The psychological effects of cyber terrorismMichael L. Gross.docx

The psychological effects of cyber terrorism
Michael L. Gross , Daphna Canetti and Dana R. Vashdi
ABSTRACT
When ordinary citizens think of cyber threats, most are
probably worried about their passwords
and banking details, not a terrorist attack. The thought of a
shooting in a mall or a bombing at an
airport is probably more frightening than a cyber breach. Yet
terrorists aim for mental as well as
physical destruction, and our research has found that, depending
on who the attackers and the
victims are, the psychological effects of cyber threats can rival
those of traditional terrorism.
KEYWORDS
Cyber security; cyber
terrorism
Cyber aggression has become a daily fact of life in the
21st century, yet for most people it’s still only a reality
in the form of cyber crime – hackers targeting financial
information or other personal details. Politically moti-
vated attacks might threaten them as well, but they
tend to be the concern of governments and corpora-
tions rather than ordinary citizens. The thought of a
terrorist shooting in a mall or bombing in an airport
probably seems far more frightening to the average
person than Russian hackers disrupting government
networks in Estonia or Anonymous breaking into the
police department of Ferguson, Missouri. Cyber terror-
ists, after all, have yet to actually kill or injure anyone.

Yet our research has found this perception of cyber
aggression might not be entirely accurate. The aim of
terrorism, after all, is not just physical destruction, and
depending on who the attackers and the victims are,
the psychological effects of cyber terrorism can be just
as powerful as the real thing.
Defining cyber terrorism
People face cyber aggression on an almost daily basis.
Hackers appropriate, erase, or ransom data, defraud
bank customers, steal identities, or plant malevolent
viruses. In many cases, hackers are criminals out for
pecuniary gain. But sometimes their motives are poli-
tical. Some are “hacktivists,” or cyber activist groups,
like Anonymous, others are terror groups like Hamas
or Islamic State, and still others are agents of national
states like Iran, North Korea, or Russia. They are not
usually after money but pursue a political agenda to
foment for social change, gain political concessions, or
cripple an enemy. Sometimes their means are peaceful,
but other times they are vicious and violent. The lines
often blur. Anonymous will hack the Ferguson police
department just as it will initiate an “electronic
Holocaust” against Israel in support of the Palestinian
cause (Rogers 2014). Islamic activists will use the
Internet not only to recruit members and raise funds
for social welfare projects but also to steal money for
terrorist activities or disseminate information to stoke
fear and demoralize a civilian population. States will
pursue online espionage but also wreak havoc by crash-
ing multiple systems – as did the Russians, allegedly, in
Estonia in 2007, with mass denial-of-service attacks on
government sites, and in Ukraine in 2016, with cyber
attacks on the airport and power grid (Polityuk 2016).

Underlying many of these attacks is terrorism: an
attempt to extract political concessions by instilling
fear in the civilian population. In this way, cyber ter-
rorism is no different from conventional terrorism. Yet
cyber terrorism is far more subtle. To date, cyber
terrorists have neither killed nor injured anyone. Nor
have cyber terrorists successfully destroyed any critical
infrastructures. Whether this is due to the offensive
inadequacies of the terrorists or the superior defensive
capabilities of the United States and its allies, experts
have yet to decide.
But as the war on cyber terrorism continues, it is
increasingly clear that protecting vital national interests
is only half the battle. Security experts rightly worry
about defending transportation networks, refineries,
dams, military installations, hospitals, banks, and gov-
ernment offices from cyber attack just as they worry
about defending the same facilities from terrorist
bombs or ballistic missiles (Lewis 2002). Yet lost in
the haze of cyber warfare is the human dimension.
While scholars and policy makers raise concerns
about the dangers that cyber terrorism holds for
CONTACT Michael L. Gross [email protected]
BULLETIN OF THE ATOMIC SCIENTISTS, 2016
VOL. 72, NO. 5, 284–291
http://dx.doi.org/10.1080/00963402.2016.1216502
© 2016 Bulletin of the Atomic Scientists
http://orcid.org/0000-0001-5835-7879
http://orcid.org/0000-0003-0794-4090
http://orcid.org/0000-0003-3644-2129
http://www.tandfonline.com

national security, we know little about its effects on
human security.
Human security emphasizes the conditions neces-
sary for a vibrant civil society (Tadjbakhsh 2014). At
the most basic level, people must be able to live free of
undue fear, anxiety, and trepidation. At a more devel-
oped level, civil society requires energetic public dis-
course, judicious public policy, and respect for human
dignity. Following 9/11, we now recognize that con-
ventional terrorism undermines human security even
more than national security. It is a common truism
that terrorists want a lot of people watching, not a lot
of people dead (Jenkins 1975; Lerner et al. 2003). The
dead are few; it is the living whose daily lives are
transformed by the constant fear of impending doom.
Conventional terrorism exacerbates feelings of insecur-
ity and perceptions of threat that prompt public cries
for protective and militant government policies that
can short circuit public discourse, intensify intolerance
for dissident views, and infringe on human rights
(Boggs 2002; Hirsch-Hoefler et al. 2014). Does cyber
terrorism cause similar effects?
At first glance, it seems that it cannot. In their
attempts to formulate the law of cyber warfare, the
framers of the Tallinn Manual on the International
Law Applicable to Cyber Warfare remain unconvinced
that cyber attacks that block e-mail, deny service,
employ economic coercion, undermine confidence in
the government or economy, or, in their example,
“cause panic by falsely indicating that a highly conta-
gious and deadly disease is spreading through the
population” cause sufficient mental suffering to rise

to the level of a terrorist attack (Schmitt 2013, §11.2,
3; 30.12; 36.3; 59.9). Unfortunately, these assumptions
are untested and in a series of field experiments we
studied how cyber terrorism affects psychological well-
being and political attitudes that impinge upon human
security by causing stress, anxiety, and fear – all of
which radicalize political attitudes and push people to
exchange privacy for security to prevent cyber terror in
the future.
Simulating cyber terrorism
In our field survey experiments, we first interviewed
522 individuals following Anonymous’s well-publicized
attempt to perpetrate an “electronic Holocaust” in
April 2015, when the hacktivist group promised to
take down servers and “erase Israel from cyber
space.” In a second study, in January 2016, 907 subjects
viewed various film clips describing hypothetical
Hamas attacks on Israel’s national water company. In
one scenario, cyber terrorism was fatal; terrorists
poisoned the water supply with an overdose of chlorine
that killed two and injured many more. In other sce-
narios, cyber terrorism was not lethal; no one suffered
physical harm but hackers appropriated the bank
account numbers of the company’s customers and suc-
cessfully transferred money to Hamas. A third group of
subjects viewed a fatal but conventional mass-casualty
terrorist attack, while a control group viewed a neutral
film depicting the dedication of a water treatment
plant. Following these screenings, we surveyed respon-
dents on measures fundamental to human security.
These included stress, anxiety, insecurity and threat
perception, political militancy, and a willingness to
relinquish privacy.

In some ways, Israelis are a unique population for such
a study. The ongoing conflict between Israelis and
Palestinians (and Palestinian allies like Hezbollah and
Iran) is a constant feature of everyday life. Terrorism,
too, simmers beneath the surface. In the 18 months
since January 2015, terrorists have taken 30 civilian lives
in Israel and the West Bank (B’Tselem 2016). Yet Israelis
know their enemy, know what they want, and can ima-
gine the way to peace. This puts terrorism and cyber
terrorism in the context of a political struggle that has,
in many ways, fixed and acceptable costs. Like a couple of
wary boxers, each side circles the other, constantly poking
and provoking. This leaves Israelis, who score very high
on the UN’s world happiness index, weary but resilient.
In contrast, the West’s confrontation with radical Islam
is enigmatic and exceptionally violent. In the same 18
month period, 68 Americans and 269 Europeans have
lost their lives in terrorist attacks (Indian Express 2016;
International Security 2016; McHugh 2016). Unlike
Israelis, Americans and Europeans don’t know their
enemy, have no clear idea what they want or how to
confront their demands. Islamic State attacks are brutally
violent for their own sake. Americans and especially
Europeans will find resilience elusive as terrorism and
cyber terrorism fuel an inescapable cycle of fear.
Learning from the Israeli case and understanding the
effects of cyber terrorism for other Western nations are
crucially important.
Measuring stress and insecurity
Not surprisingly, exposure to cyber terrorism is stress-
ful. Figure 1 uses the State-Trait Anxiety Inventory
(STAI) to show how stress and anxiety grow as attacks

become more deadly. With a score of 4.00, conven-
tional mass-casualty terrorism (e.g. suicide bombings)
evokes a level of anxiety at the top of the scale. The
stress scores for lethal and nonlethal cyber terrorism
are not far behind, and all the scores significantly
BULLETIN OF THE ATOMIC SCIENTISTS 285
surpass the control group. But the interesting point is
this: Individuals were equally disturbed by lethal and
nonlethal cyber terrorism, meaning there is no signifi-
cant difference between the two when it comes to
stress. Both cause significant panic and anxiety and
both, it seems, are equally capable of cracking the
foundations of personal well-being and human
security.
Cyber terrorism also left individuals insecure and
wary of future cyber terrorist attacks. These judgments
are measures of threat perception and gauged by such
questions as: “To what extent do cyber attacks under-
mine your sense of personal security?” and “To what
extent do you feel threatened by cyber terrorism?” Like
stress, threat perception increased steadily as attacks
grew more severe (Figure 2). But even in our control
group, Israelis are on edge, and exposure to nonlethal
cyber terrorism did not appreciably increase perceptions
of threat. Lethal attacks, on the other hand, did trigger a
significant jump in threat perception and it didn’t mat-
ter much whether they were cyber or conventional ter-
rorist attacks. These findings show how stress and threat
perception are two different phenomena. Stress is emo-
tional while threat perception is cognitive. And while
lethal and nonlethal cyber attacks evoke feelings of

stress, only terrorism accompanied by injury and loss
of life nurtures a serious preoccupation about the next
attack. If a person’s reaction to cyber terrorism has both
an emotional and cognitive dimension, it is also sensi-
tive to circumstance and the identity of the perpetrator.
After it was clear that Anonymous’s threat of an “elec-
tronic Holocaust” was empty, threat perception fell by
10%. People were still fearful, but not so much. But
many Israelis do fear Hamas. And when that group,
rather than Anonymous, was the perpetrator, threat
perceptions increased by 20%, from a mean score of
2.9 to a score of 3.5. Hamas is a far more frightening
adversary than Anonymous, even as they perpetrate
similar attacks.
Stress, anxiety, insecurity, and perceptions of
threat do not stand alone. Instead, we know that
studies of conventional terrorism show how stress,
anxiety, and heightened perceptions of threat radica-
lize political attitudes and draw individuals away
from concerns about civil liberties to worries about
national security (Verton and Brownlow 2003). In
the wake of mass-casualty terrorism, individuals
turn inward, disparage outgroups, move to the right
on security and privacy issues, and call upon their
government to take strong military action (Canetti
et al. 2013; McDermott 2010). The effects can have a
chilling effect on civil society and political discourse
in many democratic nations, as debates about tor-
ture, rendition, due process, military belligerency,
and surveillance show. We were not surprised to
see similar effects from cyber terrorism.
Figure 1. Anxiety in the wake of terrorism.

