Publication Date

October 2023


This paper should be of interest to the readers of this journal because it addresses a subject that has received little scholarly attention; namely, local government cybersecurity. The U.S. has over 90,000 units of local government, of which almost 39,000 are “general purpose” units (i.e., municipalities, counties, towns and townships). On average, these governments do not practice cybersecurity effectively (Norris, et al., 2019 and 2020). One possible reason is that they do not adopt and/or implement highly recommended cybersecurity policies. In this paper, we examine local government adoption or lack of adoption of cybersecurity policies using data from three surveys. Norris, et al, 2019 & 2020; Hatcher, et al., 2020; and Norris and Mateczun, 2023. It will probably not be surprising that our first finding is that, by and large, local governments still do a poor good job of adopting and implementing cybersecurity policies. Thus, our first recommendation is that these governments must take whatever actions are needed to ensure high levels of cybersecurity. If they do not, the consequences will be painful and costly, as demonstrated by examples presented in the text. Among these actions, we next recommend that local governments adopt and effectively implement the highly recommended cybersecurity policies discussed in the concluding section. Last, as we have recommended previously, we again call upon local governments to create and maintain within their organizations a culture of cybersecurity – one in which all parties in these governments fully understand and support cybersecurity at the highest levels in their governments.