Regulating Risks Within Complex Sociotechnical Systems

Evidence From Critical Infrastructure Cybersecurity Standards

Published in: Science and Public Policy, 2018. doi: 10.1093/scipol/scy061

Posted on November 27, 2018

by Aaron Clark-Ginsberg, Rebecca Slayton


Access further information on this document at Science and Public Policy

This article was published outside of RAND. The full text of the article can be found at the link above.

Using regulations to reduce risks in complex systems is controversial, with some arguing that regulations are ineffective, while others argue that they are essential even if imperfect. In this article, we show how regulations and the systems that they aim to regulate function together as a complex sociotechnical system that influences risk management. We first argue that regulatory influence is shaped by three factors—incentives, scope, and adaptability—which are a product of the interactions between the regulations and the system they regulate. Next, we assess the effect of one set of regulations, the North American Electric Reliability Corporation's Critical Infrastructure Protection standards, on the cybersecurity risks faced by the US electric grid. Our assessment shows that the regulations reduced many but not all cybersecurity risks, and at times may have worsened them. We argue that regulatory influence should be understood as emergent from interactions between regulations and the systems that they regulate.

This report is part of the RAND Corporation External publication series. Many RAND studies are published in peer-reviewed scholarly journals, as chapters in commercial books, or as documents published by other organizations.
