Managing Cybersecurity Risk in Government

Abstract

The increased use of technologies such as social media, the Internet of Things, mobility, and cloud computing by government agencies has extended the sources of potential cyber risk faced by those agencies. As a result, cyber is increasingly being viewed as a key component in enterprise risk management (ERM) frameworks. At the same time, agency managers encounter the challenge of implementing cyber risk management by selecting from a complex array of security controls that reflect a variety of technical, operational, and managerial perspectives.

In this report, the authors address current and potential future organizational cybersecurity and risk management needs by creating a decision model that allows agencies to tailor approaches to particular cyber challenges. The authors review the existing risk management frameworks in use across government and analyze the steps that agencies can take to understand and respond to those risks in a manner consistent with existing law and policy. They combine this work to develop an implementation model based on five steps for improving cybersecurity outcomes: Prioritize, Resource, Implement, Standardize, and Monitor (the PRISM model).

Document Date:
Author (organization): IBM Center for the Business of Government
Document type: Report