286 M. L. GROSS ET AL.
Political reactions
Figures 3 and 4 depict an array of political attitudes that
harden in the wake of terrorism. As noted, individuals in
our first survey confronted an ongoing cyber attack by
Anonymous and in the second, a simulated attack by
Hamas. In each case, we asked individuals about their
support for internet surveillance, government regulation,
and military retaliation in the context of an unspecified
cyber terror attack. Questions centered on surveillance and
civil liberties (“Should the government monitor emails and
social networks for suspicious phrases?”; “Are you willing
to let the government read emails to improve personal and
national security?”),1 government regulation (“Should the
government require businesses to install cyber security
systems?”), and military retaliation (“Following a cyber
terrorism attack, should the government respond with a
small-scale cyber attack against military targets, a large-
scale cyber attack against military and civilian targets, a
small-scale conventional (missiles, bombs, and artillery)
attack against military targets, or a large-scale conventional
attack attacks against military and civilian targets?”)
Attitudes varied depending on the perpetrator. When
Anonymous was the attacker, 54% of the respondents in
our survey would allow the government to monitor
e-mails for suspicious phrases, 48% would allow the
government to monitor Facebook and Twitter, and 23%
would allow the government to read e-mails. When the
perpetrator was Hamas, support for government surveil-
lance leaps to 67% in favor of monitoring e-mails, 46% in

favor of monitoring social media, and 61% in favor of
reading e-mails. Among Americans in general, by con-
trast, only 43% of the respondents would allow the US
government to monitor the communications of US citi-
zens (Shelton, Rainie, and Madden 2015, 6). Among
Israelis, support for surveillance depends on the identity
of the perpetrator. And while the identity of the attacker
did not affect calls for government regulation (74% of the
respondents would require business to install cyber secur-
ity software) fears of Islamic terrorism dominate the
public’s demand for military responses. As Figure 4
demonstrates, individuals facing Hamas terrorism were
considerably more militant and supported conventional
retaliation by a margin of nearly 2:1 compared to those
facing the hacktivist group Anonymous. One reason may
be greater fear of Hamas but another may be the recogni-
tion that Hamas, like Islamic State, has infrastructures
and territory vulnerable to conventional attack. On the
other hand, it is fear of Hamas rather than its vulner-
ability that drives greater support for surveillance. These
Figure 2. Threat perception and insecurity.
data highlight the public’s willingness to employ conven-
tional military measures to quash cyber terrorism, strong
attitudes that will no doubt influence political leaders as
they weigh kinetic military responses to cyber threats
(Libicki forthcoming).
From a psychological perspective, the data offer a
curious finding. We expected to find a clear connection

between exposure to cyber terrorism and militant,
hardline attitudes. The harsher the terrorist attack our
subjects experienced, the greater their militancy. But
this is not what we discovered. Instead, we found that
the greater one’s perception of threat, the greater one’s
militancy. The odds were more than twice as high that
individuals with high levels of threat perception will
Figure 4. Percent favoring small-scale and large-scale or
conventional retaliation.
Figure 3. Percent favoring surveillance and government
regulation.
support surveillance, government regulation, and mili-
tary retaliation compared to those whose threat percep-
tion is lower. We cannot explain why some individuals
are more fearful than others. Past exposure to cyber
attacks explains only a small part of the variance. Other
personality factors, beyond the scope of our study to
examine, are also probably at work. Nevertheless, it is
clear that the threat of terrorism and how one perceives
it are better determinants of militancy and hardline
attitudes than the experience of an actual attack. And,
indeed, this is how terrorism works. One need not
suffer direct harm to be terrorized; it is enough that
one fear direct harm to suffer the ravages of contem-
porary terrorism, whether cyber terrorism or conven-
tional terrorism.
From Anonymous and Hamas to Islamic state

These results offer tantalizing evidence that cyber ter-
rorism mirrors conventional terrorism even when its
victims do not suffer injury or loss of life. We found
that cyber terrorism increases stress, anxiety, fear, hard-
line attitudes, and political militancy. But circumstances
matter, because the identity of the perpetrator helps
explain the political attitudes related to cyber terrorism.
Hamas is more threatening than Anonymous. When
Hamas is at the wheel, Israelis see a brutal terrorist
organization and do not much distinguish between
cyber and conventional terrorism. Anonymous, on the
other hand, still carries some cachet as a rogue hacktivist
group that is unwilling or unable to harm anyone phy-
sically. Hamas, for the most part, poses no threat to
Americans and Europeans. But Islamic State certainly
does, and it will not be long before the group gains the
capabilities to mount cyber-terrorism attacks. And, as
with Hamas, the fact that these attacks might cause little
physical harm may be irrelevant. Islamic State, like
Hamas, will trade on its ruthless terrorist image.
Leveraging its success at conventional terrorism, it will
move seamlessly and effectively to cyber terrorism to
produce outsized fear and panic. Marrying conventional
and cyber terrorism will have chilling effects: Islamic
State and other terrorist groups will be able to achieve
the dramatic effects of suicide attacks and mass casual-
ties at the relatively low cost and risk of cyber terrorism.
There will be no need for suicide cyber bombers. Cyber
terrorism is a force multiplier that can magnify the
effects of limited, sporadic, and even failed kinetic ter-
rorist attacks. In tandem, conventional and cyber terror-
ism can undermine human security in a most
fundamental way.
Restoring human security

Human security thrives when societies are open, toler-
ant, peaceful, and vibrant, and when they offer citizens
the conditions necessary to flourish economically, intel-
lectually, physically, and emotionally (Tadjbakhsh and
Chanoy 2007). Physical security is a necessary condition
for human security but not sufficient if civil society fails
to allow its members to thrive. To thrive, individuals
must maintain tolerance and social discourse. By indu-
cing stress and anxiety, cyber terrorism endangers psy-
chological well-being and increases perceptions of threat
even if individuals suffer no physical harm. Once cyber
terrorism successfully breaches a critical infrastructure
to kill and injure (as in our film clips), these effects are
more pronounced. Threat perception is not all bad.
Reasonable perceptions of threat are essential to protect
individuals and their communities from dangerous sur-
prises but become disabling when they foster insecurity
and prompt visions of an inescapable cycle of violence
(Canetti-Nisim et al. 2009). It is the nature of cyber
terrorism to target civilians (Gross 2015, 153–183).
Some of this is mere efficiency: Civilian targets are softer
than military targets or critical infrastructures, which
states take great pains to protect. But part is strategic:
Targeting civilians is a way to demoralize and terrorize.
This is precisely what Anonymous, Hamas, and Islamic
State promise to do.
In response, civilians are increasingly willing to jet-
tison privacy and support military retaliation. Neither
outcome bodes well for human security. Privacy
embraces the right to keep secrets and preserves a
domain for individuals to build their personal identities
and communicate without interference or duress.
Surveillance inhibits free speech, discourages political
opposition, prevents dissenters from organizing or
publishing anonymously, and disrupts the flow of

information necessary for a well-functioning civil
society. Surveillance threatens privacy but not without
cause. Surveillance can strengthen physical security.
Gaining access to the content of e-mails and social
media may allow law enforcement authorities and
intelligence agencies to co-opt and cripple hostile orga-
nizations. Physical security is as important for human
security as privacy. Balancing the two will be excep-
tionally challenging in the shadow of cyber terrorism,
and cyber security experts and policy makers cannot
unilaterally fortify the former at the expense of the
latter.
Political militancy is equally problematic. Facing
cyber terrorism and the threat it poses to national
and human security, governments consider a range of
tempered policies that include criminal prosecution,
counter espionage, and active cyber defenses. Because
most offensive cyber attacks fall far short of war, each
of these retaliatory responses is freighted with fears of
escalation that the United States and other nations wish
to avoid. Nations must be careful as they weigh their
responses to hostile cyber operations (Hathaway et al.
2012). Civilians, particularly those who already find
themselves in the midst of an armed conflict, are less
restrained and may push their governments in unwar-
ranted and dangerous directions as they call for harsh
military retaliation following cyber attacks. Human
security does not demand pacifism but it thrives best
in a society that is cautious about the use of armed
force. Cyber terrorism, like conventional terrorism,

upends judicious decision making.
Eliminating the toxic effects of cyber terrorism is
not simply a matter of cyber security. It is not enough
to thwart or reduce the incidence of cyber-terror
attacks. Protecting facilities is only half the battle.
Fear, insecurity, anxiety, and militancy are often the
product of perceived, not actual, threats. Cyber terror-
ists lurk in the background, and individuals will not be
mollified unless they are eliminated. Despite their best
efforts, however, no government will ever eradicate
cyber terrorism, and people will always be driven by
their outsized fears. Mitigating these fears is as equally
important as reducing the incidence of attack. But the
means are entirely different. Perceptions depend cru-
cially on information and, as a result, risk assessment
and communication are of crucial importance in the
war against cyber terrorism. Individuals who misun-
derstand the nature of cyber terrorism and the threat it
poses are most likely inclined to greater fear, insecurity,
and militancy than those whose assessment is sober.
Experts, to be sure, remain divided over the risk of
cyber terrorism. Nevertheless, the cyber security com-
munity must address the fears of everyday citizens by
cogently assessing the danger of cyber terrorism and
the protective measures necessary to maintain secure
networks. Risk communication is sorely lacking; prop-
erly implemented, it can reduce insecurity and percep-
tions of threat. Finally, there is also room to think
about psychological intervention and cognitive beha-
vior therapy to treat cyber terrorism-induced anxieties,
just as it is used to treat the effects of conventional
terrorism.2 Risk assessment and psychological treat-
ment protocols address the human dimension of
cyber terrorism and should not be neglected as nations
work to fend off cyber terrorists of all stripes.

Cyber terrorism has many faces, as does the psy-
chology of the masses. Our research demonstrates how
even nonlethal, seemingly banal forms of cyber
terrorism have a considerable impact on the attitudes
of victimized populations. Our experiments show a
“cyber terrorism effect” that can enable terrorists to
foster fears akin to kinetic terrorism and pursue simi-
larly ideological goals. In this way, cyber terrorism
pushes well beyond cyber crime even when its methods
– identity theft, destruction of data, and disruption of
service – are sometimes similar. When Anonymous
threatens an electronic Holocaust by corrupting data
or stealing identities, they are taking sides in violent,
armed conflict, and their actions are far more than
criminal. They are attacking innocent civilians, not
bilking an easy mark. Victims know the difference.
Under attack, they react not only with fear and trepi-
dation, as do victims of crime, but also with demands
for protection from the enemies of the state via harsh
military retaliation, surveillance, and strong govern-
ment. This is the psychology of terrorism.
Notes
1. “Reading” and “monitoring” are different. “Monitoring”
suggests either the collection of metadata or only read-
ing e-mails that trigger security concerns, while “read-
ing” suggest scrutinizing every e-mail.
2. For example, see Somer et al. (2005).
Disclosure statement
No potential conflict of interest was reported by the authors.

Funding
This research was made possible, in part, by grants awarded
to Daphna Canetti from the US National Institute of Mental
Health [R01 MH073687], from the Israel Science Foundation
[594/15], and from the US-Israel Binational Science
Foundation [2009460], and to Michael L. Gross from the
Israel Science Foundation [156/13].
Notes on contributors
Michael L. Gross is a professor in and the head of the School
of Political Science at the University of Haifa, Israel. His
recent books include The Ethics of Insurgency (Cambridge
2015), Moral Dilemmas of Modern War (Cambridge 2010)
and the forthcoming, Soft War: The Ethics of Unarmed
Conflict (Cambridge).
Daphna Canetti is a professor of political science at the
University of Haifa and the director of the university’s grad-
uate program in Democracy Studies. Canetti’s research
examines the psychological challenges and policy implica-
tions of terrorism, warfare, and political violence. Her pub-
lications appear in political and psychological outlets
including the Lancet, the American Journal of Political
Science, the British Journal of Political Science, and Political
Psychology. Her commentary has been featured in media
outlets including NPR and the Washington Post.
Dana Vashdi is the head of the Division of Public

Administration and Policy at the University of Haifa, Israel.
Her research focuses on the well-being of citizens in general
and of employees in particular as well as on teams in public
organizations, organizational learning, and healthcare policy.
She has published articles in a wide variety of academic
journals including the Academy of Management Journal,
British Medical Journal, Human Resource Management, and
Public Administration Review.
ORCID
Michael L. Gross http://orcid.org/0000-0001-5835-7879
Daphna Canetti http://orcid.org/0000-0003-0794-4090
Dana R. Vashdi http://orcid.org/0000-0003-3644-2129
References
Boggs, C. 2002. “Militarism and Terrorism: The Deadly
Cycle.” Democracy & Nature 8 (2): 241–259. doi:10.1080/
10855660220148598.
B’Tselem. 2016. “Fatalities after Operation Cast Lead.”
B’Tselem - The Israeli Information Center for Human
Rights in the Occupied Territories. http://www.btselem.
org/statistics/fatalities/after-cast-lead/by-date-of-death.
Canetti, D., B. J. Hall, C. Rapaport, and C. Wayne. 2013.
“Exposure to Political Violence and Political Extremism: A
Stress-Based Process.” European Psychologist 18 (4): 263–
272. doi:10.1027/1016-9040/a000158.
Canetti-Nisim, D., E. Halperin, K. Sharvit, and S. E. Hobfoll.
2009. “A New Stress-Based Model of Political Extremism:
Personal Exposure to Terrorism, Psychological Distress,
and Exclusionist Political Attitudes.” Journal of Conflict
Resolution 53 (3): 363–389. doi:10.1177/0022002709333296.

Gross, M. 2015. The Ethics of Insurgency: A Critical Guide to
Just
Guerrilla Warfare. Cambridge: Cambridge University Press.
Hathaway, O. A., R. Crootof, P. Levitz, H. Nix, A. Nowlan,
W. Perdue, and J. Spiegel. 2012. “The Law of Cyber-
Attack.” California Law Review 100 (4): 817–885.
Hirsch-Hoefler, S., D. Canetti, C. Rapaport, and S. E.
Hobfoll. 2014. “Conflict will Harden Your Heart:
Exposure to Violence, Psychological Distress and Peace
Barriers in Israel and Palestine.” British Journal of
Political Science 1–15. doi:10.1017/S0007123414000374.
Indian Express, 2016. “List of Terrorist Attacks that have
Struck Europe in 2016.” Indian Express. http://indianex
press.com/article/world/world-news/list-of-terrorist-
attacks-that-have-struck-europe-in-2016/.
International Security, 2016. “Deadly Attacks Since 9/11.”
International Security. http://securitydata.newamerica.net/
extremists/deadly-attacks.html.
Jenkins, B. M. 1975. “Will Terrorists Go Nuclear?” P-5541 in
the RAND Paper Series. Santa Monica, CA: The RAND
Corporation.
Lerner, J. S., R. M. Gonzalez, D. A. Small, and B.
Fischhoff. 2003. “Effects of Fear and Anger on
Perceived Risks of Terrorism: A National Field
Experiment.” Psychological Science 14 (2): 144–150.
doi:10.1111/psci.2003.14.issue-2.
Lewis, J. A. 2002. Assessing the Risks of Cyber Terrorism,
Cyber War and Other Cyber Threats. Washington, DC:

Center for Strategic and International Studies, December.
Libicki, M. C. forthcoming. ““From the Tallinn Manual
to Las Vegas Rules.” Chap. 32.” In Cyberspace in Peace
and War. Annapolis, MD: Naval Institute Press, 2016.
McDermott, R. 2010. “Decision Making under Uncertainty.”
In Proceedings of a Workshop Deterring Cyberattacks:
Informing Strategies and Developing Options for U.S.
Policy, National Research Council, 227–241. Washington,
DC: The National Academies Press.
McHugh, J. 2016. “Europe Terrorist Attacks 2016.” IBT, March
24. http://www.ibtimes.com/europe-terrorist-attacks-2016-
timeline-bombings-terror-threats-brussels-2341851.
Polityuk, P. 2016. “Ukraine Sees Russian Hand in
Cyber Attacks on Power Grid.” Reuters, February 12.
http://www.reuters.com/article/us-ukraine-cybersecurity-
idUSKCN0VL18E.
Rogers, A. 2014. “What Anonymous is Doing in Ferguson.”
Time, August 21. http://time.com/3148925/ferguson-
michael-brown-anonymous/.
Schmitt, M. N., ed. 2013. Tallinn Manual on the International
Law Applicable to Cyber Warfare. Cambridge: Cambridge
University Press.
Shelton, M., L. Rainie, and M. Madden. 2015. “Americans’
Privacy Strategies Post-Snowden.” Pew Research Center,
March 15. http://www.pewinternet.org/files/2015/03/PI_
AmericansPrivacyStrategies_0316151.pdf.
Somer, E., E. Tamir, S. Maguen, and B. T. Litz. 2005. “Brief
Cognitive Behavioral Phone-Based Intervention Targeting

Anxiety about the Threat of an Attack: A Pilot Study.”
Behaviour Research and Therapy 43 (5): 669–679.
doi:10.1016/j.brat.2004.05.006.
Tadjbakhsh, S. 2014. “Human Security Twenty Years on.”
Norwegian Peacebuilding Resource Centre (NOREF), June.
http://www.peacebuilding.no/var/ezflow_site/storage/origi
nal/application/540cb240aa84ac7133bce008adcde01f.pdf.
Tadjbakhsh, S., and A. M. Chanoy. 2007. Human Security:
Concepts and Implications. Abingdon, UK: Routledge.
Verton, D., and J. Brownlow, eds. 2003. Black Ice: The
Invisible Threat of Cyber-Terrorism. Emeryville, CA:
McGraw-Hill/Osborne.
http://dx.doi.org/10.1080/10855660220148598
http://dx.doi.org/10.1080/10855660220148598
http://www.btselem.org/statistics/fatalities/after-cast-lead/by-
date-of-death
http://www.btselem.org/statistics/fatalities/after-cast-lead/by-
date-of-death
http://dx.doi.org/10.1027/1016-9040/a000158
http://dx.doi.org/10.1177/0022002709333296
http://dx.doi.org/10.1017/S0007123414000374
http://indianexpress.com/article/world/world-news/list-of-
terrorist-attacks-that-have-struck-europe-in-2016/
http://securitydata.newamerica.net/extremists/deadly-
attacks.html
http://securitydata.newamerica.net/extremists/deadly-

attacks.html
http://dx.doi.org/10.1111/psci.2003.14.issue-2
http://www.ibtimes.com/europe-terrorist-attacks-2016-timeline-
bombings-terror-threats-brussels-2341851
http://www.ibtimes.com/europe-terrorist-attacks-2016-timeline-
bombings-terror-threats-brussels-2341851
idUSKCN0VL18E
idUSKCN0VL18E
http://time.com/3148925/ferguson-michael-brown-anonymous/
http://time.com/3148925/ferguson-michael-brown-anonymous/
http://www.pewinternet.org/files/2015/03/PI_AmericansPrivacy
Strategies_0316151.pdf
http://www.pewinternet.org/files/2015/03/PI_AmericansPrivacy
Strategies_0316151.pdf
http://dx.doi.org/10.1016/j.brat.2004.05.006
http://www.peacebuilding.no/var/ezflow_site/storage/original/ap
plication/540cb240aa84ac7133bce008adcde01f.pdf
http://www.peacebuilding.no/var/ezflow_site/storage/original/ap
plication/540cb240aa84ac7133bce008adcde01f.pdf
Copyright of Bulletin of the Atomic Scientists is the property of
Bulletin of the Atomic
Scientists and its content may not be copied or emailed to
multiple sites or posted to a listserv
without the copyright holder's express written permission.
However, users may print,
download, or email articles for individual use.
AbstractDefining cyber terrorismSimulating cyber
terrorismMeasuring stress and insecurityPolitical reactionsFrom
Anonymous and Hamas to Islamic stateRestoring human
securityNotesDisclosure statementFundingNotes on
contributorsReferences

Information Security Journal: A Global Perspective, 21:102–
114, 2012
Copyright © Taylor & Francis Group, LLC
ISSN: 1939-3555 print / 1939-3547 online
DOI: 10.1080/19393555.2011.647250
How Can We Deter Cyber Terrorism?
Jian Hua1 and Sanjay Bapna2
1School of Business and Public
Administration, University of
the District of Columbia,
Washington, D.C., USA
2Morgan State University,
Baltimore, Maryland, USA
ABSTRACT In order to deter cyber terrorism, it is important to
identify the
terrorists, since punishment may not deter them. The
identification probability
relies heavily on tracking cyber terrorists. However, there are
legal and technical
challenges to tracking terrorists. This paper proposes
suggestions and insights
on overcoming these challenges. Three types of infrastructures
must be present
in order to deter cyber terrorism: technical, policy, and legal.
We list some
of the key items that academics as well as practitioners need to
focus on to
improve cyber-terrorism deterrence.
KEYWORDS cyber terrorism, cyber terrorist, information
security, cyber deterrence, legal

