The Power and Politics of Cybersecurity: A Quantitative Study of Federal Cash Windfall Allocation as a Measure of Impact on Comprehensive Cybersecurity Posture
In their attempts to create a comprehensive cybersecurity posture, chief information security officers (CISOs) can only be as effective as the resources they garner. In the federal context, budgets and spends are ultimately under the auspices of the agency heads who set priorities and direction. This study sought to gain insight on the impact of organizational power and politics in the cybersecurity post-budgetary process within U.S. federal government agencies through a comparative examination of budgeted versus actual spending. It addressed one research question: To what extent do power and politics impact the federal cybersecurity budgetary cash windfall allocation and the resultant organizational cybersecurity posture?

The literature of organizational power and politics establishes means to measure the impact of individual and group power on budgets, funding, allocations, expenditures, and gamesmanship. Applied in the federal cybersecurity arena, the impact of power and politics on budgets and spend can be measured to better understand and mitigate risk factors in cybersecurity posture. A quantitative cross-sectional causal-comparative approach with a CISO survey was leveraged to study the topic ex post facto. The study utilized three phases of data collection from publicly available sources and primary data collection, as well as five phases of data analysis covering 2009 to 2016, to examine civilian cabinet-level agencies across the executive branch of the federal government.

Findings showed that most agencies were budgeting cybersecurity in a comprehensive fashion. However, actual expenditures were significantly reduced from budgetary allocations and remained focused on the area of technology, leaving the people, process, and policy aspects of cybersecurity posture at times unfunded. Further, the results showed that the agency head and CISO had little to no power or political connectedness and there were intractable barriers against improving their dyadic relationship. The CISO’s career at the agency and political awareness, among other factors, were statistically significant in predicting the differences of cybersecurity technology budgets and spends, but the greatest effect was seen in agency head connectedness and political connectedness. Considering the vital importance of the CISO in the federal sphere, these findings point to issues that need to be further studied and addressed to effectuate a comprehensive cybersecurity posture.