Abstract Cybersecurity in national and international security is frequently discussed in an existential register. However, most cybersecurity activities are normal and routine, including diverse practices of cyber risk management. The intricacies of cyber risk and its connection to security and threat politics have received surprisingly little attention in the cyber politics literature. This article addresses this gap through a twofold theoretical proposition. The first argues that cyber risk in policy and practice inhabits a continuum between ‘classical’ risk and security postures. The second proposes the existence of multiple risk logics, located at different points along this continuum. To illustrate this, we outline two distinct cyber risk logics: ‘risk as potential threats’ and ‘risk as uncertainty’. Through an exploratory case-study of cyber risk policy and guidance in the United Kingdom, we find indications of the simultaneous existence of these risk logics, including in specific organizational contexts. We propose that the ‘risk as potential threats’ logic, in particular, acts as a ‘bridge’ between conventional risk and security. We conclude by discussing how differentiating cyber risk logics facilitates a more finely grained appreciation of cybersecurity policy and practice and provides opportunities for disciplinary engagement with the organizational and institutional politics of cybersecurity and ‘the international’.
Read full abstract