Address correspondence to Jian Hua,
School of Business and Public
Administration, University of the
District of Columbia, 4200
Connecticut Avenue, Washington,
DC 20008. E-mail: [email protected]
1. INTRODUCTION
Considerable research and investigative efforts have been spent
studying ter-
rorism and terrorists. Prevention of bombing, kidnapping, and
other common
types of terrorism has been among the focal concerns in the
struggle for world
peace. However, terrorists do not restrict themselves to common
and regular
methods. The terrorist’s attack of September 11, 2001, is a
primary example.
It is common knowledge that information technology (IT)-based
informa-
tion systems are vulnerable. Hence, it is possible for terrorists
to utilize the
vulnerabilities of IT-based information systems to attack their
adversaries and
to launch an information war (Jormakka & Molsa, 2005; Embar-
Seddon, 2002).
Currently, terrorism is spreading globally and being facilitated
by information
technology (Gable, 2009; Hansen, Lowry, Meservy, &
McDonald, 2005; Chu,
Deng, Chao, & Huang, 2009). Many studies urge paying more
attention to
cyber terrorism (Gable; Hua & Bapna, 2009; Foltz, 2004;
Embar-Seddon).
In a statement before the Senate Select Committee on

Intelligence, the
director of the National Intelligence testified that terrorists have
intentions
to deploy cyber attacks against the United States (Gable, 2009).
Cyber
attacks against the U.S. government in 2009 were expected to
increase about
60% compared to the number of attacks in 2008, most of it
coming from
Chinese state and state-sponsored computers (U.S. Government,
2009).
Attacks against Supervisory Control and Data Acquisition
systems (SCADA)
computer networks that operate the critical infrastructure have
risen dra-
matically in 2009 and account for 20% of the 164 incidences
reported since
1982 (Aitoro, 2009a). The reason cyber terrorists cannot launch
attacks to
cause significant damage is that these cyber terrorists have not
gained the
102
sufficient expertise, which could be available within the
next few years (Aitoro, 2009b).
Gable (2009) cites several recent incidences of cyber
terrorism:
• A distributed denial of service (DDOS) attack
launched on July 2009, which affected 27 U.S. and
South Korean government agencies including the
Secret Service and the U.S. Pentagon, may have been

the work of cyber terrorists residing in the United
Kingdom.
• Attacks on Estonian government Websites in
2007 effectively crippled the government transac-
tions in that country.
• The information for the stealth fighter jet program
was stolen.
• The U.S. Air Force’s air traffic control systems were
intruded.
Currently, cyber-terrorism research has focused on
three orientations: technology, legal, and economic.
All of these orientations are receiving increasing atten-
tion. The technology-oriented research stream focuses
on the technical means to prevent cyber attacks
(Hansen et al., 2005; Griffith, 1999). The legal-oriented
research stream examines the legal perspectives in order
to prosecute cyber terrorists (Trachtman, 2004; Walker,
2006; Gable, 2009). The economic-oriented research
stream develops and analyzes economic models to
determine the level of investment necessary to safe-
guard information assets (Hua & Bapna, 2009). In this
paper, our research specifically focuses on deterrence
and prevention from cyber terrorism and thus bor-
rows on the technical, legal, and economic orientation
streams.
Because cyber terrorism can result in economically
devastating threats to nations, we need to develop a
framework to deter cyber terrorism. In this paper, we
develop such a framework, relying on existing inter-
disciplinary literature and cyber-terrorism cases. Three
types of infrastructures — technical, policy, and legal —

must be present in order to craft cyber-terrorism deter-
rence policies. This paper is divided into five sections.
In section 2, a comprehensive literature survey of ter-
rorism, cyber terrorism, and deterrence is provided.
Since our focus on this paper is on deterrence, we
examine the literature in these areas in details. The lit-
erature shows that punishment may not result in an
adequate deterrence effect even for ordinary crimes,
let alone terrorism. In section 3, we argue that in
order to deter cyber terrorism, it is important to
identify the perpetrators of cyber attacks, which pose
both technical and legal challenges. In section 4, we
develop a framework based on the aspects learned
from the literature review and challenges associated
with current solutions. This framework clearly shows
that both national and international governments
have tremendous leverage to control cyber terrorism.
We provide recommendations for national and inter-
national bodies in order to prevent and deter the
incidents of cyber terrorism. We discuss the implica-
tions of our work in the section 5, “Conclusions and
Implications.”
2. LITERATURE REVIEW
The word “terrorism” came about during the French
Revolution when terror was used by the government to
suppress counter-revolutionary adversaries. Most ter-
rorists share two common aspects: (1) they assault
civilians, and (2) they target victims that are not their
true targets but rather these victims do influence the
target audience. The term terrorist refers to a per-
son who practices terrorism. Terrorism and terrorists
have a strong negative connotation. Terrorists know
that they cannot be superior to their adversaries in

conventional resource-intensive warfare. Hence they
rely on terrorism and low-intensive conflict to erode
the enemy’s moral and physical capacities (Oprea &
Mesnita, 2005).
Victoroff (2005) proposed a comprehensive typol-
ogy to illustrate the dimensions of terrorism (Table 1).
The demographic data about terrorists have been pre-
sented in studies by Hassan (2001), Pedahzur, Perliger,
and Weinberg (2003), and Sageman (2004).
People commonly believe that terrorists are insane
or psychopathic. Strictly speaking, the psychopathic
ailment can be divided into two conditions: clinical ill-
ness and personality disorder. The person with clinical
illness cannot differentiate right from wrong, but the
person with personality disorder can. As such, terrorists
are rarely psychotic or insane (Victoroff, 2005).
Contrary to common beliefs, terrorists are also rarely
sociopathic. There is no evidence, from any empirical
study, that demonstrates that terrorists are antisocial.
Considerable evidence supports the observation that
terrorists are regarded as heroes, at least by their groups
or local communities. The Middle Eastern students
103 How Can We Deter Cyber Terrorism?
TABLE 1 Dimensions of Terrorism (Victoroff, 2005)
Variable Classification
Perpetrator Number Individual vs. Group
Sponsorship State vs. Substate vs. Individual

Relation to authority Anti-state/Anti-establishment/
Separatist vs. Pro-state
Locale Intrastate vs. Transnational
Military status Civilian vs. Military
Spiritual motivation Secular vs. Religious
Financial motivation Idealistic vs. Entrepreneurial
Political Ideology Leftist vs. Rightist
Hierarchical role Sponsor vs. Leader
Willingness to die Suicidal vs. Nonsuicidal
Target Property vs. Individual vs. Masses
of people
Methodology Bombing, Assassination,
Kidnapping, Mass Poisoning,
other
who join an Islamic radical group may enjoy popular
support and believe they are serving their society in
a pro-social way. Contrary to common understand-
ing, terrorists are altruistic in their groups (Keet, 2003;
Krueger & Maleckova, 2003).
In this section, we define cyber terrorism and delin-
eate the differences and similarities between terrorism
and cyber terrorism. Types of cyber attacks and the
dangers of cyber attacks are provided. We then discuss
the literature on deterrence and how it relates to cyber
terrorism.
2.1. Cyber Terrorism
The term “cyber terrorism” is used to describe
the new approach adopted by terrorists to attack
cyberspace (Parks & Duggan, 2001). It is an extension

of traditional terrorism. The threat of cyber terrorism
is more dangerous than that of common information
security attacks (Rogers, 1999; Verton, 2003). Cyber ter-
rorism is becoming a major concern for most countries
(Foltz, 2004).
Two ways to define cyber terrorism have been pro-
posed (Rollins & Wilson, 2007):
• Effects-based: Cyber terrorism exists when computer
attacks result in effects that are disruptive enough
to generate fear comparable to a traditional act of
terrorism, even if done by criminals.
• Intent-based: Cyber terrorism exists when unlawful
or politically motivated computer attacks are done
to intimidate or coerce a government or people to
further a political objective or to cause grave harm
or severe economic damage.
We define cyber terrorism as an activity imple-
mented by computer, network, Internet, and IT
intended to interfere with the political, social, or eco-
nomic functioning of a group, organization, or coun-
try; or to induce physical violence or fear; motivated
by traditional terrorism ideologies. Cyber terrorism
includes all the dimensions as proposed by Victoroff
as shown in Table 1, where the terrorism methodology
is driven extensively by computer and computing net-
work architectures. The main goal of cyber-terrorism
attacks is to create fear and panic among civilians or
to disrupt or destroy public and private infrastructures
(Morgan, 2004). The most dangerous cyber-terrorism
attacks are those that affect national infrastructure or
business systems.

Cyber terrorists can be differentiated from the other
hacker groups by their attack motives. (Embar-Seddon,
2002) even though the cyber attack methods and the
targets attacked by cyber terrorists are the same as those
adopted by other hacker groups. Cyber terrorists can
launch DDOS attacks to disrupt public servers within
government, telecommunication services, transporta-
tion communication systems, and utility distribution
systems. They can also intrude into public media sys-
tems to spread rumor or alert civilian targets. Although
cyber terrorists cannot cause death on a large scale,
such as physical terrorism incidents, they might cause
large monetary losses exceeding that of physical terror-
ism or induce fear comparable to physical terrorism
acts. Thus, preventing cyber terrorism is as important
as preventing terrorism.
Foltz (2004) listed some of the potential threats of
cyber terrorism, including:
• Access a drug manufacturer’s facility and alter its
medication formulas to be deadly (Wehde, 1998).
• Access hospital records and change patient blood
types (Gengler, 1999).
• Report stolen information to others (i.e., troop
movement) (Desouza & Hensgen, 2003).
• Manipulate perception, opinion, and the political
and socioeconomic direction (Stanton, 2002).
• Facilitate identity theft (Gordon & Ford, 2002a).
• Attack critical infrastructure including electri-

cal power systems; gas and oil production,
J. Hua and S. Bapna 104
transportation, and storage; water supply sys-
tems; banking and finance; homeland security;
telecommunication; agricultural and food supply;
and public health (Embar-Seddon, 2002).
In its 1996 report Cyberterror: Prospects and
Implications, The Center for the Study of Terrorism
and Irregular Warfare at the Naval Postgraduate School
in Monterey, California, defined three levels of cyber
terror capability:
• Simple-Unstructured: The capability to conduct
basic hacks against individual systems using tools
created by someone else. The organization pos-
sesses little target analysis, command and control, or
learning capability.
• Advanced-Structured: The capability to conduct
more sophisticated attacks against multiple systems
or networks and possibly to modify or create basic
hacking tools. The organization possesses an ele-
mentary target analysis, command and control, and
learning capability.
• Complex-Coordinated: The capability for coordi-
nated attacks capable of causing mass-disruption
against integrated, heterogeneous defenses (includ-
ing cryptography). Ability to create sophisticated
hacking tools. Highly capable target analysis, com-
mand and control, and organization learning

