Journal of Computer and System Sciences 80 (2014) 973–993
Contents lists available at ScienceDirect
Journal of Computer and System Sciences
www.elsevier.com/locate/jcss
A survey of emerging threats in cybersecurity
Julian Jang-Jaccard, Surya Nepal ∗
CSIRO ICT Centre, Australia
a r t i c l e i n f o a b s t r a c t
Article history:
Received 25 September 2012
Received in revised form 15 March 2013
Accepted 27 August 2013
Available online 10 February 2014
Keywords:
Cybersecurity
Malware
Emerging technology trends
Emerging cyber threats
Cyber attacks and countermeasures
The exponential growth of the Internet interconnections has led
to a significant growth
of cyber attack incidents often with disastrous and grievous
consequences. Malware is the

primary choice of weapon to carry out malicious intents in the
cyberspace, either by ex-
ploitation into existing vulnerabilities or utilization of unique
characteristics of emerging
technologies. The development of more innovative and effective
malware defense mech-
anisms has been regarded as an urgent requirement in the
cybersecurity community. To
assist in achieving this goal, we first present an overview of the
most exploited vulner-
abilities in existing hardware, software, and network layers.
This is followed by critiques
of existing state-of-the-art mitigation techniques as why they do
or don’t work. We then
discuss new attack patterns in emerging technologies such as
social media, cloud comput-
ing, smartphone technology, and critical infrastructure. Finally,
we describe our speculative
observations on future research directions.
Crown Copyright © 2014 Published by Elsevier Inc. All rights
reserved.
1. Introduction
Our society, economy, and critical infrastructures have become
largely dependent on computer networks and information
technology solutions. Cyber attacks become more attractive and
potentially more disastrous as our dependence on informa-
tion technology increases. According to the Symantec
cybercrime report published in April 2012 [17], cyber attacks
cost
US$114 billion each year. If the time lost by companies trying
to recover from cyber attacks is counted, the total cost of
cyber attacks would reach staggering US$385 billion [17].
Victims of cyber attacks are also significantly growing. Based

on
the survey conducted by Symantec which involved interviewing
20,000 people across 24 countries, 69% reported being the
victim of a cyber attack in their lifetime. Symantec calculated
that 14 adults become the victim of a cyber attack every
second, or more than one million attacks every day [105].
Why cyber attacks flourish? It is because cyber attacks are
cheaper, convenient and less risky than physical attacks [1].
Cyber criminals only require a few expenses beyond a computer
and an Internet connection. They are unconstrained by
geography and distance. They are difficult to identity and
prosecute due to anonymous nature of the Internet. Given that
attacks against information technology systems are very
attractive, it is expected that the number and sophistication of
cyber attacks will keep growing.
* Corresponding author.
E-mail addresses: [email protected] (J. Jang-Jaccard),
[email protected] (S. Nepal).
http://dx.doi.org/10.1016/j.jcss.2014.02.005
0022-0000/Crown Copyright © 2014 Published by Elsevier Inc.
All rights reserved.
http://dx.doi.org/10.1016/j.jcss.2014.02.005
http://www.ScienceDirect.com/
http://www.elsevier.com/locate/jcss
mailto:[email protected]
mailto:[email protected]
http://dx.doi.org/10.1016/j.jcss.2014.02.005
http://crossmark.crossref.org/dialog/?doi=10.1016/j.jcss.2014.0
2.005&domain=pdf
974 J. Jang-Jaccard, S. Nepal / Journal of Computer and System
Sciences 80 (2014) 973–993

Fig. 1. Vulnerabilities and defense strategies in existing
systems.
Cybersecurity concerns with the understanding of surrounding
issues of diverse cyber attacks and devising defense
strategies (i.e., countermeasures) that preserve confidentiality,
integrity and availability of any digital and information tech-
nologies [18].
• Confidentiality is the term used to prevent the disclosure of
information to unauthorized individuals or systems.
• Integrity is the term used to prevent any modification/deletion
in an unauthorized manner.
• Availability is the term used to assure that the systems
responsible for delivering, storing and processing information
are accessible when needed and by those who need them.
Many cybersecurity experts believe that malware is the key
choice of weapon to carry out malicious intends to breach
cybersecurity efforts in the cyberspace [12]. Malware refers to a
broad class of attacks that is loaded on a system, typically
without the knowledge of the legitimate owner, to compromise
the system to the benefit of an adversary. Some exemplary
classes of malware include viruses, worms, Trojan horses,
spyware, and bot executables [15]. Malware infects systems in a
variety of ways for examples propagation from infected
machines, tricking user to open tainted files, or alluring users to
visit
malware propagating websites. In more concrete examples of
malware infection, malware may load itself onto a USB drive
inserted into an infected device and then infect every other
system into which that device is subsequently inserted. Malware
may propagate from devices and equipments that contain
embedded systems and computational logic. In short, malware
can be inserted at any point in the system life cycle. Victims of

malware can range anything from end user systems, servers,
network devices (i.e., routers, switches, etc.) and process
control systems such as Supervisory Control and Data
Acquisition
(SCADA). The proliferation and sophistication of fast growing
number of malware is a major concern in the Internet today.
Traditionally, malware attacks happened at a single point of
surface amongst hardware equipments, software pieces or at
network level exploiting existing design and implementation
vulnerabilities at each layer. Rather than protecting each asset,
the perimeter defense strategy has been used predominantly to
put a wall outside all internal resources to safeguard every-
thing inside from any unwanted intrusion from outside. The
majority of perimeter defense mechanism utilizes firewall and
anti-virus software installed within intrusion
prevention/detection systems. Any traffic coming from outside
is intercepted
and examined to ensure there is no malware penetrating into the
inside resources. General acceptance of this perimeter
defense model has occurred because it is far easier and
seemingly less costly to secure one perimeter than it is to secure
a large volume of applications or a large number of internal
networks. To give more defined access to certain internal re-
sources, the access control mechanisms have been used in
conjunction with the perimeter defense mechanism. On top of
perimeter defense and access control, accountability is added to
identify or punish for any misbehaviors, as represented
in Fig. 1. However, the combined efforts of perimeter defense
strategy have been found to be increasingly ineffective as the
advancement and sophistication of malware improves. Ever
evolving malware always seems to find loopholes to bypass the
perimeter defense altogether. We describe in details the most
common exploitations in the three distinct layers of existing
information system at hardware, software and network layers.
We then discuss the pros and cons of the most representative

