While nearly 95% of public and private sector leaders reported being somewhat or very concerned about cybersecurity risk and almost 80% of public sector respondents noted that their organizations have proactively addressed risks, about 40% of those in the public sector said they did not have any incident response plans, GCN reports.
The findings, published in SSRN, indicate that incident response plans have not yet become the norm, with the lagging adoption mainly due to confusion, according to Indiana University Assistant Professor Scott Shackelford, who co-wrote the study.
"It gets to that core question of what the heck is reasonable cybersecurity, how does it vary by organization type – even public and private sector," said Shackelford.
The report noted that most states have agreed to adhere to a combination of the National Institute of Standards and Technology’s Cybersecurity Framework and the Center for Internet Security’s Top 20 security controls.
"There would be a big benefit to having a single federal standard [on reasonableness]," added Shackelford.