Access the full text.
Sign up today, get DeepDyve free for 14 days.
Loading next page...
/lp/unpaywall/fear-uncertainty-and-dread-cognitive-heuristics-and-cyber-threats-K3H0Y3VyVH
- Publisher
- Unpaywall
- ISSN
- 2183-2463
- DOI
- 10.17645/pag.v6i2.1279
- Publisher site
- See Article on Publisher Site
Abstract
Advancesincybercapabilitiescontinuetocauseapprehensionamongthepublic.Withstatesengagingincyberoperations in pursuit of its perceived strategic utility, it is unsurprising that images of a “Cyber Pearl Harbor” remain appealing. It is crucial to note, however, that the offensive action in cyberspace has only had limited success over the past decade. It is estimatedthatlessthan5%ofthesehaveachievedtheirstatedpoliticalorstrategicobjectives.Moreover,onlyfivestates are thought to have the capabilities to inflict or threaten substantial damage. Consequently, this raises the question of what accounts for the continued sense of dread in cyberspace. The article posits that this dread results from the inap- propriate use of cognitive shortcuts or heuristics. The findings herein suggest that the lack of experience in dealing with cyberoperationsencouragesuncertainty,whichmotivatesdecision-makerstobasetheirjudgementsonpre-existing,and possibly incorrect, conceptions of cyberspace. In response, the article segues into potential solutions that can mitigate unsubstantiated dread towards cyberspace by peering into the role that attributes at the organizational level can play in temperingthepositionofindividuals.Thesuggestedconsiderationsarerootedintheinteractionsbetweenthemicroand macrolevelprocessesinformingjudgments,sensemaking,andultimately,mobilizingactions. Keywords cybersecurity;cyberthreats;dread;experiment;heuristics Issue Thisarticleispartoftheissue“GlobalCybersecurity:NewDirectionsinTheoryandMethods”,editedbyTimStevens(King’s CollegeLondon,UK). © 2018 by the authors; licensee Cogitatio (Lisbon, Portugal). This article is licensed under a Creative Commons Attribu- tion4.0InternationalLicense(CCBY). 1.Introduction the actual cost of cybercrime is much lower than that reported by the private sector or the media. Expound- OnFriday,May12,2017,theUnitedKingdom’sNational ing on this argument, Jardine (2015, 2017) notes that Health Service (NHS), Spain’s Telefonica, and other enti- maliciousactivityincyberspaceisfarlesslikelytooccur tieswereincapacitatedbytheWannaCrymalwarewhich when viewed relative to the growth of the domain and infected over 200,000 computers in nearly 150 coun- when vulnerable actors are disaggregated and studied tries (R. Goldman, 2017). In 2001, Code Red exploited in isolation. More closely related to this article, Maness vulnerabilities leading to the infection of over 300,000 and Valeriano’s (2016) study highlights that out of 68 computers(Perrone,2001).In2003,Slammerinitiateda stateswithcybersecurityprograms,onlyfive(5)demon- denial-of-serviceattackandstalledInternettrafficwhile stratedthe capability toinflict noteworthy damage. Fur- compromising approximately 75,000 computers within thermore,lessthan5%oftheseoperationshaveresulted tenminutes(Boutin,2003).Theseeventsreinforcenega- in behavioural changes on the part of the target as in- tiveperceptionstowardscyberthreats,yetoverstatethe tended by the aggressor. Consequently, this raises the scope of the problem. Anderson et al. (2013) note that question as to why dread continues to persist as a re- PoliticsandGovernance,2018,Volume6,Issue2,Pages61–72 61 sponse to cyber operations (Jarvis, Macdonald, & Whit- Given its coercive intent, aggressors failed to achieve ing,2017). their objectives despite the exploitation of these valu- Dread is defined in this article as the apprehension ablesystems (Iasiello,2013;Maness&Valeriano,2016). of the negative consequences of an event. This percep- Besidesitstechnologicalfragility,thedomain’sstrate- tion of dread in cyberspace is often attributed to in- gic value also enjoys attention (Dunn Cavelty, 2012). creasing technological dependence and the strategic ex- Specifically, its perceived offensive advantage reflected ploitation by state actors. The literature analyses this by its low cost of entry and the difficulty of defending phenomenonmainlythroughthelensofrationalchoice against aggressors is thought to serve as an equalizer theory,whileunderemphasizingindividualcognitivepro- within the international system (Lawson, 2013). For in- cesses(Dean&McDermott,2017;Edwards,Furnas,For- stance, the availability of tools stands in contrast with rest, & Axelrod, 2017; Gartzke & Lindsay, 2015). Conse- how hard it is to defend against aggressors. Conse- quently, this article explores dread in response to cyber quently, weaker powers may offset their material dis- operations as a reflection of heuristic usage resulting in advantage through cyberspace (Valeriano & Maness, sub-optimaljudgements. 2014). Moreover, offensive acts are thought to be eas- Using two vignette survey experiments, it forwards ierthandefensiveacts,furtheremboldeningaggressors three main arguments. First, the lack of experience and (Edwardsetal.,2017). the novelty of this threat generates an environment of No actor, however, has met its objectives by cyber uncertainty with respect to cyber operations (Gigeren- means alone (Iasiello, 2013). Its low cost of entry is pro- zer, 2008; Hafenbradl, Waeger, Marewski, & Gigeren- portionaltotheexpectedgains(Pytlak&Mitchell,2016; zer,2016;Kruglanski,Orehek,Dechesne,&Pierro,2010). Slayton, 2017). While disruptive events require minimal Second, judgmental errors that facilitate elevated levels effort, degradative operations demand substantial in- of dread are not suggestive of irrationality but rather vestmentsonthepartoftheaggressor.Thisisduetothe stem from the use of inappropriate cognitive strategies. organizational demands of an effective offensive cam- Finally,errorsmaybetemperedbyattributesdefinedat paignthatisoftenoverlookedinfavouroftechnological theorganizationallevel. considerations(Buchanan,2017;Rid&Buchanan,2015; Before proceeding with the rest of the article, it Slayton,2017).Consequently,thisweakensargumentsin shouldbenotedthattheresultsdonotservetoexplicitly favourofacyberoffensive-advantage.Inaddition,theev- identify the use of a specific heuristic. Rather, heuristic idencealsoillustratesrestraintonthepartofaggressors usage is inferred from the level of dread demonstrated with their actions occurring below thresholds that are byparticipantsandsuggeststhattheuseofthesestrate- likelytoresultinescalation(Valeriano&Maness,2015). giesinthiscontextmeritsfurtherinquiry. Despite its suggested exceptionalism, cyberspace remains subject to systemic, organizational, and ma- 2.FramingCyberThreats terial constraints such that operations have, thus far, achievedlimitedgains(Healey,2016;Iasiello,2013;Law- A cyber threat, in the context of this article, is an ex- son,2013;Sheldon,2014).Yetwhetheroneascribesitto pectation of harm to a political body through the mali- oneoralloftheabovereasons,empiricalevidencehas cious manipulation of cyberspace which reduces its ca- yet to account for the continued sense of dread (Jarvis pability to meet strategic, political, or economic objec- etal.,2017). tives (Creppell, 2011). While threat conceptualizations vary,thesearedependentonthedomain’stechnological 3.ACaseforCognitiveHeuristics