers are not obligated to purchase components for
greater quantities over longer periods. We provide six-month forecasts of our
demand to our contract manufacturer. If we overestimate our requirements, we or
our contract manufacturers may have excess inventory, which could increase our
costs. If we underestimate our requirements, our contract manufacturers may have
an inadequate component inventory and, based on lead times, this could interrupt
manufacturing and result in delays in shipments and revenues.

We Face Intense Competition in Our Market

The market for network security monitoring, detection, prevention and
response solutions is intensely competitive, and we expect competition to
increase in the future. We cannot guarantee that we will compete successfully
against our current or potential competitors, especially those with
significantly greater financial resources or brand name recognition. Our chief
competitors generally fall within the following categories:

- large companies, including Symantec Corp., Cisco Systems, Inc., Netscreen
Technologies, Inc. (which is being acquired by Juniper Networks, Inc.),
and Network Associates, Inc., that sell competitive products and
offerings, as well as other large software companies that have the
technical capability and resources to develop competitive products;

- software or hardware network infrastructure companies like Cisco Systems,
Inc. and Juniper Networks, Inc. that could integrate features that are
similar to our products into their own products;

- relatively smaller software companies offering relatively limited
applications for network and Internet security; and

- small and large companies with competitive offerings to components of our
managed services offerings.

Mergers or consolidations among these competitors, or acquisitions of small
competitors by larger companies, represent risks. For example, Symantec Corp.,
Cisco Systems, Inc., and Network Associates, Inc. have acquired smaller
companies that have intrusion prevention technologies during the past several
years, and Juniper Networks, Inc. announced that it is acquiring Netscreen
Technologies, Inc. These acquisitions will make these entities potentially more
formidable competitors to us if such products and offerings are effectively
integrated. Large companies may have advantages over us because of their longer
operating histories, greater name recognition, larger customer bases or greater
financial, technical and marketing resources. As a result, they may be able to
adapt more quickly to new or emerging technologies and changes in customer
requirements. They can also devote greater resources to the promotion and sale
of their products than we can. In addition, these companies have reduced and
could continue to reduce, the price of their security monitoring, detection and
response products and managed security services, which increases pricing
pressures within our market.

Several companies currently sell software and hardware products (such as
encryption, firewall, operating system security and virus detection software)
that our customers and potential customers have broadly adopted. Some of these
companies sell products that perform the same functions as some of our products.
In addition, the vendors of operating system software or networking hardware may
enhance their products to include the same kinds of functions that our products
currently provide. The widespread inclusion of comparable features to our
software in operating system software or networking hardware could render our
products less competitive or obsolete, particularly if such features are of a
high quality. Even if security functions integrated into operating system
software or networking hardware are more limited than those of our products, a
significant number of customers may accept more limited functionality to avoid
purchasing additional products.

In addition, with the introduction of our multi-function M Series Proventia
appliance, we have offerings that compete with vendors of firewalls, VPN's,
anti-virus systems, and content and spam filtering. This offering is competitive
with a broader spectrum of network security companies, as well as those that
also offer multi-function appliances or broad product suites, like Symantec
Corp.

28

For the above reasons, we may not be able to compete successfully against
our current and future competitors. Increased competition may result in price
reductions, reduced gross margins and loss of market share.

We Face Rapid Technological Change in Our Industry and Frequent Introductions
of New Products

Rapid changes in technology pose significant risks to us. We do not control
nor can we influence the forces behind these changes, which include:

- the extent to which businesses and others seek to establish more secure
networks;

- the extent to which hackers and others seek to compromise secure systems;

- evolving computer hardware and software standards;

- changing customer requirements; and

- frequent introductions of new products and product enhancements.

To remain successful, we must continue to change, adapt and improve our
products in response to these and other changes in technology. Our future
success hinges on our ability to both continue to enhance our current line of
products and professional services and to introduce new products and services
that address and respond to innovations in computer hacking, computer technology
and customer requirements. We cannot be sure that we will successfully develop
and market new products that do this. Any failure by us to timely develop and
introduce new products, to enhance our current products or to expand our
professional services capabilities in response to these changes could adversely
affect our business, operating results and financial condition.

Our products involve very complex technology, and as a consequence, major
new products and product enhancements require a long time to develop and test
before going to market. Because this amount of time is difficult to estimate, we
have had to delay the scheduled introduction of new and enhanced products in the
past and may have to delay the introduction of new and enhanced products in the
future.

The techniques computer hackers use to gain unauthorized access to, or to
sabotage, networks and intranets are constantly evolving and increasingly
sophisticated. Furthermore, because new hacking techniques are usually not
recognized until used against one or more targets, we are unable to anticipate
most new hacking techniques. To the extent that new hacking techniques harm our
customers' computer systems or businesses, affected or prospective customers may
believe that our products are ineffective, which may cause them or prospective
customers to reduce or avoid purchases of our products.

Risks Associated with Our Global Operations

The expansion of our international operations includes our presence in
dispersed locations throughout the world, including throughout Europe and the
Asia/Pacific and Latin America regions. Our international presence and expansion
exposes us to risks not present in our U.S. operations, such as:

- the difficulty in managing an organization spread over various countries
located across the world;

- compliance with, and unexpected changes in, a wide range of complex
regulatory requirements in countries where we do business;

- duties and tariffs imposed on importation of our products in other
jurisdictions where other manufacturers may not bear those same costs;

- increased financial accounting and reporting burdens;

- potentially adverse tax consequences;

- fluctuations in foreign currency exchange rates resulting in losses or
gains from transactions and expenses denominated in foreign currencies;

29

- reduced protection for intellectual property rights in some countries;

- reduced protection for enforcement of creditor and contractual rights in
some countries; and

- import and export license requirements and restrictions on the import and
export of certain technology, especially encryption technology and trade
restrictions.

Despite these risks, we believe that we must continue to expand our
operations in international markets to support our growth. To this end, we
intend to establish additional foreign sales operations, expand our existing
offices, hire additional personnel, expand our international sales channels and
customize our products for local markets. If we fail to execute this strategy,
our international sales growth will be limited.

Our Networks, Products and Services May be Targeted by Hackers

Like other companies, our websites, networks, information systems, products
and services may be targets for sabotage, disruption or misappropriation by
hackers. As a leading network security solutions company, we are a high profile
target. Although we believe we have sufficient controls in place to prevent
disruption and misappropriation, and to respond to such situations, we expect
these efforts by hackers to continue. If these efforts are successful, our
operations, reputation and sales could be adversely affected.

We Must Successfully Integrate Acquisitions

As part of our growth strategy, we have and may continue to acquire or make
investments in companies with products, technologies or professional services
capabilities complementary to our solutions. When engaging in acquisitions, we
could encounter difficulties in assimilating or completing the development of
the technologies, new personnel and operations into our company. These
difficulties may disrupt our ongoing business, distract our management and
employees, increase our expenses and adversely affect our results of operations.
These difficulties could also include accounting requirements, such as
impairment charges related to goodwill or expensing in-process research and
development costs. We cannot be certain that we will successfully overcome these
risks with respect to any future acquisitions or that we will not encounter
other problems in connection with our recent or any future acquisitions. In
addition, any future acquisitions may require us to incur debt or issue equity
securities. The issuance of equity securities could dilute the investment of our
existing stockholders.

Our Proprietary Rights May be Difficult to Enforce

We rely primarily on copyright, trademark, patent and trade secrets laws,
confidentiality procedures and contractual provisions to protect our proprietary
rights. We have obtained one United States patent and have a number of patent
applications pending, as well as numerous trademarks and trademark applications
pending. There can be no assurance that patents will be issued from pending
applications, or that claims allowed on any patents will be sufficiently broad
to protect our technology. There can be no assurance that any issued patents
will not be challenged, invalidated or circumvented, or that any rights granted
under these patents will actually provide competitive advantages to us. Despite
our efforts to protect our proprietary rights, unauthorized parties may attempt
to copy aspects of our products or to obtain and use information that we regard
as proprietary. Policing unauthorized use of our products is difficult. While we
cannot determine the extent to which piracy of our software products occurs, we
expect software piracy to be a persistent problem. In addition, the laws of some
foreign countries do not protect our proprietary rights to as great an extent as
do the laws of the United States, and many foreign countries do not enforce
these laws as diligently as U.S. government agencies and private parties. If we
are unable to protect our proprietary rights to the totality of the features in
our software and products (including aspects of our software and products
protected other than by patent rights), we may find ourselves at a competitive
disadvantage to others who need not incur the additional expense, time and
effort required to create the innovative products that have enabled us to be
successful.

