Abstract
This dissertation examines the conditions under which cyber risk transitions from a matter of private responsibility to one requiring state intervention. Through systematic literature synthesis, this study analyses economic, legal, and public policy scholarship to identify the principal triggers warranting governmental action in cybersecurity governance. The research reveals that state intervention becomes justified when cyber risks exhibit systemic characteristics, threaten critical infrastructure, generate substantial externalities, or exceed private insurance market capacity. Key findings indicate that purely voluntary or advisory approaches prove inadequate for managing correlated cyber losses and cascading failures, whilst private insurance markets, despite functioning as de facto regulators, cannot independently deliver socially optimal resilience. The analysis identifies three primary policy instruments—financial backstops, binding regulatory standards, and liability frameworks—each appropriate under specific risk conditions. The dissertation concludes that whilst the optimal policy mix remains context-dependent, the contemporary threat landscape increasingly renders passive governmental approaches untenable. These findings contribute to ongoing debates regarding the appropriate boundary between private responsibility and public intervention in cybersecurity governance.
Introduction
The digital transformation of society has created unprecedented dependencies upon interconnected information systems, fundamentally altering the risk landscape facing individuals, organisations, and nations. Cyber incidents now possess the capacity to disrupt essential services, compromise critical infrastructure, and generate cascading failures across economic sectors. The 2017 NotPetya attack, attributed to state actors, caused estimated global damages exceeding ten billion dollars, affecting entities as diverse as shipping conglomerates, pharmaceutical manufacturers, and logistics companies (Greenberg, 2018). Such incidents illuminate a fundamental governance question: at what point does cyber risk transcend individual and organisational responsibility to become a matter requiring direct state intervention?
This question carries substantial academic, practical, and societal significance. From an academic perspective, cyber risk challenges established frameworks of risk governance, insurance theory, and regulatory economics. The characteristics distinguishing cyber risk from traditional insurable perils—including correlation of losses, attribution difficulties, and rapid threat evolution—demand theoretical innovation. Practically, policymakers worldwide grapple with designing effective cybersecurity governance frameworks, balancing innovation imperatives against protection requirements. Societally, the potential for catastrophic cyber events affecting essential services raises fundamental questions regarding governmental obligations to citizens.
Traditional approaches to cyber risk governance have predominantly emphasised individual and organisational responsibility. Governments have largely adopted advisory postures, issuing guidance whilst delegating protective obligations to private actors. This responsibilisation paradigm reflects neoliberal governance philosophies privileging market mechanisms and individual agency. However, accumulating evidence suggests this approach may prove insufficient given the distinctive characteristics of cyber threats, including their contagion-like propagation, the externalities they generate, and their potential for systemic harm.
The cyber insurance market has emerged as a significant private governance mechanism, with insurers setting de facto security standards through underwriting requirements and policy conditions. Nevertheless, the insurance sector confronts fundamental challenges in managing cyber risk, including limited actuarial data, correlation of losses across policyholders, and ambiguity regarding coverage exclusions. Recent insurer attempts to invoke war exclusions for state-attributed attacks have generated substantial litigation and uncertainty, exemplified by the Merck litigation concerning NotPetya losses.
This dissertation addresses the gap between prevailing governance approaches and the evolving nature of cyber risk by synthesising multidisciplinary scholarship to establish principled criteria for determining when state intervention becomes warranted. The analysis draws upon economic theory, legal scholarship, public administration research, and insurance studies to develop an integrated framework for understanding the appropriate governmental role in cybersecurity governance.
Aim and objectives
The principal aim of this dissertation is to establish the conditions under which cyber risk warrants direct state intervention, moving beyond purely advisory or voluntary governmental approaches.
To achieve this aim, the following objectives guide the research:
1. To examine economic and policy rationales for state intervention in risk governance, identifying how these apply to the distinctive characteristics of cyber risk.
2. To analyse the capabilities and limitations of private insurance markets in managing cyber risk, establishing where market failures necessitate governmental action.
3. To evaluate existing policy instruments—including financial backstops, regulatory standards, and liability frameworks—assessing their appropriateness for different cyber risk conditions.
4. To critically assess the prevailing responsibilisation paradigm in cybersecurity governance, determining its adequacy for contemporary threat landscapes.
5. To synthesise findings into a coherent framework mapping cyber risk characteristics to appropriate intervention mechanisms.
Methodology
This dissertation employs a systematic literature synthesis methodology, integrating findings from economic, legal, and public policy scholarship addressing cyber risk governance. Literature synthesis represents an appropriate methodological approach when the objective involves consolidating diverse disciplinary perspectives on a complex phenomenon and when primary empirical research would prove impractical given the scope of the inquiry (Snyder, 2019).
The research strategy involved comprehensive searching of academic databases, including Web of Science, Scopus, and Google Scholar, using search terms combining “cyber risk,” “cybersecurity,” “state intervention,” “government regulation,” “insurance,” “liability,” and “critical infrastructure.” Additional sources were identified through citation tracking and examination of reference lists within retrieved articles. The search prioritised peer-reviewed journal articles, with supplementary material drawn from government publications, authoritative institutional reports, and scholarly books.
Inclusion criteria specified English-language publications addressing the intersection of cyber risk with governmental policy, regulatory frameworks, insurance mechanisms, or liability regimes. Materials focusing exclusively on technical cybersecurity measures without policy dimensions were excluded. The analysis concentrated on publications from 2010 onwards to ensure currency, though foundational theoretical works from earlier periods were included where relevant.
Retrieved materials were subjected to thematic analysis, with findings organised according to the research objectives. Themes were identified both deductively, based on the research questions, and inductively, emerging from the literature itself. The analysis sought to identify points of scholarly consensus, ongoing debates, and gaps in existing knowledge.
This methodology carries inherent limitations. Literature synthesis depends upon the quality and scope of available scholarship, potentially excluding relevant unpublished or non-English research. The rapidly evolving cyber threat landscape means that even recent publications may not reflect current conditions. Nevertheless, the systematic approach provides a rigorous foundation for addressing the research questions.
Literature review
Economic foundations of state intervention in risk governance
Classical economic theory provides established justifications for governmental intervention in risk governance, centring upon market failure and externality correction. Public goods theory recognises that certain protections exhibit non-excludability and non-rivalry characteristics, leading to underinvestment absent public provision. Externality theory identifies circumstances where private actions generate costs or benefits affecting parties beyond the immediate transaction, creating divergences between private and social optima.
Applied to cybersecurity, these frameworks illuminate distinctive market failures. Firms investing in security generate positive externalities for interconnected parties who benefit from reduced threat propagation without bearing investment costs. Conversely, organisations with inadequate security impose negative externalities upon others through their vulnerability to compromise and potential as attack vectors. These externalities cause private security investment to fall below socially optimal levels, constituting a classical justification for intervention (Abrardi, Comino and Grassini, 2025).
Economic modelling of cyber risk reveals additional complexities. Öğüt, Raghunathan and Menon (2011) demonstrate that correlated cyber risks create systematic underinvestment in self-protection even within competitive insurance markets. Their analysis reveals that when losses are correlated across policyholders—as occurs with widespread malware, zero-day exploits, or attacks targeting common software vulnerabilities—insurance mechanisms alone cannot achieve efficient outcomes. The correlation problem fundamentally distinguishes cyber risk from traditional insurable perils, which typically exhibit loss independence across policyholders.
Further economic analysis highlights information asymmetries pervading cybersecurity contexts. Organisations may possess private information regarding their security practices that insurers cannot readily observe, generating moral hazard and adverse selection problems. Whilst insurers attempt to address these asymmetries through underwriting assessments and policy conditions, imperfect observability of security investments limits effectiveness. Öğüt, Raghunathan and Menon (2011) specifically address the “imperfect ability to prove loss” characterising many cyber incidents, where organisations may struggle to demonstrate harm causation with the precision required for insurance claims or liability proceedings.
Systemic and catastrophic cyber risk
The potential for systemic cyber events represents a particularly compelling justification for state intervention. Systemic risk, extensively analysed following the 2008 financial crisis, refers to circumstances where individual failures can cascade across systems, generating losses vastly exceeding the sum of isolated incidents. Applied to cybersecurity, systemic risk arises from interconnected digital infrastructure, common dependencies upon particular vendors or technologies, and the potential for malicious actors to exploit vulnerabilities simultaneously affecting numerous organisations.
Awiszus et al. (2023) develop computational models demonstrating how correlated cyber losses and cascading failures create inefficient outcomes even in competitive insurance markets. Their artificial laboratory approach simulates cyber incident propagation, revealing that private insurance capacity becomes overwhelmed under catastrophic scenarios. The authors propose state-funded backstops for systemic cyber incidents, explicitly modelled upon terrorism insurance frameworks such as the United States Terrorism Risk Insurance Act (TRIA). Under their proposal, federal guarantees would absorb losses exceeding private capacity, with post-event surcharges on policyholders tied to their systemic risk contributions.
The terrorism insurance analogy carries substantial analytical value. Following the September 11 attacks, private insurers withdrew terrorism coverage, creating protection gaps for commercial property essential to economic activity. Governmental intervention through TRIA established a public-private risk sharing mechanism, enabling markets to function whilst limiting taxpayer exposure. Cyber risk increasingly exhibits comparable characteristics—potential for catastrophic losses, attribution to hostile actors, and private market capacity constraints—suggesting analogous policy responses may prove appropriate (Wolff, 2022).
Critical infrastructure protection
Critical infrastructure—comprising systems essential for societal functioning including energy, water, transportation, healthcare, and financial services—presents distinctive governance challenges. Disruption to these systems can generate severe social harm extending far beyond direct economic losses to operators. The essential nature of these services, combined with their interdependencies, means that private actors cannot fully internalise the social costs of inadequate protection.
Haber and Zarsky (2017) provide critical analysis of cybersecurity frameworks for infrastructure protection, concluding that light-touch or purely voluntary regimes prove insufficient given market failures, externalities, and potential for severe social harm. Their analysis identifies multiple mechanisms through which voluntary approaches fail: operators may underinvest where security costs are immediate whilst attack probabilities remain uncertain; competitive pressures may discourage security investments perceived as reducing profitability; and information asymmetries may prevent stakeholders from distinguishing secure from insecure operators.
The authors advocate stronger ex ante standards and enforcement, moving beyond advisory approaches toward binding regulatory requirements. Their analysis engages with counterarguments regarding regulatory burden and innovation effects, acknowledging legitimate concerns whilst maintaining that infrastructure criticality justifies mandatory protections. This position reflects broader scholarly consensus that purely market-based governance proves inadequate for infrastructure presenting substantial systemic risks.
Empirical research on United States critical infrastructure partnerships provides qualified support for regulatory approaches. Atkins and Lawson (2020) examine public-private partnerships established to enhance infrastructure cybersecurity, finding that effectiveness depends heavily upon regulatory pressure, particularly when threats to operations are substantial. Their research reveals that voluntary collaboration proves insufficient absent underlying regulatory compulsion, with organisations responding primarily to mandatory requirements rather than advisory guidance. This finding carries significant implications for governance design, suggesting that partnership frameworks require regulatory underpinning to achieve meaningful security improvements.
The responsibilisation paradigm and its limitations
Contemporary cybersecurity governance in numerous jurisdictions reflects what scholars term “responsibilisation”—governmental strategies that place protective obligations upon individuals and organisations whilst limiting direct state intervention to advisory functions. Under this paradigm, governments issue guidance, establish voluntary frameworks, and promote awareness, whilst citizens and businesses bear primary responsibility for their own protection.
Renaud et al. (2018) subject this responsibilisation approach to sustained critique, arguing it proves unreasonable given the complexity and contagion-like nature of cyber threats. Their analysis identifies multiple respects in which individual responsibility proves inadequate: ordinary users lack technical expertise to assess threats or evaluate protective measures; the interconnected nature of cyber threats means that individual actions affect others beyond the immediate actor; and the sophistication of contemporary attacks renders individual defences frequently insufficient regardless of user diligence.
Comparative analysis across jurisdictions reveals the pervasiveness of responsibilisation approaches. Renaud et al. (2020) evaluate intervention approaches adopted by the Five Eyes countries—the United States, United Kingdom, Canada, Australia, and New Zealand—alongside China, finding that Western democracies predominantly emphasise individual responsibility and voluntary business engagement. The authors argue this represents an inadequate response to threats exhibiting public health characteristics, advocating instead for active governmental support analogous to fire safety or disease prevention frameworks.
The public health analogy carries considerable analytical power. Infectious disease management recognises that individual actions carry collective consequences, that information asymmetries limit individual capacity for informed decision-making, and that coordination failures prevent purely voluntary measures from achieving socially optimal outcomes. These characteristics apply equally to cyber threats, where compromised systems become vectors for malware propagation, where technical complexity exceeds ordinary user comprehension, and where collective action problems impede private protection efforts.
Insurance as private governance
The cyber insurance market has expanded substantially, with insurers assuming significant private governance functions. Through underwriting requirements, policy conditions, and claims processes, insurers establish de facto security standards influencing organisational behaviour. Herr (2019) analyses this enforcement power of markets, documenting how insurers require specific security controls, mandate incident response capabilities, and incentivise protective investments through premium structures.
This private governance function offers potential advantages over direct regulation. Insurers possess commercial incentives to accurately assess risks and price policies accordingly, potentially achieving more nuanced risk differentiation than regulatory frameworks permit. The contractual relationship between insurer and policyholder enables enforcement mechanisms unavailable to regulators, including coverage denial for non-compliance with security requirements. Furthermore, insurers can adapt requirements more rapidly than legislative or regulatory processes typically permit.
However, significant limitations constrain insurance as a cybersecurity governance mechanism. Correlated risk poses fundamental challenges: when attacks simultaneously affect numerous policyholders, insurers confront concentrated losses potentially exceeding reserves. Attribution difficulties complicate coverage determinations, particularly regarding war exclusions that have generated substantial litigation. Limited actuarial data renders pricing uncertain, with premium levels potentially reflecting insurer uncertainty rather than accurate risk assessment.
Wolff (2022) provides comprehensive analysis of cyber insurance policy, identifying gaps between insurance market capabilities and societal protection requirements. Without state-provided data, standards, and possibly a public backstop, insurance alone cannot deliver socially optimal resilience. This conclusion aligns with economic analyses demonstrating that private insurance markets confronting correlated risks and externalities cannot achieve first-best outcomes absent governmental intervention (Öğüt, Raghunathan and Menon, 2011; Awiszus et al., 2023).
Liability frameworks and their complexities
Liability regimes represent an alternative or complementary intervention mechanism, potentially aligning private incentives with social optima by imposing costs upon actors whose conduct generates harm. Product liability, negligence standards, and contractual obligations each offer potential mechanisms for incentivising security investments and allocating losses to parties best positioned to prevent or absorb them.
Bellovin (2023) examines cybersecurity liability proposals, acknowledging their theoretical appeal whilst identifying practical complications. Liability frameworks function effectively when causal relationships are identifiable, when defendants possess capacity to satisfy judgments, and when legal processes operate with sufficient speed to influence ongoing behaviour. Cyber incidents frequently challenge these conditions: attack attribution remains contested; causal chains extend across multiple actors; and the time between security decisions and resultant harms may span years.
Vendor liability presents particular complexities. Software producers have historically disclaimed responsibility for security defects through contractual terms, limiting purchaser recourse. Proposals to impose mandatory liability upon vendors aim to internalise security costs within development decisions. However, Abrardi, Comino and Grassini (2025) caution that liability regimes must be carefully designed to avoid stifling innovation, recognising the difficulty of specifying security requirements for software addressing diverse use cases and threat environments.
Carefully scoped liability frameworks may nonetheless contribute to improved security incentives. The combination of liability risk with insurance requirements can motivate organisations to implement protective measures, with insurers conducting risk assessments that regulatory processes may lack capacity to replicate. Abrardi, Comino and Grassini (2025) identify liability regimes, mandatory standards, and potentially mandatory cyber insurance as complementary corrective tools, whilst emphasising the need for calibration to specific sectoral contexts.
Regulatory approaches and their critiques
Mandatory cybersecurity regulation represents the most direct form of state intervention, establishing binding requirements enforced through governmental authority. Regulatory approaches range from prescriptive standards specifying particular controls to outcome-based frameworks requiring achievement of defined security objectives. Disclosure requirements, audit obligations, and certification regimes provide additional regulatory mechanisms.
Advocates for mandatory regulation emphasise the inadequacy of voluntary approaches documented in empirical research (Atkins and Lawson, 2020) and the theoretical arguments regarding externalities and market failures (Haber and Zarsky, 2017). Binding standards can establish minimum security levels across industries, preventing competitive dynamics that might otherwise drive protection levels downward. Regulatory enforcement provides accountability mechanisms absent from purely advisory approaches.
However, regulatory intervention attracts substantial criticism. Hodgins (2024) articulates perils of cybersecurity regulation from an Austrian economics perspective, emphasising knowledge limitations confronting regulators, the potential for regulatory requirements to become outdated as threats evolve, and risks that compliance-focused approaches displace genuine security improvement. These critiques echo broader debates regarding command-and-control regulation versus market-based alternatives.
Effective regulatory design must navigate these tensions. Performance-based standards may offer greater flexibility than prescriptive requirements, permitting organisations to select implementation approaches suited to their circumstances. Risk-based regulatory priorities can concentrate oversight upon entities presenting greatest systemic significance. Adaptive regulatory frameworks incorporating sunset provisions and regular review can address concerns regarding obsolescence. Nevertheless, designing regulation that achieves meaningful security improvement without excessive burden or innovation suppression remains challenging.
Discussion
The literature synthesis reveals substantial scholarly convergence regarding conditions warranting state intervention in cybersecurity governance. This discussion analyses key findings, critically examines their implications, and assesses achievement of the research objectives.
Establishing intervention thresholds
Research across economic and policy disciplines converges upon the position that state intervention becomes appropriate when cyber risks exhibit systemic characteristics, threaten critical infrastructure, generate substantial externalities, or exceed the capacity of private markets to manage them efficiently. This convergence provides a principled foundation for distinguishing circumstances requiring governmental action from those appropriately addressed through private mechanisms.
Systemic risk represents the clearest intervention trigger. When cyber incidents possess potential for cascading failures affecting entities beyond those initially compromised, the divergence between private incentives and social optima becomes pronounced. Individual organisations lack motivation to invest adequately in security that contributes to collective resilience, generating underprotection relative to socially optimal levels. The computational modelling by Awiszus et al. (2023) demonstrates this dynamic rigorously, establishing that even competitive insurance markets cannot achieve efficient outcomes under conditions of correlated cyber risk.
Critical infrastructure presents a related but distinct justification. The essential nature of infrastructure services, combined with interdependencies across sectors, means that protection failures carry consequences extending far beyond direct financial losses to operators. Haber and Zarsky (2017) persuasively argue that these characteristics render voluntary approaches inadequate, necessitating binding standards with meaningful enforcement. The empirical findings of Atkins and Lawson (2020) reinforce this conclusion, demonstrating that partnership frameworks achieve effectiveness primarily when underpinned by regulatory pressure.
The externality framework provides theoretical coherence to these observations. When security investments by one party benefit others who do not bear associated costs, private investment falls below socially optimal levels. This market failure justifies corrective intervention, whether through liability regimes internalising external costs, subsidies incentivising positive externalities, or mandatory standards establishing minimum protection levels (Abrardi, Comino and Grassini, 2025).
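The underinvestment argument made in the literature review and restated here can be made concrete with a stylised interdependent-security model. The following Python example is added for illustration and is not part of the dissertation or of any cited work; the functional forms (exponential own-protection, a spillover probability s by which a neighbour's compromise spreads, and a linear investment cost) and the loss and cost figures are assumptions chosen only to make the mechanism visible. Two symmetric firms each choose a security investment; in the private (Nash) equilibrium each firm ignores the protection its investment confers on the other, whereas the social optimum counts it.

```python
"""Constructed interdependent-security model: private versus socially optimal investment.

Added example, not from the dissertation: a stylised two-firm model showing why
security spillovers push equilibrium investment below the social optimum.
All functional forms and parameter values are assumptions.
"""
import math

LOSS = 100.0   # loss a firm suffers if breached (constructed units)
COST = 10.0    # cost per unit of security investment (constructed units)
GRID = [i / 100 for i in range(0, 601)]   # candidate investment levels 0.00 .. 6.00


def own_compromise(x: float) -> float:
    """Probability a firm is compromised directly; falls with its own investment x."""
    return math.exp(-x)


def breach_probability(x_i: float, x_j: float, s: float) -> float:
    """Firm i is breached if compromised directly, or if neighbour j is compromised
    and the compromise spreads to i with probability s (the externality channel)."""
    return 1 - (1 - own_compromise(x_i)) * (1 - s * own_compromise(x_j))


def private_cost(x_i: float, x_j: float, s: float) -> float:
    """Expected cost borne by firm i alone: expected loss plus its own investment."""
    return LOSS * breach_probability(x_i, x_j, s) + COST * x_i


def best_response(x_j: float, s: float) -> float:
    """Investment minimising firm i's own cost, taking the neighbour's x_j as given."""
    return min(GRID, key=lambda x: private_cost(x, x_j, s))


def nash_investment(s: float, max_iter: int = 200) -> float:
    """Symmetric Nash equilibrium found by iterated best response."""
    x = 0.0
    for _ in range(max_iter):
        nx = best_response(x, s)
        if nx == x:          # fixed point on the grid: neither firm wants to move
            return nx
        x = nx
    return x


def social_investment(s: float) -> float:
    """Symmetric investment minimising the two firms' combined expected cost,
    which counts the spillover benefit each firm's investment gives the other."""
    return min(GRID, key=lambda x: 2 * private_cost(x, x, s))


def compare(s: float) -> dict:
    """Private equilibrium versus social optimum for spillover strength s."""
    xn, xs = nash_investment(s), social_investment(s)
    return {
        "spillover": s,
        "nash": xn,
        "social": xs,
        "nash_total_cost": 2 * private_cost(xn, xn, s),
        "social_total_cost": 2 * private_cost(xs, xs, s),
    }


if __name__ == "__main__":
    for s in (0.0, 0.2, 0.5, 0.8):
        r = compare(s)
        print(f"s={s:.1f}: nash x={r['nash']:.2f}  social x={r['social']:.2f}  "
              f"total cost {r['nash_total_cost']:.1f} vs {r['social_total_cost']:.1f}")
```

With no spillover (s = 0) the two solutions coincide, so the gap is entirely attributable to the externality. As s rises, the socially optimal investment rises while the Nash investment falls, because each firm increasingly relies on its neighbour's protection; that free-riding is the divergence between private and social optima that liability, subsidy, or minimum standards are meant to correct.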
Limitations of private governance mechanisms
The analysis reveals significant limitations constraining private governance mechanisms, particularly insurance, as standalone cybersecurity governance instruments. Whilst insurers exercise substantial influence through underwriting requirements and premium structures, their capacity to achieve socially optimal resilience remains constrained.
Correlation of cyber risks poses the fundamental challenge. Traditional insurance models assume loss independence across policyholders, enabling risk pooling to reduce uncertainty. Cyber incidents frequently violate this assumption: widespread malware, zero-day exploits, and attacks targeting common technologies generate correlated losses across policyholder populations. Under these conditions, diversification benefits diminish, and catastrophic scenarios may exceed insurer capacity.
Attribution difficulties compound these challenges. War exclusions in cyber insurance policies create coverage uncertainty regarding state-attributed attacks, as demonstrated by high-profile litigation following NotPetya. This uncertainty undermines insurance as a reliable risk transfer mechanism, potentially reducing policyholder incentive to purchase coverage or to rely upon insurance for risk management planning.
These limitations do not diminish insurance value within a broader governance framework. Rather, they suggest insurance functions most effectively as a component of mixed governance arrangements incorporating public elements. State provision of threat intelligence, establishment of common standards, and availability of public backstops for catastrophic scenarios can enable insurance markets to operate more effectively, as Wolff (2022) analyses comprehensively.
Critiquing responsibilisation
The responsibilisation critique articulated by Renaud et al. (2018, 2020) carries significant implications for governance design. Prevailing approaches in many jurisdictions emphasise individual and organisational responsibility, with governments limiting intervention to advisory functions. This paradigm reflects broader neoliberal governance philosophies but proves inadequate given distinctive cyber risk characteristics.
The public health analogy illuminates this inadequacy. Just as infectious disease management recognises collective dimensions of individual health decisions, cybersecurity governance must acknowledge that compromised systems pose risks extending beyond their immediate operators. The technical complexity of cyber threats exceeds ordinary users' competence to evaluate them, whilst information asymmetries prevent non-expert assessment of vendor or service provider security practices.
This critique does not necessarily advocate comprehensive governmental control of cybersecurity. Rather, it suggests that purely advisory approaches prove insufficient, requiring supplementation through mechanisms that address externalities, provide baseline protections, and support actors lacking capacity for independent protection. The appropriate balance between individual responsibility and collective provision remains context-dependent, but doing nothing beyond advice appears increasingly untenable.
Policy instrument selection
The research identifies three primary policy instrument categories—financial backstops, regulatory standards, and liability frameworks—each appropriate under specific conditions. Effective governance design requires matching instruments to risk characteristics.
Financial backstops, potentially modelled upon terrorism insurance frameworks, address catastrophic systemic risks exceeding private insurance capacity. The proposal by Awiszus et al. (2023) for state guarantees with post-event surcharges tied to systemic risk contributions represents a sophisticated approach balancing risk sharing with incentive preservation. Such mechanisms would enable insurance markets to function for non-catastrophic risks whilst ensuring coverage availability for extreme scenarios.
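Two points made in this discussion, that loss correlation erodes the diversification on which pooling relies (under "Limitations of private governance mechanisms") and that a backstop with post-event surcharges can be layered above private capacity (the paragraph above), can be illustrated with a small Monte Carlo model. The following Python example is added here and is not the model of Awiszus et al. (2023) nor any other cited work. It constructs a fictitious book of policyholders whose breach probabilities share a common cause (a systemic event affecting a widely used technology), compares the aggregate loss tail with an independence counterfactual that has identical marginal breach probabilities, and then splits realised losses between a private layer and a backstop. The policyholder data, probabilities, capacity figure, and the rule allocating surcharges pro rata to expected loss in a systemic event are all assumptions.

```python
"""Constructed illustration of correlated cyber losses and a backstop layer.

Added example, not from the dissertation. Shows (1) that a common shock makes
the tail of a pooled portfolio far heavier than loss independence would suggest
and (2) how a backstop with post-event surcharges sits above private capacity.
All policyholder data, probabilities and capacity figures are constructed.
"""
from __future__ import annotations
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Policyholder:
    name: str
    exposure: float   # loss if breached (constructed units)
    p_idio: float     # per-period idiosyncratic breach probability
    systemic: float   # probability of breach given a systemic event


def build_portfolio(n: int, rng: random.Random) -> list[Policyholder]:
    """Constructed book of business: varying exposures and varying dependency on the shared technology."""
    return [Policyholder(f"ph{i}", rng.uniform(0.5, 2.0), 0.03, rng.uniform(0.2, 0.9))
            for i in range(n)]


def simulate(portfolio, n_sims, p_sys, common_shock, rng) -> list[float]:
    """Aggregate portfolio loss per simulated period.

    common_shock=True: with probability p_sys a systemic event occurs and every
    policyholder is additionally exposed through its 'systemic' dependency.
    common_shock=False: independence counterfactual with the SAME marginal breach
    probability per policyholder, but no shared cause.
    """
    losses = []
    for _ in range(n_sims):
        shock = common_shock and rng.random() < p_sys
        total = 0.0
        for ph in portfolio:
            if common_shock:
                p = ph.p_idio if not shock else 1 - (1 - ph.p_idio) * (1 - ph.systemic)
            else:
                p = 1 - (1 - ph.p_idio) * (1 - p_sys * ph.systemic)
            if rng.random() < p:
                total += ph.exposure
        losses.append(total)
    return losses


def value_at_risk(losses: list[float], level: float = 0.99) -> float:
    """Empirical quantile of aggregate loss (the reserve needed at that confidence)."""
    s = sorted(losses)
    return s[min(len(s) - 1, int(level * len(s)))]


def layer(loss: float, private_capacity: float) -> tuple[float, float]:
    """Split a realised aggregate loss between private reserves and the backstop."""
    private = min(loss, private_capacity)
    return private, loss - private


def surcharges(portfolio, excess: float) -> dict[str, float]:
    """Assumed recoupment rule: allocate the backstop payout to policyholders
    pro rata to their expected loss in a systemic event (exposure x systemic)."""
    weights = {ph.name: ph.exposure * ph.systemic for ph in portfolio}
    total = sum(weights.values())
    return {name: excess * w / total for name, w in weights.items()}


def run(seed=7, n=100, n_sims=10_000, p_sys=0.02, private_capacity=20.0) -> dict:
    rng = random.Random(seed)
    portfolio = build_portfolio(n, rng)
    indep = simulate(portfolio, n_sims, p_sys, False, rng)
    shock = simulate(portfolio, n_sims, p_sys, True, rng)
    excess_shock = [layer(l, private_capacity)[1] for l in shock]
    excess_indep = [layer(l, private_capacity)[1] for l in indep]
    return {
        "mean_independent": sum(indep) / n_sims,
        "mean_common_shock": sum(shock) / n_sims,
        "var99_independent": value_at_risk(indep),
        "var99_common_shock": value_at_risk(shock),
        "p_exhaust_independent": sum(e > 0 for e in excess_indep) / n_sims,
        "p_exhaust_common_shock": sum(e > 0 for e in excess_shock) / n_sims,
        "expected_backstop_payout": sum(excess_shock) / n_sims,
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k:26s} {v:8.3f}")
    rng = random.Random(1)
    book = build_portfolio(5, rng)
    print(surcharges(book, 10.0))   # recoup a 10-unit backstop payout
```

The two models have the same expected loss; what differs is the shape of the tail. Under independence the 99th percentile sits a few units above the mean and private capacity of twenty units is essentially never breached, whereas under the common shock the 99th percentile is dominated by systemic periods and capacity is exhausted roughly whenever one occurs. The expected backstop payout is the actuarial cost the state layer would need to recoup, and the surcharge allocation shows one way of attaching that cost to the policyholders whose dependency on the shared technology drives the systemic loss.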
Regulatory standards prove most appropriate for critical infrastructure and sectors exhibiting strong externalities where voluntary approaches have demonstrated inadequacy. The evidence synthesised by Haber and Zarsky (2017) and Atkins and Lawson (2020) supports binding requirements with meaningful enforcement for these contexts. However, regulatory design must address concerns articulated by Hodgins (2024) regarding knowledge limitations, obsolescence risks, and innovation effects.
Liability frameworks offer mechanisms for aligning private and social optima through cost internalisation. Carefully scoped vendor and user liability, as analysed by Bellovin (2023) and Abrardi, Comino and Grassini (2025), can motivate security investments by parties best positioned to implement protections. However, practical challenges regarding attribution, causation, and defendant capacity require attention in framework design.
Achievement of research objectives
The analysis achieves the stated research objectives. The first objective—examining rationales for intervention applicable to cyber risk—has been addressed through analysis of externality, public goods, and systemic risk frameworks. The second objective—analysing insurance capabilities and limitations—has been fulfilled through discussion of correlation problems, attribution challenges, and market capacity constraints. The third objective—evaluating policy instruments—has been accomplished through examination of backstops, standards, and liability mechanisms. The fourth objective—assessing responsibilisation adequacy—has been met through engagement with the Renaud et al. critique. The fifth objective—synthesising findings into a coherent framework—emerges from the integrated analysis mapping risk characteristics to intervention mechanisms.
Conclusions
This dissertation has examined the conditions under which cyber risk warrants direct state intervention, establishing that governmental action becomes justified when risks exhibit systemic characteristics, threaten critical infrastructure, generate substantial externalities, or exceed private market capacity. The analysis synthesises economic, legal, and public policy scholarship to provide a principled framework for distinguishing circumstances requiring intervention from those appropriately addressed through private mechanisms.
The research demonstrates that purely voluntary or advisory governmental approaches prove inadequate for managing significant cyber risks. Private insurance markets, whilst exercising valuable private governance functions, confront fundamental limitations arising from loss correlation, attribution difficulties, and capacity constraints. These limitations do not eliminate insurance utility but establish that insurance functions most effectively within mixed governance frameworks incorporating public elements.
Three primary intervention mechanisms emerge from the analysis: financial backstops for catastrophic systemic risks, binding regulatory standards for critical infrastructure and high-externality sectors, and carefully scoped liability frameworks for aligning private with social optima. The appropriate policy mix remains context-dependent, varying with sectoral characteristics, risk profiles, and existing governance arrangements. Nevertheless, the contemporary threat landscape increasingly renders passive governmental approaches untenable.
The significance of these findings extends to ongoing policy debates across jurisdictions. As cyber threats intensify and digital dependencies deepen, governments worldwide confront decisions regarding intervention scope and modality. This dissertation provides an evidence-based foundation for such decisions, grounded in established theoretical frameworks and supported by empirical research findings.
Future research should address several limitations of the present analysis. Empirical investigation of intervention mechanism effectiveness across different contexts would strengthen the evidence base for policy design. Comparative analysis of emerging regulatory frameworks would illuminate effective governance approaches. Investigation of public perception and political feasibility dimensions would contribute to understanding implementation challenges. Additionally, research tracking cyber insurance market evolution following significant legislative or regulatory changes would enhance understanding of public-private governance interactions.
The boundary between private responsibility and public intervention in cybersecurity governance will continue evolving as threats develop and understanding advances. This dissertation contributes to that ongoing evolution by establishing principled criteria for determining when the risks pervading our digital world become matters for the state.
References
Abrardi, L., Comino, S. and Grassini, S. (2025) ‘The economics of cyber risk: a survey of the literature’, *Journal of Industrial and Business Economics*. Available at: https://doi.org/10.1007/s40812-025-00370-3
Atkins, S. and Lawson, C. (2020) ‘An Improvised Patchwork: Success and Failure in Cybersecurity Policy for Critical Infrastructure’, *Public Administration Review*, 81(5), pp. 847–861. Available at: https://doi.org/10.1111/puar.13322
Awiszus, K., Bell, Y., Lüttringhaus, J., Svindland, G., Voß, A. and Weber, S. (2023) ‘Building resilience in cybersecurity: An artificial lab approach’, *Journal of Risk and Insurance*, 90(4), pp. 1007–1041. Available at: https://doi.org/10.1111/jori.12450
Bellovin, S. (2023) ‘Is Cybersecurity Liability a Liability?’, *IEEE Security & Privacy*, 21(3), pp. 99–100. Available at: https://doi.org/10.1109/msec.2023.3273461
Greenberg, A. (2018) ‘The Untold Story of NotPetya, the Most Devastating Cyberattack in History’, *Wired*, 22 August. Available at: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ (Accessed: 15 January 2025).
Haber, E. and Zarsky, T. (2017) ‘Cybersecurity for Infrastructure: A Critical Analysis’, *Florida State University Law Review*, 44(2), pp. 515–578.
Herr, T. (2019) ‘Cyber insurance and private governance: The enforcement power of markets’, *Regulation & Governance*, 15(1), pp. 98–114. Available at: https://doi.org/10.1111/rego.12266
Hodgins, M. (2024) ‘The perils of cybersecurity regulation’, *The Review of Austrian Economics*. Available at: https://doi.org/10.1007/s11138-024-00660-4
Öğüt, H., Raghunathan, S. and Menon, N. (2011) ‘Cyber Security Risk Management: Public Policy Implications of Correlated Risk, Imperfect Ability to Prove Loss, and Observability of Self-Protection’, *Risk Analysis*, 31(3), pp. 497–512. Available at: https://doi.org/10.1111/j.1539-6924.2010.01478.x
Renaud, K., Flowerday, S., Warkentin, M., Cockshott, W. and Orgeron, C. (2018) ‘Is the responsibilization of the cyber security risk reasonable and judicious?’, *Computers & Security*, 78, pp. 198–211. Available at: https://doi.org/10.1016/j.cose.2018.06.006
Renaud, K., Orgeron, C., Warkentin, M. and French, P. (2020) ‘Cyber Security Responsibilization: An Evaluation of the Intervention Approaches Adopted by the Five Eyes Countries and China’, *Public Administration Review*, 80(5), pp. 777–787. Available at: https://doi.org/10.1111/puar.13210
Snyder, H. (2019) ‘Literature review as a research methodology: An overview and guidelines’, *Journal of Business Research*, 104, pp. 333–339.
Wolff, J. (2022) *Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks*. Cambridge, MA: MIT Press. Available at: https://doi.org/10.7551/mitpress/13665.001.0001