Cyber-Resilient Public Infrastructure: Securing Government Systems in the Age of Cloud and AI

 Co esponding au ho : Aisha Abdullahi
Copy igh © 2025 Au ho (s) e ain he copy igh o his a icle. This a icle is published unde he e ms o he C ea i e Commons A ibu ion Liscense 4.0.
Cybe -Resilien Public In as uc u e: Secu ing Go e nmen Sys ems in he Age o
Cloud and AI
Aisha Abdullahi 1, *, Chima Amadi 2 and Sadiq Sanni 3
1 S a egy Consul an , AandA Su Ne wo ks Inc., No he n Cali o nia, U.S.A.
2 Cybe secu i y Leade , AI Ad iso y, Cloud and Risk Specialis .
3 Associa e P o esso , Cybe secu i y Specialis , In en o , Secu e OT, IoT, and IT Expe , Resea che , Ce i ied E hical Hacke
| UNDP Expe | Ce i ied Consul an Uni ed Kingdom.
Wo ld Jou nal o Ad anced Resea ch and Re iews, 2025, 26(03), 2826-2843
Publica ion his o y: Recei ed on 25 Ap il 2025; e ised on 19 June 2025; accep ed on 27 June 2025
A icle DOI: h ps://doi.o g/10.30574/wja .2025.26.3.2195
Abs ac
Go e nmen s a ound he globe a e quickly mo ing s a egic se ices o he cloud and in eg a ing AI in o sys ems
spanning he public sec o , including iden i y and bene i s managemen , sma ci ies, and heal hca e. This
ans o ma ion is hypo he ically e icien , la ge-scale, and da a-d i en, bu i also inc eases a ack su aces, p esen s
new ulne abili ies unique o AI, and makes public sys ems mo e highly coupled and in e dependen . The pape
p esen s a mul i-dimensional and in eg a ed cybe - esilience amewo k o Go Tech pla o ms ha (1) in eg a es he
p inciples o Ze o T us a chi ec u e wi h AI con idence and p i acy-p ese ing compu a ion, (2) ing ains legal,
p ocu emen and go e nance e o ms, and (3) ope a ionalizes con inuous h ea knowledge, simula ion, and employee
de elopmen . The esea ch me hodologically combines s anda ds and guidance (e.g., NIST Ze o T us and AI RMF),
c oss-sec o case s udies, compa a i e policy analysis (e.g., NIS2 and ecen U.S. execu i e di ec i es), and echnical
li e a u e on ad e sa ial machine lea ning and p i acy echnologies. The pape adds (i) a uni ied esilience model
adap ed o cloud+AI Go Tech, (ii) angible implemen a ion oads and KPIs, and (iii) policy sugges ions aimed a s iking
a balance be ween so e eign y, in e ope abili y, and inno a ion.
Keywo ds: Cybe secu i y in public in as uc u e; Digi al go e nance; C i ical in as uc u e p o ec ion; Cybe isk
managemen in he public sec o ; A i icial in elligence Secu i y
1. In oduc ion
1.1. Backg ound o he s udy
The e m digi al go e nmen , some imes known as Go Tech o digi al public in as uc u e, is a key policy ocus o OECD
coun ies and mul ila e al de elopmen agencies, as i can enhance se ice deli e y, anspa ency, and economic
inclusion. Digi al ans o ma ion is he co e o new mode niza ion o he public sec o in in e na ional o ganiza ions
(OECD, Wo ld Bank), and he sugges ed a chi ec u es and go e nance models make he go e nmen digi al by de aul .
Meanwhile, clouds and AI ha e g own up: mul i-cloud, hyb id-deploymen s a e becoming he new no m, and
go e nmen s a e inc easingly using machine lea ning o au oma e and suppo decision-making in i al a eas (heal h,
anspo , iden i y managemen ). Bo h o hese ends a e s uc u al: cloudi ica ion and pe asi e AI. They shi he
locus o con ol, da a lows, and dependencies in a manne ha has a signi ican impac on na ional esilience.
Bu adop ion has no been accompanied by equi alen secu i y and go e nance upg ades. Legacy sys ems, limi ed
p ocu emen p ocedu es and agmen ed ins i u ional oles a e common in he public sec o , ac o s ha complica e
Wo ld Jou nal o Ad anced Resea ch and Re iews, 2025, 26(03), 2826-2843
2827
swi , sa e emb acemen o cloud and AI. Addi ionally, he echnical li e a u e has epo ed dis inc i e isks due o AI
(e.g., ad e sa ial examples and model-poisoning) and due o he cloud supply chain (miscon igu a ions, mul i- enancy
and hi d-pa y dependencies). Such isks a e no me ely hypo he ical: news o h ea s and inciden s wi h high impac
in ecen imes demons a e ha public in as uc u e is a a ge wi h disp opo iona e socie al impac .
1.2. S a emen o he p oblem
Public sys ems now depend on complex cloud in as uc u es and AI models ha o en span de ices, edge nodes,
egional da a cen e s, and hi d-pa y se ices. This complexi y p oduces h ee in e wined p oblems
• Expanded echnical ulne abili y — Cloud miscon igu a ions, insu icien isola ion be ween enan s, and
supply-chain weaknesses enable a acks ha escala e quickly om IT o ope a ional echnology (OT),
h ea ening se ice con inui y.
• AI-speci ic a ack ec o s — Machine lea ning in oduces new ailu e modes (ad e sa ial inpu s, da a
poisoning, model in e sion) and opaci y ha ad e sa ies can exploi , especially whe e AI suppo s li e-c i ical
o socie ally sensi i e decisions.
• Go e nance and policy gaps — Exis ing legal and p ocu emen amewo ks (and some imes ins i u ional
cul u es) lag behind he pace o echnological change, c ea ing mis-aligned incen i es, unclea accoun abili y,
and inconsis en app oaches o so e eign y, p i acy, and endo isk. Recen di ec i es and egula ions (e.g.,
EU’s NIS2, U.S. execu i e ac ions) acknowledge hese p oblems bu equi e ope a ional ansla ion in o Go
Tech p ac ice.
Taken oge he , hese p oblems mean ha a b each o manipula ion o a Go Tech pla o m can cascade in o public-
heal h ailu es, se ice ou ages, e osion o democ a ic us , and economic damage. The cen al esea ch p oblem o his
pape is: how can go e nmen s design and ope a ionalize cybe - esilience o cloud-and-AI-enabled public
in as uc u e so ha se ices emain secu e, us wo hy, and so e eign wi hou s i ling inno a ion?
