Adaptive governance for the Internet of Things: Coping with emerging security risks

The Internet of Things (IoT) is a disruptive innovation known for its socio-economic potential, but also for generating unprecedented vulnerabilities and threats. As a dynamic sociotechnical system, the IoT comprises well-known cybersecurity risks and endemic uncertainties that arise as IoT adoption increases and the system evolves. We highlight the impact of these challenges by analyzing how insecure IoT devices pose threats to both consumer protection and the Internet's infrastructure. While recent regulatory responses are starting to target IoT security risks, crucial deficiencies - especially related to the feedback necessary to keep pace with emerging risks and uncertainties - must be addressed. We propose a model of adaptive regulatory governance that integrates the benefits of centralized risk regulatory frameworks with the operational knowledge and mitigation mechanisms developed by epistemic communities that manage day-to-day Internet security. Rather than focusing on the choice of regulatory instruments, this model builds on the "planned adaptive regulation" literature to highlight the need to systematically plan for a knowledge-sharing interface in regulatory governance design for disruptive technologies, facilitating the feedback necessary to address evolving IoT security risks.