An analysis of U.S. state level cybersecurity plans and policies
Date
2022
Publisher
University of Delaware
Abstract
While technological developments and interconnected information networks have improved many aspects of individuals’ lives and increased the effectiveness of public and private services, they also have created cybersecurity challenges. To address these challenges, governments at federal, state, and local levels have started to plan and make policies that improve their cybersecurity posture. This research explores U.S. state governments’ cybersecurity planning documents and cybersecurity-related policies. Through the use of document analysis methods, the research reveals the landscape of 50 states’ cybersecurity planning documents and sample states’ cybersecurity-related legislative policies. In addition, this study combines issue-area specific criteria gained from the state and local government cybersecurity scholarship with overall guidelines from the 2018 NIST Cybersecurity Framework. By doing so, this research contributes to a Best Practices Framework, which is the most complete set of assessment criteria for state cybersecurity planning and policymaking. The research offers a categorization of states based on how well their planning documents and policies incorporate the Best Practices Framework. Findings show that while all states engage in cybersecurity planning and policy making to some extent, there is significant variation across states’ level of incorporation of the Best Practices Framework.
For the sample states with high cyberattack figures, the research conducts a correspondence assessment between their planning documents and policies. The assessment finds that the majority of sample states present a high correspondence level between planning and legislative policy, and their policies incorporate the Best Practices Framework better than their plans. Overall, the research findings lead to the conclusion that cybersecurity policies often lead planning rather than the other way around.
Besides being one of the first academic endeavors to systematically research state-level cybersecurity governance, the research offers findings and conclusions that hold lessons for state cybersecurity planners and policy makers. The significance of the research stems from the exploration of an emerging and understudied issue area for state governments, the development of an original framework for the assessment of cybersecurity planning documents and policies, and the generation of options for improving cybersecurity posture for state governments.
Keywords
Best practices, Cybersecurity, NIST, Planning, Policy making, State governments