Article

From Security Frameworks to Sustainable Municipal Cybersecurity Capabilities

1 Department of Information Security and Communication Technology, Norwegian University of Science and Technology (NTNU), 7491 Trondheim, Norway
2 Department of Information Security and Communication Technology, Norwegian University of Science and Technology (NTNU), 2802 Gjøvik, Norway
* Author to whom correspondence should be addressed.
J. Cybersecur. Priv. 2025, 5(2), 19; https://doi.org/10.3390/jcp5020019
Submission received: 17 March 2025 / Revised: 14 April 2025 / Accepted: 23 April 2025 / Published: 28 April 2025

Abstract

While security frameworks like the NIST CSF and ISO 27001 provide organizations with standardized best practices for cybersecurity, these practices must be implemented in organizations by people with the necessary skills and knowledge and be supported by effective technological solutions. This article explores the challenges and opportunities of building sustainable cybersecurity capabilities in resource-constrained organizations, specifically Norwegian municipalities. The research introduces the concept of sustainable cybersecurity capabilities, emphasizing the importance of a socio-technical approach that integrates technology, people, and organizational structure. A mixed-methods study was employed, combining document analysis of relevant cybersecurity frameworks with a modified Delphi study and semi-structured interviews with municipal cybersecurity practitioners. Findings highlight six core cybersecurity capabilities within municipalities, along with key challenges in implementing and sustaining these capabilities. These challenges include ambiguities in role formalization, skills gaps, difficulties in deploying advanced security technologies, and communication barriers between central IT and functional areas. Furthermore, the potential of artificial intelligence and cooperative strategies to enhance municipal cybersecurity is considered. Ultimately, the study highlights the need for a holistic perspective in developing sustainable cybersecurity capabilities, offering implications for both research and practice within municipalities and local government.

1. Introduction

Municipal cybersecurity personnel face significant challenges in securing municipal ICT systems from cyberattacks [1]. Failure to do so has been shown to have potentially catastrophic consequences for public trust, the privacy of vulnerable individuals reliant on health and social services, and the availability of all aspects of municipal service delivery [2]. Cyberattacks, such as ransomware, continue to threaten local governments, with reports of increasing attacks despite improved security measures and processes [3].
On a European scale, increased risk and the necessity of improving the security of critical infrastructure and civil society have resulted in new and more stringent regulations like the General Data Protection Regulation (GDPR), Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (the NIS 2 directive), the Digital Operational Resilience Act (DORA), and similar regulations intended to clarify roles and responsibilities and set new standards for cybersecurity. In a Norwegian context, this has resulted in an increased focus on cybersecurity requirements and regulatory oversight that also impacts Norwegian municipalities, including a broad audit of 100 municipalities and counties by the Data Protection Authority [4]. Both Datatilsynet and DigDir point to security frameworks like ISO 27001 and NSM ICT Security Principles as important guidelines for establishing appropriate technical and organizational measures.
However, systematized and structured knowledge, while important and necessary, is not sufficient to improve organizational cybersecurity. The German philosopher and poet Goethe stated, “Knowing is not enough; we must apply. Willing is not enough; we must do.” Similar to the cyber attacker who requires intent, targeting, and capability [5], defenders also need necessary capabilities in the form of technological solutions, a sufficient number of professionals with the necessary knowledge and skills, as well as an organizational intent in the form of structural aspects such as necessary mandate and priority [6], organizational integration, and efficient lines of communication with internal and external stakeholders [7].
Enterprise architecture frameworks such as TOGAF define capabilities as an abstraction of what a business does with supporting components (people, processes, information, and tangible resources) [8]. This understanding fits well with the socio-technical perspective provided by Leavitt’s diamond model [9], which identifies the mutual interdependence between tasks, structure, actors, and technology when addressing organizational change. In this paper, we introduce the concept of sustainable cybersecurity capabilities—a shift in perspective from security frameworks and compliance to capabilities that entails a stronger focus on actual cybersecurity task performance in organizations characterized by a large span in business activities (from water supply to childcare) often performed in a highly interconnected ICT infrastructure [10].
The capability concept is used as a theoretical foundation for a study where municipal cybersecurity practitioners and experts contribute directly to improving the understanding of actual security work in highly resource-constrained organizations and contribute to bridging a theory-practice gap in cybersecurity research. While existing research emphasizes the importance of cybersecurity frameworks and standards, there is still limited empirical investigation into how these frameworks are translated into operational capabilities within resource-constrained organizations, particularly municipalities. Understanding this translation is crucial for moving from mere compliance to effective security. This paper’s primary contributions are threefold: first, it introduces and empirically investigates the concept of “sustainable socio-technical cybersecurity capabilities” specifically within the resource-constrained context of Norwegian local governments; second, it presents a novel methodology that integrates document analysis with a modified Delphi card-sorting technique for expert co-creation of a practice-based capability model; and third, it offers practitioners insights into capability structuring challenges and a tangible web-based tool derived from the study. To achieve this, the study focuses on identifying relevant capabilities, analyzing associated socio-technical challenges, and exploring potential enhancement strategies within the municipal context.
To address these aims, the study employed a mixed-methods approach. First, a set of relevant security standards and frameworks for Norwegian municipalities was identified, and through structured document analysis, expected tasks, technological support systems, requirements for skills and knowledge, and organizational structure were extracted. Subsequently, drawing from this dataset, a modified Delphi-method-based study [11] involved active municipal cybersecurity practitioners in structuring these elements into capabilities that make sense in the municipal context, considering their resource levels, work practices, and organizational structures. This process also served to explore the challenges and opportunities associated with building sustainable cybersecurity capabilities in these resource-constrained organizations. A web-based card-sorting tool, developed for the research project, is also made available [12].
To present these findings, this article considers municipal cybersecurity through a socio-technical lens. We first review existing research on municipal cybersecurity and cybersecurity frameworks before introducing the concept of socio-technical cybersecurity capabilities. The concept emphasizes the importance of integrating technology, people, and organizational structure in building robust cybersecurity defenses. Subsequently, we detail our research methodology, combining a modified Delphi method card-sorting study and semi-structured expert interviews. The interviews with municipal cybersecurity practitioners identify key capabilities and challenges in practice. Through this comprehensive approach, we aim to provide valuable insights for both research and practice, contributing to a better understanding of how to build sustainable cybersecurity capabilities in municipalities.

2. Background and Literature

To give context, this chapter provides essential background information. We begin by outlining research on the growing cybersecurity challenges faced by municipalities, driven by increasing digitalization and limited resources. We then examine the role of prevalent cybersecurity frameworks in guiding security practices, noting the gap between recommendations and implementation in practice. Finally, we introduce a socio-technical systems approach, emphasizing the critical interplay of technology, people, organizational structure, and tasks in developing sustainable cybersecurity capabilities—the core focus of this research.

2.1. Municipal Cybersecurity

Research on municipal cybersecurity has been sparse but has seen an uptick since 2018, driven by the increasing digitalization of municipal services and the move towards smart cities [10,13]. Studies have identified a gap between the growing recognition of the importance of cybersecurity and the actual implementation of necessary security measures [14], as well as gaps in local government cybersecurity policies [15]. Cyberattacks have serious economic implications for municipalities, and while new regulations address the issue, their effect is disputed [16]. Municipalities struggle with limited economic resources, prioritizing cybersecurity in competition with other pressing needs, recruiting qualified cybersecurity personnel, and providing necessary training and education on cybersecurity [13,17].
According to statistics from Statistics Norway (SSB) [18] in 2024, 34.8% of Norwegian municipalities report having outsourced most or all of their security monitoring to external parties. This likely includes many or most of the 26.5% of municipalities that have outsourced their ICT operations to external parties. The numbers do not specify if the external party is an IKS (shared, publicly owned municipal service provider) or a market-based service provider.
Statistics from Statistics Norway (SSB) [19] also highlight how municipalities struggle to transform high-level security requirements from cybersecurity frameworks into operative capabilities. For example, while 72% report having a written security policy approved by management, only 61% have centralized logging, 60% have systems for detecting unwanted traffic, and only 31% report performing regular penetration tests. These numbers indicate that municipalities are struggling to translate regulations and security frameworks into the necessary organizational structures with sufficient resources, technological support, skills, and knowledge to perform all the required activities prescribed in the security frameworks.

2.2. Cybersecurity Frameworks

Cybersecurity management frameworks, such as ISO 27002, the NIST Cybersecurity Framework, and the CIS Critical Security Controls, provide organizations with a structured approach to managing cybersecurity risks. The standards differ in their approach to management processes but typically contain a set of security controls either considered a baseline standard or to be selected using a risk-based approach. Typical topics are risk management, vulnerability management, continuity, incident response, and security awareness training.
Organizations cite various reasons for adopting cybersecurity management frameworks, from internally motivated expectations of improved cybersecurity or more efficient management of cybersecurity processes to external motivations such as market reputation or governmental regulations [20]. For Norwegian municipalities, there are no direct requirements for the adoption of ISO 27001 or other frameworks. Still, there is a requirement (eForvaltningsforskriften §15) to establish a quality management system for information security based on recognized standards, and the Norwegian Digitalization Agency recommends ISO 27001 as such a standard [21]. In parallel, the Norwegian National Security Authority publishes its NSM ICT Security Principles [22], a set of security recommendations built around a structure similar to that of the American NIST Cybersecurity Framework [23], and encourages their use among both private and public organizations. In addition to ISO 27001 and the NSM ICT Security Principles, Norwegian municipalities are all connected to the “Norsk Helsenett”—a national service provider for secure connectivity between health and care services and national e-health solutions. Connecting to this network presupposes a contract including requirements for adhering to the Norwegian Code of Conduct for Information Security and Data Protection in the Health and Care Sector [24], a governance framework for security and privacy for healthcare organizations in Norway.
While cybersecurity governance frameworks focus on defining organizational and technical control measures, and on establishing a systematic approach to managing information security risks, frameworks such as ENISA’s Cybersecurity Workforce Framework and the NIST NICE framework focus on the human aspect and aim to standardize and define the knowledge, skills, and competencies required for various cybersecurity roles. While the NIST NICE framework is a US-focused framework that categorizes cybersecurity work into seven categories, 33 specialty areas, and 52 work roles, several of which have a predominantly military focus (including “force projection”), the European ENISA framework takes a broader approach, focusing on the competencies needed across various cybersecurity domains. It aims to harmonize cybersecurity education and training across Europe and improve the overall cybersecurity posture of the EU, and defines a set of 12 work profiles with corresponding responsibilities, expected output, and related skills and knowledge requirements.
While several frameworks are suggested or recommended by directorates and other national-level authorities, there are no formal requirements for their adoption, and no data are available on the rate or quality of framework adoption in Norwegian municipalities. Measuring the actual impact of adopting security frameworks is challenging, with some studies reporting mixed results based on factors such as company size [25], but stakeholders value the effect of adoption as a method to establish and maintain an effective information security management system and as a solid foundation for maintaining security [26].

2.3. Socio-Technical Approach to Cybersecurity

A socio-technical systems approach entails viewing a system as a complex integration of technological and social systems, and any design or redesign needs to address both perspectives in order to succeed [27,28]. Advocates of a socio-technical perspective have argued that a techno-centric approach to cybersecurity neglects or understates the importance of the social and human aspects, leading to an imbalance that leaves organizations open to risk [29,30]. In 1965, Leavitt [9] introduced the diamond model of socio-technical change management, viewing organizations as complex systems characterized by four key variables: tasks, structure, actors, and technology. The model (Figure 1) is illustrated as a diamond with the four aspects at each corner connected by arrows, illustrating the mutual impact of changes in one variable on all others. The model is commonly used to demonstrate how changes, such as introducing a new technological solution, will affect, and be affected by, task performance, organizational structure, and how actors interact and respond based on their personal characteristics such as attitudes, skills, and knowledge.
Weaknesses in aspects of the socio-technical dimensions of cybersecurity can have serious consequences for local governments—some examples are:
  • Structural issues include a lack of prioritization and sufficient resources to perform the necessary cybersecurity activities and a lack of internal coordination [31], so critical functional areas of local government, such as healthcare or water supply, are not adequately supported by vulnerability scanning or security monitoring activities;
  • Issues related to people and the human aspects, such as insufficient training, either on cybersecurity issues such as threats and vulnerabilities related to all aspects of local government technology or on the tools and technologies necessary to perform cybersecurity work [32], such as vulnerability scanning, network and endpoint security, and security monitoring tools leading to lack of use or errors in detecting security issues;
  • Technological issues, such as limitations in functionality and coverage, for example, for specialized security issues in local government areas such as medical technology in municipal healthcare or SCADA systems (supervisory control and data acquisition), in water supply, or the lack of integration between security technologies leading to tool overload for security analysts, or cybersecurity tooling with complicated and unsuitable user interfaces leading to lack of adoption of security technology [33];
  • Doing the wrong tasks or performing them with insufficient quality can lead to vulnerabilities not being correctly removed, security alerts being wrongly prioritized, and security incidents not being investigated with sufficient rigor to identify the root causes of security incidents.
Addressing cybersecurity in complex organizations, such as municipalities, will require considering all four of these dimensions and their mutual interdependency. For example, it is well established that the introduction of technology alone is insufficient to drive value without actual usage [34], and that actual technology adoption is dependent on the skills and education of the workforce [35]. Likewise, individual task performance depends on the “fit” or suitability of the technology [36], and the introduction of technology has a significant effect on organizational structure, roles, and responsibilities [37].

2.4. Introducing Socio-Technical Cybersecurity Capabilities

Cybersecurity frameworks provide a why and how to implement cybersecurity requirements and practices but lack organizational adaptation and a practical focus on organizational capacity and ability to execute these practices, especially in resource-constrained organizations such as municipalities. Enterprise Architecture (EA) can provide an approach to bridging this gap between theory and practice. EA, fundamentally concerned with the design and management of an organization’s structure and operations, particularly the strategic alignment of IT with business objectives [38], offers a capability-centric approach. Enterprise architecture is typically arranged around a baseline architecture (today), a target architecture (where the business wants to be), and a sequencing plan for moving from the baseline to the target architecture [39]. EA methodologies employ business capability maps [40] as a tool for strategic planning, change management, and prioritization, designed to optimize fragmented processes and enhance organizational agility [38,39].
The concept of “capabilities”, though debated in definition [41], is described in the Enterprise Architecture standard TOGAF [8] as “a particular ability or capacity that a business may possess or exchange to achieve a specific purpose or outcome.” While business capabilities focus on what the organization does, rather than how, the capability is, in the TOGAF methodology, realized through the integrated deployment of people, processes, information, and resources (such as technology as well as physical and intangible assets). As such, the EA understanding of capabilities integrates well with the socio-technical approach of the Leavitt diamond model by emphasizing the importance of the alignment and mutual reinforcement of technological, strategic, and human elements for organizational task/process performance. Framing cybersecurity through the lens of socio-technical capabilities allows moving beyond a purely framework-driven or technology-centric approach, towards a more holistic understanding of organizational cybersecurity capacity.
This shift in perspective—from viewing cybersecurity as adherence to frameworks to building demonstrable capabilities—allows for moving beyond simply assessing compliance and instead focusing on understanding and developing the inherent organizational capacity to perform necessary cybersecurity tasks effectively and sustainably. This capability-based approach, grounded in EA principles and the socio-technical insights of Leavitt’s diamond, offers a more robust and practically relevant approach to analyzing the current state of municipal cybersecurity. It also provides a strategic foundation for discussing necessary changes in how these capabilities are developed—whether internally or through ecosystem integrations like managed services, inter-municipal cooperation, or national-level resources [42,43]. Building on the Leavitt diamond model we define sustainable socio-technical cybersecurity capabilities as “a sustainable capacity of coordinated technological and human resources in an organizational structure arranged to perform cybersecurity tasks in order to defend the organization against cybersecurity attacks and incidents”. By sustainable we imply the ability to adapt to changes in personnel, technology, and the threat landscape, ensuring the municipality’s ongoing capacity to address cybersecurity challenges.
While existing research emphasizes the importance of cybersecurity frameworks and standards, there is limited empirical research on how these frameworks are translated into operational capabilities within resource-constrained organizations, particularly municipalities. This study addresses this gap by investigating the challenges and opportunities of building sustainable cybersecurity capabilities in Norwegian municipalities, using a socio-technical approach to understand the interplay of technology, people, and organizational structure in cybersecurity implementation based on expert interviews. Specifically, the literature reveals shortcomings in empirically grounded understandings of how high-level framework recommendations become functioning, sustainable capabilities in practice within the unique, resource-limited municipal setting. Furthermore, there is a need for deeper insights into the critical socio-technical interdependencies—the interplay between structure, people, technology, and tasks—that shape cybersecurity effectiveness beyond mere compliance or framework adoption. This paper directly addresses these gaps by employing a capability-centric, socio-technical lens and a co-creative methodology involving municipal practitioners. Our focus on identifying emergent capability structures, along with the practical challenges related to their human, technological, and organizational dimensions within Norwegian municipalities, provides crucial, context-specific knowledge currently lacking in the field.

3. Methodology

This study adopts an exploratory research design rooted in an interpretivist paradigm to investigate the socio-technical aspects of cybersecurity capabilities within Norwegian municipalities. Acknowledging that cybersecurity practices, challenges, and opportunities are inherently context-dependent and shaped by the subjective interpretations of practitioners, an interpretivist approach is deemed most appropriate to understand these complex phenomena [44].
To achieve a comprehensive understanding, a mixed-methods approach was employed, primarily driven by qualitative data collection and analysis, enhanced by quantitative elements for triangulation and contextualization. A key strength is the researcher’s 20+ years of cybersecurity experience (seven in a Norwegian municipality)—this and subsequent references to “the researcher” indicate the corresponding author. This situated practitioner knowledge is not viewed as a source of bias but rather as a valuable asset, providing unique insights and access to the expert community under study, aligning with principles of insider and practitioner research [45].
The research proceeded in two distinct phases: firstly, a document analysis to establish a foundational understanding of recommended cybersecurity practices from national and international cybersecurity frameworks, and secondly, a series of expert interviews incorporating a modified Delphi card-sorting technique to elicit rich, practice-based insights from municipal cybersecurity professionals [45,46] and co-creation of a practice-based capability model. The full research process is illustrated in Figure 2, while details of the two phases are described and illustrated in Figure 3 and Figure 4.

3.1. Methodological Approach—Document Analysis, Expert Interviews, and Modified Delphi-Inspired Card Sorting

The study proceeded in two main stages, utilizing a mixed-methods approach. The first step consisted of a document analysis focused on eliciting socio-technical aspects of relevant cybersecurity frameworks. The second step was a series of interviews incorporating both quantitative and qualitative elements, combining a card-sorting study with semi-structured interviews.

3.1.1. Phase 1: Document Analysis—Establishing a Foundation of Recommended Practices

To establish a robust foundation of recommended cybersecurity practices relevant to Norwegian municipalities, a comprehensive document analysis was conducted. Three key cybersecurity frameworks were selected based on their prominence and explicit recommendations within Norwegian public sector guidelines and strategies [43]: ISO 27002 [47], NSM ICT Security Principles [22], and Normen [24]. These frameworks represent established best practices and are widely recognized within the target population. A rigorous qualitative content analysis was employed, guided by Leavitt’s diamond (tasks, structure, technology, people) to ensure a holistic, socio-technical perspective. Each framework document was systematically reviewed to identify and categorize content related to these four dimensions. An iterative and inductive color-coding process was used to tag relevant text segments within each document. Detailed analytical notes documented coding decisions, rules, and borderline cases, ensuring transparency and rigor. Finally, a synthesis of findings was performed across the three frameworks, involving consolidating overlapping descriptions and removing redundancies (e.g., the same task mentioned across multiple frameworks). Variations in wording or emphasis across frameworks were carefully addressed to create unified and comprehensive task descriptions, preserving the core intended meaning for a municipal practitioner audience. This harmonization was informed by the researcher’s practical understanding of municipal cybersecurity operations.
The output, a synthesized set of cybersecurity tasks and their associated socio-technical aspects, directly informed the development of the card-sorting materials and the semi-structured interview guide used in Phase 2. This ensured that the expert interviews were grounded in established best practices while remaining relevant to the specific context of Norwegian municipalities. (See Figure 3 for an overview of the analysis process.)

3.1.2. Phase 2: Expert Interviews Incorporating Modified Delphi Card Sorting—Co-Creating a Practice-Based Capability Model

Expert interviews were chosen to gain in-depth, domain-specific knowledge [44,46]. The researcher’s professional standing facilitated recruitment and fostered a collaborative, co-creative dialogue [45]. The expert interview approach differs from purely phenomenological approaches by focusing on domain-specific expertise viewed through a practitioner lens, enabling critical discussion grounded in practical realities. “Experts” were defined as individuals with extensive, current cybersecurity experience within Norwegian municipalities, recognized by their peers in the municipal cybersecurity community [48]. The recruited contributors had an average of 7 years in municipal security roles and 16.5 years in security overall, representing various municipality sizes and IKSs (shared service providers).
Prior to participation, all participants were provided with detailed information about the study’s purpose and procedures and provided informed consent to participate, ensuring ethical research conduct. Data were anonymized during transcription and analysis to protect participant confidentiality.

3.2. Interactive Expert Interviews and Card-Sorting Activity: A Co-Creative Dialogue

Each expert interview session was designed as an interactive and iterative process forming a co-creative dialogue between the researcher-practitioner and the expert participant, centered around a modified Delphi card-sorting activity [11] and guided by a semi-structured interview approach based on Leavitt’s diamond aspects. The card-sorting methodology provides for an interactive interview with a tangible and engaging technique, thus benefiting the flow of the discussion and aiding in the discussion of abstract concepts. Card sorting is a method for knowledge elicitation used in several research areas to elicit mental models or domain knowledge. The method has its origin in psychological research [49], but has been used in different fields, such as developing human factors categories for learning from maritime accidents [50], for understanding differences in risk perception of online cybersecurity warnings between children and adults [51], or determining the required cybersecurity knowledge levels of strategic-level decision makers [52]. The cognitive load of card sorting with many cards [53] was addressed by using a modified Delphi approach [9], presenting participants with a model that they gradually modified.
While the traditional Delphi method aims for consensus-building through iterative rounds of expert consultation, this study adapts the card-sorting method primarily as a qualitative tool to: (a) structure the interview process around concrete cybersecurity tasks; (b) leverage the researcher’s and experts’ shared understanding of cybersecurity terminology to elicit knowledge about how these tasks are understood and categorized by experts in practice; (c) encourage interactive engagement and “thinking aloud” about complex, abstract concepts related to cybersecurity capabilities, fostering a collaborative exploration; and (d) provide a tangible artifact for exploring and refining a capability model together with each expert. The quantitative data generated by card sorting (e.g., measures of agreement) are considered secondary and serve primarily to support and contextualize the rich qualitative data derived from the sorting process and subsequent in-depth discussions.
While alternative methods such as brainstorming (focused on idea generation) and the Nominal Group Technique (NGT, for structured prioritization) exist for group input, this study required a method suited for the iterative co-creation of a nuanced capability model. Our modified Delphi approach, which incorporates interactive card sorting, was chosen because it enabled structured, tangible engagement with complex tasks, allowed for iterative refinement based on expert feedback, and generated rich qualitative insights through a “think-aloud” process [54]. This emphasis on collaborative model-building and understanding the “why” behind task categorization aligned more closely with our research goals than methods primarily focused on idea listing or ranking. A dedicated, open-source web-based tool was developed for the card sorting. The tool consists of a researcher interface that allows card sets to be imported for sorting and card-sorting results to be exported, and that provides functionality for quantitative analysis such as similarity matrices, dendrograms, and graph cluster analysis, together with an external interface through which the contributors of the study perform and submit card-sorting sessions. While off-the-shelf software for card sorting exists, it is commercial, and no open-source tool with suitable functionality, for example, for copying sorted sessions to support the continual Delphi sorting process, was found. The tool is made freely available to other researchers from [12].
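The similarity-matrix and clustering analysis mentioned above can be illustrated with a short sketch. This is an added example, not code from the study's tool [12]; the card names, the three sessions, the average-linkage rule, and the merge threshold are all assumptions constructed for illustration. It also handles partial sorts (such as a warm-up round) by scoring each card pair only over the sessions in which both cards were sorted.

```python
from itertools import combinations

# Constructed sample sessions (not data from the study): each session maps a
# participant-chosen group label to the task cards placed in that group.
SESSIONS = [
    {"Vulnerabilities": ["vulnerability scanning", "patching"],
     "Monitoring": ["centralized logging", "alert triage"],
     "Incidents": ["incident investigation"]},
    {"Prevent": ["vulnerability scanning", "patching"],
     "Detect and respond": ["centralized logging", "alert triage",
                            "incident investigation"]},
    # Partial sort, as in a warm-up round: only some cards were sorted.
    {"Operations": ["alert triage", "incident investigation"],
     "Hygiene": ["patching"]},
]


def similarity_matrix(sessions):
    """Return (cards, sim): sim[(a, b)] is the share of sessions in which
    cards a and b share a group, counted only over sessions that contain
    both cards. Keys are alphabetically ordered pairs."""
    cards = sorted({c for s in sessions for group in s.values() for c in group})
    together = {pair: 0 for pair in combinations(cards, 2)}
    seen = dict(together)
    for session in sessions:
        group_of = {c: label for label, group in session.items() for c in group}
        for a, b in combinations(cards, 2):
            if a in group_of and b in group_of:
                seen[(a, b)] += 1
                together[(a, b)] += group_of[a] == group_of[b]
    sim = {pair: (together[pair] / seen[pair] if seen[pair] else 0.0)
           for pair in together}
    return cards, sim


def cluster(cards, sim, threshold=0.5):
    """Agglomerative clustering with average linkage (an assumed choice).
    Repeatedly merges the two most similar clusters until the best
    available merge scores below `threshold`. The merge order is what a
    dendrogram would draw; the result is the cut at `threshold`."""
    clusters = [[c] for c in cards]

    def linkage(x, y):
        total = sum(sim[tuple(sorted((a, b)))] for a in x for b in y)
        return total / (len(x) * len(y))

    while len(clusters) > 1:
        score, i, j = max(
            (linkage(clusters[i], clusters[j]), i, j)
            for i, j in combinations(range(len(clusters)), 2)
        )
        if score < threshold:
            break
        clusters[i] = sorted(clusters[i] + clusters[j])
        del clusters[j]
    return sorted(clusters)


if __name__ == "__main__":
    cards, sim = similarity_matrix(SESSIONS)
    for pair, value in sim.items():
        print(f"{pair[0]:>24} | {pair[1]:<24} {value:.2f}")
    print(cluster(cards, sim, threshold=0.5))
```

Raising the threshold yields more, smaller candidate capabilities; lowering it merges tasks that only some participants grouped together.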
The interview sessions, lasting on average 1.5 h, were recorded to facilitate accurate transcription and detailed analysis and consisted of two main phases:
  • Warm-up: Participants performed an open sort with ~35% of the task cards (derived from the document analysis), providing their initial, unbiased (by a previous sort) categorizations. This leveraged the participant’s inherent understanding and served as an accessible entry point for familiarization with the tool;
  • Iterative Model Refinement: Participants were presented with the card-sorting model sorted by previous participants, which they refined based on their experience, guided by the interview themes (structure, people, technology, tasks). Throughout, a “think-aloud” protocol [54] was used, encouraging participants to verbalize their reasoning for why cards were sorted together. The following themes were discussed:
    • Structure: How are capabilities organized in practice? How do municipal structures facilitate or hinder them?
    • People: What roles, skills, and knowledge are essential? What are the real-world human resource challenges?
    • Technology: What technologies are used or needed, within municipal constraints? What are the practical challenges and opportunities related to technology adoption?
    • Tasks: Experts elaborated on their experiences, task interdependencies, and the practical scope of each capability.
This co-creative process, informed by both expert knowledge and the researcher’s perspective, facilitated a dynamic refinement of the capability model. The interactive nature of the process provided abundant opportunities to discuss aspects related to the themes as the relationships between tasks became evident through the sorting process.
The card-sorting process is illustrated in Figure 4, showing the process of an initial sort by one contributor, followed by partial sorts and changes to the initial sorted model (here denoted “refined sort”). The process continued until the Delphi model was considered stabilized, i.e., no further major changes were suggested by several contributors.

3.3. Data Analysis

The audio recordings from all expert interviews were transcribed and prepared for qualitative data analysis using NVivo software, a tool for managing and organizing qualitative data. Data analysis followed a thematic analysis approach, guided by the framework outlined by Braun and Clarke [55], a methodology that emphasizes flexibility and reflexivity throughout the process. The socio-technical framework (tasks, structure, technology, people aspects) derived from the document analysis served as an initial sensitizing framework for coding, providing a starting point for organizing and interpreting the interview data.
Initially, thorough readings of the transcripts were conducted to develop a comprehensive understanding of experts’ experiences, challenges, and insights. Subsequently, a systematic coding process was undertaken, employing a hybrid approach that integrated deductive codes derived from the socio-technical framework with inductive codes emergent from the data. This allowed for a structured analysis while maintaining sensitivity to practitioner perspectives. Following coding, the coded segments were examined in a rigorous iterative process to identify recurring patterns and develop overarching themes that captured key findings and their practical implications.
The final themes structure the results and discussion, directly addressing the research questions and providing actionable insights informed by expert co-creation and the researcher’s practitioner lens. Quantitative card-sorting data (e.g., agreement measures) are briefly described to contextualize the qualitative findings.

4. Results

This section presents the findings from our mixed-methods study, starting with the identification of core cybersecurity capabilities through the modified Delphi card-sorting study, followed by the structural, human, and technological aspects of these capabilities and the challenges and opportunities associated with each.

4.1. Results from Card-Sorting Activity—Forming Capabilities

As a result of the modified Delphi card-sorting study, the contributors sorted the tasks into six capabilities, as shown in Figure 5—a screenshot from the tool developed for the modified Delphi study [12]. As illustrated in the figure, the majority of tasks were placed in two capabilities—Secure Operations and Governance, Risk, and Compliance. During the sorting, contributors identified the tasks under Secure Operations as tasks normally managed by the municipality’s standard IT operations, such as access management, backup and recovery procedures, monitoring capacity, and secure configuration of systems. The Governance, Risk, and Compliance capability consisted of tasks where many of the contributors have their main responsibilities, sometimes as the sole person responsible or in cooperation with a few other resources. It contains tasks related to security governance, such as policy development and maintenance, strategic threat analysis, audit and review of compliance, and security awareness.
Security Operations was identified as a distinct capability, encompassing operational tasks related to detecting and responding to security incidents and managing the associated tools, notably SIEM (Security Information and Event Management) detection rules, vulnerability scanning and reporting, and forensic analysis. As discussed in the chapter on structure, this capability varies in maturity and approach among municipalities; some have outsourced this capability, others maintain internal capabilities, while still others incorporate these tasks into their IT operations.
The contributors also identified a set of tasks attributed to System Ownership—tasks related to system access management and review, managing supplier risk and compliance, and critical dependencies. These tasks were reported to be responsibilities of system owners in the functional areas (education, healthcare, municipal operations such as water and sewage, etc.). As will be discussed in the chapter on structure, while this responsibility is formally defined, contributors voiced concerns about the practical ability of the functional areas to perform these tasks, as well as the ability of central services, such as the security operations and governance capabilities, to support the functional areas in this.
Only the larger municipalities are conducting internal software development—activities related to this were identified under the Development capability—and contributors reported a limited maturity of this security capability, with resources mainly connected to the Governance, Risk, and Compliance (GRC) capability offering some support for secure development activities, mostly on an ad hoc basis. Finally, Penetration Testing was identified as a separate activity and capability, primarily because this activity is mainly delivered by external specialized competence. Activities around advanced forensic analysis and critical incident management were also considered as possible candidates for external delivery by several contributors.
In some cases, a task that could only be placed in one category led to a discussion on where to categorize the task—an example would be an activity such as “Regularly review granted access approvals”, where the practical work of reviewing access rights is performed in the business units, but central IT is responsible for tools and processes to support the activity. In these cases, the task was generally placed where the process responsibility is placed. From the discussion, it was clear that many of these tasks were, or could be, supported by technology that supports task distribution, for example identity and access management (IAM) tools that allow for central governance, but distributed task execution, of access management decisions.

4.2. Quantitative Analysis

As indicated in the Methodology Section, the quantitative data generated by card sorting (e.g., measures of agreement) are considered secondary and serve primarily to support and contextualize the rich qualitative data derived from the sorting process and subsequent in-depth discussion.
Some quantitative data were collected from a small subset (35%) of the cards, sorted individually as a warm-up exercise. With the limited number of participants and the subset of cards, the data have limited value for statistical analysis, but the developed card-sorting tool supports a graph-based visualization of agreement [56] that can indicate clusters of related tasks. The graph is generated based on a set level of agreement, and a graph based on the 75% agreement level is presented in Figure 6. The figure indicates one primary cluster of tasks, primarily related to Secure Operations, but also containing elements from Security Operations. The other clusters relate primarily to the Governance, Risk, and Compliance capability, with one cluster primarily related to Secure Development. While the generated statistics have limited statistical value due to the low sample size, they show weak support for the structure identified through the modified Delphi-based interview sessions. The combination of Secure Operations and Security Operations may be interpreted as an indication of the existing status for many municipalities, where such a differentiation does not yet exist formally, or in practice.
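How a thresholded agreement graph of this kind can be computed, as an added example that is not the study's tool or data: the four sessions below are constructed, and defining agreement as the share of sessions that place two cards in the same group, with clusters taken as connected components, is an assumption rather than necessarily the method of [56].

```python
from itertools import combinations

# Constructed warm-up sorts (not the study's data): one dict per participant,
# mapping that participant's own group label to the task cards placed in it.
SESSIONS = [
    {"Operations": ["Access management", "Backup and recovery",
                    "Secure configuration", "Vulnerability scanning"],
     "Detection": ["SIEM detection rules"],
     "Governance": ["Policy development", "Compliance audit", "Security awareness"]},
    {"IT ops": ["Access management", "Backup and recovery", "Secure configuration",
                "Vulnerability scanning", "SIEM detection rules"],
     "GRC": ["Policy development", "Compliance audit"],
     "Training": ["Security awareness"]},
    {"Secure ops": ["Access management", "Backup and recovery", "Secure configuration"],
     "SecOps": ["SIEM detection rules", "Vulnerability scanning"],
     "GRC": ["Policy development", "Compliance audit", "Security awareness"]},
    {"Ops": ["Access management", "Backup and recovery", "Secure configuration",
             "Vulnerability scanning", "SIEM detection rules"],
     "GRC": ["Policy development", "Compliance audit", "Security awareness"]},
]


def pairwise_agreement(sessions):
    """Fraction of sessions that place each card pair in the same group.

    The denominator counts only sessions in which both cards were sorted,
    so a card skipped by one participant does not lower its agreement.
    Group labels are compared only within a session, never across sessions.
    """
    same, seen = {}, {}
    for session in sessions:
        group_of = {card: label for label, cards in session.items() for card in cards}
        for pair in combinations(sorted(group_of), 2):
            seen[pair] = seen.get(pair, 0) + 1
            if group_of[pair[0]] == group_of[pair[1]]:
                same[pair] = same.get(pair, 0) + 1
    return {pair: same.get(pair, 0) / seen[pair] for pair in seen}


def agreement_clusters(sessions, threshold):
    """Clusters = connected components of the graph whose edges are the
    card pairs with agreement >= threshold. Largest cluster first."""
    agreement = pairwise_agreement(sessions)
    cards = sorted({c for s in sessions for group in s.values() for c in group})
    neighbours = {card: set() for card in cards}
    for (a, b), fraction in agreement.items():
        if fraction >= threshold:
            neighbours[a].add(b)
            neighbours[b].add(a)

    clusters, visited = [], set()
    for start in cards:
        if start in visited:
            continue
        stack, component = [start], set()
        while stack:  # iterative depth-first walk of one component
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(neighbours[node] - component)
        visited |= component
        clusters.append(sorted(component))
    return sorted(clusters, key=lambda c: (-len(c), c))


if __name__ == "__main__":
    for level in (0.75, 1.0):
        print(f"agreement >= {level:.0%}")
        for cluster in agreement_clusters(SESSIONS, level):
            print("  ", cluster)
```

With this constructed data, "SIEM detection rules" joins the operations cluster at the 75% level only through the bridging card "Vulnerability scanning", and the two separate again at 100%, which is the kind of chaining to keep in mind when reading a single large cluster in such a graph.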
We will now continue with the results from the qualitative interviews based on the card-sorting activities, discussing the structural, people, and technology aspects, as well as the emergent theme of cooperation strategies.

4.3. Structure

Structural issues in Leavitt’s diamond model pertain to organizational hierarchy, functional organization, departmentalization, formalization, and communication channels [9]. Contributors identified several key structural challenges that hinder the ability to sustain municipal cybersecurity capabilities. These challenges are evident in the ambiguous formalization of security roles and responsibilities, difficulties in sustaining essential internal cybersecurity proficiencies, and complexities in integrating central cybersecurity functions within the inherently distributed municipal IT environment, particularly amidst rapid digitalization efforts and the ongoing transition to cloud services.

4.3.1. Formalization of Security Roles and Responsibilities

The formalization of security roles and responsibilities within municipalities presents a spectrum of approaches, impacting both authority and accountability. Contributors reported varying levels of formal role definition, which consequently shapes the operational reality of cybersecurity within municipal contexts. A crucial distinction lies between formal authority, as dictated by organizational structure, and the actual authority wielded in practice. Unless a dedicated security function exists as a distinct department, formal authority tends to be either distributed across various functional areas, such as schools or health services, or centralized within a core IT function. In the latter case, an IT manager may often unofficially adopt security responsibilities, sometimes reflected in titles like “security manager.” Conversely, larger municipalities may position a security role, or even a function of varying scale, closer to the municipal leadership, whether at the political or administrative level, affording it potentially greater visibility and influence, but less direct operative interaction with both functional areas and central IT services.
Across municipalities, several variations in the formal definition of security roles were observed. Some municipalities operate with no or low formal definition of a security role, essentially considering security as an inherent responsibility of the head of IT. In other cases, a security role exists as a component within the IT department, reflecting a closer integration with technical operations. Moving beyond IT, some municipalities have established a security role outside of IT, directly reporting to a municipal director, signaling a higher organizational priority and separation of security governance from IT operations. Furthermore, dedicated structures include a security department as part of IT, indicating a recognized specialization within the technical domain, or, at the most formalized level, a security department situated entirely outside of IT, emphasizing its strategic importance and independence from day-to-day IT management. These structural variations demonstrate the differing organizational priorities and approaches to embedding cybersecurity within municipalities.

4.3.2. Organizational Structure of Cybersecurity

The organizational structure and departmentalization of cybersecurity functions are critical aspects of municipal cybersecurity posture. The placement of security functions within the broader organizational framework, whether centralized or distributed, within or outside of IT, influences coordination, resource allocation, and overall effectiveness. Contributors highlighted the ongoing tension between centralizing cybersecurity expertise and the distributed nature of municipal operations, particularly as municipalities increasingly adopt cloud services and decentralized IT systems.
The decision between centralized and distributed security functions presents municipalities with challenging trade-offs. Centralizing cybersecurity functions, potentially within a dedicated department or within central IT, offers advantages in terms of resource consolidation, standardized policy enforcement, and specialized expertise. However, it can create challenges in responsiveness to the diverse needs of functional areas and may lead to a disconnect from the operational realities within those areas. Conversely, distributing security responsibilities across functional areas can foster greater ownership and contextual understanding within each domain. However, this approach risks inconsistencies in security standards, duplicated efforts, and a lack of overall strategic direction.
Integrating central cybersecurity functions with distributed functional areas presents significant hurdles. As contributors noted, system ownership typically resides within the functional areas, with the central IT department focusing on shared services. This distributed ownership model raises concerns about the varying levels of security focus and priority across these functional areas. Furthermore, some tasks, like risk assessments, often require central governance to ensure consistency, thoroughness, and sufficient rigor across the municipality. The integration challenge is further compounded by the transition to cloud services, which disperses IT infrastructure and data, demanding new models for centralized oversight and distributed accountability in security management.

4.3.3. Sourcing of Cybersecurity Capabilities—Internal vs. External

Structural issues also involve decisions about sourcing, and a key strategic choice centers on whether to build and maintain these capabilities in-house or rely on external providers. Certain capabilities require capacities that many municipalities find difficult to establish due to infrequent usage, the need for 24/7 personnel availability, or specialized knowledge that is scarce in the market. Recruitment challenges, particularly in cybersecurity, emerged as a recurring theme from contributors, who cited both salary levels and strong local competition from other private and public sector employers as factors contributing to difficulties in attracting specialized cybersecurity talent.
Several specific cybersecurity capabilities were identified as particularly challenging to maintain internally. Skills in advanced digital forensic analysis exemplify this, requiring continuously updated knowledge of evolving adversary tactics and techniques, both in theory and practice. The infrequent occurrence of large-scale, advanced attacks within a single municipality makes it difficult to justify and sustain these highly specialized skills in-house. Similarly, penetration testing demands ongoing learning and practical application to remain current with evolving tools, techniques, and changes in the technologies being tested. Only a few municipalities reported having some internal testing capacity, but the amount of externally sourced testing is also variable. Several contributors reported satisfaction with the service provided by the Helse- og kommuneCERT, or with services provided by private companies in this area. However, some municipalities also see value in building internal security testing competence, encouraging participation in CTFs (capture the flag events, held online or physically, in which participants learn and practice cybersecurity skills, often by competing to break into systems, discover information, or protect against attacks) and providing tools and equipment for motivated employees.
The growing perception of an increased threat level, fueled by geopolitical instability, awareness of municipal cybersecurity incidents, rapid digitalization, and increasingly sophisticated attacker capabilities (including AI-driven threats), drives a need for the establishment of 24/7 security monitoring. While some municipalities have some sort of 24/7 availability of IT support services, particularly related to health care services, 24/7 cybersecurity monitoring is not something that most municipalities have. Internal monitoring services are described as mainly being reactive, responding to alerts from existing tooling, with limited capacity for more advanced Security Operations Center (SOC) activities, such as threat hunting. While some contributors had security resources available on call, these resources were not necessarily on active duty. As a result of this, some reported having been alerted to security incidents by external parties such as security vendors or private individuals. Much of the operational cybersecurity work, such as monitoring and responding to alarms, is in some instances reliant on “volunteer work”—internal resources catching alarms and checking up on notifications in their free time. However, there is also the risk of having no one available to receive alarms due to holidays, illness, or private activities.
However, an external SOC is still dependent on local resources with an understanding of the local infrastructure, and contributors expressed doubt that an external SOC with many customers would be able to have the necessary knowledge about local dependencies and configuration to be able to manage an incident in the internal infrastructure.
Finally, incident response capabilities, beyond basic monitoring and detection, also present challenges. While municipalities reported varying levels of confidence in their internal incident response capacity and planning (including playbook development), this domain is widely considered difficult to outsource entirely. Effective incident response heavily depends on a deep internal understanding of municipal systems, their interdependencies, and the organizational impacts of an attack. Some contributors who reported having previously experienced a significant cybersecurity incident relied on external resources to support the investigation and incident management activities. While some have active agreements with incident response service providers, one respondent also strategically chose not to have a standing agreement, instead opting to choose the right provider when needed.

4.3.4. Outsourcing and Its Limitations

The municipalities included in the study have organized IT operations differently, with some choosing to outsource large areas of responsibility to either mutually owned municipal service providers (IKSs) or professional ICT operations service providers in the open market. However, some contributors also cited a desire to build a strong internal IT function, as this was seen by ICT leadership to provide flexibility in meeting the organization’s IT needs, stronger ownership of issues, and the possibility of working with continual improvement.
Outsourcing operational security tasks, such as security monitoring through SOC services, presents a potentially viable solution, particularly for smaller municipalities facing resource constraints. However, for those municipalities that have outsourced SOC services, this has not been without challenges. An outsourced SOC creates a new interface between organizations, and some reported challenges regarding tuning of alerts, false positives, and receiving sufficient attention from the provider. However, a managed SOC service also brings new opportunities for automation, speeding up processes that were previously manual. Some also expressed doubt that an external SOC with many customers would be able to have the necessary knowledge about local dependencies and configuration to be able to manage an incident in the internal infrastructure.
Contributors also voiced concerns about the ability of smaller municipalities to effectively interact with and utilize SOC services. These concerns include difficulties in integrating internal systems with SOC platforms and challenges in responding to SOC alerts with sufficient internal competency, also suggesting that successful utilization of mature SOC services is contingent upon the security maturity of the customer organization itself. Due to this concern, some contributors suggested that centralizing IT operations to larger units more broadly could enhance municipalities’ ability to manage security, including outsourced security services, but this broader outsourcing was seen as contentious by others, reporting a strong focus from municipal IT leadership to build robust internal IT services to ensure control and tight integration with municipal functional areas.

4.3.5. Communication and Integration Across Functional Areas and Central IT

Effective communication and integration between central cybersecurity functions and the diverse functional areas of a municipality are paramount for a cohesive security posture. However, significant challenges persist in bridging the gap between central IT security and the operational realities of functional departments like healthcare, water, and education.
Several contributors described challenges related to the integration between central cybersecurity and functional areas. A recurring issue is the lack of early cybersecurity involvement in new projects and digitalization initiatives. Frequently, cybersecurity’s contribution is limited to providing standardized security requirements during the acquisition phase, often late in the project lifecycle. This late engagement has several detrimental consequences, and contributors voiced concerns that security requirements may become generic and ill-suited to the specific context of the project, failing to address nuanced risks. Furthermore, risk identification often occurs too late, sometimes with a limited understanding from functional areas regarding the potential operational and service consequences of identified vulnerabilities.
The widely varying nature of ICT within municipalities presents a significant challenge to applying uniform security frameworks and guidelines. While major frameworks and official guidance often focus on general enterprise IT, municipalities operate a diverse range of specialized systems, including SCADA systems for critical infrastructure like water supplies and specialized healthcare/welfare technology solutions. Translating general security requirements, such as asset management and logging, to these specialized domains proves to be complex. As one respondent aptly described it, “municipalities are 50 different companies in a messy enterprise”. Although central security resources may be involved during the procurement of these specialized systems, the ongoing security management and continual verification of technical and organizational security controls for these systems often falls to the functional areas. These areas, however, often lack the specialized security competencies required to effectively manage the unique security challenges posed by these complex and often critical systems.

4.4. People

The people aspect of the socio-technical cybersecurity capabilities focuses on roles, skills, and knowledge. The analysis draws upon discussions during the card-sorting process followed by a discussion of the ENISA European Cybersecurity Skills Framework (ECSF) [32], to understand the realities and challenges faced by municipal cybersecurity professionals in recruitment, knowledge management, and skill development.

4.4.1. Cybersecurity Roles in Municipalities

The ENISA European Cybersecurity Skills Framework (ECSF) provides a comprehensive set of cybersecurity roles, and contributors discussed the relevance of these roles in the municipal context, considering their relation to identified cybersecurity capabilities and tasks. Table 1 illustrates the relationships identified between the cybersecurity capabilities and corresponding ECSF roles.
As shown in Table 1, most ECSF roles were deemed relevant to municipal cybersecurity, with the exception of Cybersecurity Researcher. Contributors affirmed the importance of these roles in principle, recognizing their functional descriptions. No direct link between the ECSF roles and the System Ownership and Secure Development capabilities was identified. While the ECSF roles were seen as relevant, the municipalities experienced challenges in adapting the roles to the practical reality of municipal cybersecurity practice.

4.4.2. Adaptation and Practical Realities: Role Combination and Dispersion

The contributors indicated that the number of roles and specializations in the ECSF is deemed unachievable given the current organization of municipal ICT services, including cybersecurity. This results in individuals experiencing too many tasks and, especially in smaller organizations, a lack of professional support for discussing complex cybersecurity issues. This lack of resources to fill the roles also contributes to a less proactive stance, with cybersecurity struggling to keep pace. This leads to risks being identified late in the process, ultimately affecting efforts to implement digital solutions.
Facing a situation of both a general lack of personnel with sufficient knowledge and skills (in relation to the ECSF role definitions) and understaffing/under-resourcing, the municipalities utilized two main strategies: role combination and role dispersion. Contributors described that roles are frequently combined—for example, Cybersecurity Architect, Implementer, and Incident Responder for a technical role or CISO, Risk Manager, and Auditor for a governance-focused role. In smaller municipalities, where no dedicated technical security role is established, the technical role is also combined with other technical tasks outside cybersecurity. On the other hand, several persons could collectively serve a role (role dispersion); an example was a cross-functional group serving as a joint CISO function.
Particularly in smaller organizations, the lack of dedicated colleagues to discuss complex cybersecurity issues and share the workload was acutely felt. This resource scarcity contributes to a more reactive cybersecurity posture, where efforts struggle to keep pace with emerging threats and proactively address vulnerabilities. Consequently, risks are often identified late in the process, at times hindering the effective implementation of secure digital solutions. In some instances, contributors conceded that some roles exist as “paper roles”—formally recognized but lacking sufficient resources, dedicated skills, and role-specific knowledge for effective fulfillment. Conversely, some cybersecurity roles have evolved organically, with personnel in these positions described as having “created their own role” based on necessity and individual initiative.
Most contributors reported challenges in recruiting personnel with documented cybersecurity education or experience, such as market competition for the same resources, limitations on salaries compared with the private sector, or geographical location.

4.4.3. Types of Cybersecurity Knowledge

The respondents identified two categories or types of knowledge as relevant for cybersecurity in the municipal context—firstly, specific cybersecurity skills and knowledge, and secondly, contextual, rich experience, knowledge, and skills in local municipal ICT systems and operational practices. Specific higher education programs for cybersecurity are relatively new, and for this reason, personnel with a formal educational background in cybersecurity frequently have limited experience. These younger, more mobile personnel with specialized security knowledge are challenging to recruit, and the municipalities face harder competition with local private sector employers. For many, a set of senior, experienced resources forms a backbone of knowledge and experience. One contributor framed this as municipalities being dependent on “good people doing the right thing”.

4.4.4. Strategies for Addressing the Skills Challenge

The identified knowledge gaps, coupled with recruitment challenges, necessitate proactive strategies for internal skill development and knowledge building within municipalities. When specific cybersecurity roles are challenging to establish and fill, contributors highlighted the importance of the general cybersecurity culture in the ICT departments and how the non-security-specific roles must actively focus on securing the systems they are responsible for. One strategy identified by the contributors to foster the development of these “good people” is to encourage participation in cybersecurity events like “Capture the Flag” training (CTFs). CTF participation, encouraged by IT leadership, was seen as an important tool for motivation. It was seen to serve as an activity for “building the whole team”, and not just the security experts. Contributors reported benefits of participation, both on a technological and organizational level. One example was using the learning from participation to adjust internal security monitoring, an example of the people aspect directly affecting the technology aspect. When participating in events where other municipalities also participated, the activity was also seen to create bonds between municipalities—providing access to colleagues in similar roles for discussion and the exchange of ideas.

4.5. Technology

Technology, as the fourth aspect of Leavitt’s diamond, functions as the means by which cybersecurity personnel occupying various roles execute the majority of identified tasks. Consequently, technology is critical to both the nature and manner in which tasks are performed, as well as the overall efficiency of task execution.

4.5.1. Evolving Municipal ICT Landscape and Cybersecurity Technology Needs

Municipal ICT infrastructures are undergoing major transformations. This includes the increasing adoption of cloud services, encompassing both SaaS applications and Infrastructure-as-a-Service from international hyperscalers. Simultaneously, the increasing digitalization of municipal services involves developing, introducing, or improving digital solutions for citizen communication, welfare technology in healthcare, and IoT and industrial control systems for technical services. This architectural shift increases the potential external attack surface, as municipal systems become more exposed through web applications, APIs, and cloud service interfaces. Concerns reported include vulnerabilities in these new application layers and the complexities of managing security configurations across diverse cloud platforms. To mitigate these expanding attack surfaces and manage the complexities of cloud security, municipalities require new categories of security tools. The contributors reported concerns related to solutions for enhanced information classification to manage data in diverse cloud environments, tools to enforce evolving compliance rules across hybrid infrastructures, and modern data protection platforms adapted to cloud-native architectures. Furthermore, capabilities for effectively scanning and managing vulnerabilities in these expanded and more dynamic environments were seen as crucial.

4.5.2. Challenges in Implementing Key Security Technologies

Security monitoring and detection services and the related incident response were identified in the capability model as a central capability, in line with industry recommendations of “assuming breach” [57]—a security approach premised on recognizing that no system is impenetrable, and that emphasizes early detection and rapid response to minimize the impact of security incidents. However, respondents indicated that implementing effective security monitoring technology presents significant challenges. Sophisticated Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tools, while offering advanced capabilities, were reported, by those who had experience with them, to be complex to deploy and manage within municipal contexts. Specifically, contributors highlighted the substantial effort required for continuous tuning of detection rules and alerts within these systems. This ongoing adaptation demands specialized knowledge and dedicated personnel, which are often scarce resources in municipalities. Some municipalities recounted experiences trialing advanced SIEM/SOAR platforms, where vendors initially presented the tools as requiring minimal administrative overhead. In practice, however, these tools demanded significant internal capacity for ongoing tuning, adaptation, and customization—levels of expertise and resources that exceeded the municipalities’ available capacity.

4.5.3. Continual Vulnerability Management

Beyond sophisticated security monitoring, basic vulnerability management practices also presented technological challenges. Several contributors reported a lack of internal tooling and dedicated resources for conducting routine vulnerability scanning of their ICT infrastructure. As a result, many municipalities rely on external vulnerability scanning services, such as those provided by Helse- og KommuneCERT. While valuable, reliance on external scanning may limit the frequency and scope of vulnerability assessments compared to establishing internal, continuous scanning capabilities.

4.5.4. Distributed Risk Analysis Tools

In relation to the security governance capability, several contributors expressed interest in supporting a distributed risk analysis process. The goal was to delegate responsibility for system-level risk analysis to system owners, empowering those closest to the systems to actively participate in risk management. However, the technological tools intended to support this distributed approach were often reported to be a barrier rather than an enabler. Contributors indicated that employees, frequently from diverse functional areas with varying levels of technical expertise, found the risk analysis tools to be inflexible and difficult to use. This poor usability inhibited broad adoption of the tools across the organization and undermined the potential for efficiently supporting a truly distributed governance process. These challenges in implementing user-friendly risk analysis tools directly impact the System Ownership capability, as system owners are hampered in their ability to effectively perform delegated risk analysis responsibilities if the provided tools are cumbersome and inefficient.

4.5.5. Perspectives on Artificial Intelligence (AI) in Municipal Cybersecurity

Respondents expressed diverse perspectives regarding the potential impact of Artificial Intelligence (AI) on cybersecurity work within municipalities. Some contributors voiced optimism that AI could offer valuable support for challenging capabilities, particularly in areas like security monitoring and incident response. They envisioned AI assisting IT personnel in analyzing complex event logs, identifying anomalies, and suggesting appropriate response actions, potentially enhancing the efficiency and effectiveness of security operations. Conversely, other respondents expressed less optimistic views regarding the near-term impact of AI. Concerns were raised about the current limitations of AI in understanding context-specific nuances within complex municipal infrastructures. Furthermore, practical challenges around integrating AI solutions with existing, heterogeneous municipal IT environments were highlighted as potential barriers to realizing the benefits of AI in the cybersecurity domain.

4.6. Cooperation Strategies

Given the size and structure of municipalities, as well as the challenges in developing sufficiently sustainable capabilities, cooperation has emerged as a common theme and a potential strategy to address individual weaknesses. In the municipal context, cooperation is a multi-level strategy that can occur both internally within the organization and externally, operating on operational, tactical, and strategic levels. This cooperation may be both formal and informal, inter-organizational or peer-to-peer on an individual level—Table 2 shows some reported types of external cooperation.
The cybersecurity domain is becoming more regulated, with new legal frameworks such as GDPR and NIS2, as well as smaller domain-specific national regulations. The municipalities have different approaches to the process of keeping up with changes to regulations. While some have support from internal legal resources, others draw on active participation in professional security associations and membership associations as a way to stay updated, participate in discussions, and provide feedback on hearings of new legislation and regulations.
A practice that has been adopted in some instances to compensate for the lack of sufficient skilled resources is developing shared risk assessments for common applications and ICT services. In these instances, participants, either consultants or available resources from municipalities, are assembled in a shared project to develop generic risk assessments for municipalities. The stated intention is often to ease and speed up the adoption of new solutions. Sharing of risk assessments between municipalities has also been encouraged, but some contributors shared a concern that municipalities with insufficient resources and skills would be unable to adapt these risk assessments to their own technical and organizational security controls. This was perceived as a risk of “ticking a checkbox” for performing a risk assessment without actually assessing risk and potentially adapting their security controls based on the risk assessment.
The municipalities also have several vendors in common that deliver ICT solutions in specialized areas like healthcare, water supply, and education. Supply chain and vendor cybersecurity management is seen as a challenge but also as an opportunity for cooperation—by sharing results or by running audits cooperatively, fewer resources would be used both on the supplier and customer side. However, such an arrangement would require some form of formal establishment of structures and financial support to keep the work going—the cooperation has so far been arranged through temporary structures.
While cooperation offers municipalities a pathway to address cybersecurity capability weaknesses and navigate regulatory demands through diverse formal and informal mechanisms, realized benefits are tempered by challenges in adapting shared resources (such as risk assessments) to specific contexts and the need for more robust, sustained organizational structures to fully leverage cooperative opportunities.

5. Discussion

This study’s findings, derived from a mixed-methods approach, reveal a nuanced picture of municipal cybersecurity capabilities, categorized into six core functions. However, across the structural, human resource, and technological domains, significant implementation challenges emerge. Results point to ambiguous role formalization, skills gaps exacerbated by recruitment limitations, difficulties in deploying and managing sophisticated security technologies, and persistent communication silos. These findings collectively highlight the need for municipalities to address fundamental organizational and resource constraints to effectively mature and sustain their cybersecurity capabilities.

5.1. Misalignment and the Weakening of Municipal Cybersecurity Capabilities

While Leavitt’s diamond is a useful tool for identifying and categorizing socio-technical aspects of municipal cybersecurity, its strength lies in highlighting the dynamic interdependence of structure, people, and technology in enabling effective tasks and building sustainable capabilities. The individual elements are mutually influencing and must be aligned to achieve organizational effectiveness. In the context of municipal cybersecurity, this implies that sustainable capabilities are not simply the sum of well-defined structures, skilled personnel, and advanced technology but depend on the mutual interplay between these elements. Several examples of this interplay and mutual dependence can be identified in the empirical material.
Consider the challenge of supporting diverse functional areas within municipalities. As our results in the Structure subsection highlighted, a distributed governance model that delegates responsibility for certain specific tasks to the functional areas is regarded as efficient and desirable. However, technological and socio-technical support are crucial to ensure efficient alignment with central policies and strategy. For instance, regarding the System Ownership capability, tasks related to identity and access management (IAM) and third-party security emerged as key distributed responsibilities. While centralized IAM technology can enhance efficiency and accuracy through automation, its effectiveness in creating synergies for collective action is entirely dependent on the people dimension—requiring skilled IAM engineers to manage the technology and, crucially, cross-organizational support structures to ensure the functional areas effectively adopt and utilize the system. Similarly, the efficient distribution of tasks related to third-party/supplier cybersecurity relies on the proper skills of system owners but is hindered by low-quality or complicated technological solutions for risk management, as reported in the Technology subsection. This inhibits cross-organizational risk awareness and impacts the governance structure, demonstrating how misalignments in socio-technical aspects can significantly impede the overall cybersecurity capability.

5.2. The Case of System Ownership—From Role to Capability

The contributors identified System Ownership as a specific capability in the municipal context, comprising tasks closely related to the secure administration and management of applications and systems specific to the municipal functional areas, such as access management and supplier management (including compliance, risk, and supply chain management). This capability aligns with a similar role/function described by the national governmental security advisory from DigDir [58], specifying similar responsibilities related to system-specific risks. Particularly in the transition to SaaS and cloud services, where systems are moved out of centrally governed infrastructures, the importance of the security competence of this role will increase. Given the importance of this role, focusing on education and guidance tailored for this role could improve the people aspect [59], but from a capabilities perspective, focusing solely on role development would be sub-optimal. From a socio-technical capability perspective, System Ownership can be seen not just as a role (as described in the governmental guidance) but as a capability, implying that it should be supported not only by personnel with knowledge (a specific role with related skills and knowledge requirements) but also by technology (such as identity and access management (IAM) and third-party risk analysis and threat exposure management software) and by proper structural support (clear role definitions, management priority, funding, communication and reporting structures, and process definitions). By acknowledging the link from role to structure, technology, and tasks, the necessary skills and training, for example, in related technologies, become apparent.

5.3. Capability Maturity and the Path to Sustainable Municipal Cybersecurity

Our study’s categorization into six broad capabilities, informed by practical experience and awareness of structural limitations and resource constraints in municipal organizations, aligns with the understanding that many municipalities operate at lower maturity levels. As capability maturity models suggest [60,61], progression towards higher maturity—essential for sustainable cybersecurity—demands a shift towards more granular, specialized, and integrated functions. While ISO 27002’s 15 operational capabilities represent a more mature and detailed framework, reflecting a higher level of specialization, our findings suggest that municipalities are still largely operating at a level where broader capabilities are more practically relevant. A maturation process will require a holistic approach that simultaneously develops structure, people, technology, and tasks in an integrated fashion to move beyond the limitations of broader, less differentiated capabilities.
Our findings indicate that municipalities, due to size, share many of the same challenges as small and medium enterprises (SMEs), including aspects such as limited resources, low formalization, multiple roles or responsibilities within one position, and limited procedural formalization [62,63]. The identified resource limitations and structural constraints imply that significant improvements are likely to require larger structural changes enabling sufficiently resourced units capable of supporting more granular roles in line with the ECSF role definitions, and supported by state-of-the-art technology, enabled either through effective service sourcing strategies, more formalized cooperation, or public sector shared services [17,64]. However, a push towards outsourcing needs to take into account a concurrent need for customer purchasing competence, the need for an operational unit able to interact with an outsourced security provider, as well as outsourcing-specific costs, difficulties measuring security results, and potential lock-in effects [42].

6. Conclusions and Further Work

This study examined the challenges and opportunities in developing sustainable cybersecurity capabilities within Norwegian municipalities, using a socio-technical perspective. Through a mixed-methods approach that combined document analysis with expert interviews and a modified Delphi card-sorting technique, we identified six core cybersecurity capabilities practiced within these organizations: Secure Operations; Governance, Risk, and Compliance; Security Operations; System Ownership; Development; and Penetration Testing. Our findings reveal significant, interdependent challenges across structural, human resource, and technological dimensions that hinder the sustainability of these capabilities. These challenges include unclear role definitions, skills gaps, difficulties in deploying advanced security technologies, and communication barriers. The study also highlighted the use and potential of various cooperation strategies to address some of these inherent challenges.

6.1. Managerial and Practical Implications

The insights generated offer several practical implications for municipal stakeholders. Firstly, this research provides practitioners with a deeper understanding of current cybersecurity practices, challenges, and opportunities, specifically within the Norwegian municipal sector. The identified capability model, developed collaboratively with experts, can serve as a valuable framework for internal discussion and strategic planning regarding the organization and distribution of cybersecurity tasks and responsibilities. Secondly, the card-sorting tool developed for this research is presented as a practical resource. It can function as a “boundary object” [65] to facilitate more concrete and actionable dialogue about cybersecurity structure and needs between diverse stakeholders, such as municipal leadership, central IT/security staff, and functional area managers.
For policymakers, the study enhances the understanding of the current maturity level of municipal cybersecurity. It suggests potential strategies such as formalizing cooperation structures for shared capabilities (including monitoring and third-party audits) and initiating essential discussions regarding the sustainable sizing and resourcing of municipal ICT and cybersecurity services.

6.2. Limitations of the Study

The current study has limitations in terms of sample size, although the number of participants is within the recommended range [11]. Especially prominent is the lack of perspectives from small municipalities—given that the average number of ICT employees in small municipalities is very low (small municipalities may have only 1–2 ICT employees), specialist cybersecurity competence would not be expected and was not identified during contributor recruitment. Given that municipalities, small and large, are obliged to serve the same functions, it would be expected that the challenges identified in this study are similar there, if not present to a larger extent. The study is also limited to Norway, and further research should investigate international similarities and differences.
While the limitations impact generalizability, our methodology, which is based on grounding existing expert knowledge from international and national best practice guidelines through a rigorous document analysis and a structured methodology to engage working municipal cybersecurity expertise, is transferable to other organizations and provides a crucial understanding of key challenges and opportunities in developing sustainable socio-technical cybersecurity capabilities in Norwegian municipalities.

6.3. Recommendations for Future Research

The findings open several avenues for future research. Further investigation into how municipalities can strategically develop cybersecurity capabilities through sensing, seizing, and transformation—concepts associated with dynamic capabilities—could yield valuable insights [66]. Correctly scaling IT capabilities also remains a complex challenge. Studies could collect data on workload expectations for cybersecurity tasks in the municipal context to provide a better foundation for proper sizing of cybersecurity organizations. This information could also be used to build socio-technical cybersecurity simulation models, providing organizations with a better understanding of practical integration and the effect of sustainable capabilities [67,68].
From a research perspective, this study enhances the understanding of the practical challenges in translating abstract security standards into operational capabilities within resource-constrained environments. The employed card-sorting methodology provides a means to elicit richer and more tangible contributions from subject matter experts in future cybersecurity research.

Author Contributions

Conceptualization, A.V.; methodology, A.V.; writing—original draft preparation, A.V.; writing—review and editing, A.V. and B.Y.; supervision, B.Y. All authors have read and agreed to the published version of the manuscript.

Funding

This work has received funding from the Research Council of Norway through the SFI Norwegian Centre for Cybersecurity in Critical Sectors (NORCICS) project no. 310105.

Data Availability Statement

The data presented in this study are available on request from the corresponding author due to privacy regulations.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. DigDir. Arbeidet Med Informasjonssikkerhet i Fylkeskommuner og Kommuner|Digdir. Available online: https://www.digdir.no/informasjonssikkerhet/arbeidet-med-informasjonssikkerhet-i-fylkeskommuner-og-kommuner/2102 (accessed on 19 September 2024).
  2. Sævold, H. “Dataangrepet Mot Østre Toten: Ekstern Rapport Fant Flere Svakheter,” Digi.no. Available online: https://www.digi.no/artikler/kommune-etter-dataangrep-i-januar-noen-tjenester-er-fortsatt-nede/512959 (accessed on 17 February 2025).
  3. Center for Internet Security. 2022 Nationwide Cybersecurity Review Summary Report. Available online: https://www.cisecurity.org/insights/white-papers/2022-nationwide-cybersecurity-review (accessed on 20 September 2024).
  4. Datatilsynet. Funn Fra Tilsyn i Kommuner og Fylkeskommuner. Available online: https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/funn-fra-tilsyn-i-kommuner-og-fylkeskommuner/ (accessed on 7 January 2025).
  5. Joint Task Force Transformation Initiative. Guide for Conducting Risk Assessments; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2012; Report nr. NIST SP 800-30r1.
  6. Hasani, T.; O’Reilly, N.; Dehghantanha, A.; Rezania, D.; Levallet, N. Evaluating the Adoption of Cybersecurity and Its Influence on Organizational Performance. SN Bus. Econ. 2023, 3, 97.
  7. Jalali, M.S.; Kaiser, J.P. Cybersecurity in Hospitals: A Systematic, Organizational Perspective. J. Med. Internet Res. 2018, 20, e10059.
  8. The Open Group. TOGAF Business Capabilities Guide V2. Available online: https://pubs.opengroup.org/togaf-standard/business-architecture/business-capabilities.html (accessed on 18 March 2024).
  9. Leavitt, H.J. Applied Organizational Change in Industry: Structural, Technological and Humanistic Approaches. In Handbook of Organizations (RLE: Organizations); Routledge: London, UK, 1965; ISBN 978-0-203-62913-0.
  10. Vestad, A.; Yang, B. Municipal Cybersecurity—A Neglected Research Area? A Survey of Current Research. In Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media, Copenhagen, Denmark, 3–4 July 2023; Onwubiko, C., Rosati, P., Rege, A., Erola, A., Bellekens, X., Hindy, H., Jaatun, M.G., Eds.; Springer Nature: Singapore, 2023; pp. 151–165.
  11. Paul, C.L. A Modified Delphi Approach to a New Card Sorting Methodology. J. Usability Stud. 2008, 4, 7.
  12. Vestad, A. CardSort3 2025. Available online: https://github.com/arnves/CardSort3 (accessed on 17 February 2025).
  13. Hossain, S.T.; Yigitcanlar, T.; Nguyen, K.; Xu, Y. Local Government Cybersecurity Landscape: A Systematic Review and Conceptual Framework. Appl. Sci. 2024, 14, 5501.
  14. Hatcher, W.; Meares, W.L.; Heslen, J. The Cybersecurity of Municipalities in the United States: An Exploratory Survey of Policies and Practices. J. Cyber Policy 2020, 5, 302–325.
  15. Hossain, S.T.; Yigitcanlar, T.; Nguyen, K.; Xu, Y. Understanding Local Government Cybersecurity Policy: A Concept Map and Framework. Information 2024, 15, 342.
  16. Curti, F.; Ivanov, I.; Macchiavelli, M.; Zimmermann, T. City Hall Has Been Hacked! The Financial Costs of Lax Cybersecurity. May 2023. Available online: https://ssrn.com/abstract=4465071 (accessed on 17 February 2025).
  17. Waltz, C.; Gasco-Hernandez, M. Understanding Cybersecurity Outsourcing Processes in Local Governments. In Proceedings of the Hawaii International Conference on System Sciences, Big Island, HI, USA, 7–10 January 2025; pp. 1874–1883.
  18. Statistics Norway 12031: ICT Roles, by Degree of Outsourcing (Central Government, County Municipalities, Municipalities) 2012–2024 Statistikkbanken. Available online: https://www.ssb.no/en/statbank/table/12031 (accessed on 11 February 2025).
  19. Statistics Norway 12618: Implemented ICT Security Efforts (County Municipalities, Municipalities) 2019–2021. Statistikkbanken. Available online: https://www.ssb.no/en/statbank/table/12618 (accessed on 23 September 2024).
  20. Culot, G.; Nassimbeni, G.; Podrecca, M.; Sartor, M. The ISO/IEC 27001 Information Security Management Standard: Literature Review and Theory-Based Research Agenda. TQM J. 2021, 33, 76–105.
  21. DigDir. Regelverkskrav og Anbefalinger-Internkontroll Informasjonssikkerhet|Digdir. Available online: https://www.digdir.no/informasjonssikkerhet/regelverkskrav-og-anbefalinger-internkontroll-informasjonssikkerhet/3229 (accessed on 23 September 2024).
  22. NSM ICT Security Principles-Nasjonal Sikkerhetsmyndighet. Available online: https://nsm.no/advice-and-guidance/publications/nsm-ict-security-principles (accessed on 23 September 2024).
  23. National Institute of Standards and Technology. The NIST Cybersecurity Framework (CSF) 2.0; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024; p. NIST CSWP 29.
  24. Direktoratet for e-Helse Normen. Available online: https://www.ehelse.no/normen (accessed on 23 September 2024).
  25. Arntzen Toftegaard, Ø.A. An Effect Analysis of ISO/IEC 27001 Certification on Technical Security of Norwegian Grid Operators. In Proceedings of the 2022 IEEE International Conference on Big Data (Big Data), Osaka, Japan, 17–20 December 2022; pp. 2620–2629.
  26. Kamil, Y.; Lund, S.; Islam, M.S. Information Security Objectives and the Output Legitimacy of ISO/IEC 27001: Stakeholders’ Perspective on Expectations in Private Organizations in Sweden. Inf. Syst. E-Bus. Manag. 2023, 21, 699–722.
  27. Zoto, E.; Kianpour, M.; Kowalski, S.; Lopez-Rojas, E. A Socio-Technical Systems Approach to Design and Support Systems Thinking in Cybersecurity and Risk Management Education. Complex. Syst. Inform. Model. Q. 2019, 18, 65–75.
  28. Bostrom, R.P.; Heinen, J.S. MIS Problems and Failures: A Socio-Technical Perspective. Part I: The Causes. MIS Q. 1977, 1, 17–32.
  29. Malatji, M.; Von Solms, S.; Marnewick, A. Socio-Technical Systems Cybersecurity Framework. Inf. Comput. Secur. 2019, 27, 233–272.
  30. Tisdale, S.M. Cybersecurity: Challenges From a Systems Complexity Knowledge Management and Business Intelligence Perspective. Issues Inf. Syst. 2015, 16, 191–198.
  31. KS. Styrking av Digital Robusthet i Kommunal Sektor. Available online: https://www.ks.no/fagomrader/forskning-og-utvikling-fou/forskning-og-utvikling/digital--robusthet-i-kommunal-sektor/ (accessed on 17 February 2025).
  32. European Cybersecurity Skills Framework Role Profiles|ENISA. Available online: https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles (accessed on 5 December 2024).
  33. Vestad, A.; Yang, B. Adoption of Cybersecurity Innovations—A Systematic Literature Review. In Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media, Scotland, UK, 27–28 June 2024; Onwubiko, C., Rosati, P., Rege, A., Erola, A., Bellekens, X., Hindy, H., Jaatun, M.G., Eds.; Springer Nature: Singapore, 2024; pp. 285–304.
  34. Devaraj, S.; Kohli, R. Performance Impacts of Information Technology: Is Actual Usage the Missing Link? Manag. Sci. 2003, 49, 273–289.
  35. Venkatesh, V.; Bala, H. Technology Acceptance Model 3 and a Research Agenda on Interventions. Decis. Sci. 2008, 39, 273–315.
  36. Goodhue, D.L.; Thompson, R.L. Task-Technology Fit and Individual Performance. MIS Q. 1995, 19, 213–236.
  37. Barley, S.R. Technology as an Occasion for Structuring: Evidence from Observations of CT Scanners and the Social Order of Radiology Departments. Adm. Sci. Q. 1986, 31, 78–108.
  38. The Open Group. The TOGAF® Standard. Available online: https://pubs.opengroup.org/togaf-standard/introduction/index.html (accessed on 23 September 2024).
  39. Kotusev, S. Enterprise Architecture and Enterprise Architecture Artifacts: Questioning the Old Concept in Light of New Findings. J. Inf. Technol. 2019, 34, 102–128.
  40. Van Riel, J.; Poels, G. A Method for Developing Generic Capability Maps. Bus. Inf. Syst. Eng. 2023, 65, 403–424.
  41. Tell, A.W. What Capability Is Not. In Proceedings of the Perspectives in Business Informatics Research, Lund, Sweden, 22–24 September 2014; Johansson, B., Andersson, B., Holmberg, N., Eds.; Springer International Publishing: Cham, Switzerland, 2014; pp. 128–142.
  42. Nussbaum, B.; Park, S. A Tough Decision Made Easy? Local Government Decision-Making About Contracting for Cybersecurity. In Proceedings of the 19th Annual International Conference on Digital Government Research: Governance in the Data Age, Delft, The Netherlands, 30 May–1 June 2018; Association for Computing Machinery: New York, NY, USA, 2018; pp. 1–9.
  43. DigDir. Felles Sikkerhet i Forvaltningen|Digdir. Available online: https://www.digdir.no/informasjonssikkerhet/felles-sikkerhet-i-forvaltningen/4106 (accessed on 17 February 2025).
  44. Trinczek, R. How to Interview Managers? Methodical and Methodological Aspects of Expert Interviews as a Qualitative Method in Empirical Social Research. In Interviewing Experts; Bogner, A., Littig, B., Menz, W., Eds.; Palgrave Macmillan: London, UK, 2009; pp. 203–216. ISBN 978-0-230-24427-6.
  45. Dwyer, S.C.; Buckle, J.L. The Space Between: On Being an Insider-Outsider in Qualitative Research. Int. J. Qual. Methods 2009, 8, 54–63.
  46. Bogner, A.; Littig, B.; Menz, W. (Eds.) Interviewing Experts; Palgrave Macmillan: London, UK, 2009; ISBN 978-1-349-30575-9.
  47. ISO/IEC 27002:2022. Available online: https://www.iso.org/standard/75652.html (accessed on 11 March 2025).
  48. Meuser, M.; Nagel, U. The Expert Interview and Changes in Knowledge Production. In Interviewing Experts; Bogner, A., Littig, B., Menz, W., Eds.; Palgrave Macmillan: London, UK, 2009; pp. 17–42. ISBN 978-0-230-24427-6.
  49. Lobinger, K.; Brantner, C. Picture-Sorting Techniques. Card Sorting and Q-Sort as Alternative and Complementary Approaches in Visual Social Research. In The Sage Handbook of Visual Research Methods; Sage: Newcastle upon Tyne, UK, 2020; pp. 309–321. ISBN 978-1-4739-7800-3.
  50. Navas de Maya, B.; Khalid, H.; Kurt, R.E. Application of Card-Sorting Approach to Classify Human Factors of Past Maritime Accidents. Marit. Policy Manag. 2021, 48, 75–90.
  51. Jeong, R.; Chiasson, S. “Lime”, “Open Lock”, and “Blocked”: Children’s Perception of Colors, Symbols, and Words in Cybersecurity Warnings. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, Honolulu, HI, USA, 25–30 April 2020; Association for Computing Machinery: New York, NY, USA, 2020; pp. 1–13.
  52. Garcia-Granados, F.B.; Bahsi, H. Cybersecurity Knowledge Requirements for Strategic Level Decision Makers. In Proceedings of the International Conference on Cyber Warfare and Security, Online, 20–21 October 2020; Academic Conferences International Limited: Oxfordshire, UK, 2020.
  53. Cole, M.F.; Britton, C.O.; Roberts, D.; Rubin, P.; Shin, H.D.; Watson, Y.R.; Harrison, C. A Card-Sorting Tool to Measure Expert versus Novice Thinking in Scientific Research. Life Sci. Educ. 2023, 22, ar38.
  54. Conrad, L.Y.; Tucker, V.M. Making It Tangible: Hybrid Card Sorting within Qualitative Interviews. J. Doc. 2019, 75, 397–416.
  55. Braun, V.; Clarke, V.; Terry, G. Thematic Analysis. In Handbook of Research Methods in Health Social Sciences; Springer: Berlin/Heidelberg, Germany, 2014; pp. 95–113. ISBN 978-1-137-29104-2.
  56. Paul, C. Analyzing Card-Sorting Data Using Graph Visualization. J. Usability Stud. 2014, 9, 87–104.
  57. Rose, S.; Borchert, O.; Mitchell, S.; Connelly, S. Zero Trust Architecture; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020.
  58. DigDir. Rolle: Systemeier|Digdir. Available online: https://www.digdir.no/informasjonssikkerhet/rolle-systemeier/2111 (accessed on 16 February 2025).
  59. Skjelvik, A.; Vestad, A. Digital Safety Alarms—Exploring the Understandings of the Cybersecurity Practice in Norwegian Municipalities. In Proceedings of the 2023 European Interdisciplinary Cybersecurity Conference, Stavanger, Norway, 14–15 June 2023; Association for Computing Machinery: New York, NY, USA, 2023; pp. 129–133.
  60. Prislan, K.; Mihelič, A.; Bernik, I. A Real-World Information Security Performance Assessment Using a Multidimensional Socio-Technical Approach. PLoS ONE 2020, 15, e0238739.
  61. Brezavšček, A.; Baggia, A. Recent Trends in Information and Cyber Security Maturity Assessment: A Systematic Literature Review. Systems 2025, 13, 52.
  62. Heidt, M.; Gerlach, J.P.; Buxmann, P. Investigating the Security Divide between SME and Large Companies: How SME Characteristics Influence Organizational IT Security Investments. Inf. Syst. Front. 2019, 21, 1285–1305.
  63. Chidukwani, A.; Zander, S.; Koutsakis, P. A Survey on the Cyber Security of Small-to-Medium Businesses: Challenges, Research Focus and Recommendations. IEEE Access 2022, 10, 85701–85719.
  64. Sanchez-Zurdo, J.; San-Martín, J. A Country Risk Assessment from the Perspective of Cybersecurity in Local Entities. Appl. Sci. 2024, 14, 12036.
  65. Henderson, K. Flexible Sketches and Inflexible Data Bases: Visual Communication, Conscription Devices, and Boundary Objects in Design Engineering. Sci. Technol. Hum. Values 1991, 16, 448–473.
  66. Teece, D.J. Explicating Dynamic Capabilities: The Nature and Microfoundations of (Sustainable) Enterprise Performance. Strateg. Manag. J. 2007, 28, 1319–1350.
  67. Hettinger, L.J.; Kirlik, A.; Goh, Y.M.; Buckle, P. Modelling and Simulation of Complex Sociotechnical Systems: Envisioning and Analysing Work Environments. Ergonomics 2015, 58, 600–614.
  68. Vestad, A.; Yang, B. A survey of agent-based modeling for cybersecurity. In Human Factors in Cybersecurity, Proceedings of the AHFE (2024) International Conference, Nice, France, 24–27 July 2024; AHFE Open Access; Moallem, A., Ed.; AHFE International: New York, NY, USA, 2024; Volume 127.
Figure 1. Leavitt’s diamond model—adapted from [9].
Figure 2. Research process illustration.
Figure 3. Framework analysis process.
Figure 4. Card-sorting data collection and analysis.
Figure 5. Identified capabilities.
Figure 6. Graph cluster analysis–screenshot from tool.
Table 1. Identified relationships between capabilities and ECSF roles.

| Cybersecurity Capability | ECSF Roles |
|---|---|
| Secure operations | Cybersecurity Implementer |
| Governance, risk, and compliance | Chief Information Security Officer (CISO); Cybersecurity Architect; Cyber Legal, Policy, and Compliance Officer; Cybersecurity Auditor; Cybersecurity Educator; Cybersecurity Risk Manager |
| Monitoring and incident management | Cyber Incident Responder; Cyber Threat Intelligence Specialist; Digital Forensics Investigator |
| System ownership | No related ECSF role identified |
| Secure development | No related ECSF role identified |
| Security testing | Penetration Tester |
| Not directly relevant | Cybersecurity Researcher |
Table 2. External cooperation in municipal cybersecurity.

| Formal | Informal |
|---|---|
| IKSs, interkommunale selskaper (inter-municipal enterprises), or formalized inter-municipal cooperations: May provide whole or parts of several cybersecurity capabilities, and general ICT operations services and infrastructure. | Membership organizations, particularly Foreningen Kommunal Informasjonssikkerhet - KiNS, Forum for personvernombud: Mainly individual-level membership organizations for security and privacy. |
| Utilization of shared services from KS or government (DigDir): Provides specific shared services, such as ID-Porten for authentication of citizens, electronic signature, citizen communication, etc. Municipalities are to a large extent free to choose to implement these or other services. | CTF competitions: Participation in CTF competitions, mainly individual-level participation. |
| Helse- og KommuneCERT | |
| Managed security service providers: Providing outsourced SOC services. | |
Vestad, A.; Yang, B. From Security Frameworks to Sustainable Municipal Cybersecurity Capabilities. J. Cybersecur. Priv. 2025, 5, 19. https://doi.org/10.3390/jcp5020019