【 摘 要 】

Recently, ‘security by design’ has surfaced as an aspirational mantra in cybersecurity regulation and policy. It urges those involved in building information systems to consider the systems’ security needs before they are built and integrate these needs in the systems’ subsequent design and construction. The mantra joins a design-focused discourse on the integration of various values into technology development processes. However, critical scholarship on the roots, meaning(s) and regulatory dimensions of ‘security by design’ is scarce. This article aims to fill this gap. It examines the nascent discourse on ‘security by design’ with a view to assessing the mantra’s utility as a regulatory principle in the context of information systems development. An argument advanced in the article is that while the mantra is a valuable addition to cybersecurity law and policy, realising its aspirations is likely to be hindered by its nebulous semantics and particular characteristics of computer engineering culture. The article warns that the legitimacy of ‘security by design’ as a regulatory principle could be weakened if it is used to further authoritarian or corporate interests at the expense of civil liberties or consumer protection.

【 授权许可】

Unknown