An Institutional Theory Perspective on Developing a Cyber Security Legal Framework: A Case of Saudi Arabia

In the information age, cyber-attacks have increased manifold, and developing a cyber-security legal framework is the need of the hour. Saudi Arabia experiences the highest number of cyber-attacks in the Arab region. This research attempts to develop a cyber-security legal framework for Saudi Arabia in particular and other countries in general. The study uses the coercive, normative, and mimetic forces of institutional theory for this endeavor. Coercive pressure manifests in legal instruments, so countries like Saudi Arabia need to ensure the compliance of their organizations with their respective laws, regulations, security policies, and procedures. Normative force manifests in professional networks and community expectations, so countries like Saudi Arabia should collaborate and share information with other countries and join the Budapest Convention to combat cyber-crimes. Saudi Arabia should sufficiently incorporate the provisions of the Arab Convention on Combating Information Technology Offences in its legal instruments. Mimetic force involves copying the actions and practices of successful organizations, so countries like Saudi Arabia should improve their legal tools by incorporating key features of the legal instruments of more advanced cyber-secure nations like the UK, the USA, Singapore, etc. Specifically, Saudi Arabia should improve its legal tools in the areas of privacy, identity theft, cyber-bullying, etc.


Introduction
In the modern era, the Internet has emerged as the most important invention to date. The dependence of organizations on the Internet for meeting customers' needs has been increasing day by day (Hunton, 2011). The use of the Internet for a variety of purposes by customers is increasing as well. By the year 2000, the Internet had attracted 413 million users, and this increased exponentially to 3.4 billion in 2016 (Roser et al., 2020). The number of networked devices was projected to increase from 17.1 billion to 27.1 billion in 2021 (Cisco, 2017). The increasing number of users and uses of the Internet has also made it susceptible to cyber-crimes and brought cyber-security issues to the forefront (Singh, 2017). Cyber-security problems have exposed a dark side of the Internet as a platform on which cyber-criminals have been able to grow and proliferate (Selwyn, 2007). It is difficult to punish cyber-criminals due to the abstract nature of the Internet and the complications involved in tracing cyber-crimes back to their origin (Hunton, 2011). These cyber-security issues pose severe threats to sensitive and private information (Joode, 2011). Such cyber-security challenges pose risks not only to individuals and businesses but to countries as well; they can threaten any country's national security, sociological balance, and financial position.
Countries across the globe have been experiencing increasing incidents of cyber-crimes. According to Clement (2019), the world regions affected by malicious data breaches (ranked by the share of attacks) in 2018 were: Asia Pacific (35%); North America (30%); Europe, Middle East & Africa (27%); and Latin America and the Caribbean (8%). According to Mihindukulasuriya (2020), the countries that experienced the most cyber-attacks in 2019 were, in order: the USA, India, the UK, Singapore, Ukraine, Saudi Arabia, Nigeria, Japan, South Korea, and Spain. In the Arab region, Saudi Arabia experiences the highest number of cyber-attacks, followed by the UAE (Forbes Middle East, 2018). Over the last few years, Saudi Arabia has witnessed major cyber-attacks like Shamoon on August 15, 2012; Cyber of Emotion on August 15, 2015; Shamoon 2.0 on November 17, 2016, November 29, 2016, and January 23, 2017; StoneDrill in 2017; Mamba ransomware in July 2017; Triton in August 2017; and an Advanced Persistent Threat on November 20, 2017, etc. (Alshammari & Singh, 2018; Alelyani & Harish Kumar, 2018). In the year 2015 alone, Saudi Arabia faced 60 million cyber-attacks (Al-Hussein, 2017). From August 2016 to August 2017, 60 percent of Saudi institutions faced cyber-attacks (Arab News, 2017). Estimates suggest that cyber-attacks would cost the Saudi economy up to US $8 billion (Bell, 2018). Also, estimates suggest that cyber-attacks would cost the world economy approximately $5.2 trillion from 2019 to 2023 (Ghosh, 2019).
Incidents of cyber-attacks carry a tremendous economic as well as social cost for all countries across the globe. The Middle East region has been one of the major victims of cyber-attacks, and Saudi Arabia is the worst affected country in the region. So, this study stresses the importance of developing a cyber-security legal framework for Saudi Arabia. The knowledge generated by this study would be useful for Saudi Arabia in particular, and for the Middle East and other countries across the world in general. Accordingly, this study proposes that technological as well as legal interventions are needed to address cyber-security challenges. However, technological advancements generally move at a rapid pace, while the legal framework lags behind (Singh, 2016). This research looks at the problem from a legal approach to develop the cyber-security legal framework. This research paper is divided into six sections. Section 2 is dedicated to the review of the literature. This research makes a case for applying institutional theory to develop a cyber-security legal framework for Saudi Arabia in particular and other countries in general. Accordingly, in sub-Section 2.1, the authors present the tenets of institutional theory. In Sections 3 and 4, the authors examine the tenets of institutional theory in the legal context of Saudi Arabia. In Section 3, the authors examine the Saudi cyber-security related laws, policies and procedures, membership of convention(s), and the performance of Saudi Arabia in the legal pillar of the GCI index vis-à-vis leading nations. In Section 4, the authors depict the application of the three forces of institutional theory for developing a cyber-security legal framework for Saudi Arabia in particular and other countries in general. Section 5 presents the discussion based on the research work in Sections 1 to 4. Section 6 concludes the research paper.

