Professional Documents
Culture Documents
https://doi.org/10.1093/cybsec/tyab019
Research paper
Research paper
Abstract
Does exposure to cyberattacks influence public support for intrusive cybersecurity policies? How
do perceptions of cyber threats mediate this relationship? While past research has demonstrated
how exposure to cyberattacks affects political attitudes, the mediating role played by threat percep-
tion has been overlooked. This study employs a controlled randomized survey experiment design
to test the effect of exposure to lethal and nonlethal cyberattacks on support for different types
of cybersecurity policies. One thousand twenty-two Israeli participants are exposed to scripted
and simulated television reports of lethal or nonlethal cyberattacks against national infrastructure.
Findings suggest that exposure to cyberattacks leads to greater support for stringent cybersecurity
regulations, through a mechanism of threat perception. Results also indicate that different types of
exposure relate to heightened support for different types of regulatory policies. People exposed to
lethal cyberattacks tend to support cybersecurity policies that compel the government to alert citi-
zens about cyberattacks. People who were exposed to nonlethal attacks, on the other hand, tend to
support oversight policies at higher levels. More broadly, our research suggests that peoples’ will-
ingness to accept government cybersecurity policies that limit personal civil liberties and privacy
depends on the type of cyberattacks to which they were exposed and the perceptions associated
with such exposure.
Key words: cyberattacks, cybersecurity, cybersecurity policies, threat perceptions
In recent years, the increase in civilian exposure to cyberattacks a delicate tradeoff between security and privacy. In some ways,
has been accompanied by heightened demands for governments privacy is seen as an adequate cost of enhanced personal and
to introduce comprehensive cybersecurity policies. These demands societal security in the face of novel threats. However, the public
peaked in the aftermath of the 2021 Colonial Pipeline and Solar- has grown increasingly sensitive to the importance of online privacy,
Winds cyberattacks, where the US government’s lack of access to and is keenly aware of the ethical, political, legal, and rights-based
cybersecurity information in critical industries wrought havoc on the dilemmas that revolve around government monitoring of online
country’s national and economic security. In the aftermath of these activity and communications [7, 8].
attacks, lawmakers and the public exhibited newfound enthusiasm The debate on digital surveillance centers on how and whether
for legislation that would mandate cyberattack reporting by private authorities should gain access to encrypted materials, and raise key
enterprises—accelerating a regulatory trend that has existed for questions concerning the extent of state interference in civic life, and
several years [1]. In 2020, for example, 40 US states and territories the protection of civil rights in the context of security. Yet what lies
introduced more than 280 cybersecurity related bills and resolutions at the heart of this willingness to accept government policies and reg-
[2, 3]. A similar process has taken place in Europe [4] and in Israel ulations that limit personal civil liberties and privacy via increasing
[5, 6]. public demand for government intervention in cybersecurity? Does
The public willingness to accept government policies and reg- exposure to different types of cyberattacks lead to heightened sup-
ulations that limit personal civil liberties and privacy is part of port for different types of regulatory policies? And does the public
C The Author(s) 2021. Published by Oxford University Press. This is an Open Access article distributed under the terms of the Creative Commons Attribution License 1
(http://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited.
