Cybercrime and its Socioeconomic Impact
When approaching cybercrime and its socioeconomic impact, where should one begin?
Getting our arms around such a broad multi-component issue is one of the key challenges to be addressed and, if done well, will lay the foundation for optimal data analysis, resolution proposals and cybercrime threat mitigation. We propose the answer is to develop a framework to guide our impact assessment. Given our task, no single unified framework exists so we must build on what models exist and flesh out the framework as much as possible.
To begin, we need operational definitions of the elements, starting with socio-economic impact assessment. We define socio-economic impact analysis as a procedure in which pros and cons for a whole community or various processes are shown and studied.
How, then, can we understand the various elements of cybercrime in a way that makes assessment of its impact possible?
The CC-DRIVER project has already defined categories of crime as a way to structure the impact question. These are:
Category I. ‘Crimes against the machine’
Category II. ‘Crimes using the machine’
Category III. ‘Crimes in the machine’ / ‘Content-related cyber-offences’
Cross Category I-III: Mass Information Manipulation (including behavioural manipulation using advanced technology and behavioural manipulation by spreading of false information).
We do not include Category IV, ‘Cyber-assisted crimes/incidental technology use’ (illegal gambling, gaming, online money laundering, muling, and criminal communications). We are not able to identify a sufficiently cohesive set of socio-economic impact factors as the literature is informed by only a small number of cybercriminal activities, i.e., money laundering and muling.
This offers a good starting point to develop the framework. Next, we list the various impacts cybercrime has on victims. In broad terms, we can delineate socio-economic impacts into qualitative and quantitative. There is more research around the quantitative impacts, usually measured in financial impact as these approaches more easily lend themselves to measurement. On the qualitative side, we see models which attempt to capture all effects and then either rank order them or simply acknowledge the effect without a measurement scale.
Given the wide base of potential framework stakeholders, each with specific research questions in mind, we elect to list the most prominent models in the research, categorise them by cybercrime type and list the impacts measured for each one.
Three models are included; these represent the most relevant approaches to cybercrime impact assessment from the literature. They can be summarised as: measuring costs incurred to affected assets, measuring costs incurred according to a comprehensive list of all costs (incorporating qualitative and quantitative effects), and assessing costs via revenue gains made by cybercriminals.
Model 1 is a comprehensive review of assessment approaches and methods for valuing (tangible and intangible) asset losses from cybersecurity incidents. This model seeks to quantify the losses incurred by organisations from having assets compromised by cybersecurity attacks, for example, a virus rendering a system inoperable.
Model 2, a ‘Costs of Cybercrime’ assessment framework, approaches impact measurement from the perspective of the victim and is the most comprehensive attempt at encompassing all impacts, not only from a financial loss standpoint. It lists 19 ‘Costs in anticipation’ of cybercrime that precede exposure to any cyber-offending behaviours and encompass all the defensive and precautionary measures and resources deployed in the attempt to reduce the likelihood of cybercrime victimisation, including the costs of developing, deploying and maintaining cybersecurity technology products and services, training and awareness measures. ‘Costs as a consequence’ of cybercrime typically manifest in the immediate aftermath of any online offence and may include the costs of incident-handling and disruption-containment efforts (e.g., undertaken by remediating, restoring, rebuilding and replacing compromised tangible and intangible assets). Finally, ‘Costs in response’ to cybercrime include any reasonable cost invoked by the practices and courses of action undertaken by first-order crime responders and affected socio-economic groups (public agencies, law enforcement and the criminal justice system, individuals and private sector organisations) responding to cybercrime victimisation. Therefore, unlike the first two cost categories, these subsequent impacts are highly contingent on human agency and situational characteristics (lower risk/degree of uncertainty).
Model 3 assesses revenues from cyber-offending behaviours: it treats the revenue generated by cybercriminals as the impact and does not consider impact to the victim. As such, this model serves more to measure macro effects on society as a whole.
Users should consider three limitations of the framework: First, impact assessment models must be refined along chosen variables (e.g., victim type, offence type, geographical scope) which makes a one-size-fits-all framework as yet impractical. Second, data types and sources lack uniformity; data across such a broad spectrum makes model comparison and validation difficult. Third, cybercrime measurement as a field is nascent and evolving and, as such, reference and baseline data are thin on the ground.
To address these limitations, users should preselect a model or models from the framework to suit their research needs, with the data validation challenges in mind. A proof-of-concept example is presented in the report that applies two of the framework’s three models to assess the impact of Cybercrime as a Service (CaaS), as it relates to extortion.
Read about the CC-DRIVER strategy for addressing the socio-economic aspects of cybercriminality in our Policy Brief No. 11.