Research Dimensions

Creating Effective Legal and Regulatory Frameworks

Organisations, individuals, and governments need to be confident that their data, computer systems and processes are effectively protected in order to reap the full benefits of cyberspace.

To achieve this, government intervention is sometimes required, for example to oblige private critical infrastructure providers to develop security risk-management plans. We are investigating how governments can encourage the development of a secure Internet and online environment using law and regulation.

This dimension will create a set of resources highlighting best practice in all areas of cyber security legislation. Governments across the world will be able to use this to improve their legislative framework, identifying areas where they can do more to protect cyberspace and seeing what steps are required to do so.

To create these resources, we will be examining at a national, regional and international level all the areas of online security that require government action, such as critical national infrastructure, criminal activity, data protection, computer emergency response teams, and education. Criminal activity is one area that receives much attention, but we will be making sure that we also cover legislation that provides incentives for better protection of data and systems: building more resilient systems, deterring an attack, responding after an incident, and protecting against non-malicious actions, such as losing a laptop.

A key issue is how governments can ensure that private critical infrastructure providers meet essential security standards. This is vital because so much of the economy relies on this infrastructure, and breaches can have far-reaching effects. Some countries have asked critical infrastructure providers to voluntarily participate in security standards, but there has been limited uptake to date. For the most essential security measures, some governments are considering stronger interventions, and our research will examine the best ways to go about this. In the area of cybercrime, as well as considering well-documented threats, we will be looking at the use of digital equipment in traditional crimes, for example in theft, and considering how the police can make use of new digital technologies without compromising privacy.

As the effectiveness of laws partially depends on how they are enforced, we will also be looking at the impact of regulatory bodies covering communication and the utilities, and the effectiveness of reporting practices and penalties for data leaks in various countries and regions.

Our research will cover laws and regulations at the global, regional and national level. We will also examine whether national, regional or international approaches are most appropriate for a particular aspect. By the end of the programme, we will have created documents highlighting best practices that will enable policymakers across the world to access knowledge to make decisions on developing effective laws and regulations in their own jurisdictions.

This dimension is chaired by Professor Ian Brown, Associate Director of Oxford University’s Cyber Security Centre.