characteristics.Increaseddependenceoncyberspaceel- evatesasociety’sexposuretopotentialthreats,andcon- Theprevioussectionsuggeststhatadegreeofirrational- sequently, the perception of dread brought by unfore- ity influences judgements vis-à-vis cyber operations. As- seenconsequences(Hansen&Nissenbaum,2009;Kuehl, suming the uniformity of the underlying technologies 2009). Furthermore, its growth coincides with Perrow’s and the move towards greater societal dependence, (2011)claimthatcomplexityandinterdependencyresult these deviations cannot be justified solely by techno- innormalaccidentsthatemergefromtheinherentchar- logical or systemic variations. A classical understand- acteristicsofsystems—compoundingattemptstosecure ing of rationality requires that decision-makers possess thedomain.Experience,however,hasprovenlessconse- knowledge of all possible alternatives. Such conditions quential.In2010,StuxnetaffectednearlyathirdofIran’s are rarely met and result in bounded rationality where nuclearcentrifuges;yetdamagedidnotexceedexpected individuals operate as satisfiers rather than optimizers operationalwear-and-tear(Lindsay,2013).Likewise,dis- (Dawes, 1979; De Neys, Rossi, & Houde, 2013; Kahne- ruption to segments of Ukraine’s power grid in 2015 re- man,2003;Thompson,Turner,&Pennycook,2011). quired the exploitation of interdependent systems but Extending this argument further, Savage (1972) la- only resulted in temporary disruption (Zetter, 2016). bels conditions of perfect information as small worlds, StuxnetdidnotresultinthediscontinuationoftheIranianNuclearProgrammeandtheUkraineattackdidnotshiftthebalanceoftheconflictinfavour ofRussia. Asimilarsenseofdreadhasoccurredinresponsetonoveltechnologies.Itiscrucialtonotethatcyberspaceisnotexceptionalinthiscase. PoliticsandGovernance,2018,Volume6,Issue2,Pages61–72 62 distinguishing these from large worlds where judge- ture this reality. Second, trust in automated systems to ments informed by rational choice cannot be presumed collect, identify, and model threats aggravate the prob- tobethecorrectresponse.Researchdemonstratesthat lemofoverfitting.Thesesystemsaredependentonpre- strategies that deviate from normative models are pre- existing signatures, the development of which is left to ferred when conditions with less than or almost per- individuals or organizations with a limited worldview fect information exist (Binmore, 2008). The resulting and are unable to capture the full spectrum of threats. less-is-moreeffectchallengestheconventionofrational Finally, efforts to reduce bias through increased infor- cognition and brought renewed interest to the concept mation sharing and exchange is problematic. The ex- ofheuristics. change of information is non-obligatory and active par- Gigerenzer and Gaissmaier (2011, p. 454) define ticipants share similarities in terms of technology and heuristics as a strategy that “ignores part of the infor- worldview. Moreover, the integrity of such information mation, with the goal of making decisions more quickly, cannotbeguaranteed. frugally,and/oraccuratelythanmorecomplexmethods”. Althoughtheclassicalapproachtoheuristicsemphasizes 4.2.LimitedExperience its propensity to generate sub-optimal judgements, sat- isfactory results are possible when the strategy exploits Cyberoperationsthatsignificantlyaffectastate’sstrate- thestatisticalcharacteristicsofthe informationenviron- gic interests or normal day-to-day life are rare. This in- ment (Gigerenzer, 2008; Kruglanski et al., 2010; Mar- frequency provides decision-makers with a limited sam- tignon&Hoffrage,1999). ple from which to generalize. Valeriano and Maness The information environment plays a crucial role in (2014), for instance, identified less than fifty (50) in- making judgements. Assuming that information is read- stances where cyber threats inflicted noticeable dam- ily available, the introduction of free parameters is un- agetocriticalinfrastructure.Judgementsemergingfrom problematic.This,however,israrelythecase.Mostenvi- these may not reflect reality. Furthermore, efforts to ronmentswhereinjudgementsconcerningfutureevents increase the availability of threat intelligence, as men- are crucial involve large worlds in which relevant infor- tioned above, may increase the volume of information, mation is unknown or uncertain and is derived from butnotnecessarilyitsquality. a small sample. The introduction of additional parame- In reference to Slovic’s (2016) model of risk percep- ters to improve fit risks the introduction of noise. Con- tion, events that are both uncertain and exhibit the po- sequently, normative strategies such as expected utility tential (real or imagined) for catastrophe increase the aredisadvantaged. level of dread. Translating this into the realm of politics, decision-makers operating in an uncertain environment 4.Cyberspace:AVeryLargeWorld withincompleteinformationtendtoover-estimaterisks associatedwitheventssuchasthethreatposedbyanad- Heuristicsmayoutperformnormativestrategiesinuncer- versarial state (Jervis, 2017). Note, however, that while tain environments. While it may be counterintuitive to research has shown that appropriate judgements may assertthatjudgementsregardingcyberspacearebestap- stillemergeusingheuristics.This,however,iscontingent proached through this frugal process, its characteristics on its fit with the existing information environment— arebetteralignedwiththenotionofalargeratherthan alsoknownasaheuristic’secologicalrationality(Gigeren- asmallworld. zer&Gaissmaier,2011). 4.1.AnUncertainDomain 4.3.ConstraintsonEcologicalRationality Cyberspaceisunpredictable.Whileitshistoryismarked While the characteristics of cyberspace make it an ideal by efforts to reduce uncertainty, these do not eradi- candidate for heuristic use, the selected heuristic must catetheeffectsofincreasedcomplexitythatlimitpredic- be able to exploit the environmental structures of un- tiveaccuracy.Consequently,thesignificanceofoffensive certainty,samplesize,redundancy,andvariabilityincue or defensive acts cannot be fully anticipated (Farrell & weights (Todd & Gigerenzer, 2012). The environmental Glaser,2017). structures of redundancy and variability in cue weights The growth of technologically-driven solutions does areofparticularinterestforthisarticle.Theformerrefers notabolishthechallengeofuncertainty.First,additional to the correlation between cues or the extent to which information does not translate to a generalizable view two or more sources of evidence are related to one an- ofthreats.Althoughcyberspaceoperatesonpre-defined other. For instance, to what extent does the ability to rules ,theinterconnectionbetweencomponentsvaries compromise the banking system in Country A indicate by function. Relying on public threat information gen- thevulnerabilityofthesamecountry’spowergeneration erated from a limited sample does not adequately cap- facilities? Relatedly, the variability of cue weights deter- The underlying components of cyberspace interact with the aid of pre-defined architectures (e.g., the Von Neumann architecture common to most modern-daycomputers)andprotocols(e.g.HypertextTransferProtocol,HTTP). Intheformofcrowd-sourcedthreatintelligencesuchastheOpenThreatExchange(OTX). PoliticsandGovernance,2018,Volume6,Issue2,Pages61–72 63 mines whether the relevance of these cues is normally 