Network governance in Sweden’s cybersecurity efforts– participation and power in policy forums

Network governance in Sweden’s cybersecurity efforts–

participation and power in policy forums

Author: Kajsa Colde

Department of Government

Master thesis in political science Autumn 2019 Word count: 18331

Supervisor: Daniel Nohrstedt

Abstract

This thesis aims to empirically describe the current network structure of forums and actors within the field of cybersecurity in Sweden. To discern and identify powerful actors and forums within the network. Also, the thesis studies the emergence of forums since the emergence and creation of forums previously have been neglected. Furthermore, it will describe collaboration opportunities between actors with different organizational types. For example, relationships taking place across different sectors, levels, and jurisdictions. A multimethod approach used to purposefully gather information about relevant actors through both online data collection as well as interviews with 17 actors in the network. Social Network Analysis and centrality measures used to provide an insight into the power structures in the network. The thesis finds that the question of how networks and forums emerge are still relatively difficult to answer since there is a wide variety of processes. There is little documentation regarding the initiative behind the forums.

Further, Sweden has a broad cybersecurity network with both public and private actors.

However, there has been little cross-sectoral and cross-level collaboration through these

forums. The observed power structures are also highly asymmetrical as there are a few

dominant forums and actors within the network that in turn, can dictate and influence policy

outcomes.

CONTENTS

1. Introduction ... 1

1.2 Research question ... 2

1.3 Outline ... 4

2. Case-study Context ... 4

3. Previous research ... 5

3.1 Collaborative governance ... 5

3.2 Security research on collaborative strategies ... 7

3.3 The state of cybersecurity ... 9

4. Theory ... 11

4.1 Institutional complexity ... 12

4.2 Policy networks ... 13

4.3 Policy forum processes and structure ... 14

4.4 Power structures in policy forums ... 16

5. Method ... 17

5.1 Case Selection ... 17

5.2 Social Network analysis ... 18

5.3 Data collection ... 21

5.3.1 Interviews ... 22

5.4 Constructing the dataset ... 23

5.5 Measures of centrality... 25

6. Analysis ... 26

6.1 Actors and forums ... 27

6.2 Emergence of forums ... 27

6.3 Collaboration across organizational types ... 29

6.4 Power structures ... 30

6.4.1 Degree centrality ... 30

6.4.2 Betweenness centrality ... 32

7. Discussion ... 34

8. Conclusion ... 37

References ... 39

Appendix ... 44

1

1. INTRODUCTION

Transnational issues and crises are discussed in terms of cooperation and collaboration. Many suggest that there is a need for a new form of a collaborative governance system in which actors across borders, jurisdiction and authority levels cooperate. The approach is especially prominent in environmental policies for dealing with so-called "wicked problems". Wicked problems have the assumption that collaboration and cooperation is the only effective and possible solution. There has been evidence that claim the opposite and that we should be cautious in using a collaborative governance structure as a cohesive approach to all wicked problems (Bodin, 2017).

Furthermore, asymmetrical power relations and power dynamics is an issue within collaboration and polycentrism. These power dynamics may influence the emergence of policy forums and collaborative efforts as well as the outcomes of such efforts (Morrison et al., 2019).

Hence, studying the power dynamics within a given network structure is crucial within public policy issues. The increasing institutional complexities have been a defining character in modern governance structures as our world is becoming increasingly dependent on networks for a functioning society (Lubell, 2013).

The rise in interconnectedness and automatization has improved the quality of life but also increased security risks. With the rapid development of technology and especially information technology, incidents can often strike the core of governance and governance ability. An increase in interconnectedness is changing our world. It has become the focus for scientists and researchers to understand the concept of governance to adapt it to the modern world. Since cybersecurity is an aspect of society that involves many actors, both public, private, and individual citizens, it is essential to increase civil security to be able to maintain the way of life created today.

When considering both the benefits and the risk with cyberspace in the governmental system,

a multi-level system may require more collaboration cross-level, jurisdictions and sectors. As

many securitization scholars suggest a crucial part of "solving" the problem of cybersecurity is

a collaboration (Boin, Rhinard and Ekengren, 2014, Pernice, 2018, Quigley and Roy, 2012,

Dalgaard-Nielsen, 2017). The ideal collaborative governance is focused on policy-making and

decision-making and the initiative behind it. It centres around the sharing of information on the

issue at hand and creating joint resolutions. While this is prominent and helpful in other fields,

it could be considered a risk in cybersecurity. The risks increase when information is shared

with a broader network. One example of such vulnerability is to release information on security

systems to unauthorized individuals. Carelessness is a reoccurring incident within private as

well as public actors in Sweden. Carelessness has resulted in disastrous consequences, for

example, the poor IT management at The Swedish Transport Agency that results in a leakage

of citizens’ personal information (DS 2018:6).

2

There is a clash between the ideal of collaborative governance, and the risks governance and networks could cause in the systems. This clash can create influences that, in turn, cause effects in the network system, influential actors manipulating the collaboration as an asset in one stakeholder’s interest. The research says that there is a need for collaboration on wicked problems such as cybersecurity. However, "freeriding" is a risk with collaboration since many of the actors want to maximize their profits. A risk is that actors do not comply with the agreed- upon arrangements and get away with it (Bodin, Sandström, Crona, 2016). Collaboration needs trust in others within the same network to be willing to reduce their profits for the common goal.

Further, risks do not only include the lack of trust within cybersecurity. There is information that has a high degree of secrecy which can affect the whole of society. Hence, there is a clash between the need for cooperation in collective action problems and the risks actors perceive when considering collaborating with other institutions.

Concerning the theoretical discussion on collaborative governance with its advantages and limitations, conducting a network analysis of the collaborative policy forums and institutions would be beneficial to analyse established forums. A lot of the research on networked governance and collaborative forums comes from environmentalist research (Lubell, 2013;

Bodin,2017; Berardo, Turner and Rice, 2019; McAllister et al.,2017). Environmental research often defines the issues as wicked problems that are transboundary, and inherently complex. It can also be prescribed to cybersecurity policies. However, theoretical studies concerning collaborative forums have neglected the initiative behind the forums and the process of starting a forum.

To study cybersecurity in this context is beneficial since there is a trade-off between the risks portrayed with information sharing and collaboration on issues that revolve around information based in high secrecy. This study will focus on the actors, the venues, and the participation of actors; however, previous research has had little focus on the actual emergence of the forums and networks.

