Two prominent CIRI-funded researchers have brought the social sciences into dialogue with STEM through their analysis of cybersecurity regulations for critical infrastructure. Rebecca Slayton, Cornell University Science & Technology Studies (STS) Professor, and Aaron Clark-Ginsberg, RAND Associate Social Scientist, recently published the paper “Regulating risks within complex sociotechnical systems: Evidence from critical infrastructure cybersecurity standards” in Oxford UP’s Science and Public Policy journal.
Through the study, one of the first of its kind, the researchers collected evidence on the impact of regulations on society by analyzing the whole spectrum of players who work to manage the electric grid.
Says Clark-Ginsberg: “One of the top-level findings of our research is that the electric grid is a complex socio-technical system - a mixture of technologies, people, and regulations operating at local, regional and national scales … when a new regulation is injected into that system, unexpected changes can occur.”
The researchers label such behavior - unexpected changes that arise, often in a non-linear manner - as “emergent.” Such emergent behavior can have positive or negative effects. For example, one positive unintended effect is the birth of the new cybersecurity Operations Technology (OT) expert.
As the literature in thi “The regulatory landscape for cybersecurity is still in its infancy,” notes Clark-Ginsberg. “It’s still experiencing a lot of growing pains in figuring out how to appropriately manage and mitigate cyber risk.”
The duo designs their research with a dual audience in mind, with the intention of filling the gap between academic researchers and policy-makers. While cybersecurity is often seen as too complex and too quickly moving to regulate, Slayton and Clark-Ginsberg believe that regulations can be used to mitigate cybersecurity risk and ought to be a salient component of the sociotechnical system that revolves around our nation’s critical infrastructure.