Beyond Geography and Budget: Machine Learning for Calculating Cyber Risk in the External Perimeter of Local Public Entities

Abstract

Due to their vast number and heterogeneity, local public administrations can act as entry points (or attack surfaces) for adversaries targeting national infrastructure. The individual vulnerabilities of these entities function as entry points that can be exploited to compromise higher-level government assets. This study presents a nationwide risk analysis of the exposed perimeter of 7000 municipalities, achieved through the massive collection of 93 technological and contextual variables over three consecutive years and the application of supervised machine learning algorithms. The findings of this study demonstrate that geographical factors are a key predictor of external perimeter cyber risk, suggesting that supra-local entities providing unified, shared security services are better positioned in terms of risk exposure and therefore more resilient. Furthermore, the analysis confirms, contrary to conventional wisdom, that IT budget allocation lacks a significant statistical correlation with external perimeter risk mitigation. It is concluded that large-scale data collection frameworks, enhanced by Artificial Intelligence, provide policymakers with an objective and transparent tool to optimize cybersecurity investments and protection strategies.

1. Introduction

The ongoing digitization of local public administration is a double-edged sword: while it improves the efficiency of services and accessibility for citizens, it also increases the attack surface for sophisticated cyber threats. These entities act as custodians of vast and highly sensitive datasets, including personally identifiable information (PII), financial records, cadastral surveys, and confidential social services data, such as vulnerability assessments or protection orders against gender-based violence. The significant economic value of this information on the illicit markets of the dark web, where credentials, health records and official documents can be sold for substantial amounts, such as $1000 for complete medical documents or passports that can be worth around $4000 for a Maltese passport [1,2,3], creates a powerful and persistent incentive for malicious actors to target them.

This economic driver fuels a continuous cycle of offensive innovation, where threat actors constantly seek to circumvent established security protocols. The recent democratization of Artificial Intelligence (AI) has had a significant impact on this dynamic, resulting in the creation of an asymmetric advantage for adversaries. AI-powered tools now enable the automated generation of polymorphic malware, the crafting of highly convincing phishing campaigns at scale, and the development of sophisticated attacks designed for stealthy data exfiltration. Conversely, AI also provides defenders with powerful capabilities for anomaly detection, automated incident response, and proactive threat hunting through simulation [4,5,6]. Nevertheless, the reduced barriers to entry for offensive AI tools represent an escalating challenge to conventional defensive postures.

In order to protect these entities in an effective manner, a comprehensive security strategy is required that addresses both the internal perimeter, the purpose of which is to protect internal operations, and the increasingly porous external perimeter, the function of which is to provide e-government services to citizens and to integrate IoT devices. Nevertheless, a significant impediment to the formulation of such strategies is the absence of centralized empirical data. Presently, there is an absence of a consolidated public repository that documents cyber incidents, their operational consequences, and the lessons learned [7]. This has resulted in a reliance on informal evidence from media reports, which can be biased and incomplete. This data deficit prevents large-scale quantitative analysis, hindering the development of evidence-based security policies and forcing entities into a reactive, rather than proactive, defensive posture.

1.1. Related Work

1.1.1. Cyber Attack Figures

According to reports from cybersecurity companies, the average increase has been documented to be over 150%, independent of the sector affected. The prevalence of credential theft has escalated exponentially, with a 442% increase in incidents, leveraging sophisticated techniques such as social engineering and vishing. An analysis of security breaches reveals that 83% of such incidents are attributable to web applications that have been compromised by the use of stolen credentials. It is also noteworthy to mention the role of Generative AI (GenAI) techniques in accelerating the development of attacks and facilitating their automation [8].

Looking specifically at government entities, the same sources indicate that 9% of global attacks are suffered by these organizations [8], with an increase of almost 43% in recent years [9]. The results indicate that 85% of attacks come from external actors, exploiting vulnerabilities in systems, employing social engineering or stealing devices. Likewise, more than 60% of the assets attacked correspond to web systems, in an analysis carried out on a universe of 92 public sector organizations [9].

