Trust over firewalls: strengthening cybersecurity through ethics and law

In the age of digitalisation, our dependence on IT systems increases – and so does the risk of cyberattacks. A study shows how cybersecurity can be implemented not only technically, but also from a social, ethical and legal angle.

Cybersecurity is changing rapidly. New security loopholes emerge every day, and new technical safeguards are needed all the time. The pace of this change prevents users from making informed decisions about their own usage behaviour. The rule of law faces challenges of its own, for example because legislative processes cannot keep pace with the speed of technological advancement. The NRP 77 research project led by Markus Christen from the University of Zurich examined the non-technical aspects of cybersecurity and compiled recommendations for policymakers and experts.

Key insights

As the research team showed, successful cybersecurity requires not only technology but also clear rules on information exchange, trust and cooperation. The new Swiss National Cybersecurity Centre (NCSC) in particular has a key role to play: it is tasked with ensuring clear framework conditions and effective oversight. The research team also identified legal loopholes in the Information Security Act, particularly with regard to the definition of critical infrastructures and the requirements placed on them. The project further highlighted the need for regulation in the field of cybersecurity, because the gap between technological progress and the pace of legislative response keeps growing. By surveying critical infrastructure operators and cybersecurity professionals, the researchers also compiled insights that support the National Cyberstrategy (NCS). From these findings and the legal analysis, recommendations were drawn up for legislators and for the authors of ethical guidelines.

Significance for policy and practice

The central legislative recommendations for policymakers include sharpening the definition of ‘critical infrastructure’ and expanding the minimum requirements. In addition, the research team developed a set of guidelines for establishing a value-driven cybersecurity culture. It is designed to ensure that ethical and legal uncertainties are identified at an early stage, so that swift decisions can be made in an emergency. The project also recommends that future research focus on analysing specific decision-making processes during incidents, in order to build trust and reinforce collaboration between the various actors.

Three main takeaways

  1. State involvement in the cybersecurity of critical infrastructures should focus on three aspects:
    a) Cybersecurity legislation should focus more on preventative measures, whereas soft law could support critical infrastructures in responding to cyber-incidents;
    b) Collaboration with the authorities should exist but should not compromise the autonomy of critical infrastructure;
    c) Information sharing, both on technical and management levels, should be supported by adequate legislation.
  2. Critical infrastructures must adhere to enhanced minimum cybersecurity requirements detailed in the Information Security Act, which should also be amended to clarify the concept of critical infrastructures and to impose additional requirements on IT services.
  3. First responders to incidents should develop a value-driven cybersecurity culture through preparatory steps, namely open and lawful discussions among peers about how their actions align with personal and societal values, so that incident handling becomes more effective.
