Conclusion

Cybersecurity policy has long focused on strengthening infrastructure and mitigating technical risks. These efforts remain essential, but they are no longer sufficient: As the digital landscape evolves, so too must our understanding of where vulnerability resides. This report has argued that human vulnerabilities—stemming from a lack of digital access, skills, and literacy—must be recognized as core cybersecurity concerns, not peripheral issues.

The report has illustrated that the policy efforts related to the digital divide and cybersecurity are not separate challenges but are overlapping layers of the same goal: protecting, and even empowering, users. In this context, it becomes clear that digital divide policy cannot remain isolated from cybersecurity frameworks—and that cybersecurity policy cannot overlook the lived experiences of users.

Bridging these two domains will require expanding the scope of or redesigning existing initiatives like the Broadband Equity Access and Deployment Program and the Digital Equity Act to include cybersecurity awareness and funding for cyber-aware digital literacy and skills programming. Participatory approaches must be embedded into governance, where users help define what security means in their context. Further, there must be a consistent commitment to equitable internet access, even amid changing political conditions, as access remains a baseline for digital participation and protection.

Moving from risk to resilience requires reframing who cybersecurity is for and what it should protect. By recognizing that human vulnerabilities are more than simple user errors, policymakers can build a more inclusive and responsive cybersecurity ecosystem—one that secures not just systems, but people.