capability.
According to the Center’s estimates, a terrorist
group may be able to reach the advanced-structured
level within two to four years after starting from
scratch and within six to ten years to reach the
complex-coordinated level. However, using outsourc-
ing or sponsorship means, a group may reach the
complex-coordinated level must faster.
Compared with other terrorism approaches, cyber
terrorism requires fewer people and fewer inputs.
Pure cyber terrorism does not require cyber terror-
ists to show up in the target area. Cyber terrorists
can remotely launch attacks and remain anonymous.
Cyber terrorists can use proxy servers and IP-change
methods to hide their real addresses. Because cyber ter-
rorists can easily hide their identity, it is difficult for
government agents to trace and capture them. This
poses tremendous challenges to thwart cyber-terrorist
attacks.
2.2. Deterrence
Deterrence theory has been widely employed in
the fields of economics and criminology to study
the behavior of criminals and antisocialists (Becker,
1968; Pearson & Weiner, 1985). In criminology, deter-
rence theory asserts that the probability of criminal
behavior varies with the expected punishment, which
consists of the perceived probability of being caught and
the punishment level (Pearson & Weiner). The decision
to undertake a criminal action by an individual is made
when the individual’s expected payoff is greater than
the expected punishment and cost. Moreover, the indi-
vidual moves in and out of illegal activities as the

opportunities change (Anadarajan & Simmers, 2003).
In the realm of cyber terrorism, the expected pun-
ishment level depends upon the legal national and
international frameworks, and the perceived probabil-
ity of being caught depends upon the ability to identify
the perpetrators and the cooperation for information
sharing between nations. We classify all deterring activ-
ities in terms of three dimensions: technical, policy,
and legal. The ability to use technical means to pre-
vent cyber terrorism is not relevant to this paper, but
the ability to identify terrorists using technical means
is of relevance. Policy decisions, such as how often
to share breaching information, are under the control
of governments and organizations. Governments and
societies operate under their legal infrastructures, and
their ability to prosecute cyber terrorists falls under the
legal dimension.
In criminology, deterrence theory focuses on the
effects of punishment. In economics, deterrence the-
ory focuses on the reward of legal behavior and the
punishment of illegal behavior (Becker, 1968). In eco-
nomics, deterrence theory asserts that individuals make
rational decisions to maximize benefits and minimize
costs. A person can make a decision to undertake a
criminal activity when the expected payoff from the
criminal activity exceeds the expected expense from
the potential cost and punishment (Straub & Welke,
1998). Deterrence theory has an underlying assump-
tion that human behaviors pursue pleasure and avoid
pain. To deter potential criminals from committing
unlawful behavior, it is necessary to impose counter-
measures that increase the cost or reduce the benefits
associated with doing so (Becker). Thus, for cyber ter-
rorism in the existing legal infrastructure, the costs
to commit terrorism can be increased significantly by

raising the probability of being tracked. Using different
perspectives (e.g., policing, education, economics, and
behavioral), we show that increasing the punishment
level may not lead to deterring cyber terrorism.
Cameron (1988) studied the theoretical effect of
crime deterrence and compared this effect with empir-
ical works from other economists. Since Becker (1968)
published his famous crime and punishment theory, a
large body of literature on crime believed that police
expenditures were an effective input to deter crime.
To prove Becker’s belief, Cameron conducted a survey
to test whether punishment deterred crime, in theory,
and to test the effectiveness of the police in deter-
ring crime. In comparison, a literature review indicated
that punishment often increases crime or that police
inputs were positively correlated with crime. After care-
ful examination, the author found that studies using
aggregate data failed to demonstrate the deterrence
effects of policy inputs. On the other hand, the stud-
ies of individual prisoners and victims suggested that
police inputs do have a positive deterrent effect on the
supply of crime. The paper provided nine reasons why
punishment may not deter crime:
(1) risk in legal activities,
(2) reductions in private sector deterrence efforts,
(3) spillover/displacement effects,
(4) effects of criminals with a target income,
(5) effects on industry supply behavior for organized

crime,
(6) adaptive behavior,
(7) practical certainty,
(8) cognitive dissonance, and
(9) income and substitution effects.
Nations have different legal structures for punishing
criminal activities not only for these reasons but also
from societal mores. Due to conflicting results of the
research on punishment, it is unclear as to what degree
punishment levels may deter cyber terrorism.
Workman and Gathegi (2007) studied the effects
of attitudes towards the law and the effects of
social influence. Their study began by investigating
the counterproductive-behavior literature. Punishment
and ethics education were found to be effective in
deterring cyber criminal behavior. Punishment was
more effective in deterring people who tried to avoid
punishment or negative sequences, other than ethics
education. Ethics education more so than punish-
ment was effective in deterring people who had a
strong social consciousness. People who had a high
level self-control were more responsive to ethics train-
ing. People who had a low level of self-control were
more responsive to punishment for information secu-
rity contravention. Based on the well-know fact that
terrorists are willing to sacrifice their lives, it is unlikely
that the punishment level will be an effective tool in
deterring cyber terrorists.
Oksanen and Valimaki (2007) discussed copyright
violations and solutions on the Internet. The two
authors formed a traditional behavioral economic
model on the deterrence effect of lawsuits against

Internet copyright violations. The general deterrence
theory attempted to reduce the successful rates of crim-
inal behavior. Their observations supported the theory
that individuals tried to maximize their payoffs by
calculating utilities. The authors also found that the
strategy of minimizing risk was not only theoretically
practiced but also extensively used. The classic deter-
rence model heavily relied on the utility theory and
had many limitations. The two authors found that the
classic deterrence model should incorporate the repu-
tational cost of violations and the reputational benefit
of violations (Sunstein, 2003). The reputational cost
means the unofficial sanction applied by the indi-
vidual’s peers. The reputational benefit comes from
the support of the individual’s community or peers
(Rebellon & Manasse, 2004). The reputational bene-
fit may play a significant role in individual decision
making. This literature shows the possible existence of
the reputational benefits behind cyber terrorism. The
increased reputation from peer groups after a successful
cyber attack may motivate cyber terrorists to advertise
their activities.
Straub and Welke (1998) considered deterrence the-
ory as a theoretical basis for security countermeasures
to reduce information security risks. They derived four
distinct activities from deterrence theory: deterrence,
prevention, detection, and recovery. With respect to
internal computer abuse, they believed that managers
were the key to successfully deterring, preventing,
detecting, and pursuing remedies. The authors claimed
that deterrent countermeasures were passive because
they had no inherent provision for enforcement. They
also believed that security training for internal employ-
ees was a form of deterrent countermeasures, which
can convince potential internal computer abusers that

the company was serious about the security and would
sue the computer abusers. This research clearly points
to the influence of managerial policies for deterrence,
prevention, detection, and recovery from cyber threats,
which may have a similar impact on cyber terrorism.
The punishment may be to a person, group, or to a
party to which the person belongs. The punishment
may not just be imprisonment and fine. For cyber
terrorism, the punishment may include antiterrorism
wars against the state in which the cyber terrorists
reside. Thus, the punishment to cyber terrorists may
be more severe and in some cases exceed the losses
they caused to the victims. Determining the proper
punishment is an important issue in the legal field.
Becker (1968), in his classical paper about punishment
determination, believed that punishment determina-
tion has to consider the social cost of punishments
and that all punishments can be converted to monetary
values. Legal systems in most societies specify punish-
ments that increase with the level of social harm caused
by the criminal activities (Rasmusen, 1995). As cyber
terrorism becomes more harmful, based on Becker’s
theory, increasing the punishment substantially for the
sake of the additional deterrence may be worth the
costs. However, since the research on punishment level
is inconclusive, it is difficult to quantify the level of
punishment that will stop cyber terrorism.
Based on the literature survey, a functional form of
punishment level on the deterrence effect for cyber

terrorism is plotted in Figure 1. While the functional
form is a sigmoid curve, low levels of punishment lev-
els have little or no impact on deterrence. Only at high
punishment levels do deterrence effects show up. From
an economic perspective, such high punishment levels
may be achieved only by means of very high invest-
ment levels, for example, extensive crippling of parts
of the cyber infrastructure.
Wible (2003) proposed two approaches to deter
cyber hackers: (1) reinforce the criminal law and
increase punishment, and (2) decriminalized the least
dangerous kinds of hacking in ways that demarginalize
the hacking community. Rational economic models on
deterrence perceive all potential criminals are rational.
However, little empirical research supports the rational
economic models on deterrence (Sheizen, 1995). The
failure reason of rational economic models on deter-
rence is that the hackers’ perception of the probability
of identification and punishment is more complex
than what we thought (Zimring & Hawkins, 1973).
In a recent workshop that discussed how informa-
tion warfare on the United States might be deterred,
several important findings were proposed (IWAR,
2008). We map these findings into three dimensions
of cyber deterrence: technical, policy, and legal.
• The workshop participants always assume that a vis-
ible set of defenses was the beginning to deter cyber
attacks (policy).
• Current employed defenses were inadequate to deter
well-prepared cyber attacks (technology).

• Deterrence of cyber-attacks was understood to
depend upon the nature of attackers (policy, legal).
• Deterrence requires identification of the value held
by the potential attackers and the capacity to com-
municate with those attackers (policy).
• It may be impossible to create an omnipotent deter-
rence policy that will be effective (technology, legal,
policy).
FIGURE 1 Effect of punishment level on deterrence. (color
figure available online.)
• Cyber attackers could be deterred by explicit threats
and retaliatory actions implying future threats (legal,
policy).
• Aggressive domestic and international law enforce-
ment can certainly have a deterrence effect on
potential adversaries. To deter cyber attackers, realis-
tic threat of capture and punishment should be used
(legal).
• Electronic IDs combined with computer hardware
and software can also deter potential cyber attackers
(technology).
3. CHALLENGES TO THE DETERRENCE
ON CYBER TERRORISM
Deterrence theory can be applied to all cyber

crimes including cyber terrorism (Ginges, 1997; Frey &
Luechinger, 2002; Carns, 2001). The literature review
(section 2.2) indicated that the impact of deterrence
(deterrence effect) is positively correlated with the iden-
tification probability, and it also may be positively
correlated with punishment level. Keeping the poten-
tial punishment severity unchanged, the deterrence
effect will be determined by the identification proba-
bility. The identification probability depends upon the
capability to track cyber terrorists. Thus, to increase the
impact of deterrence on cyber terrorism, the identifica-
tion probability must be increased. An inability to track
cyber terrorists would make it difficult for local and
international jurisdictions to track the entire network
of cyber terrorists as well as to prosecute them due to
the lack of proof of identification of these cyber ter-
rorists. In this section, we describe the technical means
available to cyber terrorists to avoid being tracked.
From a cyber terrorist’s perspective, the advantages
of cyber terrorism are anonymity and the ability to
remotely control the terrorist act. To attack a vic-
tim anonymously, a cyber terrorist has to make sure
that he or she cannot be tracked. An experienced
cyber terrorist could utilize the vulnerabilities in soft-
ware, hardware, networks, Internet, human beings, and
jurisdictions to avoid being tracked back.
To avoid being tracked back, cyber terrorists can
employ three methods: (1) spoofing their media access
control (MAC) and Internet protocol (IP) addresses,
(2) using a public Internet, and (3) using proxy servers.
To access a switched network, a cyber terrorist’s com-
puter must have a MAC address. A MAC address
is unique and assigned to a network interface card

