Social scientists do not directly study cyberattacks; they draw inferences from attack reports that are public and visible. Like human rights violations or war casualties, there are missing cyberattacks that researchers have not observed. The existing approach is to either ignore missing data and assume they do not exist or argue that reported attacks accurately represent the missing events. This article is the first to detail the steps between attack, discovery and public report to identify sources of bias in cyber data. Visibility bias presents significant inferential challenges for cybersecurity – some attacks are easy to observe or claimed by attackers, while others take a long time to surface or are carried out by actors seeking to hide their actions. The article argues that missing attacks in public reporting likely share features of reported attacks that take the longest to surface. It builds on datasets of cyberattacks by or against Five Eyes (an intelligence alliance composed of Australia, Canada, New Zealand, the United Kingdom and the United States) governments and adds new data on when attacks occurred, when the media first reported them, and the characteristics of attackers and techniques. Leveraging survival models, it demonstrates how the delay between attack and disclosure depends on both the attacker’s identity (state or non-state) and the technical characteristics of the attack (whether it targets information confidentiality, integrity, or availability). The article argues that missing cybersecurity events are least likely to be carried out by non-state actors or target information availability. Our understanding of ‘persistent engagement,’ relative capabilities, ‘intelligence contests’ and cyber coercion rely on accurately measuring restraint. This article’s findings cast significant doubt on whether researchers have accurately measured and observed restraint, and informs how others should consider external validity. This article has implications for our understanding of data bias, empirical cybersecurity research and secrecy in international relations.

中文翻译：

---

发现网络攻击的过程如何影响我们对网络安全的理解

社会科学家并不直接研究网络攻击；而是直接研究网络攻击。他们从公开且可见的攻击报告中得出推论。就像侵犯人权或战争伤亡一样，存在研究人员尚未观察到的缺失网络攻击。现有的方法是要么忽略丢失的数据并假设它们不存在，要么认为报告的攻击准确地代表了丢失的事件。本文首次详细介绍了攻击、发现和公开报告之间的步骤，以识别网络数据中的偏见来源。可见性偏差给网络安全带来了重大的推理挑战——一些攻击很容易被攻击者观察到或被攻击者声称，而另一些攻击则需要很长时间才能浮出水面，或者是由试图隐藏其行为的行为者实施的。文章认为，公开报告中遗漏的攻击可能与所报告的攻击需要最长时间才能浮出水面的特征相同。它建立在五眼联盟（由澳大利亚、加拿大、新西兰、英国和美国组成的情报联盟）政府发起或针对的网络攻击数据集的基础上，并添加了有关攻击发生时间、媒体首次报道时间的新数据，以及攻击者的特征和技术。利用生存模型，它演示了攻击和泄露之间的延迟如何取决于攻击者的身份（状态或非状态）和攻击的技术特征（是否针对信息机密性、完整性或可用性）。文章认为，缺失的网络安全事件最不可能是由非国家行为者或目标信息可用性造成的。我们对“持续交战”、相对能力、“情报竞赛”和网络胁迫的理解依赖于准确衡量克制。本文的研究结果对研究人员是否准确测量和观察了克制提出了重大质疑，并告知其他人应如何考虑外部效度。本文对我们理解数据偏见、实证网络安全研究和国际关系保密具有重要意义。