30

We May Be Found to Infringe the Proprietary Rights of Others

Third parties may assert claims or initiate litigation related to exclusive
patent, copyright, trademark and other intellectual property rights to
technologies that are relevant to our business. Because of the large number of
patents in the Internet, networking, security and software fields, the secrecy
of some pending patents and the rapid rate of issuance of new patents, it is not
economically practical (or even possible) to determine in advance whether a
product (or any of its components) infringe or will infringe the patent rights
of others. Third party asserted claims and/or initiated litigation can include
claims against us or our manufacturers, suppliers, or customers, alleging
infringement of their proprietary rights with respect to our existing or future
products (or components of those products). Regardless of the merit of these
claims, they can be time-consuming, result in costly litigation and diversion of
technical and management personnel, or require us to develop a non-infringing
technology or enter into license agreements. There can be no assurance that
licenses will be available on acceptable terms and conditions, if at all, in
these circumstances, or that any indemnification that might be available to us
would be adequate to cover our costs of defense. Furthermore, because of the
potential for large judgments, which are not necessarily predictable, it is not
unusual to find even arguably unmeritorious claims settled for significant
funds. If any infringement or other intellectual property claim made against us
by a third party is successful, or if we fail to develop non-infringing
technology or license the proprietary rights on commercially reasonable terms
and conditions, our business, operating results, financial condition and
liquidity could be materially and adversely affected.

Some Provisions in the ISS Certificate of Incorporation and Bylaws Make a
Takeover of ISS Difficult

Our certificate of incorporation and bylaws contain provisions that could
have the effect of making it more difficult for a third party to acquire, or of
discouraging a third party from attempting to acquire, control of ISS. These
provisions:

- establish a classified board of directors;

- create preferred stock purchase rights that grant to holders of common
stock the right to purchase shares of Series A Junior Preferred Stock in
the event that a third party acquires 20% or more of the voting power of
our outstanding common stock;

- prohibit the right of our stockholders to act by written consent;

- limit calling special meetings of stockholders; and

- impose a requirement that holders of 66 2/3% of the outstanding shares of
common stock are required to amend the provisions relating to the
classification of our board of directors and action by written consent of
stockholders.

ITEM 7A. QUANTITATIVE AND QUALITATIVE DISCLOSURES ABOUT MARKET RISK

INTEREST RATE SENSITIVITY

The primary objective of our investment activities is to preserve principal
while at the same time maximizing the income we receive from our investments
without significantly increasing risk. Some of the securities in which we invest
may be subject to market risk. This means that a change in prevailing interest
rates may cause the principal amount of the investment to fluctuate. For
example, if we hold a security that was issued with a fixed interest rate at the
then-prevailing rate and the prevailing interest rate later rises, the market
value of our investment will probably decline. To minimize this risk, we
maintain our portfolio of cash equivalents and marketable securities in a
variety of high-quality relatively short-term investments, including commercial
paper and overnight repurchase agreements. As of December 31, 2003, $27.1
million of our securities mature in more than three months and $19.2 million of
our securities mature in more than six months, but in all cases less than one
year.

31

RISK ASSOCIATED WITH FOREIGN EXCHANGE RATES

ISS is subject to foreign exchange risk as a result of exposures to changes
in currency exchange rates. Our foreign operations are, for the most part,
naturally hedged against exchange rate fluctuations since both revenues and
expenses of each foreign affiliate are denominated in the same currency.
Therefore, we do not engage in formal hedging activities, but we do periodically
review the potential impact of this risk to ensure that the risk of significant
potential losses remains minimal. As a result, an unfavorable change in the
exchange rate for any particular foreign subsidiary would result in lower
revenues and expenses with regards to operating results, and lower assets and
liabilities with regards to the balance sheet.

The Company's operating results are affected by changes in exchange rates
between the U.S. Dollar and the Euro and the Japanese Yen. When the U.S. Dollar
strengthens against these foreign currencies, the value of our non-functional
currency revenues decreases. When the U.S. Dollar weakens, the value of our
functional currency revenues increases. Since much of our international
operating expenses are also incurred in local currencies, which is the foreign
subsidiaries functional currency, the impact of exchange rates on net income or
loss is relatively less than the impact on revenue. Although our operating and
pricing strategies take into account changes in exchange rates over time, our
results of operations may be affected significantly in the short term by
fluctuations in foreign currency exchange rates.

During 2003, the Company recorded a net foreign exchange gain of $813,000.
The nature and extent of the foreign currency risk faced by the Company depends
on many factors that cannot be accurately predicted. These factors include
significant changes in foreign currency market conditions, the Company's
inability to match foreign currency denominated revenues with costs denominated
in the same currency, and changes in the amount or mix of revenues denominated
in various foreign currencies. As a result of material unforeseen changes in
these factors, the Company's foreign currency risk could have a greater impact
on the Company's results of operations in the future.

ITEM 8. CONSOLIDATED FINANCIAL STATEMENTS AND SUPPLEMENTARY DATA

Schedules other than the one listed above are omitted as the required
information is inapplicable or the information is presented in the consolidated
financial statements or related notes.

ITEM 9. CHANGES IN AND DISAGREEMENTS WITH ACCOUNTANTS ON ACCOUNTING AND
FINANCIAL DISCLOSURE

None.

ITEM 9A. CONTROLS AND PROCEDURES

ISS' management with the participation of the Chief Executive Officer and
Chief Financial Officer evaluated the effectiveness of ISS' disclosure controls
and procedures (as such term is defined in Rules 13a-15(e) and 15d-15(e) under
the Securities Exchange Act of 1934, as amended (the "Exchange Act)) as of the
end of the period covered by this annual report (the "Evaluation Date"). Based
on such

32

evaluation, such officers have concluded that, as of the Evaluation Date, ISS'
disclosure controls and procedures were effective to provide reasonable
assurance that information required to be disclosed in the reports ISS files
under the Exchange Act is recorded, processed, summarized and reported on a
timely basis.

There have not been any changes in ISS' internal controls over financial
reporting during the quarter ended December 31, 2003 that have materially
affected, or are reasonably likely to materially affect, such controls.

33

PART III

ITEM 10. DIRECTORS AND EXECUTIVE OFFICERS OF THE REGISTRANT

DIRECTORS AND EXECUTIVE OFFICERS

See the Proxy Statement for the Company's 2004 Annual Meeting of
Stockholders, under the headings "Proposal One: Election of Directors",
"Executive Officers", and "Section 16(a) Beneficial Reporting Compliance", which
information is incorporated herein by reference.

CODE OF CONDUCT AND CODE OF ETHICS FOR FINANCIAL PROFESSIONALS

The Company has adopted a Code of Conduct and a Code of Ethics for
Financial Professionals which apply to its Chief Executive Officer, Chief
Financial Officer, and Principal Accounting Officer. These documents are
available on the "Investor Relations -- Corporate Governance" portion of our
website at www.iss.net\About ISS.

INCORPORATION OF OTHER INFORMATION BY REFERENCE

For information on audit committee financial experts see the Proxy
Statement for the Company's 2004 Annual Meeting of Stockholders, under the
heading "Audit Committee", which information is incorporated herein by
reference.

ITEM 11. EXECUTIVE COMPENSATION

See the Proxy Statement for the Company's 2004 Annual Meeting of
Stockholders, under the headings "Director Compensation" and "Executive
Compensation", which information is incorporated herein by reference.

ITEM 12. SECURITY OWNERSHIP OF CERTAIN BENEFICIAL OWNERS AND MANAGEMENT AND
RELATED STOCKHOLDER MATTERS

See the Proxy Statement for the Company's 2004 Annual Meeting of
Stockholders, under the headings "Security Ownership of Management and Principal
Stockholders" and "Equity Compensation Plans", which information is incorporated
herein by reference.