Literature Review
The literature presents numerous ideas for the assessment of cyber-security at the organizational level. The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standard 27000-4 and the National Institute of Standards and Technology (NIST) security metric guide present the definition and operationalization of security measurements (Chew et al., 2008). The CORAS approach presents a meta-model over the security field to support cyber-security assessments (Lund et al., 2011). Breu et al. (2008) extend the model-based approach to security management and identify the cyber-security threats that have the strongest influence on business security objectives. Hallberg et al. (2006) proposed the XMASS method, by which a modeler can specify cyber-security profiles for business entities and calculate cyber-security values. However, all of the above cyber-security assessment methods apply to business organizations and not to countries. Further, they provide a cyber-security assessment, not a cyber-security legal framework.
At the country level, a study was conducted by Alshammari & Singh (2018) to assess the preparedness of Saudi Arabia to defend itself against cyber-crimes. The study made an assessment based on Saudi Anti-Cyber Crime Law (2007) and the Global Cyber-security Index (GCI) of 2017. The study found Saudi Arabia in the maturing stage of the GCI index of 2017 behind leading countries like Singapore, the USA, Malaysia, Oman, Mauritius, Australia, Russia, Egypt, etc.
Despite a comprehensive assessment, this study did not provide a cyber-security legal framework. Also, this study focused only on the Saudi Anti-Cyber Crime Law (2007) and did not consider other Saudi legislation like the Telecom Act (2001) and the Electronic Transactions Law (2007). Gandhi (2014) compares cyber-attacks to pathogen infections (e.g., and argues that cyber-systems are complex adaptive systems, so principles of complexity science (like systems thinking and natural science) should be leveraged in the cyber-security field to complement traditional approaches. The paper presents high-level techniques in this endeavor. The article states that a holistic approach to cyber-security is better than a reductionist approach with specific point solutions to individual problems. The author suggests building diversity into cyber-security systems to increase their immunity to cyber-attacks. The author also indicates that simulation modeling techniques like Agent-Based Modelling should be used to model cyber-security systems.
However, the author merely presents several theoretical ideas and does not suggest mechanisms for their implementation. Also, the author presents complexity science in the context of organizations and does not consider the country as an entity for the implementation of the theoretical framework he proposes. Björck (2004) states that the social behavior of humans impacts cyber-security and accordingly presents arguments to deploy institutional theory in Information System/Information Technology (IS/IT) security research. The author gives various examples of the use of institutional theory in IS/IT research and makes a case in favor of using institutional theory in IS/IT security, stating that the institutional perspective can help to achieve a sound and cost-effective IS/IT security management infrastructure. Hovav & D'Arcy (2012) call for applying institutional theory to better understand the compliance of organizations with information security regulations, standards, and policies.
According to Teo et al. (2003), the institutional theory provides insights into the significance of institutional environments to organizational structures and actions. According to Currie (2009), the institutional theory provides rich observations regarding non-linear routes of IT adoption across organizations.
The authors have found applications of institutional theory in various research studies related to IS/IT at the individual and organizational levels. Institutional theory has been applied to financial electronic data interchange (FEDI) adoption at the organizational level by Teo et al. (2003). Butler (2003) used institutional theory to describe, explain, and understand the role of social forces in the development of web-based information systems in organizations. Cavalluzzo & Ittner (2004) establish that leveraging legislative instruments impacts the adoption of management control systems and increases operational productivity in public organizations. Liang et al. (2007) leveraged institutional theory and demonstrated the substantial impact of existing rules and regulations, and of public opinion, on the assimilation of enterprise systems. Ugrin (2009) applied institutional theory to enterprise resource planning (ERP) adoption at the organizational level. Shi et al. (2008) applied institutional theory to internet banking adoption at the individual level. Sherer (2010) applied institutional theory to physicians' adoption of Electronic Health Records (EHRs). Burnett et al. (2015) applied institutional theory to analyze hospital responses to external demands for finance and quality in 5 European countries.
Despite multiple applications of institutional theory in the IS/IT field in general and the recommendations of Björck (2004) and Hovav & D'Arcy (2012) to apply it in IS/IT security, there are scant attempts to apply it in the critical area of cyber-security. The authors select this theory due to its scope and its lack of application to the area of cyber-security. Also, the authors would apply it at the level of the country, instead of an organizational or individual level.