1.1.2. Cyber Threats

The primary threats facing these entities include ransomware, malware deployment, social engineering, and Distributed Denial-of-Service (DDoS) attacks, alongside misinformation campaigns aimed at disrupting civic processes. It is important to note that AI is being used to increase the severity of these threats. For example, Large Language Models (LLMs) can generate highly contextualized and persuasive narratives for social engineering attacks, making them almost impossible to distinguish from official communications [10,11].

In response to this challenge, regulatory authorities such as the European Union’s Network and Information Security Agency (ENISA) have proposed a range of conventional security controls, including backup strategies, multi-factor authentication (MFA), and information sharing [12]. While these measures are essential, they are regarded as a baseline defense. They often struggle to scale against automated, AI-driven threats and do not provide a framework for quantitatively prioritizing risks based on the specific context of an entity, thus highlighting the need for more advanced, data-driven assessment models.

1.1.3. Local Public Environment

Within the public sector, local governments are the entities where attacks have grown exponentially. However, there is an absence of a unified, comprehensive record that documents all attacks against the public sector [7]. Nevertheless, the media have documented several consequences of these incidents. In September 2023, the city council of Seville, Spain, was subject to a cyberattack, leading to the complete disruption of all public services [13]. In Washington-Pennsylvania County (USA), the entity was subjected to a data encryption attack, which subsequently compelled the entity to pay for the decryption of the affected data [14]. Local entities utilizing cloud infrastructures were also subject to attacks, as evidenced by the incident that affected thousands of Italian public entities with their provider, Westpole-PA [15,16].

The literature suggests that these entities, due to their considerable number and their provision of essential public services, are vulnerable targets. The volume of confidential information stored from businesses and citizens is substantial; however, there is a limited number of studies that have examined the risks associated with this specific public sector [17]. The International City/County Management Association (ICMA) [18] is an organization that brings together local government professionals with the aim of facilitating the prosperity of these entities on a global scale. The ICMA undertook an extensive analysis of the 71 most prevalent cybersecurity risks confronting local entities worldwide. The presence of entities with constrained financial resources, inadequate protection expertise, a lack of shared protections, and a fragmented leadership structure leaves them particularly susceptible to vulnerability [19,20]. These studies were conducted on a cohort of 14 Chief Information Security Officers (CISOs) in 78 local governments in the United States, resulting in a satisfactory initial approximation. However, these findings were based on qualitative analyses of a small cohort of US local governments. This highlights a clear gap for large-scale, quantitative research that can validate and expand upon these initial observations across an entire national ecosystem.

1.1.4. Cybersecurity Framework

As indicated by the ICMA, the sharing of risk information and strategies is fundamental to minimizing risks between local public entities. However, the establishment of shared legislative frameworks among multinational entities has the potential to ensure interoperability and uniform levels of protection. In Europe, the EU Cybersecurity Regulation [21] establishes a high level of cybersecurity, cyber resilience, and trust. This regulation establishes the ENISA and a cybersecurity certification framework for products and services [22]. The NIS2 Directive 2022/2555 [23] aims to harmonize national strategies among member states, identifying competent authorities, crisis management protocols, and single points of contact in cybersecurity. This requirement is considered fundamental for certain types of entities; however, member states are not compelled to implement it in the context of local public administration (city councils and municipalities) or research centers. The utilization of divergent protection criteria constitutes a systemic risk.

Additionally, the risks linked to the use of Artificial Intelligence are not directly covered by the NIS2, but it talks about risk management, monitoring, detection and response to incidents with technological innovation, training and awareness.

1.1.5. Massive Data in Local Public Entities

Recent research has demonstrated the feasibility of collecting extensive cybersecurity metrics from thousands of local entities at a national scale [24]. This work confirmed that supra-local coordinating bodies play a significant role in promoting shared protections, validating earlier ICMA claims. While establishing the viability of large-scale data collection is a critical first step, the primary scientific opportunity lies in making use of these data. The vast quantity and complexity of these datasets make them ideal for the application of advanced Machine Learning (ML) techniques to move beyond simple monitoring towards predictive risk modeling.

1.2. Summary of Literature and Research Objectives

In summary, the extant literature establishes that local public entities are numerous, critical, and increasingly targeted by AI-enhanced threats. The primary attack surface of these entities is the external perimeter, yet they frequently fall outside mandatory cybersecurity regulations such as NIS2. Additionally, there is a significant lack of large-scale empirical research into their risk posture, despite the proven feasibility of massive data collection frameworks.

