Deterrence in Cyberspace: An Interdisciplinary Review of the Empirical Literature

  • David MaimonEmail author
Reference work entry


The popularity of the deterrence perspective across multiple scientific disciplines has sparked a lively debate regarding its relevance in influencing both offenders and targets in cyberspace. Unfortunately, due to the invisible borders between academic disciplines, most of the published literature on deterrence in cyberspace is confined within unique scientific disciplines. This chapter therefore provides an interdisciplinary review of the issue of deterrence in cyberspace. It begins with a short overview of the deterrence perspective, presenting the ongoing debates concerning the relevance of deterrence pillars in influencing cybercriminals’ and cyberattackers’ operations in cyberspace. It then reviews the existing scientific evidence assessing various aspects of deterrence in the context of several disciplines: criminology, law, information systems, and political science. This chapter ends with a few policy implications and proposed directions for future interdisciplinary academic research.


Deterrence Cybercrime Empirical evidence 


  1. Akers, R. (2017). Social learning and social structure: A general theory of crime and deviance. New York: Routledge.CrossRefGoogle Scholar
  2. Anderson, L. S., Chiricos, T. G., & Waldo, G. P. (1977). Formal and informal sanctions: A comparison of deterrent effects. Social Problems, 25(1), 103–114.CrossRefGoogle Scholar
  3. Atzeni, A., & Lioy, A. (2006). Why to adopt a security metric? A brief survey. In Quality of Protection (pp. 1–12). Springer, Boston, MA.Google Scholar
  4. Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. R. (2013). Don’t make excuses! Discouraging neutralization to reduce IT policy violation. Computers and Security, 39, 145–159.CrossRefGoogle Scholar
  5. Beccaria, Cessare. (1963). On crimes and punishments (H. Paolucci, Trans.). Indianapolis: Bobbs-Merrill. (Original work published 1764).Google Scholar
  6. Bentham, J. (1789). The principles of morals and legislation. Amherst: Prometheus Books.Google Scholar
  7. Blakely, B. (2002) Consultants Can Offer Remedies to Lax SME Security. TechRepublic, 6 February 2002,
  8. Boss, S., Galletta, D., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quarterly (MISQ), 39(4), 837–864.CrossRefGoogle Scholar
  9. Braga, A. A., & Weisburd, D. L. (2012). The effects of focused deterrence strategies on crime: A systematic review and meta-analysis of the empirical evidence. Journal of Research in Crime and Delinquency, 49(3), 323–358.CrossRefGoogle Scholar
  10. Brenner, S. (2001). Cybercrime investigation and prosecution: The role of penal and procedural law. Murdoch University Electronic Journal of Law, 8(2), 2–42.Google Scholar
  11. Chen, Y., Ramamurthy, K., & Wen, K. W. (2012). Organizations’ information security policy compliance: Stick or carrot approach? Journal of Management Information Systems, 29(3), 157–188.CrossRefGoogle Scholar
  12. Cheng, L., Li, Y., Li, W., Holm, E., & Zhai, Q. (2013). Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Computers and Security, 39, 447–459.CrossRefGoogle Scholar
  13. Cram, W. A., Proudfoot, J. G., & D’Arcy, J. (2017). Organizational information security policies: A review and research framework. European Journal of Information Systems, 26(6), 605–641.CrossRefGoogle Scholar
  14. D’Arcy, J., & Herath, T. (2011). A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings. European Journal of Information Systems, 20, 643–658.CrossRefGoogle Scholar
  15. D’Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20, 79–98.CrossRefGoogle Scholar
  16. Denning, D., & Baugh, W. (2000). Hiding crimes in cyberspace. In D. Thomas & D. Loader (Eds.), Cybercrime: Law enforcement, security and surveillance in the information age (pp. 105–132). London: Routledge.Google Scholar
  17. Dupont, B. (2017). Bots, cops, and corporations: On the limits of enforcement and the promise of polycentric regulation as a way to control large-scale cybercrime. Crime, Law, and Social Change, 67, 97–116.CrossRefGoogle Scholar
  18. Farinholt, B., Rezaeirad, M., Pearce, P., Dharmdasani, H., Yin, H., Le Blond, S., McCoy, D., & Levchenko, K. (2017). To catch a ratter: Monitoring the behavior of amateur darkcomet rat operators in the wild. In 2017 IEEE symposium on Security and Privacy (SP) (pp. 770–787).CrossRefGoogle Scholar
  19. Farrington, D. P., & Burrows, J. N. (1993). Did shoplifting really decrease? The British Journal of Criminology, 33, 57–69.CrossRefGoogle Scholar
  20. Geerken, M. R., & Gove, W. R. (1974). Deterrence: Some theoretical considerations. Law and Society Review, 9, 497.CrossRefGoogle Scholar
  21. Gibbs, J. (1975). Crime, punishment, and deterrence. New York: Elsevier Scientific Publishing Company.Google Scholar
  22. Goodman, W. (2010). Cyber-deterrence: Tougher in theory than in practice? Strategic Studies Quarterly Fall, 102–135.Google Scholar
  23. Gorwa, R., & Smeets, M. 2019. Cyber Conflict in Political Science: A Review of Methods and Literature. SocArXiv. July 25.
  24. Guitton, C. (2012). Criminals and cyber attacks: The missing link between attribution and deterrence. International Journal of Cyber Criminology, 6(2), 1030.Google Scholar
  25. Guo, K. H. (2013). Security-related behavior in using information systems in the workplace: A review and synthesis. Computers and Security, 32, 242–251.CrossRefGoogle Scholar
  26. Harknett, R. (1996). Information warfare and deterrence. Parameters, 26, 93–107.Google Scholar
  27. Harknett, R., Callaghan, J., & Kauffman, R. (2010). Leaving deterrence behind: War-fighting and national cybersecurity. Journal of Homeland Security and Emergency Management, 7(1), 1–24.CrossRefGoogle Scholar
  28. Herath, T., & Rao, H. R. (2009a). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154–165.CrossRefGoogle Scholar
  29. Herath, T., & Rao, H. R. (2009b). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18, 106–125.CrossRefGoogle Scholar
  30. Holt, T. J. (2017). On the value of honeypots to produce policy recommendations. Criminology and Public Policy, 16(3), 739–747.CrossRefGoogle Scholar
  31. Holt, T. J., Kilger, M., Chiang, L., & Yang, C. (2017). Exploring the correlates of individual willingness to engage in ideologically motivated cyberattacks. Deviant Behavior, 38, 356–373.CrossRefGoogle Scholar
  32. Hovav, A., & D’Arcy, J. (2012). Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the US and South Korea. Information and Management, 49, 99–110.CrossRefGoogle Scholar
  33. Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2011). Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM, 54, 54–60.CrossRefGoogle Scholar
  34. Hui, K. L., Kim, S. H., & Wang, Q. H. (2017). Cybercrime deterrence and international legislation: Evidence from distributed denial of service attacks. MIS Quarterly, 41(2), 497.CrossRefGoogle Scholar
  35. Iasiello, E. (2014). Is cyber-deterrence an illusory course of action? Journal of Strategic Security, 7(1), 54–67.CrossRefGoogle Scholar
  36. Jeffrey, C. R., Hunter, R. D., & Griswold, J. (1987). Crime prevention and computer analysis of convenience store robberies in Tallahassee. Florida Police Journal, 34, 65–69.Google Scholar
  37. Jervis, R. (1979). Deterrence theory revisited. World Politics, 31(2), 289–324.CrossRefGoogle Scholar
  38. Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34, 549–566.CrossRefGoogle Scholar
  39. Kigerl, A. C. (2009). CAN SPAM act: An empirical analysis. International Journal of Cyber Criminology, 3(2), 566.Google Scholar
  40. Kigerl, A. C. (2015). Evaluation of the CAN SPAM ACT: Testing deterrence and other influences of e-mail spammer legal compliance over time. Social Science Computer Review, 33(4), 440–458.CrossRefGoogle Scholar
  41. Kigerl, A. C. (2016). Deterring spammers: Impact assessment of the CAN SPAM act on email SPAM rates. Criminal Justice Policy Review, 27(8), 791–811.CrossRefGoogle Scholar
  42. Kigerl, A. C. (2018). Email SPAM origins: Does the CAN SPAM act shift spam beyond United States jurisdiction? Trends in Organized Crime, 21(1), 62–78.CrossRefGoogle Scholar
  43. Kostyuk, N., & Zhukov, Y. M. (2019). Invisible digital front: Can cyberattacks shape battlefield events? Journal of Conflict Resolution, 63(2), 317–347.CrossRefGoogle Scholar
  44. Krebs, B. (2014). Spam nation: The inside story of organized cybercrime-from global epidemic to your front door. Naperville: Sourcebooks, Inc.Google Scholar
  45. Lessig, L. (2009). Code 2.0. Seattle: Amazon CreateSpace Publishing.Google Scholar
  46. Li, H., Zhang, J., & Sarathy, R. (2010). Understanding compliance with internet use policy from the perspective of rational choice theory. Decision Support Systems, 48(4), 635–645.CrossRefGoogle Scholar
  47. Libicki, M. C. (2009). Cyber-deterrence and cyberwar. Santa Monica: Rand Corporation.Google Scholar
  48. Lupovici, A. (2011). Cyber warfare and deterrence: Trends and challenges in research. Military and Strategic Affairs, 3(3), 49–62.Google Scholar
  49. Maimon, D., & Louderback, E. R. (2019). Cyber-dependent crimes: an interdisciplinary review. Annual Review of Criminology. 1–26Google Scholar
  50. Maimon, D., Antonaccio, O., & French, M. T. (2012). Severe sanctions, easy choice? Investigating the role of school sanctions in preventing adolescent violent offending. Criminology, 50(2), 495–524.CrossRefGoogle Scholar
  51. Maimon, D., Alper, M., Sobesto, B., & Culkier, M. (2014). Restrictive deterrent effects of a warning banner in an attacked computer system. Criminology, 52, 33–59.CrossRefGoogle Scholar
  52. Maimon, D., Becker, M., Patil, S., & Katz, J. (2017). Self-protective behaviors over public WiFi networks. In The {LASER} workshop: Learning from authoritative security experiment results ({LASER} 2017) (pp. 69–76). Usenix Association.Google Scholar
  53. Maimon, D., Testa, A., Sobesto, B., Cukier, M., & Ren, W. (2019). Predictably Deterrable? The case of system trespassers. In International conference on security, privacy and anonymity in computation, communication and storage (pp. 317–330). Cham: Springer.CrossRefGoogle Scholar
  54. Mayer, J. (2015). Cybercrime litigation. University of Pennsylvania Law Review, 164, 1453.Google Scholar
  55. McGuire, M., & Dowling, S. (2013). *Cyber-crime: A review of the evidence summary of key findings and implications []*. Home Office Research Report 75, Home Office, United Kingdom.
  56. Milne, S., Sheeran, P., & Orbell, S. (2000). Prediction and intervention in health-related behavior: A meta-analytic review of protection motivation theory. Journal of Applied Social Psychology, 30(1), 106–143.CrossRefGoogle Scholar
  57. Mohammadzadeh, H., Mansoori, M., & Welch, I. (2013). Evaluation of fingerprinting techniques and a windows-based dynamic honeypot. In Proceedings of the eleventh Australasian information security conference-Volume 138 (pp. 59–66). Australian Computer Society, Inc.Google Scholar
  58. Morris, R. G., & Blackburn, A. G. (2009). Cracking the code: An empirical exploration of social learning theory and computer crime. Journal of Crime and Justice, 32(1), 1–34.CrossRefGoogle Scholar
  59. Nagin, D. S. (1998). Criminal deterrence research at the outset of the twenty-first century. Crime and Justice, 23, 1–42.CrossRefGoogle Scholar
  60. Nagin, D. S. (2013). Deterrence: A review of the evidence by a criminologist for economists. Annual Review of Economy, 5(1), 83–105.CrossRefGoogle Scholar
  61. Nye, J. S., Jr. (2017). Deterrence and dissuasion in cyberspace. International Security, 41(3), 44–71.CrossRefGoogle Scholar
  62. Paternoster, R. (1987). The deterrent effect of the perceived certainty and severity of punishment: A review of the evidence and issues. Justice Quarterly, 4(2), 173–217.CrossRefGoogle Scholar
  63. Paternoster, R. (2010). How much do we really know about criminal deterrence. Journal of Criminal Law and Criminology, 100, 765.Google Scholar
  64. Pratt, T. C., Cullen, F. T., Blevins, K. R., Daigle, L. E., & Madensen, T. D. (2006). The empirical status of deterrence theory: A meta-analysis. Taking Stock: The Status of Criminological Theory, 15, 367–396.Google Scholar
  65. Quackenbush, S. L. (2011). Deterrence theory: Where do we stand? Review of International Studies, 37(2), 741–762.CrossRefGoogle Scholar
  66. Rezaeirad, M., Farinholt, B., Dharmdasani, H., Pearce, P., Levchenko, K. & McCoy, D. (2018). Schrödinger’s {RAT}: Profiling the stakeholders in the remote access trojan ecosystem. In 27th {USENIX} security symposium ({USENIX} Security 18) (pp. 1043–1060).Google Scholar
  67. Rid, T., & Buchanan, B. (2015). Attributing cyberattacks. Journal of Strategic Studies, 38(1–2), 4–37.CrossRefGoogle Scholar
  68. Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. Journal of Personality, 91, 93–114.Google Scholar
  69. Rogers, R. W. (1983). Cognitive and psychological processes in fear appeals and attitude change: A revised theory of protection motivation. In Social psychophysiology: A sourcebook (pp. 153–176). New York: Guilford Press.Google Scholar
  70. Schelling, T. C. (1966). Arms and influence. New Haven: Yale University Press.Google Scholar
  71. Schelling, T. (1980). The Strategy of Conflict, 1960. Harvard University.Google Scholar
  72. Siponen, M., & Willison, R. (2009). Information security management standards: Problems and solutions. Information & Management 46.5: 267–270.Google Scholar
  73. Siponen, M., Pahnila, S., & Mahmood, M. A. (2010). Compliance with information security policies: An empirical investigation. Computer, 43, 64–71.CrossRefGoogle Scholar
  74. Skinner, W. F., & Fream, A. M. (1997). A social learning theory analysis of computer crime among college students. Journal of Research in Crime and Delinquency, 34, 495–518.CrossRefGoogle Scholar
  75. Sloan-Howitt, M., & Kelling, G. L. (1990). Subway graffiti in new York City: Gettin’up vs. meanin’it and cleanin’it. Security Journal, 1, 131–136.Google Scholar
  76. Snyder, G. H. (1961). Deterrence and defense. Princeton: Princeton University Press.CrossRefGoogle Scholar
  77. Sommestad, T., Hallberg, J., Lundholm, K., & Bengtsson, J. (2014). Variables influencing information security policy compliance: A systematic review of quantitative studies. Information Management and Computer Security, 22(1), 42–75.CrossRefGoogle Scholar
  78. Stafford, M. C., & Warr, M. (1993). A reconceptualization of general and specific deterrence. Journal of Research in Crime and Delinquency, 30(2), 123–135.CrossRefGoogle Scholar
  79. Stockman, M., Heile, R., & Rein, A. (2015). An open-source honeynet system to study system banner message effects on hackers. In Proceedings of the 4th annual ACM conference on research in information technology (pp. 19–22).CrossRefGoogle Scholar
  80. Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. NIST Special Publication, 800, 30.Google Scholar
  81. Taddeo, M. (2018). The limits of deterrence theory in cyberspace. Philosophy and Technology, 31(3), 339–355.CrossRefGoogle Scholar
  82. Testa, A., Maimon, D., Sobesto, B., & Cukier, M. (2017). Illegal roaming and file manipulation on target computers: Assessing the effect of sanction threats on system trespassers’ online behaviors. Criminology and Public Policy, 16, 687–724.CrossRefGoogle Scholar
  83. Tor, U. (2017). Cumulative deterrence as a new paradigm for cyber-deterrence. Journal of Strategic Studies, 40(1–2), 92–117.CrossRefGoogle Scholar
  84. Torres, J. M., Sarriegi, J. M., Santos, J., & Serrano, N. (2006, August). Managing information systems security: critical success factors and indicators to measure effectiveness. In International Conference on Information Security (pp. 530-545). Springer, Berlin, Heidelberg.Google Scholar
  85. Valeriano, B., & Maness, R. C. (2014). The dynamics of cyber conflict between rival antagonists, 2001–11. Journal of Peace Research, 51(3), 347–360.CrossRefGoogle Scholar
  86. Waldrop, M. M. (2016). How to hack the hackers: The human side of cybercrime. Nature News, 533(7602), 164.CrossRefGoogle Scholar
  87. Willison, R., Lowry, P. B., & Paternoster, R. (2018). A tale of two deterrents: Considering the role of absolute and restrictive deterrence to inspire new directions in behavioral and organizational security research. A Tale of two deterrents: Considering the role of absolute and restrictive deterrence in inspiring new directions in behavioral and organizational security. Journal of the Association for Information Systems (JAIS), 19(12), 1187–1216.CrossRefGoogle Scholar
  88. Wilner, A. S. (2019). US cyber-deterrence: Practice guiding theory. Journal of Strategic Studies, 1–36.Google Scholar
  89. Wilson, T., Maimon, D., Sobesto, B., & Cukier, M. (2015). The effect of a surveillance banner in an attacked computer system: Additional evidence for the relevance of restrictive deterrence in cyberspace. Journal of Research in Crime and Delinquency, 52, 829–855.CrossRefGoogle Scholar
  90. Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24, 2799–2816.CrossRefGoogle Scholar

Copyright information

© The Author(s) 2020

Authors and Affiliations

  1. 1.Georgia State UniversityCollege ParkUSA

Personalised recommendations