The increased use of technologies such as social media, the Internet of Things, mobility, and cloud computing by government agencies has extended the sources of potential cyber risk faced by those agencies.

As a result, cyber is increasingly being viewed as a key component in enterprise risk management (ERM) frameworks. At the same time, agency managers encounter the challenge of implementing cyber risk management by selecting from a complex array of security controls that reflect a variety of technical, operational, and managerial perspectives.

In this report, the authors address current and potential future organizational cybersecurity and risk management needs by creating a decision model that allows agencies to tailor approaches for particular cyber challenges. The authors review existing risk management frameworks in use across government, and analyze steps that agencies can take to understand and respond to those risks in a manner consistent with existing law and policy. They put this work together to develop an implementation model based on taking five steps to improve cybersecurity outcomes: Prioritize, Resource, Implement, Standardize, and Monitor–the PRISM model.

This report builds on recent Center publications that address risk management, including Managing Risk in Government: An Introduction to Enterprise Risk Management by Karen Hardy; Managing Risk, Improving Results: Lessons for Improving Government Management from GAO’s High Risk List by Don Kettl; and Improving Government Decision Making through Enterprise Risk Management, by Thomas Stanton and Douglas Webster.

We hope that this report provides a useful model for government agencies to adapt in managing cyber risks.

Read the article in Government Executive and Government Computer News.