Factors Shaping Policy for Cybersecurity Resilience in Critical Infrastructure (CI) Organizations: Proposing an Adaptive Cyber Resilience Policy Model (ACRPM)

Author(s)

Raymond Pythias Friedman, Liberty UniversityFollow

Date

11-13-2025

Department

Helms School of Government

Degree

Doctor of Philosophy in Public Policy (PhD)

Chair

Scott Wilson William

Keywords

cybersecurity resilience, critical infrastructure, governance, internal controls, employee attitudes, socio-technical systems, adaptive policy, organizational culture, adaptive cyber resilience policy model, narrative policy behavioral compliance aptitude assessment

Disciplines

Political Science | Psychology

Recommended Citation

Friedman, Raymond Pythias, "Factors Shaping Policy for Cybersecurity Resilience in Critical Infrastructure (CI) Organizations: Proposing an Adaptive Cyber Resilience Policy Model (ACRPM)" (2025). Doctoral Dissertations and Projects. 7629.
https://digitalcommons.liberty.edu/doctoral/7629

Abstract

This study examines the factors that influence cybersecurity resilience in private critical infrastructure (CI) organizations, with a focus on governance structures, internal controls, employee attitudes, and cybersecurity capabilities. Although the empirical focus is on private-sector entities, the findings bear significant implications for public policy, given the societal reliance on CI sectors such as energy, telecommunications, and water. Employing a convergent mixed-methods design, the study synthesizes quantitative survey data from cybersecurity professionals with qualitative case studies of CI organizations.

The analysis reveals that internal controls and employee attitudes are the most salient predictors of organizational resilience. Governance exerts an indirect influence by shaping these internal mechanisms and cultural dispositions, while technical expertise alone is insufficient in the absence of a supportive organizational environment. Key vulnerabilities persist, including systemic weaknesses, leadership deficiencies, and inconsistent policy enforcement.

In response, the study proposes the Adaptive Cyber Resilience Policy Model (ACRPM), a novel framework grounded in Socio-Technical Systems Theory, the Risk Governance Framework, and the Narrative Policy Framework. ACRPM reconceptualizes cybersecurity policymaking as participatory, iterative, and culturally embedded. It advocates for stakeholder co-design, narrative integration, and dynamic implementation strategies that transcend static, compliance-based regulation. By foregrounding human behavior and organizational dynamics, ACRPM offers a robust alternative to conventional policy approaches, enhancing the resilience of CI systems in an increasingly complex cyber-threat landscape.