1.2 RESEARCH QUESTION

This essay aims to empirically describe the current network structures of forums and actors within the field of cybersecurity in Sweden. Thus, the study will discern powerful actors and forums within the network as well as focus specifically on the emergence of forums and interactions among different types of organizations. The study seeks to answer the following four research questions.

Research question 1. What actors and forums are present within the network concerning cybersecurity strategies?

In order to outline the network within national cybersecurity strategies, one initial step is to

identify the actors and forums that are present. The European Union has declared it essential to

implement new processes concerning cybersecurity and Sweden has therefore implemented a

3

strategy that highlights collaboration as a critical feature in fulfilling this obligation (Dnr: 2019–

100). An online data collection and 17 interviews with professionals in the public sector have been used to seek the relevant actors and forums.

Research question 2. How do forums in Sweden’s cybersecurity network emerge?

The second research question highlights the emergence of forums within a network. The actors behind the forums and the initiatives behind them will be discovered.

Previous research has not yet paid attention to the emergence of forums, and the emergence of them can have a valuable impact on how the forum is structured (for example Fischer and Leifeld, 2015, Fischer and Maag, 2019, Scholz, Berardo and Kile, 2008). The study of origins of a network can contribute to an overall understanding of networks, including formal and informal rules that emerge in a forum.

Research question 3. To what extent do forums provide an opportunity for collaboration across organizational types?

The third research question is focused on the connection between different types of actors within the network, which actors are connected. This will provide the study with information about actors with different attributes. If forums provide venues for participants with different set attributes and interests, forums can facilitate and create an opportunity for participants to engage, thus, reduce unexpected transaction costs. Can we see any opportunities for collaboration between public and private actors, across levels of authority or sectors? The two- mode network (a two-mode network consists of two layers of actors on different levels) can visualize the forums in which different actors may collaborate and share information practices.

Further, the government and its institutions do not have a monopoly on cyber services, and many of our public services providers within these sectors are private actors. Hence, there might be a will to share information with the most crucial actors within the concerned sectors and areas.

Research question 4: Lastly, what power structures can be observed in the network?

The fourth question is aimed at the centrality of actors and to investigate the power structures in the network. Examining power structures is attractive, especially concerning the risks surrounding cybersecurity. While the theoretical fields are interdependent, there is a trade-off between the benefits and the contingent risks perceived by actors. Actors can act as "brokerage"

agents in which they tend to connect actors that otherwise would not have been presented with an opportunity to collaborate. Actors facilitate collaboration to balance the risks of collaboration with the benefits of it, some

The paper makes contributions to the theoretical discussion on collaborative governance and

policy forums’ evolution process. Empirical results map out the current state of cybersecurity

networks in Sweden with the use of Social Network Analysis (SNA). From that empirical

results conclude the powerful actors within the network and the trade-off risk hypothesis. If

there is a perceived risk that dominates this structure, a caution in collaboration should be

observed, and we should see less of it. If there is, on the other hand, a dominant perceived

4

benefit with collaboration that outweighs the risks, we should observe more collaboration in the network.

1.3 OUTLINE

This study will begin with an overview of the case-study context in Sweden with a short historical background of the regulations concerning cybersecurity. Secondly, previous research on collaborative governance will be presented, and some of the essential definitions of collaborative measures. Within the section, previous research, the study will consider research from the fields of collaborative governance, security research, and cybersecurity research. This section will provide a review of the current research position of the mentioned fields. The following section on theory contains a description of challenges surrounding institutional complexity as well as a framework of policy forums and the different processes within them and provide an account of the theoretical application.

Next, the thesis describes Sweden as a case and why Sweden is a compelling case to study in the context of cybersecurity. Following, a discussion of Social Network Analysis (SNA) as the method chosen, the data collection process and the interviews that followed. In addition, the construction of the dataset will be explained, and the utilized attributes followed by a description of the centrality measurements in SNA. The dataset compiled by the author contains actors during the time of collection; these are used in order to ascertain relevant actors. Also, study ties between actors and forums to establish structures of collaboration or the lack thereof.

The results will be presented next in an analysis section, divided up by each of the four research questions separately, followed by a discussion of the results and the analysis conducted in the previous section — lastly, a conclusion with a foundation in the results and the analysis section.

2. CASE-STUDY CONTEXT

Sweden has established a set of new national cybersecurity strategies that stems from the NIS- directive (2016/1148) that the European Union. The new strategies also stem from an internal investigation of what is necessary when handling valuable information in state agencies. For example, the Swedish National Audit Office (Riksrevisionen) did an investigation on information security processes at state agencies. The investigation is based upon the inadequacies that arose during another investigation between 2005-2007 of the internal guidelines on information security within several public agencies (RIR 2016:8). The recommendations based on this investigation included that there should be a central agency or function to facilitate and evolve the operational aspect of information security to get a comprehensive approach to management on information security.

An official governmental report was constructed with the motivation of the need for strategies

with an increase in digitization on several levels of society. The government highlighted joint

responsibility for all society to work together on the challenges ahead efficiently. Further, it is

5

noted that there is a need for increased cooperation between the public sector, private sector, and the business industry. The report specifies that we need to protect sensitive information, the quality of critical societal functions and critical infrastructure — these protective measures aimed at preserving the fundamental values of society. Statistics show a 949 % increase in cyber-related crimes between 2006 and 2015 (2016/17:213), which could interrupt societal functions. Noteworthy, collaboration between public and private actors are often noted as a primary solution. Private actors’ involvement is critical, considering the technological market is controlled by private actors who deliver many vital societal services.

Further, the report expresses a need for every actor to have a holistic view of information security in all levels of society. Since the aspect of security permeates different sectors and business areas, the report also contained six strategies that are aimed at assuring a collective effort within security. The strategies include; increase product safety, strengthen the ability to detect incidents and to promote knowledge and development within the society and in turn, be perceived as a collaborative partner internationally (2016/17:213).

Furthermore, the Swedish Contingency Agency has, as a complementary of the official report, developed an action plan that contains strategies to strengthen the overall cybersecurity in Sweden on behalf of the government. The action plan, like the report, expresses that cooperation is a prerequisite for Sweden to be adequately resilient towards cyberattacks and other serious IT-incidents. The plan is also considered a tool to be used in cooperation activities. However, the action plan and its strategies are still focused on the individual agency and institution which means that it is reliant on the singular initiative of each public agency to implement the strategies (MSB, 2019).

