By providing reasons for action

According to the law and economic scholars’ correct criticism, traditional legal analysis has little means beside intuition and available facts to study the effects of laws³³⁷. This is partly because the doctrinal legal education grounded in descriptive legal scholarship gives a limited understanding of the ways the law influences behaviour³³⁸. Not even the normative guidance provided by law is clear and interest in the

The way regulation affects behaviour 141

339 The way the law influences behaviour of ordinary citizens has not been subject to great interest even in legal theory. The concentration is typically on judicial decision-making, especially by judges, and on the way regulation influences their decision-making. Even though many of the consideration are derived from general theory of action that is applicable more generally, legal theory has mostly concentrated on applying it to judicial decision-making. Not even the creation of law by the legislator has been of much interest in legal theory due to the separation of law and politics in the mainstream legal thinking as Luc Wintgens, Legisprudence as a New Theory of Legislation, p. 3, argues in a recent effort to apply the tools of legal theory to legislative problems. Extreme concentration on adjudication in legal scholarship has been criticised already in the 1970s as Luc Wintgens points out in Legislation as an Object of Study of Legal Theory: Legisprudence, p. 9.

The understanding of the ways regulation affect behaviour is crucial, however, also for legal scholarship. According to the basic premise of the economic approach to law, which is also shared by the scholars in other behavioural sciences like sociology and political science, the nature of legal institutions cannot be understood by limiting the consideration to the legal arguments alone. It is essential to consider as well what effects those institutions have on society and what reactions they will evoke from the citizens as result. This argument has also been made in relation to the economics of information by Ejan Mackaay in Economics of Information and Law, p. 4.

340 Even though this assumption of mechanical obedience of the law lies in the background of many positivist approaches to the study of law, it has to be noted that not all positivist general theories of the law presume this. As pointed out by Ruth Gavison in Comment: Legal Theory and the Role of Rules, footnote 103 and accompanying text, positivist legal theoreticians have held a variety of positions on the obligation to obey the law. For example, Joseph Raz in The Authority of Law, p. 233-250, argues that there is no general obligation to obey the law.

issue is scarce outside legal theory³³⁹. This emphasises even further in relation to the wider aspect of regulation.

The inadequacy of the hierarchical, top-down commanding model, according to which the objects of regulation follow the orders of the regulator (possibly backed by sanctions) in a uniform and predictable way is obvious despite the fact that it is still widely used in the studies on the effects of legislation and a general assumption made by legal scholars when they consider the effects of laws³⁴⁰. Behaviour modification that is associated with the activity of ensuring compliance with rules through strategies of enforcement (i.e., being accompanied

Regulating Secure Software Development 142

341 To treat the law as an incentive for changing behaviour (implicit prices) is the core of law and economics and the most praised, and the least contradictory, part of the economic analysis of the law. Similar analysis can be applied, and have been applied, also to the regulation more widely. The arguments developed in these studies, which are collected in scholarly books on regulation, are used to analyse the effects of specific instruments when available.

342 For example, the effects of sanctions and private law remedies on behaviour are analysed like the effects of prices.

343 This is emphasised by Ejan Mackaay in his analysis of the economics of information and law (Economics of Information and Law, p. 4 especially endnote 10 with references to Posner). The problems of sociological studies in providing even a somewhat comprehensive model of the effects of laws has been addressed by one of the most influential Nordic sociolegal scholars Vilhelm Aubert in Rettens sosiale funksjon, p. 164.

with deterrent effects) goes a little further, but not much. A better understanding is needed in order to study the effects of regulation.

