Introduction: new directions in cybercrime research
The Internet, computers, cell phones, and other forms of technology have revolutionized every aspect of human life over the last several decades, including how we communicate, bank, shop, obtain the news, and entertain ourselves (Holt and Bossler 2016). These technological advancements have also created myriad opportunities for offenders to commit various forms of crime. Online crimes are often referred to as cybercrime and occur because ‘the perpetrator uses special knowledge of cyberspace’ (Furnell 2002, 21). Cybercrime can therefore be viewed as a large umbrella term that encompasses computer-assisted crime in which computers and technology are used in a supporting role, such as the use of a computer to send harassing messages. At the same time, the term cybercrime also includes computer-focused crimes that are a direct result of computer technology and would not exist without it, such as unauthorized computer system trespassing (Furnell 2002; McGuire and Dowling 2013).
Cybercrimes can be classified into different categories, including cyber-trespass (e.g., unauthorized system access), cyber-deception/theft (e.g., identity theft, online fraud, digital piracy), cyber-porn/obscenity (e.g., child sexual exploitation materials), and cyber-violence (e.g., cyberstalking; cyber terrorism) (Holt, Bossler, and Seigfried-Spellar 2018; Wall 2001). It is nearly impossible to estimate the amount of cybercrime that occurs in most nations across the world because of a lack of standardized legal definitions for these offenses and few valid, reliable official statistics (Holt and Bossler 2016). Evidence demonstrates, however, that cybercrime rates are increasing as the rates for many forms of traditional street crimes continue to decrease (Tcherni et al. 2016).
The amount of research on cybercrime has grown exponentially over the last few decades. Much of the preliminary work in this area focused on exploring how the nature of cybercrime and cyberspace differed from traditional crime and terrestrial space (e.g., Grabosky 2001; Wall 1998). A significant challenge for cybercrime scholars, both historically and currently, is the lack of official statistics on most forms of cybercrime. In the United States, the Federal Bureau of Investigation’s Uniform Crime Report’s Summary Reporting System (SRS), the most commonly used source for crime data, provides no information on cybercrime or whether any form of technology was involved in the commission of a crime. The National Incident-Based Reporting System (NIBRS), which the U.S. is fully moving to in 2021, also does not provide a specific cybercrime category, but does allow agencies to indicate whether a computer was involved in the commission of a crime. Since necessity is the mother of invention, scholars studying cybercrime were required to collect primary data in innovative ways, such as by analyzing forum discussions, bulletin boards, and blogs, deploying honeypots, and developing field experiments (see Holt and Bossler 2016 for review). In addition, many scholars surveyed different populations, with a heavy emphasis on college samples.
Scholars became particularly interested in testing whether traditional criminological theories, such as routine activities theory, social learning theory, and the general theory of crime, applied to various forms of cybercrime. As a result, scholars collected primary data and measured key concepts of traditional criminological theories. The focus shifted from analyzing the similarities and differences of cybercrime in general to examining whether the same theoretical causes and correlates of traditional crime applied equally well to cybercrime. Considering that these studies were often based on college and youth samples, scholars examined simpler forms of cybercrime and cyberdeviance, such as online harassment, digital piracy, and account password guessing, rather than more complex forms of cybercrime requiring technical skills.
Data limitations were not the only hurdle for cybercrime researchers. It was not that long ago (a little over a decade ago for the first co-editor) that cybercrime researchers shared stories about the challenges they experienced in publishing cybercrime studies in traditional criminal justice journals. Authors often heard from editors that their manuscripts were interesting, but that ‘cybercrime was not a crime, and the topic would not appeal to a wide-ranging audience.’ Scholars started discussing federal and state statutes early in their manuscripts to illustrate that the online behavior studied in the manuscript was, in fact, illegal and punished by fines and imprisonment. Yet, cybercrime scholars still heard that their manuscripts were not sufficiently ‘criminal’ and that the manuscript would be more appropriate in cybersecurity, computer science, and IT journals.
Today, it seems that the general mood of the field is changing. There is a significant and growing number of cybercrime-related presentations at national and international conferences each year. The European Society of Criminology (ESC) Working Group on Cybercrime, which was created in the last several years, organizes panels and discussions on cybercrime at the ESC meetings. In addition, the Division of Cybercrime was just approved by the American Society of Criminology (ASC). Such officially sanctioned and recognized groups did not seem possible just a few short years ago. Furthermore, undergraduate and graduate offerings in cybercrime are increasing throughout the country. Some programs are even offering specific certificates and undergraduate and graduate degrees in cybercrime, such as Georgia Southern University and the University of South Florida.
These developments inspired the creation of the first annual Conference on the Human Factor in Cybercrime held at Hebrew University in Jerusalem, Israel in October 2018. Criminologists and social scientists sought an opportunity to come together to share their focused research on cybercrime with others in the field and identify potential collaborators in computer science and engineering. The second annual Conference on the Human Factor in Cybercrime was recently held in October 2019 in the Netherlands with future possible conferences in Canada, the U.S., and other participating countries.
