Date of Award

Spring 2020

Document Type

Dissertation

Degree Name

Doctor of Public Administration (DPA)

Department

Public Policy and Administration

Committee Chairperson

Jeremy Phillips, Ph.D.

Committee Member

Michelle L. Wade, Ph.D

Committee Member

Kristen B. Crossney, Ph.D

Abstract

Cybersecurity risk is dynamic and rapidly evolving. Today, cyber incidents can significantly impair government operations, erode public confidence, undermine operations of critical infrastructures, and put citizen data and whole industries at risk. Managing these risks to cyber assets must be part of a state’s overall risk management portfolio. To do this successfully, state leaders must have effective cybersecurity governance. To achieve this, governors and state legislatures must ensure that their states have the essential governance mechanisms necessary for understanding and managing cybersecurity risk and for translating awareness about cyber threats into action. This dissertation gives an overview of three different governance models (centralized, decentralized, and hybrid), comparing effectiveness of each by state. Most literature suggests that a centralized cybersecurity governance approach, where one organization is designated and has authority to make all of the decisions about cybersecurity and IT security, is the most effective at the state level. However, this is not always feasible due to budget constraints, lack of trained personnel, and state culture. Comparing Nationwide Cybersecurity Review (NCSR) governance data and answers from cybersecurity governance interviews with individuals responsible for cybersecurity in their respective states, this study tests the hypothesis that states with centralized authority over cybersecurity governance will have higher NCSR scores (higher scores = more successful cybersecurity programs) than states that utilize a decentralized or hybrid model. While initial data supports the hypothesis, it also suggests that a hybrid cybersecurity governance model (encompassing a mixture of centralized and decentralized) could be the answer for states struggling to become centralized.

Share

COinS