2 Snider et al.
differentiate between interventionist and regulatory forms of cyber- against financial institutions resulting in colossal financial losses and
security policies? the capture of personal information relating to hundreds of millions
To test these questions, we ran a controlled randomized survey of people [13]. Cyberattacks executed by terror organizations are a
experiment that exposed 1022 Israeli participants to simulated video newer phenomenon, albeit one that has captured the popular imag-
news reports of lethal and nonlethal cyberattacks. We argue that pub- ination. While terror organizations predominantly make use of cy-
lic support for governmental cybersecurity measures rises as a result berspace for fundraising, propaganda, and recruitment [14, 15], a
of exposure to different forms of cyberattacks, and that perceived recent development has been the next-generation capacity of cyber
threat plays a mediating role in this relationship. More specifically, strikes to trigger lethal consequences, be it through first- or second-
we propose that exposure to initial media reports about cyberattacks order effects.1 We acknowledge that scholars have expressed some
is a key to the exposure effect, since at this time the threat is mag- skepticism about the likelihood of impending destructive cyberterror
nified and the public has minimal information about the identity of incidents [16–18], yet national security officials have regularly pre-
the attacker and the type of cyberattack that was conducted. Past dicted that lethal cyberattacks pose a "critical threat" [19]. In the last
a nuclear power plant… with the intent of threatening to conduct hind the 2017 WannaCry attacks, the 2016 cyber intrusion into the
cyber operations against the system in a manner that will cause sig- Democratic National Committee’s networks, and the 2016 cyberat-
nificant damage or death…” [30]. Even more recently, reports have tack against the Bowman Dam in New York [45–47]. While each of
acknowledged how cyberterror attacks could immobilize a country’s these incidents were eventually attributed to an attack source, and the
or region’s electrical infrastructure [31], disable military defense sys- authorities may well have known the identity of the attacker from an
tems [32], and even imperil nuclear stability [33]. While there is a early date, we can see that from the perspective of the public, there
difference between capability and intent, and we acknowledge that was a time lag of several months or years before a name was attached
physically destructive cyber threats have remained scarce until now, to any attack. Third, state involvement in cyberattacks—either as a
understanding how civilians respond to such digital cyberattacks will direct attacker or via proxies—can add substantial background noise
become particularly important as the threat matures. to the perception of an attack, raising the specter of interstate war.
Studies that directly investigated exposure to digital political vio- There is an interesting debate in the literature about whether states
lence found that exposure had significant effects on political behavior may be deemed capable of conducting cyberterrorism—or whether
perception was found to mediate the relationship between exposure Lethal Cyber Condition—The television news report described
to violence and support for harsh or restrictive policies, especially in various cyberattacks with lethal consequences that had targeted Is-
conflict-related contexts [27]. Extending this empirical and theoreti- rael during the previous years. For example, in one of the featured
cal evidence to digital political violence suggests that individuals are stories, an attack was revealed to have targeted the servers control-
likely to respond similarly to cyber threats by supporting strong cy- ling Israel’s electric power grid, cutting off electricity to a hospital and
bersecurity policies through the interceding influence of heightened causing deaths. In another story, cyber operatives were said to have
threat perception. attacked a military navigation system, altering the course of a missile
A set of early studies compared the level of threat evoked by ex- so that it killed three Israeli soldiers. A third story concerned the use
posure to different forms of cyber threats, identifying key differences of malware to infect the pacemaker of the Israeli Defense Minister,
in the how cybercrime and cyberterrorism influenced attitudes to- and a fourth involved the failure of an emergency call to 10 000 mil-
ward government policy [34, 36]. These studies concluded that direct itary reserve soldiers due to a cyberattack in which foreign agents
exposure to cyberterrorism had no effect on support for hardline cy- changed the last digit of the soldiers’ telephone numbers in the mil-
–0.015(0.035)[–0.101, 0.046]
–0.033(0.033)[–0.117, 0.017]
–0.040(0.033)[–0.127, 0.024]
0.016(0.030)[–0.063, 0.064]
–0.043(0.037)[0.030, 0.077]
0.050(0.031)[–0.030, 0.095]
0.015(0.033)[–0.075, 0.066]
structed an integrative path analysis model [53]. Running this model
enables us to identify direct and indirect effects among all the study
0.087∗∗∗ (0.018)
variables. We provide modeling results in the following Table 1 and
an illustration of the path analysis model in Fig. 1.
CPP (Y3 )
coefficients) of each experimental group vis-à-vis the control group
(i.e. NLC vs control, and LC vs control), perceptions of threat, past
exposure to cyberattacks and socio demographic variables—gender,
religiosity, education and political ideology—with the three dimen-
–0.005(0.030)[–0.083, 0.035]
–0.024(0.034)[–0.105, 0.035]
–0.027(0.031)[–0.104, 0.022]
0.088∗∗ (0.031)[0.004, 0.137]
0.010(0.031)[–0.070, 0.060]
0.027(0.033)[–0.063, 0.082]
the lethal and nonlethal conditions to the control group, we find a
larger direct effect in the LC (lethal) group compared with the NLC
0.074∗∗∗ (0.015)
(nonlethal) group in predicting support for CAP.
