Regulating Risks Within Complex Sociotechnical Systems
Evidence From Critical Infrastructure Cybersecurity Standards
Published in: Science and Public Policy, 2018. doi: 10.1093/scipol/scy061
Posted on RAND.org on November 27, 2018
Using regulations to reduce risks in complex systems is controversial, with some arguing that regulations are ineffective, while others argue that they are essential even if imperfect. In this article, we show how regulations and the systems that they aim to regulate function together as a complex sociotechnical system that influences risk management. We first argue that regulatory influence is shaped by three factors—incentives, scope, and adaptability—which are a product of the interactions between the regulations and the system they regulate. Next, we assess the effect of one set of regulations, the North American Electric Reliability Corporation's Critical Infrastructure Protection standards, on the cybersecurity risks faced by the US electric grid. Our assessment shows that the regulations reduced many but not all cybersecurity risks, and at times may have worsened them. We argue that regulatory influence should be understood as emergent from interactions between regulations and the systems that they regulate.
This report is part of the RAND Corporation External publication series. Many RAND studies are published in peer-reviewed scholarly journals, as chapters in commercial books, or as documents published by other organizations.
The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.