• Government Regulation over Market Incentives

    By Stephen Hermanson

    Public policy interventions in the form of security regulations need to be careful, surgical and consider harms that may arise from poor interventions

    4 June 2026

    Context

    “Last week at the World Economic Forum’s annual cybersecurity conference in Geneva, ISA President Larry Clinton and Joe Levey, President and CEO of Sophos, debated Hans De Vries (ENISA) and Megan Stifel (Institute for Security and Technology) on a question central to global cyber policy: Is cybersecurity best driven by market incentives or government regulation?” [ISA 2026, LinkedIn].

    “In a first for the WEF, the session used a true debate format with opposing sides rather than a conventional panel. The audience response was striking. Before the debate, participants favoured government regulation over market incentives by a 2:1 margin. By the end, the audience had nearly reversed course, expressing greater confidence in market incentives by the same margin.” [ISA 2026, LinkedIn].

    “The results speak for themselves: the more a sophisticated global audience engages seriously with the intersection of governance and technology, the clearer it becomes that the traditional regulatory model is a poor fit for the cybersecurity challenges ahead — especially as AI accelerates the speed and complexity of the threat environment.” [ISA 2026, LinkedIn].

    Introduction

    I was fortunate to contribute to this 2016 publication – The Cybersecurity Social Contract by the Internet Security Alliance [ISBN 9780692755037] – so I enjoyed seeing this debate and its outcome.

    Public policy interventions are designed to correct market failures. The question at hand is therefore whether markets can, on their own, produce good and appropriate cyber security outcomes. Where they largely can, public policy intervention in the form of security regulations needs to be careful and surgical, because a poorly targeted intervention can do harm of its own.

    This reminded me of an assignment from a course I took at The London School of Economics and Political Science (LSE) in 2023, which I summarise in this article.

    Strategy to bring the issue to the policy agenda

    Policymakers may struggle to understand the causal relationships between better cybersecurity, market incentives and regulation. To reach the policy agenda, proponents of intervention would need to explain why a seemingly healthy cyber security market – with many existing standards and regulations, and many established global players generating good levels of competition, innovation and resilience – needs intervention at all.

    Traditional risk assessments (likelihood vs impact) guide policymakers on the scope, timing and nature of possible interventions relative to competing priorities on the public policy agenda.

    For many countries cyber security is central to national resilience, and risk assessments are mature and routine. However, an assessment of the harm that may arise from poor public policy interventions is often missing. Adding that assessment can orient policymakers and create better public resonance, which matters for a technical issue that is prone to fast-moving issue-attention cycles.

    Stronger resonance is useful because it broadens the assessment of policy interventions to include other countries and jurisdictions, whether through ideological arguments (values and norms), technical/scientific arguments (risk assessments) or competitive arguments (economic and strategic autonomy).

    Agenda-setting power is centred on national security agencies (with technical/scientific arguments) and political groups (with ideological arguments). Both use their levers of power to intervene through new or existing laws and incentives.

    This creates a competitive agenda-setting process and a prominent role for policy entrepreneurs seeking to align the problem, solution and politics streams. In the case of cybersecurity the problem and political streams align naturally, but the solution stream may fall into and out of alignment quite suddenly because solutions are complex. The result is likely to be punctuated decision making, as stakeholders realise that incremental decisions have not kept pace with the policy issue.

    Factors to ensure successful policy interventions

    Cybersecurity is a complex policy issue with stakeholders across government, regulators and industry. Implementation requires extended intervention over years across different areas of the economy, and consensus on success metrics (how to know when security has reached an optimal level).

    Resource constraints and dependencies in this example are sensitive to funding (intervention will require both private and public investment in financial, human and material resources) and co-ordination (spanning a wide group of stakeholders across the private and public sectors). As more actors become involved during implementation, having target groups and bureaucratic agencies take part in subsequent agenda-setting rounds can help to mitigate implementation issues. Government convening power will play a vital role in providing a good platform for cooperation between the different groups.

    With a prominent role for industry as an agent of implementation (industry acting almost as street-level bureaucrats in this example), the principal–agent dynamic will require a contract that balances government monitoring and control with private corporate goals and fiduciary duties.

    Best approach for evaluation and possible constraints

    Evaluation should test a previously agreed hypothesis with a sample group in order to establish whether intervention is having a meaningful impact.

    An independent body offers the best mechanism for stakeholders to join a common evaluation project that builds trust in the evaluation process and its findings (bearing in mind the information asymmetries and differing interests between stakeholders). In this case the recommended form of evaluation is a cost–benefit analysis, since it compares the inputs and outputs of the intervention to assess its economic effectiveness. Economic effectiveness is likely to have a disproportionate influence on how cybersecurity objectives are achieved and maintained over the long term, and on securing the further political attention that may be needed as the policy cycle continues.

