Abstract
Cyber risk governance has occupied U.S. policymakers for the past two decades. This pressing challenge calls for a better understanding of how policymakers frame and consequently craft risk governance frameworks using public policies. Through a novel typology that analyzes the patchwork of laws and regulations in this policy space, this article investigates how policymakers design risk governance frameworks to address cyber risks. This typology is based on a systematic text analysis of thirty federal policies from the past twenty-two years (1996–2018) in which key sentences (N = 463) were recognized and coded to ten risk governance categories. Existing literature highlights the significance of risk framing to policy outputs and explains cross-national rather than cross-sector variance in risk governance. It also considers only specific cyber policy measures and does not question the link between policymakers’ risk perceptions and chosen policy paths. In contrast, this study finds that policymakers create three distinct risk governance frameworks across private owners of critical infrastructures, health and financial service providers, and companies in the broader digital economy. These risk regimes are comparatively analyzed to gauge variance (1) across sectors: in the role of the government and the extent to which it dictates coercive risk management steps, and (2) over time: on the ways in which the government has responded to cyber threats. I found that variance stemmed from the institutional configurations in each regulated sector and the consequent decision-making structures that had been institutionalized early on, rather than the framing of cyber risks.
Tracing the governance of cyber risks and the missing link between policymakers’ risk perceptions and actions, this study sheds light on how seemingly technical decisions of cybersecurity governance can be social and political issues that are contingent on institutional settings and early policy decisions, questioning the central role of framing to risk governance outputs.
Original language | English |
---|---|
Pages (from-to) | 692-720 |
Number of pages | 29 |
Journal | Journal of Risk Research |
Volume | 24 |
Issue number | 6 |
State | Published - 2021 |
Bibliographical note
Publisher Copyright: © 2019 Informa UK Limited, trading as Taylor & Francis Group.
Keywords
- Cybersecurity
- risk framing
- risk-governance
- U.S. federal policymaking