Next Article in Journal
Identification of Optimal Data Augmentation Techniques for Multimodal Time-Series Sensory Data: A Framework
Next Article in Special Issue
Earlier Decision on Detection of Ransomware Identification: A Comprehensive Systematic Literature Review
Previous Article in Journal
Social-STGMLP: A Social Spatio-Temporal Graph Multi-Layer Perceptron for Pedestrian Trajectory Prediction
Previous Article in Special Issue
Insights into Cybercrime Detection and Response: A Review of Time Factor
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Information
Volume 15
Issue 6
10.3390/info15060342
information-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles thumb_up
...
Endorse textsms
...
Comment
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Understanding Local Government Cybersecurity Policy: A Concept Map and Framework

by
Sk Tahsin Hossain
1,
Tan Yigitcanlar
1,*,
Kien Nguyen
2 and
Yue Xu
3
1
City 4.0 Laboratory, School of Architecture and Built Environment, Queensland University of Technology, 2 George Street, Brisbane, QLD 4000, Australia
2
School of Electrical Engineering and Robotics, Queensland University of Technology, 2 George Street, Brisbane, QLD 4000, Australia
3
School of Computer Science, Queensland University of Technology, 2 George Street, Brisbane, QLD 4000, Australia
*
Author to whom correspondence should be addressed.
Information 2024, 15(6), 342; https://doi.org/10.3390/info15060342
Submission received: 8 May 2024 / Revised: 26 May 2024 / Accepted: 7 June 2024 / Published: 10 June 2024
(This article belongs to the Special Issue Cybersecurity, Cybercrimes, and Smart Emerging Technologies)
Browse Figures
Versions Notes

Abstract

:
Cybersecurity is a crucial concern for local governments as they serve as the primary interface between public and government services, managing sensitive data and critical infrastructure. While technical safeguards are integral to cybersecurity, the role of a well-structured policy is equally important as it provides structured guidance to translate technical requirements into actionable protocols. This study reviews local governments’ cybersecurity policies to provide a comprehensive assessment of how these policies align with the National Institute of Standards and Technology’s Cybersecurity Framework 2.0, which is a widely adopted and commonly used cybersecurity assessment framework. This review offers local governments a mirror to reflect on their cybersecurity stance, identifying potential vulnerabilities and areas needing urgent attention. This study further extends the development of a cybersecurity policy framework, which local governments can use as a strategic tool. It provides valuable information on crucial cybersecurity elements that local governments must incorporate into their policies to protect confidential data and critical infrastructure.

1. Introduction and Background

The smart city movement, which significantly enhances urban digital capabilities, also increases our cities’ vulnerability to cybersecurity threats [1,2,3,4,5]. In the age of smart cities and digital transformation, local governments (LGs) face increasing cybersecurity threats due to storing and managing a vast amount of sensitive information, including residents’ data and critical infrastructure details [6,7,8]. The frequency and severity of cyber-attacks on LGs have increased in recent years [9]. A nationwide survey in the USA by Norris, et al. [10] revealed that 27.7% of their LGs are victims of hourly or more frequent cyber-attacks, while 19.4% are targeted at least once daily.
Another study by Norris and Mateczun [11] encompassing 3 counties and 11 cities in the USA showed that LGs of these regions experienced cyber-attacks on a ‘constant’ or ‘near-constant’ basis. Specifically, 57.1% of the surveyed LGs reported constant targeting, while 28.6% reported hourly targeting. Moreover, many LGs across the world are embracing smart city initiatives and increasing their use of Internet of Things (IoT) devices, which further escalates their threat landscape to cyber-attacks [12,13]. Insufficient cybersecurity measures in LGs can lead to significant consequences, including the exposure of sensitive information, potential reputational damage, high costs for fixing security breaches, and impaired capacity to effectively address routine and emergency service needs [14,15].
The cybersecurity of LGs primarily emphasizes technical safeguards such as firewalls, encryptions, and anti-malware tools [16]. While technical defenses are critical for shielding digital infrastructure from cyber-attacks, having policies is equally important [17]. Cybersecurity policies offer a set of guidelines for employees and contractors and enhance the effectiveness of technical measures [18,19]. However, many LGs across the world do not have cybersecurity policies, which is a significant concern due to the increasing rate and ever-evolving nature of cyber-attacks [8,19,20].
An earlier contribution in this field by Caruson, MacManus and McPhee [18] found that only 48% of the LGs had formal cybersecurity policies or standards in Florida’s 67 counties. During a focus group discussion in 2018, IT professionals from the LGs of Maryland identified the lack of policy and its implementation as one of the principal challenges, along with insufficient funding and staffing for effective cybersecurity measures [21]. In another study, Norris, Mateczun, Joshi and Finin [10] found that 60% of the LGs in the USA lack cybersecurity policies. The Office of the Auditor General in Western Australia conducted a study on the cybersecurity issues of fifteen LGs in that region and found only three with updated cybersecurity policies, nine with outdated or inadequate policies, and the rest without policies [22].
There is a noticeable lack of academic research on cybersecurity policies. Several studies have identified the lack of cybersecurity policies in LGs as a significant problem in protecting their digital assets and critical infrastructure [18,21,23,24]. However, Hatcher, Meares and Heslen [19] authored the only article that explicitly investigated both cybersecurity policies and practices.
Hatcher, Meares and Heslen [19] approached 2436 LGs in the USA through an online survey but only received responses from 7% of them. The survey aimed to examine the presence of cybersecurity policies in LGs, the use of Internet-based technologies, the level of support received for cybersecurity planning, the specific types of cybersecurity policies implemented, and the resources needed for planning. Surprisingly, they found more than two-thirds of LGs with formal cybersecurity policies, but they identified multiple flaws in their practices. These included the failure to document and take lessons from previous cyber-attacks, a lack of sufficient training, the absence of reviewing and updating training procedures, the absence of engaging experts in reviewing cybersecurity policies and practices, inadequate protection mechanisms for data, and the absence of appropriate protocols for accessing sensitive information.
Based on the gaps in practices, Hatcher, Meares and Heslen [19] primarily emphasized putting more efforts into securing data, reviewing policies and practice strategies implemented by external auditors and professionals, and allocating an adequate budget to effectively implement cybersecurity policies. They also cited respondents regarding the components of municipal cybersecurity policies, highlighting the necessity for additional research and the creation of a structured policy framework to assist LGs in crafting effective cybersecurity practices. However, a review and evaluation of LGs’ cybersecurity policies are critical prior to the formulation of a guiding policy framework as it will help to understand gaps in existing policy statements and content. This is still a grey area in the academic field.
With this backdrop in mind, we designed this study with the aim of developing a cybersecurity policy framework using insights from an evaluation of LGs’ existing cybersecurity policy documents in different countries. For the empirical analysis, we used 38 cybersecurity policy documents of LGs in five different countries and evaluated them against the 6 functions and 22 underlying categories of the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework (CSF) 2.0.
The NIST CSF is a cybersecurity assessment framework designed to assess the cybersecurity posture of organizations against predefined criteria, providing a systematic methodology for identifying strengths, weaknesses, and areas for improvement in controls, practices, and processes. A cybersecurity policy framework, on the other hand, can offer structured guidelines for LGs on what to include in cybersecurity policies. Cybersecurity policies do not typically include technical measures, but they outline the principles of cybersecurity governance and offer a structured approach to security measures for preventing and responding to cyber-attacks. We designed this study while considering the importance of cybersecurity policies for any organization, including LGs, and while considering the absence of a cybersecurity policy framework. To achieve the aim of this study, we address the following research questions:
  • How effectively do the cybersecurity policy documents of LGs align with the functions and categories of the NIST CSF 2.0?
  • What are the key components that should be included in a cybersecurity policy document by LGs to ensure its effectiveness and comprehensiveness?
We conducted a qualitative and quantitative content analysis of the policy documents and stock-take insights to develop the policy framework, intending to inform cybersecurity policymakers, LG officials, and researchers in the field about the content and gaps in the existing policy documents, as well as the essential components required for consideration in cybersecurity policy for an effective security measure. Section 2 of this paper, following this introductory section, outlines the NIST CSF 2.0. Section 3 presents the methodology. Section 4 includes the results of the analysis, and it is followed by the discussion and conclusion of this study in Section 5 and Section 6, respectively.