ITEM 13. CERTAIN RELATIONSHIPS AND RELATED TRANSACTIONS

See the Proxy Statement for the Company's 2004 Annual Meeting of
Stockholders, under the heading "Certain Relationships and Related
Transactions", which information is incorporated herein by reference.

ITEM 14. PRINCIPAL ACCOUNTANT FEES AND SERVICES

See the Proxy Statement for the Company's 2004 Annual Meeting of
Stockholders, under the headings "Audit Fees", "Audit-Related Fees", "Tax Fees",
"All Other Fees" and "Fee Pre-approval Policy", which information is
incorporated herein by reference.

34

PART IV

ITEM 15. EXHIBITS, FINANCIAL STATEMENT SCHEDULES AND REPORTS ON FORM 8-K

(a) The following documents are filed as part of this report:

1. Consolidated Financial Statements. See Index to Financial
Statements on page 32

2. Financial Statement Schedules See Index to Financial Statements on
page 32

3. Exhibits. The exhibits to this Annual Report on Form 10-K have
been included only with the copy of this Annual Report on Form 10-K filed
with the Securities and Exchange Commission. Copies of individual exhibits
will be furnished to stockholders upon written request to the Company and
payment of a reasonable fee.

- ---------------

* Identifies those filed with this Form 10-K.

** Data required by SFAS No. 128, "Earnings Per Share", is provided in Note 4 to
the consolidated financial statements in this report.

(b) Reports on Form 8-K

On October 21, 2003 ISS furnished a report on Form 8-K pursuant to Item 12
thereof relating to a press release regarding its financial results for the
quarter ended September 30, 2003 and providing its Business Outlook for the
quarter ending December 31, 2003 and fiscal year ending December 31, 2003.

36

REPORT OF INDEPENDENT AUDITORS

The Board of Directors and Stockholders
Internet Security Systems, Inc.

We have audited the accompanying consolidated balance sheets of Internet
Security Systems, Inc. as of December 31, 2002 and 2003, and the related
consolidated statements of operations, stockholders' equity, and cash flows for
each of the three years in the period ended December 31, 2003. Our audits also
included the financial statement schedule listed in the Index at Item 15(a).
These financial statements and schedule are the responsibility of the Company's
management. Our responsibility is to express an opinion on these financial
statements and schedule based on our audits.

We conducted our audits in accordance with auditing standards generally
accepted in the United States. Those standards require that we plan and perform
the audit to obtain reasonable assurance about whether the financial statements
are free of material misstatement. An audit includes examining, on a test basis,
evidence supporting the amounts and disclosures in the financial statements. An
audit also includes assessing the accounting principles used and significant
estimates made by management, as well as evaluating the overall financial
statement presentation. We believe that our audits provide a reasonable basis
for our opinion.

In our opinion, the financial statements referred to above present fairly,
in all material respects, the consolidated financial position of Internet
Security Systems, Inc. as of December 31, 2002 and 2003, and the consolidated
results of its operations and its cash flows for each of the three years in the
period ended December 31, 2003, in conformity with accounting principles
generally accepted in the United States. Also, in our opinion, the related
financial statement schedule, when considered in relation to the basic financial
statements taken as a whole, presents fairly in all material respects the
information set forth therein.

As discussed in Note 1 to the consolidated financial statements, in 2002
the Company ceased amortization of goodwill in accordance with Statement of
Financial Accounting Standards No. 142, Goodwill and Other Intangible Assets.

/s/ Ernst & Young LLP

Atlanta, Georgia
February 26, 2004

37

INTERNET SECURITY SYSTEMS, INC.

CONSOLIDATED BALANCE SHEETS

See accompanying notes.

38

INTERNET SECURITY SYSTEMS, INC.

CONSOLIDATED STATEMENTS OF OPERATIONS

See accompanying notes.

39

INTERNET SECURITY SYSTEMS, INC.

CONSOLIDATED STATEMENTS OF STOCKHOLDERS' EQUITY

See accompanying notes.

40

INTERNET SECURITY SYSTEMS, INC.

CONSOLIDATED STATEMENTS OF CASH FLOWS

See accompanying notes.

41

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
DECEMBER 31, 2003

1. SIGNIFICANT ACCOUNTING POLICIES

DESCRIPTION OF BUSINESS

The business of Internet Security Systems, Inc. and its subsidiaries
("ISS") is focused on protecting gateways, networks, servers and desktops
against an ever-changing spectrum of threats, with a comprehensive line of
products and services designed specifically for the particular needs of
enterprise, service provider, risk management, small business and consumer
markets.

PRINCIPLES OF CONSOLIDATION

The consolidated financial statements include the accounts of Internet
Security Systems, Inc. and its majority-owned subsidiaries. All significant
intercompany and investment accounts and transactions have been eliminated in
consolidation. Certain prior year amounts have been reclassified to conform to
current year presentation.

ISS's shares are traded on the NASDAQ National Market under the ticker
symbol "ISSX". In addition, ISS has various other subsidiaries in the Americas,
Europe and the Asia/Pacific regions with primary marketing and sales
responsibilities for ISS's products and services in their respective markets.
ISS is organized as, and operates in, a single business segment that provides
products, technical support, managed security services, professional security
services and education services as components of providing security management
solutions. ISS is organized around geographic areas: the Americas (United
States, Canada, South America and Latin America), EMEA (Europe, Middle East and
Africa) and Asia/Pacific. These geographic areas represent ISS' three reportable
segments (see Note 11).

FOREIGN CURRENCY TRANSLATIONS

The functional currency of ISS' foreign subsidiaries is the local currency.
Assets and liabilities denominated in foreign currencies are translated using
the exchange rate on the balance sheet dates. The translation adjustments
resulting from this process are shown separately as a component of stockholders'
equity. Revenues and expenses are translated using average exchange rates for
the period. Transaction gains and losses are included in the results of
operations.

USE OF ESTIMATES

The preparation of financial statements in conformity with accounting
principles generally accepted in the United States requires management to make
estimates and assumptions that affect the amounts reported in the financial
statements and accompanying notes. Actual results may differ from those
estimates, and such differences may be material to the consolidated financial
statements.

REVENUE RECOGNITION

Revenue is recognized under Statement of Position ("SOP") 97-2, Software
Revenue Recognition, as modified by SOP 98-9, Software Revenue Recognition with
Respect to Certain Transactions, when the following criteria have been met:

- persuasive evidence of an arrangement exists;

- delivery has occurred or services have been rendered;

- price is fixed or determinable; and

- collection is probable.

42

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

Product licenses and sales include revenue from sales of perpetual software
licenses and products. We recognize perpetual software license revenues upon (1)
delivery of software or, if the customer has evaluation software, delivery of
the software key and (2) issuance of the related license, assuming that no
significant vendor obligations or customer acceptance rights exist. Where
payment terms are extended over periods greater than 12 months, revenue is
recognized as such amounts become due and payable. Product sales consist
primarily of appliances sold in conjunction with ISS licensed software. These
sales are recognized upon shipment to the customer provided all other revenue
recognition criteria are met.

Sales of enterprise products are generated both through direct sales to
end-users as well as through various partners, including system integrators,
value-added resellers and distributors. License revenue is recognized when the
sale has occurred for an identified end user through electronic delivery of a
software key that is necessary to operate the product, provided all other
revenue recognition criteria are met. At the point of key delivery, the end-user
has no right of return.

Subscription revenues include product support and content updates, term
licenses, and managed service arrangements. Renewable product support and
content update is a separate component of each perpetual license agreement and
appliance sold in conjunction with ISS products. Term licenses allow customers
to use our products and receive product support coverage and content updates for
a specified period, generally 12 months. We generally invoice for product
support, content updates and term licenses at the beginning of the term and
recognize revenue ratably over the subscription term. Security monitoring and
management services of information assets and systems are part of managed
services and associated revenues are recognized and billed as such services are
provided.