A follow-up that compared the two regression weights further
COP (Y2 )
exposed to lethal cyberattacks tended to support cybersecurity poli-
cies that compel the government and security forces to alert citizens if
they have evidence of citizens’ computers being hacked or if an act cy-
berattack is discovered (CAP) at higher levels than people who were
exposed to nonlethal/economic cyberattacks compared with people
in the control group.
–0.012(0.030)[–0.088, 0.036]
–0.044(0.036)[–0.137, 0.013]
0.072∗ (0.032)[–0.011, 0.126]
–0.028(032)[–0.124, –0.028]
Standard error in parentheses; ∗ P < 0.05, ∗∗ P < 0.01, ∗∗∗ P < 0.001. NLC = non-ethal cyberattack; LC = lethal cyberattack.
Interestingly, this trend was reversed for the oversight policies
0.050(0.032)[–0.025, 0.106]
(COP) form of cybersecurity regulation. Here, we identified a signif-
0.047∗∗∗ (0.014)
icant direct effect wherein exposure to nonlethal cyberattacks led to
support for oversight policies (COP) at higher levels than respondents
Beta (S.E.) [95% CI]
Mediating effects
Table 2 presents the indirect effects of each of the two treatment
conditions in comparison to the control group for the three dimen-
sions of cybersecurity policies—with threat perception as a mediator.
The indirect effects are pathways from the independent variable to
the policy variables through threat perceptions. In the path analysis
model, each dependent variable, i.e. support for particular cybersecu-
rity policies, could have two potential paths, one from the nonlethal
NLC/Control (X1 )
Political ideology
LC/Control (X2 )
condition and the one from the lethal condition. Altogether, six me-
Past exposure
Religiosity
Education
port. This means that for those participants who were exposed to the
Cyberattacks, cyber threats and attitudes toward cybersecurity policies 7
CAP
Mediation 1 NLC/Control (X1 ) Threat CAP 0.026∗∗∗ ; 0.008 [0.010, 0.042]
Mediation 2 LC/Control (X2 ) Threat CAP 0.033∗∗∗ ; 0.009 [0.015, 0.050]
COP
Mediation 3 NLC/Control (X1 ) Threat COP 0.041∗∗∗ ; 0.010 [0.020, 0.060]
Mediation 4 LC/Control (X2 ) Threat COP 0.052∗∗∗ ; 0.011 [0.028, 0.071]
CPP
Mediation 5 NLC/Control (X1 ) Threat CPP 0.045∗∗∗ ; 0.011 [0.021. 0.066]
Mediation 6 LC/Control (X2 ) Threat CPP 0.056∗∗∗ ; 0.011 [0.030, 0.077]
Standard error in parentheses; ∗ P < 0.05, ∗∗ P < 0.01, ∗∗∗ P < 0.001. In squared brackets 95% confidence interval with bias correction bootstrapping (n = 2000).
akin to national security and espionage discussions—has typically encourage future studies to corroborate these findings in different
taken place without public input due to the perception that it is a settings.
question best left to experts with engineering or national security A second area where our findings could benefit from additional
expertise [81]. Scholars argue that this complete abdication of cyber- research relates to the nature of the media exposure. In this study, we
security policy to specialists is a profound mistake, since excluding exposed respondents to "initial" media reports about major cyberat-
“the general public from any meaningful voice in cyber policymaking tacks where there is minimal information pertaining to the identity
removes citizens from democratic governance in an area where our of the attacker and the type of attack that was conducted. While this
welfare is deeply implicated” [82]. Functional cybersecurity relies on in many ways reflects the reality of media reports about cyberattacks,
good practices by the ordinary public, and the failure of cybersecu- it does not discount that journalists will sometimes make inferences
rity awareness campaigns to effectively change behavior may well be about the details of an attack, and that later reports in the days and
linked to the lack of public input in its regulation [81]. Our findings weeks following an attack will include far more detailed information.
indicate that growing civilian exposure to cyberattacks leads to more More so, this article bears implications for a wide literature beyond
https://www.heritage.org/defense/report/the-alarming-trend-cyberse 33. Gross ML, Canetti D, Vashdi DR. Cyberterrorism: its effects on psycho-
curity-breaches-and-failures-the-us-government-continues (17 April logical well-being, public confidence and political attitudes. J Cybersecur
2020, last accessed). 2017;3:49–58.
