HuFiCon
Security culture is the public sector’s resilience infrastructure
Public authorities face a growing paradox. Digital threats are rising, systems are becoming more interconnected, and public expectations for reliable services have never been higher. Yet many public institutions lack the cultural foundations needed to respond effectively. Technology alone cannot close this gap.
This tension sat at the heart of Prof. Dennis-Kenji Kipker’s masterclass at the Human Firewall Conference 2025. As an advisor to the German federal government, the European Commission, and Scientific Director of the Cyber Intelligence Institute, Prof. Kipker brings rare insight into how cybersecurity challenges unfold inside public administration.
He frames the problem plainly:
“Cybersecurity in the public sector is often discussed, but far too little is actually done.”
This article unpacks Prof. Kipker’s masterclass to explore why security culture in the public sector remains fragile, and how public institutions can build resilience that endures beyond compliance.
Why municipalities remain the public sector’s Achilles heel
Prof. Kipker’s central argument is clear: municipalities are critical infrastructure, but they remain among the least protected parts of the public sector.
Using real-world incidents from Germany, he illustrates the scale of the issue. Cyberattacks on municipalities such as Potsdam, Vorpommern-Rügen, the Südwestfalen-IT service provider, and Anhalt-Bitterfeld (where a formal state of disaster was declared) reveal how deeply digital disruption affects public life.

What fails in these cases is not merely convenience. Citizen registrations stall, treasury operations revert to manual processes, and as Prof. Kipker explains, “it is not just that some citizen services no longer work. It is that the foundations of democracy stop functioning when council information systems are offline.”

This vulnerability is not new. As early as 2009, Germany’s KRITIS strategy identified public administration as critical infrastructure and described the “vulnerability paradox”: the more digital, efficient, and interconnected a system becomes, the more severe the impact of each disruption.
Sixteen years later, this paradox has only intensified, while municipal cybersecurity remains largely unaddressed.
Why security culture keeps falling through the cracks
One of the most persistent barriers to public-sector security culture is regulatory inconsistency.
At EU level, the NIS2 Directive gives member states discretion over whether local authorities fall under cybersecurity obligations. In Germany’s current transposition approach, most municipal administrations are not included in scope.
Prof. Kipker traces this decision to two dominant concerns: municipal self-administration and, more decisively, cost avoidance. Under the connexity principle, imposing cybersecurity obligations and training on municipalities would require the federal states to fund them, a commitment many were unwilling to make.
The result is fragmented and illogical. Municipal utilities responsible for water, waste management, and energy fall under strict cybersecurity rules, while the municipal administrations delivering digital citizen services remain exempt.
This division weakens security culture by signalling that some public systems matter more than others, even though all of them underpin public trust.
Why public-sector cybersecurity still isn’t seen as a leadership responsibility

Beyond regulation, Prof. Kipker identifies a deeper cultural challenge. Cybersecurity in public administration is still widely viewed as a technical issue rather than a leadership responsibility.
Findings from his research highlight recurring patterns:
- Cyber incidents are treated as isolated local problems.
- Mayors, councils, and administrative leaders often do not see cybersecurity as their responsibility.
- Decision-makers lack a basic understanding of attack vectors and digital risk.
This mindset leads directly to underfunding, slow modernisation, and unclear accountability.
Without political understanding and executive ownership, no amount of technology can create resilience. Cultural change must start at the leadership level.
Making security safe: awareness, empathy, and everyday practices
Structural reform must be matched by cultural change. Prof. Kipker stresses that security culture is not built through rules alone, but through human behaviour, trust, and daily practice.
Clear communication, psychological safety, and small, repeatable habits, such as short nudges, simple routines, and regular reminders to pause and reflect before acting, create the conditions in which employees can improve.
As Prof. Kipker puts it:
“Cybersecurity does not just come from the cloud. It happens in every municipality, every day.”
Training, upskilling, and safe reporting environments are essential. When employees feel supported rather than blamed, risks surface earlier, and learning accelerates.
What public-sector leadership needs to do
Public-sector learners bring diverse backgrounds, roles, and digital competencies. Effective training must therefore be adaptable, accessible, and supportive. Leadership can enable this by recognising progress at every stage.
Encouraging curiosity
When learning feels safe and engaging, employees explore more and retain more. Scenario-based exercises, interactive modules, and reinforcement help spark interest and build confidence.
Supporting different learning styles
Some employees prefer guided instruction, while others learn best through independent exploration. Rewarding effort, not only perfect outcomes, creates a supportive environment that accommodates this diversity.
Building digital trust
Trust is essential for raising concerns and reporting incidents. Prof. Kipker emphasised that there remains “little awareness that municipalities are now digitally vulnerable and must treat cybersecurity as part of basic public services”. Reinforcement-based models help close this gap by showing employees how their secure behaviours contribute directly to the resilience of their community.
A new public-sector mindset for a resilient future

Prof. Kipker’s message is unmistakable: technology alone cannot secure the public sector. Cultural foundations, leadership engagement, and structural reform are essential.
His roadmap is practical:
- Build political awareness.
- Share resources responsibly.
- Strengthen internal capability.
- Embed cybersecurity into everyday public administration.
True resilience emerges when public institutions move from checkbox compliance to trust-based security cultures.
As digitalisation accelerates, cybersecurity must be treated as part of modern democratic infrastructure.
With positive, meaningful feedback, recognition mechanisms, and values-aligned training, public-sector organisations can build cultures that not only comply with regulation but genuinely embody resilience.