Objec i es o he s udy
P ima y objec i e
• To p opose a comp ehensi e, implemen able cybe - esilience amewo k o Go Tech pla o ms ha
in eg a es echnical, o ganiza ional, legal, and human dimensions o cloud+AI en i onmen s.
Seconda y objec i es
• To map and analyze he main echnical and s a egic ulne abili ies in oduced by cloud and AI in public
sys ems.
• To syn hesize c oss-na ional egula o y and go e nance esponses (e.g., NIS2, U.S. EO 14028) and e alua e
hei ope a ional implica ions o Go Tech p ocu emen and o e sigh .
• To design measu able KPIs, a ma u i y model, and an implemen a ion oadmap o na ional and sub-na ional
go e nmen s.
• To ecommend policy ins umen s (p ocu emen s anda ds, endo ce i ica ion, public-p i a e CTI
mechanisms) and echnical app oaches (Ze o T us , AI assu ance, p i acy-p ese ing echniques) ha a e
p ac ical and scalable.
1.3. Rele an Resea ch Ques ions
The s udy is o ganized a ound h ee co e, esea chable ques ions
• RQ1 (Vulne abili y mapping): Wha a e he p edominan echnical, o ganiza ional, and policy ulne abili ies
in oduced in o Go Tech pla o ms by cloud adop ion and AI in eg a ion? (Answe able ia li e a u e syn hesis,
case analysis, and h ea axonomy.)
• RQ2 (F amewo k design): Which combina ion o a chi ec u al con ols, AI-assu ance p ac ices, da a
go e nance ins umen s, and ope a ional p ocesses yields demons ably highe esilience o Go Tech
pla o ms in ealis ic h ea scena ios? (Answe able ia compa a i e amewo k analysis and simula ed
assessmen s.)
• RQ3 (Go e nance and ope a ionaliza ion): Wha go e nance, p ocu emen , and legal mechanisms a e equi ed
o implemen and sus ain he p oposed cybe - esilience measu es ac oss ju isdic ional and o ganiza ional
bounda ies? (Answe able ia policy compa ison, legal analysis, and s akeholde mapping.)
Wo ld Jou nal o Ad anced Resea ch and Re iews, 2025, 26(03), 2826-2843
2828
Each ques ion is amed o be empi ically es able o alsi iable h ough measu able indica o s (e.g., MTTD, pa ch
la ency, pe cen age o p oduc ion models wi h p o enance eco ds, compliance sco es).
1.4. Resea ch hypo heses
Below a e explici hypo heses ha will be examined in he pape , ph ased so hey can be ope a ionalized in empi ical
ollow-up wo k
• H1 ( ela ed o RQ1): Go Tech pla o ms ha mig a e o cloud a chi ec u es wi hou commensu a e CSPM
(Cloud Secu i y Pos u e Managemen ), mic o-segmen a ion, and s ong iden i y con ols will exhibi highe
incidence and impac o da a-ex il a ion and se ice-dis up ion e en s han pla o ms ha e o i hose
con ols.
• H2 ( ela ed o RQ2): Go Tech deploymen s ha implemen an in eg a ed package—Ze o T us a chi ec u e, AI
assu ance (model p o enance, ad e sa ial es ing), and p i acy-p ese ing compu a ions (e.g., ede a ed
lea ning / di e en ial p i acy)—will show educed ulne abili y o model poisoning and da a leakage in c oss-
o ganiza ional aining scena ios han hose using s anda d cen alized aining. This hypo hesis d aws on
ede a ed lea ning li e a u e and di e en ial p i acy heo y.
• H3 ( ela ed o RQ3): Ju isdic ions ha adop isk-based egula o y amewo ks (e.g., NIS2 s yle obliga ions)
combined wi h cen alized CTI usion cen e s and p ocu emen -le el endo secu i y ce i ica ion will achie e
as e inciden de ec ion and eco e y a na ional scale. This is es able ia c oss-na ional compa a i e
indica o s.
These hypo heses a e in en ionally amed o pe mi quan i a i e o quali a i e es ing (e.g., ia simula ion, ed- eam
exe cises, empi ical inciden da a) in subsequen sec ions o he pape .
1.5. Signi icance o he s udy
This pape is imely and consequen ial o h ee easons.
• Policy u gency: Go e nmen s a e unde poli ical and ope a ional p essu e o mode nize public se ices while
p o ec ing ci izens’ da a and main aining con inui y o c i ical se ices. Recen execu i e ac ions and di ec i es
unde sco e he need o sys ema ic imp o emen s. The s udy ansla es high-le el manda es in o ac ionable,
e idence-based pa hways o Go Tech.
• Technical no el y: By syn hesizing Ze o T us p inciples wi h AI assu ance me hods and p i acy echnologies
( ede a ed lea ning, di e en ial p i acy, homomo phic echniques), he amewo k a ge s he speci ic,
eme gen ailu e modes o cloud+AI sys ems—an a ea whe e guidance is nascen bu u gen ly needed.
• Ope a ional ele ance: The pape p oduces measu able KPIs, a ma u i y model, and p ocu emen -g ade
ecommenda ions, enabling go e nmen s (and hei endo s) o ope a ionalize esilience a he han ea ing
i as an abs ac ideal. Case s udies (e.g., Colonial Pipeline) illus a e consequences and lessons o public-sec o
coun e pa s.
1.6. Scope o he s udy
In his pape , he au ho a ge s na ional and la ge sub-na ional Go Tech pla o ms ha : (a) deploy signi ican po ions
o hei public se ices o c oss-agency in o ma ion pla o ms, (b) d aw hea ily on cloud o hyb id cloud compu ing
pla o ms, and/o (c) use AI/ML sys ems in p oduc ion o suppo decisions o au oma e p ocesses. I speci ically
ocuses on in e ac ion o echnical (ML, a chi ec u e), o ganiza ional (in e -agency go e nance, p ocu emen ), and legal
( egula ion, da a so e eign y) ac o s. The policy and inciden analysis empi ical window ocuses on he 20182025
pe iod o include ecen policy de elopmen s (e.g., NIS2) and landma k e en s. The esea ch is compa a i e and
in e na ional in na u e, ye examples and guidance a e ocused on middle- and high-capaci y go e nmen s ha ha e
ini ia ed he use o clouds and AI. The low-capaci y cases a e men ioned whe e app op ia e, and he o e all
gene aliza ion o all s a es is beyond he scope o he pape .
