Association for Public Policy Analysis & Management

Public organizations are increasingly experiencing damaging events that are largely unpredictable (Boin & Lodge, 2016; Comfort et al., 2012; Tierney, 2014) and might result in negative impacts. The potential for such events to cause damage increases as the organizations become more vulnerable, where vulnerability is the “degree to which a system is likely to experience harm due to exposure to a hazard” (Fussel, 2007, p. 155). Vulnerability depends to a large extent on technological complexity and the level of operational dependence on the technology (Perrow 1984; Turner and Pidgeon 1997).

Public organizations at all levels have adopted and implemented new technologies including social media, sensors and surveillance systems, open data portals, and e-services. For the most part, increased technological complexity has been associated with positive outcomes for citizens, increases in government efficiency and effectiveness, and greater transparency and accountability (Bertot, Jaeger, & Grimes, 2010; Feeney & Welch, 2014). But as technology becomes an integral part of interconnected government activities, public organizations face greater exposure to cybersecurity events, including risk of attacks by hacking groups and data breaches. The large cyberattack on the city of Atlanta in March 2018 is only one case in point.

Cyber security attacks demonstrate vulnerability in socio-technical systems in public agencies through disruption of public services and loss of private data, which result in economic loss and damaged public trust. Yet there is little discussion in public management research about how perceptions of vulnerability and the increasing exposure of public organizations to cyberattacks affect managers’ behavior. Of particular interest in this paper, vulnerability can affect innovation and risk-taking behavior among public managers. Recent studies argue that in face of greater risk and vulnerability, public managers might tend to under-invest in innovation in order to prevent and reduce their potential losses (Bullock et al. 2018).

In this research, we define several sources of vulnerability related to technology use and adoption in public organizations: technology management capacity, technical complexity of IT systems, digital openness and cybersecurity events. Based on the literature we develop a set of theory-driven hypotheses to assess the impact of vulnerability on innovation and risk taking. We test our hypotheses using a pooled data set combing 3 years of survey data collected among a nationally representative sample of 2,500 department heads in 500 small and medium sized local governments in the US. We make two contributions. First, we provide a theoretical frame explaining how organizational vulnerability impacts innovation and risk taking of public managers. This approach gives substance to the ongoing concerns of cyber-insecurity and points to new directions for research. Second, our results provide timely evidence of the impact that cybersecurity events on local government.