Addressing this critical research gap, the present paper proposes a large-scale, empirical methodology to quantitatively assess cyber risk on the external perimeter of local public administration. The objective of this study is to utilize supervised ML algorithms to analyze a dataset comprising 93 technological and competency variables from over 7000 municipalities, with the aim of identifying the key variables of external cyber risk. Specifically, the development and validation of a composite risk indicator, termed CIORank, is undertaken. The primary objective of this research is to build an optimized model that moves beyond traditional assumptions, allowing us to uncover non-obvious relationships between an entity’s intrinsic characteristics and its security posture. This study provides empirical evidence demonstrating that geographical location is a significant risk factor, a finding that challenges the common assumption about the role of IT budget allocation. Consequently, this work offers a novel application based in a data-driven framework that objectifies resource allocation and risk management in the public sector.

2. Materials and Methods

The study population comprises approximately 7000 municipalities in Spain, covering a wide range of population sizes, economic capacities, and geographical contexts. Data were collected on an annual basis over a three-year period, from 2022 to 2024, with the objective of enabling both cross-sectional analysis and temporal validation of the models.

As illustrated in Figure 1, the primary tasks are:

• The process of acquiring and processing captured data;
• Risk definition;
• Empirical justification of risk thresholds;
• A correlation study is to be conducted between technological investments and the identified risk;
• The generation of a qualitative model (Classification) is required to indicate whether the entity is at risk. This model should also identify the most representative risk variables;
• The generation of an optimized quantitative model (Regression) is necessary to establish a numerical risk value for each entity;
• Verification of the model’s suitability using data from subsequent years.

Therefore, this section details the study design, data sources, risk metric definition, and ML pipeline used to identify key cybersecurity predictors in local public administrations in Spain. Furthermore, the proposal produces two ML models that facilitate enhanced risk estimation for each entity.

2.1. Data Acquisition and Processing Framework

In order to manage the scale and heterogeneity of the data, an automated collection framework and a Medallion architecture for data processing were implemented. This architecture organizes the data into three layers of increasing quality (Bronze, Silver, and Gold), ensuring governance, traceability, and preparation of the data for analysis. Complete information on this framework is available in Appendix A.1.

2.1.1. Data Sources

A total of 93 variables were collected for each municipality, which were then classified into two main categories:

• Technological variables: This information was obtained through the implementation of active scans of the exposed digital perimeter of each municipality. These scans, performed by automated scripts, measure technical aspects of public web services. The metrics encompass SSL/TLS certificate configuration, the presence of security headers, response times, known vulnerabilities (CVEs) in exposed components, and technical SEO best practices;
• Competential or Contextual variables: The data has been obtained from public and government data sources, including the National Institute of Statistics (INE) and the Ministry of Finance. The aforementioned variables are indicative of each municipality, and include demographic data (population, age distribution), socio-economic data (unemployment rate, average income) and budgetary data (specific investment in IT items, total budget).
• Complete information related with the variables is available in Appendix A.2.

2.1.2. Definition of the Risk Metric: CIORank

The central dependent variable in this study is CIORank, a composite indicator designed to quantify the maturity and security posture of an entity’s external perimeter [24]. The calculation of the online presence index is derived from the arithmetic mean of three normalized sub-indices (on a scale of 0 to 100), with each sub-index representing a key dimension of online presence. To validate the robustness of this equal-weighting approach, a sensitivity analysis was conducted to assess the impact of alternative, strategically focused weighting schemes, as detailed in Appendix C.1.

$$CIORank={\displaystyle \frac{1}{3}}·Security+{\displaystyle \frac{1}{3}}·Availability+{\displaystyle \frac{1}{3}}·SEO$$

(1)

• Security: Aggregates defensive security metrics, such as the quality of cryptographic implementation, the absence of vulnerabilities, and the adoption of security headers;
• Availability: Measures of the reliability and performance of web services, including loading speed, correct time synchronization, and the absence of domain blacklists;
• SEO: Evaluates technical optimization, compliance with web standards, and accessibility, which act as a proxy for development quality and maintenance. This category is referred to as “Web Quality & Performance” to accurately describe its focus on technical audits. The underlying individual metrics retain their original SEO prefix (e.g., SEO3_performance) for consistency with the data collection tools used.