    Bounded rationality will place a significant constraint on policymakers given the duration and complexity of the interventions in this example. The use of experimental design for the impact evaluation can help to address policymaker bias (subject matter, belief systems or ideologies) and avoid situations where evaluation is used to justify political positions.

    References

    Bachrach, P. & Baratz, M.S. 1962. Two faces of power. The American Political Science Review, 56(4):947–952. Stable URL: https://www.jstor.org/stable/1952796.

    Cairney, P. 2012. Understanding public policy: theories and issues. London: Red Globe Press.

    Dahl, R.A. 1957. The concept of power. Behavioral Science, 2(3):201–215. DOI: https://doi.org/10.1002/bs.3830020303.

    Downs, A. 1972. Up and down with ecology – the “issue-attention” cycle. The Public Interest, 28(Summer):38–50.

    Howlett, M., Ramesh, M. & Perl, A. 2009. Studying public policy: policy cycles & policy subsystems. Rev. 3rd ed. Toronto: Oxford University Press.

    Kingdon, J. 2013. Agendas, alternatives, and public policies. 2nd ed. United States: Pearson Higher Education.

    Cobb, R., Ross, J. & Ross, M.H. 1976. Agenda building as a comparative political process. The American Political Science Review, 70(1):126–138. DOI: https://doi.org/10.1017/S0003055400264034.

    Hogwood, B. & Gunn, L.A. 1984. Policy analysis for the real world. Oxford: Oxford University Press.

    Lipsky, M. 1980. Street-level bureaucracy: dilemmas of the individual in public services. New York: Russell Sage Foundation.

    Bovens, M., ’t Hart, P. & Kuipers, S. 2006. The politics of policy evaluation. In The Oxford handbook of public policy. M. Moran, M. Rein & R.E. Goodin, Eds. Oxford: Oxford University Press. 319–335.

    Weiss, C. 1999. The interface between evaluation and public policy. Evaluation, 5(4):468–486. DOI: https://doi.org/10.1177/135638909900500408.

  • Security, Corporate Affairs & Compliance

    By Stephen Hermanson

    The special alliance that helps to ensure that public policy interventions achieve good and sustainable security outcomes

    29 May 2026

    The traditional cybersecurity compliance assessment arrived. The legislation had been in place for some time, the regulatory interpretation was mature, and Compliance colleagues were ready and understood the process. All good so far.

    During the process, questions surface about the medium- to long-term relevance, effectiveness and proportionality of the obligations. The compliance process continues, the outcome is positive, and the questions are put aside.

    Later, the government updates the national cybersecurity strategy, setting out an agenda for strengthening cyber security outcomes for the country. In due course a public consultation arrives, and industry is invited to comment on updates to legislation.

    External/Corporate Affairs notice the consultation. It’s a security matter, not directly related to the traditional policy themes for this sector. Even so, someone asks Security about it. What happens next?

    A Security Public Policy team will have spotted the consultation already, and may even have advised on its scope, questions and timing following close engagement on the government’s security agenda.

    Prepared positions are ready, the legwork having been done with the SecOps teams that need to respond to the threat while meeting public policy expectations. Security Public Policy has already noted that compliance assessments highlighted questions that need addressing, and has rolled those into the analysis.

    Security Public Policy collaborates naturally with External/Corporate Affairs, so the corporate narrative and strategy are neatly integrated into the security position. Political and civil service engagement is synchronised and co-ordinated.

    The process repeats itself for national infrastructure resilience, national security & investment, ransomware, physical protection, cyber security, product security and the full A-Z of the security public policy agenda.

    Different departments, agencies and alliances are engaged. Trust and credibility are established or strengthened through data-led evidence about the impact of current and proposed measures. The Executive Committee and Board are confident that security obligations allow for sustainable operations and investments.

    Eventually, the next iteration of legal and regulatory updates arrives (after sustained monitoring and interventions by Security Public Policy to fact-check proposals, understand the counter-lobby, course correct and generally keep the process moving in the right direction).

    Compliance has already adapted, having been part of the Security Public Policy analysis, and everyone is confident the business understands the new obligations, the purpose, the private sector responses (and asks), and the risks. No surprises.

    SecOps are happy as they can focus on operations and defence during the public policy cycle, and know what to expect when it concludes. Compliance is happy as they can concentrate on the technicality of compliance assessment, being confident the legislation and regulatory interpretations are clear. External/Corporate Affairs are happy as the business has shown itself as a trusted and reliable advisor to government and industry. Strategy is happy as the public policy outcome introduces no barriers and may even directly support the business strategy.

