Risk vs. threat-based cybersecurity: the case of the EU

Figures & data

Table 1. Operationalisation of risk vs. threat-based security logics. Adopted from Corry (2012, pp. 248–249) in terms of categories and key indicators for risk and threat-based security logics, respectively. Coded words have been added by the author for the content analysis part of the study.

	Threat-based security logic	Risk-based security logic
Problem Emphasis	Focus: Agency and intent of conflicting parties.	Focus: Systemic characteristics, vulnerability of societies.
Proposed Response	Defend against direct causes of harm (antagonistic threats)Coded words:• Threat• Attacks	Govern the constitutive causes of harm.Coded words:• Risk• Vulnerabilities
Policy prescription	Focus: Defend and deter.Plan of action for defence against threat, that is external to referent object.Coded words:• Deterrence • Defense• Diplomacy	Focus: Manage and mitigate.Plan of action to increase governance and resilience of referent object.Coded words:• Prevention• Awareness• Resilience

Figure 1. Weighted Percentage (%) – frequency of the word relative to the total words counted in the EU security strategies, respectively (2015 and 2020).

Figure 2. Words coded as indicators of a risk-based security logic. Weighted Percentage (%) – frequency of the word relative to the total words counted in the EU cybersecurity strategies, respectively (2013 & 2020).

Figure 3. Words coded as indicators of a threat-based security logic. Weighted Percentage (%) – frequency of the word relative to the total words counted in the EU cybersecurity strategies, respectively (2013 & 2020).

Table

Reference	Affiliation
Interviewee 1	Member State 1/National cybersecurity agency
Interviewee 2	Member State 1/National cybersecurity agency/EU working group for 5G
Interviewee 3	Member State 1/National CERT/the EU CSIRT-network
Interviewee 4	Member State 1/National cybersecurity agency
Interviewee 5	EU cyber defence think tank
Interviewee 6	ENISA (2012–2015)
Interviewee 7	ENISA expert group cybersecurity ICS
Interviewee 8	EC3
Interviewee 9	ENISA
Interviewee 10	Member State 2/Cybersecurity agency
Interviewee 11	EEA country 1/National cybersecurity agency
Interviewee 12	Member State 1/National cybersecurity agency
Interviewee 13	Member State 3/National cybersecurity agency

Corry, O., 2012. Securitisation and ‘riskification’: second-order security and the politics of climate change. Millennium: Journal of international studies, 40 (2), 235–258.

 Web of Science ®Google Scholar