Adaptive governance for the Internet of Things: Coping with emerging security risks. Irina Bass & Jesse Sowell (2020)

Key take aways:

Adaptive governance (dynamic regulatory governance mechanisms) integrates the benefits of centralised risk regulatory frameworks with the operational knowledge and mitigation mechanisms that are developed continually
It explicitly plans to incorporate new knowledge about emerging risk as it becomes available, so that underlying assumptions or standards can be reviewed and adjusted without assessing entire regulatory instruments or mechanisms, reducing the lag between new scientific and technical knowledge and updates of salient elements in regulatory requirements.
This is an essential mechanism for emerging technologies that have a range of unknown risks and unintended consequences associated with their adoption and use.

—

Emerging technologies, such as the IoT, present decision-makers with a familiar yet wicked challenge: how to harness the socio-economic benefits of rapid technological innovation while mitigating the risks and unintended consequences associated with their adoption and use.

This dilemma is especially acute when rapid technological advancements make it difficult to project all possible risks based on existing knowledge, giving rise to considerable uncertainty about how new technologies will be implemented, used and potentially misused.

As a dynamic sociotechnical system, the IoT comprises well-known cybersecurity risks and endemic uncertainties that arise as IoT adoption increases and the system evolves. - Ensuring governance mechanisms keep pace with dynamic, evolving IoT threats requires iterative feedback mechanisms for integrating new information about cybersecurity risk back into the design and codification of existing standards and regulatory requirements.

We propose a model of adaptive regulatory governance that integrates the benefits of centralized risk regulatory frameworks with the operational knowledge and mitigation mechanisms developed by epistemic communities that manage day-to-day Internet security.

This article proposes a model that expands the scope of regulatory governance to

(i) integrate more timely feedback from actors managing risks and uncertainties in complex sociotechnical systems on a day-to-day basis (Sowell 2019) and
(ii) develop strong, explicit commitments to adapting rules in order to address new threats and vulnerabilities as they are identified.

![Screenshot 2025-01-18 at 18.28.14.png](<https://prod-files-secure.s3.us-west-2.amazonaws.com/ad0cbaee-6892-47bf-8981-43fd59ade881/fb108036-be2a-4154-9280-8a9e7c475d06/Screenshot_2025-01-18_at_18.28.14.png>)

This article identifies three types of emerging responses to IoT security risks and evaluates them in terms of how effectively they plan for adaptations necessary to secure the IoT:

self-regulation
light-touch regulation, and
centralized risk regulation

Planned adaptive regulation literature focuses on how “to further characterize and/or reduce the uncertainties in the assumptions made in past decisions” (McCray et al. 2010, p. 958) based on new knowledge about how threats and new risks manifest in the system itself.