But neither is economics the silver bullet that explains the ways regulation affects behaviour. When analysing the effects of regulation the standard economic principles and assumptions about human behaviour used in the economic approach to law have to be lowered to the same level with arguments from other disciplines. The argument is not that the law and economic type of behaviour prediction is not valid³⁴¹. Empowered with the simple assumption that legal consequences (e.g., sanctions, rewards, liability, remedies) affect the implicit prices of actions³⁴², and accompanied with the mathematically precise theories (price theory and game theory) and empirically sound methods of economics (statistics and econometrics), the law-and-economics studies have been able to predict how people respond to changes in laws. It might be true that the economics provides a single best, even moderately comprehensive, theory of regulatory phenomena (especially legal) and human behaviour from which verifiable propositions can derived and that empirical studies tend to support³⁴³. As a method it is the most advanced and tested way of predicting the effects of regulation on behaviour and it has provided several important insights about the ways regulation influences behaviour.

The way regulation affects behaviour 143

344 Collins, Regulating Contracts, p. 7. This means that I do not tie myself down to normative law-and-economics which holds that legal norms must be formed in a way that maximum economic efficiency is fulfilled. The analysis of the effects of regulation is not the sole factor from which behavioural norms or justifications for their improvement are derived. However, in the descriptive sense law-and-economics can produce information about the effects of regulation that is useful in the evaluation of positive valid norms and different regulatory choices. A leading Finnish private law scholar Mika Hemmo in Vahingonkorvauksen sovittelu ja moderni korvausoikeus, p. 25-32, makes similar considerations in analysing the reliability of the information provided by law-and-economics research in revising tort doctrines.

345 Economics as a discipline has admitted its need to widen the basis for analysing human behaviour. The typical account of the standard economic principles according to which the economic approach to law analysis legal rules, i.e., that all human behaviour can be viewed as involving participants who maximise their utility from a stable set of preferences and accumulate an optimal amount of information and other inputs in a variety of markets, is currently being modified under the banner of behavioural law and economics in order to be able to “model and predict behaviour relevant to law with the above mentioned tools of economic analysis, but with more accurate assumptions about human behaviour, and more accurate predictions and prescriptions about law” (Jolls et al., A Behavioural Approach to Law and Economics, p. 1474 and 1476). With the insights from other disciplines about actual human behaviour currently being internalised into the economic approach, it is likely to be even a more useful tool for regulatory analysis.

But we are not concerned with the prediction of behaviour as such in this study. The analysis concerns more widely the ways regulation influences behaviour and the possibilities it has to guide behaviour related to the specific topic of secure software development. The quest for the ways regulation affects behaviour is even more interdisciplinary than law and economics. Economics is just a heuristic device in analysing the ways regulation affects behaviour, not a comprehensive method, as Hugh Collins has emphasised in his regulatory analysis of contracts and contracting³⁴⁴. In order to be able to comprehend the efficacy of regulation on this specific topic, the disciplinary basis has to be widened³⁴⁵. Overall, results and observations utilised in this study come from disciplines like political science, sociology, economics, policy analysis (especially implementation and evaluation

Regulating Secure Software Development 144

346 The necessary multidisciplinary approach in regulatory studies in general is emphasised by Baldwin and Cave in their basic study book Understanding Regulation, p. 1. Despite the usage of interdisciplinary material in this study, i.e., the adoption of a more external point of view to regulation that is more interested in the interaction between the regulation and the social practice that it seeks to alter, the internal aspect of the law that the legal scholarship employs plays an important role. The internal aspect to law and regulation is necessary to see how those functioning inside the regulatory system think about the social practices under regulation and how regulatory objectives are defined and implemented. This dimension is important for any critical assessment of the potential efficacy of regulation. The internal functioning of the regulatory system and the considerations of those functioning inside centrally shapes the effects regulation can have and influences its efficacy.

347 This has been presented as a starting point in studies about legislation or theory of legislation such as Tala, Lakien vaikutukset, p. 16 and 286, in basic textbooks on sociolegal studies such as Mathiesen, Rätten i samhället, p. 30, and in political studies and especially studies on policy tools such as Schneider and Ingram, Behavioural Assumptions of Policy Tools, p. 513-514, or Daintith, Law as Policy Instrument, p. 28. This is also the typical approach of legal philosophy and legal theory as explicated, e.g., by MacCormick,On Legal Decisions and their Consequences, p. 254, when he reminds us that “the law and rulings in law … are grounds for choice by people, and how people will choose to respond is always in some degree an open question”.

studies), legal theory, philosophy, management studies, software engineering, and information systems science³⁴⁶.

