Weathering the storm: examining how organisations navigate the sea of cybersecurity regulations

Governments around the world routinely regulate the activities of private enterprises to guide the behaviour of individuals and organisations towards acceptable norms. This holds true in a cybersecurity context. However, practitioners report that cybersecurity regulations are often out of date and compliance is confusing, expensive, and time consuming. As a result, organisational leaders are often uncertain about the practicalities of adopting and implementing the various rules, which can lead to trickle-down effects on the robustness of lower-level cybersecurity controls and compliance activities. In this research, we aim to clarify how cybersecurity regulations are operationalised in organisations, as well as reveal the compliance and performance consequences of cybersecurity regulations. To do so, we interviewed 22 senior leaders with expertise in cybersecurity regulations. Our analysis reveals 7 distinct themes (i.e., concept groupings) that are ordered within four phases (i.e., temporal stages), which we use to create the Institutional Cybersecurity Regulations Model (ICRM). The results provide a holistic view of the cybersecurity regulations process in organisations that can serve to clarify current theory relationships and inform future research. As well, the ICRM can provide a practical roadmap for managers to navigate regulatory cybersecurity challenges in their own companies.