1.7. De ini ion o Te ms
To a oid ambigui y, he key e ms used h oughou he pape a e de ined he e
• Go Tech pla o m: An in o ma ion sys em, se ice, o se o in e ope able se ices ope a ed by go e nmen
en i ies (na ional, egional, local) o ci izen se ices, da a managemen , o policy implemen a ion.
Wo ld Jou nal o Ad anced Resea ch and Re iews, 2025, 26(03), 2826-2843
2829
• Cybe - esilience: The capaci y o sys ems and o ganiza ions o an icipa e, wi hs and, eco e om, and adap
o ad e se cybe e en s—ex ending beyond p e en ion o include con inui y and adap i e lea ning. (Used in
he pape as a mul i-dimensional cons uc in ol ing echnology, go e nance, and human ac o s.)
• Ze o T us A chi ec u e (ZTA): A secu i y pa adigm ha asse s “ne e us , always e i y,” emphasizing
con inuous au hen ica ion, leas p i ilege, and policy en o cemen a he esou ce le el a he han elying on
ne wo k pe ime e de enses. (See NIST SP 800-207.)
• AI assu ance / AI RMF: P ac ices, s anda ds, and con ols in ended o ensu e AI sys ems a e obus ,
in e p e able, sa e, and aligned wi h policy objec i es; in his pape he NIST AI RMF p o ides co e axonomy
and li ecycle guidance.
• Da a so e eign y / localiza ion: Policy and echnical con ols ha keep ce ain da a wi hin speci ied
ju isdic ions, o en mo i a ed by legal, p i acy, o s a egic conce ns; ea ed he e as an impo an cons ain
on cloud a chi ec u e choices.
• Fede a ed lea ning: A decen alized app oach o aining ML models ac oss mul iple pa ies wi hou
cen alizing aw da a—used he e as an example o p i acy-p ese ing ML p ac ice.
• Ad e sa ial ML: A ack echniques ha manipula e inpu s o aining p ocesses o cause e oneous ML
beha io (e.g., ad e sa ial examples, da a poisoning). These phenomena a e cen al o he pape ’s AI secu i y
analysis.
2. Li e a u e Re iew
2.1. P eamble
Go e nmen s now deli e se ices, main ain in as uc u e, and engage wi h i s ci izens in a whole new way wi h he
combina ion o cloud compu ing and a i icial in elligence (AI). Cloud-na i e a chi ec u e and AI-based decision-making
is becoming a signi ican pa o iden i y sys ems, heal hca e pla o ms, axa ion po als, c i ical in as uc u e
ope a ions, and public sa e y ools. This has b ough abou scalabili y, cos -e ec i eness and inno a ion a he same
ime ede ined he cybe - h ea en i onmen . A ack su aces a e now dispe sed, mul i-laye ed, and dynamic;
dependencies ha e ex ended o o he pa s o he wo ld; and new AI-speci ic a acks, including da a poisoning, model
in e sion, and ad e sa ial pe u ba ions, o e lap wi h exis ing isks such as ansomwa e, miscon igu a ions, and
inside h ea s (Biggio and Roli, 2018; Ilyas e al., 2019).
The li e a u e dealing wi h such issues is abundan and in e disciplina ily dispa a e. Technical esea ch ocuses on
ulne abili ies and coun e measu es alone (e.g., ad e sa ial ML, con iden ial compu ing), policy and go e nance
esea ch on egula o y amewo ks, e hics and accoun abili y, and indus y epo s cap u e ope a ional ailu e modes
and new p ac ices. Howe e , he con e gence o hese s eams in o in eg a ed socio- echnical ac ionable s a egies is
uncommon wi hin he eali ies o go e nmen sys ems.
The e iew o li e a u e summa izes and c i icizes hese a ious s ands, b ings hem oge he a ound common
concep ual g ound, and poin s ou gaps le unadd essed. I s a s wi h a heo e ical li e a u e e iew o he majo
amewo ks ha unde lie cybe - esilience hinking, hen p oceeds o an ex ensi e empi ical li e a u e e iew o
echnical, go e nance, sec o al, and o ganiza ional esea ch. In he p ocess, he e iew e eals wha is known, wha has
no been well esea ched upon, and how his pape will ill in he gaps.
2.2. Theo e ical Re iew
2.2.1. Socio-Technical Sys ems and Resilience Enginee ing
Cybe - esilience in public in as uc u e canno be unde s ood pu ely as a echnical challenge. Socio- echnical sys ems
heo y (STS), o igina ing om he Ta is ock Ins i u e, emphasizes ha echnological a i ac s, human ac o s,
o ganiza ional cul u es, and ins i u ional s uc u es co-p oduce sys em beha io and ou comes (T is and Bam o h,
1951). Applied o cybe secu i y, STS sugges s ha ailu es o en eme ge om misalignmen s be ween echnical design
and o ganiza ional p ocesses a he han om isola ed echnical laws.
Resilience enginee ing complemen s STS by shi ing ocus om p e en ion o he capaci y o sys ems o an icipa e,
wi hs and, eco e om, and adap o dis up ions (Hollnagel e al., 2011). In cybe con ex s, his means designing
a chi ec u es and p ocesses ha deg ade g ace ully, eco e quickly, and e ol e in esponse o changing h ea s. NIST’s
Special Publica ion 800-160 encapsula es his app oach, de ining cybe - esilience as a sys em p ope y ha in eg a es
echnical, o ganiza ional, and ope a ional laye s (NIST, 2021).
Wo ld Jou nal o Ad anced Resea ch and Re iews, 2025, 26(03), 2826-2843
2830
Toge he , STS and esilience enginee ing o m a dual lens: cybe - esilience is bo h a p ope y o socio- echnical sys ems
and a dynamic capabili y ha mus be cul i a ed ac oss he echnology-policy-people nexus.
2.2.2. Complex Adap i e Sys ems and Risk Go e nance
Recen schola ship ex ends hese ounda ions by aming public digi al ecosys ems as complex adap i e sys ems
(CAS)—ne wo ks o in e ac ing componen s ha exhibi eme gen beha io s, non-linea dynamics, and adap a ion
(Com o e al., 2019). CAS heo y explains why linea , pe ime e -based secu i y s a egies ail in dis ibu ed, cloud-AI
en i onmen s. Ins ead, esilience eme ges om decen alized sensing, adap i e eedback loops, and con inuous
lea ning.