3. PREVIOUS RESEARCH

This section will provide an account of the research area of governance and the various kinds of definitions provided. It will also include research on collaborative governance and network governance as these theoretical fields highlight the need for cooperation between stakeholders in public policies. Furthermore, it includes a discussion on the current research on security policies to comprehend how security research use collaboration within their field. In addition, a detailed account of the state of cybersecurity and present research of cyber and security within the same context will be presented.

3.1 COLLABORATIVE GOVERNANCE

Collaborative governance has become a prominent and frequently used term within public administration. The definitions, however, are vague and varied between different scholars.

Governance has been traditionally associated with the government, power distribution and the

exercise of power (Kjaer, 2004). As the governance definition progressed during the 1980s, it

evolved to include more actors apart from government and entailing "…systems of rule at all

6

levels of human activity" (Rosenau, 1995, p.13) especially within global governance structures.

Governance theories often trace back to the definition of what governance is, Emerson, Nabatchi, and Balogh (2012) refers to the term governance as the "act of governing” (p.2), and this includes both public and private sectors. Rhodes (1996) argues that there are separate uses of governance; minimal state, cooperate governance, new public management, good governance, socio-cybernetic system, and lastly as self-organizing networks.

The self-organizing networks are prescribed as a network in which many private actors are involved in providing critical public services. These networks are constructed of organizations that need to exchange resources to achieve set objectives. Emerson, Nabatchi, and Balogh (2012) define collaborative governance as a used term that assigns value to the "processes and structures of public policy decision making” (p.2). This type of governance would also employ people across sectors, borders, and public-private boundaries. Collaborative governance stretches through many public and private actors. Since there is an issue (often public), that cannot be solved by either a public or a private actor alone; instead, there is a need for joint efforts (Ibid).

Ansell and Gash (2008) argue that the term governance is a complex concept in which it is difficult to establish a concrete yet exhaustive definition. These "new" definitions focus on networks that could be intergovernmental, inter-organizational, transnational, cross-sectoral and across levels of authority. They argue that the arranged collaborative network engages actors with “a decision making process that is formal, consensus-oriented, and deliberative” to solve the public issues at hand (Ibid, p.544). The authors have identified critical criteria for collaborative governance; a forum needs to be proposed by state actors, and some of the participants must be non-state actors.

Furthermore, all the participants are involved in the decision-making process, and the forum is organized and follow formalized rules. Lastly, the authors claim that the forum aims at consensus while it does not have to be achieved in practice and the focus of the forum or network has to be on some sort of public policy (Ibid, p. 545). The comprehensive ideal approach could be restrictive when limiting collaboration to derive from state agencies. This approach then disregards collaboration that is initiated by civic or private actors.

While collaborative governance has many criteria to be considered a collaboration, networked governance has a more comprehensive approach. It suggests that these networks are different constellations of actors, actors such as politicians, private firms, and social movements.

Noteworthy is that network governance is a form of governance and the actors involved must be able to exhibit their stake in a particular issue (Torfing, 2005). The reason for motivating collaborative governance is the potential of such a structure to adapt and transform within complex policy issues (Emerson, Nabatchi and Balogh, 2012). Modern governance is identified with institutional complexity, and many researchers suggest different kinds of collaborative governance as the solution.

However, there are situations when collaborative governance could be considered

disadvantageous. Lahat and Sher-Hadar (2019) concretize this discussion by exploring a three-

layer approach; the first layer is public values, the second layer consists of the context in which

7

decisions occur, and the third layer is the administrative culture as well as the policy issue and its complexities. Concerning the first layer of public values, there is a need for collaboration only when there is a lack of knowledge in the issue or with the application of it. Contrasting within the second layer, Lahat and Sher-Hadar (2019) argue that situations in which the issue at stake diverges on values and not the implementation collaboration may result in deadlock.

Furthermore, the third layer relies heavily on what kind of governance arrangements and traditional approaches a state has. The state must consult other actors and with a more pluralistic approach has a higher success level than those with previously more state-centred and authoritative governance styles. These considerations are beneficial when discussing collaborative governance and reflect on policy issues and the context of the case.

To address more complex policy issues, governments have increasingly been using networks in collaborative forms. The process of collaboration requires the public sector to work more closely with other public and private actors to achieve joint goals. However, managing these kinds of networks is not specifically for the public sector it also denotes the importance of networks as a form of "social co-ordination” (Rhodes 1996, p.659) and it is just as necessary within the private sectors. This kind of collaboration would entail higher levels of trust among the actors. It would also require that networks have a shared understanding that is based on shared objectives that are established through compromises and agreements (Ulibarri and Scott, 2017).

Problems within collaborative governance could occur in different stages, as mentioned above, a higher chance of success within a network relies on the configuration of relationships.

Coordination problems can arise if many of the actors are disconnected, and information sharing gets lost. Bridging network capital can solve this problem, in other words, connecting the disconnected actors or create ties that are outside of their group in which the actor has little to no contact with before. Collaboration problems arise when actors cannot agree on the outcomes or the policy issues underlying problems. These issues are solved by "bonding" network capital through a close-knit and robust structure. This structure is based on the created relationships that would result in the improvement of information about other parties within the group (Berardo, 2014).

To sum up the discussion on collaborative governance, it is crucial to understand the way in which modern governance structures are presented. The increased popularity of collaborative governance in public policy issues comes with many challenges, including the risks of collaboration with actors across sectors, levels, and jurisdictions. Noteworthy, this presentation of previous research considers collaboration being the "one size, fits all" solution to any wicked problem occurring in society. This preferential treatment towards collaboration should be carefully considered, especially when it involves security issues as cybersecurity that involve risks if cooperation is unsuccessful.

3.2 SECURITY RESEARCH ON COLLABORATIVE STRATEGIES

The security research focuses on the defence of the nation or protection of the public system as

well as the strategies involving military defence. Researchers are also focused on the

8

networking aspect of collaboration, meaning that many promote collaboration and cooperation within military operations as well as within national security. The complexities of cybersecurity have been a hot topic. However, these complex strategies and ways of practice are challenging to uncover. Many of the researchers focus on one area within communication, technology, or managerial aspects, but the overall picture of cybersecurity and recommendations for practices comes from securitization theory.