The manuscripts in this special issue were culled from research presented at the first conference, and illustrate several points about the current state of cybercrime research. First, they highlight the international nature of cybercrime research. The authors hail from the United States, Canada, Israel, the Netherlands, and Germany. Second, they demonstrate that theory is at the heart of all criminology research, even when the focus is on complex forms of cybercrime. Scholars in this special issue use traditional criminological theories, such as routine activities theory, deterrence theory, and social control, to better understand the causes and correlates of online fraud, website defacement, cyberattacks against critical infrastructure, system trespassing, and cyberattacks against automobiles. These studies demonstrate the need to understand the human element of cybercrime as well as its technical components.
Third, most of the manuscripts in this special issue focus on more complex forms of cybercrime, demonstrating that the field is now able to better tackle these issues with innovative data collection methods. Only two of the manuscripts collected primary data through the administration of surveys. The other manuscripts all collected data in different and rich ways, such as the examination of police, court, or probation records and files, emailing online fraudsters, scraping online platforms, and downloading website defacement data.
The research of cybercrime scholars should be the key information source for policymakers, the public, security professionals, and other academics on how to decrease various forms of cybercrime. Unfortunately, there is a lack of evidence-based studies testing the effectiveness of cybercrime policies. In Dupont’s ‘Enhancing the Effectiveness of Cybercrime Prevention through Policy Monitoring,’ he argues that countries around the world have spent massive sums to invest in cybersecurity, but have not spent the resources to develop tools to assess the effectiveness of government interventions in reducing cybercrime. Dupont illustrates that policy monitoring would lead to a more robust knowledge base regarding the effectiveness of cybercrime policies because it would lead to a systematic collection of data, rigorous evaluations, and wide dissemination of the evaluation results. In his analysis of 18 policy surveillance platforms, he outlines their main features and discusses how they could be applied to cybercrime prevention efforts. He argues that the creation of a cybercrime prevention surveillance tool should be considered a priority considering the harms of cybercrime. Dupont writes: ‘It is now up to cyber-criminologists to determine the relevance of this framework, its feasibility, and the collaborative resources that would be needed to translate it into reality.’
Maimon, Santos, and Park use a criminal event perspective in their manuscript entitled, ‘Online Deception and Situations Conducive to the Progression of Non-Payment Fraud,’ to examine how online fraudsters use urgency cues in their interactions with potential victims. Maimon and colleagues posted ‘for sale’ advertisements in order to exchange emails with potential fraudsters to examine whether verbal cues of urgency in the early stages of a criminal event are followed by verbal and non-verbal urgency cues in later stages. Their findings demonstrate the utility of the criminal event perspective to better understand the dynamic aspect of online fraud specifically and cybercrime in general.
Howell, Burruss, Maimon, and Sahani provide one of the first studies, if not the first study, examining the causes and correlates of website defacement at the macro-level in ‘Website Defacement and Routine Activities: Considering the Importance of Hackers’ Valuations of Potential Targets.’ This manuscript provides a rare examination into how structural characteristics are related to the frequency of website defacements at the national level. Collecting data on website defacements, Howell et al. use routine activities theory as a framework to find that website defacements were less likely to occur within a country that had capable guardianship and more likely to occur when target suitability was present. These findings only applied to the frequency of recreational website defacement and not political website defacements. Howell et al. demonstrate that routine activities theory continues to be a useful framework to study cybercrime, regardless of whether the test occurs at the individual or macro level.
Madarie, Ruiter, Steenbeek, and Kleemans also use a criminal event perspective in their manuscript, ‘Stolen Account Credentials: An Empirical Comparison of Online Dissemination on Different Platforms,’ to examine how stolen account credentials were offered on an online discussion forum, online marketplace, and a paste website. In their analysis of data collected from web scrapes, they found that variation existed among the three online platforms regarding the type of account information available, the average asking price, rules for transactions, and the services provided after the transaction. The manuscript should make the reader consider the importance of understanding the criminal event (i.e., knowing the answers to who, what, when, where, and how) before we can develop deeper theoretical understanding of online behavior (i.e., answering the why question).
The next two manuscripts of the special issue analyze data collected from official sources. In ‘Money Talks: Money Laundering Choices of Organized Crime Offenders in a Digital Age,’ Krulsbergen, Leukfeldt, Kleemans, and Roks examine case reports from 30 large-scale criminal investigations into organized crime from the Dutch Organized Crime Monitor. They explore whether information technology alters how organized crime offenders spend and launder their criminal earnings. The use of cryptocurrencies seemed to be limited to IT-related crime. Offenders of both traditional crime and cybercrimes, however, preferred cash. Krulsbergen et al.’s findings do not support the growing concern regarding organized crime becoming more involved in complex cybercrimes.
Harbinson and Selzer use data from the Administrative Office of the United States Courts, Probation and Pretrial Services Office in their manuscript, ‘The Risk and Needs of Cyber-Dependent Offenders Sentenced in the United States,’ to conduct one of the few studies that examine cyber offenders from a corrections perspective. They examine the demographics and risk and needs of cyber-dependent offenders serving community supervision in the federal probation system. Cyber offenders generally scored low on risk to reoffend. When the cyber offenders had risk factors, they were primarily found in criminal history and family and marital issues. These findings should make the reader consider whether assessment tools created for ‘traditional’ offenders are appropriate for cyber offenders and whether special assessments are needed. In addition, the findings show the importance of additional research on the risk and needs of cyber offenders to help the courts and probation departments modify their supervision conditions and interventions.