Historically, our appliance and software sales have been accounted for
primarily as revenue at the time of sale, with product support and content
updates generally representing between 20% and 30% of the upfront revenue
amount. With the introduction of the multi-function appliance, we expect to
significantly alter this ratio, as the majority of the initial price paid by the
customer will be for content provided for a specified term. This will results in
the subscription component being recorded in deferred revenues and recognized
over the term as subscription revenue.

Professional services revenues include fee-based service engagements and
training. Service engagements, typically billed on either a fixed fee or
time-and-materials basis, primarily focus on security assessments of customer
networks and the development of customers' security policies. We have these
offerings to support our primary goal of providing products and managed
services, desiring to have such services provided by our partners where
practical. We recognize such professional services revenues as the related
services are rendered.

Multiple element arrangements can include any combination of our products
or services. When some elements are delivered prior to others in an arrangement,
all revenue is deferred until the delivery of the last element unless there is
all of the following:

- vendor specific objective evidence (VSOE) of fair value of the
undelivered elements;

- the functionality of the delivered elements is not dependent on the
undelivered elements; and

- delivery of the delivered elements represents the culmination of the
earnings process.

When these criteria have been met, we allocate revenue to the delivered
software product using the residual method. Under the residual method, we
allocate discounts inherent in the arrangement entirely to the product that is
initially delivered and recognize the other elements as they are delivered based
on the vendor specific objective evidence, which is typically determined by the
Company selling those elements separately.

43

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

COST OF REVENUES

Cost of revenues includes the cost of product licenses and sales and the
cost of subscriptions and professional services. Cost of product licenses and
sales includes the costs associated with licensing software and the hardware
cost associated with appliances. These costs are incurred upon recognition of
the associated product revenues. Cost of subscriptions and professional services
includes the cost of the technical support group that provides assistance to
customers with product support agreements, the operations center costs of
providing managed services and the costs related to the professional services
and training staff.

CASH AND CASH EQUIVALENTS

Cash equivalents include all highly liquid investments with original
maturities of three months or less when purchased. Such amounts are stated at
cost, which approximates market value.

MARKETABLE SECURITIES

Marketable securities consist of debt instruments of U.S. government
agencies and corporate commercial paper. All such marketable securities have a
maturity of less than twelve months. These investments are classified as
available-for-sale and reported at fair market value. The amortized cost of
securities classified as available-for-sale is adjusted for amortization of
premiums and accretion of discounts to maturity. Such amortization is included
in interest income. Unrealized gains and losses on available-for-sale securities
were immaterial for 2002 and 2003. Realized gains and losses, and declines in
value judged to be other-than-temporary are included in net securities gains
(losses) and are included in results of operations. Interest on securities
classified as available-for-sale is included in interest income (see Note 3).

CONCENTRATIONS OF CREDIT AND SUPPLIER RISK

Product revenues are concentrated in the software industry, which is highly
competitive and rapidly changing. Significant technological changes in the
industry or customer requirements, or the emergence of competitive products with
new technologies or capabilities could adversely affect operating results. In
addition, fluctuations of the U.S. dollar against foreign currencies or changes
in local regulatory or economic conditions could adversely affect operating
results.

We carry little inventory of our appliance products and we rely on
suppliers to deliver necessary components to our contract manufacturers in a
timely manner based on the forecasts we provide. We currently purchase some
Proventia appliance components and contract manufacturing services from single
or limited sources.

Financial instruments that potentially subject ISS to significant
concentrations of credit risk consist principally of cash and cash equivalents,
marketable securities and accounts receivable. ISS maintains cash and cash
equivalents in short-term money market accounts with financial institutions and
in short-term, investment grade commercial paper. Marketable securities consist
of United States government agency securities and investment grade commercial
paper.

ISS's sales are global, primarily to companies located in the Americas,
Europe, and the Asia/Pacific regions. ISS performs periodic credit evaluations
of its customer's financial condition and does not require collateral. Accounts
receivable are due principally from large U.S. companies under stated contract
terms. ISS also has receivables from its European and Asia/Pacific operations,
which are principally from its partners in such regions. This includes various
markets such as China and Korea where difficulties associated with doing
business exposes the Company to associated credit risk. ISS provides for
estimated credit losses as such losses become probable. In January 2004, a new
distributor for China assumed the rights and the obligations

44

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

of a distribution agreement for ISS products from a previous distributor. In
connection with this agreement, we modified the old distributor's obligations,
which resulted in an additional $200,000 of bad debt expense recorded in the
fourth quarter and the write off of $1.1 million against the allowance account.
We have a firm repayment schedule with the new distributor and the Company
believes the remaining receivables balance of $2.4 million at January 31, 2004
is collectible.

FAIR VALUE OF FINANCIAL INSTRUMENTS

The carrying amounts reported in the balance sheets for cash and cash
equivalents, marketable securities, accounts receivable and accounts payable
approximate their fair values.

PROPERTY AND EQUIPMENT

Property and equipment are stated at cost less accumulated depreciation.
Depreciation is computed using the straight-line method for financial reporting
purposes on the basis of the following estimated useful lives: three years for
computer equipment, five to seven years for office furniture and equipment and
over the shorter of the estimated useful life or the term of the lease for
leasehold improvements.

INVENTORY

Inventory consists of finished goods purchased for resale and is recorded
at the lower of cost or market. Cost is determined using the first-in, first-out
(FIFO) method.

PREPAIDS AND OTHER CURRENT ASSETS

Prepaids and other current assets consist of invoices that have been paid
previous to the service being provided. These are then expensed over the period
of service indicated. Included in this balance at December 31, 2003 is a
$1,000,000 advance related to a license of source code completed in January
2004.

GOODWILL AND INTANGIBLES

Goodwill represents the excess acquisition cost over the fair value of net
assets acquired. On January 1, 2002, ISS adopted SFAS No. 142, Goodwill and
Other Intangible Assets ("SFAS 142"). Under this statement, goodwill is no
longer amortized but is subject to annual impairment tests (or more frequent
tests if impairment indicators arise). The Company performed impairment tests of
goodwill as required, evaluating recoverability based on a combination of
forecasted discounted cash flows and stock market valuation.

Goodwill was determined not to be impaired in 2003 based on such tests.
Prior to the adoption of SFAS 142, the Company amortized the Network ICE
goodwill over five years and other goodwill over periods ranging from 2 to 10
years.

45

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

Goodwill and intangible assets are comprised of the following, as of the
dates indicated:

The change in the carrying amount of goodwill from December 31, 2002 to
December 31, 2003 was the result of currency translation adjustments.

Adoption of the non-amortization provisions of SFAS 142 as of January 1,
2001 would have decreased the net loss for the year ended December 31, 2001 by
$26.5 million, resulting in earnings per diluted share of $0.24.

The Company amortizes intangible assets over their estimated useful lives
of eight years for core technology, five years for developed technology, three
to six years for work force and three years for customer relationships.
Amortization expense of intangible assets is as follows:

As part of the closing of the UK and Sydney research and development
facilities as described in Note 13, the Company wrote-off the unamortized
balances in the related work force intangibles totaling $738,000.

The estimated future amortization expense of intangible assets as of
December 31, 2003 is as follows:

Long-lived assets include property and equipment, other intangibles, and
other assets. In accordance with SFAS No. 144 "Accounting for the Impairment or
Disposal of Long-Lived Assets" ("SFAS 144"), the Company regularly evaluates
whether events and circumstances have occurred which indicate that the

46

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

carrying amount of long-lived assets may warrant revision or may not be
recoverable. When factors indicate that long-lived assets should be evaluated
for possible impairment, the Company uses an estimate of the future undiscounted
net cash flows of the related business over the remaining life of the asset in
measuring whether the carrying amount of the related asset is recoverable. To
the extent these projections indicate that future undiscounted net cash flows
are not sufficient to recover the carrying amounts of the related assets, the
underlying assets are written down by charges to the expense so the carrying
amount is equal to fair value, primarily determined based on future discounted
cash flows. In the opinion of management, the Company's long-lived assets are
appropriately valued at December 31, 2003 and 2002.