Securitization theorists focus on military practices and political strategies for security incidents, the fundamental focus is on the securitization actor, i.e. the role of nation-states within the arena. The following paragraphs are based on a literature review conducted by the author in the subject of cybersecurity research in spring 2019. Weber and Sperling (2016) suggest a new strand of collective securitization that distinguishes itself from the suggested state-centric approach. The perspective involves a more iterative approach to processes than just a leading security actor. The perspective, in turn, can be seen as a suggestion of collaborative governance (Dunn Cavelty and Balzacq (2016).

Dunn Cavelty and Balzacq (2016) explain that issues with cybersecurity within securitization theory are through its complexity. Cybersecurity is inherently multifaceted. Actors implement different sets of political and societal notions of security since they use different threat representations and definitions. It is also a co-production of every private computer user, programmers, security consultants, computer organizations, etc. which makes it challenging to adhere to a securitization practice that has been accepted. Hence, the previous concepts within securitization could be deemed ineffective and obsolete. Dunn Cavelty and Balzacq (2016) introduces actor-networks as a new aspect within securitization theory. They argue that this new strand of literature can highlight the link between cyber-incidents and their effects.

Cyber-incidents often threaten the sovereignty of actors involved by moving spatially through hardware and software and across borders and sectors alike. Thus, cyber-incidents shape the political threat representation and most policy amendments or political strategies framed through a reactive position. Hence, the authors state that an actor-network theory will enable collaboration between technological advances (the hardware) and human strategies (Ibid).

However, no empirical evidence gathered, and there is only a small strand of theorists that investigates how the structures should be transformed.

Not only is there an inherent complexity problem within cybersecurity, but collaborative

governance research also highlights contingent risks with collaboration. Alliances, explained

by Masala (2010), is a mean to establish cooperation among states. Like collaborative

governance, the actors only enter an alliance if there are any interest or expectation of a

rewarding exchange. While there are complex dynamics within alliances and the connection of

a high degree of institutionalization and conflicts among members, there is still confusion about

the survival and flexibility of alliances (Masala, 2010). Security research has focused on

collaborative governance in many different theoretical fields. For example, Berardo, Turner,

and Rice (2019) discussed coordination and collaboration in harmful algal blooming, Nohrstedt

(2018) discussed collaborative forums on weather warnings, and McAllister et al. (2017)

focuses their research on plant pest and biosecurity. Noteworthy, within security research, there

9

is a large community studying the effects of collaborative governance structures. It is, therefore, a solution to the many "wicked problems" that arose in security policies.

3.3 THE STATE OF CYBERSECURITY

To fully grasp the complexity of cybersecurity, a brief introduction to the current research on the subject is beneficial. This next paragraph is based on the authors’ work in a literature review in Spring 2019 on the subject. The concept of cybersecurity arrived in the post-cold war era in response to new technological innovations and the changing climate of geographical conditions (Hansen and Nissenbaum, 2009). Defining cybersecurity and cyberspace has been a subject of popular literature and academic literature that has viewed the concept through a particular lens.

The term cybersecurity is not easily defined, many definitions contain different elements, and the term is subjective and dependent on context (Craigen, Diakun-Thibault and Purse, 2014).

Cybersecurity has become essential for civil society. We have seen a rise in theoretical perspectives on security issues. Critical infrastructures are increasingly vulnerable to new threats and attacks, which has been a concern among security scholars. Threats that can affect public and national safety quicker and lasts for longer than we have seen before (Vasilescu, 2012). We have seen examples of these types of crises where electronic infrastructure, governmental functions, and private enterprises were attacked. In Estonia, in April 2007, an attack was launched that affected the country profoundly with a diminished water supply and no access to telephones or the internet (Ruus, 2008). This attack was devastating to the public and private enterprises as well as national security. This is a typical crisis that countries are generally not prepared for and can create chaos within days.

Cyber-threats cannot only originate from a foreign entity or governmental opponent.

Mismanagement of crucial information that is stored in an IT environment can have a devastating effect on public opinion and trust towards a governmental institution. In a Swedish context, The Swedish Transport Agency made important decisions about crucial information that in turn leaked to unauthorized personnel. The discovery of the poor IT management at The Swedish Transport Agency created a discussion throughout the governmental branches about how vital information should be handled and protected (DS 2018:6). The internal investigation and the new European directive (2016/1148) concerning measures for a high standard level of security of network and information systems (NIS - directive) evoked the Swedish authority to consider the national safety regarding cyber incidents and exposures. Since many private actors are involved in providing communicational and technological services to the public, it is interesting to investigate the collaboration between both the private and public actors involved.

However, establishing practices that involve the public as well as private actors concerning

"wicked problems" that expand across several sectors and hierarchical levels have been proven

almost impossible in hierarchical governmental settings. Many theorists suggest a more

collaborative approach towards cybersecurity and risk management even though this could be

problematic since there are specific vulnerabilities towards sharing infrastructures and

procedures with more actors than there is to share them in a closed setting. Fortunately, Sweden

10

has not experienced a crisis such as the attack on Estonia, but with the electronic transition, a similar incident is more likely in the future.

Since cyberspace is a contested concept, it is no surprise that cybersecurity is debated not only among social scientists but also looked at from a technological perspective. It is often used as a catch-all concept (von Solms and van Niekerk, 2013). Among security scholars, the concept of "security" is also contested, and there is no broad definition. However, in some discourses, it is suggested that it includes who securitizes, from what issues or threat and whom it is supposed to protect. Craigen, Diakun-Thibault and, Purse (2014) discuss definitions that are important for the debate and differ to understand the broad-spectrum cybersecurity encompasses. The oxford university press expresses cybersecurity as "The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this” (Ibid, p.15).

Furthermore, within security, it is fundamental to understand that cybersecurity is not only a concern of the individual state; it is also a concern for organizations and the public as a whole.

Thus, cybersecurity and the strategies suggested need to consider both the micro and macro levels. There is a wide variety of cyber-attacks or incidents, some may affect a smaller part of a private IT system, and some may affect critical infrastructures. Therefore, there are more aspects to consider, and distinctions of external and internal policies have lost its meaning (Pernice, 2018).

Both security and cyber are contested subjects, the organizations and the nation-states all include or exclude different wordings, practices, or networks. Even though cybersecurity has been discussed for several years and is a part of the overall security spectrum, research achievements on the evolving nature of cyberspace, cybercrime and cyber warfare have made it almost impossible to narrow down towards a definition. While many securitization scholars have used the cyber domain as a topic to be a separate sector within security policies, critique regarding the over-securitization and comparison with historical events are considered to be outdated (Schmidt,2014).

Jasper and Wirtz (2017) argue that information sharing in the digital age is a fundamental action to reduce the risks with an informed decision about the actual threats. The authors explain that a network of organizations has been created with both public and private sectors for information sharing. Furthermore, Jasper and Wirtz (2017) emphasize the benefits of international cooperation as well as collaboration within the national cybersecurity strategy. This cooperation is between nation-states would include enforcing cyber-crime laws and develop policy documents internationally.

As with the securitization scholars, many of the researchers with insight in both the cyber

domain and security policies concerning cyberspace promote a more collaborative effort, both

internally and externally. A report from OECD has shared the strategies of cybersecurity often

include coordination and cooperation between public and private organisations. Noteworthy is

the enhanced coordination between the policy decisions, and at the operational levels. Hence,

there is a need for intergovernmental cooperation, and no single agency can have a

comprehensive understanding of the issues (Ibid).

11

Cybersecurity can be characterized as a "wicked problem". The characteristics of a wicked problem include that the problem is unique, and there is no exhaustive definition. It is often considered a symptom of another problem and has no definitive solution, and there is often little patience for experiments (Head and Alford, 2015). Within the discussion about wicked problems, it is discussed that the hierarchical forms of public policy and administration are not equipped to deal with them. However, there have also been discussions about the collaboration aspect of not being the single solution to a wicked problem. In order to successfully manage a problem, there is a need for a broader view of the problem and new models of leadership, according to Head and Alford (2015).

Further, Weber and Khademian (2008) discuss the importance of networks to solve wicked problems. With the government as a prominent actor within the network and capacity building strategies. The issue of cybersecurity is, however, not an ordinary wicked problem and brings new risks other issues might not. Oversharing of information or informational leakage can create crucial problems for the societal functions, and therefore there is an inherent risk of collaborative actions. As the individual and public are encouraged to take caution when it comes to information sharing the same applies to the public, private and civic organizations.

4. THEORY

This section will provide a short account of institutional complexity, what policy forums are, and how they emerge. This is important to understand the forums and why they are present in this context of cybersecurity networks in Sweden. Furthermore, several processes of policy forums will be explained, and the different constellations that can occur within a forum. Forums may be initiated and constructed in several ways from a bottom-up structure to a top-down structure. Hence, it is necessary to consider the complexity of the issues and to clarify the emergence of forums. In addition, the section will conclude with a discussion of power structures within collaborative strategies.

Collaborative governance is a contested subject among scholars, and the definitions are not universal. In the Swedish case, the study will not only focus on networks or forums that have been deliberately started by public actors. It will also include forums that have emerged through a private actor and then involve public actors. The reason for including private actors’ efforts is that the private actors are a big part of providing cybersecurity to the public as well as to the public agencies themselves. To not include private actors as the primary coordinator would exclude many forums that can potentially be a centre for many of the important actors observed.

The issue of institutional complexity is prevalent in the case of cybersecurity and Sweden based on the fragmented governance structure with a highly decentralized authority.

While collaborative governance may have several connotations within the framework of this

study, the forums only facilitate an opportunity for collaboration. Hence, the actual

collaboration process is not investigated. Partly because of the difficulty gathering data about

12

the process within a forum and partly because the study is trying to uncover the more descriptive part of how the network of cybersecurity in Sweden are organized.

4.1 INSTITUTIONAL COMPLEXITY

According to Lubell (2013), the updated and revived framework of the ecology of games has a reliable explanatory power concerning cases of environmental policy. The core of the ecology of games is that it involves multiple stakeholders within a geographically defined area in which actors collaborate within a policy institution (Lubell, 2013, p.2). The ecology of games develops a complex system of multiple outcomes and outputs that would converge and be used as a function of the decision-making process.

The framework has been previously denoted as a theory of polycentric governance. However, Lubell (2013) argues that this is a simplification and that the framework aims to create a working hypothesis in institutional complexity that could be empirically tested. It, therefore, strives to go beyond the normative focus of other theories. The framework further identifies three core concepts of governance; cooperation, distribution, and learning. The author argues that this perspective would go beyond previous research and theories that heavily focuses on efficiency. Lubell (2013) explains that the framework involves main concepts of different policy issues, policy actors, policy games and policy arenas. The policy issue concept requires that there is some type of collective action problem that affects the policy actors. Lastly, the policy arenas are the territories in which the games would exist, and they can encompass several issues, games, and actors simultaneously.

The ecology of games assumes that actors prefer one or more actions when cooperating with others, but only if the other actors are engaged and prefer cooperation. The framework also suggests that an actor may protect their own interests in the policy issue and therefore seek change within the system. This would benefit the powerful actor but decrease the overall efficiency of the system (Lubell,2013). Ostrom (1990) suggests that when stakeholders share a resource pool, in other words, if multiple stakeholders within a public issue collectively share resources equally, this will result in more efficient cooperation and create trust. Lubell (2013) also assumes that the institutions would act more efficiently if the strategies facing a public issue is perceived as fair by enough actors. The institution is more likely to survive if this is the case.

Furthermore, Ostrom (1990), addresses the rules within institutions. There are layers of rules and norms at various levels of cooperative institutions. Hence, it is difficult to change the structure of the institution, without contributing to the uncertainty that actors involved will face in the situation.

The ecology of games brings forth an explanation concerning modern governance structure and

institutional complexity in which actors involved consist of many different organizational

types; thus, it has a wide array of stakeholder’s interests. This complex structure within

governance makes it interesting to observe what kind of organizational types are present within

13

a network structure. As society is characterized by institutional complexity, it is beneficial to observe what challenges it brings.

4.2 POLICY NETWORKS

Policy networks describe the workings of policy systems and observe the relationships of exchanges and political coordination. While there are several promises of collaborative institutions and networks, there is still uncertainty whether these processes promote or increase collaboration in specific issues (Henry, 2011). After World War two, there was an increase in institutional complexity within governmental structures. This led to the idea of a more collaborative policy approach in which actors that shared the same interests were involved in a policymaking process (Osborne, 2010).

