Communications of the ACM

applies to governments writing and enforcing laws about cybersecurity. Layer 10 applies where there is no government to issue laws. Study of layer 10 thus includes both state and non-state actors that have transborder effects.

In the matrix, each of the three columns refines the sorts of institutions making the decisions. For each layer, column A contains issues arising within the institution—the organization or nation. Each “issue” identifies cyber vulnerabilities or mitigating activities. Column B contains issues defined by relations with other actors at that level. Column C contains issues where other limits arise from actors at the same layer of the stack.

This three-column approach becomes clearer as applied to layer 8, the organizational layer. Column A includes cybersecurity activities within a single organization. A company (or other organization that faces cybersecurity attacks) takes numerous actions to reduce cyber-risk. It develops incident response plans and other internal policies, and trains its employees. One way to conceptualize cell 8A is to think of the responsibilities of a CISO in managing cyber-risk within the organization.

Column B in layer 8 (cell 8B) concerns the organization’s relations with other actors. First, a company creates data-use agreements and other contracts with vendors and other entities. Flawed management of these relations can expose a company to risk, such as if it hires a subcontractor to manage systems or data and the contractor does so badly. Another much-discussed aspect of cybersecurity is information sharing between organizations, such as through an Information Sharing and Analysis Center.

The third column, cell 8C, concerns other limits that originate in the private sector. The PCI DSS standard is a well-known example, governing security at the point of sale. This standard has a powerful effect on the cybersecurity of millions of merchants. The contractual standard originates in the private sector, led by the PCI Security Standards Council. If the standard is designed and implemented well, then cybersecurity improves; if done badly, cyber-risks and costs increase.

1, the vulnerabilities in these new layers are further organized by institutional form—whether the vulnerability arises within the organization (or nation), between organizations (or nations), or from other institutions at that layer.

In addition to categorizing vulner-
abilities, the PCF builds on another
aspect of the OSI model, the “protocol
data unit,” such as bits for the physi-
cal layer, packets for the network layer,
and data for the application and other
top layers. These protocol data units
“describe the rules that control hori-
zontal communications,” within a sin-
gle layer of the OSI stack.d
At layer 8, for organizations, I sug-
gest the controlling rules come from
contracts. The much-cited law and eco-
nomics scholars Jensen and Meckling
have defined corporations as a “nexus
of contracts.” 1 Contracts are the gover-
nance structure for relations between
corporations, such as data-use agree-
ments between an organization and
its contractors. Less intuitively for non-
lawyers, contracts also govern arrange-
ments within a corporation, governing
the roles and actions of the board of
directors, management, and employ-
ees. Contracts are thus the protocol
data unit for layer 8, providing the rules
within that layer.

At layer 9, the controlling rules for government—the protocol data units—are laws. Governments enact and enforce laws, requiring actions from the organizations within the government’s jurisdiction. The international realm of layer 10 operates where no binding law applies. Actors at layer 10 interact through diplomacy (or lack of diplomacy), such as negotiating a cyber-related treaty, and sometimes through declared or undeclared war.

Put another way, the traditional seven layers concern protocols expressed in machine language; layers 8 to 10 concern protocols (contracts, laws, diplomacy) expressed in natural language. The layers operate in a way familiar from the OSI stack: organizations at layer 8 select the applications at layer 7. Governments at layer 9 set laws to govern organizations. Actions at layer 10 affect the governments at layer 9, and apply when no single government can set the law.

d https://bit.ly/2x40Aoj

The 3x3 Institutional Matrix

Universities have traditionally studied the three non-code layers in different departments. In general, business schools focus on managing companies and other organizations. Law schools are the experts in law. International relations programs study international affairs. These different university departments are organized based on the institutions they primarily study: companies, laws, and transnational institutions.

By contrast, my experience is that
computer scientists often group all
of these issues into the general term
“policy.” Traditionally in computer
science, this soft realm of “policy” is
the generic term for everything not
expressed in machine language. But
public policy departments do not
intensively cover all aspects of man-
agement, law, and international re-
lations, so the computer science use
of “policy” creates confusion for the
other departments that increasingly
teach and research on cybersecurity.
The proposed framework matches the
typical departmental organization in
universities, and provides a visual rep-
resentation of the key dimensions for
what computer scientists have often
simply called “policy.”
As an additional way to organize
the many non-code cybersecurity-
concerns, the PCF employs a 3x3 ma-
trix that refines which institutions
are involved in each area of cyber-
vulnerability or response. Table 2
portrays the matrix. In Figure 2, each
layer (row) is defined by the institu-
tions that make decisions affecting
cybersecurity. Layer 8 applies to orga-
nizations facing cyberattacks. Layer 9