2. The National Institute of Standards and Technology’s Cybersecurity Framework 2.0

In February 2024, the NIST of the Department of Commerce in the USA released CSF 2.0, an updated version of CSF 1.1 from April 2018 [25]. The framework is a widely recognized assessment tool for all types of organizations’ cybersecurity to strengthen their digital defenses [26,27]. The CSF consists of three components: organizational profiles, tiers, and CSF core [28]. The organizational profiles describe an organization’s current or desired cybersecurity posture in relation to the outcomes of the CSF core [29]. The CSF tiers are used to categorize the level of an organization’s cybersecurity risk governance and management practices in the organizational profiles [25,28].
The CSF core is a structured taxonomy of cybersecurity objectives that help organizations manage risks effectively [28]. It consists of a hierarchy of functions, categories, and subcategories, each specifying a target outcome. Central to the NIST CSF are the six functions—Govern, Identify, Protect, Detect, Respond, and Recover. These functions are universally applicable, allowing any organization, regardless of their type and size, to tailor strategies to meet their unique risk profiles, technological environments, and goals [30]. The functions are further classified into 22 categories, representing collective cybersecurity outcomes [28]. These categories consist of 108 subcategories, providing detailed descriptions of technical and managerial activities supporting each category. In this study, we evaluated the policy documents of LGs against 22 categories of six core functions. Table 1 presents all the categories that were used as the evaluation criteria in this study.

3. Methodology

3.1. Policy Documents

To address the first research question, our initial plan was to assess the policy documents of the top 100 smart cities under the assumption that they would possess structured cybersecurity policies. To determine the top 100 smart cities, we utilized the IMD (Institute for Management Development) Smart City Index 2023, a thorough ranking system created by the IMD World Competitiveness Center’s Smart City Observatory in partnership with the Singapore University of Technology and Design (SUTD). The index assessed cities by considering how effectively technology enhanced the lives of their citizens. We found less than ten cybersecurity policy documents available online for those cities. This unavailability of policy documents in the online portal and their website should not be misunderstood as a lack of cybersecurity policies without empirical evidence; rather, it suggests that such policies may exist but are not readily available in the public domain.
In response to this challenge, we shifted to a more targeted approach by conducting an advanced keyword search in the Google search engine to explore the cybersecurity policy documents of LGs in Australia, Canada, England, India, and the USA. To locate policy documents, we employed an advanced search query in the following format: “site: (government domain) “keyword” filetype: (type of file)”. We substituted the term “government domain” with the appropriate domain for each country, such as “.in” for India and “.au” for Australia, to limit our search exclusively to websites belonging to government entities. Otherwise, we encountered a substantial volume of search results that were predominantly unrelated to our research. In “keyword”, we used “cybersecurity policy” and “cyber security policy”.
Lastly, we specified filetype as “pdf” to search for policy documents in the Portable Document Format (PDF), which is a commonly used format used to upload policies online. For example, to find policy documents in Australian LGs, we employed two search syntaxes: (a) site:gov.au “cybersecurity policy” filetype:pdf; and (b) site:gov.au “cyber security policy” filetype:pdf. The first search yielded 279 results, while the second search yielded 4420 results. We applied similar strategies to other countries, except for the USA.
For the USA, we utilized the government domain “.gov” in the same manner as in other countries, following the previously described search syntax. We also took into account the domain “.us” and repeated the search process, as some local governments in the USA also use that domain. In fact, it is important to note that local governments in the USA do not follow a consistent pattern for their domain names. For example, Volusia County uses the “.org” domain (volusia.org), and some other LGs may use different domains. This lack of uniformity in the gTLD (generic top-level domain) and naming system means that our search using only “.gov” and “.us” may not yield all LGs’ cybersecurity policies in the USA. This inconsistency in LG domain names could similarly apply to other countries included in this study, where some LGs may employ alternative domains instead of their official government domain. However, except for the “.us” domain, we restricted our search to government domains only for each of the countries in our study to avoid the risk of encountering non-official or misleading sources. Furthermore, this approach ensured a consistent search mechanism for LGs’ cybersecurity policies in each country.
Figure 1 displays the search count and number of policy documents identified by each search query. We conducted the search during the first week of December 2023. We discovered a total of 38 cybersecurity policy documents, distributed as follows: 12 in Australia, 2 in Canada, 7 in England, 6 in India, and 11 in the USA. Table 2 presents notable attributes of the LGs that possess the cybersecurity policy documents identified in this study.

3.2. Research Strategy

This study used the content analysis method to evaluate cybersecurity policy documents. We defined the functions of NIST CSF as codes (first column in Table 1) and categories as sub-codes (second column in Table 1) and used NVivo 14.23.2 (46) software to classify and conduct the analysis. The evaluation process encompasses the identification of recurring themes, patterns, and gaps. We employed this systematic approach to gain insights from the existing policy documents, which later helped us develop the cybersecurity policy framework.

4. Results and Analysis

4.1. Quantitative Content Analysis

We assessed LGs’ cybersecurity policy documents using the quantitative content analysis tools in NVivo Software. Initially, we generated word clouds to visually emphasize the most frequently cited words within the policy documents, with the largest size representing those that were mentioned most frequently. Figure 2 displays the frequency of words in cybersecurity policy documents, while Figure 3 shows the frequency of words in the coded data specifically. We examined the number of cited policy documents for each code and sub-code, as well as the frequency of sub-codes within the policy documents. Of the 6 codes, 37 policy documents addressed Govern, while 16 policy documents addressed Recover. Table 3 shows that the sub-codes under the Protect function were cited most frequently (n = 222), followed by the sub-codes under Govern (n = 220), while the sub-codes under Recover were cited the least (n = 22).
Figure 4 displays a hierarchical chart generated in NVivo software showing all codes and sub-codes from the aggregated cybersecurity policy document data. Each rectangular section corresponds to a specific code frequency. The chart shows that the most prevalent codes in the analysis of policy documents were Protect and Govern, while the least prevalent codes were Recover and Detect. The hierarchy chart shows the prominence of sub-codes, with identity management, authentication, and access control under the Protect code and roles, responsibilities, and authorities under the Govern code being the most prominent. On the other hand, incident recovery communication under the Recover code and incident analysis under the Respond code are the least prominent sub-codes.

4.2. Qualitative Content Analysis

Following the quantitative analysis, this study conducted a qualitative content analysis to identify recurring themes and patterns in the policy documents for each of the categories of NIST CSF functions. We developed a concept map (Figure 5) to effectively communicate these themes and the emphasis of each category in the policies, which ultimately indicate the areas of strength or weakness in current cybersecurity practices at the LG level. The following sections present details of the qualitative content analysis.

4.2.1. ‘Govern’, Focusing on Organizational Risk and Responsibility

The Govern function includes six categories as presented in Table 3. Among the 38 policy documents that we reviewed, 37 addressed Govern. However, none of them encompassed all six categories under this function. Most of the policies (n = 27) included statements on organizational context and the roles of personnel, emphasizing LGs’ goals, vision, cybersecurity targets, standards, and responsibilities of officials, departments, and dedicated committees. For example, the cybersecurity policy of Royal Borough Windsor and Maidenhead (RBWM) highlighted the importance of executing desired actions as suggested in the policies:
“The aim... to ensure that the correct processes and procedures, roles and responsibilities are in place and followed for any council cyber threat or incident while we continue our normal business operations”.
[31]
Articulating risk management strategies involves establishing and communicating the organization’s priorities, constraints, and assumptions to support operational risk decisions [32]. Only 22 policy documents covered this category, addressing statements mostly related to cyber risks, risk management guidelines, and cyber governance. A similar number of policy documents (n = 21) addressed statements on the communication and enforcement of policies, emphasizing the need for procedures and guidelines, standards, and national and state-level policy alignment. This study also revealed that supply chain risk management and oversight have been rarely cited (n = 4 and n = 0, respectively) in the policies. In four documents that included statements for supply chain risk management, they mostly focused on the roles and responsibilities of third parties and service providers who support LGs in operating software and maintaining hardware.