Institutional Theory
Institutional theory has its roots in social science disciplines like ethnography, political science, anthropology, phenomenology, and organization studies. This study applies the institutional model of isomorphic change by DiMaggio & Powell (1983). The model of DiMaggio & Powell (1983) is widely used to understand the influence of institutional forces on the information security compliance of organizations. This model stresses the importance of conforming to external expectations to secure legitimacy from stakeholders for organizations (Appari et al., 2009). Cavusoglu et al. (2015) state that this legitimacy can be secured by strategically responding to external pressures.
According to DiMaggio & Powell (1983), organizations converge to similar practices and behaviors over time. They identified and explained three forces that determine how adopted behaviors and practices become isomorphically accepted by the organizational field as a whole. These three forces are: coercive (constraining), normative (learning), and mimetic (cloning) (Davidsson et al., 2006; Cavusoglu et al., 2015). Political influence and organizational legitimacy drive coercive isomorphism. It can be conveyed through laws, regulations, policies, outside agency standardization, oversight, or compliance requirements (Cavusoglu et al., 2015; Kim et al., 2016). Normative isomorphism is related to professional values and norms embedded in the organization (Appari et al., 2009). It can stem from learning from others in professional networks. It can also stem from the community's expectation that organizations act in a certain manner at a specific time (Appari et al., 2009; Kam & Katerattanakul, 2014). Mimetic isomorphism involves copying or mimicking the behaviors of others. These behaviors are a result of the organizational response to uncertainty, which causes organizations to imitate the successful actions and practices of similar organizations within their environment (Safa et al., 2016). The publicity of perceived benefits by organizations creates pressure on other organizations to adopt similar actions and practices (Alkalbani et al., 2017). According to DiMaggio & Powell (1983), by examining and measuring the organizational field around these three forces, it is possible to understand convergence on homogenized practices and accepted behaviors in organizations. So coercive, normative, and mimetic pressures guide

