Framing and governing cyber risks: comparative analysis of U.S. Federal policies [1996–2018]

Ido Sivan-Sevilla*

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

2 Scopus citations

Abstract

Cyber risk governance has been occupying U.S. policymakers in the past two decades. This pressing challenge calls for a better understanding of how policymakers frame and consequently craft risk governance frameworks using public policies. Through a novel typology that analyzes the patchwork of laws and regulations in this policy space, this article investigates how policymakers design risk governance frameworks to address cyber risks. This typology is based on a systematic text analysis of thirty federal policies from the past twenty-two years (1996–2018) in which (N = 463) key sentences were recognized and coded to ten risk governance categories. Existent literature highlights the significance of risk framing to policy outputs and explains cross-national rather than cross-sector variance in risk governance. It also considers only specific cyber policy measures and does not question the link between policymakers’ risk perceptions and chosen policy paths. In contrast, this study finds that policymakers create three distinct risk governance frameworks across private owners of critical infrastructures, health and financial service providers, and companies in the broader digital economy. These risk regimes are comparatively analyzed to gauge variance (1) across sectors: in the role of the government and the extent to which it dictates coercive risk management steps, and (2) over time: on the ways in which the government has responded to cyber threats. I found that variance stemmed from the institutional configurations in each regulated sector and the consequent decision-making structures that had been institutionalized early on, rather than the framing of cyber risks.
Tracing the governance of cyber risks and the missing link between policymakers’ risk perceptions and actions, this study sheds light on how seemingly technical decisions of cybersecurity governance can be social and political issues that are contingent on institutional settings and early policy decisions, questioning the central role of framing to risk governance outputs.

Original language: English
Pages (from-to): 692-720
Number of pages: 29
Journal: Journal of Risk Research
Volume: 24
Issue number: 6
State: Published - 2021

Bibliographical note

Publisher Copyright:
© 2019 Informa UK Limited, trading as Taylor & Francis Group.

Keywords

  • Cybersecurity
  • risk framing
  • risk-governance
  • U.S. federal policymaking