defense mechanisms that have been used in these layers.
Malware evolves through time capitalizing on new approaches
and exploiting the flaws in the emerging technologies
to avoid detection. We describe a number of new patterns of
malware attacks present in the emerging technologies. In
choosing emerging technologies for illustration, we focus a few
that have changed the way we live our daily life. These
include social media, cloud computing, smartphone technology,
and critical infrastructure. We discuss unique characteristics
of each of these emerging technologies and how malware
utilizes the unique characteristics to proliferate itself. For
example,
social media, such as social networking sites and blogs, are now
an integral part of our life style as many people are
journaling about their life events, sharing news, as well as
making friends. Realizing its potential to connect millions
people
at one go, adversaries use social media accounts to befriend
unsuspecting users to use as vehicles for sending spam to
the victim’s friends while the victim’s machine is repurposed
into a part of botnet. Cloud computing paradigm allows the
J. Jang-Jaccard, S. Nepal / Journal of Computer and System
Sciences 80 (2014) 973–993 975
Fig. 2. Types of malware and mediums to spread them [101].
use of computer resources like utilities where the users pay only
for the usage without having to set up any upfront
expense or requiring any skills in managing complex computing
infrastructure. The growing trove of data concentrated in
the cloud storage services is now attracting attackers. In June
2012, attackers compromised Distributed Denial of Service
(DDoS) mitigation service on CloudFlare by using flaws in

AT&T’s voicemail service for its mobile users; similarly,
Google’s
account-recovery service for its Gmail users [19]. With the
subjected growth by 2 billion smartphone users by 2015, a
significant growth in mobile malware has been witnesses in
recent times. For example, the number of unique detections of
malware for Android increased globally by 17 times in 2012
from the previous year [107]. There is also growing concerns
in cyber threats to critical infrastructure such as electricity
grids and healthcare systems to use in terrorism, sabotage
and information warfare. Apart from investigating exploitations
through unique characteristics in the selected emerging
technologies, we also discuss general malware attack patterns
appear in them to understand the methods and trends of the
new attacks.
Finally, we provide our speculative observations as where
future research directions are heading. These include: (1) pri-
vacy concerns to safeguard increasing volumes of personal
information entered in the Internet, (2) requirement to have a
new generation of secure Internet from scratch with careful
consideration of the subjected growth and usage patterns which
was not the case with the internet we use today, (3) trustworthy
system whose fundamental architecture is different from
their inception to withstand from ever evolving malware, (4)
being able to identify and trace the source of attacks assisted
by the development of global scale identity management system
and traceback techniques, and (5) a strong emphasis on
usable security to give individuals security controls they can
understand and control.
The remainder of the article is organized as follows. Section 2
provides an insight of the malware. Section 3 provides
an overview on how malware penetrates in exiting systems and
efforts to mitigate any existing vulnerabilities exploited
by adversaries. Section 4 reviews emerging approaches to

malware infiltration and discusses the general attack patterns
and methods. Section 5 discusses future research directions we
identified; this will be followed by concluding remarks in
Section 6.
2. Malware as attack tool
In early days, malware was simply written as experiments often
to highlight security vulnerabilities or in some cases to
show off technical abilities. Today, malware is used primarily
to steal sensitive personal, financial, or business information
for the benefit of others [129,131]. For example, malware is
often used to target government or corporate websites to
gather guarded information or to disrupt their operations. In
other cases, malware is also used against individuals to gain
personal information such as social security numbers or credit
card numbers. Since the rise of widespread broadband
Internet access that is cheaper and faster, malware has been
designed increasingly not only for the stealth of information
but strictly for profit purposes [130]. For example, the majority
of widespread malware have been designed to take control
of user’s computers for black market exploitation such as
sending email spam or monitoring user’s web browsing
behaviors
and displaying unsolicited advertisements. Based on Anti-
Phishing group report [101], there was a total of 26 million new
malware reported in 2012. Fig. 2 describes relative proportions
of the types of new malware samples identified in the
second half of 2012 reported by the Anti-Phishing group.
According to this report, Trojans continued to account for most
of the threats in terms of malware counting as the
number grows spectacularly. In 2009, Trojans were reported to
have made up 60 percent of all malware. In 2011, the
number has jumped up to 73 percent. The current percentage
indicates that nearly three out of every four new malware

strains created in 2011 were Trojans and shows that it is the
weapon of choice for cyber criminals to conduct network
intrusion and data stealing.
976 J. Jang-Jaccard, S. Nepal / Journal of Computer and System
Sciences 80 (2014) 973–993
Fig. 3. Common attacks and examples of countermeasures in
existing system.
Malware authors use a number of different intermediaries to
spread malware to infect a victim’s system. Traditionally,
spam, phishing and web download have been the most
commonly used mediums for the purpose.
– Spam refers to sending irrelevant, inappropriate and
unsolicited messages to thousands or millions of recipients.
Spam
has turned out to be a highly profitable market since spam is
sent anonymously with no costs involved beyond the
management of mailing lists. Due to such low barrier to entry,
spammers are numerous, and the volume of unsolicited
mail has grown enormously. In the year 2011, the estimated
figure for spam messages is around seven trillion [2]. This
figure includes the cost involved in lost productivity and fraud,
and extra capacity needed to cope with the spam. Today,
most widely recognized form of spam is email spam. According
to the Message Anti-Abuse Working Group report [1],
between 88–92% of email messages sent in the first half of 2010
carried spam.
– Phishing is a way of attempting to acquire sensitive
information such as username, password or credit card details
by
masquerading as a trustworthy entity. Most phishing scams rely