H. P. Singh, T. S. Alshammari
Saudi Arabia has also developed the Information Security Policies and Procedures Development Framework for Government Agencies (CITC, 2011). It contains information security policies and guidelines that assist Saudi government agencies in managing their information security risks. Saudi Arabia also formed the Parental Control Service Regulatory Framework (CITC, 2017) to protect children from internet risks and prevent abuse on social media, etc.
Cyber-attacks occur across country boundaries through a network of intermediary systems that mask the attackers' identity (Grabosky, 2014). So, countries need to collaborate and share information. Saudi Arabia is a member of the Arab League and shares cultural, political, and socio-economic interests with Arab League countries (Alazab & Chon, 2015). Arab countries formed a platform to enhance cooperation among themselves to combat cyber-crimes: the Arab Convention on Combating Information Technology Offences (ACCITO, 2015). The convention covers cyber-crimes involving more than one state (Article 3). It covers the offenses of illicit access (Article 6), illicit interception (Article 7), compromising the integrity of data (Article 8), misuse of information technology means (Article 9), online forgery (Article 10), cyber fraud (Article 11), cyber pornography (Articles 12 and 13), cyber-piracy (Article 14), cyber-terrorism (Article 15), organized cyber-crimes (Article 16), violation of copyright (Article 17), illicit use of electronic payment tools (Article 18), and the attempt at and participation in the commission of offenses (Article 19), etc. The convention calls on member states to increase punishment for cyber-crimes (Article 21) and to mutually assist each other in investigating and combating crimes (Article 32). Despite being a signatory, Saudi Arabia does not mention or sufficiently incorporate the provisions of this convention in its cyber-security related laws. Saudi Arabia and the other countries of the Gulf Cooperation Council (GCC) have not joined the Budapest Convention, which is a comprehensive international treaty on cyber-crime investigation and law (Council of Europe, 2020).
Saudi Arabia improved its position in the GCI index of 2018 to 13th rank from 46th rank in 2017. As per the GCI index of 2018, the leading cyber-secure countries are the UK, the USA, Singapore, etc. The UK has strong legal instruments to fight cyber-crimes like the Computer Misuse Act 1990, Communications Act 2003

Institutional Theory for Developing Cyber-Security Legal Framework
In this section, the authors present the application of institutional theory for developing the cyber-security legal framework for Saudi Arabia in particular and other countries in general. In the case of countries like Saudi Arabia, the three forces (coercive, normative, and mimetic) under institutional theory are applicable. Table 1 depicts this.

Coercive
(Edwards et al., 2009). Such legislative requirements increase information security compliance in organizations (Smith & Jamieson, 2006). Countries such as Saudi Arabia need to ensure that various institutions comply with these coercive legal instruments.

Normative
In developing countries like Saudi Arabia, community pressures influence information security compliance in public organizations (Kam & Katerattanakul, 2014). Privacy, trust, and quality of services are socially desirable needs, and organizations need to address them to maintain their reputation in the information era (Zhang et al., 2005). To enhance cooperation with Arab League countries, Saudi Arabia needs to incorporate provisions of the Arab Convention on Combating Information Technology Offences in its legal instruments. Countries like Saudi Arabia should standardize their laws in line with international conventions (Singh, 2018a). They should also join the Budapest Convention to build cooperative and collaborative relationships with the international community.

Mimetic
In countries like Saudi Arabia, which still need to make progress in the area of cyber-security, the cyber-security practices of more advanced nations like the UK, the USA, Singapore, etc. can be mimicked. Such mimicking can help to minimize risks and threats, increase stakeholders' confidence and trust, and improve people's confidence due to enhanced security (Singh & Agarwal, 2011; Singh & Grover, 2011; Steinbart et al., 2012; Singh, 2018b). Saudi Arabia has the Anti-Cyber Crime Law (2007), but it is deficient in protecting the privacy of individuals, preventing identity theft, preventing cyber-bullying, etc. (Alshammari & Singh, 2018). Saudi Arabia needs to make these improvements in its legal framework by mimicking the actions and practices of more advanced countries as per the GCI Index of 2018.