RESEARCH AND DEVELOPMENT COSTS

Research and development costs are charged to expense as incurred. ISS has
not capitalized any such development costs under Statement of Financial
Accounting Standards ("SFAS") No. 86, Accounting for the Costs of Computer
Software to Be Sold, Leased, or Otherwise Marketed, because the costs incurred
between the attainment of technological feasibility for the related software
product through the date when the product is available for general release to
customers has been insignificant.

ADVERTISING COSTS

ISS incurred advertising costs of $2,636,000 in 2001, $6,265,000 in 2002
and $3,477,000 in 2003, which are expensed as incurred and are included in sales
and marketing expense in the statements of operations.

STOCK-BASED COMPENSATION

Statement of Financial Accounting Standard 123, Accounting for Stock-Based
Compensation ("SFAS 123"), as amended by SFAS 148, Accounting for Stock-Based
Compensation -- Transition and Disclosure, establishes accounting and reporting
standards for stock-based employee compensation plans. As permitted by SFAS 123,
ISS continues to account for stock-based compensation in accordance with
Accounting Principles Board Opinion No. 25, Accounting for Stock Issued to
Employees ("APB 25"), and has elected the pro forma disclosure alternative of
SFAS 123.

47

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

Although SFAS 123 allows the Company to continue to follow APB 25
guidelines, the following is pro forma net loss and pro forma net loss per share
for the periods indicated as if the Company had adopted SFAS 123. The following
table illustrates the effect on net income per share if the provisions of SFAS
123 had been applied. The pro forma impact of applying SFAS 123 as illustrated
below will not necessarily be representative of the pro forma impact in future
years. Pro forma information is as follows:

Inputs used for the fair value method for our employee stock options are as
follows:

The Black-Scholes option valuation model was developed for use in
estimating the fair value of traded options that have no vesting restrictions
and are fully transferable. In addition, option valuation models require the
input of highly subjective assumptions including the expected stock price
volatility. When necessary, volatility is adjusted to reflect the expected
volatility over the expected life of the options. Because employee stock options
have characteristics different from those of traded options, and because the
changes in the subjective input assumptions can materially affect the fair value
estimate, management believes that the existing models do not necessarily
provide a reliable single measure of the fair value of its employee stock
options.

In 2003, 13,000 restricted shares were issued to the non-employee
directors. The fair value of the shares at the date of grant is recognized as
compensation expense ratably over the vesting period, which amounted to $124,000
of compensation expense in 2003.

ACCOUNTING FOR ISSUANCES OF STOCK BY A SUBSIDIARY

When one of the Company's subsidiaries issues shares of its stock at an
amount different than the Company's carrying value for the subsidiary's stock,
the Company records the difference as a gain or loss in the consolidated
statements of operations, in accordance with SEC Staff Accounting Bulletin No.
51, if the

48

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

transaction meets the following conditions: (1) the sale of such shares is not a
part of a broader corporate reorganization contemplated or planned by the
Company; (2) the Company does not intend to spin-off the related subsidiary to
stockholders; (3) reacquisition of shares is not contemplated at the time of
issuance; and (4) the subsidiary is not a newly-formed, non-operating entity, a
research and development start-up or development stage entity, or an entity
whose ability to continue in existence is in question. The Company accounts for
sales that do not meet these criteria as capital transactions.

ACCUMULATED OTHER COMPREHENSIVE INCOME

Accumulated other comprehensive income at December 31, 2003, 2002 and 2001
consists of the cumulative foreign currency translation adjustment.

INCOME (LOSS) PER SHARE

Basic net income (loss) per share was computed by dividing net income
(loss) by the weighted average number of shares outstanding of Common Stock.
Diluted net income per share was computed by dividing net income by the weighted
average shares outstanding including common equivalents (when dilutive) (see
Note 10).

RECENTLY ISSUED ACCOUNTING STANDARDS

In July 2002, the Financial Accounting Standards Board ("FASB") issued
Statement of Financial Accounting Standard No. 146, Accounting for Costs
Associated with Exit or Disposal Activities ("SFAS 146"). SFAS 146 addresses
financial accounting and reporting for costs associated with exit or disposal
activities and nullifies Emerging Issues Task Force ("EITF") Issue No. 94-3,
Liability Recognition for Certain Employee Termination Benefits and Other Costs
to Exit an Activity (including Certain Costs Incurred in a Restructuring). The
provisions of SFAS 146 are effective for exit or disposal activities that are
initiated after December 31, 2002, with early application encouraged. The
Company adopted SFAS 146 for exit activities initiated after December 31, 2002
(see Note 13).

In November 2002, the EITF of the FASB issued EITF 00-21, Revenue
Arrangements with Multiple Deliverables, which addresses certain aspects of the
accounting for arrangements that involve the delivery or performance of multiple
products, services and/or rights to use assets. Under EITF 00-21, revenue
arrangements with multiple deliverables should be divided into separate units of
accounting if the deliverables meet certain criteria, including whether the fair
value of the delivered items can be determined and whether there is evidence of
fair value of the undelivered items. In addition, the consideration should be
allocated among the separate units of accounting based on their fair values, and
the applicable revenue recognition criteria should be considered separately for
each of the separate units of accounting. The Company adopted the provisions of
EITF 00-21 for all revenue arrangements entered into after June 30, 2003. The
adoption of EITF No. 00-21 did not have an impact on the Company's financial
position, results of operations or liquidity.

In November 2002, the FASB issued Financial Interpretation No. 45,
Guarantor's Accounting and Disclosure Requirements for Guarantees, Including
Indirect Guarantees of Indebtedness of Others ("FIN 45"), which is an
interpretation of SFAS Nos. 5, 57, and 107 and rescission of FASB Interpretation
No. 34. FIN 45 requires that a guarantor recognize, at the inception of a
guarantee, a liability for the fair value of the obligation undertaken by
issuing the guarantee. FIN 45 also requires additional disclosures to be made by
a guarantor in its interim and annual financial statements about its obligations
under certain guarantees it has issued. The accounting requirements for the
initial recognition of guarantees are applicable on a

49

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

prospective basis for guarantees issued or modified after December 31, 2002. The
following is a summary of agreements that are determined to be within the scope
of FIN 45:

(1) Our sales agreements with customers generally contain infringement
indemnity provisions. Under these agreements, we agree to indemnify, defend
and hold harmless the customer in connection with patent, copyright or
trade secret infringement claims made by third parties with respect to the
customer's authorized use of our products and services. The indemnity
provisions generally provide for our control of defense and settlement and
cover costs and damages finally awarded against the customer, as well as
our modification of the product so it is no longer infringing or, if it
cannot be corrected, return of the product for a partial refund that
reflects the reasonable value of prior use. Our sales agreements with
customers sometimes also contain indemnity provisions for death, personal
injury or property damage caused by our personnel or contractors in the
course of performing services to customers. Under these agreements, we
agree to indemnify, defend and hold harmless the customer in connection
with death, personal injury and property damage claims made by third
parties with respect to actions of our personnel or contractors. The
indemnity provisions generally provide for our control of defense and
settlement and cover costs and damages finally awarded against the
customer. The indemnity obligations contained in sales agreements generally
have no specified expiration date and no specified monetary limitation on
the amount of award covered. We have not previously incurred costs to
settle claims or pay awards under these indemnification obligations. As a
result, we believe the estimated fair value of these obligations is
nominal. Accordingly, we have no liabilities recorded for these agreements
as of December 31, 2003.

(2) We warrant that our software products will perform in all material
respects in accordance with our standard published specifications in effect
at the time of delivery of the licensed products to the customer for ninety
days. We also warrant that for one year after shipment, all hardware will
be free from defects in materials and workmanship under normal authorized
use, consistent with the instructions contained in the product
documentation. Additionally, we warrant that our services will be performed
consistent with generally accepted industry standards or specific service
levels through completion of the agreed upon services. If necessary, we
would provide for the estimated cost of product and service warranties
based on specific warranty claims and claim history, however, we have not
incurred significant recurring expense under our product or service
warranties and hardware warranties are covered by the manufacturer
warranties. As a result, we believe the estimated fair value of these
agreements is nominal. Accordingly, we have no liabilities recorded for
these agreements as of December 31, 2003.