on deceiving a user into visiting a malicious web site
claiming to be from legitimate businesses and agencies.
Unsuspecting user enters private information in the malicious
web site which is then subsequently used by malicious
criminals. Most methods of phishing use some form of technical
deception designed to make a link in an email (and spoofed
website) appear to belong to a legitimate organization, such
as well known bank. Misspelled URLs or the use of sub-
domains are common tricks used by phishers. The Anti-Phishing
technical report [101] stated that, there was a visible trend of
phishers in 2011 to hide their intentions by avoiding the
use of obvious IP host to host their fake login pages. Instead the
phishers preferred to host on a compromised domain
to avoid detection. It is reported that there was 16 percent drop
in the number of phishing URLs containing the spoofed
company name in the URL. These combined trends show how
phishers are adapting as users becoming more informed
and knowledgeable about the traits of a typical phish.
– Drive-by Downloads concerns the unintended downloads of
malware from the Internet and have been increasingly used
by the attackers to spread malware fast. Drive-by downloads
happen in a variety of situations; for example, when a user
visits a website, while viewing an email message by user or
when users click on a deceptive pop-up window. However,
the most popular drive-by downloads occur by far when visiting
websites. An increasing number of web pages have
been infected with various types of malware. According to
Osterman Research survey [3], 11 million malware variants
were discovered by 2008 and 90% of these malware comes from
hidden downloads from popular and often trusted
websites. Before a download takes place, a user is first required
to visit the malicious site. To lure the user into visiting
a website with malicious content, attackers would send spam
emails that contain links to the site. When unsuspecting
user visits the malicious website, malware is downloaded and

installed in the victim’s machine without the knowledge
of the user. For example, the infamous Storm worm makes use
of its own network, multiple of infected computers, to
send spam emails containing links to such attack pages [102].
3. Exploiting existing vulnerabilities
Once malware is carried out to the victim’s system, cyber
criminals could utilize many different aspects of existing
vulnerabilities in the victim’s system further to use them in
their criminal activities. We examine most commonly exploited
existing vulnerabilities in hardware, software, and network
systems. This is followed by the discussion on existing efforts
that have been proposed to mitigate negative impacts from the
exploitations. The summary of the common attacks in the
hardware, software and network layers are presented along with
the examples of countermeasures in Fig. 3.
3.1. Hardware
Hardware is the most privileged entity and has the most ability
to manipulate a computing system. This is the level
where it has the potential to give attackers considerable
flexibility and power to launch malicious security attacks if the
hardware is compromised [23,24]. Compare to software level
attacks where many security patches, intrusion detection tools,
J. Jang-Jaccard, S. Nepal / Journal of Computer and System
Sciences 80 (2014) 973–993 977
and anti-virus scanners exist to detect malicious attacks
periodically, many of the hardware-based attacks have the
ability
to escape such detection. Taking advantage in lack of tools
support in hardware detection, the hardware-based attacks have

been reported to be on the rise [23].
Among different types of hardware misuse, hardware Trojan is
the most hideous and common hardware exploits [24].
The hardware Trojans are malicious and deliberately stealthy
modification made to electronic devices such as Integrity
Circuits (IC) in the hardware [25]. The hardware Trojans have a
variety of degrees which cause different types of undesirable
effects. A hardware Trojan might cause an error detection
module to accept inputs that should be rejected. A Trojan might
insert more buffers in the chip’s interconnections and hence
consume more power, which in turn could drain the battery
quickly. In more serious case, Denial-of-Service (DoS) Trojans
prevent operation of a function or resource. A DoS Trojan can
cause the target module to exhaust scarce resources like
bandwidth, computation, and battery power. It could also
physically
destroy, disable, or alter the device’s configuration, for
example, causing the processor to ignore the interrupt from a
specific
peripheral.
Illegal clones of hardware become source of hardware-based
exploitation since the chances of illegally counterfeited
hardware to contain malicious backdoor or hardware Trojans
increase. The chance to produce unauthentic hardware has
increased with a new trend in IT companies trying to reduce
their IT expense via outsourcing and buying off untrusted
hardware from online sites. Karri et al. [26] discusses how
today’s IT model of outsourcing has contributed to the
increased
chance of producing tampered hardware components from
untrusted factories in the foreign countries. Similarly, it is also
pointed out that IT companies often buy untrusted hardware
such as chipsets and routers from online auction sites or
resellers which in turn may contain harmful hardware-based

Trojans. These practices are not only problematic for IT com-
panies operated on the tampered hardware with potential
backdoor entry, it also increases the chance that the original
design and the details of internal states of system to be leaked
to unauthorized personnel.
Side channel attacks occur when adversaries gain information
about a system’s internal states by the examination of
physical information of device such as power consumption,
electromagnetic radiation and timing information of data in and
out of CPU. Sensitive data can be leaked via the results of such
side channel attacks. An approach has been reported in [22]
that examines a number of way cryptographic algorithm’s secret
key leaked as a result of analyzing radio frequency.
A number of techniques have been proposed to thwart attacks on
hardware level. Tamper-resistant hardware devices
have become an important consideration due to its criticality as
an entry point to the overall system security. Trusted
Platform Module (TPM) provides cryptographic primitives and
protected storage along with the functionality to exchange
tamper resistant evidence with remote servers [29–31,28]. The
term Trusted Computing Base (TCB) has been defined to
refer to parts of a system, the set of all hardware and software
components, to be critical to the overall security of the
system. The TCB must not contain any bugs or vulnerabilities
occurring inside because this might jeopardize the security
of the entire system. An exhaustive and rigorous examination of
its code base is conducted through computer-assisted
software audit or program verification to ensure the security of
TCB. In a hardware watermarking, the ownership information
is embedded and concealed in the description of a circuit
preventing the host object from illegal counterfeit. Hardware
Obfuscation is a technique to modify the description or the
structure of electronic hardware to intentionally conceal its
functionality [22]. These techniques are used to prevent

adversaries from obtaining the original design or counterfeiting
/cloning important parts of the hardware such as IC units. Some
of the countermeasures to count against side channel
attacks includes introducing noises so that the physical
information cannot be directly displayed, filtering some parts of
physical information, and making/blinding which seeks to
remove any correlation between the input data and side channel
emission [23,24].
3.2. Software defects
A software bug is the common term used to describe an error,
flaw, mistake, or fault in a computer program such as
internal OS, external I/O interface drivers, and applications
[103]. Cyber attacks utilize the software bugs in their benefits
to cause the systems to behave unintended ways that are
different from their original intent. The majority of cyber
attacks
today still occur as a result of exploiting software
vulnerabilities caused by software bug and design flaws [104].
Software-based exploitation occurs when certain features of
software stack and interface is exploited. Most common
software vulnerabilities happen as a result of exploiting
software bugs in the memory, user input validation, race
conditions
and user access privileges [40,39,42]. Memory safety violations
are performed by attackers to modify the contents of a
memory location. Most exemplary technique is buffer overflow.
The buffer overflow occurs when a program tries to store
more data in a buffer than it was intended to hold. Since buffers
are created to contain a finite amount of data, the extra
information can overflow into adjacent buffers, corrupting or
overwriting the valid data held in them. It allows attackers
to interfere into existing process code. Input validation is the
process of ensuring that the input data follows certain rules.

