How do non experts think about cyber attack consequences?

Nonexperts do not always follow the advice in cybersecurity warning messages. To increase compliance, it is recommended that warning messages use nontechnical language, describe how the cyberattack will affect the user personally and do so in a way that aligns with how the user thinks about cyberattacks. Implementing those recommendations requires an understanding of how nonexperts think about cyberattack consequences. Unfortunately, research has yet to reveal nonexperts’ thinking about cyberattack consequences. Toward that end, the purpose of this study was to examine how nonexperts think about cyberattack consequences.

Nonexperts sorted cyberattack consequences based on perceived similarity and labeled each group based on the reason those grouped consequences were perceived to be similar. Participants’ labels were analyzed to understand the general themes and the specific features that are present in nonexperts’ thinking.

The results suggested participants mainly thought about cyberattack consequences in terms of what the attacker is doing and what will be affected. Further, the results suggested participants thought about certain aspects of the consequences in concrete terms and other aspects of the consequences in general terms.

This research illuminates how nonexperts think about cyberattack consequences. This paper also reveals what aspects of nonexperts’ thinking are more or less concrete and identifies specific terminology that can be used to describe aspects that fall into each case. Such information allows one to align warning messages to nonexperts’ thinking in more nuanced ways than would otherwise be possible.