4.2.2. ‘Identify’, Focusing on Asset and Risk Management

Our study found a total of 29 cybersecurity policy documents that addressed at least one of the three underlying categories. Among them, 25 policy documents adequately covered asset management, addressing the endpoint or hardware security, software security, security of personal and organizational service accounts, and network protection. For instance, Beaverton’s policy focused on keeping inventory of hardware and software as follows:
“...must take an inventory of all approved hardware and software on City networks and systems; one inventory for hardware and one for software”.
[33]
The impact analysis of cyber-attacks, vulnerability assessment, risk registration, and use of assessment frameworks have been highlighted to address the risk assessment category in the policies [34]. This category has been covered by only 14 policies. Improvement is another category under the Identify function, and it has only been addressed in a few policies (n = 9). Regular audits, continuous assessments, feedback loops, performance metrics, and process refinements have been emphasized in the policies to address this category.

4.2.3. ‘Protect’, Focusing on Access Control, and Raising Awareness

We found 32 policies addressing one or more among the five categories of this function. Identity verification, password policy, and access monitoring have been heavily emphasized in the policy documents (n = 29) to address identity management and access control. Some policy documents have also included statements on the access revocation of employees as soon as they leave LGs, such as in Portland’s policy:
“System administrator passwords will be terminated immediately if the employee who has access to such passwords is terminated, fired, investigated, or otherwise leaves employment”.
[35]
The policy documents (n = 24) have frequently addressed the awareness and training category, with emphasis on training employees, running awareness campaigns, and promoting cyber-hygiene. The technology infrastructure resilience category has been mentioned in a few policies (n = 5), emphasizing continuous operation and following standards. Data security and platform security are two crucial categories of the Protect function, particularly critical for LGs. Data and platform security are very important aspects of organizational cybersecurity. However, we found only 18 policy documents that addressed data security and 15 that cited platform security. Endpoint security, patch management, network segmentation, and application security are covered under the platform security category, whereas data classification, encryption, data loss prevention, and storing and backing up data have been highlighted under the data security category in the policy documents.

4.2.4. ‘Detect’, Focusing on Continuous Monitoring

A total of 19 cybersecurity policy documents encompassed statements on this function. All of them included statements about ongoing surveillance to identify anomalies and breaches. However, only seven of them addressed adverse event analysis, which is the other category of this function, focusing statements on scanning for irregularities, analyzing cyber-attack consequences, and monitoring activities. To address continuous monitoring, the policies mentioned anomaly detection, real-time monitoring, keeping log records, intrusion detection, and network traffic monitoring. For instance, the policy document of the City of Madras addressed:
“All organization servers and workstations will utilize Microsoft Windows Defender with Windows Advanced Threat Protection (ATP) to protect systems from malware and viruses. Real-time scanning will be enabled on all systems and weekly malware scans will be performed”.
[36]

4.2.5. ‘Respond’, Focusing on Incident Management

We found 30 cybersecurity policy documents covering this function in varying degrees of adherence to the four categories under this function. Of those documents, 27 addressed incident management, with an emphasis on incident scanning, logs, rapid response, and notification systems. The policy document of Norwich stated:
“... develop and implement appropriate activities to take action regarding a detected cybersecurity event, Response processes and procedures are executed and maintained, to ensure adequate response and recovery actions”.
[37]
Other categories under Respond have been cited in a significantly low number of policies, with the incident analysis (n = 2) focusing on impact analysis, root cause analysis, and attack vector analysis; the incident response, reporting, and communication (n = 9) emphasizing real-time notification, incident reporting, incident communication, and briefings; and the incident mitigation (n = 2) focusing on regular drills and coordination between departments.

4.2.6. ‘Recover’, Focusing on Incident Recovery Plan Execution

We only identified 16 policy documents addressing this function. All of them included statements on incident recovery plan execution, which included statements for service restoration, disaster recovery, and system backup. Woodburn and Lebanon included statements on incident recovery communication, which is the other category under Recover. The statements emphasized stakeholders’ communication, international communication, and internal coordination. For instance, Woodburn’s cybersecurity policy stated:
“External communications should only be handled by designated individuals at the direction of the City Administrator. Recovery activities are communicated to internal stakeholders, executives, and management teams”.
[38]

5. Findings and Discussion

5.1. Insights from Cybersecurity Policies of LGs

Our study revealed concerning gaps as none of the policies addressed each category of the NIST CSF. In fact, 24 of the 38 policies covered less than half of the total categories. Figure 6 shows the coverage of functions and categories by policy documents.
In Australia, only three LGs (Sutherland, NSW, and Rous) addressed more than 10 categories (n = 11, n = 12, and n = 12, respectively). State governments such as Tasmania and Western Australia (WA), presumably with more resources than local councils, addressed only three and seven categories, respectively. None of Australia’s cybersecurity policies addressed supply chain risk management, except for WA. This gap is particularly concerning given the rapid increase in digital device usage and LGs’ adoption of smart city initiatives [39,40,41]. In the process of digital advancement, LGs tend to rely more on an intricate web of suppliers [42,43]. Inadequate measures for the proper management of these suppliers make them vulnerable to increased cybersecurity threats [44,45].
An important, perhaps most critical asset of LGs, which often makes them an attractive and frequent target for cyber-attacks, is the storage of a wide range of sensitive data, including individual-centric data, public safety and governance data, infrastructure and utility data, and community and environment data [23,46,47]. LGs typically prioritize securing these data and platforms, which include software and hardware for storage and communication [18,48]. Most of the policies in Australia did not mention clear statements for these two categories. Even NSW’s policy, which is among the top two that covered the greatest number of categories, failed to comprehensively mention statements on data and platform security.
Risk assessment involves understanding the risks to LGs’ assets and employees [49], an important category that has been overlooked in most of the policies in Australia, except for Sutherland and New South Wales, revealing a potential gap in risk assessment practices in LGs. This absence can hinder effective cybersecurity threat mitigation and response [50,51]. One of the strengths identified in most of the cybersecurity policies in Australia, which is often missing in the policies of other countries, is the presence of improvement in most of the policies. This category involves identifying enhancements to organizational cybersecurity risk management processes, procedures, and activities to keep up with evolving threats [19,52].
Vancouver and Greenview in Canada addressed 11 and 12 categories, respectively, in their policies. These two policies effectively mentioned employer responsibilities, asset management, risk assessment, access control, data and platform security, and continuous monitoring for cyber-attacks. However, both policies failed to address incident mitigation, recovery plan execution, and communication, which are crucial for restoring assets and operations affected by cybersecurity incidents [13,53]. None of the LG policies in Canada mentioned technology infrastructure resilience, indicating a significant gap in maintaining continuous operations or defending against the increasing sophistication of cyberthreats [54].
In England, except for the policy documents of London, other LGs addressed less than 10 categories each. The cybersecurity policies of Enfield and Crediton are among the least comprehensive ones, covering only four categories each, ignoring important statements on training and awareness, data and platform security, and monitoring activities to detect and respond. Even though London’s cybersecurity policy is one of the most comprehensive policies that we reviewed, it still failed to include crucial details on incident analysis, reporting, and mitigation, along with most of the other LGs in England. The incident analysis entails activities such as investigation to facilitate efficient response and recovery efforts [55,56], whereas the incident mitigation involves activities to prevent the expansion of a cyber-attack [46,57]. The policy documents of London, Northwest Leicestershire, the RBWM, and Aylesford in England emphasized training and awareness, understanding the need to equip personnel with the necessary knowledge and skills. This is particularly significant as human factors are often considered a vital weak point in cyber defenses [58,59].
Among Indian LGs, Odisha successfully addressed 15 categories. However, like other policies in India, Odisha’s cybersecurity policy inadequately addressed the Detect function. This function refers to the process of identifying and analyzing potential cybersecurity threats, which serves as a foundation for the efficient implementation of incident response and recovery activities [6,25]. None of the policy documents of Indian LGs mentioned incident recovery communication, which involves informing internal and external stakeholders, such as communities, about the incident to update them about the restoration process and maintain organizational integrity and public trust. Another important function that has not been addressed in most of the cybersecurity policies in India is the Protect function. Critical topics such as asset management, including data, software, hardware, services, people, facilities and systems, risk assessment, and improvement, have been largely absent in most of the cybersecurity policies of LGs in India.
In the USA, 6 of the 11 policy documents addressed less than 10 categories of the NIST CSF. Some cities such as Albuquerque, San Francisco, and Portland addressed only one, three, and five categories, respectively, which is particularly concerning. Articulating risk management strategies in the policies is crucial as it involves establishing and communicating the organization’s priorities, constraints, risk tolerance, and assumptions to support operational risk decisions [32]. But the policy documents of Albuquerque, San Francisco, Portland, Scappoose, Madras, Beaverton, and Woodburn failed to mention this. Statements on supply chain risk management are also absent in all policies in the USA, except for New York. The USA’s policy documents showed strength in addressing the Protect function, which refers to security measures created to prevent or minimize cybersecurity threats by securing assets [60,61]. As indicated in Figure 6, most of the LGs in the USA addressed access control, awareness and training procedures, data security, and platform security adequately.