(3) Payments for certain operating leases for our office space are
secured by collateralized standby letters of credit totaling $10.3 million
at December 31, 2003. These standby letters of credit guarantee payments on
certain lease obligations and are renewed annually unless cancelled by
either party. The lease obligations have terms that expire at various dates
through 2013. The beneficiary of the standby letters of credit can draw on
the letters of credit if we default on the related lease obligation. Each
standby letter of credit is collateralized by securities. At December 31,
2003, $12.8 million of commercial paper investments are pledged as
collateral and are shown on the balance sheet as restricted cash and
marketable securities.

In December 2003, the FASB issued FIN 46 (revised 2003), Consolidation of
Variable Interest Entities, an Interpretation of Accounting Research Bulletin
No. 51, ("FIN 46"). FIN 46 requires the consolidation of variable interest
entities in which an enterprise absorbs a majority of the entity's expected
losses, receives a majority of the entity's expected residual returns, or both,
as a result of ownership, contractual or other financial interests in the
entity. The FASB has deferred the effective date for applying the provisions of
Interpretation No. 46 for interests in certain variable interest entities or
potential variable interest entities

50

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

1. SIGNIFICANT ACCOUNTING POLICIES -- (CONTINUED)

created before February 1, 2003 until the end of the first interim period ending
after March 15, 2004. We are still assessing the impact of Interpretation No. 46
on arrangements that we have with certain entities.

2. BUSINESS COMBINATIONS AND ASSET ACQUISITIONS

On October 30, 2002, ISS acquired 100% of the outstanding stock of vCIS,
Inc., a privately held corporation based in Santa Clara, California. vCIS was a
development-stage company focused on the development of software designed to
enhance the security of a computing environment by detecting and defeating
malicious code, including viruses, worms and trojans, in real-time using
behavior analysis technology. ISS issued approximately 966,000 shares of ISS
Common Stock for all of the outstanding vCIS stock and assumed all of the
outstanding vCIS stock options resulting in approximately 35,000 additional ISS
shares being reserved for outstanding grants under the vCIS stock option plan.
In addition, ISS made a series of cash investments in vCIS prior to the date of
merger totaling $1,945,000. The investments were in the form of a convertible
line of credit note that allowed ISS to convert the balance due to equity in
vCIS at a rate consistent with the lowest price offered to other investors in
any new equity financing offered by vCIS. The combined fair value of common
stock issued, options assumed, cash investments and acquisition costs,
consisting of approximately $800,000 of legal and accounting fees, was
approximately $19.6 million. The fair value of common stock issued was
determined based on the average closing price of ISS stock on August 23, 2002
and the two trading days before and after this date.

The merger was accounted for as a purchase and, accordingly, the operating
results of vCIS are included in the consolidated financial statements of ISS
from the date of acquisition. The aggregate purchase price was allocated based
on a valuation of the vCIS assets, intangibles and in-process research and
development. The vCIS acquisition did not meet the definition of a business
under EITF 98-3, Determining Whether a Nonmonetary Transaction Involves Receipt
of Productive Assets or of a Business. As required by paragraph 9 of SFAS 142,
the excess purchase price was allocated to the assets acquired in proportion to
their relative values. The final allocation was as follows:

Net liabilities of vCIS..................................... $ (100,000)
In-process research and development......................... 18,500,000
Assembled workforce......................................... 1,200,000
-----------
$19,600,000
===========

The tangible assets of vCIS acquired in the merger consisted primarily of
cash and fixed assets. The liabilities of vCIS assumed in the merger consisted
primarily of accounts payable and accrued expenses. In-process research and
development valued at approximately $18.5 million had not reached technological
feasibility based on identifiable risk factors, which indicated that even though
successful completion was expected, it was not assured as of the acquisition
date and was immediately charged to operations. Accordingly, under current
accounting standards, such amount was expensed.

In August 2002, Internet Security Systems KK ("ISS KK") acquired privately
held TriSecurity Holdings Pte Ltd. ("TriSecurity"), a primary ISS KK distributor
in Singapore. In exchange for all of the outstanding shares of TriSecurity, ISS
KK issued approximately 1,000 shares of ISS KK stock and paid approximately $1.2
million of cash. Goodwill of approximately $4.0 million related to the purchase
was recorded. The operating results of ISS include the operating results of
TriSecurity Holdings Pte Ltd. since the date of acquisition. During the first
quarter of 2003, ISS KK amended the agreement and agreed to make payment of 245
shares of ISS KK in each of the first quarters of 2004 and 2005, relating to
annual contingent consideration payments defined in the 2002 purchase agreement.
The additional consideration of $626,000, based on current fair market value of
the shares, was recorded as additional goodwill and additional paid-in-

51

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

2. BUSINESS COMBINATIONS AND ASSET ACQUISITIONS -- (CONTINUED)

capital at such time. When such shares are actually issued, a gain or loss will
be recognized to the extent of any difference between the $626,000 fair value of
the shares to be issued and the book value of those shares.

In June 2001, ISS acquired 100% of the outstanding stock of Network ICE
Corporation, a privately held corporation based in San Mateo, California
("Network ICE"). Network ICE is a leading developer of desktop intrusion
protection technology and highly scalable security management systems. ISS
issued approximately 4,311,000 shares of ISS common stock for all of the
outstanding Network ICE common stock and assumed all of the outstanding Network
ICE stock options resulting in approximately 289,000 additional ISS shares being
reserved for outstanding grants under the Network ICE Stock Plan. The combined
fair value of common stock issued, options assumed and acquisition costs was
approximately $237.6 million based on the average closing price of our common
stock on the merger agreement date of April 30, 2001 and the two days before and
after April 30, 2001. Acquisition costs of approximately $8.0 million consisted
primarily of financial advisory, legal and accounting fees. The Company adopted
a plan to restructure Network ICE whereby 46 Network ICE employees were
terminated over a six-month period following the acquisition. As a result, $1.8
million of severance costs were included in the acquisition costs for severance
related to these terminations. At December 31, 2001, all such terminations and
related severance payments had been completed.

The merger was accounted for as a purchase and, accordingly, the operating
results of Network ICE are included in the consolidated financial statements of
ISS from the date of acquisition. The adjusted aggregate purchase price was
allocated based on a valuation report of the Network ICE intangibles and
in-process research and development was as follows:

Net tangible liabilities of Network ICE..................... $ (4,020,000)
In-process research and development......................... 2,910,000
Customer relationships...................................... 2,490,000
Technology.................................................. 17,030,000
Deferred income taxes....................................... (7,418,000)
Deferred compensation....................................... 6,231,000
Goodwill.................................................... 220,398,000
------------
$237,621,000
============

The tangible assets of Network ICE acquired in the merger consisted
primarily of cash, accounts receivable and fixed assets. The liabilities of
Network ICE assumed in the merger consisted primarily of accounts payable and
accrued expenses and deferred revenue. In-process research and development of
approximately $2.9 million had not reached technological feasibility based on
identifiable technological risk factors, which indicated that even though
successful completion was expected, it was not assured as of the acquisition
date and was immediately charged to operations.

The following table summarizes unaudited pro forma results of operations as
if the acquisitions of vCIS and Network ICE were concluded as of the beginning
of the periods presented. The adjustments to the historical data reflect the
following: (i) amortization of goodwill in 2001 and intangibles, (ii) write off
of in-process research and development, and (iii) deferred stock compensation.
This pro forma information is not

52

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

2. BUSINESS COMBINATIONS AND ASSET ACQUISITIONS -- (CONTINUED)

necessarily indicative of what combined operations would have been if ISS had
control of such combined businesses for the periods presented.

3. MARKETABLE SECURITIES

The following is a summary of available-for-sale marketable securities as
of December 31:

As of December 31, 2002 and 2003, the cost of marketable securities
approximated fair value. The contractual maturities of all of these investments
were less than one year as of December 31, 2003. Cash and marketable securities
of $12,760,000 at December 31, 2003 and $14,690,000 at December 31, 2002 were
restricted as collateral for letters of credit issued in relation to operating
leases for facilities and classified as restricted marketable securities.

