Force

Developing a Cyber Security Legal Framework

Coercive

Coercive force in cyber-security is visible in Saudi Arabia in the form of legal instruments like Telecom Act (2001) , Anti-Cyber Crime Law (2007) , Electronic Transactions Law (2007) , Information Security Policies and Procedures Development Framework for Government Agencies (CITC, 2011) , Parental Control Service Regulatory Framework (CITC, 2017) , etc. The presence of such laws, policies, and procedures create legal pressure on organizations to act in compliance to gain acceptability from the government (Edwards et al., 2009) . Such legislative requirements increase information security compliance in organizations (Smith & Jamieson, 2006) . Countries such as Saudi Arabia need to ensure that various institutions comply with these coercive legal instruments.

Normative

In developing countries like Saudi Arabia, community pressures influence information security compliance in public organizations (Kam & Katerattanakul, 2014) . Privacy, trust, and quality of services are socially desirable needs, and organizations need to address them to maintain their reputation in the information era (Zhang et al., 2005) . To enhance cooperation with Arab League countries, Saudi Arabia needs to incorporate provisions of the Arab Convention on Combating Information Technology Offences in its legal instruments. Countries like Saudi Arabia should standardize their laws in line with international conventions (Singh, 2018a) . They should also join the Budapest convention to build cooperative and collaborative relationships with the international community.

Mimetic

In countries like Saudi Arabia, who still need to make progress in the area of cyber-security, mimicking the cyber-security practices, more advanced nations like the UK, the USA, and Singapore, etc. can be done. Such mimicking can help to minimize risks and threats, increase stakeholders’ confidence and trust, and improve people’s confidence due to enhanced security (Singh & Agarwal, 2011; Singh & Grover, 2011; Steinbart et al., 2012; Singh, 2018b) . Saudi Arabia has Anti-Cyber Crime Law (2007) , but it is deficient in preventing protecting the privacy of individuals, theft of identity, preventing cyber-bullying, etc. (Alshammari & Singh, 2018) . Saudi Arabia needs to make these improvements in its legal framework mimicking the actions and practices of more advanced countries as per the GCI Index of 2018.