(NIC) by its manufacturer for identification purpose.
Similarly, if this cyber terrorist wants to access a routed
network, his computer must an IP address. There are
many programs available on the Internet to spoof
MAC and IP addresses. A fake MAC address could
cheat a firewall by bypassing a network access restric-
tion and erase intruders’ fingerprints (a MAC address
is unique and combined with a NIC card). A cyber
terrorist can use a sniffer hacking tool to pick up
MAC addresses from the traffic of a target network,
spoof the MAC, and disguise himself as an autho-
rized user to bypass the network access control of the
target. IP address spoofing is a fairly old intruding
method. In DDOS attacks, a cyber terrorist can spoof
the IP addresses of source computers. Because the IP
addresses are changing, it is difficult for the target to
trace and defend against DDOS attacks. Of course,
spoofing MAC and IP address currently cannot guar-
antee complete anonymity. If an investigator can trace
back to the Internet service provider (ISP) of the cyber
terrorist, the cyber terrorist location still can be nar-
rowed to a small list with the connection logs provided
by the ISP.
Some cyber terrorists may think of using public
Internet connections such as those available at the free
library or in Internet cafés. Usually these free Internet
connection services do not require any identification.
However, this method is not completely safe for a
cyber terrorist, for example, if there are video cameras
in these public areas. Investigators can use recorded
video and the Internet connection logs to make a
narrow suspect list.
Cyber terrorists who are good at sniffing could abuse

a private wireless connection which does not have
encryption protection. It is not known how to track
a cyber terrorist in a wireless network (Velasco, Chen,
Ji, & Hsieh, 2008). Closest access point, triangulation,
and radio frequency fingerprinting are commonly used
techniques for tracking in wireless networks, but all of
them are inaccurate (Zeilandoo & Ngadi, 2008). Cyber
terrorists can hide themselves in a neighbor area to uti-
lize intruded wireless network as a proxy server and
escape detection by investigators.
Proxy servers are the most common methods to
prevent tracking back. Usually there are many hops
between a cyber terrorist host and a target host. Cyber
terrorists can utilize proxy servers to cover their loca-
tions. For example, if a cyber terrorist is living in Iraq,
he can use several anonymous proxy servers hosted
in other countries as intermediators. If the last proxy
server is located in the United States, the target vic-
tim will assume the connection from a domestic area,
which is not in the highly restricted area. In the other
side, those anonymous proxy servers are used by many
users every day. If one of those proxy servers dumps its
log every two to three hours, it is difficult for investi-
gators to find the cyber attack’s cyber path. The clue
chain is broken. Sometimes cyber terrorists could use
zombies as proxy servers, which are totally under their
control. If cyber terrorists install special programs in
their zombies to physically clean the Internet collec-
tion logs every minute, it is difficult for investigators
to collect evidence. If one of those proxy servers is

located in a country that does not consider cyber
attacks a crime or never cooperates with the United
States, it becomes impossible for investigators to col-
lect evidences. We still think the clue chain is totally
broken.
If we cannot find the location of cyber terrorists,
we cannot punish them and alert their community.
Tracking cyber terrorists is a big problem that must
be solved. However, the history of the Internet shows
that it was not designed with foolproof tracking func-
tions. The Internet was originally designed for and
used by scientists and researchers. While the Internet
does have logging capabilities, these capabilities can be
foiled and the Internet protocol has no other means
of recording a user’s activities. Moreover, high-speed
Internet development hinders tracking cyber terrorists.
For example, the primary duty of an Internet route is
to route packets as fast as possible in order to facili-
tate high-speed connections. If the Internet speed is too
fast, it is impossible for a regular router to keep a suffi-
cient log. For example, a router on the Internet with a
speed of 1,000 gigabytes needs a 6,000 gigabyte mem-
ory to record one minute of traffic. The writing speed
of the memory must be 100 gigabytes per second. Even
though this kind of memory exists, it can increase
the price of the router and the expense incurred for
Internet usage. Also, current literature has not shown
any available network infrastructure for tracking.
In summary, the design of the Internet, which is
based on the TCP/IP, poses serious challenges to the
identification of cyber terrorists. TCP/IP has several
weaknesses that are inherent in the architecture of
the protocol. A group knowing about these protocols
can effectively sabotage it to their advantage (Bellovin,

2004). Moreover, even private networks not connected
to the Internet, but based on the TCP/IP protocol they
are susceptible to breaches from “springboard” attacks
(US-CERT, 2005).
4. ENHANCING CYBER-TERRORISM
DETERRENCE
Wible (2003) believes that reinforcing the criminal
law and increasing punishment will improve the deter-
rence effect of cyber crimes. Similarly, increasing the
identification rate will increase the deterrence effect of
cyber terrorism. In order to deter cyber terrorism, the
legal and law enforcement communities will need to
signal the cyber terrorist community that the identi-
fication rate and the punishment severity have been
increased. While it is believed that cyber terrorists fear
punishment, punishment can only occur if the cyber
terrorists can be traced, found, and identified. If the
cyber terrorists believe they will never be identified,
increasing punishment severity will be less effective
in deterring hacking activities. Thus, the first line of
defense is to increase the identification rate since it will
be more effective in deterring potential cyber terrorism
activities. Signaling mechanisms from the legal com-
munity that punishment severity has been increased
also need to be sent to the cyber-terrorist community.
We propose a framework to enhance the deterrence
effect for cyber terrorism (see Figure 2). This frame-
work relies on three critical infrastructures to deter
cyber terrorism activities: the technical, policy, and
legal infrastructure (section 2.2).
The proposed framework incorporates six enti-
ties: the national government, fee-based Internet ser-

vice providers, organizations, free Internet service
providers, citizens, and other countries. As per the
framework, the national government plays a leading
role in enhancing deterrence for cyber terrorism. Any
national government has five responsibilities in this
deterrence war:
1. Enhance cooperation among different international
jurisdiction areas. Without international coopera-
tion and agreements, the evidences used to track
and sue the cyber terrorists could be destroyed.
From an international legal perspective, several
bases of jurisdictions are available to prosecute
cyber terrorists: nationality of the victim or the
perpetrator (e.g., anti-child sex tourism, victims
of terrorism), territorial jurisdiction based on a
National
Government
• Cooperate with other national
jurisdictions to share
information
• Invest on Internet
Authentication Technologies
• Educate citizens
• Cooperate with ISPs to
tighten access controls

• Legal Infrastructure
Free Internet
Service Providers
• Tighten the access control
of the free Internet
service
Internet Service
Providers
• Adopt the latest security
technologies
• Record users activities
Citizens
• Receive education on the
Internet usage
Organizations
• Train employees to
prevent Cyber-Terrorism
• Adopt latest security
technologies
Other Countries
• Cooperate with other
national jurisdictions to
share information

(See National
Government
Policies)
FIGURE 2 Framework of enhancing deterrence for cyber
terrorism.
state’s borders (e.g., antitrust conspiracies effecting
local businesses), universal jurisdiction based on the
extreme gravity of the crime (e.g., piracy, slavery,
war crimes), and protective jurisdiction based on the
threat to a state e.g., counterfeiting, treason. Gable
(2009) argues that universal jurisdiction is most
suited to cyber terrorism and is the most efficient
way of deterring such crimes. Universal jurisdic-
tion can be based on treaties among nations or
in customary international law. Numerous treaties
exist to prosecute terrorists, such as the Convention
to Prevent and Punish Acts of Terrorism Taking
the Form of Crimes Against Persons and Related
Extortion that are of International Significance, and
the International Convention for the Suppression
of Terrorist Bombings. These treaties can conceiv-
ably be applied to cyber terrorism (Gable). Similarly,
the United Nations (UN) Security Council has
condemned terrorism through Security Council
Resolutions 1373, 1566, and 1624. UN Resolution
51/210 is specifically aimed at cyber terrorism.
2. Fund research on adoption of Internet authenti-
cation technologies. Current technologies to track
sophisticated cyber terrorists are lacking in trac-
ing capabilities primarily due to the design of the
TCP/IPv4 protocol (see section 3). With increased
investments in universal adoption of IPv6, track-

ing problem of any packets can be solved. However,
even IPv6, which uses the secure Internet Protocol
Security (IPsec) to encrypt all data packets at
OSI Layer 3, may not solve all issues, especially
since IPv6 with backwards compatibility defeats
the purpose of authentication. Moreover, terror-
ists may manage to acquire a previously authenti-
cated machine. Increased funding may be directed
towards creation of protocols and processes that
embed authentication at all levels (Lipson, 2002).
3. Enhance cooperation between law enforcement and
local ISPs. If ISPs can use advanced technologies
to record all connection requests, it is much eas-
ier for investigators to track and lockdown the cyber
terrorists (Morris, 2001; Benoist, 2008).
4. Educate and train the public to protect them from
cyber terrorism. A policy of mandating all wireless
users to implement an access control scheme to their
wireless networks should prevent cyber terrorists
from acquiring Internet resources easily. The policy
may mandate that the default configuration of all
wireless access points be set to a secure protocol and
prohibit any access without a unique key assigned to
each and every individual (Morris, 2001). However,
this needs to be balanced by privacy rights.
5. Create a legal infrastructure that will lead to quick
and effective prosecution of hackers and white col-
lar computer crimes. The infrastructure becomes a

signaling mechanism to potential cyber terrorists
and thus increases their costs of conducting harmful
activities.
Of these five policies, the first four deal with pol-
icy decisions that a central/local government needs to
make. The legal infrastructure is the glue that binds
these and other cyber security policies.
Internet service providers’ responsibilities include
(1) adopting the latest authentication technologies and
(2) logging the Internet connections. By adopting the
latest authentication technologies, it will be difficult for
cyber terrorists to spoof their MAC and IP addresses.
By logging the Internet connections, investigators can
obtain the raw historical data about all users’ activ-
ities. The technical infrastructure of cyber terrorism
deterrence should support all such responsibilities.
Free Internet service providers need to tighten their
access control of free Internet services. Proper identifi-
cation should be required to use their free Internet ser-
vices, especially for their free wireless Internet services.
Free training on Internet security should be provided
by local governments to their citizens. Education and
mass marketing efforts to citizens should focus on the
citizens to secure their home wireless networks against
unauthorized uses. The technical and policy infrastruc-
tures of cyber terrorism deterrence should support the
free Internet service providers.
Organizations’ responsibilities include (1) adopting
the latest authentication technologies and (2) training
employees to prevent cyber terrorism. By adopting the
latest authentication technologies, organizations can
tighten the access control of their wired network and

wireless access points. It will be difficult for cyber ter-
rorists to use the evil twin method to intrude wireless
access points. By training employees against cyber ter-
rorism, organizations can minimize the vulnerabilities
of human beings. It will be difficult for cyber ter-
rorists to utilize social engineering and rogue access
points, which are unauthorized access points built by
an individuals or a department. The technical and pol-
icy infrastructures of cyber-terrorism deterrence should
support organizations.
All nations should adopt similar policies. However,
not all nations may have the resources to fund all lev-
els of deterrence. Nations at risk, such as the United
States, can fund the adoption of the latest Internet
authentication technologies and share that informa-
tion. They should tighten their access control of the
Internet usage along with the help of their local ISPs.
If a country refuses to adopt anti-cyber-terrorism pro-
cedure, policies can be implemented that monitor
their incoming Internet IP packets and slow down
the rate at which Internet packets are handled within
the affected nation. That country may be put on a
black list (e.g., Financial Action Task Force blacklist)
until that country implements the satisfactory level of
anti-cyber-terrorism procedures. An international legal
infrastructure needs to be created for cyber-terrorism
deterrence.
Figure 3 shows the impact of increasing resources
in each of the three infrastructures. The lowest most
FIGURE 3 Impact of improved resource allocations in cyber
terrorism infrastructures. (color figure available online.)