9. Lee JK, Chang Y, Kwon HY. et al. Reconciliation of privacy with 34. Backhaus S, Gross ML, Waismel-Manor I. et al. A cyberterrorism effect?
preventive cybersecurity: the bright internet approach. Inf Syst Front Emotional reactions to lethal attacks on critical infrastructure. Cyberpsy-
2020;22:45–57. chol Behav Soc Netw 2020;23:595–603.←
10. Nye JS. Nuclear lessons for cyber security? Strateg Stud Q 2011;5:18–38. 35. Gross ML, Canetti D, Vashdi DR. The psychological effects of cyber-
11. Annual number of data breaches and exposed records in terrorism. Bull At Sci 2016;72:284–91.
the United States from 2005 to 2018 (in millions). Statista. 36. Canetti D, Gross ML, Waismel-Manor I. Immune from cyber-fire? The
https://www.statista.com/statistics/273550/data-breaches-recorded- psychological & physiological effects of cyberwar. In: Allhoff F, Henschke
in-the-united-states-by-number-of-breaches-and-records-exposed (26 A, Strawser BJ (eds). Binary Bullets: The Ethics of Cyberwarfare. Oxford:
February 2019, last accessed). Oxford University Press, 2016, 157–76.
12. For big banks, it’s an endless fight with hackers The Business Times , 37. Canetti D, Gross ML, Waismel-Manor I. et al. How cyberattacks terror-
30 July 2019. https://www.businesstimes.com.sg/banking-finance/for-big ize: Cortisol and personal insecurity jump in the wake of cyberattacks.
58. Shoshani A, Slone M. The drama of media coverage of terrorism: 74. Castanho Silva B. The (non)impact of the 2015 Paris terrorist attacks on
emotional and attitudinal impact on the audience. Stud Confl Terror political attitudes. Pers Soc Psychol Bull 2018;44:838–50.
2008;31:627–40.← 75. Brandon SE, Silke AP. Near- and long-term psychological effects of ex-
59. Huddy L, Smirnov O, Snider KL. et al. Anger, anxiety, and selective expo- posure to terrorist attacks.← In: Bongar B, Brown LM, Beutler LE al. et
sure to terrorist violence. J Confl Resolut 2021:00220027211014937.← (eds). Psychology of Terrorism. Oxford: Oxford University Press 2007,
60. Greenberg J, Pyszczynski T, Solomon S. The causes and consequences of 175–93.
a need for self-esteem: a terror management theory. In: Public Self and 76. Pfefferbaum B, Nixon SJ, Krug RS. et al. Clinical needs assessment of mid-
Private Self. New York, NY: Springer, 1986, ←212–189. dle and high school students following the 1995 Oklahoma City bombing.
61. Hall BJ, Hobfoll SE, Canetti D. et al. The defensive nature of benefit find- Am J Psychiatry 1999;156:1069–74.←
ing during ongoing terrorism: an examination of a national sample of 77. Galea S, Vlahov D, Resnick H. et al. Trends of probable post-traumatic
Israeli Jews. J Soc Clin Psychol 2009;28:993–1021.← stress disorder in New York City after the September 11 terrorist attacks.
62. Canetti D, Hall BJ, Rapaport C. et al. Exposure to political violence and Am J Epidemiol 2003;158:514–24.←
political extremism. Eur Psychol 2013; 18:263–72 78. Landau MJ, Solomon S, Greenberg J. et al. Deliver us from evil: the ef-
63. McCallister E. Guide to Protecting the Confidentiality of Personally Iden-