In pa allel, he In e na ional Risk Go e nance Council (IRGC) amewo k emphasizes inclusi e, i e a i e isk
go e nance p ocesses ha in eg a e echnical assessmen wi h s akeholde engagemen , ins i u ional lea ning, and
policy adap a ion (Renn, 2018). This app oach is pa icula ly ele an in public-sec o cybe secu i y, whe e decisions
in e sec wi h democ a ic accoun abili y, public us , and legal obliga ions.
2.2.3. Socio echnical T ansi ions and Digi al T ans o ma ion
Finally, Socio echnical T ansi ion (STT) heo y—widely used in sus ainabili y and in as uc u e s udies—helps explain
he mac o-le el ans o ma ion o go e nmen sys ems om legacy IT silos o cloud-AI pla o ms (Geels, 2002). STT
unde sco es he ole o ins i u ional ine ia, egula o y egimes, and socio-poli ical dynamics in shaping echnological
change. Applying STT o Go Tech esilience highligh s why echnical solu ions mus be accompanied by p ocu emen
e o m, in e -agency coo dina ion, and capaci y building.
Syn hesis: Combining STS, esilience enginee ing, CAS, isk go e nance, and STT p o ides a iche concep ual oolki . I
ames cybe - esilience no as a s a ic s a e bu as a co-e ol ing p ope y o complex socio- echnical sys ems shaped by
echnical a chi ec u es, ins i u ional p ac ices, and adap i e go e nance.
2.3. Empi ical Re iew
2.3.1. Cloud In as uc u e: Miscon igu a ions, Supply Chains, and Ze o T us
Empi ical esea ch consis en ly iden i ies cloud miscon igu a ions as a leading cause o public-sec o b eaches. Indus y
s udies (Wiz, 2023; Palo Al o Ne wo ks, 2024) epo ha up o 60% o sensi i e da a exposu es o igina e om simple
miscon igu a ions, exace ba ed by inadequa e au oma ion and skills sho ages. Academic analyses ad oca e cloud
secu i y pos u e managemen (CSPM) and policy-as-code as scalable solu ions, ye adop ion in go e nmen lags behind
he p i a e sec o due o p ocu emen cons ain s and legacy in eg a ion challenges (Sha ma and Joshi, 2023).
Supply-chain a acks—exempli ied by he Sola Winds/Sunbu s comp omise—ha e shi ed ocus ups eam. Pos -
inciden analyses show how comp omised endo upda es can p opaga e ac oss go e nmen ne wo ks, bypassing
adi ional de enses (CISA, 2023). Solu ions such as So wa e Bills o Ma e ials (SBOMs) and secu e build pipelines a e
ecommended (Execu i e O de 14028, 2021), bu empi ical da a e eal limi ed adop ion and en o cemen in public
p ocu emen (Boyens e al., 2022).
Gap: While p inciples like Ze o T us A chi ec u e (ZTA) a e well-de ined (NIST SP 800-207, 2020), he e is limi ed
empi ical guidance on inc emen ally in eg a ing ZTA, CSPM, and SBOM p ac ices in o public agencies cons ained by
legacy sys ems, mul i- endo ecosys ems, and compliance manda es.
This pape add esses his gap by p oposing p ac ical, phased adop ion models ailo ed o Go Tech con ex s.
2.3.2. AI Secu i y: Technical Vulne abili ies and Assu ance Gaps
AI in oduces new classes o ulne abili ies. Founda ional esea ch shows ha machine-lea ning models a e suscep ible
o ad e sa ial a acks, da a poisoning, model in e sion, and membe ship in e ence (Biggio and Roli, 2018; F ed ikson
e al., 2015). Such a acks a e no hypo he ical: ad e sa ial pe u ba ions ha e been shown o bypass image-based
iden i y e i ica ion, and poisoned da a has al e ed p edic i e policing ou comes (Pape no e al., 2021).
P i acy-p ese ing app oaches such as ede a ed lea ning (Kai ouz e al., 2021) and di e en ial p i acy (Dwo k and
Ro h, 2014) o e pa ial mi iga ion bu in oduce new challenges, including communica ion o e head, u ili y ade-o s,
and suscep ibili y o poisoning by malicious pa icipan s. Meanwhile, eme ging wo k on AI p o enance and model

Wo ld Jou nal o Ad anced Resea ch and Re iews, 2025, 26(03), 2826-2843
2831
lineage seeks o imp o e accoun abili y and ep oducibili y (Shok i e al., 2023), bu mos solu ions emain
expe imen al.
Beyond echnical ulne abili ies, empi ical esea ch on AI e hics, explainabili y, and accoun abili y highligh s isks
unique o public go e nance. Lack o explainabili y unde mines due p ocess and us in algo i hmic decision-making,
while bias and disc imina o y ou comes can e ode legi imacy (OECD, 2023; GPAI, 2024). Howe e , he li e a u e o en
ea s hese e hical dimensions sepa a ely om cybe secu i y, despi e hei con e gence in p ac ice.
Gap: Resea ch lacks an in eg a ed AI assu ance li ecycle o go e nmen pla o ms ha connec s p o enance,
ad e sa ial es ing, p i acy gua an ees, and explainabili y equi emen s o p ocu emen and egula o y compliance.
This pape p oposes a comp ehensi e AI assu ance module aligned wi h NIST’s AI RMF and public-sec o go e nance
needs.
2.3.3. Con iden ial Compu ing and Da a-in-Use P o ec ions
Secu ing da a “in use” emains a weak link in many Go Tech pla o ms. Con iden ial compu ing echnologies— us ed
execu ion en i onmen s (TEEs) and secu e encla es—o e ha dwa e-based isola ion ha mi iga es isks om
malicious inside s and comp omised ope a ing sys ems (Con iden ial Compu ing Conso ium, 2023). Ea ly
deploymen s in heal hca e and inance show p omise, bu adop ion in he public sec o is limi ed due o pe o mance
o e head, a es a ion complexi y, and un esol ed policy ques ions a ound law ul access and o e sigh (Smi h e al.,
2023).
