In the information age, cyber-attacks have increased manifold, and developing a cyber-security legal framework is the need of the hour. Saudi Arabia experiences the highest number of cyber-attacks in the Arab region. This research attempts to develop a cyber-security legal framework for Saudi Arabia in particular and other countries in general. The study uses the coercive, normative, and mimetic forces of institutional theory for this endeavor. Coercive pressure manifests in legal instruments, so countries like Saudi Arabia need to ensure that their organizations comply with their respective laws, regulations, security policies, and procedures. Normative force manifests in professional networks and community expectations, so countries like Saudi Arabia should collaborate and share information with other countries and join the Budapest Convention to combat cyber-crimes. Saudi Arabia should also sufficiently incorporate the provisions of the Arab Convention on Combating Information Technology Offences in its legal instruments. Mimetic force involves copying the actions and practices of successful organizations, so countries like Saudi Arabia should improve their legal tools by incorporating key features of the legal instruments of more advanced cyber-secure nations like the UK, USA, Singapore, etc. Specifically, Saudi Arabia should improve its legal tools in the areas of privacy, identity theft, cyber-bullying, etc.