5.2. Key Contributing Factors to Existing Gaps in the Cybersecurity Policies

This study revealed a significant gap in encompassing NIST CSF functions and categories in the policies as discussed above. We identified and argued for several potential factors behind these gaps in the policies. A key contributing factor could be that LGs may follow country-specific cybersecurity guidelines or frameworks, such as the Essential Eight in Australia [62,63]. To verify this, we calculated the number of NIST CSF categories addressed by each policy document, as shown in Figure 7.
We found that there was no significant difference in NIST CSF function and category coverage between cybersecurity policy documents in the USA and in other countries. In fact, policy documents in Australia, Canada, England, India, and the USA addressed about four to five functions on average. On the other hand, the policy documents of Australia, England, India, and the USA covered about seven to nine categories on average. Canada’s policy documents addressed more categories (n = 11) on average than other countries. However, this number of category coverage is significantly lower than the total number of categories (n = 22) in the NIST CSF. Despite differences in terminologies or categorical emphasis between national frameworks, the fundamental objective and thematic elements of cybersecurity are consistent across most frameworks. So, while some LGs may align with their national framework or strategy, we still found a similar coverage of NIST CSF functions and categories among LGs from different countries.
The use of NIST CSF 2.0 as the evaluation benchmark, which was recently released in February 2024, could also contribute to the disparities in cybersecurity policy documents, as all policy documents used in the study were published prior to 2024. So, we further examined the functions and categories of previous NIST CSF versions. The current version introduces a sixth function—Govern, recognizing its importance and influence across all other functions. This new function is an extension of the governance category under the Identify function in the previous versions.
The Govern function comprises two categories from previous versions and four new categories. Despite these changes, 18 categories out of 22 in the latest NIST CSF remained consistent with the previous versions. Surprisingly, our study found that three of the four recently added categories (organizational context; roles, responsibilities, and authorities; and policy) have been addressed at a relatively higher rate (n = 27, n = 27, and n = 21, respectively) than many other categories. Overall, the update in versions mostly involved reclassification and combining certain categories together to enhance their applicability and simplicity. Therefore, this consistency between versions allowed us to conduct a valid and relevant evaluation of the cybersecurity policy documents against the functions and categories of NIST CSF 2.0 and present an overview of the gaps in existing policy documents.
Several studies identified limited financial resources and expertise and a lack of proper knowledge of the LGs’ officials about the significance of cybersecurity as major challenges for effective cybersecurity measures [11,60,64]. LGs, particularly smaller LGs, face these challenges more often [19]. Furthermore, many LGs underestimate their digital infrastructure with a lower risk profile, overlooking the fact that all LGs, regardless of their size, are attractive targets because they store critical citizen and governance data [65,66]. Our findings also indicate the same, as we found that the policy documents of the top 10 smaller LGs in terms of population addressed a lower number (n = 8) of categories on average than the top 10 larger LGs (n = 10), even though they covered a similar number of functions on average (n = 4), as presented in Figure 8.
Nevertheless, the average number of categories covered by either smaller or larger LGs is not even close to the total number of 22 categories. These statistics indicate that regardless of the size of LGs, cybersecurity policy documents still lack critical details, and we acknowledge the absence of a well-defined and acceptable cybersecurity policy framework as a vital cause. Several researchers have also emphasized the importance of cybersecurity policy and a structured policy framework [19,63,67,68,69,70], as the inconsistencies in the policy documents not only hinder best practices but also significantly expose LGs to cyber-attacks. Therefore, this study advocates for and develops a cybersecurity policy framework to guide LGs through the complex process of establishing effective cybersecurity strategies without missing any critical details.

5.3. Cybersecurity Policy Framework for LGs

Our proposed cybersecurity policy framework encompasses seven key components and 38 sub-items, as illustrated in Figure 9. Document introduction is the first key component that includes introductory information, such as the organization name, approvers’ details, approval date, and upcoming review date. The second key component—organizational context, comprises sub-items that present organizational background, including organizational overview, purposes, scope, definition or explanation of the vital terms, policy alignment with state, national, or regional policy or agreement, and periodic or emergency policy amendment procedures. Cybersecurity administrative structure; the roles and responsibilities of departments, employees, and contractors; regulatory compliances; disciplinary actions in case of policy violation; and public communication in case of a breach are all included under cybersecurity governance, which is the third key component of our policy framework.
Asset identification is the fourth key component of our framework, which is dedicated to identifying and categorizing LGs’ assets, including the types of data, inventories of software, applications, and digital devices. The fourth key component also includes a sub-item called periodic inventory review process, highlighting the importance of having a structured inventory review process considering the constantly evolving nature of technology and cyberthreats. The fifth key component, assessment and management, emphasizes identifying potential risks and implementing appropriate measures to mitigate them. The component includes sub-items such as risk assessment and prioritization, authentication and access control mechanisms, and clear guidelines on the core cybersecurity concepts, including data security, Internet security, web security, network security, application security, and endpoint security.
The COVID-19 pandemic has significantly impacted work culture, promoted by lockdowns and social distancing measures, leading to the widespread adoption of remote work [71,72]. The rise of remote work has significantly expanded cybersecurity threats, introducing new vulnerabilities and complexities for organizations as employees often work under unsecure network and devices [73]. Remote workstations often lack the required security measures that are typically enforced within organizational networks. Several studies have also indicated a rise in the frequency and types of cyber-attacks [72,74,75].
Given the increase in remote workers since the COVID-19 pandemic, we have also included a sub-item under this component that highlights the security protocols and practices necessary to secure their access to LGs’ networks. LGs have significantly increased their use of IoT devices in recent years, as they have with the adoption of smart city initiatives. This prompted us to add a sub-item—smart city security—to our framework, which is only applicable for LGs that act as the administrators of smart cities. Audits and compliance check is the last sub-item under the fifth key component, emphasizing the importance of assessing vulnerabilities regularly and keeping practices updated.
Detection and response is the sixth key component of our policy framework, which includes sub-items for continuous and real-time monitoring to detect cyber-attacks. A structured incident response plan, with procedures to report and alert within departments, detailing a clear step-by-step process for swift and coordinated actions during a cyber incident, is crucial for immediate action against cyber-attacks. Sequential instructions on disaster recovery and restoration after a cyber-attack should also be included in the LGs’ cybersecurity policy to minimize operational disruptions; hence, we included this as a sub-item in our policy framework.
The fifth and sixth key components of our framework are of utmost importance as they encompass vital security protocols that are necessary for both current and future cybersecurity challenges. With the fast pace of technological progress, growing complexity of cyber threats, and the adoption of smart city initiatives, it is crucial for LGs to regularly update their evaluation and control procedures for essential infrastructure [58,76]. This includes integrating emerging technologies such as Open-Source Intelligence (OSINT) and Internet of Things Security Exploits (IoTSE) into their detection systems [77,78]. These tools will allow local governments to actively detect and fix possible weaknesses in their system. Daskevics and Nikiforova [78] highlighted the importance of conducting comprehensive assessments of vulnerabilities in open databases.
This is especially important and in line with LGs as they are expanding the use of digital devices and interconnected systems, which involve the gathering and handling of substantial amounts of data, particularly in smart city settings. de Sousa Rodrigues [77] investigated the application of OSINT in automating the identification and monitoring of assets, a consideration that could be highly beneficial for LGs. Ramadhan, et al. [79] emphasized the significance of employing information-gathering tools for the purpose of identifying subdomains. This practice assists LGs in identifying hidden vulnerabilities in their web infrastructure. To effectively protect critical assets, sensitive information, and ensure the continuity of essential public services, it is essential to regularly conduct large-scale vulnerability scanning and update existing security measures [80,81]. Therefore, these activities should be included in various key components, particularly in sub-items under the fifth and sixth key components.
Training and awareness is the last and final key component of our policy framework, recognizing the importance of training and awareness for employees, contractors, and anyone who interacts with LGs. Particularly for employees, establishing a culture of cyber-hygiene in their day-to-day activities can significantly benefit LGs by reducing potential weak links for breaches [82]. Overall, the policy framework covers a wide range of considerations—ranging from governance and asset management to response planning and community awareness—and provides a blueprint for LGs to develop cybersecurity policies and advancements towards a structured approach for robust cybersecurity measures.