A higher CIORank is indicative of an advanced technical posture, which in turn leads to a reduction in the inherent risk within the exposed perimeter. Complete information related with the indicators and risk metric are available in Appendix A.3.

2.1.3. Empirical Threshold of Risk

In the context of classification models, the designation of an entity as “at risk” is executed through a binary process. Instead of employing an arbitrary statistical threshold, an empirical approach is adopted, with data from real incidents being utilized from actual incidents reported in the media.

Table 1. Attacks received by public entities and average CIORank indicator.

Year	n	CIORank Average
2022	125	57.3%
2023	129	56.8%

shows two independent cohorts of municipalities that suffered confirmed cyberattacks in 2022 and 2023. The mean CIORank score for these entities in the year of the attack was found to be remarkably consistent. It is essential to acknowledge the fact that the present set of identified attacks does not constitute an exhaustive enumeration of all attacks that have occurred. This limitation will be addressed in the discussion section, where recommendations for improvements will be provided.

Considering the evidence presented and with a sensitivity analysis of the risk threshold described in Appendix C.2, a risk threshold of CIORank < 60 was established. This value is employed as a conservative upper limit, with any entity exhibiting a technical posture below the average observed in municipalities that were effectively compromised being designated “at risk”.

2.2. Modeling with Machine Learning

The objective of modeling is twofold: to predict the level of risk and, crucially, to identify the contextual and technological variables that are key determinants of that risk.

2.2.1. Dataset Preparation

The data from 2022 and 2023 were consolidated and used to train and evaluate the model. To ensure robust performance estimates across multiple splits, stratified k-fold cross-validation (with k = 20) was employed. The 2024 data were designated as an out-of-time validation set to assess the model’s generalization capability on entirely unseen data.

Further detailed information can be found in Appendix B, which shows the ML model flow followed between phases 1 and 3, which correspond to the preparation of the dataset.

2.2.2. Model Training and Selection

Two types of supervised models were evaluated:

• Classification Models: The objective is to predict the binary risk category, which is defined as either “at risk” or “not at risk”. A comprehensive comparison of a wide range of algorithms was conducted, including tree ensembles (such as Random Forest and CatBoost), logistic regression, and Support Vector Machines (SVMs). The Area Under the ROC Curve (AUC) was identified as the primary metric for selection, given its resilience to class imbalance;
• Regression Models: The primary objective is to predict the numerical value of risk. Analogous algorithms were evaluated in their regression versions. The selection metric employed was the Mean Absolute Error (MAE), a metric that lends itself to straightforward interpretation.

The model that demonstrated the greatest degree of efficacy in each task underwent a process of hyperparameter optimization. This process entailed the implementation of grid search with 20-fold cross-validation.

Further detailed information can be found in Appendix B, which shows the ML model flow followed between phases 5 and 7, which correspond to the selection of algorithms, goodness metrics, and hyperparameter optimizations.

2.2.3. Variable Importance Analysis

Once the final model was trained, the most critical step was to interpret it to identify risk factors. To achieve this objective, we employed the SHAP (Shapley Additive Explanations) technique. The SHAP values facilitate the quantification of the contribution of each variable (e.g., geographic location, investment in budget item X, number of inhabitants) to risk prediction for each individual municipality and for the population as a whole.

Comprehensive details concerning the execution of a ML project, organized by phases, and the interpretation of SHAP plot can be found in the Appendix B.

3. Results

3.1. Correlation Between Risk and IT Investment

A key issue to be resolved is whether a local public entity’s IT investments within its budget are aligned with the risks posed to its external perimeter. It is possible to carry out a basic statistical analysis using the seven economic variables and risk indicators. The non-Gaussian nature of the variables was determined through the implementation of the non-parametric Kolmogorov–Smirnov (KS) test. Therefore, Spearman or Kendall correlation coefficients were utilized.

Table 2. Spearman test: Correlation between budget and risk variables.

Budget Concept	Security	Availability	SEO	CIORank
1	−0.0363	0.0827	0.0336	0.0459
206	0.0123	0.0525	−0.0069	0.0266
216	−0.0736	0.0173	−0.0136	−0.031
220.02	−0.0701	0.0147	0.0058	−0.022
222.03	−0.0494	0.0841	0.0093	0.0272
636	−0.0087	0.029	−0.0115	−0.0135
641	−0.0061	0.0012	−0.0025	−0.0091

contains further information on Spearman’s coefficients.

The calculated correlation coefficients are all approximately equal to zero, suggesting the absence of a correlative relationship between the economic variables and the risk management variables.

3.2. Qualitative Supervised Learning Model Results

The final dataset contains a total of 13,833 entries, with 93 total variables obtained for each monitored entity. Fifty-four variables have been selected where 48 are numerical and 5 categorical variables will be used for training. The remaining variable will be the one to be estimated. It should be noted that the rest of the variables up to 93 are discarded because they represent unique values of each entity, such as contact telephone number, web URL and identification codes in the different information sources.

The CatBoost Classifier model was identified, demonstrating superior performance in comparison with the other models, as evidenced in

Table 3. Testing ML models for qualitative classification. Supervised classification.

Model	Accuracy	AUC	Recall	Precision	F1
catboost	0.848	0.940	0.848	0.848	0.847
lightgbm	0.845	0.929	0.845	0.845	0.844
et	0.842	0.919	0.842	0.842	0.842
rf	0.834	0.914	0.834	0.834	0.834
gbc	0.832	0.920	0.832	0.833	0.832
lr	0.821	0.903	0.821	0.822	0.821
ridge	0.819	0.901	0.819	0.820	0.818
lda	0.819	0.901	0.819	0.820	0.818
knn	0.819	0.895	0.819	0.819	0.819
ada	0.816	0.903	0.816	0.817	0.816
svm	0.807	0.903	0.807	0.816	0.806
dt	0.774	0.774	0.774	0.775	0.774
qda	0.604	0.730	0.604	0.655	0.561
dummy	0.506	0.500	0.506	0.256	0.340
nb	0.496	0.804	0.496	0.516	0.351

. As demonstrated in Figure 2, Accuracy achieved a score of 84.8%, while the AUC metric attained a remarkable 94.0%. Other model performance metrics also show high performance, such as Precision, Recall and F1-Score.

Discussion section will provide a detailed explanation why the CatBoost algorithm performs better in these types of situations.

3.3. Analysis of Variables in the Qualitative Model

It has been observed that the most significant variables in the model align with the technological variables, which is consistent with the expected behavior. However, incorporating competential variables has been shown to significantly enhance the model’s predictive capacity. Figure 3 illustrates the significance of the ten variables with the highest importance in the model.

Figure 4 shows the variables that dominate the ML model. The main variables in this model are the technological variables.

As can be seen, the province is a geographical variable and is at the top of the list in Figure 3 and Figure 4. In terms of the model’s predictions regarding risk, other relevant competence variables such as geo_area, outstanding_debt, female_unemployment or male_unemployment and agriculture_unemployment are less influential.

3.4. Optimized Quantitative Supervised Learning Model Results

The most significant variables within the qualitative supervised learning model (binary classification) have been utilized to formulate the optimized quantitative model, exclusive of the ten most representative variables:

• S5_sslabs_scan;
• SEO3_performance;
• SEO4_cookies;
• SEO3_seo;
• SX_shodan;
• A7_black_list;
• province;
• S3_openports;
• A2_ntp;
• SEO3_bestpractices.

A total of 13,833 entries have been obtained, with 10 selected variables. The model utilizes a total of 9 numerical and 1 categorical variables during the training process. The estimation process will be applied to the risk variable.

The CatBoost Regressor model is distinguished from the other models by its higher performance, as illustrated in

Table 4. Testing ML models for quantitative regression.