Incorrect data validation can lead to data corruption such as
seen in SQL injection. SQL injection is one of the most well
known techniques that exploit a program bug in a website’s
software. An attacker injects SQL commands from the web form
either to change the database content or dump the database
information like credit cards or passwords to the attacker.
Adversary exploits a flaw in a process where the output of the
process is unexpectedly and critically dependent on the
timing of other events. The time of check to time of use is a bug
caused by changes in a system between the checking of a
condition and the use of the results of that check. It is also
called exploiting race condition error. Privilege confusion is an
978 J. Jang-Jaccard, S. Nepal / Journal of Computer and System
Sciences 80 (2014) 973–993
act of exploiting a bug by gaining elevated access to resources
that are normally protected from an application or user. The
result is that adversaries with more privileges perform
unauthorized actions such as accessing protected secret keys.
In the programming community, a number of projects have been
initiated that are devoted to increasing the security
as a major goal [36–38]. Not only attending to fix inherent
common set of security flaws, the primary concern of these
projects is to provide new ideas in an attempt to create a secure
computing environment. In a code review-based secure
coding practice, software engineers identify common
programming errors that lead to software vulnerabilities,
establish
standard secure coding standards, educate software developers,
and advance the state of the practice in secure coding. In
a language-based secure coding practice, techniques are
developed to ensure that programs can be relied on not to
violate

important security policies. The most widely used techniques
include analysis and transformation. A well-known form of
analysis is “type checking” where the program detects any
unsafe type of objects before the program is run. Another
well-known form of program transformation is the addition of
runtime checks where the program is instrumented in a
way that prevents the program from making any policy-violating
transformation [42]. Code obfuscation is a process of
producing source or machine code that has been made difficult
to understand for humans [43,44]. Programmers often
deliberately obfuscate code to conceal its purpose or its logic to
prevent any possibility with reverse engineering. Secure
design and development cycle has also been proposed in [41,27]
which provides a set of design techniques enabling efficient
verification that a piece of system component is free of any
potential defects from its original design. Though they are not
straightforward approaches, formal methods provide the ability
to comprehensively explore the design and identify intricate
security vulnerabilities. Tools [34,35] and techniques [32,33]
have been developed to facilitate the verification of mission
critical security properties. These tools and techniques help to
translate higher-level security objectives into a collection of
atomic properties to be verified.
3.3. Network infrastructure and protocol vulnerabilities
The early network protocol was developed to support entirely
different environment we have today in a much smaller
scale and often does not work properly in many situations it is
used today. Weaknesses in network protocols are complicated
when both system administrators and users have limited
knowledge of the networking infrastructure [46,47]. For
example,
the system administrators do not use efficient encryption
scheme, do not apply recommended patches on time, or forget to
apply security filters or policies.

One of the most common network attacks occurs by exploiting
the limitations of the commonly used network protocols
Internet Protocol (IP), Transmission Control Protocol (TCP) or
Domain Name System (DNS) [14]. The IP is the main protocol
of the network layer. It provides the information needed for
routing packets among routers and computers of the network.
The original IP protocol did not have any mechanism to check
the authenticity and privacy of data being transmitted. This
allowed the data being intercepted or changed while they are
transmitted over unknown network between two devices. To
prevent the problem, IPSec was developed to provide encryption
of IP traffic. In many years, IPSec has been used as one of
the main technology for the creation of a virtual private network
(VPN) which creates a secure channel across the Internet
between a remote computer and a trusted network (i.e., company
intranet). TCP sits on top of the IP to transmit the packets
in reliable (i.e., retransmitting lost packets) and ordered
delivery of the packets. SSL was originally developed to
provide
end-to-end security, as oppose to only layer-based protocol,
between two computers which sits over the transmission control
protocol (TCP). SSL/TLS is commonly used with http to form
https for secure Web pages. The domain name server (DNS)
is the protocol that translates the human-readable host names
into 32-bit Internet protocol (IP) addresses. It is essentially
works as a directory book for the Internet telling routers to
which IP address to direct packets when the user gives a url.
Because DNS replies are not authenticated, an attacker may be
able to send malicious DNS messages to impersonate an
Internet server. Another major concern about DNS is its
availability. Because a successful attack against the DNS
service
would create a significant communication disruption in the
Internet, DNS has been the target of several Denial-of-Service
(DoS) attacks.

Cryptography is an essential tool to protect the data that
transmits between users by encrypting the data so that only in-
tended users with appropriate keys can decrypt the data.
Cryptography is the most commonly used mechanism in
protecting
data. A survey conducted by Computer …
Things to Know
Quiz: Authenticity Reading
· Meaning of the term “Authenticity”
· Limit or Boundary situation
· Self-Deception
· Aesthetic sphere
· Ethical sphere
· Religious sphere
· Suspension of the Ethical
· Will to Power: what is it? What is its aim?
· Who is the Ubermensch?
· Heidegger: falling; being-toward-the-end; being-in-the-world;
Dasein; resoluteness
· Two aspects of the self: “double property”
40
6
Authenticity
What does your conscience say? – ”You shall become who you
are.”
Friedrich Nietzsche