    The absence of a Security Public Policy cadre, it seems to me, puts all this at risk. Perhaps the role can be given in whole or in part to a combination of SecOps, Compliance, External/Corporate Affairs or others (even third parties). I’m not convinced this fragmented approach produces good public policy interventions.

    Organisations that invest in this cadre are not waiting for clarity. They’re helping to shape it by investing in intelligence, analysis, solutions, relationships and alliances.

    Organisations that only think about Security Public Policy when change, uncertainty or shifting government priorities appear, will find that key decisions have already been made and shaped by others.

  • Assessing Potential Impact

    By Stephen Hermanson

    21 May 2026

    The previous article shared an overview of the UK government’s legislative agenda for security and resilience. This follow-up helps to flesh out some of the questions that individual organisations could or should be asking about the potential impact.

    Monitoring and engagement can build a picture of the legislative agenda and how others are responding. Depending on the impact, a passive stance may suffice. However, the purpose of Security Public Policy is to understand the relevance and impact of the legislative agenda for the organisation, its supply chains and the broader eco-system.

    Therefore, an intelligence brief about the legislative agenda should be accompanied by an impact assessment that considers how new or amended legislation may influence operational, financial, reputational and strategic risk. This understanding is important to allow business leaders to make informed choices about how to respond. In essence:

    • Protect the business (reduce risk).
    • Ensure appropriate partners and funding (sustainability & efficiency).
    • Remain compliant.

    To illustrate, I’ve taken the UK Cyber Security & Resilience Bill as an example. The questions below could apply equally to other legislation, but the specific purpose, scope and timing of a given measure, together with the particular organisation’s context and constraints, may call for more specific questions.

    The nine lenses below offer a framework for considering organisational impact. It’s not an exhaustive checklist, and each element could expand to include additional considerations. It’s offered simply as a starting point.

    1. Supply Chain Response: Mapping exposure and seeking to understand new or adjusted obligations on supply chains and how these co-exist with your own obligations. The ultimate aim is to strengthen operational effectiveness by driving clarity about responsibility and accountability.
    2. Customer Response: Looking closely at demand shifts, procurement criteria, contract management and consolidation risk. The ultimate aim is to ensure customers are confident about your security posture and compliance. In some instances, you may be supporting customers to understand their own obligations.
    3. Sector Regulator Response: Your regulator’s interpretation is your effective compliance standard. The aim is to remain engaged with the regulator (possibly multiple regulators) to understand the timetable and process for arriving at new or adjusted interpretations, and to be ready to provide evidence-based input to support or challenge regulatory measures.
    4. Cross-Sector Consistency: Divergence risk for multi-sector operators and suppliers. This is often the most neglected element, as organisations need to look beyond their immediate sector and regulator to understand how horizontal security and resilience legislation plays out. The aim is to understand and remedy any ambiguities, gaps or inconsistencies between sectors.
    5. International Comparison: Security and resilience are agnostic to borders, and global supply chains continue to transcend jurisdictions. Many of the technical standards and guidelines that underpin the implementation of security and resilience controls stem from collaborations in regional and international standards bodies and alliances. The aim is to offer a practical perspective on where and how international approaches need to adapt.
    6. Threat Actor Response: Adversaries get a vote too. They will be looking closely at the steps governments and organisations are taking to detect, protect against and respond to attacks. Threat Intelligence can play an important role in understanding how adversaries are responding and adapting. The aim is to pair good Threat Intelligence with good Security Public Policy to design measures that are relevant, effective and sustainable.
    7. Internal Governance & Culture: It is very easy for all of this to go unnoticed at ExCo and Board level unless the impact assessment can package and articulate the risks in a timely and effective way. The aim is to ensure sustained and reliable access to the ExCo and Board so as to secure literacy, ownership clarity, compliance maturity and prioritisation. The key is to frame security and resilience as part of the broader External/Corporate Affairs strategy.
    8. Insurance Market Response: It is worth keeping an eye on underwriting shifts, policy terms and regulatory penalty cover. In an environment such as security and resilience, where it is acknowledged that incidents are inevitable, insurance can play a central part in response and recovery. Understanding of the threat landscape, performance against regulatory obligations and a credible track record of investment in security and resilience will feature strongly in underwriting discussions.
    9. Investor & ESG Scrutiny: Investors may seek to apply their own interpretation and standards (usually from their home jurisdiction or other parts of their portfolio). They will seek confidence in the organisation’s security and resilience performance and its relationships with government, regulators and agencies. They will want to be certain about disclosure, prioritisation, efficiency and risk tolerance. The aim is to understand and reconcile these factors.

