{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:18:41Z","timestamp":1754158721010,"version":"3.41.2"},"reference-count":56,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2022,4,14]],"date-time":"2022-04-14T00:00:00Z","timestamp":1649894400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2022,10,20]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>Nonexperts do not always follow the advice in cybersecurity warning messages. To increase compliance, it is recommended that warning messages use nontechnical language, describe how the cyberattack will affect the user personally and do so in a way that aligns with how the user thinks about cyberattacks. Implementing those recommendations requires an understanding of how nonexperts think about cyberattack consequences. Unfortunately, research has yet to reveal nonexperts\u2019 thinking about cyberattack consequences. Toward that end, the purpose of this study was to examine how nonexperts think about cyberattack consequences.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>Nonexperts sorted cyberattack consequences based on perceived similarity and labeled each group based on the reason those grouped consequences were perceived to be similar. Participants\u2019 labels were analyzed to understand the general themes and the specific features that are present in nonexperts\u2019 thinking.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The results suggested participants mainly thought about cyberattack consequences in terms of what the attacker is doing and what will be affected. Further, the results suggested participants thought about certain aspects of the consequences in concrete terms and other aspects of the consequences in general terms.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This research illuminates how nonexperts think about cyberattack consequences. This paper also reveals what aspects of nonexperts\u2019 thinking are more or less concrete and identifies specific terminology that can be used to describe aspects that fall into each case. Such information allows one to align warning messages to nonexperts\u2019 thinking in more nuanced ways than would otherwise be possible.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-11-2020-0184","type":"journal-article","created":{"date-parts":[[2022,4,13]],"date-time":"2022-04-13T13:57:17Z","timestamp":1649858237000},"page":"473-489","source":"Crossref","is-referenced-by-count":1,"title":["How do non experts think about cyber attack consequences?"],"prefix":"10.1108","volume":"30","author":[{"given":"Keith S.","family":"Jones","sequence":"first","affiliation":[]},{"given":"Natalie R.","family":"Lodinger","sequence":"additional","affiliation":[]},{"given":"Benjamin P.","family":"Widlus","sequence":"additional","affiliation":[]},{"given":"Akbar","family":"Siami Namin","sequence":"additional","affiliation":[]},{"given":"Emily","family":"Maw","sequence":"additional","affiliation":[]},{"given":"Miriam E.","family":"Armstrong","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2022,4,14]]},"reference":[{"key":"key2022102015354177100_ref001","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1109\/SecDev.2016.013","article-title":"You are not your developer, either: a research agenda for usable security and privacy research beyond end users","volume-title":"2016 IEEE Cybersecurity Development (SecDev)","year":"2016"},{"key":"key2022102015354177100_ref002","first-page":"260","article-title":"Do you see the warning? Cybersecurity warnings via nonconscious processing","volume-title":"2020 ACM Southeast Conference (ACMSE 2020)","year":"2020"},{"first-page":"257","article-title":"Alice in Warningland: a large-scale field study of browser security warning effectiveness","year":"2013","key":"key2022102015354177100_ref003"},{"key":"key2022102015354177100_ref004","doi-asserted-by":"crossref","first-page":"624","DOI":"10.1016\/j.procs.2017.12.198","article-title":"Usable security: revealing end-users comprehensions on security warnings","volume":"124","year":"2017","journal-title":"Procedia Computer Science"},{"key":"key2022102015354177100_ref005","first-page":"367","article-title":"Mental models of computer security risks","volume-title":"Financial Cryptography and Data Security","year":"2007","edition":"Eds"},{"key":"key2022102015354177100_ref006","first-page":"289","article-title":"The multiple sorting procedure (MSP)","volume-title":"Doing Social Psychology