Constructing Norms for Global Cybersecurity

110 American Journal of International Law (Forthcoming)

Temple University Legal Studies Research Paper No. 2016-52

56 Pages Posted: 28 Sep 2016 Last revised: 6 Nov 2016

See all articles by Martha Finnemore

Martha Finnemore

George Washington University

Duncan B. Hollis

Temple University - James E. Beasley School of Law

Date Written: September 26, 2016


Cybersecurity now stands at the top of the U.S. security agenda. As sources of cyber insecurity have proliferated, States and other stakeholders have increasingly turned to norms as the regulatory tool of choice, hoping to shape the behavior of diverse actors in this space. Proponents of cybernorms have so far focused on what the new norms should say and on what behaviors they should require or prohibit. They have paid little attention to how new norms would actually work — how they could successfully be constructed and the processes by which they would create desired effects. In other words, they have paid a lot of attention to the “cyber” component of cybernorms but very little attention to the “norms” component and the issues of how normativity actually works in the world.

In this Article, we offer an inter-disciplinary analysis of the processes by which cybernorms might be constructed and some of the choices and trade-offs involved in doing so. We first situate the current discourse in the varying contexts surrounding cybersecurity. We define the norm concept and examine the diverse array of norms currently populating the landscape of cyberspace. We next draw on the rich body of work in social science about norm construction in other policy areas to understand how norms can be cultivated successfully and how they create effects, both intended and otherwise. Of course, if cyberspace is unique, lessons from other policy domains might not be applicable but we assess these arguments and find them unconvincing.

Our paper then unpacks some of the strategic choices facing norm promoters in their decisions on which norms are needed, who should conform to them, not to mention where and how they should do so. We do not prescribe a particular path for norm promoters, but rather emphasize the need to recognize and accommodate the consequences and trade-offs these choices involve. Our paper thus offers lessons for States, industry, civil society, and others interested in promoting norms in cyberspace. By situating our work in both international law and international relations, this paper also provides a case study of the strategic social construction of norms that offers both political scientists and international lawyers more information on how non-legal mechanisms could regulate global problems like cybersecurity.

Keywords: norms, cybersecurity, information and communication technologies, GGE, norm entrepreneurs,norm diffusion, habits, incompletely theorized agreements, insincere conformity, treaties, socialization, incentives, persuasion

JEL Classification: F50, F53, F55, K30, K33

Suggested Citation

Finnemore, Martha and Hollis, Duncan B., Constructing Norms for Global Cybersecurity (September 26, 2016). 110 American Journal of International Law (Forthcoming), Temple University Legal Studies Research Paper No. 2016-52, Available at SSRN:

Martha Finnemore

George Washington University ( email )

2115 G Street, NW Suite 440
Washington, DC 20052
United States

Duncan B. Hollis (Contact Author)

Temple University - James E. Beasley School of Law ( email )

1719 N. Broad Street
Philadelphia, PA 19122
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Abstract Views
PlumX Metrics