Model	MAE	MSE	RMSE	R2
catboost	2.4319	10.2184	3.1947	0.8457
lightgbm	2.4780	10.5687	3.2491	0.8403
rf	2.5249	11.2499	3.3521	0.8301
gbr	2.6563	11.9368	3.4539	0.8197
et	2.6058	12.1019	3.4770	0.8173
knn	2.6554	12.5221	3.5366	0.8106
lar	3.2710	16.9024	4.1100	0.7453
br	3.2709	16.9024	4.1100	0.7453
ridge	3.2709	16.9023	4.1100	0.7453
lr	3.2710	16.9024	4.1100	0.7453
huber	3.2476	17.1601	4.1407	0.7417
ada	3.4064	17.9231	4.2325	0.7293
dt	3.2027	19.3444	4.3949	0.7080
par	3.7511	22.8557	4.7635	0.6526
omp	5.5543	49.3850	7.0232	0.2581
en	5.6148	56.1674	7.4853	0.1603
lasso	5.8728	60.7659	7.7857	0.0915
llar	2.4780	10.5687	3.2491	0.8403

. The MAE metrics stand out at 2.43 (the smaller the better), MSE with 10.22, RMSE with 3.19 (the smaller the better) and R² with 0.8457 (the closer to 1 the better).

The performance of the model with the predicted values and their residuals can be seen in Figure 5, and the error prediction using the R² metric in Figure 6. The representation of the residuals demonstrates that the data conforms to a Gaussian bell-shaped distribution, thereby confirming that the error density is centered on the zero value.

The error prediction representation shows the identity line close to the model’s predictions. The closer these lines are, the better the model. Dispersion is observed at the extremes of the lines (lower and higher values). However, the majority of points are concentrated along the identity line. With a coefficient determination of 0.842, the model is able to explain a significant amount of variability in the data, thus allowing favorable conclusions about the performance of the regression model to be made.

3.5. Goodness of the Quantitative Model in the 2024 Data

After training the regression model, the 2024 data are used to predict and check the goodness of fit of the model. This data was not used before. See

Table 5. Post-deployment results.

Year	MAE	MSE	RMSE	R2
2022 and 2023	2.43	10.22	3.19	0.8457
2024	2.62	10.57	3.25	0.8403

for model performance.

The results obtained demonstrate that there are no significant differences between the data for the years 2022 and 2023 and the data for 2024. This finding suggests that the model has generalized relatively well.

4. Discussion

Technological variables dominate the interpretation of the ML model as can be seen in Figure 3 and Figure 4. Security and SEO variables stand out, such as S5_sslabs_scan (the better the quality of the SSL certificate, the better the model score), SEO3_performance and SEO4_cookies (the higher the score, the better the model score), SX_shodan (the higher the variable score, the more negatively it affects the model score). The findings of this study indicate that the province variable is a significant factor in the estimation of risk as evidenced by its high ranking in the SHAP analysis.

However, it is improbable that geography will be a direct causal factor. Instead, the province variable is a powerful proxy for governance structures and shared service delivery. This connection is facilitated by supra-local entities known as Provincial Councils, which provide centralized IT and cybersecurity services. Municipalities affiliated with these models benefit from shared technological solutions, unified protection strategies, and expert knowledge, resulting in significantly higher and more homogeneous security postures. In contrast, entities not affiliated with this homogenization model often lack the resources or expertise necessary to achieve the same level of protection. Therefore, the machine learning model has not identified a new phenomenon but has quantitatively confirmed the critical impact of these governance and shared service delivery models. This finding aligns directly with the recommendations of organizations such as ICMA, which advocate for shared protection strategies to improve the resilience of local governments [19,20].

Intuitively, other competency or context variables may be posited as potential contributors to risk, including cultural differences and political management. However, the current study has not incorporated these variables, as their preliminary analysis is necessary to avoid the biases inherent to differences in political party management or cultural identifications specific to a region. While these variables are of interest, it is important to acknowledge that they require special treatment that may ultimately lead to future work focusing on the objectification of these variables.

Regarding the correlation between IT budgets and associated external perimeter risk in local public entities, previous studies on this relationship have been analyzed. Research has been conducted on the correlation between budget size and cyber losses, with a strong positive correlation being identified [25]. Despite the apparent discrepancy between the two findings, they are actually complementary for the following reasons:

• Risk vs. cyber losses can be viewed as a cause-effect relationship. The presence of a risk to an entity does not directly imply an economic loss until the occurrence of a cyber security event;
• The same research states that they have observed a weakening of the correlation between budget size and cyber losses. The authors of the study have provided a justification for this phenomenon, attributing it to an increase in attacks on smaller entities with limited financial resources.

