Funding and sustaining cybersecurity initiatives is one of the fundamental challenges confronting state policy makers. A recent survey of states found that, on average, cybersecurity funding only accounted for three to five percent of information technology (IT) budgets. This memo examines how 23 states and the District of Columbia (D.C.) have allocated resources for cybersecurity and how they measure their return on investment. Throughout Fiscal Years (FY) 2015, 2016, and 2017, these 24 states spent over $160 million on six categories of cybersecurity: (1) Information Security and Assessments; (2) Homeland Security and Emergency Management; (3) Education; (4) Training and Law Enforcement; (5) Business Investments; and (6) Unique Initiatives. Figure 1 highlights how the states allocated funds in these categories. The tables at the end of the memo break out each state’s appropriation by category.