5.ExperimentalDesign distributed or skewed. Building on the previous exam- ple,towhatextentwouldCountryB’sbankingsystembe 5.1.OperationalizationandGeneralDesign vulnerable if that of Country A was exploited? Although heuristics have been proven to outperform more delib- To demonstrate the role of heuristics, the article im- erate strategies, the ability to discern these characteris- plements a 2×2 between-group vignette survey exper- tic is crucial for this task. Failure to do so results in eco- iment (Auspurg & Albanese, 2015; Rousseau & Garcia- logicallyirrationalstrategiesbeingselectedthat,inturn, Retamero,2007;Sniderman,2011).Thetreatmentisap- leadstoinappropriatejudgements.Whilefactorssuchas plied through the manipulation of Internal and External time-pressure,cognitiveresources,andpre-existingbias variablesthatreflectpositiveornegativeevents.Forthe hindertheabilitytoselectecologicallyrationalstrategies, purposes of this experiment, these events are cyber op- this article is interestedprimarily in the enabling roleof erations targeting a state’s power generation facilities. domainexpertisewithrespecttocyberspace(Kruglanski These are made to vary slightly with respect to their &Gigerenzer,2011). cause, impact, and time, and to reflect the uncertainty Although cyberspace appears monolithic to laymen, of the informational environment. Participants are also its inner workings are greatly segmented. Such abstrac- denied information regarding other events besides that tion is crucial to allow individuals to exploit its func- of a second state’s experience with a cyber operation. tionality for their professional or day-to-day tasks. How- These are meant to operationalize the concept of un- ever, attempts to explain its finer points have resulted certainty and limited experience which is crucial to the to the use of analogies that poorly explain the function- above framework. Furthermore, the countries depicted ingofthisdomainandwhichhaveresultedinmanymis- in the vignette are portrayed as being nearly identical conceptions amongst the public (Betz & Stevens, 2013; to one another in terms of their usage of cyberspace. E. Goldman & Arquilla, 2014). While simplification aids Nospecificinformationisprovidedregardingthespecific communication,itlimitstheabilitytoformsoundjudge- technologies used or how they vary. This is intended to mentswhichcouldotherwiseemergeinlightofabetter, stimulatetheparticipant’sknowledgeofcyberspaceand if not complete, understanding of cyberspace. Authors operationalizestheconceptsofredundancyandvariabil- suchasHansenandNissenbaum(2009)havecitedknowl- ity, which entails that those with greater knowledge of edgediscrepanciesbetweenexpertsandnon-expertsas the domain ought to be able to recognize the possible the source of alarmism over cyberspace. Similarly, a re- differences that may exist. These characteristics meant cent study of media articles covering cyber operations thatbothhypothesescouldbetested. has found no difference in how threats are perceived Before reading the vignette, participants responded between different states and those that occur domesti- to a set of questions to measures their trust in cy- cally (Jarvis et al., 2017). In the earlier example, if both berspace to act as a control for pre-treatment effects. power generation (Country A) and banking (Country B) The questionnaire is based on Jian, Bisantz and Drury’s usedidenticalsystemsandwereequallyvulnerablethen (2000) measure of trust in automated systems. This is heuristicssuchas“TaketheBest”wouldworkjustaswell, followedbythevignetteinwhichtheparticipantsarein- if not better, than more deliberate cognitive strategies structed to evaluate the extent to which they perceive (Gigerenzer, 2008). However, expertise gained through cyberspace as threatening. Threat is measured with a experience or formal training would prompt decision- 10-pointLikertscale. Thebaselinevalueisfive(5),which makers to recognize the differences between these sys- suggestsaneutralperceptionofthedomain. Higherval- tems resulting in the use of more ecologically rational ues indicate elevated levels of dread while lower values strategies. Taken collectively, questions concerning the reflectitsabsence. lack of experience and expertise towards cyber opera- The choice to operationalize the concept of dread tionsleadstotwokeypropositions: as the threatening (or not) nature of cyberspace is grounded in the vernacular understanding of a threat. (a)Hypothesis1:Limitedofexperiencewithcyberopera- A threat may be an indication of something impending tions creates an environment of uncertainty resulting in (e.g.threatofablackout).Inthecontextofthevignette, theuseofcognitiveheuristics. this is presented as the threat of the negative conse- quencesofacyberoperation.Analytically,thisisequiva- (b)Hypothesis2:Theabsenceofdomainknowledgeincy- lent to Slovic’s (2016) notion of dread which is viewed berspace prompts the selection of inappropriate heuris- as the apprehension of the negative consequences of ticsresultinginelevatedlevelsofdread. anactivity. TheLikertscaleisawidelyusedinstrumentformeasuringaparticipant’sattitudeinsurveyresearch.Formoreinformation,refertotheSageResearch Methodswebpage(Lavrakas,2008). Asthereisnoavailablebaselineastothe“appropriate”levelofdread,thisvaluewasdeemedappropriategiventheobjectivesofthestudy. AnInternet-basedplatformforrecruitingparticipantsspecificallyforresearch. PoliticsandGovernance,2018,Volume6,Issue2,Pages61–72 64 5.2.ParticipantRecruitment was performed. For this analysis, the effects on Trust (i.e. Positive, Negative, Neutral) was controlled for ParticipantswererecruitedthroughProlific .Whilecon- throughblocking. cerns regarding data quality from Internet sources per- The results of the experiment shows a significant sist, no significant difference has been found with re- Average Treatment Effect (ATE) due to the External, spect to experiments investigating cognitive processes F(1,114)=10.33andInternalF(1,114)=7.37treatments (Casler, Bickel, & Hackett, 2013; Crump, McDonnell, & as well the pre-existing level of Trust F(2,144) = 4 on Gureckis, 2013; Peer, Brandimarte, Samat, & Acquisti, Threat at the p < 0.05 level. A Post Hoc comparison 2017). Special care, however, is required as participants reveals that the main effects are significant at p < 0.05. are often less engaged with the experiment. Conse- The presence of an External event had a main effect of quently,twoattentioncheckquestionsareincludedsuch 1.34 on Threat. An Internal event, on the other hand, thatfailingonerequirestheremovalofaparticipant. had a main effect of 1.13. Finally, Trust had a signif- The participants consist of university students di- icant main effect of 1.27 between Positive and Nega- vided into two groups. The first are those pursuing de- tivegroups.Nosignificantinteractionswereobservedin grees in Computer Science and related disciplines while thisexperiment. the second are those who do not have the same ed- ucational background. The former represents “domain 6.2.Experiment2:DomainExperts experts” while the latter are viewed as “domain non- experts”.Participantsarethenrandomlyassignedtoone The second experiment recruited 166 participants. Of of four versions of the vignette. Given the absence of these, 22.29% (37) were female and the remaining methodologically similar