However, the path taken in economic analysis is correct; the concentration on the decision-making of small groups, such as individuals and firms. But there is no reason to adhere solely to the price theory or even to economics more generally. It is a widely accepted assumption in societal studies in law and regulation, that the effects are always caused by the actions of the objects of regulation (individuals, corporations, associations, institutions) that make the final decision to react (or not) to a specific regulation, or to redirect their actions or beliefs in the intended way (intended by the regulator)³⁴⁷. Regulation affects through the decisions and choices, either conscious or unconscious, made by its objects.

This means that a regulator can try to alter the behaviour of the addressees only by influencing their choices or desires in a decision-making process, in their practical deliberation (reasoning) on what to do or not to do. Regulation can only provide reasons for action

The way regulation affects behaviour 145

348 Schauer, Playing by the Rules, p. 128, makes this point in his philosophical examination of rule-based decision-making, while analysing the means by which prescriptive weight is added to the process of decision-making and how much difference does it make.

349 After all, calculated and negotiated non-compliance are common phenomena as pointed out by Terence Daintith in Law as Policy Instrument, p.

29, in relation to the economic sphere in his introductory essay to a larger collection of studies on the instruments used in the implementation of economic policy and the role of law as an instrument for implementation. This holds at least for the user perspective into the law explicated, e.g., by Hydén in Rättsregler, p. 22-23, as separated from the perspective of the judges and regulators more generally, the perspective used in legal education, whose conduct might be more constrained by the law and the rulings in law. The user of the law, i.e., the object of regulation, looks at the reality and her position in it, and concentrates on what the valid law means for her economic or social action. The focus is on the consequences that the law is expected to have on the practiced area. The law is a strategic variable that sometimes leaves more or less discretionary power. Basically, the law is seen a risk that has to be managed on the basis of some type of more or less conscious cost-benefit calculation.

350 This has been explicated, e.g., by H.L.A. Hart in The Concept of Law, p. 124.

351 Raz, On the Functions of Law, p. 281.

or inaction (i.e., incentives); an individual can always choose not to comply with the provision and to suffer the consequences. As Frederick Schauer notes, “…the way in which and the extent to which, if at all, rules become a part of a decisional process is ultimately determined by the decision-maker alone”³⁴⁸. There are differences in the level of discretion included in the regulation, but in the end, the individual always makes the final decision³⁴⁹.

Philosophy of law provides an explanation of the way legal norms guide behaviour. In the traditional understanding, legal norms guide behaviour by providing and communicating a general standard of conduct that makes it possible for the addressees to evaluate their behaviour in a specific situation without further direction³⁵⁰. However, as Raz points out, not even the recognition that standards provided by regulation serve as basis for evaluation for individuals when they make decisions on how to act clarifies the way the guiding function is performed³⁵¹. Neither does it distinguish between the various modes in which the law can and does guide behaviour. According to Joseph Raz the only way in which laws can guide behaviour is by adding to

Regulating Secure Software Development 146

352 Raz in On the Functions of Law, p. 281-283, provides this explanation as an adjustment and a clarification to the traditional legal theoretic view of how a legal norms guide behaviour.

353 As pointed out by Redondo in Reasons for Action and the Law, p. 1, in studying on the various roles the notion of reason for action plays in jurisprudence, some of the most prominent contributions to the concerns in contemporary philosophy about the idea of law-imposed duty and its relevance for action, such as Hart, Raz and von Wright, have their starting point the notion of

“reason for action”. According to them, the concept of reason is a necessary element for understanding the relationship between norm and action. Note that the very idea of a reason for action has generated an enormous literature in philosophy as pointed out by Schauer in Playing by the Rules, p. 112, with extensive references. By no means can I drawn on this literature in depth. This is left for further studies.