4. STOCK OPTION PLANS

ISS's Incentive Stock Plan (the "Plan") provides for the granting of
qualified or nonqualified options to purchase shares of ISS's Common Stock.
Under the Plan, at December 31, 2003 there were 16,435,875 shares reserved for
future issuance which increases automatically on the first trading day of each
year by an amount equal to 4% of the number of shares of Common Stock
outstanding on the last trading day of the preceding year. An additional 160,000
shares have been reserved for non-statutory options issued in 1997 to non-
employee directors.

In October 2002, as a result of the acquisition of vCIS, the Company
assumed all outstanding vCIS stock options. Each vCIS stock option assumed is
subject to the same terms and conditions as the original grant and generally
vest over three to four years and expires ten years from the date of grant. Each
option was adjusted at a ratio of 0.04770 shares of ISS common stock for each
one share of vCIS common stock. In June 2001, as a result of the acquisition of
Network ICE, the Company assumed all outstanding Network ICE stock options. Each
Network ICE stock option assumed is subject to the same terms and conditions as
the original grant and generally vests over four years and expires ten years
from the date of grant. Each option was adjusted at a ratio of 0.13529 shares of
ISS common stock for each one share of Network ICE common stock.

53

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

4. STOCK OPTION PLANS -- (CONTINUED)

A summary of ISS's stock option activity is as follows:

All vCIS and Network ICE options assumed by ISS were included in the
purchase price based on their fair value. The intrinsic value of the unvested
options has been allocated to deferred compensation and is being amortized over
the remaining vesting periods of the related options. The Company recorded
deferred compensation of approximately $6.2 million for the Network ICE options
in June 2001 and approximately $153,000 in October 2002 for the vCIS options.
Amortization of deferred compensation was $2.1 million in 2001, $1.1 million in
2002 and $361,000 in 2003.

The following table summarizes information about stock options outstanding
at December 31, 2003:

On October 29, 2003, ISS announced a voluntary option exchange program
intended to reduce the number of outstanding options. Stock options with
exercise prices exceeding $30 per share were eligible. ISS' directors and five
most senior executive officers, including the chief executive officer, are not
eligible to participate in the program. Approximately 783,000 option shares, of
the 1,343,000 eligible, with exercise prices between $30 and $83 per share have
elected into the program. New options will be issued at the rate of 2.5 old
option shares for one new option share. The exercise price per share for new
options will be priced at the Nasdaq National Market closing price six months
and a day after the cancellation of old options, which is currently expected to
be May 27, 2004.

5. ADOPTION OF SHAREHOLDER RIGHTS PLAN

On July 11, 2002, the Board of Directors adopted a shareholder rights plan
and authorized and declared a dividend of one preferred share purchase right (a
"Right") for each outstanding share of Common Stock, par value $.001 per share,
of the Company. The dividend was paid on July 29, 2002 to the stockholders of
record

54

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

5. ADOPTION OF SHAREHOLDER RIGHTS PLAN -- (CONTINUED)

on that date. Stock issued subsequent to July 29, 2002 will be issued with an
attached Right. Each Right will initially represent the right, under certain
circumstances, to purchase one one-thousandth of a share of Series A Junior
Participating Preferred Stock (the "Junior Preferred Stock") at a purchase price
of $80 per one one-thousandth of a share. If a person or group acquires
beneficial ownership of 20% or more of the then outstanding shares of the
Company's Common Stock (an "Acquiring Person"), the holder of a Right, upon
exercise of the Right, will thereafter have the right to receive, in lieu of
shares of Junior Preferred Stock, shares of the Company's Common Stock (or, in
certain circumstances, cash, property or other securities of the Company) having
a value equal to twice the purchase price of the Right.

The Rights expire on July 11, 2012. Generally, the Board of Directors may
redeem the Rights at a price of $.001 per Right (subject to adjustment) at any
time prior to the earlier of (i) the close of business on the tenth business day
following the date a person becomes an Acquiring Person or (ii) the expiration
date of the Rights. Prior to any person or group becoming an Acquiring Person,
the Company may amend the Rights Agreement at any time.

In addition, the Company has retention agreements with certain officers of
the Company which provide for severance payments upon a termination that is a
result of a change in control, as described in the agreements.

6. OTHER INCOME (EXPENSE) AND MINORITY INTEREST

Other expense for 2003 includes a $2.2 million write off of an investment
made by ISS KK in a China distributor. The Company completed an impairment
analysis on the China distributor's March 2003 annual financial results issued
and made available in the fourth quarter of 2003. Upon reviewing these results,
the Company determined the investment was impaired and concluded that a
write-off of the entire investment was appropriate.

Other income for 2002 includes a gain of $2.6 million related to the
issuance of subsidiary shares in connection with the acquisition of TriSecurity
Holdings Pte Ltd. The Company reported a gain on the difference between the fair
market value of the shares issued and the book value of those shares, in
accordance with SEC Staff Accounting Bulletin No. 51 and company policy. A gain
of $1.9 million was recorded in 2002 on the sale by the ISS KK of an investment
in an ISS distributor in Japan. The shares of the publicly traded company were
acquired when the distributor was privately held and were subsequently sold on
the open market.

In September 2001, ISS KK sold newly issued shares in an initial public
offering ("IPO") on the Japan over-the-counter market. These newly issued shares
represented approximately 10% of the previously outstanding shares of our
Asia/Pacific subsidiary. Other income in 2001 includes a gain on the subsidiary
IPO of $13.6 million. Other income also includes $1.6 million generated from the
March 2001 sale of approximately 2% of the outstanding shares of our
Asia/Pacific subsidiary to employees and key partners. These amounts represent
the difference between proceeds received and the underlying basis in the stock
less the minority interest in such gains, in accordance with SEC Staff
Accounting Bulletin No. 51.

Minority interest totaled $336,000 in 2001, $187,000 in 2002 and $157,000
in 2003. Minority interest in earnings of consolidated subsidiary represent the
minority shareholders' share of the after-tax net income or loss of the
consolidated subsidiary, ISS KK.

7. COMMITMENTS AND CONTINGENCIES

ISS has non-cancelable operating leases for facilities that expire at
various dates through 2013. The Company has shorter-term leases for office space
in other locations and various computer equipment leases.

55

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

7. COMMITMENTS AND LITIGATION -- (CONTINUED)

The Company also has obligations for payments under an agreement for software
used in our computer equipment. The future payments under this agreement amount
to $484,000 in 2004 and 2005. Future minimum payments under non-cancelable
operating leases with initial terms of one year or more consisted of the
following at December 31, 2003:

Rent expense was approximately $6,806,000, $12,008,000, and $14,469,000 for
the years ended December 31, 2001, 2002 and 2003, respectively.

The Company and certain of its officers and directors were named as
defendants in a consolidated amended complaint that was filed in the United
States District Court for the Northern District of Georgia on October 9, 2002.
The lawsuit purports to be brought on behalf of a class of investors who
purchased the Company's stock during the period from April 5, 2001 through
August 14, 2001 (the "Class Period"). The lawsuit alleges violations of the
federal securities laws, including Sections 10(b) and 20(a) of the Securities
Exchange Act of 1934, as amended, and Rule 10b-5 thereunder. The complaint
generally alleges that the Company and the individual defendants violated the
anti-fraud provisions of the federal securities laws and caused the Company's
stock to trade at artificially high prices by making misrepresentations relating
to the Company's financial condition and prospects during the Class Period. The
complaint seeks damages in an unspecified amount. On September 3, 2003, the
court dismissed the consolidated amended complaint. The plaintiffs have moved
the court to reconsider its dismissal order and to grant them leave to amend
their complaint. The Company and the individual defendants have opposed those
motions. The court has not yet ruled. The Company believes that the court's
order dismissing the action was appropriate and further that the Company has
meritorious defenses and intends to continue defending the action vigorously.

