Appendix: Normative trade-offs framework
Developed by the System Initiative on Shaping the Future of Digital Economy and Society as a tool for removing the veil of ambiguity from difficult decisions.
In a number of contexts, from business to politics to the social sector, leaders have to make decisions and prioritize one set of values over another — a policy-maker may be forced to choose between allocating a national budget towards education versus healthcare; a business leader may be forced to choose between capturing market share versus profitability.To make these decisions, leaders often seek out data to inform their choices. For example, policy-makers have reams of budget analyses and business leaders have granular visibility into customer segments. While this decision-making environment is rich in facts that may support any decision, the process itself is often divorced from the core values leaders are attempting to promote and prioritize.However, these hard-to-quantify values often implicitly frame the terms of the debate through which policy is made. To facilitate informed decision-making on these “soft” questions, a three-part decision framework was developed, which has been implemented across numerous efforts in the World Economic Forum System Initiative on Shaping the Future of Digital Economy and Society, including cyber resilience, and which is intended for broad dissemination.The objective of this framework is to surface the values that underlie decision-making and offer a transparent and collaborative process by which leaders can make and explain policy decisions with normative implications. This framework is comprised of three steps:
- Articulate the option space
- Isolate the most important values
- Quantitatively rank feasible choices
1. Articulate the option space
To make well-informed decisions where determinations of value trade-offs are required, it is necessary to have a firm grasp of the full set of options and key elements that help distinguish one possible decision from its “nearest neighbour”.
A full set of options, unconstrained by the limitations of present circumstance, helps push the boundaries of thinking. At this stage, it is important to consider many “possible” decisions in a policy space, even if some may be undesirable or implausible. This exercise allows for later attribution of values or norms to be clearer and more explicit.
In cybersecurity policy-making, one commonly debated issue is the handling of so-called “zero-days”. Zero-days are exploitable vulnerabilities not known about publicly (they are in “day 0” of their discoverability). These vulnerabilities (and exploits which take advantage of them) can be catalogued and stockpiled by national defence organizations and deployed offensively. These zero-days can also be shared with the software vendors whose product is vulnerable, so they can develop measures to mitigate and patch these vulnerabilities.
In the process of elucidating the full option-space for zero-days, the Working Group convened by the World Economic Forum suggested that focusing on the government’s role in developing and sharing zero-days, while important, is a reactive and limited policy posture. After all, they reasoned, a software vulnerability first has to be coded before a debate can arise about how to share knowledge of that vulnerability to promote competing valid national interests. In brief, in articulating the full set of areas where policy-makers could contribute, it became obvious that much of the debate — while valid — did not adequately consider other important elements.
2. Isolate the most important values
After mapping the option-space, it is necessary to develop the “long list” of values to consider in the process of making a decision. It is meant to be a list of all the values that might be held by a given constituency with respect to a policy area. The list is not meant to be exhaustive, but should include a sufficient number of values to ensure that the most important or most likely to give rise to a values conflict are represented. Depending on the context, care should be taken to ensure that the values described are relevant to the various political, cultural and personal differences among stakeholders liable to be affected by the decisions in question.
For the Playbook for Public-Private Collaboration, the Forum convened a group to outline the key values that policy-makers should weigh in making choices between different cybersecurity policy options.
After defining the “long list of values”, the Working Group began simplifying and aggregating these values to a tractable and complete set. Again, taking the example of a recent discussion on cybersecurity policy, the more than 20 values that were initially identified as significant were eventually pared down to a list of five key values animating policy debate: security, privacy, fairness, economic value and accountability.
- Security — the protection of assets (tangible and intangible) from damage. Assets may be anything of value, including the well-being of individuals. Damage may comprise the loss of availability, integrity and, where applicable, confidentiality of assets resulting in a diminution of value for the rightful owners of the asset.
- Privacy — the ability of an individual, group or organization (e.g. business) to limit information about themselves. The boundaries of privacy vary by context and by country. The domain of privacy partially overlaps with security (confidentiality), which can include the notion of appropriate use as well as protecting information.