The next two manuscripts both demonstrate that college samples still have an important role in testing the applicability of criminological theories to cybercrime. Both manuscripts also emphasize the role of informal sanctions in influencing serious online behavior. ‘Perceived Formal and Informal Sanctions on the Willingness to Commit Cyber Attacks Against Domestic and Foreign Targets,’ by Adam Bossler examines the substantially under-examined problem of cyberattacks against domestic and foreign targets. Collecting data from a college sample in the United States, Bossler finds that anticipated formal sanctions were not related to a willingness to commit website defacements and compromise bank and government servers. The findings support concerns about the ability of formal sanctions to effectively curtail various forms of cybercrime. Congruent with the traditional literature, anticipated informal sanctions, such as shame and embarrassment, were more likely to reduce all cyberattacks examined.
In ‘Out of Control Online? A Combined Examination of Peer Offending and Perceived Formal and Informal Social Control in Relation to System Trespassing,’ Berenblum, Kranenbarg, and Maimon examine the relationship between formal social control, informal social control, peer offending, and system trespassing in an Israeli college sample. Berenblum et al. find that peer offending is important in comparison to social control. They also find interesting interaction effects; for example, those who have stronger IT skills and who perceive informal social control to be ineffective in cyberspace have the highest probability of offending. Their overall findings suggest that increasing the perception of online formal and informal social control for specific groups, such as those with online deviant friends or who have stronger IT skills, may reduce future offending.
The final manuscript explores an issue that significantly impacts our daily safety and privacy, although most individuals are unaware of it – the cybersecurity of our automobiles. An increasing number of components within automobiles are both controlled by computers and provide information to remote systems. The security of these systems from outside intruders is essential for safety (e.g., auto-pilot, braking). These systems also hold enormous amounts of information about ourselves (e.g., account information, where we have been, our daily routines, etc.). In ‘Automotive Cybersecurity: Assessing a New Platform for Cybercrime and Malicious Hacking,’ Kennedy, Holt, and Cheng use routine activities theory to identify effective guardianship strategies in the automotive supply chain, including automobile manufacturers and their suppliers, that can prevent or mitigate the cybersecurity risks threatening Connected and Autonomous Vehicles (CAVs). They specifically argue that the companies responsible for the creation and adoption of these technologies have the most important role in protecting CAVs from cybersecurity threats. After a thorough discussion of the key threats and intervention points, the authors discuss the need for additional research and standards for this field.
The field of cybercrime research is growing, scholars are exploring new innovative methods, and our research is making a larger impact. This special issue is hopefully another indicator that the field of cybercrime research has arrived, and that we are moving forward. The authors in this special issue are all suggesting new directions for the field, but they all point forward. New challenges await us. We would like to thank Mike Leiber and the staff at the Journal of Crime & Justice for the opportunity to highlight these new directions.
Adam M. Bossler
Dr. Adam M. Bossler is Professor and Chair of the Department of Criminal Justice and Criminology at Georgia Southern University. His research interests focus on the applicability of criminological theories to cybercrime offending and victimization and the law enforcement response to cybercrime. His research has been funded by the Department of Justice, National Science Foundation, and United Kingdom Home Office. He has co-authored three books (Cybercrime and Digital Forensics: an Introduction, 2nd edition; Cybercrime in Progress: Theory and Prevention of Technology-Enabled Offenses; and Policing Cybercrime and Cyberterror) and written extensively in peer-reviewed journals, including Criminology and Public Policy, Policing, International Journal of Offender Therapy and Comparative Criminology, Journal of Criminal Justice, and Deviant Behavior. He is also a board member on the International Interdisciplinary Research Consortium on Cybercrime (IIRCC) and the European Society of Criminology’s Working Group on Cybercrime.
Dr. Tamar Berenblum is the research director of the Federmann Cyber Security Center – Cyber Law Program, Faculty of Law, the Hebrew University of Jerusalem, Israel, and the co-chair of the European Society of Criminology (ESC) Working Group on Cybercrime. Tamar is also a Post-Doc Research Fellow at the Netherlands Institute for the Study of Crime and Law Enforcement (NSCR), Netherlands, Rachel and Selim Benin School of Computer Science and Engineering, the Hebrew University of Jerusalem, Israel and at The Center for Cyber Law & Policy at the Haifa University (CCLP). Tamar’s research interests include victimology, sociology of knowledge, cybercrime, online social control and digital rights. Her Doctoral thesis at the Hebrew University of Jerusalem, Israel titled ‘The Internet as a Sphere of Social Control’ examines the internet both as a sphere for social control and as a tool for such control over deviant activities. The study focuses on mapping and analyzing online social control practices and the applicability of social control theories and policies in the context of cyberspace.