6. Conclusions

This study revealed concerning gaps in the existing cybersecurity policies of LGs, irrespective of their size and location. We investigated and discussed various potential contributing factors to these gaps, and we acknowledged the absence of a unifying and guiding framework as a principal cause. Therefore, we developed a cybersecurity policy framework for LGs, offering a structured approach to cover all essential aspects and guiding them to formulate effective policy documents.
Our proposed policy framework shares certain overlaps and similarities of topics with the NIST CSF. However, while the NIST CSF acts as an assessment tool of the cybersecurity posture of any organization, our policy framework serves as a guiding tool for LGs to formulate effective cybersecurity policies without missing critical details. Most of the sub-items under the seven key components of our cybersecurity policy framework are broadly applicable in various organizational contexts, including both public and private. But its true uniqueness and value lie in its tailored approach for addressing specific aspects of LG operations. Among them is the emphasis on smart city security and data security. The unique aspect of our framework lies in its focus on smart city security and data security.
The sub-item smart city security is included in the framework to specifically focus on tackling cybersecurity challenges associated with the interconnected infrastructure in smart cities and the management of IoT devices. These are crucial for LGs too, as many cities around the world are embracing the smart city concept to enhance efficiency and quality of service delivery. Unlike many organizations, LGs store and manage a diverse range of sensitive data, including residents’ personal information, urban infrastructural data, governance data, spatial data, and so on. Given the sensitivity and breadth of these data, the scenario necessitates a nuanced approach to data security, one that goes beyond standard practices to address the specificities of public sector information management. However, our proposed framework has the potential to be adapted to various organizations, including public and private. Future research could also explore the contextualization to ensure its relevance and effectiveness across different organizational settings.
The findings of this study are exclusively focused on the cybersecurity policies of the LGs, and it is important to underscore that the gaps we found in the policies should not be misconstrued as deficiencies in their actual cyber-defense posture. Assessing LGs’ cyber-defense readiness, encompassing the evaluation of policy execution, real-time threat mitigation, and effectiveness of incident response, is a potential future research area. The evaluation of cybersecurity policies adopted by the federal or central government agencies is another potential future research area. Multiple researchers have indicated that LGs are more vulnerable compared with other government agencies due to various factors, including budget constraints and limited resources, as discussed previously in our paper.
Nonetheless, similar studies on other government agencies can generate a comparative scenario of cybersecurity between different levels of government agencies and organizations. In addition, the evaluation of current cybersecurity practices in government agencies can also be an important research area to identify potential gaps in existing policies and practices among various government agencies and organizations. The gaps identified in the cybersecurity policy documents of LGs in our study raise serious concerns about the preparedness and strategic planning in cyber defenses. Having policies in place can provide a structured framework for actions—facilitating coordination across departments in LGs and establishing a baseline for accountability and transparency in practices—along with continuous improvement. Without such documentation, LGs may struggle to align their cybersecurity efforts with best practices and regulatory requirements.

