Effectiveness of Critical Infrastructure Cybersecurity Regulations: A Multi-Sector Assessment
APA Citation
Hoffman, D. & Patel, R. (2023). Effectiveness of Critical Infrastructure Cybersecurity Regulations: A Multi-Sector Assessment. *Journal of Cybersecurity*. https://doi.org/10.1093/cybsec/tyad045
What Did This Cybersecurity Research Find?
This cybersecurity regulation study assessed whether sector-specific regulations (NERC CIP for energy, HIPAA for health, PCI DSS for payment) actually improved security outcomes across 500 organizations. Cybersecurity regulations correlated with improved baseline security posture but showed diminishing returns for organizations already above the regulatory minimum, suggesting regulations set floors rather than drive excellence.
Key Findings
- Regulated organizations had 28% fewer severe breaches than unregulated peers in equivalent industries
- Improvement was concentrated among previously low-maturity organizations
- Organizations at or above NIST CSF maturity level 3 showed no additional benefit from regulation
- Prescriptive regulations (NERC CIP) produced faster initial improvement than risk-based frameworks (NIST CSF)
- Compliance costs averaged 3.7% of IT budget, with diminishing security returns above 5%
How Does This Apply to Cybersecurity Careers?
GRC professionals can position compliance as a starting point rather than an end goal. This helps security leaders justify investments beyond compliance minimums.
Frequently Asked Questions
Where was this cybersecurity research published?
This study was published in the *Journal of Cybersecurity* in 2023. The DOI is 10.1093/cybsec/tyad045; the original paper is available from the publisher via that DOI.