Cybersecurity now stands at the top of the U.S. security agenda. As sources of cyber insecurity have proliferated, States and other stakeholders have increasingly turned to norms as the regulatory tool of choice, hoping to shape the behavior of diverse actors in this space. Proponents of cybernorms have so far focused on what the new norms should say and on what behaviors they should require or prohibit. They have paid little attention to how new norms would actually work — how they could successfully be constructed and the processes by which they would create desired effects. In other words, they have paid a lot of attention to the “cyber” component of cybernorms but very little attention to the “norms” component and the issues of how normativity actually works in the world. In this Article, we offer an inter-disciplinary analysis of the processes by which cybernorms might be constructed and some of the choices and trade-offs involved in doing so. We first situate the current discourse in the varying contexts surrounding cybersecurity. We define the norm concept and examine the diverse array of norms currently populating the landscape of cyberspace. We next draw on the rich body of work in social science about norm construction in other policy areas to understand how norms can be cultivated successfully and how they create effects, both intended and otherwise. Of course, if cyberspace is unique, lessons from other policy domains might not be applicable but we assess these arguments and find them unconvincing.