Regulating Risks Within Complex Sociotechnical Systems
Evidence From Critical Infrastructure Cybersecurity Standards
Published in: Science and Public Policy, 2018. doi: 10.1093/scipol/scy061
Posted on RAND.org on November 27, 2018
Using regulations to reduce risks in complex systems is controversial, with some arguing that regulations are ineffective, while others argue that they are essential even if imperfect. In this article, we show how regulations and the systems that they aim to regulate function together as a complex sociotechnical system that influences risk management. We first argue that regulatory influence is shaped by three factors—incentives, scope, and adaptability—which are a product of the interactions between the regulations and the system they regulate. Next, we assess the effect of one set of regulations, the North American Electric Reliability Corporation's Critical Infrastructure Protection standards, on the cybersecurity risks faced by the US electric grid. Our assessment shows that the regulations reduced many but not all cybersecurity risks, and at times may have worsened them. We argue that regulatory influence should be understood as emergent from interactions between regulations and the systems that they regulate.