Gap: Li e a u e does no adequa ely explo e how public agencies can inco po a e TEEs in o p ocu emen speci ica ions,
no how o balance con iden iali y wi h anspa ency and accoun abili y obliga ions. This pape add esses his gap by
p oposing p ocu emen empla es, a es a ion policies, and go e nance ules o con iden ial compu ing in public
in as uc u e.
2.3.4. Sec o -Speci ic Resilience: Ene gy, Heal h, T anspo , and Ci ic Se ices
Resea ch on c i ical in as uc u e cybe secu i y shows wide a ia ion in h ea models and esilience s a egies ac oss
sec o s.
• Ene gy sys ems ely on legacy indus ial con ol sys ems (ICS) ulne able o la e al mo emen and
ansomwa e (Figue oa e al., 2022).
• Heal hca e aces unique da a in eg i y and a ailabili y challenges whe e b eaches can di ec ly endange li es
(Jalali and Kaise , 2021).
• T anspo a ion sys ems, pa icula ly au onomous ehicles and sma a ic ne wo ks, aise complex IoT and
AI sa e y issues (Zhou e al., 2022).
Ye , li e a u e a ely compa es o in eg a es hese sec o al app oaches in o c oss-sec o al esilience s a egies, e en
hough many public se ices now depend on in e dependen in as uc u e ecosys ems.
Gap: A need exis s o a holis ic c oss-sec o al esilience amewo k ha accoun s o in e dependencies, cascading
ailu es, and sha ed AI/cloud in as uc u es. This pape aims o de elop such a amewo k and illus a e i h ough
compa a i e case analyses.
2.3.5. Human, O ganiza ional, and Capaci y Dimensions
Human and o ganiza ional ac o s a e o en he weakes link. Inside h ea s, skill sho ages, cogni i e o e load in
secu i y ope a ions cen e s (SOCs), and misaligned incen i es all comp omise esilience (Nu se e al., 2021). Su eys
show ha o e 40% o public agencies ci e wo k o ce capaci y as a p ima y ba ie o cybe secu i y mode niza ion
(Wo ld Bank, 2022).
Despi e he cen ali y o hese issues, empi ical esea ch in o wo k o ce eadiness, o ganiza ional change, and socio-
echnical alignmen in public cybe secu i y emains spa se.
Gap: The li e a u e lacks empi ically g ounded amewo ks linking wo k o ce de elopmen , o ganiza ional cul u e, and
echnical esilience. This pape p oposes a socio- echnical capaci y-building model aligned wi h he b oade esilience
amewo k.
Wo ld Jou nal o Ad anced Resea ch and Re iews, 2025, 26(03), 2826-2843
2832
2.3.6. Go e nance, Regula ion, and Global Pe spec i es
Regula o y egimes such as he EU’s NIS2 Di ec i e (2022) and he U.S. Execu i e O de 14028 ma k a shi om so
no ms o en o ceable cybe secu i y obliga ions. Howe e , compliance challenges pe sis , and many amewo ks s op
sho o p esc ibing speci ic echnical con ols (ENISA, 2024).
2.3.7. Global case s udies demons a e a ied app oaches
• Es onia’s X-Road showcases how a chi ec u al design and legal amewo ks can ein o ce esilience (Kal e ,
2022).
• Singapo e’s Cybe secu i y Ac (2018) emphasizes p oac i e h ea in elligence and public-p i a e
coo dina ion.
• India’s Digi al Public In as uc u e (DPI) highligh s da a so e eign y and ede a ed a chi ec u es a scale
(Mei Y, 2023).
Despi e hese ad ances, c oss-na ional compa a i e esea ch emains limi ed, and lessons a e a ely syn hesized in o
uni e sally applicable amewo ks.
Gap: Li e a u e needs compa a i e, empi ically g ounded s udies ha ansla e egula o y obliga ions in o echnical,
o ganiza ional, and p ocu emen -le el ac ions. add esses his gap by mapping speci ic con ols and me ics o legal
equi emen s and o e ing globally in o med policy ecommenda ions.
2.4. Compa a i e Syn hesis and Remaining C oss-Cu ing Gaps
2.4.1. Th ee b oad insigh s eme ge om he li e a u e
• Dep h bu agmen a ion: Technical, go e nance, and ope a ional li e a u es a e ma u e in hei silos bu
poo ly in eg a ed.
• Wes e n-cen ic bias: Much empi ical e idence cen e s on U.S. and EU con ex s, wi h insu icien a en ion o
Global Sou h and non-Wes e n inno a ions.
• Neglec o measu emen and alida ion: Few s udies p opose conc e e me ics o ma u i y models o assess
cybe - esilience.
2.4.2. This pape esponds by
• P oposing a uni ied cybe - esilience amewo k linking s anda ds (NIST ZTA, AI RMF), echnical con ols
(CSPM, TEEs), and go e nance mechanisms (p ocu emen e o m, SBOMs).
• T ansla ing egula o y manda es in o ope a ional KPIs and ma u i y models.
• Inco po a ing global case s udies and sec o al compa isons.
• Embedding socio- echnical and CAS pe spec i es o in eg a e human, ins i u ional, and echnical dimensions.
3. Resea ch Me hodology
3.1. P eamble
The esea ch adop ed a con e gen mixed-me hods design (quali a i e and quan i a i e s ands un in pa allel and
in eg a ed a in e p e a ion) in o de o cap u e he mul i-dimensional and socio- echnical na u e o cybe - esilience in
go e nmen sys ems (C eswell and Plano Cla k, 2017). The design was selec ed o econcile h ee needs simul aneously
• Cap u e echnical ealism h ough con olled simula ions and secu i y exe cises ( o measu e echnical
ou comes such as Mean Time o De ec — MTTD — unde a ied con ols);
• Cap u e ins i u ional and go e nance eali y h ough compa a i e case s udies, documen analysis, and
s akeholde in e iews ( o unde s and p ocu emen cons ain s, legal d i e s, and o ganiza ional cul u e); and
• P oduce gene alizable indica o s ia su eys and s a is ical modeling o es he hypo heses posed in he
in oduc ion.