The concept of policy networks is contested and difficult to operationalize since it varies between researchers and theoretical fields of studies (Ibid). Some have argued about the lack of influence a policy forum brings, while others believe that the influence of the policy networks is substantial and real. However, despite this belief, policy networks have indeed emerged within governance and spread out across sectors and jurisdictions (Ibid). The policy network approach assumes that the policy process and decision-making process takes place within a more extensive network of interdependent actors (Klijn and Koppenjan, 2000).

As mentioned earlier, policy networks or forums are contested by scholars who have resulted in research that is heavily focused on the terminology of a policy network including its defining characteristics as well as the impact they may have (Kapucu, Hu, Khosa, 2017). The ambiguity of the concept can create problems as researchers use it without agreeing on a universal definition. Therefore, it is essential to include a definition of what policy forums or networks entail and what characteristics they possess as well as the origin of the forum (Osborne, 2010).

The collaborative form of governance through policy networks are perceived as an alternative form of collaboration that is seen as theoretically influenced and idealistic (Ibid). A policy forum in this context will be defined as an "interorganizational collaboration arrangements"

consisting of actors who connect via those arrangements. These arrangements are focused on achieving goals that otherwise would not be possible through a single organization (Kapucu, Hu, Khosa, 2017, p.4). Further, while there might be a slight difference in defining a forum in public administration, what can be agreed to is that the majority of these arrangements are focused on achieving policy goals.

When identifying policy forums, researchers have identified three components in the triangle

as stakeholders (private organizations), committees of some form, and an agency with executive

power. This is characterized as the iron triangle; this triangle is seen to be a safe and secure

arrangement with some decision-making abilities (Osborne, 2010, pp.353-354). The concept of

iron triangles was used to simplify complex organizational or institutional arrangements and

structures but if the concept would be helpful and fit in "the real world" is still questionable

(Ibid, pp.353-354).

14

Furthermore, policy forums can be identified as a stable entity, which would include stability over time and an organizational structure in which interaction often entails sharing or exchanging resources like knowledge or information about the policy issues. However, the forums do not have to pursue a specific issue but can focus on a broader spectrum that includes a specific policy issue. The forums can also be active participants in more than policymaking and decision-making; they can deal with other stages of the cycle of policies such as implementation or formulation (Fischer and Leifeld, 2015).

A strong assumption within policy networks is that the stakeholders or actors involved are dependent on each other. The actors cannot achieve their goals on their own and require resources or information from other actors. Henry (2011), on the other hand, explains the networks as individuals who try to influence policy outcomes within the set of a forum and start working together in a defined policy area. However, this area must be defined.

Within a stable and robust network, several interactions occur around the policy and other issues that may emerge. These interactions can be considered a game and the result of their actions would establish their positions within the network; hence their ability as players (Klijn and Koppenjan, 2000, pp. 139-140). Klijn and Koppenjan (2000) describe that the public institutions are generally not seen as the main player within policy forums; hence there is no real hierarchical structure within these forums (Ibid, pp.139-140). The authors suggest that while governments might not be a dominant actor, this does not entail that they are treated as other actors since they have a particular position with a unique type of resources.

While public actors have positions that might be viewed as an advantage point, the public actors also have many limitations to their possibilities to use these positions, especially in regard to surrounding norms and values. Furthermore, the authors describe four viable options for the government to choose when offered a policy network; not join, cooperate with other public and private actors, function as a process coordinator or facilitate network building strategies (Ibid).

To sum up this section, the definition of a policy forum in this context of cybersecurity will be broad and accept many different types of forums. As mentioned above, a policy forum will be included if it is a forum that allows for collaboration across organizations. However, there will be no limitation to which types of organizations or the initiator of those policy forums. The sections aim is to comprehend the importance of interdependence and trust among actors for a policy forum to function.

4.3 POLICY FORUM PROCESSES AND STRUCTURE

Current research differs on how forums should be constructed, Fischer and Leifeld (2015) argue that their definition would entail forums being created in a bottom-up manner. Moreover, this could be done by any actor with interest in the issue, and that other actor is invited to join but free to choose involvement or not.

Klijn and Koppenjan (2000) do not prescribe any creation presumptions about networks or that

it is preferable in a more top-down structure or a bottom-up structure. Hence, the network policy

15

approach would entail both bottom-up structures as well as top-down structures. There are, however, three distinct forms of forums that can be observed. The first one is that organizations comprise the network or in this case forum. The management of those organizations is also the member organizations themselves. Hence, there is a highly decentralized network in which all organizations interact. This type is called participant-governed networks and rely on the commitment of all participants in order to function. Secondly, there could be forums that are highly centralized and managed by one organization or broker. These forums are formed when shared governance is not preferable either because of its inefficiencies or the need for a centralized actor.

Through the lead organization, all activities are planned and coordinated by a member of the forum. The network itself might appoint these leaders in order to keep the network efficient.

Thirdly, networked governance entails an entirely separate administrative unit that is organized and plays a vital role within the forum. Unlike the lead-organization forum, the administrative unit is externally organized through a mandate from the forum members (Provan and Kenis, 2008).

As discussed in this section, collaborative governance research focuses mainly on the effects of networks and collaboration (Lubell, Henry, and McCoy,2010) or the actual structure of the collaboration. It considers the structure of the forum and the collaboration process (Lubell and Hamilton, 2018). It also focuses on the complex set of actors that may be included in such networks as discussed in the section on policy forums and networks. However, little focus is placed on how a policy forum emerged in the first place.

This study focuses on observing policy forums that are structured bottom-up and top-down.

The reason for this is that many of the forums created within cybersecurity have many state agencies included, and they also have a dominant or coordinating role within the network. Even though collaborative governance research and especially network research focuses on environmental policies, one could argue that both environmental policies and cyber policies are complex issues. Issues that are increasingly cross-sectoral and in turn, are handled with collaborative actions.

The creation or initiation of a policy forum can be described as an activation stage in the lifecycle of network governance (Imperial et al., 2016, p. 137). This stage is the most crucial in the development of a policy forum since it establishes the informal and formal structures within the network itself. During this stage, the focus is on building relationships between actors instead of focusing on the goals. Since the individual goals may also be difficult to distinguish from the forum’s goals, further, participants may come and go while deciding whether the forum has relevant objectives and if the participant can accept the interdependence between group members (Ibid). Hence, the start of a policy forum is turbulent and unstable, which creates a forum vulnerable to changes as the involved actors search for processes that are appropriate in this context.

