Throwback Thursday: Computer Viruses: Electronically Transmitted Disease? (March 2003)

(This article was first published in Virus Bulletin in March 2003.)

In the summer of 2001, W32/Sircam (see VB, September 2001, p.8) infiltrated the server at Tulane University, New Orleans, infecting both personal and institutional computers. Tulane University Health Sciences Center was the seat from which we began to observe the psychological effects of computer virus infection (CVI).

The self-propagating worm grabbed documents from infected computers and sent them to email address book contacts. As one might imagine, the medical doctors at the Center were especially concerned about the possibility of sensitive documents being sent to other individuals. This stressor was compounded by other potential outcomes, for example: had the worm damaged their personal computers?, could the damage be repaired?, would they lose any important personal documents or information?, how much time and money would they have to expend to repair this damage?

We observed anxiety, frustration and anger among those affected by this CVI. What became increasingly interesting was that the action of a single person (the virus creator) had caused such stress in the lives of people at Tulane University, and Tulane University was a mere ‘drop in the bucket’ when it came to the number of people affected by CVI worldwide.

What was the actual psychological toll inflicted by computer viruses?

In response to this question, an online survey was developed to explore the emotional, behavioural, and cognitive reactions of computer users who had been affected by CVI. We also wanted to assess risk/protective factors for these psychological reactions (e.g., level of computer experience, number of prior infections) and potential social/interpersonal consequences of transmitting a CVI.

We hypothesized that if CVI was associated with the development of significant psychological symptoms in computer users, the term ‘electronically transmitted disease’ might be appropriate in describing the syndrome they experience.

An online version of the Computer Virus Infection Survey (CVIS) was completed by 308 college students from The University of Southern Mississippi, all of whom had previous experience with CVI. The CVIS assesses personal reactions to CVI across three separate domains: affective, behavioural, and cognitive. For each of these domains, students were asked questions about the presence and severity of their reactions in terms of anger, anxiety and depression.

Psychological symptoms were a common reaction to CVI across all domains (see Figure 1). The most severe reactions to CVI were feelings and behaviours associated with anger.

Figure 1. Psychological reactions to CVI across affective, behavioural and cognitive domains.

The authors identified both risk factors and protective factors in development of significant elevations of anger, anxiety, and depression (as compared to other study subjects). Female gender and African-American race were factors associated with elevated responses on several measures. Level of computer experience was not a significant risk factor. Interestingly, a self-reported history of a psychological problem was a protective factor on several measures, suggesting that absence of a prior psychological problem does not obviate computer users from experiencing psychological symptoms.

Identification of the immediate source of virus transmission was found to protect from development of feelings of anger; however, we did not investigate differences based upon intentional vs. inadvertent virus transmission. This may be an important factor when assessing victims of cybercrime, in which virus transmission is intentional. Another important factor to examine may be identification of the virus writer. For instance, if a religious extremist group, a terrorist group, or a hate organization were to be the perpetrator of a virus, knowledge of this fact may serve to heighten psychological symptoms.

Computer users who had experienced property damage as a result of CVI were found to have significant elevations on affective measures of anger, anxiety, and depression. In contrast, privacy violations and downtime were not found to result in significantly elevated measures of psychological reactions among the survey participants.

Anti-virus software ownership prior to CVI was found to reduce angry and depressive thoughts associated with CVI, suggesting a prophylactic effect against psychological morbidity. We also identified treatment interventions associated with less severe psychological symptoms, such as purchase of anti-virus software following CVI, and rapid removal (< 24 hours) of the computer virus. Frequency of anti-virus updates and data backup were not significant factors, despite these practices being important in preventing subsequent CVI or data loss. The brand of anti-virus software employed did not have an impact on psychological reactions.

We also studied the social/interpersonal consequences of CVI. Participants were asked whether they had identified the immediate source of CVI (i.e. the person or institution that had passed the computer virus to them). 35 per cent of participants said they identified the immediate source of the CVI. Of these, 80 per cent said they would change the way they communicated with the person/institution identified as the immediate source: 40 per cent would limit email contact with the source, 36 per cent would not open email attachments sent by the source, and 4 per cent would limit personal contact with the source.

It is known that computer viruses inflict an enormous financial toll [1] on society. The psychological toll of CVI has previously been alluded to [2], but not formally evaluated. This study demonstrates that CVI is associated with important psychological reactions, and that risk factors for more severe symptoms may be identified. Additionally, treatment interventions may reduce these symptoms.

Professionals who develop anti-virus software and other techniques to prevent CVI may take credit not only for preventing financial loss, but also for protecting computer users from the development of psychological symptoms.

As additional techniques that lessen psychological symptoms are found, these techniques could be incorporated into anti-virus software. For instance, if literature that educates computer users on methods to prevent privacy violations (following a successful virus attack) is found to lessen psychological symptoms, then such literature could be included with anti-virus packages.

For those using email as an integral form of communication, the social/interpersonal implications of being identified as the source of CVI should not be overlooked. A majority of participants who identified the immediate source reported that they would somehow limit/change their future electronic relationship with the person or institution.

A CVI-related communication breakdown between businesses and their employees/customers could result in a huge loss in productivity and/or sales. A minority of participants who identified the immediate source affirmed that they would limit personal contact with the immediate source, suggesting that CVI may affect social relationships outside of electronic communication.

The punishment for criminals that develop and propagate computer viruses has been relatively lenient in Western societies, considering the damage caused by their criminal acts [3]. For instance, David Smith, creator of the Melissa virus, was sentenced to 20 months in federal prison and fined $5,000 for causing more than $80 million in financial damage [1] [see also VB, March 2003, p.3]. Individuals have called for harsher sentences in order to deter further such criminal acts [3]. Perhaps the judges who determine sentencing in such cases should take into consideration the psychological toll inflicted upon society by those who create and propagate computer viruses.

Presently, it is not known whether CVI leads to psychological reactions sufficient to warrant psychiatric diagnoses, such as adjustment disorders with anxious or depressed mood or phobias involving the use of technological equipment. The authors plan to interview those subjects reporting more severe psychological reactions or to incorporate standard measures of psychopathology into subsequent surveys in order to investigate this possibility. Until such time, the authors assert that the term ‘electronically transmitted disease’ should be considered when referring to the psychological symptoms associated with contraction of a computer virus.