Research","year":"2004"},{"key":"key2022102015354177100_ref007","first-page":"1971","article-title":"Effectively communicate risks for diverse users: a mental-models approach for individualized security interventions","volume-title":"INFORMATIK 2013","year":"2013"},{"key":"key2022102015354177100_ref008","first-page":"205","article-title":"Contextualized web warnings, and how they cause distrust","volume-title":"International Conference on Trust and Trustworthy Computing","year":"2013"},{"key":"key2022102015354177100_ref009","first-page":"1","article-title":"Warning design guidelines","volume":"13","year":"2013","journal-title":"CMU-CyLab"},{"issue":"2","key":"key2022102015354177100_ref010","doi-asserted-by":"publisher","first-page":"18","DOI":"10.1109\/MSP.2010.198","article-title":"Bridging the gap in computer security warnings: a mental model approach","volume":"9","year":"2011","journal-title":"IEEE Security and Privacy Magazine"},{"issue":"3","key":"key2022102015354177100_ref011","doi-asserted-by":"publisher","first-page":"286","DOI":"10.1093\/hcr\/hqz001","article-title":"Documenting the truth- default: the low frequency of spontaneous unprompted veracity assessments in deception detection","volume":"45","year":"2019","journal-title":"Human Communication Research"},{"key":"key2022102015354177100_ref012","doi-asserted-by":"crossref","first-page":"359","DOI":"10.1016\/j.chb.2016.11.044","article-title":"Cyber-victimization preventive behavior: a health belief model approach","volume":"68","year":"2017","journal-title":"Computers in Human Behavior"},{"article-title":"Security as a practical problem: some preliminary observations of everyday mental models","volume-title":"Proceedings of CHI 2003 workshop on HCI and security systems","year":"2003","key":"key2022102015354177100_ref013"},{"key":"key2022102015354177100_ref014","doi-asserted-by":"crossref","first-page":"35","DOI":"10.1145\/3450329.3476862","article-title":"Scaring people is not enough: an examination of fear appeals within the context of promoting good password hygiene","volume-title":"Proceedings of the 22st Annual Conference on Information Technology Education","year":"2021"},{"key":"key2022102015354177100_ref015","first-page":"1065","article-title":"You\u2019ve been warned: an empirical study of the effectiveness of web browser phishing warnings","volume-title":"CHI 2008: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems","year":"2008"},{"issue":"3","key":"key2022102015354177100_ref016","doi-asserted-by":"crossref","first-page":"89","DOI":"10.1111\/j.1468-0394.2005.00299.x","article-title":"Making sense of card sorting data","volume":"22","year":"2005","journal-title":"Expert Systems"},{"key":"key2022102015354177100_ref017","first-page":"265","article-title":"User perceptions of phishing consequence severity and likelihood, and implications for warning message design","volume-title":"International Conference on Applied Human Factors and Ergonomics","year":"2021"},{"issue":"3","key":"key2022102015354177100_ref018","doi-asserted-by":"crossref","first-page":"32","DOI":"10.1145\/1125864.1125887","article-title":"To download or not to download: an examination of computer security decision making","volume":"13","year":"2006","journal-title":"Interactions"},{"key":"key2022102015354177100_ref019","first-page":"133","article-title":"So long, and no thanks for the externalities: the rational rejection of security advice by users","volume-title":"Proceedings of the 2009 Workshop on New Security Paradigms Workshop (NSPW \u201809)","year":"2009"},{"key":"key2022102015354177100_ref020","first-page":"177","article-title":"Assessing the usability of end-user security software","volume-title":"International Conference on Trust, Privacy and Security in Digital Business","year":"2010"},{"first-page":"327","article-title":"\u2018\u2026 no one can hack my mind\u2019: comparing expert and non-expert security practices","year":"2015","key":"key2022102015354177100_ref021"},{"key":"key2022102015354177100_ref022","first-page":"1","article-title":"\u2018Lime\u2019, \u2018open lock\u2019, and \u2018blocked\u2019 children's perception of colors, symbols, and words in cybersecurity warnings","volume-title":"Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems","year":"2020"},{"issue":"18","key":"key2022102015354177100_ref023","doi-asserted-by":"crossref","first-page":"1709","DOI":"10.1080\/10447318.2021.1908691","article-title":"Do warning message design recommendations address why non-experts do not protect themselves from cybersecurity threats? A review","volume":"37","year":"2021","journal-title":"International Journal of Human\u2013Computer Interaction"},{"issue":"3","key":"key2022102015354177100_ref024","doi-asserted-by":"crossref","first-page":"192","DOI":"10.1016\/j.lisr.2010.04.001","article-title":"Exploitation of folksonomies in subject analysis","volume":"32","year":"2010","journal-title":"Library and Information Science Research"},{"first-page":"39","article-title":"\u2018My data just goes everywhere\u2019: user mental models of the internet and implications for privacy and security","year":"2015","key":"key2022102015354177100_ref025"},{"key":"key2022102015354177100_ref027","first-page":"100","article-title":"A comparison of American and German folk models of home computer security","volume-title":"International Conference on Human Aspects of Information Security, Privacy, and Trust","year":"2013"},{"key":"key2022102015354177100_ref026","first-page":"187","article-title":"It is not about the design \u2013 it is about the content! Making warnings more efficient by communicating risks appropriately","volume-title":"SICHERHEIT 2012 \u2013 Sicherheit, Schutz Und Zuverlassigkeit","year":"2012","edition":"Eds"},{"year":"1999","key":"key2022102015354177100_ref028","article-title":"The threats to our products"},{"issue":"4","key":"key2022102015354177100_ref029","doi-asserted-by":"crossref","first-page":"378","DOI":"10.1177\/0261927X14535916","article-title":"Truth-default theory (TDT): a theory of human deception and deception detection","volume":"33","year":"2014","journal-title":"Journal of Language and Social Psychology"},{"issue":"1","key":"key2022102015354177100_ref030","doi-asserted-by":"crossref","first-page":"13","DOI":"10.1093\/biomet\/73.1.13","article-title":"Longitudinal data analysis using generalized linear models","volume":"73","year":"1986","journal-title":"Biometrika"},{"issue":"4","key":"key2022102015354177100_ref031","doi-asserted-by":"crossref","first-page":"587","DOI":"10.1111\/j.1468-2958.2002.tb00826.x","article-title":"Content analysis in mass communication: assessment and reporting of intercoder reliability","volume":"28","year":"2002","journal-title":"Human Communication Research"},{"volume-title":"The Psychology of Human Values","year":"2016","key":"key2022102015354177100_ref032"},{"key":"key2022102015354177100_ref033","doi-asserted-by":"crossref","first-page":"71","DOI":"10.1016\/j.chb.2014.09.014","article-title":"Reading this may harm your computer: the psychology of malware warnings","volume":"41","year":"2014","journal-title":"Computers in Human Behavior"},{"issue":"4","key":"key2022102015354177100_ref034","doi-asserted-by":"crossref","first-page":"815","DOI":"10.1016\/j.dss.2008.11.010","article-title":"Studying users' computer security behavior: a health belief perspective","volume":"46","year":"2009","journal-title":"Decision Support Systems"},{"key":"key2022102015354177100_ref035","unstructured":"Optimal Workshop Ltd. (2020), \u201cOptimalSort\u201d, available at: www.optimalworkshop.com\/optimalsort\/"},{"key":"key2022102015354177100_ref036","first-page":"260","article-title":"Privacy and security in the brave new world: the use of multiple mental models","volume-title":"International Conference on Human Aspects of Information Security, Privacy, and Trust","year":"2015"},{"key":"key2022102015354177100_ref037","unstructured":"Princeton University (2010), \u201cAbout WordNet\u201d, available at: http:\/\/wordnetweb.princeton.edu\/perl\/webwn"},{"key":"key2022102015354177100_ref038","first-page":"8555","article-title":"Why doesn\u2019t Jane protect her privacy","volume-title":"Privacy Enhancing Technologies (PETS). Lecture Notes in Computer Science","year":"2014","edition":"Eds"},{"article-title":"Shame in cyber security: effective behavior modification tool or counterproductive foil?","volume-title":"New Security Paradigms Workshop","year":"2021","key":"key2022102015354177100_ref039"},{"issue":"3","key":"key2022102015354177100_ref040","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1109\/MSP.2015.65","article-title":"Scaring and bullying people into security won't work","volume":"13","year":"2015","journal-title":"IEEE Security and Privacy"},{"issue":"3","key":"key2022102015354177100_ref041","doi-asserted-by":"publisher","first-page":"122","DOI":"10.1023\/A:1011902718709","article-title":"Transforming the \u2018weakest link\u2019: a human-computer interaction approach for usable and effective security","volume":"19","year":"2001","journal-title":"BT Technology Journal"},{"key":"key2022102015354177100_ref042","first-page":"223","article-title":"Attributes affecting user decision to adopt a virtual private network (VPN) app","volume-title":"International Conference on Information and Communications Security","year":"2020"},{"issue":"4","key":"key2022102015354177100_ref043","first-page":"1","article-title":"A comparison of consensus, consistency, and measurement approaches to estimating interrater reliability","volume":"9","year":"2004","journal-title":"Practical Assessment, Research and Evaluation"},{"key":"key2022102015354177100_ref044","doi-asserted-by":"publisher","first-page":"1","DOI":"10.14722\/usec.2017.23006","article-title":"Be prepared: how US government experts think about cybersecurity","volume-title":"Network and Distributed System Security Symposium (NDSS)","year":"2017"},{"key":"key2022102015354177100_ref045","doi-asserted-by":"crossref","first-page":"3748","DOI":"10.1145\/2858036.2858546","article-title":"Do users\u2019 perceptions of password security match reality?","volume-title":"Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems","year":"2016"},{"key":"key2022102015354177100_ref046","doi-asserted-by":"publisher","first-page":"2671","DOI":"10.1145\/2556288.2557275","article-title":"Betrayed by updates: how negative experiences affect future security","volume-title":"Proceedings of the SIGCHI Conference on Human Factors in Computing Systems","year":"2014"},{"key":"key2022102015354177100_ref047","first-page":"255","article-title":"Mental models \u2013 general introduction and review of their application to human-centred security","volume-title":"Number Theory and Cryptography","year":"2013"},{"key":"key2022102015354177100_ref048","first-page":"1","article-title":"Folk models of home computer security","volume-title":"Proceedings of the Sixth Symposium on Usable Privacy and Security (SOUPS) 2010","year":"2010"},{"first-page":"309","article-title":"Too much knowledge? Security beliefs and protective behaviors among United States internet users","year":"2015","key":"key2022102015354177100_ref049"},{"first-page":"137","article-title":"Pretty good persuasion: a first step towards effective password security in the real world","year":"2001","key":"key2022102015354177100_ref050"},{"key":"key2022102015354177100_ref051","doi-asserted-by":"crossref","first-page":"43","DOI":"10.4018\/978-1-60566-036-3.ch004","article-title":"The weakest link: a psychological perspective on why users make poor security decisions","volume-title":"Social and Human Elements of Information Security: Emerging Trends and Countermeasures","year":"2009"},{"first-page":"395","article-title":"When is a tree really a truck? Exploring mental models of encryption","year":"2018","key":"key2022102015354177100_ref052"},{"issue":"1","key":"key2022102015354177100_ref053","first-page":"8","article-title":"Literature studies on security warnings development","volume":"2","year":"2016","journal-title":"International Journal on Perceptive and Cognitive Computing"},{"key":"key2022102015354177100_ref054","first-page":"1","article-title":"Don\u2019t work. Can\u2019t work? Why it\u2019s time to rethink security warnings","volume-title":"7th International Conference of Risks and Security of Internet Systems (CRISIS)","year":"2012"},{"key":"key2022102015354177100_ref055","first-page":"15","article-title":"Some observations on mental models","volume-title":"Mental Models","year":"2014"},{"key":"key2022102015354177100_ref056","unstructured":"Rumelhart, D.E. and Norman, D.A. (1983), \u201cRepresentation in memory\u201d, Working paper [ONR 8302], University of California, San Diego, La Jolla, CA, June."}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2020-0184\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2020-0184\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:20Z","timestamp":1753406600000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/30\/4\/473-489\/107988"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,14]]},"references-count":56,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2022,4,14]]},"published-print":{"date-parts":[[2022,10,20]]}},"alternative-id":["10.1108\/ICS-11-2020-0184"],"URL":"https:\/\/doi.org\/10.1108\/ics-11-2020-0184","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"},{"type":"electronic","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2022,4,14]]}}}