Title: Regulating risks within complex sociotechnical systems: Evidence from critical infrastructure cybersecurity standards
Abstract: Using regulations to reduce risks in complex systems is controversial, with some arguing that regulations are ineffective, while others argue that they are essential even if imperfect. In this article, we show how regulations and the systems that they aim to regulate function together as a complex sociotechnical system that influences risk management. We first argue that regulatory influence is shaped by three factors—incentives, scope, and adaptability—which are a product of the interactions between the regulations and the system they regulate. Next, we assess the effect of one set of regulations, the North American Electric Reliability Corporation's Critical Infrastructure Protection standards, on the cybersecurity risks faced by the US electric grid. Our assessment shows that the regulations reduced many but not all cybersecurity risks, and at times may have worsened them. We argue that regulatory influence should be understood as emergent from interactions between regulations and the systems that they regulate.
Publication Year: 2018
Publication Date: 2018-09-27
Language: en
Type: article
Indexed In: ['crossref']
Access and Citation
Cited By Count: 25