Moods and the problem of the real self
The word ‘authentic’ derives from the Greek , meaning
‘original’ or ‘genuine.’ To say that I am authentic, then, is to
sayauthentikos
that I do not simply imitate the socially prescribed roles and
values of the public world. I am genuine or true to the concerns
and
commitments that matter to as an individual. Authenticity, as
Charles Taylor writes, “is a certain way of being human that is
me my
way. I am called upon to live my life in this way, and not in
imitation of anyone else's. But this gives a new importance to
being true to
myself. If I am not, I miss the point of my life, I miss what
being human is for ” (1991, 28–29). Although Heidegger is the
only oneme
who liberally uses the word, employing the German (from the
stem meaning ‘own’ or ‘proper’) that translatesEigentlichkeit
eigen
literally as ‘being one's own’ or ‘ownedness,’ existentialists are
generally united in emphasizing the significance of authenticity,
of
to oneself. But, as we have seen, the commitment to one's own
truth is difficult because our normal tendency is to driftbeing
true
along and conform to the average expectations and meanings of
the public world. We are, for this reason, usually alienated from
ourselves, living in a state of comfortable self-deception
because we simply do what ‘they’ do. As a ‘they-self,’ we have
no sense of
who or what to us, and we are unable to see how exactly we
are different from anyone else. Yet thewe really are really
matters
existentialists make it clear that it is possible to be shaken out

of self-deception, not by means of any kind of detached
reasoning but
through penetrating moods or emotional experiences that can
shatter the routinized familiarity of everyday life, forcing us to
confront
ourselves as finite beings thrown into a world with no pre-given
meaning that can justify our choices.
For Kierkegaard and Heidegger, this existential confrontation is
disclosed to us primarily through ‘anxiety’ ( ) or ‘dread.’Angst
Unlike fear, which is always directed toward some external
threat, anxiety is directed as an unsettled existencetoward
oneself
penetrated by dizzying freedom and the possibility of death.
“One may liken anxiety to dizziness,” writes Kierkegaard in The
Concept
. “He whose eye chances to look down into a yawning abyss
becomes dizzy. … Anxiety is the dizziness of freedom whichof
Dread
[when] freedom gazes down into its own possibility, grasping at
finiteness to sustain itself” (1944, 55). Anxiety puts me face-to-
face
with my own freedom, exposing me to the fact that I am not a
stable and enduring thing but . In this way, anxiety revealsa
possibility
existence as fundamentally insecure, that the public meanings I
rely on to make sense of things are precarious, and that any
sense I
have of rational control and mastery of the world is an illusion.
Coming from within, this feeling has the power to shake me out
of the
false security of everydayness and open me up to my own
structural nothingness. Although can certainly arise in the face
of aAngst
profound crisis such as the death of a loved one, a terminal

illness, or a divorce, the mood is largely ; it is a
fundamentalautochthonous
part of the human situation and can, therefore, arise
spontaneously on its own, without an identifiable cause or
reason.
Jaspers refers to these moments as ‘limit’ or ‘boundary’
situations, a reference to the experience “when everything that
is said to be
valuable and true collapses before my eyes” (1956, 117; cited in
Wallraff 1970, 137). Nietzsche describes this feeling in terms of
“the
terror” (2000, 36) that overwhelms us when language and reason
fail and our understanding of the world as a place of order and
reliability dissolves, shattering our sense of who we are as
secure, self-subsisting individuals. Sartre famously refers to the
“nausea”
that suddenly overtakes us when the veneer of public meanings
collapses and we are confronted with the superfluous and
unintelligible
‘is-ness’ of things. Speaking through his character Roquentin in
his novella , he writes:Nausea
And then all of a sudden, there it was, clear as day: existence
had suddenly unveiled itself. It had lost the harmless look of an
abstract category: it was the very paste of things, this root was
kneaded into existence. Or rather the root, the park gates, the
bench,
the sparse grass, all that had vanished: the diversity of things,
their individuality, were only an appearance, a veneer. This
veneer
had melted, leaving soft, monstrous masses, all in disorder –
naked, in a frightful, obscene nakedness. … This moment was
extraordinary. I was there, motionless and icy, plunged in a
horrible ecstasy; I understood the Nausea, I possessed it. (127)
For Sartre, nausea reveals the sheer contingency and “terrible

freedom” (1956, 55–56) of existence, where we alone are
responsible
for deciding who we are and what our fate will be. Marcel
develops this theme by describing the feeling of “mystery” that
intrudes into
our everyday lives and defies rational explanation. It is the
uncanny sense that “there is nothing in the realm of reality to
which I can
give credit – no security, no guarantee” (1956, 27), and I am
left alone with the burden to accept and create myself. These
feelings
expose us to the fact that there is no ground that can secure our
lives and that any project or identity we commit ourselves to is,
in the
end, futile.
Camus explores the possibility of suicide in the face of these
feelings. In , he refers to the feeling ofThe Myth of Sisyphus
“absurdity” that strikes out of the blue when our need for
reasons confronts the “unreasonable silence of the world”
(1955, 28),
destroying the comforting rhythm of our everyday lives.
C
o
p
y
r
i
g
h
t
2
0

1
4
.
P
o
l
i
t
y
.
A
l
l
r
i
g
h
t
s
r
e
s
e
r
v
e
d
.
M
a
y

n
o
t
b
e
r
e
p
r
o
d
u
c
e
d
i
n
a
n
y
f
o
r
m
w
i
t
h
o

u
t
p
e
r
m
i
s
s
i
o
n
f
r
o
m
t
h
e
p
u
b
l
i
s
h
e
r
,
e
x

c
e
p
t
f
a
i
r
u
s
e
s
p
e
r
m
i
t
t
e
d
u
n
d
e
r
U
.
S
.

o
r
a
p
p
l
i
c
a
b
l
e
c
o
p
y
r
i
g
h
t
l
a
w
.
EBSCO Publishing : eBook Collection (EBSCOhost) - printed
on 3/26/2020 12:03 PM via LOYOLA MARYMOUNT UNIV
AN: 1102043 ; Aho, Kevin.; Existentialism : An Introduction
Account: loyola.main.ehost