8. INCOME TAXES

For financial reporting purposes, the provision for income taxes includes
the following components:

56

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

8. INCOME TAXES -- (CONTINUED)

ISS' income tax provisions consist of the following:

Pre-tax income (loss) attributable to foreign and domestic operations is
summarized below:

A reconciliation of the provision for income taxes to the statutory federal
income tax rate is as follows:

57

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

8. INCOME TAXES -- (CONTINUED)

Deferred income taxes reflect the net income tax effects of temporary
differences between the carrying amounts of assets and liabilities for financial
reporting purposes and the amounts used for income tax purposes. Significant
components of the Company's net deferred income taxes are as follows:

The change in valuation allowance is primarily a result of changes in
deferred income tax assets and liabilities for which the related benefit or
provision was charged to stockholders' equity. Therefore, such change in the
valuation allowance is not included in the rate reconciliation above. The
Company has recognized a deferred income tax asset related to its Asia/Pacific
operations because management's evaluation of all of the available evidence
indicates that the asset is more likely than not to be realized. Net deferred
income tax assets are included in other assets in the Consolidated Balance
Sheets.

The Company has not recognized any benefit from the future use of the
deferred income tax assets related to its Americas operations because
management's evaluation of all the available evidence in assessing the
realizability of the tax benefits of such loss carryforwards indicates that the
underlying assumptions of future profitable operations contain risks that do not
provide sufficient assurance to recognize such tax benefits currently.

The net deferred income tax assets subject to valuation allowance include
approximately $18,681,000 and $11,163,000 at December 31, 2002 and 2003,
respectively, of assets that were created by or are subject to valuation
allowance as a result of stock option deductions. While income tax expense will
be recorded on any future pre-tax profits from United States operations, these
deferred tax assets would reduce the related income taxes payable. This
reduction in income taxes payable in future periods would be recorded as
additional paid-in capital. An additional $395,000 of net deferred income tax
assets subject to valuation allowance resulted from operating losses in Brazil.

The Company has approximately $21,816,000 of net operating loss
carryforwards for federal income tax purposes that expire in varying amounts
between 2011 and 2021. The net operating loss carryforwards may be subject to
certain limitations in the event of a change in ownership. The Company also has
approximately

58

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

8. INCOME TAXES -- (CONTINUED)

$7,662,000 of research and development tax credit carryforwards that expire
between 2011 and 2023 and foreign tax credit carryforwards of $2,814,000 that
expire between 2006 and 2008.

9. EMPLOYEE STOCK AND BENEFIT PLANS

ISS sponsors a 401(k) plan that covers substantially all employees over 18
years of age. Participating employees may contribute up to 15% of their pre-tax
salary, but not more than statutory limits. The Company matches 25% of
participant contributions up to 3% of their pre-tax salary. Matching
contributions of $290,000 in 2001, $288,000 in 2002 and $437,000 in 2003 were
charged to expense.

Effective July 1, 1999, the Company implemented an employee stock purchase
plan (the "Plan") for all eligible employees. Under the Plan, shares of the
Company's Common Stock may be purchased at six-month intervals at 85% of the
lower of the fair market value on the first or the last day of each six-month
period. Employees may purchase shares with aggregate fair value up to 10% of
their gross compensation during a six-month period. Employees purchased 75,000
shares at an average price of $30.40 per share in 2001, 126,000 shares at an
average price of $16.61 per share in 2002 and 150,000 shares at an average price
of $10.53 per share. At December 31, 2003, 210,000 shares of the Company's
Common Stock were reserved for future issuance.

10. INCOME (LOSS) PER SHARE

The following table sets forth the computation of basic and diluted net
income (loss) per share:

For the year ended December 31, 2001, 1,364,000 weighted-average options
were not included in the above calculations as their effect on loss per share
was anti-dilutive.

11. SEGMENT AND GEOGRAPHIC INFORMATION

ISS conducts business in one operating segment; providing information
security management solutions. The Company does, however, prepare operating
results for internal use on a geographic basis. These geographical based
operating costs consist of direct sales expenses, infrastructure to support its
employee and customer and partner base, supporting billing and financial systems
and a management team. Corporate expenses that are not charged directly to the
other segments include research and development, general and administrative
costs that support the global organization, amortization of intangibles, stock
based compensation and goodwill and costs that are one-time in nature, such as
acquired in-process research and development.

59

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

11. SEGMENT AND GEOGRAPHIC INFORMATION -- (CONTINUED)

The accounting policies of the segments are the same as those described in
the summary of significant accounting policies. There are no inter-segment
sales. Our chief executive officer and chief financial officer evaluate
performance based on operating profit or loss from operations, and trade
accounts receivable for each segment. Other than trade accounts receivable,
assets and liabilities are not discretely allocated or reviewed by segment.

In accordance with SFAS No. 131, "Disclosures about Segments of an
Enterprise and Related Information", the Company has included a summary of the
segment financial information reported internally. The geographic segments are
the Americas, EMEA, and the Asia/Pacific region.

60

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

12. QUARTERLY FINANCIAL RESULTS (UNAUDITED)

Summarized quarterly results for the two years ended December 31, 2002 and
2003 are as follows:

Because of the method used in calculating per share data, the quarterly per
share data will not necessarily total the per share data as computed for the
year.

13. EXIT OR DISPOSAL ACTIVITIES

In response to the competitive climate for protection systems that require
platform focus, the Company reorganized and consolidated its efforts for
security content, protection agent frameworks, management infrastructure and
multifunction appliance delivery to enhance operational and development
efficiency. In the fourth quarter of 2003, the Company committed to a plan of
cost reduction and exit activities aggregating $1.5 million through the closing
of its engineering operations in Reading, U.K. and Sydney, Australia. These
costs are included in research and development expenses in the statement of
operations. Additionally, the Company incurred approximately $326,000 of cost
associated with consolidating certain European managed service operational
responsibilities into U.S. operations. These exit costs are included in the EMEA
costs of subscriptions and services in the statement of operations.

The Reading office was closed effective November 30, 2003 and all costs
associated with the closing of this facility were charged to expense in 2003.
The Sydney office will remain open through the first half of 2004, with a small
number of key employees. The costs of severance associated with terminated
employees were expensed in 2003.

The following is a summary of the exit costs associated with engineering
operations and managed services:

61

INTERNET SECURITY SYSTEMS, INC.

NOTES TO CONSOLIDATED FINANCIAL STATEMENTS -- (CONTINUED)

13. EXIT OR DISPOSAL ACTIVITIES -- (CONTINUED)

One-time termination benefits consisted of severance and benefits for
involuntarily terminated employees. The contract termination costs include costs
for remaining lease payments on vacated facilities and costs associated with
vacating the facility. Other costs consisted primarily of write-off of abandoned
fixed assets and the write-off of leasehold improvements related to the vacated
facilities. The Company expects to utilize the balance of the exit cots by June
30, 2004.

14. SUBSEQUENT EVENTS

In January 2004, the Company announced the acquisition of Cobion, AG, a
privately held company based in Kassel, Germany. Cobion provides content
filtering and anti-spam technology that protects individuals and enterprises
against unwanted Web content, spam, misuse of information and lost productivity.
The Company acquired Cobion for approximately $33 million in cash, including the
direct costs of acquisition.

62

SCHEDULE II

VALUATION AND QUALIFYING ACCOUNTS

63

SIGNATURES

Pursuant to the requirements of the Section 13 or 15(d) of the Securities
Exchange Act of 1934, the Registrant has duly caused this Report to be signed on
its behalf by the undersigned, thereunto duly authorized.

INTERNET SECURITY SYSTEMS, INC.

By: /s/ RICHARD MACCHIA
------------------------------------
Richard Macchia
Senior Vice President and Chief
Financial Officer

Dated: March 15, 2004

POWER OF ATTORNEY

KNOW ALL PERSONS BY THESE PRESENTS, that each person whose signature
appears below hereby severally constitutes and appoints, Thomas E. Noonan,
Richard Macchia and Maureen Richards, and each or any of them, his true and
lawful attorney-in-fact and agent, each with the power of substitution and
resubstitution, for him in any and all capacities, to sign any and all
amendments to this Annual Report (Form 10-K) and to file the same, with exhibits
thereto and other documents in connection therewith, with the Securities and
Exchange Commission, hereby ratifying and confirming all that each said
attorney-in-fact and agent, or his substitute or substitutes, may lawfully do or
cause to be done by virtue hereof.

Pursuant to the requirements of the Securities Exchange Act of 1934, this
Report has been signed below by the following persons on behalf of the
Registrant and in the capacities and on the dates indicated.