Discussion
Countries across the globe have been witnessing increasing incidents of cyber-crimes. In the Arab region, Saudi Arabia has been the worst hit by cyber-crimes. To successfully defend against cyber-crimes, countries like Saudi Arabia need a cyber-security legal framework. The literature presents various cyber-security assessment methods like the ISO/IEC standard 27000-4, the NIST security metric guide, the CORAS approach, the XMASS method, etc. However, these methods apply to business organizations, not countries. Alshammari & Singh (2018) assessed the preparedness of Saudi Arabia vis-à-vis the Anti-Cyber Crime Law and the GCI index of 2017 but did not provide a cyber-security legal framework. Gandhi (2014) presents theoretical ideas to model cyber-security systems but does not present implementation mechanisms.
Institutional theory has been applied in multiple IS/IT studies. At the organizational level, institutional theory has been applied in IS/IT by Teo et al. (2003), Butler (2003), Cavalluzzo & Ittner (2004), Liang et al. (2007), Ugrin (2009), Burnett et al. (2015), etc. At the individual level, institutional theory has been applied in IS/IT by Sherer (2010), Shi et al. (2008), etc. There is hardly any study in the area of cyber-security where institutional theory has been applied. Authors like Björck (2004) and Hovav & D'Arcy (2012) recommended the application of institutional theory in IS/IT security. Due to its scope, institutional theory has been selected and applied in this research to develop a cyber-security legal framework. This answers the first research question (RQ1).
To answer the second research question (RQ2), the authors examined the tenets of institutional theory as well as Saudi cyber-security related laws, policies and procedures, membership of convention(s), and the performance of Saudi Arabia in the GCI index vis-à-vis leading countries. According to institutional theory, three forces guide the behavior of organizations: coercive, normative, and mimetic (Davidsson et al., 2006; Cavusoglu et al., 2015). Coercive force is visible in the form of legal instruments (Cavusoglu et al., 2015; Kim et al., 2016). In Saudi Arabia, the coercive legal tools are the Telecom Act (2001) (Appari et al., 2009; Kam & Katerattanakul, 2014). Saudi Arabia is a member of the Arab Convention on Combating Information Technology Offences (ACCITO, 2015). Mimetic force involves copying or mimicking the actions and practices of successful organizations (Safa et al., 2016). Saudi Arabia is behind countries like the UK, the USA, Singapore, etc. in the legal pillar of the GCI Index of 2018 and needs to mimic them to sharpen its cyber-security legal framework. By complying with the three forces of institutional theory, countries like Saudi Arabia can leverage the cyber-security legal framework. This answers the second research question (RQ2).

Conclusion
In the modern era, the increasing number of internet users and networked devices has brought cyber-security challenges to the forefront. To address these challenges and keep cyber-criminals at bay, countries like Saudi Arabia need to develop their cyber-security legal framework. The three forces of institutional theory (coercive, normative, and mimetic) present a proper structure for developing such a cyber-security legal framework. Although Saudi Arabia possesses coercive legal cyber-security tools, countries like Saudi Arabia need to ensure the compliance of organizations with these legal instruments. In partial compliance with the normative force, Saudi Arabia is a member of the Arab Convention on Combating Information Technology Offences. However, countries like Saudi Arabia need to sufficiently incorporate the provisions of this convention in their cyber-security legal instruments. Also, Saudi Arabia and other Arab League countries should join the Budapest Convention and should standardize their laws in line with this international convention. They should collaborate and share information with other countries. Although Saudi Arabia has improved its position in the GCI Index of 2018 as compared to 2017, it is still behind the leading nations in the legal pillar of the GCI index. So, countries like Saudi Arabia need to strengthen their legal instruments by learning from more cyber-secure nations like the UK, the USA, Singapore, etc. Specifically, Saudi Arabia needs to improve its Anti-Cyber Crime Law (2007) in the areas of privacy, identity theft, cyber-bullying, etc.