41
It happens that the stage sets collapse. Rising, streetcar, four
hours in the office or the factory, meal, streetcar, four hours of
work,
meal, sleep, and Monday Tuesday Wednesday Thursday Friday
and Saturday according to the same rhythm – this path is easily
followed most of the time. (13, my emphasis)But one day the
‘why’ arises.
Absurdity prompts ‘ ’ because it discloses reality , as
contingent, meaningless, and irrational, revealing that I am
“athe why as it is
stranger to myself and to the world” (20–21), and the only
certainty is freedom and the ever-present possibility of my own
death.
Comparing the empty repetitiveness of modern life to the futile
struggles of Sisyphus – who was condemned by the Greek gods
to
forever push a rock up a mountain only to watch it roll back
down – Camus introduces suicide for those who are unable to
bear the
truth of ‘the absurd.’ The temptation to kill ourselves, then, is
similar to our temptation to flee into the metaphysical comforts
of
religion or the tranquilizing routines of the public; they are all
incarnations of flight from who we are. For Camus, suicide is a
rejection
or “repudiation” of one's own freedom, a freedom that defiantly
and passionately affirms the absurdity of life and which alone
can be
“enough to fill a man's heart” (198).
Guilt is another mood that provides insight into our own
existence. For existentialists like Kierkegaard and Heidegger,
‘guilt’ is not

to be interpreted in the religious or moralistic sense as a feeling
that we have done something wrong on the basis of some set of
moral
absolutes. This view creates the illusion that there are binding
ethical norms that we can appeal to. Existential guilt dissolves
this
illusion, revealing that there is nothing – no God, no reason, no
moral principle – that can legitimize or justify our choices and
actions.
Guilt reveals that we have been thrown into a world that we did
not choose, and it is a world that has abandoned us to the extent
that it
lacks any objective measure that can tell us what we should or
should not do. Understood this way, guilt does not represent a
moral
failing; it represents the structural unsettledness of being
human. The fact that we are thrown into a world that offers no
guidance for
our lives means that guilt is invariably accompanied by anxiety.
“The relation of freedom to guilt is anxiety,” says Kierkegaard,
“because freedom and guilt are still a possibility” (1944, 97).
The human situation is one where we are faced with an
indefinite range
of possibilities that the world opens up for us but are provided
with in terms of guidance. Guilt, then, not only reveals
ournothing
structural unsettledness; it also reveals that we are answerable
only to ourselves.
These moods are important for the existentialists not only
because they disclose basic truths about what it means human
butto be
because they have the power to pull us out of inauthenticity, out
of our various modes of self-deception. But it is important not
to
confuse the transformative power that existentialists attribute to

these emotions with the popular ideas of ‘getting in touch with
one's
feelings,’ ‘being true to one's inner self,’ or ‘finding the child
within.’ These notions are largely holdovers of Romanticism,
the
sprawling and disjointed cultural reaction to Enlightenment
rationality and the dehumanizing aspects of modern society. On
the
Romantic account, it is by attending to one's deepest and
innermost feelings – rather than to disinterested reason – that
the ‘ self’real
can emerge and reclaim a primitive unity or oneness with the
natural world, a unity that we once had and is still present in the
simple
spontaneous goodness of children (see Guignon 2004a, 49–77).
This sentiment is perhaps most famously expressed in
Rousseau's
(1762) when he writes: “ , our feeling is undoubtedly earlier
than our intelligence, and we had feelings beforeEmile To exist
is to feel
we had ideas. … Let us be simpler and less pretentious; let us
be content with the first feelings we experience in ourselves,
since
science always brings us back to these, unless it has led us
astray” (1999, 210). This view suggests that beneath the
instrumental and
deforming conventions of rational society is a human nature that
consists of spontaneous feelings that are fundamentally good.
Existentialists challenge this notion of innate human goodness.
They, of course, do not deny the crucial role that feelings play
in our
lives or that humans are capable of spontaneous acts of
tenderness and love, but they also acknowledge our darker side,
for instance,

the pleasure derived from senseless acts of violence and cruelty.
In , Dostoevsky's character Ivan KaramazovThe Brothers
Karamazov
describes the voluptuous experience of a “well-educated and
intelligent” father beating his young daughter with a rod:
I know for certain that there are floggers who get more excited
with every stroke, to the point of sensuality, literal sensuality,
more
and more, progressively, with each new stroke. They flog for
one minute, they flog for five minutes, they flog for ten minutes
–
longer, harder, faster, sharper. The child is crying, the child
finally cannot cry, she has no breath left: “Papa, papa, dear
papa!”
(1990, 241)
Dostoevsky concludes that these kinds of behaviors are not
reserved for the sick and demented. They are sensual capacities
that we
all share, and it is naïve to think that they are not part of what it
means human. “There is, of course, a beast hidden in everyto
be
man,” writes Dostoevsky, “a beast of rage, a beast of sensual
inflammability at the cries of the tormented victim, an
unrestrained beast
let off the chain” (241–242). And if we were to suggest that this
kind of interpretation is irrational and absurd, Dostoevsky
replies, “I
tell you that absurdities are all too necessary on earth. The
world stands on absurdities and without them perhaps nothing
would
happen” (243).
Nietzsche makes a similar point in acknowledging the human
instinct for cruelty and violence, an aspect of our animal nature

expressed most explicitly in the pleasure we derive in hurting
others. Consider this passage from his :On the Genealogy of
Morals
To witness suffering does one good, to inflict it even more so –
that is a harsh proposition, but a fundamental one, an old-
powerful
human all-too-human proposition, one to which perhaps even
the apes would subscribe: it is said that in devising bizarre
cruelties
they already to a large extent anticipate and at the same time
‘rehearse’ man. No festivity without cruelty: such is the lesson
of the
earliest, longest period in the history of mankind – and even in
punishment there is so much that is festive. (1996, II, 6)
This interpretation suggests that the confluence of feeling that
lurks below rational thought can be tender cruel, creative and
and
destructive and, therefore, transcends the simple binary between
good and evil. In order to to ourselves, we have tobe true
acknowledge and accept the drives of , including those that are
darkest and most dangerous. This is why, forthe whole person
existentialists like Nietzsche, traditional moralists get it wrong.
They are not trying to sublimate or control our sensual natures;
they
are cultivating weakness and impotence by trying to deny them
altogether. “Instead of employing the great sources of strength,
those
impetuous torrents of the soul that are so often dangerous and
overwhelming, and economizing them, this most short-sighted
and
pernicious mode of thought, the moral code of thought, wants to
make them dry up” (1968, 383).
In acknowledging our unconscious drives for destruction and

