Mapping the cybersecurity institutional landscape

Date: 11 September 2017
DOI: https://doi.org/10.1108/DPRG-05-2017-0024
Published date: 11 September 2017
Pages: 466-492
Authors: Brenden Kuerbis, Farzaneh Badiei
Subject matter: Information & knowledge management, Information management & governance, Information policy
Brenden Kuerbis and Farzaneh Badiei

Brenden Kuerbis is based at the School of Public Policy, Georgia Institute of Technology, Atlanta, Georgia, USA. Farzaneh Badiei is Research Associate at the School of Public Policy, Georgia Institute of Technology, Atlanta, Georgia, USA.
Abstract

Purpose: There is growing contestation between states and private actors over cybersecurity responsibilities, and its governance is ever more susceptible to nationalization. The authors believe these developments are based on an incomplete picture of how cybersecurity is actually governed in practice and theory. Given this disconnect, this paper aims to provide a cohesive understanding of the cybersecurity institutional landscape.

Design/methodology/approach: Drawing from institutional economics and using extensive desk research, the authors develop a conceptual model, broadly sketch the activities and contributions of market, networked and hierarchical governance structures, and analyze how they interact to produce and govern cybersecurity.

Findings: The analysis shows robust market and networked governance structures and a more limited role for hierarchical structures. Ex ante efforts to produce cybersecurity using purely hierarchical governance structures, even when buttressed with support from networked governance structures, struggle without market demand, as in the case of secure internet identifiers. By contrast, ex post efforts such as botnet mitigation, route monitoring and other activities involving information sharing seem to work under a variety of combinations of governance structures.

Originality/value: The authors’ conceptual framework and observations offer a useful starting point for unpacking how cybersecurity is produced and governed; ultimately, we need to understand if and how these governance structure arrangements actually impact variation in observed levels of cybersecurity.

Keywords: Institutions, Cybersecurity, Governance structures, Internet governance

Paper type: Research paper
1. Introduction
The goal of this paper is to provide a detailed view of the cybersecurity institutional
landscape. Cybersecurity combines “public good” characteristics often associated
with governmental responsibilities with a wide variety of private market goods and
services while also involving networked forms of organization that involve non-market,
non-governmental resource and information sharing. We attempt to bring all three
together into a synthetic overview of cybersecurity governance. We broadly sketch the
activities and contributions of each type of actor (e.g. internal activities, outsourcing,
regulations and cooperation) to cybersecurity structures and identify how markets,
networks and hierarchies are related.
The authors believe that a more detailed institutional mapping of cybersecurity arrangements is especially important now, as there is growing contestation between states and private actors over cybersecurity responsibilities. Cybersecurity governance is ever more susceptible to nationalization, or the conflation of societal cybersecurity with national security. Some factors that catalyze the notion of nationalized cybersecurity in internet governance are: the assertion of states’ sovereignty in cyberspace (Lewis, 2010), the linkage of many aspects of cybersecurity to national security (NIST, 2014) and the separation of internet governance discussions from cybersecurity discussions (see Mueller, in this issue).

Received 19 May 2017; Revised 1 July 2017; Accepted 1 July 2017.

Both authors would like to thank Grace Harper for research assistance, as well as participants at the “Who Governs – States or Stakeholders? Cybersecurity and Internet governance” workshop held on May 11-12, 2017, at Georgia Tech for their contributions to the development of this paper.

PAGE 466 DIGITAL POLICY, REGULATION AND GOVERNANCE VOL. 19 NO. 6, 2017, pp. 466-492, © Emerald Publishing Limited, ISSN 2398-5038 DOI 10.1108/DPRG-05-2017-0024
Some allege that there “is a growing consensus that nations bear increasing responsibility
for enhancing cybersecurity” (Shackelford and Kastelic, 2015). But what exactly is this
consensus based upon and what should these responsibilities entail? Many existing
arguments making the claim for a greater state role are simply prefaced by the existence
of insecurities, e.g. the latest vulnerability and the potential scale of actors impacted by it
(Lewis, 2014). In their view, this is reason enough for government action. Far less attention
is paid to the scope and scale of cybersecurity governance across the private sector.
Admittedly, multiple factors influence what actions governments take concerning
cybersecurity. But a careful assessment of how cybersecurity is being governed provides
a good starting basis for making those decisions. This paper seeks to address that
shortcoming.
The paper proceeds as follows: Section 2 reviews the relevant literature on cybersecurity
governance. Section 3 provides some analytical underpinnings of cybersecurity
governance based on new institutional economics (NIE) and the concept of governance
structures. In Section 4, we present data on markets, networks and hierarchies collected
from multiple sources, and Section 5 applies our conceptualization to the data in analyzing
three cybersecurity cases. We conclude with some preliminary observations about forms of
cybersecurity governance and opportunities for future research.
2. Literature review
More than a decade of work exists examining economic incentives in cybersecurity
(Anderson and Moore, 2006). More recent work focuses also on its behavioral aspects
(Pfleeger and Caputo, 2012). However, the literature on cybersecurity institutions is still in
its infancy. Much work has focused on specific cybersecurity incidents (Healey, 2013),
politically motivated cyberattacks (Shakarian et al., 2013) and policy issues related to
cybersecurity (Goodman et al., 2008; Harknett and Stever, 2011; Clark, 2014). Early work
examining the cybersecurity institutional landscape was descriptive, identifying
international/regional governmental, public-private and non-governmental organizations
active in cybersecurity (Portnoy and Goodman, 2009). More recently, Testart Pacheco
(2016) systematically analyzed attendance at the Internet Governance Forum to “identify
areas of competing and overlapping [organizational] interest, relevant areas out of scope
of current [organizations] and dysfunctionalities that hinder overall security improvement”.
Some studies begin to unpack the institutional landscape from a theoretical perspective.
Nye (2014, 2017) uses regime theory (Krasner, 1982) to examine the normative
structure of cyberspace. Applying the concept of regime complexes including formal,
informal and hierarchical institutions, he concludes that fragmentation exists among various
issues (e.g. crime, privacy, war) and that it is unlikely an overarching governance regime
for cyberspace will emerge (p. 13). Choucri et al. (2014) look specifically at cybersecurity
from an institutional perspective and identify a number of formal organizations within the
cybersecurity landscape based on whether the organizations have a mandate from
international or national bodies. This narrow focus leads to a similar conclusion that the
institutional landscape of cybersecurity is more of a patchwork of efforts rather than an
overarching landscape that addresses all the known cyberthreats (Choucri et al., p. 34).
Shackelford (2014) uses Ostrom’s (2010) concept of polycentric governance to describe
how cybersecurity is regulated.
The literature highlights the important role of norms in cybersecurity governance. While
cyber norms are considered the basic building block for cybersecurity (Farrell, 2015),
the discussions and studies, with the exception of Craig et al. (2015), are mostly focused
on norms without considering how and where these norms are being or can be effectuated.