The start of a policy forum is crucial to understand the rules in the forum and what is essential

for policy forum processes. As discussed above, there are three main structures of policy forums

and to understand which one is applicable for each case, it is crucial to study the emergence of

16

the forum itself and the outcomes produced. For example, participant-governed forums rely on the participation of all members and the distribution of power are, therefore, decentralized and lacks a general leadership model. This type of forum is often found within healthcare since networks can help build a more holistic view of these types of services (Provan and Kenis, 2008). Different types of forums will be crucial when observing the initiation of a policy forum as well as the informal and formal rules that come with the creation of a forum.

4.4 POWER STRUCTURES IN POLICY FORUMS

Governance structures contain power dynamics that commonly create a beneficial outcome for one influential, powerful actor. Hence equality between them is rare (Morrison et al., 2019).

Within collaborative governance, power as a concept is characterized by researchers as blurred and divided by interdependence between actors as well non-transparency in the sense of no formal hierarchical power (Ran and Qi, 2018). The authors argue that power-sharing is necessary for effective collaboration as the formal hierarchies are denied within networks. The lack of power-sharing tendencies can cause various challenges for the actors within a network that could affect the bonding and bridging capabilities. These challenges could result in disagreement of the factual properties of a policy hence discourage consensus-building (Lahat and Sher-Hadar, 2019). Power-sharing, on the other hand, is a costly process as well as time- consuming since it involves trust-building and often has to occur during a more extended period. This counteracts the significant benefit of collaboration as efficient. However, analysing collaborative power structures can be complicated as the settings are changing the processes and structures. In addition, collaborative participants can interchange quickly.

Purdy and Jones (2012) argue for three sources of power; Authority, resources, and legitimacy.

Authority is the perceived right for an actor to contribute to decision-making processes or exercise judgment upon it or take appropriate action. Within a collaborative process, an actor with authority may share that with other participants. For example, if consensus has been reached about an issue, the authoritative actor may enforce the recommendation rather than take it under consideration. Resource-based power can come in terms of financial abilities, knowledge, or resources in terms of people or technology. In collaborative structures, the relational aspect is just as important as financial resources.

Nevertheless, financial resources are observed as more powerful resource-based power, and actors positioned with other resources such as knowledge or people might be overlooked (Purdy and Jones, 2012). Legitimacy might be related to an actor to represent a discourse or a societally important issue and can speak on behalf of the public. However, this is more plausible if the issue is widespread and shared by others in the public sphere. The shifting power imbalance within collaborative processes have also been discussed and is a weakness in collaborative governance. Power discrepancies affect cooperation in terms of the trust, participation, influence, and representation of "weaker" organizations.

Some actors have a status within the specific policy that may interest other participants in joining the forum. Governmental actors often possess this power and can raise crucial questions.

However, governmental actors, therefore, create a more critical role for themselves as the

17

initiator. This can, in turn, implicate their role as an "ordinary" actor within the process. Further, actors who have less power in terms of resources or influence might be overlooked and dominated by the actors who seemingly have more influence and higher status whether it might be in terms of recourses or legitimacy (Purdy and Jones, 2012).

Further, a position of power within a network can amount to an actor’s position of power in terms of connections within the network. These can be called brokers or key agents, and they can have a crucial impact on the outcomes of a policy process because they have strategical positions within the network (Christopoulos and Ingold, 2014, pp.477-478). These actors can promote solutions or processes that can work as a combining structure. Hence, the actors can function as a conciliatory agent. (Ibid). The different types of power and power structures are crucial when examining power in a network.

1. METHOD

The method section will contain an overview of the methods used in the study as well as a more in-depth description of the measurements used. Firstly, Sweden, as a case, is discussed and how it fits into the field of cybersecurity. Further, SNA will be explained and how one can use SNA in a study as well as a discussion about why it is being used in this particular case. Online data collection will be discussed and how the author carried out the data collection process.

Following, a presentation about the 17 interviews presented as a complement to the online data collection process. A brief description of the construction of the dataset will follow with a discussion of the attributes. Also, a detailed account and explanation surrounding the measurements used to conduct the SNA and what these measurements are expected to clarify.

5.1 CASE SELECTION

After the NIS-directive (2016/1148) at the EU level, Sweden has implemented a new set of legal frameworks that are supposed to enhance the overall risk reduction and risk management when it comes to cyber-threats. Furthermore, Sweden has a decentralized governmental structure, which makes the network and collaborative governance theories interesting. This decentralized governmental structure increases modern governance structures to emerge. The collaborative setting is, therefore, useful since decentralization requires cooperation between authority levels and civil society.

Sweden’s open and democratic stance with many international ties also opens up for

vulnerability and various kinds of threats, including cyber-threats. With an increase in

standardization on information exchange within the public sector after several investigations,

Sweden is an interesting case towards observing the information exchange and the collaboration

(DIGG DNR: 2019-100). After the introduction of the NIS-directive and the implementation of

new cybersecurity strategies focus has shifted towards a more collaborative process, the

authorities encourage it to work collaboratively.

18

Sweden is a compelling case concerning its governmental structure, which is highly decentralized, meaning many responsibilities are appointed to the local and regional authorities.

The differences throughout the nation are, therefore, many. There has also been a need for conformity as a result of those differences. The decentralization in Sweden can cause discrepancies in the handling of information and cybersecurity practices, while there are guidelines regarding these processes; there are differences in how they are perceived and interpreted by different actors. Hence, there is an apparent need for collaboration in cybersecurity, especially since there have been incidents of severe IT-incidents. Mainly those incidents have been about the mishandling of information about security. However, even though there is a framework for the agencies to use, it has not been a part of actor processes when incidents occur. Also, collaboration is deeply rooted in Sweden’s political settings with a long tradition of consensualism in policy-making processes.

Why study cybersecurity as a case within network analysis? Collaborative governance refers to

"wicked problems" and collaboration as a solution to these problems. Hence, there is an interest in studying cybersecurity as a wicked problem outside of the environmental policy domain that previously dominated the research. Another compelling argument for studying cybersecurity is the trade-off between the risks of sharing crucial information that could be threatening to the overall societal function and the apparent benefits of cooperation.