research for this problem do- 77.71%(129)weremale.Issuesconcerningengagement main, the authors assumed a moderately large effect wereencounteredleadingtotheremovalof32.53%(54). size (f = 0.3). Consequently, a minimum sample size To ensure a balanced analysis, random samples were with appropriate statistical power (1 − 𝛽 = 0.8) was es- drawnbasedonthesizeofthesmallesttreatmentgroup timatedat90. Itoughttobenotedthattheresultscon- resultingin112sampleswithtwenty-eight(28)samples tainedhereinarevalidwithrespecttothesamplesused pertreatmentgroup. and are therefore not immediately generalizable. Repli- Analysis reveals that 50.89% (57) of participants be- cationsstudiesarenecessarybeforemoregeneralizable gan the experiment with a distrust of cyberspace while conclusionsaremade. the remaining 49.11% (55) indicated that they either trustedthedomainorheldnopreference.Themeanfor 6.ExperimentalResults Threat, however, does not suggest an elevated sense of dread (x = 5.71, baseline = 5.0). To determine the ef- 6.1.Experiment1:DomainNon-Experts fectofTrustandtheabsenceorpresenceofExternaland InternaleventsonThreat,ablockedfactorialANOVAwas Thefirstexperimentrecruited202participants.Ofthese, performed.Forthisanalysis,theeffectstoTrustwascon- 50.99% (103) were female and the remaining 49.01% trolledforthroughblocking. (99)weremale.Issuesconcerningengagementwereen- The analysis does not reveal a significant ATE of the counteredleadingtotheremovalof27.72%(56). Toen- Internal, or Trust treatments on Threat at the p < 0.05 sure a balanced analysis, random samples were drawn level .ExternalF(1,106)=2.72,p = 0.06,however,had based on the size of the smallest treatment group re- a barely significant main effect on Threat. A Post Hoc sultingin120sampleswiththirty(30)samplespertreat- comparison illustrates that there is no statistically sig- mentgroup. nificant difference across different treatment groups in Analysisrevealsthat65.9%(79)ofparticipantsbegan termsofThreatforthisgivenexperiment.Nosignificant the experiment with a distrust of cyberspace while the interactionsareobservedinthisexperiment. remaining 34.1% (41) indicated that they either trusted thedomainorheldnopreference.ThemeanforThreat, 7.GeneralDiscussion however, does not suggest an elevated sense of dread (x = 5.5,baseline=5.0). 7.1.Non-ExpertsandMotivatedReasoning To determine the effect of Trust and the absence or presence of External and Internal events on Threat, Theresultsindicatethatdreadisnotnoticeablyelevated a blocked factorial Analysis of Variance (ANOVA) for domain non-experts (x = 5.5). When comparisons The approximation that 90 participants are necessary to ensure that the findings were not simply the result of chance and that the treatment has resultedinavalidandobservableeffect. StudiesconcerningthelackofattentiononInternet-basedplatformssuggestthatattritioncanbeashighas50%.Aratelessthan30%exceedsexpec- tations(Peeretal.,2017). Acollectionofstatisticaltechniquesusedtoanalyzethedifferenceofmeansbetweengroups.Forfurtherinformation,refertoIntroductiontoAnalysis ofVariance(Turner&Thayer,2001). EffectSize(Cohen’sf):Trust =0.265;External =0.301;Internal =0.254. f f f EffectSize(Cohen’sf):Trust =0.206;External =0.187;Internal =0.136. f f f PoliticsandGovernance,2018,Volume6,Issue2,Pages61–72 65 are made between treatment groups, however, a differ- tion with this statement. The absence of a negative Ex- entpictureemerges.Treatmentgroupsexposedsolelyto ternal eventreinforces the benign nature of cyberspace External events(x = 5.7,p = 0.044)andthosethatex- asothercountrieswithseeminglysimilarcharacteristics perienced both External and Internal events (x = 6.7, have not encountered problems. Additionally, the simi- p = 0.0) reflect elevated and statistically significant lev- larity in the levels of Threat irrespective of Trust rules elsofdreadincomparisontothecontrol(x = 4.167). thelatteroutasasourceofassociation.Finally,thelack While the design of the experiment does not per- of difference between the level of Threat of this group mittheidentificationofspecificcognitiveheuristic,ital- andthatofthecontrolsuggeststhattheparticipantsper- lows one to infer the possible processes involved. For ceivethesituationasroutine. groupsinwhichnegativeExternalandInternaleventsoc- curred,theimageryofanextendedperiodofpowerloss 7.2.MotivatedReasoningandInappropriateStrategies experienced by a similar country is set in the memory of the participant. The participant is then informed of a The presence of motivated reasoning in the formation similareventtakingplaceintheirhypotheticalcountry— ofjudgementdoesnotnecessarilyresultinsub-optimal resulting in an emotional association between the two outcomes. The literature on motivated reasoning iden- events. This process of emotional association has been tifies two modes of thinking: accuracy-oriented and identified as a cornerstone of motivated reasoning in goal-oriented (Kunda, 1990; Taber, Lodge, & Glathar, which decision-makers strive to maintain cognitive con- 2001). The former assumes that individuals will engage sistency with respect to their existing beliefs (Jervis, in more deliberate and cognitively demanding process- 2017). Furthermore, these beliefs are self-reinforcing ing to reach the best conclusion. The latter, in contrast, withlaterexperiencesconfirmingorstrengtheningone’s motivatesindividualstomaintainpre-determinedbeliefs position on the matter (Holmes, 2015; Mercer, 2010; resulting in selective information processing which rein- Roach, 2016). Yet this association may not be depen- forcesexistingbiases. dentsolelyonthedebilitativeexperienceofathird-party. With respect to the article, the situation in the vi- TheexistinglevelsofTrustbyparticipantsmayhavealso gnetteisframedsuchthatitencouragesagoal-oriented playedarole. mindset.Participantsplaytheroleofanappointedelite For treatment groups experiencing only negative Ex- withnoapparentaccountabilitytothepublic.Moreover, ternal events,themeanofThreat was2.2pointshigher therearenoexplicitlystatedconsequencesthatmayre- for participants who distrusted cyberspace (p = 0.01). sult from bad judgement (Lerner & Tetlock, 1999). Fur- This similarity in direction between Trust and Threat thermore,thestereotypicaluseofExternal andInternal suggests an association between the two, which may events(aswellasTrust)suggestsanattempttomaintain have led participants to use the former to inform their pre-existingbeliefsbybuildingassociations(specifiedin judgements.Unfortunately,thisprocessisnotobserved the vignette or from past experience) to serve as refer- in cases where both External and Internal events are encepointstoassessthecurrentstateofcyberspace. negative in nature where the difference due to Trust is The representativeness heuristic is employed when only 0.8 points (p = 0.5). This does not discredit ear- makingjudgementsinuncertainenvironments.Whenin lierarguments. use, individuals resort to the comparison of salient fea- The level of dread may have been a manifestation tures exhibited by objects or events (Kahneman, 2011). ofmotivatedreasoning—theneedtobelieveinthedan- In the experiment, participants appear to draw similar- gers of cyberspace. But the emotional association may ities between their hypothetical country and others re- have been caused by the recency effect (Krosnick, Li, & gardingtheuseofcyberspaceanditscorrespondingvul- Lehman, 1990). When participants are asked to evalu- nerability as well as between the situation presented in ate the level of Threat, those exposed to negative Inter- thevignetteandtheirownpre-existingnotionsconcern- nal events begin their associated memory search with ingcyberspace(i.e.Trust). theirmostrecentexperience.IfanegativeExternalevent Acursoryevaluationofthevignetteencouragesread- had recently been shown, the recency effect could re- erstoidentifyandfindsimilaritiesbetweenthecountries sult in an association forming between the two. In its beingdiscussed.Bothhypotheticalcountriesinvestedin absence, participants would have to extend the search and enjoyed the economic benefits of ICT. For those of their stored memory which may include pre-existing that experienced negative External and Internal events, trustincyberspace. bothhadtheirpowerplantsaffectedtovaryingdegrees. The above process also accounts for the absence of A few assumptions may be made given these. First, ICT elevated levels of Threat (i.e. negative Internal event (and in turn cyberspace) is a monolithic and homoge- only). Prior to applying the Internal treatment, partic- nous construct. Second, all power plants that depend ipants are informed that “domestically, your country, on these technologies are vulnerable. Third, these vul- like others, occasionally experiences trouble with crim- nerabilities can easily be exploited. Finally, the conse- inals in cyberspace who target individuals and small quences of such a compromise are predictable. These to medium-sized enterprises for financial gain”. Conse- raise questions whether the redundancy and variability quently, it is possible that participants form an associa- of cues within the information environment were suffi- PoliticsandGovernance,2018,Volume6,Issue2,Pages61–72 66 cientlyrecognizedbytheparticipants.Failuretodosore- as a means of maintaining bias-prone beliefs. Although sults in the selection of ecologically irrational strategies findings are inconclusive, it opens the possibility of fur- andaccountsfortheobservedlevelofdread. therinquiryintothedecision-makingprocessesusedby As logical as these propositions may be, they fail experts.Pastresearchdemonstratesthatexpertsformu- to grasp certain realities. Indeed, cyberspace is by no latesoundjudgementswhileutilizingcognitiveshortcuts. means a homogenous entity. While these technologies This,however,isdependentonthepastinformationen- do share commonalities that allow for integration, they vironmentmatchingthepresent(Lau&Redlawsk,2001). retain enough individual characteristics to make each Thepastdecadehasseenthegrowthofmaliciousin- unique. For instance, while both Windows and Unix sys- terstateactivitiesincyberspace.Yettheaggressiveuseof temssharecommonprotocols,avulnerabilityinthefor- thesetechnologiesexistedlongbeforeeventsinEstonia mer is not necessarily shared by the latter. And even (i.e.2007).Thecontext,however,haschanged.Although if a vulnerability is found to exist, it is not a confirma- the participants in Experiment 2 are most likely aware tionofitsexploitability.Bothintentandcapabilitiesneed ofthesedevelopments,thebodyofknowledgetheypos- to exist for this to occur (Edwards et al., 2017; Mau- sessthroughtheirformaleducationwasdevelopedfrom rer, 2018). Absent an interested actor, a vulnerability combatingnon-stateactors .Whiletheauthorsarenot maycontinuetoexistwithoutanyfurtherrepercussions. arguing that the current mechanisms in place are insuf- Moreover, the successful exploitation of a vulnerabil- ficient, the possibility exists that they are not the most ity also depends on the capabilities of both parties in- efficientandmaylimittheabilityofstatestoact. volved.InthecaseofStuxnet,significantresourceswere The inconclusive results of the second experiment investedtoovercomethephysicalandtechnologicalbar- should not be treated as a failure. Rather, it serves to riers raised to secure the targeted systems. Finally, the inform future research how experiments involving do- consequences of such an interdependent and intercon- main experts ought to be designed. Specifically, it nar- nected system failing cannot be predicted beforehand rows the factors that may serve to influence the quality withabsolutecertainty(Perrow,2011). ofexpertjudgements. This depth of knowledge cannot be expected from the average participant in Experiment 1. This results 8.TemperingBiasandtheOrganization in uncertainty that prompts the use of the representa- tivenessheuristics.Theresultssuggestthatparticipants The findings demonstrate that decision-makers can re- attempted to find similarities between the events and sort to motivated reasoning when formulating judge- structurespresentedresultinginunsuitablestereotypes ments regarding cyberspace. These tendencies have im- being drawn between External and Internal events as plications in two related ambits: (a) the cost conse- well as between these and their personal experiences quences within the immediate context that decisions withcyberspace.Consequently,thebehaviourobserved mustbemade,and(b)considerationsfortemperingbias with non-experts confirms the assertions of Hypothe- tominimizecostconsequences. sis 1 that limited experience with cyber operations cre- atesanenvironmentofuncertaintythatpromptstheuse 8.1.ConsequencesforMobilizationduetoPerceptions ofheuristics. ofDread 7.3.ABriefNoteonDomainExperts The context in which judgements regarding cyberspace are made occur within specific institutional boundaries. Aswiththefirstexperiment,thelevelofdreadreflected Policiesareformedasaresultofjudgementsundertaken by experts does not appear to rise significantly above withinanorganizedcontext.Onthatnote,consequences the established baseline (x = 5.71). When treatment for this context are spread across two levels—the orga- groups are compared to the control, however, no statis- nization, and the state that the organization represents. ticaldifferenceisnoted.Thissuggeststhatexpertsmain- When decision-makers resort to intuitive thinking, the tain a consistent perceptionof cyberspaceregardlessof probability that their perception of dread relative to a thetreatmentprovided.Thisiscorroboratedbythefact specificcyberissueisreasonablycongruentwiththeac- thatneitherExternal,Internal,orTrusthadastatistically tuallevelofdreadvariesaccordingtothreelikelyscenar- significantimpactontheoutcome.Thissupportsthear- ios:(a)deflation,wheretheperceivedthreatislessthan gumentthatknowledgeableindividualswouldnotcreate the actual threat; (b) congruence, where the perceived inappropriate stereotypes and appears. Consequently, threat is congruent with the actual threat; and (c) infla- this supports Hypothesis 2 which asserts that domain tion, where the perceived threat is greater than the ac- knowledge would result in lower levels of dread given tualthreat. the use of appropriate heuristics. However, it does not Consequently,anyofthescenariosabovecanframe allowustoruleouttheuseofgoal-orientedmotivations the deployment of capabilities and tools in response to ThecurriculumusedtoteachInformationSecurityinComputerSciencedepartmentsisbuiltonpasteffortstocombathackingandcyber-crime.Frame- workssuchasthe(ISC) CommonBodyofKnowledge(Brecht,2017)areexamplesofthis.Whilesomeofthetechnicalconceptsareapplicabletostate