Cyber risk logics and their implications for cybersecurity

Sarah Backman, Tim Stevens*

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review


Cybersecurity in national and international security is frequently discussed in an existential register. However, most cybersecurity activities are normal and routine, including diverse practices of cyber risk management. The intricacies of cyber risk and its connection to security and threat politics have received surprisingly little attention in the cyber politics literature. This article addresses this gap through a twofold theoretical proposition. The first argues that cyber risk in policy and practice inhabits a continuum between ‘classical’ risk and security postures. The second proposes the existence of multiple risk logics located in different positions on this continuum. To illustrate this, we outline two distinct cyber risk logics – ‘risk as potential threats’ and ‘risk as uncertainty’. Through an exploratory case study of UK risk policy and guidance, we find indications of the simultaneous existence of these risk logics, including in specific organisational contexts. We propose that ‘risk as potential threats’, in particular, acts as a ‘bridge’ between conventional risk and security. We conclude by discussing how differentiating cyber risk logics facilitates a finer-grained appreciation of cybersecurity policy and practice and provides opportunities for disciplinary engagement with the organisational and institutional politics of cybersecurity and ‘the international’.
Original languageEnglish
JournalInternational Affairs
Publication statusAccepted/In press - 12 Mar 2024


  • risk
  • cybersecurity
  • risk management
  • international security
  • International Relations theory

Cite this