    The nine lenses are not equally urgent. They map to different planning horizons and organisational functions, and organisations should calibrate them to their sector, size, supply chain complexity and regulatory relationships. For example:

    Immediate (lenses: Regulator · Supply Chain): Regulatory guidance and supply chain scope determine your actual obligations before secondary legislation is confirmed.
    Near-term, 2026 (lenses: Cross-Sector · Governance · Insurance): Secondary legislation consultation. Board governance and insurance alignment can begin immediately.
    Strategic, 2026–28 (lenses: Customers · International · Threats · Investors): Longer planning cycle. These lenses inform investment decisions, international strategy and market positioning over the full implementation period.

    In conclusion, not every question will be relevant to every organisation. These proposed lenses can provide a structure for workshops or risk assessments. The key is to keep pace with the policy cycle and remain engaged at proposal, primary legislation, secondary legislation, regulatory guidance and standards development. New or reformed public policy considerations and risks could emerge at each stage, especially in response to powerful lobbies.

  • UK Legislative Agenda for Security & Resilience

    By Stephen Hermanson

    14 May 2026

    The King’s Speech traditionally receives comprehensive analysis and commentary, and 2026 is no different.

    This piece is a small contribution that focuses specifically on the government’s agenda for security and resilience, which contains a number of legislative measures to respond to the security landscape driven by the current geopolitical context.

    For organisations on the frontline, responding to security threats, the timing and nature of public policy interventions have important implications for the success and sustainability of security postures and investments.

    A complex tapestry of extant, updated and new legislation has arisen to provide both governments and industry with mandates and obligations to understand and respond to threats against national security and resilience (examples in Annex-A).

    Leaving aside how governments define national security and resilience (something to return to in a future piece), the mission for organisations is to chart a course through a complex array of legal and regulatory requirements to arrive at an effective and sustainable security strategy.

    Too often, however, the strategy merely responds to the legal and regulatory position as it lands. At this point the legal and regulatory position has determined the paradigm and broad parameters. Security Public Policy gets in front of this cycle and helps to assess and shape the design and scope of legislative measures for current and future contexts.

    This is useful as it brings real world operational data about security into the public policy process. This allows for careful analysis of what works, what doesn’t and what the trade-offs might be in terms of cost, capability and intrusion. It’s also useful as it allows for a holistic approach that considers how separate pieces of legislation co-exist to support/amplify effects.

    There’s no avoiding the reality of complex legislative stacks. The role of Security Public Policy is to refine and consolidate security and resilience measures to reduce overlap, ambiguity and gaps insofar as possible – looking across primary and secondary legislation, regulatory interpretations and industry standards.

    The aim is effective and efficient public policy that creates the conditions for good security outcomes. It’s a long game that needs to span a number of policy cycles, financial years and even governments.

    Annex-A – Key Security Initiatives as of 14 May 2026

    Legislation and headline summary:

    Cyber Security & Resilience Bill: Replaces the 2018 Network & Information Systems (NIS) Regulations. Expands scope. 24/72-hour incident reporting. Regulators gain cost recovery and audit powers.
    Computer Misuse Act Reform: New legal defence for individuals who access systems in good faith to identify and responsibly disclose vulnerabilities where they follow defined safeguards.
    Terrorism (Protection of Premises) Act (Martyn’s Law): Comes into force no earlier than April 2027. The Security Industry Authority oversees compliance with proactive steps to ensure formal security planning and training for public events.
    Border Security, Asylum & Immigration Act: Counter-terrorism-style ‘precursor offences’ criminalise supply chain support and information gathering for organised immigration crime.
    Crime and Policing Act: New youth diversion orders for terrorism-related arrests. Police can extract data from cloud accounts accessed via seized devices.
    Tackling State Threats Bill: New designation mechanism for state-linked organisations to disrupt foreign proxies and front companies. 2023 National Security Act offences also extended to state proxies.
    National Security Bill: Criminalises creation and sharing of the most harmful online material associated with mass casualty planning. Extends the Online Safety Act framework.
    Energy Independence Bill: Explicitly framed as a national security measure; creates a dual regulatory track for energy operators that intersects with Cyber Security & Resilience Bill obligations.
    Armed Forces Bill: Introduced in the 2024–26 session and carried over to 2026–27. Improves the service justice system and establishes the Armed Forces Covenant in statute.
    Defence Readiness Bill: Absent. Would have implemented the Strategic Defence Review 2025 recommendations. Defence Investment Plan stalled.
  • By Stephen Hermanson

    Critical national infrastructure’s increasing significance as a central component of national security is feeding through into new primary legislation, regulation, and more exacting oversight regimes.

    The broader security environment remains challenging. Technology has become increasingly embedded, distributed, and connected — and is being met by more aggressive and greater numbers of adversaries.

    Governments and industry should work together to better understand each other’s needs, and ultimately devise and implement policies that use proportionate, cost-effective, and phased security measures based on risk and evidence.

    More to follow.