Author
Abstract
Cyber risk governance has been occupying U.S. policymakers in the past two decades. This pressing challenge calls for a better understanding of how policymakers frame and consequently craft risk governance frameworks using public policies. Through a novel typology that analyzes the patchwork of laws and regulations in this policy space, this article investigates how policymakers design risk governance frameworks to address cyber risks. This typology is based on a systematic text analysis of thirty federal policies from the past twenty-two years (1996–2018) in which (N = 463) key sentences were recognized and coded to ten risk governance categories. Existent literature highlights the significance of risk framing to policy outputs and explains cross-national rather than cross-sector variance in risk governance. It also considers only specific cyber policy measures and does not question the link between policymakers’ risk perceptions and chosen policy paths. In contrast, this study finds that policymakers create three distinct risk governance frameworks across private owners of critical infrastructures, health and financial service provides, and companies in the broader digital economy. These risk regimes are comparatively analyzed to gauge variance (1) across sectors: in the role of the government and the extent to which it dictates coercive risk management steps, and (2) over time: on the ways in which the government has responded to cyber threats. I found that variance stemmed from the institutional configurations in each regulated sector and the consequent decision-making structures that had been institutionalized early on, rather than the framing of cyber risks. Tracing the governance of cyber risks and the missing link between policymakers’ risk perceptions and actions, this study sheds light on how seemingly technical decisions of cybersecurity governance can be social and political issues that are contingent on institutional settings and early policy decisions, questioning the central role of framing to risk governance outputs.
Suggested Citation
Ido Sivan-Sevilla, 2021.
"Framing and governing cyber risks: comparative analysis of U.S. Federal policies [1996–2018],"
Journal of Risk Research, Taylor & Francis Journals, vol. 24(6), pages 692-720, June.
Handle:
RePEc:taf:jriskr:v:24:y:2021:i:6:p:692-720
DOI: 10.1080/13669877.2019.1673797
Download full text from publisher
As the access to this document is restricted, you may want to search for a different version of it.
Corrections
All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:taf:jriskr:v:24:y:2021:i:6:p:692-720. See general information about how to correct material in RePEc.
If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.
We have no bibliographic references for this item. You can help adding them by using this form .
If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.
For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Longhurst (email available below). General contact details of provider: http://www.tandfonline.com/RJRR20 .
Please note that corrections may take a couple of weeks to filter through
the various RePEc services.
Printed from https://ideas.repec.org/a/taf/jriskr/v24y2021i6p692-720.html
