The new cyber investment mandate: Why ‘cyber risk quantification’ is key to state government’s pivot to human-centric defense

As states brace for reduced federal cybersecurity support, a new report argues that state CFOs and CISOs need to rethink how they calculate their return on cybersecurity investments.

State and local government agencies are facing a “stark new reality” as traditional federal support for cybersecurity infrastructure and information sharing is sharply cut back.

That’s putting new pressure on public officials — already confronting escalating cyberattacks and fewer resources — to take a closer look at their cybersecurity investment strategies.

The burden of protecting constituent data is shifting squarely onto state and local leaders, forcing state financial, risk and security officials to rethink how they evaluate their cybersecurity investment strategies, according to a new special report from Scoop News Group, Rethinking Cyber Risk.


“Clearly, there’s going to be less funding, leaving states more on their own to protect themselves,” says Ryan Witt, vice president of industry solutions at Proofpoint. “There will not be as much guidance coming from the federal government.”

For over two decades, the Multi-State Information Sharing and Analysis Center (MS-ISAC) served as a critical pillar for state security officials. However, recent federal funding cuts to both MS-ISAC and the Cybersecurity and Infrastructure Security Agency (CISA) are eliminating much of that support, forcing state CISOs to become more self-reliant.

The AI-driven threat to public trust

Compounding this loss of support is a dramatic escalation in AI-enabled and human-centered cyberattacks, according to the report, which was sponsored by Proofpoint.

Modern threat actors are increasingly leveraging AI tools and sophisticated impersonation techniques to bypass traditional defenses, seeking access to sensitive personal, tax, and health data. These attacks are rarely singular events; they are multi-stage campaigns that often begin with a deceptive email and escalate into credential harvesting and deep network penetration, says Witt.

The report argues that as these threats grow more complex, state and local chief financial and risk officers must adopt human-centric defenses and also evaluate those strategies using “cyber risk quantification” (CRQ) techniques, which differ from conventional return-on-investment metrics.

“Most organizations still struggle to define risk coherently,” notes Marcel Eisma, senior director of the value management office at Proofpoint. Eisma argues in the report that CRQ allows agencies to put a number on the risk they are “buying down” when choosing between different security options. “Risk is a dollar number that says, ‘what’s the probability of something happening and the likely magnitude of that happening?’” Eisma explains.

Traditional methods of assessing risk often rely on “red-yellow-green” matrices, which fail to provide a mathematical foundation for objective decision-making, says Eisma. To make sounder investment decisions, officials need a framework that translates probabilities into dollar terms, answering: “What is the likely frequency and magnitude of a negative event?”

Rethinking the risk equation: ROSI vs. ROI

As budgets tighten, IT and financial leaders must change how they justify security spending, Eisma adds. Traditional Return on Investment (ROI) is based on predictable gains, such as a new software platform increasing productivity. Cybersecurity, however, requires a Return on Security Investment (ROSI) model based on cost avoidance, he explains.

Chief financial and risk officers must also recognize how the risk environment is evolving as threat actors have more tools, data, and AI at their disposal. While the vast amount of personal and sensitive data held by government agencies has always made them a prime target, it’s becoming easier for threat actors to bypass traditional cyber defenses. As a result, it’s essential for agency officials to carefully reevaluate their cyber investment portfolio, focusing on more effective ways to protect employees and the public from human-centric attacks.
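The frequency-times-magnitude view of risk described above and the cost-avoidance ROSI model can be made concrete in code. The following is an added example, not material from the report or from Proofpoint: it models one constructed phishing-breach scenario, applies the 82% click reduction cited later in the article to the event frequency, and treats every dollar amount, the lognormal spread and the annual control cost as assumptions.

```python
import math
import random
from dataclasses import dataclass

def poisson_sample(rng: random.Random, lam: float) -> int:
    """Draw one Poisson(lam) event count (Knuth's method; adequate for small lam)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

@dataclass(frozen=True)
class RiskScenario:
    """A loss scenario in CRQ terms: how often it happens and what one event costs."""
    name: str
    events_per_year: float   # expected frequency of loss events
    mean_loss: float         # expected magnitude of one event, in dollars
    loss_sigma: float = 0.8  # spread of the lognormal magnitude (assumed value)

    def annual_expected_loss(self) -> float:
        """Frequency x magnitude: risk as a single dollar number."""
        return self.events_per_year * self.mean_loss

    def simulate_annual_losses(self, years: int = 20_000, seed: int = 7) -> list:
        """Monte Carlo annual loss totals, so tail risk (not just the mean) is visible."""
        rng = random.Random(seed)
        mu = math.log(self.mean_loss) - self.loss_sigma ** 2 / 2  # lognormal mean == mean_loss
        totals = []
        for _ in range(years):
            n = poisson_sample(rng, self.events_per_year)
            totals.append(sum(rng.lognormvariate(mu, self.loss_sigma) for _ in range(n)))
        return totals

def percentile(values: list, q: float) -> float:
    """Empirical q-quantile, e.g. q=0.95 for a 'bad year' loss figure."""
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]

def rosi(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> float:
    """Return on Security Investment: risk bought down, net of the control's cost, per dollar spent."""
    avoided = before.annual_expected_loss() - after.annual_expected_loss()
    return (avoided - annual_control_cost) / annual_control_cost

# Constructed scenario: phishing-led data breaches before and after URL protection.
# Frequency drops by the 82% click reduction the report cites; dollar figures are assumed.
BEFORE = RiskScenario("phishing breach, current controls", events_per_year=2.0, mean_loss=450_000)
AFTER = RiskScenario("phishing breach, with URL protection", events_per_year=2.0 * (1 - 0.82), mean_loss=450_000)
CONTROL_COST = 150_000  # assumed annual cost of the control
```

Calling `rosi(BEFORE, AFTER, CONTROL_COST)` gives the net return per dollar spent, and `percentile(BEFORE.simulate_annual_losses(), 0.95)` gives the bad-year loss that a red-yellow-green matrix cannot express.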

The four economic pillars of human-centric defense

With 60% of data breaches now involving human interaction, according to Verizon’s 2025 Data Breach Investigations Report (DBIR), the new report advocates for state and local agencies to continue shifting from perimeter-based security to a human-centric strategy. Doing so delivers significant payoffs, according to the report, which highlights four key areas where organizations are seeing significant returns:

  • Risk Alleviation: Automated tools and real-time URL protection can reduce phishing clicks by 82%, resulting in fewer high-impact incidents such as data breaches and reputational fallout.
  • Workforce Efficiency: Consolidating tools and automating manual tasks reduces the workload on overstretched security teams, saving time in triaging and investigating incidents.
  • IT Optimization: Retiring redundant point solutions in favor of a modern platform can lower the total cost of ownership by up to 40% compared to legacy tech stacks.
  • Improved Business Agility: Streamlined incident response workflows enable agencies to reinvest resources in more valuable, forward-looking public service initiatives.

Insights from the human-centered attack data

The report includes a sidebar summary revealing how the threat landscape is shifting toward high-frequency, mobile, and URL-based attacks. It notes that URLs are now used four times more often than attachments in malicious emails. It also stresses that mobile threats, such as “smishing” (SMS phishing), now impact 75% of organizations. QR code threats have also mushroomed in 2025.

Ultimately, the report concludes, when leaders share common metrics and transparency around the logic of their choices, they can better protect their employees, constituents, and data.

Download the full report, sponsored by Proofpoint.

The article was produced by Scoop News Group for StateScoop and sponsored by Proofpoint.
