Regulating digital security by design? Implications of the perspectives from DSbD programme stakeholders

As part of the growing necessity for inter-organisational and multi-disciplinary interaction to facilitate complex innovation in digital security, there needs to be greater engagement with regulation in the innovation process. This is particularly true in the case of security technologies that are embedded within wider systems and that are largely invisible to most of the users of that system. This paper aims to describe stakeholders’ perspectives on regulation in the digital security innovation process and evaluates the implications of these perspectives on anticipatory regulation in digital security.

Using a qualitative methodology based on semi-structured expert interviews and ethnographic participant observation, the study draws on the authors’ involvement in a formally organised programme of academia–industry–government collaboration called Digital Security by Design (DSbD).

The study highlights a relational dimension to establishing regulatory responsibilities that is enabled through interdisciplinary dialogue. The study contributes to understanding the multifaceted roles of regulation in digital security innovation across organisations and areas of expertise. It does so by identifying four themes in how regulation is perceived in the DSbD programme: ethical imperative, adding value, adoption lever and passive compliance.

Incorporating regulatory responsibilities through dialogue early in the innovation process, rather than only once a security technology’s deleterious effects are noticeable, which could make digital innovation and transformation safer and better regulated. It can also make regulation successfully adopted, rather than an exercise in damage control or an adversarial process between regulators and organisations.

This paper presents original empirical research on how regulation is considered by stakeholders in a novel multi-disciplinary digital security innovation process. It then uses these findings as a basis to evaluate the implications for establishing regulatory responsibilities for a class of security technologies that are embedded within wider systems and that are largely invisible to most of the users of those wider systems.