Author Contributions

S.T.H.: Data collection, processing, investigation, analysis, and writing—review and editing; T.Y., K.N. and Y.X.: supervision, conceptualization, writing—review and editing. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Australian Research Council Discovery Grant Scheme under grant number DP220101255.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data will be made available upon request from the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. D’Amico, G.; L’Abbate, P.; Liao, W.; Yigitcanlar, T.; Ioppolo, G. Understanding sensor cities: Insights from technology giant company driven smart urbanism practices. Sensors 2020, 20, 4391. [Google Scholar] [CrossRef]
  2. Repette, P.; Sabatini-Marques, J.; Yigitcanlar, T.; Sell, D.; Costa, E. The evolution of city-as-a-platform: Smart urban development governance with collective knowledge-based platform urbanism. Land 2021, 10, 33. [Google Scholar] [CrossRef]
  3. Altoub, M.; AlQurashi, F.; Yigitcanlar, T.; Corchado, J.; Mehmood, R. An ontological knowledge base of poisoning attacks on deep neural networks. Appl. Sci. 2022, 12, 11053. [Google Scholar] [CrossRef]
  4. Micozzi, N.; Yigitcanlar, T. Understanding smart city policy: Insights from the strategy documents of 52 local governments. Sustainability 2022, 14, 10164. [Google Scholar] [CrossRef]
  5. Son, T.H.; Weedon, Z.; Yigitcanlar, T.; Sanchez, T.; Corchado, J.M.; Mehmood, R. Algorithmic urban planning for smart and sustainable development: Systematic review of the literature. Sustain. Cities Soc. 2023, 94, 104562. [Google Scholar] [CrossRef]
  6. Ahmadi-Assalemi, G.; Al-Khateeb, H.; Epiphaniou, G.; Maple, C. Cyber resilience and incident response in smart cities: A systematic literature review. Smart Cities 2020, 3, 894–927. [Google Scholar] [CrossRef]
  7. Toh, C.K. Security for smart cities. IET Smart Cities 2020, 2, 95–104. [Google Scholar] [CrossRef]
  8. Frandell, A.; Feeney, M. Cybersecurity threats in local government: A sociotechnical perspective. Am. Rev. Public Adm. 2022, 52, 558–572. [Google Scholar] [CrossRef]
  9. Chaudhuri, A.; Bozkus Kahyaoglu, S. Cybersecurity assurance in smart cities: A risk management perspective. EDPACS 2023, 67, 1–22. [Google Scholar] [CrossRef]
  10. Norris, D.F.; Mateczun, L.; Joshi, A.; Finin, T. Cyberattacks at the grass roots: American local governments and the need for high levels of cybersecurity. Public Adm. Rev. 2019, 79, 895–904. [Google Scholar] [CrossRef]
  11. Norris, D.F.; Mateczun, L.K. Cyberattacks on local governments 2020: Findings from a key informant survey. J. Cyber Policy 2022, 7, 294–317. [Google Scholar] [CrossRef]
  12. Garcia-Retuerta, D.; Chamoso, P.; Hernández, G.; Guzmán, A.; Yigitcanlar, T.; Corchado, J. An efficient management platform for developing smart cities: Solution for real-time and future crowd detection. Electronics 2021, 10, 765. [Google Scholar] [CrossRef]
  13. Ma, C. Smart city and cyber-security; technologies used, leading challenges and future recommendations. Energy Rep. 2021, 7, 7999–8012. [Google Scholar] [CrossRef]
  14. Tariq, N.; Khan, F.A.; Asim, M. Security challenges and requirements for smart internet of things applications: A comprehensive analysis. Procedia Comput. Sci. 2021, 191, 425–430. [Google Scholar] [CrossRef]
  15. Sharma, K.; Mukhopadhyay, A. Sarima-based cyber-risk assessment and mitigation model for a smart city’s traffic management systems (SCRAM). J. Organ. Comput. Electron. Commer. 2022, 32, 1–20. [Google Scholar] [CrossRef]
  16. Sarker, I.H.; Furhad, M.H.; Nowrozy, R. AI-driven cybersecurity: An overview, security intelligence modeling and research directions. SN Comput. Sci. 2021, 2, 173. [Google Scholar] [CrossRef]
  17. Savaş, S.; Karataş, S. Cyber governance studies in ensuring cybersecurity: An overview of cybersecurity governance. Int. Cybersecur. Law Rev. 2022, 3, 7–34. [Google Scholar] [CrossRef] [PubMed]
  18. Caruson, K.; MacManus, S.A.; McPhee, B.D. Cybersecurity policy-making at the local government level: An analysis of threats, preparedness, and bureaucratic roadblocks to success. J. Homel. Secur. Emerg. Manag. 2012, 9, 1–22. [Google Scholar] [CrossRef]
  19. Hatcher, W.; Meares, W.L.; Heslen, J. The cybersecurity of municipalities in the United States: An exploratory survey of policies and practices. J. Cyber Policy 2020, 5, 302–325. [Google Scholar] [CrossRef]
  20. Preis, B.; Susskind, L. Municipal cybersecurity: More work needs to be done. Urban Aff. Rev. 2022, 58, 614–629. [Google Scholar] [CrossRef]
  21. Norris, D.F.; Mateczun, L.; Joshi, A.; Finin, T. Cybersecurity at the grassroots: American local governments and the challenges of internet security. J. Homel. Secur. Emerg. Manag. 2018, 15, 20170048. [Google Scholar] [CrossRef]
  22. Morrissey, A.; Aslam, K.; Goodwin, B.; Vikas, R.; Langford-Smith, J. Cyber Security in Local Government. 2021. Available online: https://audit.wa.gov.au/reports-and-publications/reports/cyber-security-in-local-government/ (accessed on 2 December 2023).
  23. MacManus, S.A.; Caruson, K.; McPhee, B.D. Cybersecurity at the local government level: Balancing demands for transparency and privacy rights. J. Urban Aff. 2013, 35, 451–470. [Google Scholar] [CrossRef]
  24. Chaudhary, S.; Gkioulos, V.; Katsikas, S. A quest for research and knowledge gaps in cybersecurity awareness for small and medium-sized enterprises. Comput. Sci. Rev. 2023, 50, 100592. [Google Scholar] [CrossRef]
  25. NIST. NIST Cybersecurity Framework 2.0: Resource Overview Guide; National Institute of Standards and Technology, US Department of Commerce: Gaithersburg, MD, USA, 2024. [Google Scholar]
  26. Wolff, J.; Lehr, W. When cyber threats loom, what can state and local governments do? Georget. J. Int. Aff. 2018, 19, 67–75. [Google Scholar] [CrossRef]
  27. Taherdoost, H. Understanding cybersecurity frameworks and information security standards—A review and comprehensive overview. Electronics 2022, 11, 2181. [Google Scholar] [CrossRef]
  28. NIST. NIST Cybersecurity Framework (CSF) 2.0; National Institute of Standards and Technology, US Department of Commerce: Gaithersburg, MD, USA, 2024. [Google Scholar]
  29. NIST. The NIST Cybersecurity Framework 2.0—Initial Public Draft; National Institute of Standards and Technology, US Department of Commerce: Gaithersburg, MD, USA, 2023. [Google Scholar]
  30. Toussaint, M.; Krima, S.; Panetto, H. Industry 4.0 data security: A cybersecurity frameworks review. J. Ind. Inf. Integr. 2024, 39, 100604. [Google Scholar] [CrossRef]
  31. RBWM. Cyber security policy. Royal Borough Windsor Maidenhead, South East England, UK. 2020. Available online: https://www.rbwm.gov.uk/sites/default/files/2020-10/info_sec_cyber_security_policy.pdf (accessed on 4 December 2023).
  32. Öğüt, H.; Raghunathan, S.; Menon, N. Cyber security risk management: Public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk Anal. 2011, 31, 497–512. [Google Scholar] [CrossRef] [PubMed]
  33. Beaverton. Cybersecurity Policy. City of Beaverton, Oregon, USA. 2021. Available online: https://content.civicplus.com/api/assets/fda4939f-c8e3-4228-85b8-87d31ae22c6d (accessed on 3 December 2023).
  34. Zhou, B.; Sun, B.; Zang, T.; Cai, Y.; Wu, J.; Luo, H. Security risk assessment approach for distribution network cyber physical systems considering cyber attack vulnerabilities. Entropy 2022, 25, 47. [Google Scholar] [CrossRef] [PubMed]
  35. Portland. A Resolution Authorizing the City of Portland to Enact a Critical Infrastructure Cyber Security Policy. City of Portland, Tennessee, USA. 2023. Available online: https://www.cityofportlandtn.gov/AgendaCenter/ViewFile/Item/865?fileID=2178 (accessed on 3 December 2023).
  36. Madras. Cybersecurity Policy. City of Madras, Oregon, USA. 2020. Available online: https://www.ci.madras.or.us/sites/default/files/fileattachments/city_council/page/98/g-council_policies-approved_4-27-2021.pdf (accessed on 2 December 2023).
  37. Norwich. Cybersecurity Policy. Town of Norwich, New York, USA. 2020. Available online: http://norwich.vt.us/wp-content/uploads/2020/03/SB-packet-03-25-20.pdf (accessed on 3 December 2023).
  38. Woodburn. Cybersecurity Policy and Procedures. Woodburn, Oregon, USA. 2021. Available online: https://www.woodburn-or.gov/sites/default/files/fileattachments/human_resources/page/13801/cybersecurity_policy.pdf (accessed on 2 December 2023).
