U.S. CYBERSECURITY WITH/OUT PRIVACY: A Risk Regulation Perspective on United States' Cyber Regimes

Cybersecurity and cyber-privacy are two major policy aims in U.S. regulatory governance. These two aims can complement or contradict, and thus, allow us to explore fundamental questions on the interests, institutions,... [ view full abstract ]

Cybersecurity and cyber-privacy are two major policy aims in U.S. regulatory governance. These two aims can complement or contradict, and thus, allow us to explore fundamental questions on the interests, institutions, policy-trends, and social norms that shape U.S. regulatory governance. Within this scope, the paper has three main goals. First, better understanding of the policy trends and institutional practices in the U.S. that structure cybersecurity and cyber-privacy trade-offs. Second, developing and applying a risk-based approach to U.S. regulation of cybersecurity and cyber-privacy. Third, explaining variations within U.S. regulatory sub-regimes that govern different aspects of cybersecurity and cyber-privacy. In order to do so, I compare the dynamics of regime making across three U.S. regulatory regimes that embrace a different 'risk-strategy' approach (Moss and Baker 2009): (a) the Cyber Risk Prevention regime that enhances the protection of personal information and critical infrastructures; (b) the Cyber Risk Coordination regime that coordinates cybersecurity information between the government and private sector and embraces a risk-shifting approach; (c) the Cyber Risk Mitigation regime that minimizes consequences from a data breach and follows a loss-control approach. Usually, the current literature addresses concerns of either cybersecurity or privacy. Nonetheless, this paper studies their interaction in a comprehensive way, taking both as important elements of the whole, through the application of a risk-based approach. Moreover, through the analysis of cybersecutiy and privacy relations, we are better suited to understand how and why preference of values is expressed in an unexplored field of risk regulation.