O e all, he s udy combined (a) compa a i e policy and documen analysis, (b) semi-s uc u ed in e iews and a
p ac i ione su ey, (c) echnical simula ion and ed- eam expe imen s in a dedica ed cybe - ange, (d) ad e sa ial
machine-lea ning (ML) expe imen s on syn he ic/benchma ked da a, (e) quan i a i e modeling (index cons uc ion
and eg ession/su i al analysis), and ( ) an expe Delphi p ocess o alida e KPIs, p ocu emen a i ac s, and he
Wo ld Jou nal o Ad anced Resea ch and Re iews, 2025, 26(03), 2826-2843
2833
ma u i y model. The me hods we e execu ed be ween Janua y and Oc obe 2024 ac oss mul iple ju isdic ions and we e
designed o iangula ion so ha indings om one me hod could alida e and con ex ualize he o he s.
3.2. Model Speci ica ion
3.2.1. Concep ual model
The s udy ope a ionalized cybe - esilience o Go Tech as a mul i-dimensional, la en cons uc in luenced by echnical
con ols, AI assu ance, da a go e nance, o ganiza ional capaci y, and collec i e in elligence ( h ea in elligence sha ing).
The empi ical model es ed di ec and media ing ela ionships among hese cons uc s and hei e ec on inciden
ou comes and esilience pe o mance.
3.2.2. A compac linea o mula ion used o s a is ical es ing was
CRSi = β0 + β1ZTAi + β2CSPMi + β3AI_Assu ei + β4Da aGo i + β5O gCapi + β6CTIi + Xi′γ + εi
We e
• CRSᵢ = Cybe -Resilience Sco e o agency/pla o m i (la en index).
• ZTAᵢ = Deg ee o Ze o T us A chi ec u e implemen a ion (con inuous index).
• CSPMᵢ = Ex en o Cloud Secu i y Pos u e Managemen and au oma ion.
• AI_Assu eᵢ = AI assu ance ma u i y (p o enance, ad e sa ial es ing, moni o ing).
• Da aGo ᵢ = Da a go e nance and so e eign y con ols (policy and echnical).
• O gCapᵢ = O ganiza ional capaci y (wo k o ce, budge s, SOC ma u i y).
• CTIᵢ = Le el o pa icipa ion in CTI sha ing / usion mechanisms.
• Xᵢ = con ol a iables (agency size, sec o , legacy a io, coun y-le el egula o y s ic ness).
• εᵢ = e o e m.
Fo disc e e ou comes such as b each occu ence o inciden coun s he model used app op ia e gene alized linea
o ms
• Logis ic eg ession o bina y b each occu ence (0/1) wi hin a 12-mon h window.
• Nega i e binomial eg ession o coun o inciden s pe yea .
• Cox p opo ional haza ds (su i al) models o ime- o-de ec ion and ime- o- eco e y me ics.
3.2.3. Ope a ionaliza ion and measu emen
Each la en cons uc was ope a ionalized using mul iple obse able indica o s. Examples include
• Ze o T us (ZTA): Au hen ica ion equency, pe cen o mic o-segmen ed wo kloads, policy-as-code adop ion
sco e, p esence o leas -p i ilege en o cemen .
• CSPM: Pe cen o cloud asse s wi h au oma ed miscon igu a ion emedia ion, equency o in as uc u e-as-
code (IaC) scanning, SBOM co e age o cloud wo kloads.
• AI Assu ance: Pe cen o p oduc ion models wi h documen ed p o enance, ad e sa ial obus ness es pass
a e, p esence o model d i de ec ion.
• Da a Go e nance: Pe cen o da ase s wi h enc yp ion in ansi / es /in use, da a localiza ion compliance,
documen ed da a li ecycle policies.
• O ganiza ional Capaci y: Numbe o ull- ime secu i y s a pe 100 IT s a , SOC ma u i y a ing, aining hou s
pe yea .
• CTI: Numbe o in elligence eeds consumed, imeliness o CTI inges ion, pa icipa ion in na ional usion
cen e s.
These indica o s we e combined in o s anda dized sub-indices (z-sco es) and hen agg ega ed—weigh ed by ac o
loadings om explo a o y ac o analysis—in o he composi e Cybe -Resilience Sco e (CRS). Fac o s uc u e and
eliabili y (C onbach’s α) we e assessed be o e index cons uc ion.
3.3. Types and Sou ces o Da a
The s udy used mul iple p ima y and seconda y da a sou ces o ensu e b ead h and iangula ion.
Wo ld Jou nal o Ad anced Resea ch and Re iews, 2025, 26(03), 2826-2843
2834
3.3.1. P ima y da a (collec ed o his s udy)
• Semi-s uc u ed in e iews (n = 36): Conduc ed wi h CISOs, p ocu emen leads, pla o m a chi ec s, and policy
o ice s ac oss 12 na ional o la ge sub-na ional agencies in 6 coun ies (selec ed o di e si y in cloud and AI
adop ion). In e iews a e aged 60 minu es, ollowed a common p o ocol, and we e audio- eco ded wi h
consen .
• P ac i ione su ey (n = 158 alid esponses): A c oss-sec ional online su ey a ge ed a Go Tech p ac i ione s
(CISOs, De SecOps enginee s, policy o ice s) o measu e implemen a ion le els, pe cei ed ba ie s, and KPIs.
The ins umen included Like -scale and nume ic i ems; i was pilo ed (n = 18) and e ined.
• Delphi panel (3 ounds; 18 expe s): Domain expe s om academia, go e nmen , and indus y pa icipa ed o
con e ge on KPI weigh s, ma u i y h esholds, and p ocu emen clause empla es. Consensus h esholds
ollowed Okoli and Pawlowski (2004).
• Cybe - ange simula ions and ed- eam exe cises: Fi e con olled exe cises we e execu ed in an isola ed cybe -
ange o compa e baseline (pe ime e ) s. Ze o-T us + CSPM con igu a ions. Each scena io was epea ed 25
imes wi h andomized ini ial condi ions o cap u e a iance in de ec ion and con ainmen me ics.
• Ad e sa ial ML expe imen s: Th ee expe imen al se ies e alua ed (a) cen alized aining, (b) ede a ed
lea ning wi hou de enses, and (c) ede a ed lea ning wi h di e en ial p i acy. Syn he ic bu ealis ic da ase s
(iden i y e i ica ion, ansac ional logs) and s anda d benchma k asks we e used. Each expe imen included
poisoning a acks, membe ship in e ence es s, and ad e sa ial inpu gene a ion; each condi ion was epea ed
30 imes.
• Documen collec ion: P ocu emen con ac s, SBOM samples ( edac ed), inciden esponse a e -ac ion epo s
(public and p o ided unde NDA), and policy documen s collec ed om pa icipa ing agencies.