In view of the fact that the principal providers of cybersecurity solutions have corroborated the almost exponential increase in attacks on any type of local public entity, and that the extant literature has already indicated that these correlations have been weakening, it can be affirmed that the results obtained are aligned: The correlation between an increase in economic items within the external perimeter and an increase in perceived security is not guaranteed. It has been determined that entities with acceptable levels of perimeter security are in a position to focus their economic efforts on alternative activities, where a greater impact can be achieved. Such activities may include the following: the training of employees, the homogenization of systems with supra-local entities, or investment in the internal perimeter. Political and technical management is key when it comes to managing the type of investment, its amount, and its distribution among employees and citizens. This would be consistent with the findings indicated by ICMA in its studies of local entities in the USA.

Furthermore, the superior performance of certain machine learning (ML) algorithms in this study can be attributed to specific factors related to the dataset and the training process. The set of variables collected includes a significant number of numerical variables, in addition to a variety of categorical variables. Within the domain of training, two distinct categories of risks have been identified: “target leakage” and “prediction shift”. The “target leakage” risk materializes when the training process has access to the target variable that would not be available at the time of prediction. This phenomenon enables the development of models that exhibit high performance during the training phase, yet demonstrate suboptimal performance during the production phase. This results in a scenario of overfitting. The “prediction shift” risk materializes when one attempts to calculate statistics on categorical variables in the training dataset. It has been demonstrated that CatBoost performs optimally with this category of problem with heterogeneous data, as it permits complex interactions between categorical variables (province) to be captured and minimizes overfitting. However, it should be noted that this approach entails a higher time cost during the training phase [26,27].

With regard to the implications of the study, it is evident that political leaders and policymakers are the primary users for the protection of national security [28,29,30]. This methodology would enable them to make investment and organizational decisions based on objective data. However, for such data-driven approaches to be adopted, it is vital that the algorithms used for risk estimation are not only accurate but also transparent, auditable, and interpretable [29,31,32]. This research deliberately prioritized machine learning models over black-box approaches like deep learning, whose lack of interpretability can be a significant barrier in a public policy context. This is crucial when decisions involve prioritizing some entities over others, where transparency is imperative to prevent perceived bias. The analysis highlights a key trade-off. The study found that while the CatBoost model provided the highest predictive accuracy (R² = 0.8457), its complex nature limits its direct interpretability. However, the analysis also revealed that simpler, more transparent models performed robustly. Notably, the K-Neighbors Regressor (knn) model, which offers moderate interpretability, achieved a strong R² score of 0.8106. This presents policymakers with a clear and powerful choice. For tasks requiring the most accurate identification of at-risk entities, CatBoost is the optimal tool. For tasks requiring explanation and policy simulation, the K-Neighbors Regressor is highly recommended, as it offers a robust predictive performance with a marginal trade-off in accuracy for a substantial gain in explainability. A detailed classification of all evaluated algorithms by their interpretability level can be found in Appendix D. It is recommended that policymakers begin with a PDCA continuous improvement or Deming cycle, identifying and validating mitigation actions in successive years by comparing local and regional security metrics.

Despite the fact that this study covers more than 7000 municipalities in Spain, its direct applicability to other countries is inherently limited. However, this characteristic is also its main strength: it serves as a first test model at the national level, demonstrating the viability of a data-based approach. The present work demonstrates a baseline and a modular methodology that has been designed for adaptation to other countries. It is important to note that the technological variables that capture the infrastructure exposed to the Internet and its vulnerabilities are global and would not require adaptation. However, the variables of competency or context (demographic, economic, geographical) require local adaptation. In order to achieve this objective, it is necessary to conduct a preliminary study. The purpose of this study is twofold: firstly, to identify reliable government sources, and secondly, to establish a mapping of variables between countries. To provide an illustrative example, in a federal state such as Germany, the variable province could be linked to the concept of Land. Conversely, in a centralized system like France, the relevance of province could be limited, with the predictive weight being attributed to other variables, such as the allocation of specific state aid to municipalities. This necessity for contextual adaptation is so precise that it is even evident within Spain itself. Some autonomous communities, such as the Basque Country and Navarre, maintain historical special economic quotas within their constitutional legal frameworks that exclude them from the general economic criteria applicable to the rest of the provinces. The correlation between IT investments and risk could not be analyzed in these two communities, which represent less than 6% of municipalities globally. In subsequent studies, it would be advisable to undertake a more comprehensive analysis of these two autonomous communities by aligning their public information sources.