actors,thepoliticalcontextmaybeuniqueandrequiresadditionalinsightsbeyondtheseframeworks. PoliticsandGovernance,2018,Volume6,Issue2,Pages61–72 67 an impending event in the cyberspace (Dunn Cavelty, findings reveal the recurring use of heuristics at the in- 2013). This has consequences for the resulting strategy dividual level, which is critical because individuals who formobilization,whichinturncomeswithcostsincurred respondtocyberoperationsareassumedtobeinaposi- bytheorganization. tionof authority and able tomakedecisions which may, Asfarasconsequentmobilizationstrategiesarecon- in turn, have repercussions for the organizations and cerned,therearethreepossibilities.First,itcanoccurin states they represent. Indeed, judgments formed at the aformofaracetotheextentthatitmaybeintendedas individual level frame decisions, and in turn, incur cost anoffensiveposition.Second,itcanoccurinaformthat implicationsandrelatedrepercussionswithintheimme- meetstheminimumcapabilitiesnecessarytobeinapo- diate social context for which the decision-maker is un- sitionofdefence.Finally,itcanoccurinamannerwhere dertaking the decisions for. To this end, considerations base capabilities are developed for decreasing vulnera- forminimizingcostsattheorganizationallevelwhichem- bilitiesandincreasingresiliencetopotentialattacks.The anate from inaccurate judgments at the individual level underlying costs for the deployment of capabilities is a are inevitably linked with considerations for how micro- complex feat because approximating the symmetry be- levelprocessescontributetomacro-leveloutcomes. tween the perceived threat and the actual threat is not However, our findings are limited to the extent that alwaysoptimal.Anindividualmakingthejudgmentwho they do not consider the embeddedness of the individ- isatthesameinapositionofauthoritymayeitherover- ual within the organizational setting in undertaking de- estimate or underestimate the threat and could, there- cisions. Considering that decisions pertaining to cyber fore, impose material and immaterial costs for both the operations are undertaken within a context with insti- organizationandthestate. tutional boundaries, it is possible that the direction of Beyond theoretical assertions, the implications of effects of the inaccurate judgments on the organization (in)correctly providing security assessments ought to be doesnotoccurinonedirectionfromtheindividualtothe considered considering the pace at which states are de- organization.Instead,wepositthelikelihoodthattheor- velopingtheirrespectivecybercapabilities.Whilecongru- ganizationswhichindividualsrepresentalsopossesscer- ence has long been the desired state, the inherent char- tainattributesthatcanmodulateindividualbiases.Inthe acteristics of the domain compounds the persistent dif- study of organizations, these micro-macro process con- ficulty of assessing an adversary’s intent and capabilities siderations during uncertain contexts such as cyber op- (Buchanan,2017).Theessentialsecrecythatobscuresca- erationsarereminiscentofsensemakingwithinorganiza- pabilitiesincyberspacegeneratesuncertaintyonthepart tions (Weick, Sutcliffe, & Obstfeld, 2005), and how insti- ofassessorstates.Intheabsenceofknowledgeregarding tutionsenterthemeaning-makingprocessesofindividu- apotentialadversary’struecapabilities,statesareleftto alsincriticaltimes(Weber&Glynn,2006). form judgements based on past behaviour; judgements Sensemaking is broadly defined as a process by whichmay,inthemselves,besubjecttobias. which people seek to make plausible sense of ambigu- Interestingly,theneedforinsightintoapotentialad- ous, equivocal, or confusing issues and events (Brown, versary’scapabilitiesmayitselfleadtogreaterinstability. Colville, & Pye, 2015; Maitlis & Sonenshein, 2010) so as Regardlessofwhetheracyberoperationismeantforin- to be able to mobilize an appropriate response (Weick telligencegatheringorasafirststepofalargeroffensive etal.,2005).Sensemakinghasbeenstudiedparticularly campaign,unauthorizedaccesstoasecuresystemisnec- within the context of crises and emergencies (Maitlis & essary. If discovered, the inherent characteristics of cy- Sonenshein, 2010; Weick, 1993) where individual mem- berspace do not permit the victim to determine which bers of an organization become suddenly faced with a ofthetwoobjectivesledtothisevent.Atthispoint,the situation that is difficult to approximate with certainty, victim’s own pre-existing beliefs may determine its po- while at the same time being constrained by both infor- tentialresponsewhichcouldrangefromatacitacknowl- mation and time, as well as having to provide an imme- edgementofroutine(andexpected)espionagetooneof diatejustifiableresponse.Giventhatthefindingsofthis anescalatoryspiral(Buchanan,2017). articleinfertheuseofheuristicsbyindividuals,itwould Consequently, the need for sufficient, if not optimal alsobeinterestingtoextendtheinvestigationregarding judgement, is mandatory on both sides of an interstate how intuitive judgements can be minimized during an interaction. Parties must temper pre-existing beliefs to overall sensemaking process that involves various cues avoid engaging in either provocative action (aggressor) from the organization that the individuals are a part of. orunnecessaryescalatoryresponses.Althoughtheesca- Note that sensemaking is a means by which individuals lation of hostilities into the physical domain is unlikely, are enabled to continuously stay in action amidst a dis- thedisruptionofcyberspacecarriespotentialandavoid- ruptiveshock(Weicketal.,2005)andtostayinaction,in- ablecosts. dividualsdrawfromcertain“frameworksincludinginsti- tutional constraints, organizational premises, plans, ex- 8.2.TemperingBiastoMinimizeUnnecessaryCosts pectations,acceptablejustificationsandtraditionsinher- itedfrompredecessors”(Weicketal.,2005).Incyberop- This, in turn, begs the question: how can bias be tem- erations,asmuchasindividualswithapositionofauthor- pered to minimize the likelihood of accruing costs? Our ityarticulateajudgment,itisalsoimportanttoconsider PoliticsandGovernance,2018,Volume6,Issue2,Pages61–72 68 theinstitutionalboundariesthatshapewaysinwhichde- fluence of bias, it increases the likelihood that assess- cisions are made. Empirically, it would be interesting to ments will be congruent to current realities. This mini- extendtheexperimentinacontextwhereindividualsare mizes the likelihood that costs will be incurred through exposed to interactions with other individuals with the the unnecessary development of capabilities or as the same organizational membership and see how such in- consequencesofescalationbetweenparties. teractions may either weaken or strengthen the extent Interstate interactions in cyberspace is an emergent ofecologicalrationalityincyberspaceoperations. phenomenonthatdemandsfurtheranalysis.Whileexist- Broadly,institutionsinfluencethesense-makingpro- ingtheoriesconcerningmaterialorsystemicconstraints cess (Weber & Glynn, 2006). These institutional in- have proven useful, it is necessary to move towards fluences are exerted concretely through various ways micro- and meso-level factors to better account for be- within the sensemaking process of the individual. For haviour in this man-made domain. To this end, this ar- example, institutions can affect individual sensemaking ticle contributes to the on-going discourse