Project description
Cybersecurity has become a fundamental issue in the most recent years. It “covers all aspects of prevention, forecasting, tolerance, detection, mitigation, removal, analysis and investigation of cyber incidents” (ENISA 2017). The complexity, the scale, the scope, and the interdependencies of cybersecurity problems are widely recognized as one of the deepest and most relevant challenges that have to be faced by governments and political actors nowadays. Private and public policies have increasingly been developed around cybersecurity collective problems all over the world, and their impact and consequences on individuals, businesses, public administrations and institutions are very much overlooked.
The main objective of this project is to understand how cybersecurity is getting institutionalized in multilevel, polycentric systems of governance, such as the European Union and Italy. This research aims to investigate the institutionalization of cybersecurity policy as a multidimensional process. Institutionalization is intended as a process through which ideas, norms, rules, and procedures tend to stabilize and guide the decisions, behaviors, and interactions of the actors. Moreover, institutionalization mobilizes actors and tools to make policy programs work and achieve specific results.
The research will define, analyse and explain cybersecurity policy institutionalization along all the stages of the policy cycle, considering various indicators of institutionalization. Policy discourses, frames, networks, instruments and outcomes will be identified, contextualised and assessed through a mixed methods approach applied to a set of crucial cases, including EU and Italian cybersecurity related power arenas, as well as the Italian public administration. The genesis of a full-blown cybersecurity policy at the EU level was marked by the 2013 EU Cybersecurity Strategy (EUCSS 2013) which includes binding and non-binding measures geared toward the creation of an open, safe and protected cyberspace. EUCSS also inaugurated the adoption of a common cybersecurity strategy at the EU level. The EUCSS is constituted by the NIS directive (2018), transposed in Italy in the same year, then evolved into the 2020 EU Cybersecurity Act.
Results are expected to shed light on institutionalization processes and policy-making in complex, multilayered policy arenas, and to provide knowledge to explain how cybersecurity is emerging as a specific domain of public policy. The research will provide valuable data, findings, and insights to decision-makers involved into emerging cybersecurity policy processes, helping society to deal with the challenges and transformations occurring worldwide because of the Covid-19 pandemic.