- Fairness — the extent to which entities within a given nation-state will be impacted symmetrically (or with otherwise perceived appropriateness) by policy, including due process. Perceptions of appropriateness will vary by context and by country.
- Economic value — the amount of monetary and common wealth, and commerce statically (e.g. current market participants) and dynamically (e.g. in the future from innovation) resulting from, or destroyed by, a given policy choice. Lower costs from cyberincidents may also contribute to greater economic value.
- Accountability — the extent to which an entity (individual, group, organization) can be held responsible or even liable for consequences arising out of its action or inaction. Public- and private-sector accountability have been separately delineated to demonstrate how burden shifts in particular policy models.
In addition to analytical tractability, the forcing function of shaping values is itself informative about how to think about value-based decisions:
- Not all values are equally relevant or important for a given policy discussion. For example, security is qualitatively more important as a dimension to evaluate cybersecurity policy than interoperability.
- Some values subsume others in their scope. For example, innovation is a subset of economic value.
- Some values enable others but are not fundamentally important in themselves. For example, transparency has little intrinsic importance but is enormously empowering to greater accountability.
Beginning consideration of values for cybersecurity policy
3. Quantitatively rank feasible choices
After defining the policy and business choices a leader can make on a given topic and the values that should be considered in making those decisions, one can begin confining the option-space; certain choices simply cannot be made by virtue of a fundamental constraint. For example, while it is important to consider a world in which many entities can fully monitor internet traffic, in practice the cost of capturing and effectively analysing such a massive volume of data will be prohibitive for most governments.
Having pared down the option-space into a set of feasible choices, it is important to explicitly enumerate the risks and benefits associated with a given choice.
Next, to ensure that subjective values are thoroughly debated and understood, it is valuable to numerically rank how much each value is promoted. Assigning a numerical estimate to how much a value is promoted or prioritized serves another important forcing function. By assigning a number to a given value, organizations are forced to make a more granular and nuanced judgement as to the impact of a given choice. Such quantification (even if only for illustrative purposes) also avoids absolutist justifications of preferred policy options and false binaries.
For example, in the context of cybersecurity and the values that different policy choices embody, a persistent problem is stakeholders grasping for rhetorical simplicity. For example, defence ministries will often argue that absent security, no other liberties can be secured. But the rhetorical simplicity of such an argument is undercut by being forced to articulate numerically the relative difference of different policies on security. If a policy is indeed able to provide significantly enhanced security, it should be easy to articulate either through anecdotal evidence or, better yet, numerical evidence.
The choice of numerical ranking is also important. A numerical scale with too many degrees of gradation will be intellectually taxing. Choosing a numerical scale that is odd numbered (e.g. with five options) risks allowing clustering of evaluations to form around the number 3. And a lukewarm indicator of a given choice’s impact is less valuable (e.g. 3 in the context of a 1 to 5 scale where 1 is the lowest prioritization of a given value and 5 is the highest prioritization of a given value). Just as exploitable differentiation is key to statistical inference, differentiation draws into high relief the trade-offs decisions require.
Another important benefit of forcing a numerical thinking for decision-making is its ability to illuminate inconsistencies or themes across different questions that a leader in a given organization will confront. For example, in the course of defining the numerical impact of policy choices, the World Economic Forum cyber resilience project found that the normative impact of insisting on weak encryption for companies in the private sector is similar to the normative impact of allowing employers to monitor the internet traffic of their employees. For most participants, the intellectual resemblance between these policies was not evident until this exercise was completed.
In the end, this exercise can be distilled to a series of “if …, then …” statements of the type “if a decision-maker prioritizes x value, then he/she should most likely promote y policy option.” These statements form the basis for a values-focused set of decisions and for a rubric to measure current policy decisions vis-à-vis professed values.
When to use a decision framework on values
A decision framework for normative questions is useful — it helps force relevant conversations quickly and, in imposing rigour on a typically circuitous process, helps ensure that there is forward movement on the outcome: making a decision.
However, the use of a decision framework implicitly prioritizes deliberation. Discussions of values are cognitively taxing and take time. In some contexts, the ability to rapidly make a decision may obviate the need for a well-considered framework, particularly if those decisions are easily reversible.