Beyond the IT Checklist: Engineering a Reasonable Standard of Care for Cyber Safety

📅 2026-06-11
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This study addresses the inadequacy of current IT compliance–oriented cybersecurity policies in safeguarding the physical safety of cyber-physical systems, as digital failures often precipitate real-world harm. By coding 292 critical infrastructure policies (2000–2025) and aligning them with the NIST SP 800-160 Vol. 2 resilience lifecycle, the research reveals a significant misalignment between prevailing policy approaches—overreliant on IT control catalogs during resistance and recovery phases—and actual physical risks. The work proposes a modernized “duty of reasonable care” standard centered on hazard-specific traceability, structured assurance cases, and cyber resilience engineering. It identifies three critical disconnects: misaligned delegation of standards, reduction of recovery mechanisms to mere incident reporting, and uneven sectoral adaptability. The study further outlines a viable pathway for federal policy that integrates engineering implementation with targeted incentives.
📝 Abstract
Current U.S. cyber policy, centered on security, often treats documentation of controls and incident reports as a proxy for safety in the built environment. This paper argues that such an approach is inadequate for cyber-physical systems, where digital failures can produce kinetic harm. We construct and code a corpus of critical infrastructure policy documents (N=292, 2000-2025) to examine how "reasonable care" is operationalized across the NIST SP 800-160 Vol.~2 resilience lifecycle. The resulting maps show that obligations are concentrated in the Anticipate phase and emphasize administrative compliance, while Withstand and Recover phases rely heavily on delegated references to IT-focused control catalogs that are poorly aligned with physics-based hazards. We identify three major disconnects: miscalibrated delegated standards, recovery defined as notification rather than engineered navigation, and uneven adaptation requirements across sectors. We then propose a modernized standard of care anchored in hazard-specific traceability, structured assurance cases, and cyber resiliency engineering. Finally, we recommend that federal policy pair these engineering obligations with targeted incentives so that resilient architectures for critical infrastructure become a viable business decision rather than an unfunded expectation.
Problem

Research questions and friction points this paper is trying to address.

cyber-physical systems
reasonable standard of care
cyber safety
critical infrastructure
resilience
Innovation

Methods, ideas, or system contributions that make the work stand out.

cyber-physical systems
reasonable standard of care
structured assurance cases
hazard-specific traceability
cyber resiliency engineering
🔎 Similar Papers
No similar papers found.
M
Matthew E. Jablonski
College of Engineering and Computing, George Mason University, Fairfax, VA
L
Linton Wells II
College of Engineering and Computing, George Mason University, Fairfax, VA
K
Kathryn B. Laskey
College of Engineering and Computing, George Mason University, Fairfax, VA
F
F. Brett Berlin
College of Engineering and Computing, George Mason University, Fairfax, VA