by providing through institutional policing, which may be embedded theinitialstepsneededtostrengthenthislineofinquiry. in the structural hierarchies and command-and-control approachesoftheorganization.Thiscanbeexploredby Acknowledgements considering how structure, templates, and other mani- festations of organizational control may affect the way WewouldliketothankDr.MargaritaPetrovaforallowing decision-makers in cyberspace make meaning. Sense- ustoconducttheinitialpilotstudyfortheseexperiments making can also be triggered by the institution through at the Institut Barcelona d’Estudis Internacionals (IBEI); interactions within groups that are oriented towards a theresultscontributedsignificantlytothedevelopment specific organizational goal. Cyberspace operations are of the experimental instruments. We would also like to presently deemed ubiquitous for purposes that involve extend our gratitude to Nadiya Kostyuk, Dr. Christopher policy of the state, where conventions regarding its use Whyte and the other members of the Digital Issues Dis- have yet to converge and be institutionalized. This has cussionGroup(DIDG)whoseinsightsallowedustobetter animplicationforthecompositionofgroupsinvolvedin frameourarguments. cyberspace operations, namely, those with positions of authoritytoenactcertainpoliciesrelatedtocyberspace ConflictofInterests have a variety of backgrounds and turf representations. Future research may thus investigate how group com- Theauthorsdeclarenoconflictofinterests. position, group dynamics, and group interaction among variousindividualswithspecifictypesofjudgmentsand References biases can influence collective sensemaking, and ulti- matelytempertheperceptionofdreadincyberspace. Anderson, R., Barton, C., Böhme, R., Clayton, R., Van Eeten, M., Levi, M., . . . Savage, S. (2013). Measur- 9.Conclusions ing the cost of cybercrime. In R. Böhme (Ed.). The economics of information security and privacy (pp. The phenomenon of dread in cyberspace is a conflu- 265–300):NewYork,NY:Springer. ence of the domain’s inherent characteristics and indi- Auspurg,K.,&Albanese,J.(2015).Factorialsurveyexper- vidual cognitive processes. The complex interdependen- iments.LosAngeles,CA:SAGE. cieswithinthedomaingenerateasignificantamountof Betz,D.J.,&Stevens,T.(2013).Analogicalreasoningand uncertainty regarding the consequences of cyber oper- cybersecurity.SecurityDialogue,44(2),147–164. ations aimed at disrupting its routine operations. While Binmore, K. (2008). Rational decisions. Princeton, NJ: preventivemeasuresmaybetakentoreduceitsimpact, PrincetonUniversityPress. its true scope cannot be determined beforehand. Con- Boutin, P. (2003). Slammed! Wired Magazine. Retrieved sequently,individualdecision-makers,particularlythose fromhttps://www.wired.com/2003/07/slammer lackingexperience,resorttosimilar(thoughpossiblyun- Brecht, D. (2017). The CISSP CBK domains: Information related) events to form judgements regarding the situ- andupdates.InfosecInstitute.Retrievedfromhttp:// ation at hand. This causes decision-makers fall into the resources.infosecinstitute.com/category/certifications trapoffindingcorrelationsbetweeneventswherenone -training/cissp/domains/#gref exist, resulting in the use of strategies that are deemed Brown,A. D., Colville, I., & Pye, A. (2015). Making sense ecologically irrational. In doing so, the resulting judge- ofsensemakinginorganizationstudies.Organization ments may either overestimate or underestimate the Studies,36(2),265–277. level of threat that can result in inappropriate policies Buchanan, B. (2017). The cybersecurity dilemma: Hack- whichcancomplicateexistinginterstaterelations. ing,trustandfearbetweennations.London:Hurst& Tomitigatetheseissues,organizationstowhichthese Company. individuals belong should take appropriate steps to en- Casler, K., Bickel, L., & Hackett, E. (2013). Separate but courage accuracy-oriented reasoning on the part of equal? A comparison of participants and data gath- decision-makers. While this does not eliminate the in- ered via Amazon’s MTurk, social media, and face-to- PoliticsandGovernance,2018,Volume6,Issue2,Pages61–72 69 facebehavioraltesting. ComputersinHumanBehav- 8th international conference on cyber conflict (pp. ior,29(6),2156–2160. 37–49).Tallinn:IEEE. Creppell, I. (2011). The concept of normative threat. In- Holmes,M.(2015). Believingthis andalievingthat:The- ternationalTheory,3(3),450–487. orizing affect and intuitions in international politics. Crump, M., McDonnell, J. V., & Gureckis, T. M. (2013). InternationalStudiesQuarterly,59(4),706–720. Evaluating Amazon’s Mechanical Turk as a tool for Iasiello, E. (2013). Cyber attack: A dull tool to shape for- experimental behavioral research. PloS one, 8(3), eignpolicy.InK.Podins,J.Stinissen,&M.Maybaum e57410. (Eds.), 2013 5th international conference on cyber Dawes,R. M. (1979). The robustbeauty of improperlin- conflict(pp.451–470).Tallinn:IEEE. ear models in decision making. American Psycholo- Jardine, E. (2015). Global cyberspace is safer than you gist,34(7),571–582. think:Realtrendsincybercrime.Waterloo:Centrefor De Neys, W., Rossi, S., & Houde, O. (2013). Bats, balls, InternationalGovernanceInnovation. and substitution sensitivity: Cognitive misers are no Jardine,E.(2017).Sometimesthreerightsreallydomake happy fools. Psychonomic Bulletin & Review, 20(2), a wrong: Measuring cybersecurity and Simpson’s 269–273. paradox. Paper presented at the Workshop on the Dean, B., & McDermott, R. (2017). A research agenda EconomicsofInformationSecurity,LaJolla,CA. to improve decision making in cyber security policy. Jarvis, L., Macdonald, S., & Whiting, A. (2017). Unpack- Penn State Journal of Law & International Affairs, 5, ing cyberterrorism discourse: Specificity, status, and 29–164. scale in news media constructions of threat. Euro- Dunn Cavelty, M. (2012). The militarisation of cy- peanJournalofInternationalSecurity,2(1),64–87. berspace: Why less may be better. In C. Czosseck, R. Jensen, B., Maness, R. C., & Valeriano, B. (2016). Cy- Ottis, & K. Ziolkowski (Eds.), 2012 4th international bervictory:Theefficacyofcybercoercion.Paperpre- conferenceoncyberconflict(pp.1–13).Tallinn:IEEE. sented at the Annual Meeting of the International Dunn Cavelty, M. (2013). From cyber-bombs to politi- StudiesAssociation,Atlanta,USA. cal fallout: Threat representations with an impact Jervis, R. (2017). Perception and misperception in inter- inthecyber-securitydiscourse.InternationalStudies national politics. Princeton, NJ: Princeton University Review,15(1),105–122. Press. Edwards, B., Furnas, A., Forrest, S., & Axelrod, R. (2017). Jian, J.-Y., Bisantz, A. M., & Drury, C. G. (2000). Founda- Strategic aspects of cyberattack, attribution, and tions for an empirically determined scale of trust in blame. Proceedings of the National Academy of Sci- automated systems. International Journal of Cogni- ences,114(11),2825–2830.doi:1700442114 tiveErgonomics,4(1),53–71. Farrell, H., & Glaser, C. L. (2017). The role of effects, Kahneman, D. (2003). A perspective on judgment and saliencies and norms in US cyberwar doctrine. Jour- choice—Mappingboundedrationality.AmericanPsy- nalofCybersecurity,3(1),7–17. chologist,58(9),697–720. Gartzke,E.,&Lindsay,J.R.(2015).Weavingtangledwebs: Kahneman,D.