3.3.2. Seconda y da a (public and open sou ces)
• Public inciden epo s and ad iso ies (CISA, ENISA, NCSC) o e en imelines and echnical de ails.
• Indus y cloud-secu i y epo s (Wiz, Palo Al o Ne wo k Co ex Xpanse, e c.) o sec o benchma ks.
• S anda ds and no ma i e guidance (NIST SP 800-207, NIST AI RMF, NIST SP 800-160) and ecen egula o y
ex s (NIS2, na ional cybe secu i y ac s).
• Academic da ase s and p io s udies (ad e sa ial ML li e a u e, ede a ed lea ning su eys).
• All p ima y eleme y and sensi i e a i ac s we e ei he syn he ic, edac ed, o cap u ed wi hin he isola ed
es en i onmen o a oid exposing eal ope a ional sys ems.
4. Me hodology
4.1. Resea ch design and analy ic s a egy
A con e gen pa allel mixed-me hods app oach was ollowed (C eswell and Plano Cla k, 2017). Quan i a i e and
expe imen al s ands p oduced nume ic, gene alizable measu es o esilience and inciden ou comes; quali a i e
s ands p o ided con ex ual explana ion and policy- ele an mechanisms. In eg a ion occu ed a wo poin s: (a)
du ing ins umen design (quali a i e indings shaped su ey i ems and simula ion scena ios), and (b) a in e p e a ion
(quan i a i e esul s we e explained using in e iew and documen e idence; Delphi ou pu s alida ed model weigh s).
4.2. Case selec ion and sampling
• Case selec ion o in e iews and pilo ma u i y model applica ion used pu posi e sampling o cap u e
a ia ion along key dimensions: sec o (ene gy, heal h, anspo , ci ic se ices), cloud pos u e (cloud- i s s.
legacy hea y), and coun y/ egula o y en i onmen (EU, No h Ame ica, Asia, and one Global Sou h case).
Agencies we e ec ui ed h ough p o essional ne wo ks and mu ual-NDA a angemen s; selec ion p io i ized
agencies ha had implemen ed a leas one p oduc ion AI sys em o had mig a ed subs an ial se ices o he
cloud.
• Su ey sampling le e aged p o essional associa ions, Go Tech o ums, and a ge ed ou each o lis s o
p ac i ione s. Response bias was mi iga ed ia eminde s, anonymized esponses, and checks o non- esponse
pa e ns.
4.2.1. Ins umen de elopmen and pilo es ing
• In e iew p o ocol was de eloped om he esea ch ques ions and li e a u e e iew; i included modules on
a chi ec u e, p ocu emen , inciden s, AI go e nance, and wo k o ce. P o ocols we e i e a i ely es ed in h ee
pilo in e iews.
Wo ld Jou nal o Ad anced Resea ch and Re iews, 2025, 26(03), 2826-2843
2841
adap i e sys ems heo y in o a single concep ual model, o e ing a mo e holis ic unde s anding o how esilience
eme ges in go e nmen digi al ecosys ems.
The esea ch also p o ides a me hodological con ibu ion by combining quan i a i e modeling wi h cybe - ange
expe imen a ion, o e ing a eplicable amewo k o u u e e alua ions o cybe secu i y in e en ions in he public
sec o . Fu he mo e, i b idges gaps in he li e a u e by inco po a ing global pe spec i es, sec o -speci ic insigh s, and
human ac o s, which ha e o en been neglec ed in p e ious wo k.
Recommenda ions
Based on he indings, se e al key ecommenda ions eme ge o policymake s, sys em a chi ec s, and public
adminis a o s
• Ins i u ionalize Ze o T us and CSPM: Go e nmen s should adop hese as baseline secu i y a chi ec u es,
embedding hem in o digi al ans o ma ion bluep in s and p ocu emen s anda ds.
• Manda e AI assu ance p o ocols: Public-sec o pla o ms mus in eg a e ad e sa ial obus ness es ing,
p o enance acking, and p i acy-p ese ing echniques in o all AI deploymen s.
• S eng hen da a go e nance amewo ks: Clea da a classi ica ion, li ecycle managemen , and c oss-agency
sha ing p o ocols should be en o ced o enhance inciden isibili y and esponse speed.
• Fos e collec i e de ense ecosys ems: Expanding pa icipa ion in na ional and c oss-bo de h ea in elligence
ne wo ks is essen ial o p eemp ing and mi iga ing sophis ica ed a acks.
• In es in wo k o ce capaci y: Technical measu es should be complemen ed by con inuous aining, simula ion
exe cises, and ins i u ional lea ning p og ams o imp o e cogni i e eadiness.
• De elop esilience me ics and ma u i y models: Go e nmen s should implemen s anda dized me ics (e.g.,
MTTD, MTTR, esilience indices) o ack and imp o e cybe - esilience o e ime.
• In eg a e u u e-p oo ing s a egies: P epa a ion o quan um-e a h ea s, supply chain secu i y isks, and he
nex wa e o AI-enabled a acks should be buil in o long- e m planning.
Concluding Rema ks
The ans o ma ion o public in as uc u e in o cloud-na i e, AI-d i en ecosys ems o e s emendous po en ial o
inno a ion, e iciency, and public alue. Howe e , i also exposes go e nmen s o unp eceden ed le els o cybe isk.
This s udy has shown ha esilience is no he p oduc o a single ool o echnology bu o a s a egic syn hesis o
laye ed de enses, ins i u ional go e nance, collec i e in elligence, and human capabili y.
By empi ically alida ing he impac o ZTA, CSPM, AI assu ance, da a go e nance, and collabo a i e in elligence, his
esea ch con ibu es a bluep in o nex -gene a ion cybe secu i y s a egies in he public sec o . I s insigh s
unde sco e ha cybe - esilience is no a s a ic end s a e bu a dynamic capaci y — one ha mus e ol e as h ea s
e ol e, con inuously ein o ced h ough policy, echnology, and people.
In an e a whe e public us hinges on he secu i y o digi al se ices, in es ing in cybe - esilien in as uc u e is no
longe op ional. I is ounda ional o sa egua ding democ acy, p o ec ing c i ical se ices, and ensu ing he in eg i y and
con inui y o go e nance in he age o cloud and AI.
Compliance wi h e hical s anda ds
Disclosu e o con lic o in e es
The au ho (s) decla e ha he e is no con lic o in e es ega ding he publica ion o his pape .
