The Efficacy of Cybersecurity Regulation: Examining the Impact of Law on Security Practices

Cybersecurity regulation presents an interesting quandary because private entities possess the best information about threats and defenses. Yet leaving the responsibility for setting security standards to individual actors bears risk—there will always be at least some organizations with deficient security, thus creating "weak links in the chain" that harm all organizations. Those same "weak links" are also least likely to be responsive to industry self-regulatory efforts.

Thus lawmakers and regulators, seeking to preserve trust in the overall information economy, create legal obligations designed to protect both individual consumers and organizations so that they may reasonably trust and do business with one another. My research explores the wisdom of those choices by comparing the two primary styles of cybersecurity regulation: 1) comprehensive security requirements under which organizations develop and adhere to their own individualized compliance plans; and 2) more traditional, directive regulation mandating compliance with precise specific standards.

My analysis suggests that a blend of these two modes of regulating is superior to either method alone. I present data from qualitative interviews with Chief Information Security Officers (CISOs) at leading multinational corporations, detailing the practical effects of how regulation drives their organizations' security practices, as well as quantitative data on breach incidence detailing the efficacy of these regulations at preventing data breaches.

David Thaw is a Visiting Assistant Professor of Law at the University of Connecticut and an Affiliated Fellow of the Information Society Project at Yale Law School. He is a law and technology expert whose research and scholarship examine the regulation of the Internet and computing technologies, with specific focus on cybersecurity regulation and cybercrime. Dr. Thaw received his Ph.D., J.D., and M.A. from the University of California, Berkeley, and his B.S. and B.A from the University of Maryland.

Prior to joining the Law School faculty, Professor Thaw was a Research Associate on the University of Maryland Computer Science faculty, where he conducted research with the Maryland Cybersecurity Center and taught an undergraduate honors seminar on cybersecurity, law, and policy.

Professor Thaw is a frequent presenter on cybersecurity regulation and cybercrime. He has also testified before the U.S. House of Representatives regarding his research on cybersecurity regulation and its implications for federal legislation.