ELECTION SECURITYPrioritizing Cybersecurity Risk in Election Infrastructure

Published 24 August 2022

How can jurisdictions at each level prioritize their efforts to combat the risk of cyberattacks on their election systems? How can they assess the likelihood of a successful attack? How can they assess the scale and severity of an attack?

U.S. election systems are diverse in terms of governance and technology. This reflects the constitutional roles reserved for the states in administering and running elections but makes it challenging to develop a national picture of cybersecurity risk in election systems. Moreover, it requires each state and jurisdiction to evaluate and prioritize risk in the systems it oversees. With funding from the Cybersecurity and Infrastructure Security Agency, researchers from the Homeland Security Operational Analysis Center have developed a methodology for understanding and prioritizing cybersecurity risk in election infrastructure to assist state and local election officials.

Key Findings

·  Election systems consist of multiple components (voter registration, pollbooks, voting machines, tabulation equipment, and official websites) that are administered and controlled at different levels, depending on the state.

Prioritizing risk across system components requires evaluating three factors

·  The first is the likelihood of a successful attack, using fault tree analysis to determine the level of sophistication needed based on security controls implemented on each system component.

·  The second is the scale of impact of an attack, based on whether a successful attack could affect a single location, a jurisdiction, or an entire state.

·  The third is the severity of an attack, as measured by the extent to which it would impede election officials’ efforts to carry out election processes.


·  Officials can use the ratings or scores on likelihood, scale, and severity to prioritize efforts to protect the election infrastructure in their care.

·  Armed with an understanding of potential adversaries’ tiers, the capability required to execute a particular type of attack on a particular component, and the scale and severity that such an attack would have if successful, election officials can direct protective resources toward the types of prevention and remediation that make most sense for their specific jurisdictions.

Here is the report’s “Summary”:

Addressing cybersecurity risk in election systems is an important initiative requiring partnerships across federal, state, and local governments and with the election system vendor community. Since then–Secretary of Homeland Security Jeh Johnson declared elections a subsector of critical infrastructure in January 2017, the U.S. Department of Home-land Security has engaged state and local election officials to provide cybersecurity services and products to improve their cybersecurity posture.