354 As Frederick Schauer, Playing by the Rules, p. 8, points out in a philosophical examination of rule-based decision-making, the force of rules in pressuring behaviour comes from the sanctions (positive or negative) that attach to following or violating rules, or from attitudes about rules held by the objects of regulation. Schauer concentrates not only on legal rules, but on regulative rules in general, be they used by formal institutions like churches and associations, or less formal social practices like morality and etiquette (Schauer, Playing by the Rules, p. 12).

By concentrating on the consequences attached to actions by regulation, I take a more restrictive approach than Schauer to the analysis of the ways in which regulation provides reasons for action. Not only punishment and reward affect

the natural consequences of actions the additional consequences provided by the law³⁵². These additional consequences affect the reasons for or against the performance of the actions³⁵³.

By applying this approach to regulation more widely we can see that regulation guides behaviour by communicating that consequences follow upon the performance of certain actions. The regulation makes the consideration of the consequences relevant to the desirability of the actions bringing them about. Basically the regulation provides additional reasons for performing or abstaining from certain actions that, at the same time, are incentives for the object of regulation to behave in a certain manner. When people make decisions to perform or abstain from certain action they now not only have to consider the natural consequences of their actions but also the additional consequences provided by the regulation.³⁵⁴

The way regulation affects behaviour 147

the reasons for action for Schauer, even though he does recognise their importance for most decision-makers; also other prudential considerations, like the role of rules as serving an important role in decisional simplification or the role of rules as providing reasons for action by virtue of the decision-maker’s distrust of her own capacities with respect to some family of decisions, and moral considerations, like the arguments for taking a rule to be a reason for action stemming from agreement with and willingness to cooperate in the system from which the rule emanates (e.g., the solution of Prisoner’s Dilemma or coordination problems), can influence individuals decision to treat an applicable rule as a reason action (Schauer, Playing by the Rules, p. 123-126).

However, as Schauer notes in Playing by the Rules, p. 123, by extending the consideration above sanctions and rewards, he adopts the perspective of the objects of regulation. Since these considerations are not provided by the rules themselves, they are excluded from the normative analysis in order to be able to see how normative guidance communicates itself into the behaviour of the objects of regulation.

355 According to this incentive approach, which is often studied as the opposite of traditional command-and-control regulation, the objects of regulation can be induced to behave in accordance with the public interest by the regulator imposing negative or positive taxes, or by deploying grants and subsidies from the public purse. (Baldwin and Cave, Understanding Regulation, p. 41-42)

356 Note the similarity to the economic analysis of the law. The mechanisms are basically the same. Different consequences generate different reasons for action similar to different prices providing different incentives for behaviour.

Only the consequences attached to action by regulation are widened.

Even though the conception of regulation (especially the law) as an incentive for changing behaviour is used especially and most forcefully in law and economics (implicit prices), and in regulatory studies in relation to the instruments that provide economic incentives³⁵⁵, it is applicable, and have for long been used, more widely.

Regulation (and especially law) as an instrument of public or private policy is built in the conception of regulation causing an effect on the behaviour of its addressees; regulation can be used to achieve certain desired goals. When the effects are caused through the decisions and choices of an object of regulation, what regulation can do is to provide reasons for action or inaction (i.e., either negative or positive incentives)³⁵⁶. It is not only economic incentives that the law or regulation provides; they provide reasons for performing or abstaining from a certain action in general.

Regulating Secure Software Development 148

357 The argument that rules often function as a reason for a person to act in some way is generally accepted in legal theory as pointed out by Mark Van Hoecke in Law as Communication, p. 76.

357 The argument that rules often function as a reason for a person to act in some way is generally accepted in legal theory as pointed out by Mark Van Hoecke in Law as Communication, p. 76.