The Efficacy of Cybersecurity Regulation

89 Pages Posted: 31 Mar 2013 Last revised: 24 May 2019

See all articles by David Thaw

David Thaw

University of Pittsburgh - School of Law; University of Pittsburgh - School of Information Sciences; Yale University - Information Society Project; University of Pittsburgh - Graduate School of Public & International Affairs

Date Written: June 2014


Cybersecurity regulation presents an interesting quandary where, because private entities possess the best information about threats and defenses, legislatures do – and should – deliberately encode regulatory capture into the rulemaking process. This relatively uncommon approach to administrative law, which I describe as Management-Based Regulatory Delegation, involves the combination of two legislative approaches to engaging private entities' expertise. This Article explores the wisdom of those choices by comparing the efficacy of such private sector engaged regulation with that of a more traditional, directive mode of regulating cybersecurity adopted by the state legislatures. My analysis suggests that a blend of these two modes of regulating is superior to either method alone.

Federal regulation of cybersecurity through HIPAA, Gramm-Leach-Bliley, and the Federal Trade Commission's enforcement heavily involves private organizations subject to the regulation in the establishment of the actual practices and standards to which those organizations are held. By contrast, the state cybersecurity laws – a form of disclosure-based regulation that de facto achieves directive regulation – detail specific standards developed without industry input.

This Article compares the efficacy of those two modes of regulating using a mixed-methods empirical approach. Qualitative data based on interviews with Chief Information Security Officers (CISOs) at leading multinational corporations details the practical effects of how regulation drives cybersecurity practices. Analysis of quantitative data describing security breach incidents reveals that a blend of the two types of regulation is substantially more effective at preventing such incidents than is either method alone. These results provide insight into ways to mitigate the risks of deliberate regulatory capture while still leveraging the unique knowledge private entities have about what are the most salient cybersecurity threats and defenses.

Keywords: cybersecurity, regulation, regulatory capture, information security, hybrid rulemaking, regulatory delegation

Suggested Citation

Thaw, David, The Efficacy of Cybersecurity Regulation (June 2014). Georgia State University Law Review, Vol. 30, 2014, Available at SSRN: or

David Thaw (Contact Author)

University of Pittsburgh - School of Law ( email )

3900 Forbes Ave.
Pittsburgh, PA 15260
United States


University of Pittsburgh - School of Information Sciences ( email )

Pittsburgh, PA 15260
United States

Yale University - Information Society Project ( email )

P.O. Box 208215
New Haven, CT 06520-8215
United States

University of Pittsburgh - Graduate School of Public & International Affairs ( email )

Pittsburgh, PA 15260-0001
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics