Government Regulation over Market Incentives

By Stephen Hermanson

Public policy interventions in the form of security regulations need to be careful and surgical, and must consider the harms that may arise from poor interventions.

4 June 2026

Context

“Last week at the World Economic Forum’s annual cybersecurity conference in Geneva, ISA President Larry Clinton and Joe Levey, President and CEO of Sophos, debated Hans De Vries (ENISA) and Megan Stifel (Institute for Security and Technology) on a question central to global cyber policy: Is cybersecurity best driven by market incentives or government regulation?” [ISA 2026, LinkedIn].

“In a first for the WEF, the session used a true debate format with opposing sides rather than a conventional panel. The audience response was striking. Before the debate, participants favoured government regulation over market incentives by a 2:1 margin. By the end, the audience had nearly reversed course, expressing greater confidence in market incentives by the same margin.” [ISA 2026, LinkedIn].

“The results speak for themselves: the more a sophisticated global audience engages seriously with the intersection of governance and technology, the clearer it becomes that the traditional regulatory model is a poor fit for the cybersecurity challenges ahead — especially as AI accelerates the speed and complexity of the threat environment.” [ISA 2026, LinkedIn].

Introduction

I was fortunate to contribute to this 2016 publication – The Cybersecurity Social Contract by the Internet Security Alliance [ISBN 9780692755037], so I enjoyed seeing this debate and the outcome.

Public policy interventions are designed to correct market failures. The question at hand is whether markets can produce good and appropriate cyber security outcomes. Therefore, public policy intervention in the form of security regulations needs to be careful and surgical.

This reminded me of an assignment during a recent course at The London School of Economics and Political Science (LSE) in 2023, which I summarise in this article.

Strategy to bring the issue to the policy agenda

Policymakers may struggle to understand the causal relationships between better cybersecurity, market incentives and regulation. To reach the policy agenda, it would be necessary to explain why a seemingly healthy cybersecurity market, with many existing standards and regulations and many established global players generating good levels of competition, innovation and resilience, would need intervention.

Traditional risk assessments (likelihood vs impact) guide policymakers on the scope, timing and nature of possible interventions compared to competing priorities on the public policy agenda.

For many countries cybersecurity is central to national resilience, and risk assessments are mature and routine. However, an assessment of the harm that may arise from poor public policy interventions is often missing. Such an assessment can orientate policymakers and create better public resonance, which is important for a technical issue that is prone to fast-moving issue-attention cycles.

Stronger resonance is useful as it broadens the assessment of policy interventions to include other countries and jurisdictions. This includes ideological arguments (values & norms), technical/scientific arguments (risk assessments) or competitive arguments (economic & strategic autonomy).

The agenda-setting power is centred on national security agencies (with technical/scientific arguments) and political groups (with ideological arguments). Both groups use their levers of power to intervene through new or existing laws and incentives.

This creates a competitive agenda-setting process and a prominent role for policy entrepreneurs seeking to align the problem, solution and politics. In the example of cybersecurity, the problem and political streams align naturally, but the solution stream may fall into and out of alignment quite suddenly. Solutions are complex, and decision making is likely to be punctuated as stakeholders realise that incremental decision making hasn’t kept pace with the policy issue.

Factors to ensure successful policy interventions

Cybersecurity is a complex policy issue with stakeholders across government, regulators and industry. Implementation requires extended intervention over years across different areas of the economy, and consensus on success metrics (how to know when security has reached an optimal level).

Resource constraints and dependencies in this example are sensitive to funding (as intervention will require both private and public investments in financial, human & material resources) and co-ordination (spanning a wide group of stakeholders across the private and public sectors). As more actors become involved during implementation, having target groups and bureaucratic agencies take part in subsequent agenda setting rounds can help to mitigate implementation issues. Government convening power will play a vital role to ensure a good platform for cooperation between several different groups.

With a prominent role for industry as an agent for implementation (industry acting almost as street-level bureaucrats in this example), the principal-agent dynamic will require a contract that balances government monitoring and control with private corporate goals and fiduciary duties.

Best approach for evaluation and possible constraints

Evaluation should test a previously agreed hypothesis with a sample group in order to establish whether intervention is having a meaningful impact.

An independent body will offer the best mechanism for stakeholders to join in a common evaluation project that builds trust in the evaluation process and findings (bearing in mind the information asymmetries and differences in interests between stakeholders). In this case the recommended form of evaluation is a cost–benefit analysis, as this type of evaluation can compare the inputs and outputs of the intervention to assess its economic effectiveness. Economic effectiveness is likely to have a disproportionate influence on how cybersecurity objectives are achieved and maintained over the long term (and secure further political attention that may be needed as the policy cycle continues).

Bounded rationality will place a significant constraint on policymakers given the duration and complexity of the interventions in this example. The use of experimental design for the impact evaluation can help to address policymaker bias (subject matter, belief systems or ideologies) and avoid situations where evaluation is used to justify political positions.

References

Bachrach, P. & Baratz, M.S. 1962. Two faces of power. The American Political Science Review, 56(4):947–952. DOI: https://www.jstor.org/stable/1952796.

Cairney, P. 2012. Understanding public policy: Theories and Issues. London: Red Globe Press.

Dahl, R.A. 1957. The concept of power. Behavioral Science, 2(3):201–215. DOI: https://doi.org/10.1002/bs.3830020303.

Downs, A. 1972. Up and down with ecology – the “issue-attention” cycle. The Public Interest, 28(Summer):38–50.

Howlett, M., Ramesh, M. & Perl, A. 2009. Studying public policy: policy cycles & policy subsystems. Rev. 3rd ed. Toronto: Oxford University Press.

Kingdon, J. 2013. Agendas, alternatives, and public policies. 2nd ed. United States: Pearson Higher Education.

Cobb, R., Ross, J. & Ross, M.H. 1976. Agenda building as a comparative political process. The American Political Science Review, 70(1):126–138. DOI: https://doi.org/10.1017/S0003055400264034.

Hogwood, B. & Gunn, L.A. 1984. Policy analysis for the real world. Oxford: Oxford University Press.

Lipsky, M. 1980. Street-level bureaucracy: dilemmas of the individual in public services. New York: Russell Sage Foundation.

Bovens, M., ’t Hart, P. & Kuipers, S. 2006. The politics of policy evaluation. In The Oxford handbook of public policy. M. Moran, M. Rein & R.E. Goodin, Eds. Oxford: Oxford University Press. 319–335.

Weiss, C. 1999. The interface between evaluation and public policy. Evaluation, 5(4):468–486. DOI: https://doi.org/10.1177/135638909900500408.