(2011).Thinking,fastandslow.NewYork, Offense,defense,anddeceptionincyberspace.Secu- NY:Farrar,StrausandGiroux. rityStudies,24(2),316–348. Krosnick, J. A., Li, F., & Lehman, D. R. (1990). Conversa- Gigerenzer,G.(2008).Whyheuristicswork.Perspectives tional conventions, order of information acquisition, OnPsychologicalScience,3(1),20–29. and the effect of base rates and individuating infor- Gigerenzer, G., & Gaissmaier, W. (2011). Heuristic de- mation on social judgments. Journal of Personality cision making. Annual Review Of Psychology, 62, AndSocialPsychology,59(6),1140–1152. 451–482. Kruglanski, A. W., & Gigerenzer, G. (2011). Intuitive and Goldman,E.,&Arquilla,J.(2014).Cyberanalogies.Mon- deliberate judgments are based on common princi- terey:NavalPostgraduateSchool. ples.PsychologicalReview,118(1),97–109. Goldman, R. (2017). What we know and don’t know Kruglanski, A. W., Orehek, E., Dechesne, M., & Pierro, A. about the international cyberattack. The New York (2010).Layepistemictheory:Themotivational,cogni- Times. Retrieved from https://www.nytimes.com/ tive,andsocialaspectsofknowledgeformation.Social 2017/05/12/world/europe/international-cyberattack andPersonalityPsychologyCompass,4(10),939–950. -ransomware.html?_r=0 Kuehl, D. T. (2009). From cyberspace to cyberpower: Hafenbradl, S., Waeger, D., Marewski, J. N., & Gigeren- Defining the problem. In F. D. S. Kramer, Stuart H.; zer,G.(2016).Applieddecisionmakingwithfast-and- Wentz,Larry(Eds.),Cyberpowerandnationalsecurity frugalheuristics.JournalofAppliedResearchinMem- (pp.24–42).Dulles,VA:PotomacBooks. oryandCognition,5(2),215–231. Kunda,Z.(1990).Thecaseformotivatedreasoning.Psy- Hansen, L., & Nissenbaum, H. (2009). Digital disaster, chologicalBulletin,108(3),480–498. cyber security, and the copenhagen school. Interna- Lau, R., R., & Redlawsk, D. P. (2001). Advantages and tionalStudiesQuarterly,53(4),1155–1175. disadvantages of cognitive heuristics in political de- Healey,J.(2016).Winningandlosingincyberspace.InN. cision making. American Journal of Political Science, Pissanidis, H. Rõigas, & M. Veenendaal (Eds.), 2016 45(4),951–971. PoliticsandGovernance,2018,Volume6,Issue2,Pages61–72 70 Lavrakas, P. J. (2008). Likert scale. Sage Research Meth- experimental study. Journal of Conflict Resolution, ods. Retrieved from http://methods.sagepub.com/ 51(5),744–771. reference/encyclopedia-of-survey-research-methods Savage, L. J. (1972). The foundations of statistics. New /n273.xml York,NY:DoverPublications. Lawson, S. (2013). Beyond cyber-doom: Assessing the Sheldon,J.B.(2014).Geopoliticsandcyberpower:Why limits of hypothetical scenarios in the framing of geography still matters. American Foreign Policy In- cyber-threats. Journal of Information Technology & terests,36(5),286–293. Politics,10(1),86–103. Slayton,R.(2017).Whatisthecyberoffense-defensebal- Lerner,J.S.,&Tetlock,P.E.(1999).Accountingfortheef- ance?Conceptions,causes,andassessment.Interna- fectsofaccountability.PsychologicalBulletin,125(2), tionalSecurity,41(3),72–109. 255–275. Slovic, P. (2016). The perception of risk. New York, NY: Lindsay,J.R.(2013).Stuxnetandthelimitsofcyberwar- Earthscan. fare.SecurityStudies,22(3),365–404. Sniderman,P.M.(2011).Thelogicanddesignofthesur- Maitlis, S., & Sonenshein, S. (2010). Sensemaking in cri- vey experiment. In J. N. Druckman, D. P. Green, J. sis and change: Inspiration and insights from We- H. Kuklinski, & A. Lupia (Eds.), Cambridge handbook ick (1988). Journal of Management Studies, 47(3), ofexperimentalpoliticalscience(pp.102–114).New 551–580. York,NY:CambridgeUniversityPress. Maness,R.C.,&Valeriano,B.(2016).Theimpactofcyber Taber, C. S., Lodge, M., & Glathar, J. (2001). The moti- conflict on international interactions. Armed Forces vatedconstructionofpoliticaljudgments.InJ.H.Kuk- &Society,42(2),301–323. linski (Ed.), Citizens and politics: Perspectives from Martignon, L., & Hoffrage, U. (1999). Why does one- politicalpsychology(pp.198–226).Cambridge:Cam- reasondecisionmakingwork?InG.Gigerenzer,P.M. bridgeUniversityPress. Todd, & T. A. R. Group (Eds.), Simple heuristics that Thompson,V.,Turner,J.A.,&Pennycook,G.(2011).Intu- make us smart (pp. 119–140). New York, NY: Oxford ition, reason, and metacognition. Cognitive Psychol- UniversityPress. ogy,63(3),107–140. Maurer, T. (2018). Cyber mercenaries: The state, hack- Todd, P., & Gigerenzer, G. (2012). Ecological rationality: ers, and power.NewYork,NY:CambridgeUniversity Intelligence in the world. New York, NY: Oxford Uni- Press. versityPress. Mercer, J. (2010). Emotional beliefs. International Orga- Turner, J. R., & Thayer, J. F. (2001). Introduction to anal- nization,64(1),1–31. ysis of variance: Design, analysis, & interpretation. Peer,E.,Brandimarte,L.,Samat,S.,&Acquisti,A.(2017). ThousandOaks,CA:SagePublications. Beyond the Turk: Alternative platforms for crowd- Valeriano,B.,&Maness,R.C.(2014).Thedynamicsofcy- sourcing behavioral research. Journal of Experimen- berconflictbetweenrivalantagonists,2001–11.Jour- talSocialPsychology,70,153–163. nalofPeaceResearch,51(3),347–360. Perrone, J. (2001). Code Red worm. The Guardian. Re- Valeriano, B., & Maness, R. C. (2015). Cyber war versus trieved from https://www.theguardian.com/world/ cyberrealities:Cyberconflictintheinternationalsys- 2001/aug/01/qanda.janeperrone tem.Oxford;NewYork,NY:OxfordUniversityPress. Perrow, C. (2011). Normal accidents: Living with high Weber, K., & Glynn, M. A. (2006). Making sense with in- risktechnologies.Princeton,NJ:PrincetonUniversity stitutions:Context,thoughtandactioninKarlWeick’s Press. theory.OrganizationStudies,27(11),1639–1660. Pytlak, A., & Mitchell, G. E. (2016). Power, rivalry, and Weick, K. E. (1993). The collapse of sensemaking in cyber conflict: An empirical analysis. In K. Friis & J. organizations—TheMannGulchdisaster.Administra- Ringsmose(Eds.),Conflictincyberspace:Theoretical, tiveScienceQuarterly,38(4),628–652. strategicandlegalperspectives(pp.65–82).London: Weick,K.E.,Sutcliffe,K.M.,&Obstfeld,D.(2005).Orga- Routledge. nizingandtheprocessofsensemaking.Organization Rid, T., & Buchanan, B. (2015). Attributing cyber attacks. Science,16(4),409–421. JournalofStrategicStudies,38(1/2),4–37. Zetter, K. (2016). Inside the cunning, unprecendented Roach,S.C.(2016).Affectivevaluesininternationalrela- hack of Ukraine’s power grid. Wired Magazine. tions:Theorizingemotionalactionsandthevalueof Retrieved from https://www.wired.com/2016/03/ resilience.Politics,36(4),400–412. inside-cunning-unprecedented-hack-ukraines-power Rousseau, D. L., & Garcia-Retamero, R. (2007). Iden- -grid tity, power, and threat perception—A cross-national PoliticsandGovernance,2018,Volume6,Issue2,Pages61–72 71 AbouttheAuthors Miguel Alberto Gomez is Senior Researcher with the Center for Security Studies (CSS) at the ETH in Zurich and is a doctoral candidate at the School of Law and Politics at Cardiff University. His current researchfocusesonpoliticalpsychologyanditsimplicationsforthecoerciveuseofcyberpower. EulaBiancaVillarisaResearcherandPhDCandidateattheDepartmentofBusinessandTechnologyin LaSalleUniversitatRamonLlullinBarcelona,Spain.ShewasagrantrecipientoftheEuropeanUnion Marie Curie Fellowship for the project “A Networked and IT-Enabled Firm’s Approach to Crisis Man- agement”.Herresearchfocusesonorganizingprocessesinextremeenvironments. PoliticsandGovernance,2018,Volume6,Issue2,Pages61–72 72
Journal
Politics and Governance – Unpaywall
Published: Jun 11, 2018