Against the widespread belief that public opinion is likely to panic in response to severe cybersecurity incidents, the relevant scholarship is putting this belief and the associated narratives into question. This analysis offers a brief overview of how public opinion approaches and responds to cybersecurity incidents.
It is fair to say that our understanding of how public opinion reacts to an incident in cyberspace has progressed significantly in the past few years. Contrary to previous assumptions, in which uncertainty and fear lead to a public reaction somewhere between panic and paralysis in the aftermath of cybersecurity incidents, current research points to an increased public knowledge about the limited societal or physical impacts of disruptive incidents. A greater knowledge undermines the narratives of securitisation that exaggerate the impact of incidents in the daily life of ordinary people. A better understanding of public reactions would help cybersecurity authorities to improve their communication and deterrence procedures about severe incidents.
Transcending panic and paralysis
Cybersecurity incidents that disrupt essential services or potentially contribute to the loss of life continue to reinforce narratives of the existential threat posed by malicious behaviour in and through this human-made space.1 Popular culture and high-profile incidents in recent years do little to curb the apparent validity of such claims. As observed by Jarvis, Macdonald & Whiting,2 these narratives frequently surface in the news despite limited evidence to support claims of wide-ranging damage following such cybersecurity incidents.
These depictions hinge on the idea that public opinion is inherently sensitive and likely to panic in response to severe cybersecurity incidents. As convincing as this argument may be, the public’s comprehension and response to cybersecurity incidents remains under-explored. More often than not, the argument that increases the societal dependence on these technologies is likely to invoke anxiety and dread among the public that malicious actors might exploit is readily accepted. Consequently, this leads some to assert the strategic potential of cyber operations.3
The depiction of public opinion following severe cybersecurity incidents often portrays it as panic-stricken and disempowered in the face of society-wide effects. Although popular media exaggerate such reactions for entertainment, there remains a grain of truth in these scenes. The potential for exaggerated reactions to severe cybersecurity incidents is rooted in: (1) the uncertainty of the environment; and (2) the rarity of severe cybersecurity incidents.
Cyberspace is a fundamentally uncertain environment owing to the underlying technology and interconnectivity that enables it. Uncertainty, in this case, refers to the ambiguity of the information rather than the lack of it.4 Information Communication Technologies (ICT), that constitute the basic component of cyberspace, are frequently characterised as being inherently vulnerable. For instance, an estimated 15 to 50 flaws are expected for every 1,000 lines of code.5 While not all of them are likely to result in catastrophic failure, complexity makes it difficult to predict precisely where and how failure will occur.6 These technologies build on one another for cyberspace to function and are selected primarily on the grounds of interoperability rather than security.7
Observations of public behaviour
While the idealised approach to understanding how the public responds to cybersecurity incidents is to observe behaviour following such an event, doing so consistently and rigorously is problematic given the nature of this phenomenon. However, recent experimental studies that utilise hypothetical cybersecurity incidents offer valuable insight that challenges commonly held notions surrounding the publics’ reactions to these events. Broadly, these studies note that: (1) anxiety is not pervasive vis-à-vis cyberspace; (2) it is not the sole emotion facilitating public behaviour; and (3) public opinion is not passive following a severe cybersecurity incident.
Although the narratives surrounding public reactions to cyberspace encouraged by popular culture often depict panic and anxiety following a severe cybersecurity incident, little to no empirical evidence offers support. For instance, Gomez & Whyte16 demonstrate that while repeated exposure to cybersecurity incidents causes an increase in negative emotions, it does not appear to be pronounced. Informing individuals of adverse events in cyberspace, on its own, did not appear to lead to elevated levels of concern relative to those who were informed of neutral events (i.e., the acquisition of one IT company by another). In addition, neither domain knowledge nor trust in cyberspace appear to explain the observed outcome.
While research on how the public responds to malicious behaviour in cyberspace still represents a small subset of cybersecurity scholarship, initial findings appear to question our understanding of public behaviour and preferences. Rather than being passive and anxious recipients of consequences, the public have likely come to accept the risk associated with the integration of cyberspace as part of their daily lives. As disruptive as these may be, the exploitation of cyber-dependent systems does not result in a pronounced sense of alarm as frequently depicted. However, when such events rise to these levels, the public is not passive and is likely to demand an active response.
Implications for policy
Since becoming an issue of national security, elites continue to shape the narrative surrounding threats to and from cyberspace.24 Consequently, this suggests that public perceptions of cyberspace are in line with how policymakers perceive this human-made environment. This paper and the considerations above call this into question.
With more evidence surfacing that public opinion has distinct views concerning the state of cyberspace, especially in terms of threats, policymakers need to re-assess the extent to which the narratives they espouse resonate among their constituents. For instance, support for improved cybersecurity practices may fail to deliver results if public opinion normalises the risks involved in cyberspace. Conversely, policymakers should also consider the pressure that public opinion might exert on them following the disclosure of severe cybersecurity incidents. While the decision to go public may function to deter future threats,25 doing so might provoke the public to call for a more forceful response depending on the incident’s consequences. This leaves political leaders in the difficult situation of effectively deterring potential adversaries without risking an escalation while balancing domestic concerns and courting the displeasure of the public.
It is fair to say that our understanding of how public opinion reacts to an incident in cyberspace has progressed significantly over the past 20 years. Rather than being passive and anxious, public opinion appears to have accepted the realities of operating in an increasingly cyber-dependent global society. However, acceptance is not passive, and agency is exercised if malicious behaviour crosses a particular threshold. Recognising this dynamic is crucial as it calls for a critical assessment of cybersecurity policies thus far.