cruelty, writers such as Dostoevsky and Nietzsche anticipate the
insights of depth psychology, psychoanalysis, and Sigmund
Freud's (1856–1939) seminal idea of the ‘Id.’ In fact, Freud
famously
remarked that Dostoevsky “cannot be understood without
psychoanalysis – i.e., he isn't in need of it because he illustrates
it himself in
EBSCOhost - printed on 3/26/2020 12:03 PM via LOYOLA
MARYMOUNT UNIV. All use subject to
https://www.ebsco.com/terms-of-use
42
every character and every sentence” (cited in Frank 1976, 381).
And Nietzsche had “more penetrating knowledge of himself
than any
man who ever lived or was likely to live” (cited in Jones 1955,
385). These existential insights informed the development of the
modern novel, introducing primal and subversive anti-heroes
such as Kurtz in Joseph Conrad's (1903), Jake BarnesHeart of
Darkness
in Ernest Hemingway's (1926), and, more recently, Tyler
Durden in Chuck Palahniuk's (1996). TheseThe Sun Also Rises
Fight Club
depictions suggest that if authenticity is the affective recovery
of the ‘ ,’ then we ought to be worried about what we mightreal
you
uncover. Indeed, it could be that the self-deceptive and
conformist routines of ‘the they’ are actually protecting us from
who we really
.are
The existentialist protest against the ideal of human goodness

reveals that being authentic has little to do with being morally
‘good’
because there is no pre-given core of goodness inside of us to
begin with, and, with the ‘death of God,’ there is no moral
absolute that
can determine what is, in fact, good. Indeed, as we turn to
different conceptions of authenticity in the existentialist
tradition, we see
that the commitment to to oneself may require us to suspend
our duty to universal moral principles. And it is preciselybeing
true
because we have to choose between being ethical (‘ ’) and being
an individual (‘ ’) that thedoing what is right being true to
oneself
prospect of authenticity can be so terrifying. This tension is
powerfully expressed in Kierkegaard's conception of
authenticity.
Becoming an individual
As we saw earlier, Kierkegaard pioneered the existentialist
critique of philosophical detachment and objectivity by arguing
that it has
no connection to ‘ ,’ that is, to the concrete and particular
concerns of the individual. By taking thethe highest truth
attainable
standpoint of a disinterested spectator, philosophers cut
themselves off from their own subjective truths. And it is these
kinds of truths
that are most important because they alone can tell me ‘ .’ For
Kierkegaard, it is only when we live our lives on thewhat I am
to do
basis of these passionate inward commitments that we actually
succeed in becoming a ‘self’ or ‘individual.’ This process
usually
involves moving through three stages or spheres of existence,

which he identifies as the ‘aesthetic,’ the ‘ethical,’ and the
‘religious’
stages.
The aesthetic sphere is the one that most of us live in as
children, adolescents, and young adults. In this stage, we are
caught up in
the sensual pleasures and intoxications of the present moment.
Using the character of Don Juan as an archetype, Kierkegaard
portrays
the aesthete as one who is unconcerned with moral obligations;
he or she is focused only on the satisfaction of immediate
pleasures,
whether it is sex, food and drink, travel, or shopping. The life
of the aesthete is reduced to the consumption of transitory
pleasures and
flight from the threat of pain and boredom. Kierkegaard sees the
aesthetic life as one that ultimately leads to despair, not merely
because temporal pleasures are short-lived and pull us into an
empty cycle of searching for the next thrill, but because the
aesthete is
not yet an ‘individual’ or a ‘self.’ To be a self, for Kierkegaard,
requires difficult, life-defining choices that synthesize and bind
together the temporal moments of one's life into a coherent and
lasting whole. “A human being is a synthesis of the infinite and
the
finite,” writes Kierkegaard, “of the temporal and the eternal. …
Looked at in this way, [the aesthete] is not yet a self” (1989, 43,
my
emphasis). To the extent that the aesthete is unable to make a
unifying commitment, he or she is fundamentally inauthentic,
dispersed,
and pulled apart by the finite pleasures of the moment and
suffers from the despair of “not wanting to be itself, [of]
wanting to be rid
of itself” (43).

It is possible, however, through a transformative emotional
crisis to become aware of the underlying emptiness of the
aesthetic life
and realize existence is more than a hedonistic masquerade. It is
at these times that we begin to grasp the seriousness of our own
existence, that life requires difficult commitments, and that
these commitments have the power to pull the fragmented and
disjointed
moments of our lives together and constitute us . In ,
Kierkegaard's character Judge Wilhelm warns theas selves
Either/Or
pleasure-seeking aesthete:
One … wishes that some day the circumstances of your life may
tighten upon you the screws in its rack and compel you to come
out
with what really dwells in you. … Life is a masquerade, you
explain, and for you this is inexhaustible ma-terial for
amusement; and
so far, no one has succeeded in knowing you. … In fact you are
nothing. … Do you not know that there comes a midnight hour
when everyone has to throw off his mask? … I have seen men in
real life who so long deceived others that at last their true
nature
could not reveal itself. … Or can you think of anything more
frightful than that it might end with your nature being resolved
into a
multiplicity, that you really might become many, become, like
those unhappy demoniacs, a legion and you thus would have
lost the
inmost and holiest of all in a man, the unifying power of
personality? (1946a, 99)
In taking a deliberate and principled stand on one's life, one
enters the ethical sphere by renouncing temporal pleasures and

committing oneself to eternal moral principles. Here,
Kierkegaard is drawing on Kant's ethics that regards the moral
agent as
duty-bound to a set of universal laws – such as the Ten
Commandments or the Golden Rule – that apply to everyone and
take priority
over one's own selfish interests and inclinations. “The ethical as
such is the universal,” writes Kierkegaard, “and as the universal
it
applies to everyone, which can be put from another point of
view by saying that it applies at every moment” (1985, 83).
With this
commitment, the individual is ‘willing to be oneself’ because he
or she has made the difficult ‘either/or’ choice that provides the
coherence and unity necessary in being a self. Judge Wilhelm
illustrates this distinction by articulating the moral duties of
marriage.
The ethical individual renounces the fleeting pleasures of
sensual love or lust and instead chooses to be a self by making a
life-defining
commitment to an eternal principle, to the universal ideal of
marriage. Thus, “the true eternity in love, as in true morality,
delivers it,
first of all from the sensual. But in order to produce this true
eternity, a determination of the will [a choice] is called for”
(Kierkegaard
1946a, 83).
The ethical sphere remains problematic, however, precisely
because it sets the universal the subjective needs of theabove
individual. In stoically committing oneself to universal
principles and renouncing one's own particular needs, the
ethical individual is
detached from the concrete realities of existence itself. The
husband, for instance, who devotes himself to the ideal of
marriage runs