The absence of a public registry of cyber incidents is a key limitation. This limitation was partially mitigated in this study by using more than 250 incidents reported by the media. This directly impacts the definition of the risk threshold. The following courses of action are proposed to overcome this situation:

• At the National level: Leverage structures such as CCN-CERT in Spain (or its counterparts) to centralize incident reporting by local administrations in a standardized, anonymized manner that is accessible to the research sector;
• At the European level: It is hereby proposed that ENISA assume the leadership role in the development of a unified platform and a standardized taxonomy of incidents, in accordance with the directives outlined in the NIS2 Directive. The establishment of a European-level risk observatory would facilitate the validation and refinement of predictive models such as ours on an unprecedented scale.

It is important to acknowledge that the CIORank metric is designed to address external perimeter vulnerabilities, including web-facing and digital service perimeter. Consequently, it does not directly measure high-impact vectors such as phishing campaigns or internal on-premise or cloud misconfigurations [33]. However, the security flaws identified by CIORank frequently function as initial entry points for more complex attacks. For instance, an unpatched vulnerability on a public web server or exposure of private ports (factors that lower the risk score) could serve as the initial entry point for an attacker to collect credentials, which are then used to breach internal systems or launch phishing attacks from a trusted domain. It is evident that the fundamental purpose of this framework is to facilitate the identification of critical weak links in the external perimeter. This, in turn, will enable the prioritization of mitigation measures.

The following are related to future work that could minimize the impact of the above limitations:

• Increase the number of local public entities in nearby countries. This could establish a supranational geographical trend among similar countries;
• Develop models that relate risk metric to expected economic loss if risks are not mitigated, using the FAIR framework [34];
• Perform attack simulations based on the vulnerabilities detected in the external perimeter. Since this study conducts a strategic analysis at the country level, answering “what” and “why”, the use of techniques similar to Monte Carlo would allow tactical actions to be prioritized by defining “how”;
• A perception study could be conducted among key C-level executives, such as Chief Operating Officers (COOs), Chief Technology Officers (CTOs), Chief Information Officers (CIOs), and Chief Information Security Officers (CISOs) in public administrations, in order to base the weighting in line with the country’s overall strategies.
• Explore and correlate the study results with publicly available datasets on regional differences, if accessible. This could include national statistics on digital infrastructure (e.g., broadband penetration) or official reports from national/European agencies, which would help further contextualize the impact of institutional versus infrastructural factors;
• The temporal dynamics of risk should be investigated by means of causal inference methodologies appropriate for mixed data types. Although standard Granger causality is constrained to numerical variables, future research could adapt advanced techniques to explore time-lagged relationships. Such analysis has the potential to yield valuable leading indicators of risk, for example, by determining whether certain technical changes systematically precede a change in an entity’s security posture.

5. Conclusions

The present study proposes a methodological approach to the assessment of external perimeter exposure, integrating technological and competence-related variables. The results indicate that, while technological factors remain relatively consistent across various contexts, competence-related variables, particularly geographical and organizational distribution, have the potential to substantially influence the external risk profile. With more than 250 incidents reported by the media, the importance of identifying weaknesses before an attack occurs is underscored. By prioritizing preventive measures based on this exposure assessment, organizations can optimize resource allocation and strengthen their cyber resilience.

The analysis enabled the empirical calculation of a risk threshold for the risk metric, providing a practical benchmark for classifying exposure levels. Findings also revealed no correlation between IT investment levels and associated external perimeter cyber risk, challenging the assumption that higher expenditure guarantees lower vulnerability. Among the competence-related variables, province emerged as a key non-technological factor in external risk determination, highlighting the relevance of contextual and organizational elements in cyber risk management.

Regression models demonstrated strong performance in estimating both past and future risk levels, offering policymakers robust, data-driven tools for strategic decision-making. The ML integration techniques ensure that not only is external risk quantified, but the underlying drivers are made transparent, thus enhancing the trust and usability of the results.

Future research should expand the geographical scope, incorporate structured incident datasets beyond media reports, and explore additional explainable AI approaches to further strengthen the reliability and generalizability of the proposed framework.