Managing Cyber Threats through Effective Governance: A Call to Action for Governors and State Legislatures


Project started on July 1, 2019 (Completed)

Cybersecurity threats are an ever-present organizational risk on par with economic, legal, operational, financial, and political risks. They increasingly affect state assets. Managing these risks, and the threats from which they stem, must be part of a state’s overall risk management portfolio.

To do this, state leaders must have effective cybersecurity governance. Cybersecurity governance is the set of processes by which decisions are made about cybersecurity risk. Effective cybersecurity governance provides the mix of control and influence necessary and appropriate for a state, and includes mechanisms for mitigating and responding to risk. While every state has implemented cybersecurity programs, few have cybersecurity governance that effectively ensures that a state’s risk is managed to a level and in ways that have been determined, through formalized governance processes, to be acceptable to the governor and legislature.

An effective cybersecurity governance framework answers important questions such as:

  • What decisions need to be made about cybersecurity threats?
  • Who makes those decisions?
  • How are those decisions made?
  • What mechanisms exist to inform those decisions?
  • Who has responsibility for translating decisions made by cybersecurity governance into effective cybersecurity programs?
  • What processes exist to make sure that the cybersecurity programs are effective?



  • Center for Internet Security Inc. (CIS)
  • Robert H. Smith School of Business, University of Maryland
  • New York State Cyber Security Advisory Board
  • National Association of State Chief Information Officers (NASCIO)
  • National Conference of State Legislatures (NCSL)
  • College of Emergency Response, Homeland Security and Cybersecurity, University at Albany

Funding Sources

The Center for Internet Security funded this project.