Benefits of collaboration in cybersecurity include reduced costs and information sharing connections between actors since a single actor cannot solve this issue. It is essential to collaborate in cybersecurity. Within collaborative governance, as stated above, it is often expected that networks improve the quality of the decision-making process as well as improve the interpersonal exchanges when developing relationships. As cybersecurity is a relatively new and emergent issue within security politics and scholars studying cybersecurity, there has been a shift from a state-centric approach towards a collective approach (Eriksson and Rhinard, 2009).

While there has been a transformation from a more state-centric approach towards collaboration, researchers focus on collaboration as the holistic solution to every transnational problem. There seem to exist a trust that collaboration can fix all given the right tools. The issue of cybersecurity is multifaceted and complex, which makes it inherently difficult for a single actor to approach the issue with efficient solutions. While many private organizations have been working with cybersecurity for a longer time, public actors are still relatively new to the idea.

Hence, sharing and exchanging information could, therefore, be a solution. Collaborative network structures and forums in which the issues can be discussed has been the focus within cybersecurity lately and also within the security studies and the case of Sweden.

5.2 SOCIAL NETWORK ANALYSIS

Social Network Analysis (SNA) is the study of the relational ties between organizations or

people. Within SNA, there is a possibility to analyse different relationships and dynamics

19

between them as well as their interactions. Networks are then illustrated within the analysis often concerning collaboration, cooperation or the different relationships between nodes that are involved in a specific policy issue or process (Kapucu, Hu and Khosa 2017). SNA can be understood as a pattern of relationships among actors, and this can reveal the structure in which our social, political, or economic behaviour evolve (Ward, Stovel, and Sacks, 2011).

A social network consists of both nodes and ties: nodes or also called here, the actors or forums, within a network represent individuals, groups, organizations, etc. Ties visualize the relationship between them. These ties can indicate a variety of different things, all from communication to information exchange or friendships between the nodes. These relationships can be either formal, informal, or based on already established personal relationships. The relationships, in turn, establish different kinds of networks such as information exchange networks, resource exchange networks or formal coordination networks. The ties within a network can be examined directed or undirected. A directed tie represents how information flows from one node to another. The ties in the current research case would, therefore, be undirected as it does not include any flow of information data or any exchanges of resources data (Lazer 2011).

Network data could be in a one-mode structure or a two-mode structure. The one-mode data are data on only a particular set of nodes, for example, ties between equal social actors such as states and observe the relationships between them. The two-mode data consist of two layers of nodes such as organizations and the members of the organization. In this type of structure actors of the same type usually do not have a tie or relationship between them, the only tie is between organization and people. This typically means a connection of one node to another node of a different type (Robins, 2015).

This research is based on a two-mode dataset or a bipartite network. A two-mode network shows policy actors and their attachment to a policy institution or organization. Actors are tied to some forums that handle issues of cybersecurity either as the main issue or sub-question.

Therefore, the dataset does not consist of direct ties between actors but the indirect ties between

them through the facilitation of forums.

20

Picture 1. Simple visualization of how a part of Sweden’s cybersecurity network is constructed with indirect ties.

Noteworthy, the data presented are a snapshot of the current network structure. Networks often change through time, and different actors may emerge during different times. Thus, there is an assumption of missing data as networks are generally dynamic through time. SNA can show a broad characterization of a network structure. It can be of interest to observe how dense a network is at the network level; this allows for an analysis that shows how clustered a network is and if there could be signs of hierarchy within the network. Furthermore, interests at the individual level consist of observing individual nodes and how close or connected they are to others within the same structure, whether it is a central actor or at the peripherals (Ward, Stovel, Sacks, 2011).

The reason for choosing SNA as the methodological approach is that it facilitates an understanding of the relational ties within a network in ways other methods are not able too. In addition, the data collection consisted only of publicly available material since the cybersecurity issue is surrounded by secrecy and the actors’ unwillingness to share information. Hence, concluding the available material with SNA through the material alleviates the conclusions that can be deduced from this material and the prerequisites for cooperation. The method clarifies and visualizes the network structure which simplifies the analytical process.

With an additional discussion of centrality, we can determine specific actors that may or may

not be influential in the network. Do these actors have the power to either influence decision-

21

making processes or influence other actors’ decisions and actions? So instead of focusing on one individual actor, the focus has shifted towards a perspective of ties between actors.

Focusing on only one level of the system in (e.g. only one actor in a network) the explanations are often insufficient. There is a need to uncover the interdependencies among actors. When observing interdependencies in the network, there is a possibility to get a complete overview of the network.

5.3 DATA COLLECTION

Cybersecurity information is often protected through a high level of secrecy whether it is through private companies or public agencies hence observing the network and identifying the important actors and forums is difficult. Further, cybersecurity also contains a complex mix of different actors and forums. Actors and forums from different levels that exist in the different sectors of society and through many jurisdictions. Collecting the relevant data was, therefore, a challenge and required collection through many different online sources.

The data collection process started with Sweden’s national security strategies (Riksdagens skrivelse 2016/17:213, p.11-12) in which some of the forums are specified. In the governmental report (2016/17:213), nine of the forums were found and included in the empirical dataset.

Furthermore, a search on the website of the Swedish Civil Contingencies Agency (MSB) with the key phrases “Cybersecurity” and “forums”, this generated some more information about the already found forums in the governmental report such as FIDI-Drift, FIDI-Telekom, FIDI- Finans, and FIDI-SCADA. These forums were initiated by MSB and involve different actors within the same sector. On the institution of “Sweden’s municipalities and counties”

webpage, a collective framework for digital cooperation (eSAM) was found between public actors to improve the cybersecurity standards within the public sector. After finding the relevant forums on the national level, the collection process continued with forums and actors on the regional level.

Figure 1. The figure of the data collection process.

A search through all the 21 regions websites in Sweden to find collaborative initiatives regarding cybersecurity or information security was conducted. The search method used was to individually search through documents on the region’s webpage with the keywords; “cyber”,

“information security”, “data security”, “network security”, “IT security” or “collaboration”,

“forum”, “cooperation” and “digitizing”

. This generated some documents that stated the counties work with internal information security as well as protection of classified information.

1 Sveriges kommuner och landsting

2 Search words in original: “informationssäkerhet”, “datasäkerhet”, “nätverkssäkerhet”, “IT säkerhet” or

“samverkan”, “forum”, “samarbete” and “digitalisering”