the risk of being cut off from the subjective upheavals of
actually . Again, for Kierkegaard, the highest form of truth is
notbeing in love
objective and universal but and . This means that objective
moral principles are not universally binding. Theresubjective
particular
EBSCOhost - printed on 3/26/2020 12:03 PM via LOYOLA
MARYMOUNT UNIV. All use subject to
https://www.ebsco.com/terms-of-use
43
may be times in one's life when one must suspend his or her
obligations to the ethical and be guided by higher-order values
that arise
from one's own subjective passions. It is at this stage that one
enters the religious sphere, the sphere of faith.
For Kierkegaard, being true to oneself requires passing into the
religious sphere and ‘becoming a Christian,’ but this has
nothing to
do with being a member of a church and blindly accepting
‘Articles of Faith.’ Such a view creates the kind of self-satisfied
conformism that existentialists reject. On Kierkegaard's view,
becoming a Christian requires a passionate inward commitment
precisely because of the absurdity and irrationality of its
doctrines. It is not difficult to accept a set of plausible moral
principles, but it
is terrifying to be a Christian because of its implausibility.
Indeed, it is the absurdity that makes the religious life possible.
It requires
the highest form of individuation, a ‘leap’ into a paradox that
cannot be rationally justified and a willingness to suspend one's

obligations to the ethical sphere.
In , Kierkegaard uses the biblical figure of Abraham to illustrate
the experience of individuation that occurs asFear and
Trembling
one moves from the ethical to the religious sphere. The ethical
reveals to Abraham a universal commandment, that under any
and all
circumstances a father must protect and love his child. But he is
told by God to break this moral code and kill his son. He is
caught in a
horrifying conflict where he must either disobey the word of
God or violate a universal moral imperative. In his willingness
to
sacrifice his son, Abraham becomes a ‘knight of faith.’ He
breaks his commitment to ethical principles and chooses a
higher truth: the
truth embodied in the solitary individual who stands in
anguished freedom before himself and an absurd and
incomprehensible God.
With a religious conscience, Abraham makes the ‘leap of faith,’
accepting the maddening paradox that his own individual needs
are of
infinite importance and, therefore, higher than the universal and
ethical. “Faith is just this paradox,” writes Kierkegaard, “that
the
single individual is higher than the universal, though in such a
way, be it noted, that the movement is repeated, that is, that,
having
been in the universal, the single individual now sets himself
apart as the particular above the universal” (1985, 84). As a
paradox,
Abraham's choice is incomprehensible to others. In making the
leap he has “discover[ed] something that thought cannot think”
(1936,
29). There are no reasons to explain his actions. By all

appearances, “he is insane and cannot make himself understood
to anyone”
(1985, 103). This is because one's own subjective truth cannot
be expressed objectively; it can only be felt with the intensity
and
passion of the individual who makes the choice.
The philosopher Bernard Williams offers a secularized version
of Kierkegaard's ‘suspension of the ethical’ with an account
based
loosely on the life of the French painter Paul Gauguin. On
Williams's reading, Gauguin, in pursuing the life-defining
commitment to
be an artist, abandons his wife and children to a desperate
financial situation and moves to Tahiti, where he believes the
tropical setting
will allow him to develop more fully as a painter. Although he
feels a strong sense of moral duty to his family, he is drawn by
deeper
values that conflict with universal principles and rational
justifications. Williams describes the tension between the
values of morality
and the values of the individual, writing that “while we are
sometimes guided by the notion that it would be the best of
worlds in
which morality were universally respected and all men were of a
disposition to affirm it, we have, in fact, deep and persistent
reasons
that that is not the world we have” (1981, 23). Like
Kierkegaard, Williams sees traditional conceptions of morality
as generally
following the Kantian formula that moral values are rational and
universal. Yet in Gauguin's case we see that there are values –
grounded in the idiosyncratic passions of the individual – that
fall outside the purview of reason and morality, and this means
that

morality cannot be the sole source of value. Williams's
underlying point is not to claim that moral considerations are
unimportant, but
that “each person has a life to lead” (1985, 186), and this means
that, in to myself, I may have to make the painful choice
ofbeing true
breaking these binding commitments because they do not
adequately reflect the values that matter to me as an individual.
Similarly, when Kierkegaard claims that the ‘individual is
higher than the universal,’ he is not suggesting that religious
faith
requires getting rid of the ethical. This is impossible. The point
is that, in some cases, faith may supersede any moral obligation.
But
the ethical is still present in the anguished struggle that the
individual endures in breaking this obligation. If the content of
the ethical
sphere were completely absent, then Abraham would not be
overcome with ‘fear and trembling.’ The paradox that
Kierkegaard is
expressing is that the passionate, life-defining commitment
required in to oneself cannot be expressed or made
intelligiblebeing true
in ethical terms of right and wrong; it is a commitment that is
beyond rational comprehension. Becoming a self, then, “remains
in all
eternity a paradox, inaccessible to thought” (1985, 85). This
idea, that in order to be authentic we must be willing to go
beyond
universal moral principles, is developed further by Nietzsche,
who claims that these principles breed conformism and
weakness,
preventing individuals from wholly accepting themselves and
diminishing their ability to create their own lives.

Living with style
There is no way to access Nietzsche's conception of authenticity
without placing it within the context of . For Nietzsche,nihilism
nihilism means that the very idea of “truth is an error” (1968,
454, 540), and there is no objective or universal justification for
our
choices and actions. This, however, is not a cause for despair,
but for celebration. It frees us from the bourgeois values of the
Western
tradition so we can create new values and meanings that reflect
our own temperaments and …