  39. Verhulsdonck, G.; Weible, J.L.; Helser, S.; Hajduk, N. Smart cities, playable cities, and cybersecurity: A systematic review. Int. J. Hum.–Comput. Interact. 2023, 39, 378–390. [Google Scholar] [CrossRef]
  40. Yigitcanlar, T.; Li, R.Y.M.; Beeramoole, P.B.; Paz, A. Artificial intelligence in local government services: Public perceptions from Australia and Hong Kong. Gov. Inf. Q. 2023, 40, 101833. [Google Scholar] [CrossRef]
  41. Yigitcanlar, T.; Agdas, D.; Degirmenci, K. Artificial intelligence in local governments: Perceptions of city managers on prospects, constraints and choices. AI Soc. 2023, 38, 1135–1150. [Google Scholar] [CrossRef]
  42. Popescul, D.; Radu, L.D. Data security in smart cities: Challenges and solutions. Inform. Econ. 2016, 20, 29–38. [Google Scholar] [CrossRef]
  43. David, A.; Yigitcanlar, T.; Li, R.Y.M.; Corchado, J.M.; Cheong, P.H.; Mossberger, K.; Mehmood, R. Understanding local government digital technology adoption strategies: A PRISMA review. Sustainability 2023, 15, 9645. [Google Scholar] [CrossRef]
  44. Boyson, S. Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems. Technovation 2014, 34, 342–353. [Google Scholar] [CrossRef]
  45. Vitunskaite, M.; He, Y.; Brandstetter, T.; Janicke, H. Smart cities and cyber security: Are we there yet? A comparative study on the role of standards, third party risk management and security ownership. Comput. Secur. 2019, 83, 313–331. [Google Scholar] [CrossRef]
  46. Ali, O.; Shrestha, A.; Chatfield, A.; Murray, P. Assessing information security risks in the cloud: A case study of Australian local government authorities. Gov. Inf. Q. 2020, 37, 101419. [Google Scholar] [CrossRef]
  47. Sadik, S.; Ahmed, M.; Sikos, L.F.; Najmul Islam, A.K.M. Toward a sustainable cybersecurity ecosystem. Computers 2020, 9, 74. [Google Scholar] [CrossRef]
  48. Ullah, F.; Qayyum, S.; Thaheem, M.J.; Al-Turjman, F.; Sepasgozar, S.M.E. Risk management in sustainable smart cities governance: A TOE framework. Technol. Forecast. Soc. Chang. 2021, 167, 120743. [Google Scholar] [CrossRef]
  49. Kalinin, M.; Krundyshev, V.; Zegzhda, P. Cybersecurity risk assessment in smart city infrastructures. Machines 2021, 9, 78. [Google Scholar] [CrossRef]
  50. Fielder, A.; König, S.; Panaousis, E.; Schauer, S.; Rass, S. Risk assessment uncertainties in cybersecurity investments. Games 2018, 9, 34. [Google Scholar] [CrossRef]
  51. Goel, R.; Kumar, A.; Haddow, J. PRISM: A strategic decision framework for cybersecurity risk assessment. Inf. Comput. Secur. 2020, 28, 591–625. [Google Scholar] [CrossRef]
  52. Srinivas, J.; Das, A.K.; Kumar, N. Government regulations in cyber security: Framework, standards and recommendations. Future Gener. Comput. Syst. 2019, 92, 178–188. [Google Scholar] [CrossRef]
  53. Hamdani, S.W.A.; Abbas, H.; Janjua, A.R.; Shahid, W.B.; Amjad, M.F.; Malik, J.; Murtaza, M.H.; Atiquzzaman, M.; Khan, A.W. Cybersecurity standards in the context of operating system: Practical aspects, analysis, and comparisons. ACM Comput. Surv. 2021, 54, 57. [Google Scholar] [CrossRef]
  54. AlDaajeh, S.; Saleous, H.; Alrabaee, S.; Barka, E.; Breitinger, F.; Raymond Choo, K.-K. The role of national cybersecurity strategies on the improvement of cybersecurity education. Comput. Secur. 2022, 119, 102754. [Google Scholar] [CrossRef]
  55. Sun, N.; Zhang, J.; Rimba, P.; Gao, S.; Zhang, L.Y.; Xiang, Y. Data-diven cybersecurity incident prediction: A survey. IEEE Commun. Surv. Tutor. 2019, 21, 1744–1772. [Google Scholar] [CrossRef]
  56. Patterson, C.M.; Nurse, J.R.C.; Franqueira, V.N.L. Learning from cyber security incidents: A systematic review and future research agenda. Comput. Secur. 2023, 132, 103309. [Google Scholar] [CrossRef]
  57. Habibzadeh, H.; Nussbaum, B.H.; Anjomshoa, F.; Kantarci, B.; Soyata, T. A survey on cybersecurity, data privacy, and policy issues in cyber-physical system deployments in smart cities. Sustain. Cities Soc. 2019, 50, 101660. [Google Scholar] [CrossRef]
  58. Javed, A.R.; Shahzad, F.; Rehman, S.U.; Zikria, Y.B.; Razzak, I.; Jalil, Z.; Xu, G. Future smart cities: Requirements, emerging technologies, applications, challenges, and future aspects. Cities 2022, 129, 103794. [Google Scholar] [CrossRef]
  59. Nuñez, M.; Palmer, X.L.; Potter, L.; Aliac, C.J.; Velasco, L.C. ICT security tools and techniques among higher education institutions: A critical review. Int. J. Emerg. Technol. Learn. 2023, 18, 4–22. [Google Scholar] [CrossRef]
  60. Ibrahim, A.; Valli, C.; McAteer, I.; Chaudhry, J. A security review of local government using NIST CSF: A case study. J. Supercomput. 2018, 74, 5171–5186. [Google Scholar] [CrossRef]
  61. Möller, D.P.F. NIST cybersecurity framework and MITRE cybersecurity criteria. In Guide to Cybersecurity in Digital Transformation: Trends, Methods, Technologies, Applications and Best Practices; Möller, D.P.F., Ed.; Springer Nature: Cham, Switzerland, 2023; pp. 231–271. [Google Scholar] [CrossRef]
  62. Syafrizal, M.; Selamat, S.; Zakaria, N. Analysis of sybersecurity standard and framework components. Int. J. Commun. Netw. Inf. Secur. 2020, 12, 417–432. [Google Scholar] [CrossRef]
  63. Grobler, M.; Gaire, R.; Nepal, S. User, usage and usability: Redefining human centric cyber security. Front. Big Data 2021, 4, 583723. [Google Scholar] [CrossRef] [PubMed]
  64. Norris, D.F.; Mateczun, L.; Joshi, A.; Finin, T. Managing cybersecurity at the grassroots: Evidence from the first nationwide survey of local government cybersecurity. J. Urban Aff. 2021, 43, 1173–1195. [Google Scholar] [CrossRef]
  65. Bauer, J.M.; van Eeten, M.J.G. Cybersecurity: Stakeholder incentives, externalities, and policy options. Telecommun. Policy 2009, 33, 706–719. [Google Scholar] [CrossRef]
  66. Li, L.; He, W.; Xu, L.; Ash, I.; Anwar, M.; Yuan, X. Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. Int. J. Inf. Manag. 2019, 45, 13–24. [Google Scholar] [CrossRef]
  67. Harknett, R.J.; Stever, J.A. The new policy world of cybersecurity. Public Adm. Rev. 2011, 71, 455–460. [Google Scholar] [CrossRef]
  68. Wu, Y.C.; Sun, R.; Wu, Y.J. Smart city development in Taiwan: From the perspective of the information security policy. Sustainability 2020, 12, 2916. [Google Scholar] [CrossRef]
  69. Ariffin, K.A.Z.; Ahmad, F.H. Indicators for maturity and readiness for digital forensic investigation in era of industrial revolution 4.0. Comput. Secur. 2021, 105, 102237. [Google Scholar] [CrossRef]
  70. Mishra, A.; Alzoubi, Y.I.; Anwar, M.J.; Gill, A.Q. Attributes impacting cybersecurity policy development: An evidence from seven nations. Comput. Secur. 2022, 120, 102820. [Google Scholar] [CrossRef]
  71. Baz, M.; Alhakami, H.; Agrawal, A.; Baz, A.; Khan, R.A. Impact of COVID-19 pandemic: A cybersecurity perspective. Intell. Autom. Soft Comput. 2021, 27. [Google Scholar] [CrossRef]
  72. Lallie, H.S.; Shepherd, L.A.; Nurse, J.R.C.; Erola, A.; Epiphaniou, G.; Maple, C.; Bellekens, X. Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Comput. Secur. 2021, 105, 102248. [Google Scholar] [CrossRef] [PubMed]
  73. Alawida, M.; Omolara, A.E.; Abiodun, O.I.; Al-Rajab, M. A deeper look into cybersecurity issues in the wake of Covid-19: A survey. J. King Saud Univ. Comput. Inf. Sci. 2022, 34, 8176–8206. [Google Scholar] [CrossRef] [PubMed]
  74. Williams, C.M.; Chaturvedi, R.; Chakravarthy, K. Cybersecurity risks in a pandemic. J. Med. Internet Res. 2020, 22, e23692. [Google Scholar] [CrossRef] [PubMed]
  75. Tasheva, I. Cybersecurity post-COVID-19: Lessons learned and policy recommendations. Eur. View 2021, 20, 140–149. [Google Scholar] [CrossRef]
  76. Arulkumar, V.; Latha, C.P.; Dasig, D. Concept of implementing big data in smart city: Applications, services, data security in accordance with internet of things and AI. Int. J. Recent Technol. Eng. 2019, 8, 6819–6825. [Google Scholar] [CrossRef]
  77. De Sousa, R.; Carvalho, P.D. An Osint Approach to Automated Asset Discovery and Monitoring. Master’s Thesis, University of Porto, Porto, Portugal, 2019. [Google Scholar]
  78. Daskevics, A.; Nikiforova, A. IoTSE-based open database vulnerability inspection in three Baltic countries: ShoBEVODSDT sees you. In Proceedings of the 2021 8th International Conference on Internet of Things: Systems, Management and Security (IOTSMS), Gandia, Spain, 6–9 December 2021. [Google Scholar]
  79. Ramadhan, R.A.; Aresta, R.M.; Hariyadi, D. Sudomy: Information gathering tools for subdomain enumeration and analysis. IOP Conf. Ser. Mater. Sci. Eng. 2020, 771, 12019. [Google Scholar] [CrossRef]