plot (in red) shows a base deterrence function – it
takes considerable resources to achieve a significant
deterrence level. Improvements in the legal infras-
tructure result in shifting the plot to the left; that
is, fewer resources are needed to achieve the same
deterrence level (shown in blue). By improvements in
resources allocated towards the policy infrastructure
along with improvements in the legal infrastructure,
lesser resources are needed to achieve the same deter-
rence level (shown in green). By further improving
the technical infrastructure, fewer resources are needed
for a target deterrence level (shown in purple). In this
figure, the placement of improvements in the techni-
cal, policy, and legal infrastructures can be swapped
without loss of generality. However, to achieve any
meaningful benefit for deterrence for cyber terror-
ism, resources need to be expended for all the three
infrastructures.
5. CONCLUSION
Cyber terrorism is threatening our national secu-
rity and a major attack can be mounted at any time.
This paper explores the literature on cyber terrorism,
cyber terrorists, and deterrence aspects. In order to
deter cyber terrorism, we customarily think of increas-
ing the punishment severity unilaterally. However, the
effect of deterrence depends not only on the punish-
ment severity but also on the proper identification of
the terrorists. To increase the identification probability,
we must increase the probability of successfully track-
ing cyber terrorists. However, the tracking mechanisms
have many legal and technical challenges, which are

discussed in this paper. We proposed a framework to
overcome these challenges and enhance our capabili-
ties to deter cyber terrorism. We propose three types of
infrastructures to deter cyber terrorism: technical, pol-
icy, and legal. Each of the three infrastructures must be
present in order for a deterrence policy to be effective.
For each of the three infrastructures, we have listed key
areas that need to be examined.
In this paper, while we have listed the key areas to
be examined, we have not done any sensitivity anal-
ysis on each of the key areas. For example, we have
not addressed the issue of determining the marginal
benefits of expending resources on each of the key
areas. Our future work addresses this by developing an
optimal resource allocation model to deter cyber ter-
rorism. This paper provides a foundation to work on
such extensions that may be of interest to practitioners
and academic researchers alike.
This paper has discussed several issues with respect
to deterring cyber terrorists, focusing on the identifica-
tion aspects of terrorists. However, an open issue still
remains on how to signal the identification and punish-
ment level to the cyber-terrorist community. We sug-
gest that positive news reports disseminated on TVs
or newspapers can alert potential cyber terrorists (e.g.,
http://www.cybercrime.gov/). Cyber terrorists will be
warned that this is not a “catch me if you can” game but
a “we can catch if you do” game. Evaluating the effect
of sending signals to the cyber-terrorist community is
the focus of our ongoing research project.
REFERENCES
Aitoro, J. R. (2009a). Cyber attacks against critical U.S.

networks ris-
ing at a faster rate. Retrieved from
http://www.nextgov.com/nextgov/
ng_20091208_4177.php
Aitoro, J. R. (2009b). Terrorists nearing ability to launch big
cyber
attacks against U.S. Retrieved from
http://www.nextgov.com/nextgov/
ng_20091002_9081.php
Anandarajan, M., & Simmers, C. (2004). Personal web usage in
the work-
place: A guide to effective human resources management.
Hershey:
Idea Group Inc (IGI).
Becker, S. G. (1968). Crime and punishment: An economic
approach.
Journal of Politic Economy, 76(2), 167–217.
Bellovin, S. M. (2004). A look back at “security problems in the
TCP/IP protocol suite”. Proceedings of the 20th Annual
Computer
Security Applications Conference (pp. 229–249). Washington,
D.C.:
IEEE Computer Society.
Benoist, E. (2008). Collecting data for the profiling of web
users.
In Profiling the European citizen cross-disciplinary perspective
(pp.
169–184). Houten, Netherlands: Springer.
Cameron, S. (1988). The economics of crime deterrence: A

survey of
theory and evidence. Kyklos, 41(2), 301–323.
Carns, M. P. C. (2001). Reopening the deterrence debate:
Thinking about
a peaceful and prosperous tomorrow. Small Wars &
Insurgencies,
11(2), 7–16.
Chu, H., Deng, D., Chao, H., & Huang, Y. (2009). Next
generation
of terrorism: Ubiquitous cyber terrorism with the accumulation
of
all intangible fears. Journal of Universal Computer Science,
15(12),
2373–2386.
Desouza, K. C., & Hensgen, T. (2003). Semiotic emergent
framework to
address the reality of cyber terrorism. Technological
Forecasting and
Social Change, 70(4), 385–396.
Embar-Seddon, A. (2002). Cyberterrorism. American Behavioral
Scientist,
45(6), 1033–1043.
Foltz, C. B. (2004). Cyber terrorism, computer crime, and
reality.
Information Management & Computer Security, 12(2/3), 154–
166.
Frey, B. S., & Luechinger, S. (2002). How to fight terrorism:
Alternatives
to deterrence. Retrieved from http://ssrn.com/abstract=359824

Gable, K. A. (2009). Cyber-Apocalypse now: Securing the
Internet
against cyber terrorism and using universal jurisdiction as a
deterrent.
Retrieved from http://ssrn.com/abstract=1452803
Gengler, B. (1999). Politicians speak out on cyber terrorism.
Network
Security, 1999(10), 6.
Ginges, J. (1997). Deterring the terrorist: A psychological
evaluation of
different strategies for deterring terrorism. Terrorism and
Political
Violence, 9(1), 170–185.
Gordon, S., & Ford, R. (2002a). Cyberterrorism? Computer &
Security,
21(7), 636–647.
Griffith, D. A. (1999). Organizing to minimize a cyber-terrorist
threat?
Marketing Management, 8(2), 9–15.
Hansen, J. V., Lowry, P. B., Meservy, R., & McDonald, D.
(2005). Genetic
programming for prevention of cyber terrorism through dynamic
and evolving intrusion detection. Decision Support Systems,
43(4),
1362–1374.
Hassan, N. (2001). An arsenal of believers: Talking to the

human bombs.
The New Yorker, 77(36).
Hua, J., & Bapna, S. (2009). The impact of cyber terrorism on
invest-
ment for information system security. Proceedings of the 40th
Annual
Meeting of Decision Science Institute, New Orleans, LA.
IWAR. (2008). How might IW attacks on the United States be
deterred? Retrieved from
http://www.iwar.org.uk/iwar/resources/
deterrence/iwdCh2.htm
Jormakka, J., & Molsa, J. V. E. (2005). Modeling information
warfare as a
game. Journal of Information Warfare, 4(2), 12–25.
Keet, M. (2003). Terrorism and game theory: Coalitions,
negotiations
and audience costs. Retrieved from http://keetwitnie.tripod.com/
TerrorismGameTheory.pdf
Krueger, A., & Maleckova, J. (2003). Education, poverty,
political vio-
lence, and terrorism: Is there a connection? Journal of
Economic
Perspectives, 17(4), 119–144.
Lipson, H. F. (2002). Tracking and tracing cyber attacks.
Retrieved from
http://www.cert.org/archive/pdf/02sr009.pdf
Morgan, M. J. (2004). The origins of new terrorism. Parameters,
34, 9–42.
Morris, D. A. (2001). Tracking a computer hacker. Retrieved

from http://
www.leetupload.com/database/Misc/Papers/Asta%20la%20Vista
/
Web%20Papers/tracking_a_computer_hacker.doc
Nelson, B., Choi, R., Lacobucci, M., Mitchell, M., & Gagnon,
G. (1996).
Cyber terror: Prospects and Implications. Retrieved 16 May
2008.
Oksanen, V., & Valimaki, M. (2007). Theory of deterrence and
individual
behavior. Can lawsuits control file sharing on the Internet?
Review of
Law and Economics, 3(3), 693–714.
Oprea, D., & Mesnita, G. (2005). The information system and
the global
terrorism. Retrieved from http://ssrn.com/abstract=906289
Parks, R. C., & Duggan, D. P. (2001, June). Principle of cyber-
warfare.
Proceedings of the 2001 IEEE Workshop on Information
Assurance
and Security, West Point, NY.
Pearson, F. S., & Weiner, N. A. (1985). Toward an integration
of crimi-
nological theories. Journal of Criminal Law and Criminology,
76(1),
116–150.
Pedahzur, A., Perliger, A., & Weinberg, L. (2003). Altruism and
fatalism:
The characteristics of Palestinian suicide terrorists. Deviant

Behavior:
An Interdisciplinary Journal, 24, 405–423.
Rasmusen, E. (1995). How optimal penalties change with the
amount
of harm. International Review of Law and Economics, 15(1),
101–108.
Rebellon, C., & Manasse, M. (2004). Do “bad boys” really get
the girls?
Delinquency as a cause and consequence of dating behavior
among
adolescents. Justice Quarterly, 21(2), 355–390.
Rogers, M. (1999). Psychology of computer criminals. In
Proceedings
of the Annual Computer Security Institute Conference, St.
Louis, MO.
Rollins, J., & Wilson, C. (2007). Terrorist capabilities for cyber
attack:
Overview and policy issues. Retrieved from
http://italy.usembassy.gov/
pdf/other/RL33123.pdf
Sageman, M. (2004). Understanding terror networks.
Philadelphia, PA:
University of Pennsylvania Press.
Sherizen, S. (1995). Can computer crime be deterred? Security
Journal,
6, 177–181.
Skibell, R. (2003). Cybercrime & misdemeanors: A reevaluation
of the
computer fraud and abuse act. Berkeley Technology Law

Journal, 18,
909–944.
Stanton, J. J. (2002). Terror in cyberspace. American
Behavioral Scientist,
45(6), 1017–1032.
Straub, D. W., & Welke, R. J. (1998). Coping with systems risk:
Security
planning models for management decision making. MIS
Quarterly,
22(4), 441–469.
Sunstein, C. (2003). Why societies need dissent. Cambridge,
MA: Harvard
University Press.
Trachtman, J. P. (2004). Global cyber terrorism, jurisdiction
and interna-
tional organization. Retrieved from
http://ssrn.com/abstract=566361
U.S. Government. (2009). 2009 report to Congress of the U.S.-
China eco-
nomic and security review commission. Retrieved from
http://www.
uscc.gov/annual_report/2009/annual_report_full_09.pdf
US-CERT. (2005). Vulnerabilities in TCP. Retrieved from
http://www.us-
cert.gov/cas/techalerts/TA04-111A.html
Velasco, E., Chen, W., Ji, P., & Hsieh, R. (2008, August).
Challenges
of location tracking techniques in wireless forensics.
Proceedings

of International Conference on Intelligent Information Hiding
and
Multimedia Signal Processing, Harbin, China.
Verton, D. (2003). Black ice: The invisible threat of cyber
terrorism.
Emeryville, CA: McGraw Osborne Media.
Victoroff, J. (2005). The mind of terrorist: A review and
critique of
psychological approach. The Journal of Conflict Resolution,
49(1),
3–41.
Walker, C. (2006). Cyber terrorism: Legal principle and the law
in the
United Kingdom. Penn State Law Review, 110, 625–665.
Wehde, E. (1998). U.S. vulnerable to cyber terrorism. Computer
Fraud &
Security, 1, 6–7.
Wible, B. (2003). A site where hackers are welcome: Using
hack-in con-
tests to shape preferences and deter computer crime. The Yale
Law
Journal, 112(6), 1577–1623.
Workman, M., & Gathegi, J. (2007). Punishment and ethics
deterrents:
A study of insider security contravention. Journal of the
American
Society for Information Science and Technology, 58(2), 212–
222.
Zeidanloo, H., & Ngadi, M. (2009). Intruder Location Tracking.

Proceedings of the 2009 Second International Conference on
Computer and Electrical Engineering (507–511). Washington,
D.C.:
IEEE Computer Society.
Zimring, F., & Hawkins, G. (1973). Deterrence. Chicago, IL:
University of
Chicago Press.
BIOGRAPHIES
Jian Hua is an associate professor in the Department
of Marketing, Legal Studies, and Information Systems
at the School of Business and Public Administration,
the University of the District of Columbia. His
research interests include information security, cyber
internal control, and cyber auditing. His paper
has been published or accepted by several aca-
demic journals and conferences. His research has
won the Best Interdisciplinary Research Paper in
2009 Decision Science National Conference. He also
served as a chair of Information Systems Security ses-
sion in 2010 Decision Science National Conference.
He received his BS in Power Engineering from
Southeast University (China), his MS in Information
Engineering, and PhD in Business Administration
from Morgan State University.
Sanjay Bapna is an associate professor in the
Information Sciences and Systems Department at
Morgan State University. He has more than 20 years of

experience in data gathering and modeling techniques.
He has worked extensively as a principal investigator
for numerous funded studies related to commercial
vehicle operations with the State of Maryland. His
peer-reviews papers on computer security, privacy, and
decision making have been published in top-quality
journals including Decision Sciences and Decision Support
Systems. A joint paper with Dr. Jian Hua was recently
awarded the prestigious 2009 Best Interdisciplinary
Paper Award by the National Decision Sciences
Institute. Another of his papers has been awarded
the Best Paper by the International Association
of Computer Information Systems. He obtained a
B. Tech. in Chemical Engineering from the Indian
Institute of Technology and MBA and PhD with spe-
cialization in information systems from the University
of Iowa.
Copyright of Information Security Journal: A Global
Perspective is the property of Taylor & Francis Ltd and its
content may not be copied or emailed to multiple sites or posted
to a listserv without the copyright holder's
express written permission. However, users may print,
download, or email articles for individual use.
2/15/2018 EBSCOhost

http://web.b.ebscohost.com/ehost/delivery?sid=a044cfde-323a-
4432-ab13-
0153ed2567f1%40sessionmgr102&vid=15&ReturnUrl=http%3a
%2f%2fweb.… 1/4
EBSCO Publishing Citation Format: APA (American
Psychological Assoc.):
NOTE: Review the instructions at
http://support.ebsco.com/help/?int=ehost&lang=&feature_id=AP
A and make
any necessary corrections before using. Pay special attention to
personal names, capitalization, and
dates. Always consult your library resources for the exact
formatting and punctuation guidelines.
References
CYBER-TERRORISM. (2011). International Debates, 9(9), 10-
13.

CYBER-TERRORISM
Cyber-attacks, Terrorist Capabilities, and Federal Action
Although terrorists have been adept at spreading propaganda
and attack instructions on the Web, it
appears that their capacity for offensive computer network
operations may be limited. The Federal
Bureau of Investigation (FBI) reports that cyber-attacks
attributed to terrorists have largely been limited
to unsophisticated efforts such as email bombing of ideological

foes, denial-of-service attacks, or
defacing of websites. However, it says, their increasing
technical competency is resulting in an emerging
capability for network-based attacks. The FBI has predicted that
terrorists will either develop or hire
hackers for the purpose of complementing large conventional
attacks with cyber-attacks.
During his testimony regarding the 2007 Annual Threat
Assessment, FBI Director Robert Mueller
observed that "terrorists increasingly use the Internet to
communicate, conduct operational planning,
proselytize, recruit, train, and to obtain logistical and financial
support. That is a growing and increasing
concern for us." In addition, continuing publicity about Internet
computer security vulnerabilities may
encourage terrorists' interest in attempting a possible computer
network attack, or cyber-attack, against
U.S. critical infrastructure.
Possible Terrorist Objectives
The Internet, whether accessed by a desktop computer or by the
many available handheld devices, is
the medium through which a cyber-attack would be delivered.
However, for a targeted attack to be
successful, the attackers usually require that the network itself
remain more or less intact, unless the
attackers assess that the perceived gains from shutting down the
network entirely would offset the
accompanying loss of their own communication. A future
targeted cyber-attack could be effective if
directed against a portion of the U.S. critical infrastructure, and
if timed to amplify the effects of a
simultaneous conventional physical or chemical, biological,
radiological, or nuclear (CBRN) terrorist
attack. The objectives of a cyber-attack may include the

following four areas:
* loss of integrity, such that information could be modified
improperly;
* loss of availability, where mission-critical information
systems are rendered unavailable to authorized
users;
javascript:openWideTip('http://support.ebsco.com/help/?int=eho
st&lang=&feature_id=APA');
http://search.ebscohost.com/login.aspx?direct=true&db=a9h&A
N=70080217&site=ehost-
live&authtype=uid&user=grantham&password=research
2/15/2018 EBSCOhost
4432-ab13-
%2f%2fweb.… 2/4
* loss of confidentiality, where critical information is disclosed
to unauthorized users; and
* physical destruction, where information systems create actual
physical harm through commands that
cause deliberate malfunctions.
Publicity would also potentially be one of the primary
objectives for a terrorist cyberattack.
Extensive media coverage has shown the vulnerability of the
U.S. information infrastructure and the
potential harm that could be caused by a cyber-attack. This

might lead terrorists to believe that even a
marginally successful cyber-attack directed at the United States
would garner considerable publicity.
Some suggest that were such a cyber-attack by an international
terrorist organization to occur and
become known to the general public, regardless of the level of
success of the attack, concern by many
citizens and cascading effects might lead to widespread
disruption of critical infrastructures.
For example, reports of an attack on the international financial
system's networks could create a fiscal
panic in the public that could lead to economic damage.
According to security experts, terrorist groups
have not yet used their own computer hackers nor hired hackers
to damage, disrupt, or destroy critical
infrastructure systems. Yet reports of a recent disruptive
computer worm that has spread through some
government networks, including that of the National
Aeronautics and Space Administration, have found
a possible link to a Libyan hacker with the handle "Iraq
Resistance" and his online hacker group
"Brigades of Tariq ibn Ziyad," whose stated goal is "to
penetrate U.S. agencies belonging to the U.S.
Army."
According to these reports, references to both the hacker and
group have been found in the worm's
code. However, this does not provide conclusive evidence of
involvement, as email addresses can be
spoofed and code can be deliberately designed to implicate a
target while concealing the true identity of
the perpetrator.
The recent emergence of the Stuxnet worm may have
implications for what potential future cyber-

attacks might look like. Stuxnet is thought to be the first piece
of malicious software (malware) that was
specifically designed to target the computer-networked
industrial control systems that control utilities, in
this case nuclear power plants in Iran. Although many experts
contend that the level of sophistication,
intelligence, and access required to develop Stuxnet all point to
nation-states, not only is the idea now in
the public sphere for others to build upon, but the code has been
released, as well. An industrious group
could potentially use this code as a foundation for developing a
capability intended to degrade and
destroy the software systems that control the U.S. power grid, to
name one example.
Federal Government Efforts to Address Cyber-terrorism
A number of U.S. Government organizations appear to monitor
terrorist websites and conduct a variety
of activities aimed at countering them. Given the sensitivity of
federal government programs responsible
for monitoring and infiltrating websites suspected of supporting
terrorism-related activities, much of the
information regarding the organizations and their specific
activities is deemed classified or law
enforcement-sensitive and is not publicly available.
The information listed below represents a sampling of what has
been publicly discussed about some of
the federal government organizations responsible for monitoring
and infiltrating jihadist websites. It
should be noted that the actions associated with the
organizations listed below could be conducted by
employees of the federal government or by civilian contract
personnel.

2/15/2018 EBSCOhost
4432-ab13-
%2f%2fweb.… 3/4
* Central Intelligence Agency -- development, surveillance, and
analysis of websites, commonly referred
to as honey pots, for purposes of attracting existing and
potential jihadists searching for forums to
discuss terrorism-related activities.
* National Security Agency -- surveillance of websites and
rendering them inaccessible.
* Department of Defense (DOD) -- surveillance of websites
focused on discussions of perceived
vulnerabilities of overseas U.S. military facilities or operational
capabilities and disabling those that
present a threat to operations.
* Department of Justice -- development of polices and
guidelines for creating, interacting within,
surveilling, and rendering inaccessible websites created by
individuals wishing to use the Internet as a
forum for inciting or planning terrorism-related activities.
* Federal Bureau of Investigation -- monitoring of websites and
analysis of information for purposes of
determining possible terrorist plans and threats to U.S. security
interests.
* Department of Homeland Security -- monitoring of websites
and analysis of information for purposes of

The psychological effects of cyber terrorismMichael L. Gross.docx

The psychological effects of cyber terrorismMichael L. Gross.docx

Recommended

Recommended

More Related Content

More from oreo10

More from oreo10 (20)

Recently uploaded

Recently uploaded (20)

The psychological effects of cyber terrorismMichael L. Gross.docx