A MUSA project, featured in Wired, analyzes the state of cybersecurity in local authorities in Lombardy: solid infrastructures, but it is the human factor that truly makes the difference.

Cybersecurity in public administration is one of those “big” topics that intertwines technology, processes, and skills. Today, it returns to the spotlight thanks to a new feature in Wired, dedicated to a MUSA project: Cybersecurity in Local Authorities: It Is Always the Human Factor That Makes the Difference. The message is clear: even with more modern infrastructures and cloud migration, security still depends – significantly – on behavior, awareness, and training.

A structured research project, not just a survey

The study – completed in 2024 – was coordinated by Danilo Bruschi, Director of the Department of Computer Science at the University of Milan, within the Milan Economic Impact Evaluation Center (MEIEC), in collaboration with AnciLab. The aim was to provide a rigorous snapshot of the state of cybersecurity across municipalities in Lombardy, going beyond formal statements and declared intentions.

Three phases: listening, data, field validation

The project was developed through a progressive and concrete approach:

  • Preliminary focus groups involving managerial, administrative, and technical staff from around 20 municipalities, to identify which aspects of cybersecurity were perceived as most critical.

  • A questionnaire distributed to all municipalities in Lombardy, with 206 local authorities responding.

  • Field validation – crucial to the study: with the consent of the participating entities, researchers conducted vulnerability assessments on municipal websites and simulated a phishing campaign.

This methodology made it possible to measure not only “what is declared,” but also “what actually happens” in day-to-day practice.

The key finding: the human factor

The research highlights a central point: cybersecurity is not just about tools. Even when infrastructures are adequate, the real difference lies with people—how they recognize risks, manage credentials and procedures, and respond to the most common threats, starting with phishing. In other words, security becomes truly effective only when it is embedded in daily work habits and organizational culture.

The report’s conclusion is clear and demanding: decision – makers should focus on three priorities – training, training, and more training. Awareness alone is not enough; structured and continuous learning pathways are needed to transform awareness into operational competence at every level of the organization.

This new feature in Wired confirms MUSA’s ability to generate practical and actionable evidence to support the digital transformation of public administration. Because when it comes to digital resilience in local territories, technology is essential – but it is the human component that ultimately determines the strength of the system.