  80. Genge, B.; Călin, E. Shovat: Shodan-based vulnerability assessment tool for internet-facing services. Secur. Comm. Netw. 2016, 9, 2696–2714. [Google Scholar] [CrossRef]
  81. Dahle, T. Large scale Vulnerability Scanning: Development of a Large-Scale Web Scanner for Detecting Vulnerabilities. Master's Thesis, University of Oslo, Oslo, Norway, 2020. [Google Scholar]
  82. Yigitcanlar, T.; Senadheera, S.; Marasinghe, R.; Bibri, S.; Sanchez, T.; Cugurullo, F.; Sieber, R. Artificial intelligence and the local government: A five-decade scientometric analysis on the evolution, state-of-the-art, and emerging trends. Cities 2024, 152, 105151. [Google Scholar] [CrossRef]
Information 15 00342 g001
Figure 1. Summary of search results for LG cybersecurity policy documents.
Figure 1. Summary of search results for LG cybersecurity policy documents.
Information 15 00342 g001
Information 15 00342 g002
Figure 2. Word cloud of the policy documents.
Figure 2. Word cloud of the policy documents.
Information 15 00342 g002
Information 15 00342 g003
Figure 3. Word cloud of the coding.
Figure 3. Word cloud of the coding.
Information 15 00342 g003
Information 15 00342 g004
Figure 4. Hierarchy of codes and sub-codes.
Figure 4. Hierarchy of codes and sub-codes.
Information 15 00342 g004
Information 15 00342 g005
Figure 5. The cybersecurity policy concept map of local governments.
Figure 5. The cybersecurity policy concept map of local governments.
Information 15 00342 g005
Information 15 00342 g006
Figure 6. NIST CSF function and category coverage by policy documents.
Figure 6. NIST CSF function and category coverage by policy documents.
Information 15 00342 g006
Information 15 00342 g007
Figure 7. Number of functions and categories addressed by each policy document and country-wise average of functions and categories.
Figure 7. Number of functions and categories addressed by each policy document and country-wise average of functions and categories.
Information 15 00342 g007
Information 15 00342 g008
Figure 8. Average coverage of functions and categories in cybersecurity policy documents by the top 10 smaller and larger LGs.
Figure 8. Average coverage of functions and categories in cybersecurity policy documents by the top 10 smaller and larger LGs.
Information 15 00342 g008
Information 15 00342 g009
Figure 9. Proposed cybersecurity policy framework.
Figure 9. Proposed cybersecurity policy framework.
Information 15 00342 g009
Table 1. Functions and categories of NIST CSF [25,28].
Table 1. Functions and categories of NIST CSF [25,28].
FunctionCategoryDescription
GovernOrganizational ContextOrganization’s mission, goal, stakeholder expectations, legal requirements.
Risk Management StrategyPriorities, constraints, risk appetite and tolerance statements, and assumptions of the organization are established, disseminated, and utilized to support operational risk decisions.
Roles, Responsibilities, and AuthoritiesEstablishment and communication of cybersecurity roles, responsibilities, and authorities to promote accountability.
PolicyCybersecurity policy is established, communicated, and enforced.
OversightThe outcomes and performance of risk management activities are utilized to inform, enhance, and modify the risk management strategy.
Cybersecurity Supply Chain Risk ManagementSupply chain risk management processes are identified, established, managed, monitored, and improved.
IdentifyAsset ManagementManagement of assets, including personnel, facilities, services, data, hardware, software, and systems.
Risk AssessmentUnderstanding the risk to the organization, its assets, and involved individuals.
ImprovementNecessary improvement to organizational cybersecurity risk management processes, procedures, and activities.
ProtectIdentity Management, Authentication, and Access ControlRestricting access to assets to only authorized users, services, and hardware.
Awareness and TrainingTraining staff about cybersecurity-related activities and raising awareness.
Data SecurityManagement of data to be consistent with the organization’s risk strategy.
Platform SecurityManagement of hardware, software, systems, applications, and services of physical and virtual platforms to be consistent with the organization’s risk strategy.
Technology Infrastructure ResilienceManagement of security architecture in accordance with the organization’s risk strategy.
DetectContinuous MonitoringMonitoring assets to detect anomalies, adverse events, and potential breaches.
Adverse Event AnalysisEvents are analyzed to characterize and learn about them for future detection.
RespondIncident ManagementManaging incidents through a response mechanism.
Incident AnalysisSupporting forensics and recovery efforts and ensuring an effective response.
Incident Response Reporting and CommunicationCoordinating response activities with internal and external stakeholders.
Incident MitigationPreventing the escalation of an incident and alleviating its consequences.
RecoverIncident Recovery Plan ExecutionEnsuring operational availability of systems and services.
Incident Recovery CommunicationCoordination of restoration activities involving both internal and external stakeholders.
Table 2. Salient characteristics of LGs that have cybersecurity policy documents found in this study.
Table 2. Salient characteristics of LGs that have cybersecurity policy documents found in this study.
LGLocationLG StatusPopulationPolicy Adoption/Last Update Year
Country CapitalStateState CapitalMetropolitanRural Area2021
Central Highlands CouncilAustralia 2144Not Mentioned
Murray River Council 11,4562022
Sutherland Shire Council 218,4642023
Bayswater 69,2832021
Western Australia 2,660,0262022
New South Wales 8,072,1632022
Tasmania 557,5712023
Murrumbidgee Council 40002021
Rous County Council 100,0002019
King Island Council 16172022
Copper Coast Council 15,0502022
Balranald Shire Council 22082023
VancouverCanada 662,2482022
Greenview 85842016
LondonEngland 9,748,0332023
Enfield 330,0002021
Northwest Leicestershire District Council 104,7052020
Crediton Town 21,9902020
Royal Borough Windsor and Maidenhead 154,7382021
Saughall and Shotwick Park Parish Council 30942022
Aylesford Parish Council 11,6712022
TelanganaIndia 38,157,3112021
Odisha 47,099,2702022
Jammu and Kashmir 14,999,3972020
Tamil Nadu 83,697,7702020
Assam 35,713,0002018
Tripura 4,184,959
Woodburn City CouncilUSA 26,2432019
City and County of San Francisco 670,6252021
New York 7,613,4662020
Village of Pleasantville 73052021
Beaverton 100,5592022
Albuquerque 556,4962023
Portland 13,7012020
Scappoose 81912020
City of Madras 82002020
Town of Norwich 64762021
City of Lebanon 48,6292022
Table 3. Frequency of the codes and sub-codes.
Table 3. Frequency of the codes and sub-codes.
Code and Document FrequencySub-CodeDocuments with Sub-CodeFrequency of Sub-CodeTotal Frequency for Sub-Codes
Govern = 37Organizational Context2771220
Risk Management Strategy2237
Roles, Responsibilities, and Authorities2776
Policy2131
Oversight00
Cybersecurity Supply Chain Risk Management45
Identify = 29Asset Management254271
Risk Assessment1418
Improvement911
Protect = 32Identity Management, Authentication, and Access Control2977222
Awareness and Training2440
Data Security1851
Platform Security1543
Technology Infrastructure Resilience511
Detect = 19Continuous Monitoring192334
Adverse Event Analysis711
Respond = 30Incident Management274464
Incident Analysis22
Incident Response Reporting and Communication913
Incident Mitigation55
Recover = 16Incident Recovery Plan Execution162022
Incident Recovery Communication22
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Hossain, S.T.; Yigitcanlar, T.; Nguyen, K.; Xu, Y. Understanding Local Government Cybersecurity Policy: A Concept Map and Framework. Information 2024, 15, 342. https://doi.org/10.3390/info15060342

AMA Style

Hossain ST, Yigitcanlar T, Nguyen K, Xu Y. Understanding Local Government Cybersecurity Policy: A Concept Map and Framework. Information. 2024; 15(6):342. https://doi.org/10.3390/info15060342

Chicago/Turabian Style

Hossain, Sk Tahsin, Tan Yigitcanlar, Kien Nguyen, and Yue Xu. 2024. "Understanding Local Government Cybersecurity Policy: A Concept Map and Framework" Information 15, no. 6: 342. https://doi.org/10.3390/info15060342

APA Style

Hossain, S. T., Yigitcanlar, T., Nguyen, K., & Xu, Y. (2024). Understanding Local Government Cybersecurity Policy: A Concept Map and Framework. Information, 15(6), 342. https://doi.org/10.3390/info15060342

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop