What Motivates Cyberattacks: Lack of Consequences or Abundance of Attack Vectors?

Authors

  • Matthias Schulze Institute for Peace Research and Security Policy at the University of Hamburg (IFSH)
  • Florian Erdle Institute for Peace Research and Security Policy at the University of Hamburg (IFSH)

DOI:

https://doi.org/10.34190/eccws.25.1.4902

Keywords:

Deterrence by Denial, Common Vulnerabilities and Exposures (CVEs), Cyberattacks, correlation analysis

Abstract

This study examines whether cyber-attacks are motivated by attacker impunity due to lack of deterrence or ease-of-attack due to offense dominance. We empirically measure whether ease-of-attack, measured through Common Vulnerabilities and Exposures (CVEs), drives cyberattack activity. Using global CVE and cyberattack data from 2000 to 2024, we find a statistically significant—though modest—correlation, with the strongest alignment appearing at a one-year lag. This suggests attackers typically take about a year to exploit new vulnerabilities. The findings lend conditional support to deterrence-by-denial, indicating that reducing vulnerabilities can meaningfully influence adversary.

 

Author Biographies

Matthias Schulze, Institute for Peace Research and Security Policy at the University of Hamburg (IFSH)

Dr. Matthias Schulze is a Non-Resident Fellow in the International Cyber Security project at the Institute for Peace Research and Security Policy at the University of Hamburg (IFSH). Previously, he was head of the International Cyber Security research project.

Florian Erdle, Institute for Peace Research and Security Policy at the University of Hamburg (IFSH)

Florian Erdle is a Research Assistant in the International Cyber Security research project at the Institute for Peace Research and Security Policy at the University of Hamburg (IFSH). He is currently completing a double-degree Master's programme at the Johns Hopkins University and the University of Bologna.

Downloads

Published

2026-06-15

Issue

Vol. 25 No. 1 (2026): The Proceedings of the 25th European Conference on Cyber Warfare & Security (ECCWS 2026)

Section

Academic Papers

License

Copyright (c) 2026 European Conference on Cyber Warfare and Security

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.