An Institutional Theory Perspective on Developing a Cyber Security Legal Framework: A Case of Saudi Arabia

Abstract

In the information age, the cyber-attacks have increased manifold, and developing a cyber-security legal framework is the need of the hour. Saudi Arabia experiences the highest cyber-attacks in the Arab region. This research attempts to develop a cyber-security legal framework for Saudi Arabia in particular and other countries in general. The study uses coercive, normative, and mimetic forces of institutional theory for this endeavor. Coercive pressure manifests in legal instruments, so countries like Saudi Arabia need to ensure compliance of their organizations to their respective laws, regulations, security policies, and procedures. Normative force manifests in professional networks and community expectations. So, countries like Saudi Arabia should collaborate, share information with other countries and join the Budapest Convention to combat cyber-crimes. Saudi Arabia should sufficiently incorporate the provisions of the Arab Convention on Combating Information Technology Offences in its legal instruments. Mimetic force involves copying the actions and practices of successful organizations. So, countries like Saudi Arabia should improve their legal tools by incorporating key features of legal instruments of more advanced cyber-secure nations like the UK, USA, Singapore, etc. Specifically, Saudi Arabia should improve its legal tools in the areas of privacy, identity theft, cyber-bullying, etc.