Re e ences
[1] Belmon Repo . (1979). The Belmon Repo : E hical P inciples and Guidelines o he P o ec ion o Human
Subjec s o Resea ch. U.S. Na ional Commission o he P o ec ion o Human Subjec s o Biomedical and
Beha io al Resea ch.
[2] Biggio, B., and Roli, F. (2018). Wild pa e ns: Ten yea s a e he ise o ad e sa ial machine lea ning. Pa e n
Recogni ion, 84, 317–331. h ps://doi.o g/10.1016/j.pa cog.2018.07.023

Wo ld Jou nal o Ad anced Resea ch and Re iews, 2025, 26(03), 2826-2843
2842
[3] Boyens, J., Paulsen, C., and Pla , J. (2022). SBOM adop ion challenges in go e nmen p ocu emen . Jou nal o
Cybe Policy, 7(3), 245–262. h ps://doi.o g/10.1080/23738871.2022.2089214
[4] Con iden ial Compu ing Conso ium. (2023). Technical whi epape on us ed execu ion en i onmen s.
Con iden ial Compu ing Conso ium.
[5] CISA. (2023). Pos -inciden ad iso ies and echnical epo s. Cybe secu i y and In as uc u e Secu i y Agency.
[6] CISA. (2023). The a ack on Colonial Pipeline: Lessons lea ned. Cybe secu i y and In as uc u e Secu i y Agency.
[7] C eswell, J. W., and Plano Cla k, V. L. (2017). Designing and conduc ing mixed me hods esea ch (3 d ed.). SAGE
Publica ions.
[8] Dwo k, C., and Ro h, A. (2014). The algo i hmic ounda ions o di e en ial p i acy. Founda ions and T ends in
Theo e ical Compu e Science, 9(3–4), 211–407. h ps://doi.o g/10.1561/0400000042
[9] ENISA. (2023). Th ea landscape epo 2023. Eu opean Union Agency o Cybe secu i y.
[10] ENISA. (2024). ENISA h ea landscape 2024. Eu opean Union Agency o Cybe secu i y.
[11] Eu opean Pa liamen and Council. (2022). Di ec i e (EU) 2022/2555 (NIS2 Di ec i e). O icial Jou nal o he
Eu opean Union, Dec 27, 2022. EUR-Lex.
[12] Execu i e O de 14028. (2021). Imp o ing he na ion’s cybe secu i y. Fede al Regis e , May 12, 2021. The Whi e
House.
[13] F ed ikson, M., Jha, S., and Ris enpa , T. (2015). Model in e sion a acks ha exploi con idence in o ma ion. In
P oceedings o he ACM Con e ence on Compu e and Communica ions Secu i y (CCS) (pp. 1322–1333). ACM.
h ps://doi.o g/10.1145/2810103.2813677
[14] Geels, F. W. (2002). Technological ansi ions as e olu iona y econ igu a ion p ocesses: A mul i-le el
pe spec i e and a case-s udy. Resea ch Policy, 31(8–9), 1257–1274.
[15] Hollnagel, E., Woods, D. D., and Le eson, N. (2011). Resilience enginee ing: Concep s and p ecep s. CRC P ess.
[16] Ilyas, A., San u ka , S., Tsip as, D., e al. (2019). Ad e sa ial examples a e no bugs, hey a e ea u es. In Ad ances
in Neu al In o ma ion P ocessing Sys ems (Neu IPS). a Xi :1905.02175
[17] Kai ouz, P., McMahan, H. B., e al. (2021). Ad ances and open p oblems in ede a ed lea ning. Founda ions and
T ends in Machine Lea ning, 14(1–2), 1–210. h ps://doi.o g/10.1561/2200000084
[18] Kal e , T. (2022). Digi al esilience and e-go e nmen in Es onia. Go e nmen In o ma ion Qua e ly, 39(4),
101720.
[19] Miles, M. B., Hube man, A. M., and Saldaña, J. (2019). Quali a i e da a analysis: A me hods sou cebook (4 h ed.).
SAGE Publica ions.
[20] NIST. (2020). Ze o us a chi ec u e (SP 800-207). Na ional Ins i u e o S anda ds and Technology.
h ps://doi.o g/10.6028/NIST.SP.800-207
[21] NIST. (2021). De eloping cybe - esilien sys ems: A sys ems secu i y enginee ing app oach (SP 800-160 2).
Na ional Ins i u e o S anda ds and Technology.
[22] NIST. (2023). A i icial in elligence isk managemen amewo k (AI RMF 1.0). Na ional Ins i u e o S anda ds
and Technology.
[23] OECD. (2020). The OECD digi al go e nmen policy amewo k. O ganisa ion o Economic Co-ope a ion and
De elopmen .
[24] OECD. (2023). AI go e nance and accoun abili y in he public sec o . O ganisa ion o Economic Co-ope a ion
and De elopmen .
[25] Okoli, C., and Pawlowski, S. D. (2004). The Delphi me hod as a esea ch ool: An example, design conside a ions
and applica ions. In o ma ion and Managemen , 42(1), 15–29.
[26] Renn, O. (2018). Risk go e nance: Coping wi h unce ain y in a complex wo ld. Rou ledge.
[27] Sha ma, V., and Joshi, R. (2023). Secu ing cloud deploymen s in go e nmen sys ems. Compu e s and Secu i y,
126, 102936.
Wo ld Jou nal o Ad anced Resea ch and Re iews, 2025, 26(03), 2826-2843
2843
[28] Smi h, J., e al. (2023). A es a ion and go e nance in con iden ial compu ing. IEEE T ansac ions on Cloud
Compu ing, 11(2), 101–119.
[29] The Whi e House. (2021). Execu i e O de 14028: Imp o ing he na ion’s cybe secu i y. The Whi e House.
[30] Wo ld Bank. (2020). Go Tech — The new on ie in digi al go e nmen ans o ma ion. Wo ld Bank G oup.
[31] Wo ld Bank. (2022). Go Tech ma u i y index: The new on ie in digi al go e nmen ans o ma ion. Wo ld
Bank G oup.
[32] Yin, R. K. (2014). Case s udy esea ch: Design and me hods (5 h ed.). SAGE Publica ions.
[33] Zhou, X., e al. (2022). Cybe secu i y o au onomous anspo sys ems. T anspo a ion Resea ch Pa C, 137,
103579.