An Examination of Cybersecurity Assessment Frameworks from a U.S. County Perspective

Restricted (Penn State Only)
- Author:
- Morrow, Andrew
- Graduate Program:
- Public Administration
- Degree:
- Doctor of Philosophy
- Document Type:
- Dissertation
- Date of Defense:
- October 04, 2024
- Committee Members:
- Goktug Morcol, Professor in Charge/Director of Graduate Studies
- Roderick Lee, Outside Unit Member
- Glenn McGuigan, Major Field Member
- Dan Mallinson, Chair & Dissertation Advisor
- Parag Pendharkar, Outside Field Member
- Keywords:
- cybersecurity
- framework
- local government
- assessment
- Abstract:
- This study examines the specific cybersecurity challenges and objectives for county level government. This study is a qualitative examination utilizing document analysis to derive a holistic view of the range of cybersecurity responsibilities of county governments and an evaluation of how well existing cybersecurity frameworks match said responsibilities. It assesses the unique demands of cybersecurity at the intermediate level of government including those that result from the combination of relying on upper-level support and providing support to lower-level entities. Comparisons among public and private sector requirements as well as relevant cybersecurity-related certifications derived from public sector job listings are used to develop a comprehensive list of themes that shed light on the unique cybersecurity challenges at the county level. Lastly, the resultant themes are compared and mapped to existing cybersecurity assessment frameworks to evaluate the effectiveness of their ability to gauge the preparedness level for county governments. The study found that a new framework was needed to address the critical areas that are lacking from existing frameworks. A new framework is proposed that accounts for the identified gaps. Key findings indicate that there are several areas of cybersecurity protections that are currently not being measured or assessed using any of the current assessment frameworks. A new modular framework is proposed that accounts for the missing areas. The impact of not measuring the cyber protections for these missing areas is significant because of the likely result of successful cyber-attacks and data breaches due to unknown vulnerabilities in county government infrastructure and systems. The proposed framework would proactively identify and measure the probability of an attack via these blind spots and could aid in the improvement of the security stance for county governments.