Abstract
Despite growing indications and fears about the impact of cybercrime, only a few academic studies have so far been published on the topic to complement those published by consultancy firms, cybersecurity companies and private institutes. The review of all these studies shows that there is no consensus on how to define and measure cybercrime or its impact. Against this background, this article pursues two aims: 1) to develop a thorough conceptual framework to define and operationalize cybercrime affecting businesses as well as its impact, harms, and costs; and 2) to test this conceptual framework with a survey of businesses based in Belgium, which was administered in summer 2016 and elicited 310 valid responses. Consisting of five types, our conceptualization of cybercrime is, unlike others, technology-neutral and fully compatible with the legislation. Drawing on Greenfield and Paoli’s Harm Assessment Framework (The British Journal of Criminology, 53, 864–885, 2013), we understand impact as the overall harm of cybercrime, that is, the “sum” of the harms to material support, or costs, and the harms to other interest dimensions, i.e., functional (or operational) integrity, reputation and privacy. Whereas we ask respondents to provide a monetary estimate of the costs, respondents are invited to rate the severity of the harms on the basis of an ordinal scale. We claim that this “double track” gives a fuller, more valid assessment of cybercrime impact. Whereas most affected businesses do not report major costs or harm, 15% to 20% of them rate the harms to their internal operational activities as serious or more, with cyber extortion regarded as most harmful.
Notes
The researchers of the FP7 project “eCrime” [14] report having conducted 25 interviews with business representatives in six countries (Estonia, Germany, Italy, the Netherlands, the UK, and Poland), but have yet to publish their findings.
With a broad conceptualization of cybercrime, Detica [20] concluded in 2011 that the annual cost of cybercrime to the UK most likely was £27bn (about 1.8% of GDP). On behalf of the anti-virus company McAfee, CSIS [22] claimed that high-income countries lose as much as 0.9% of GDP, annually. According to the CSIS report’s most conservative scenario, the total global cost of cybercrime would amount to $375 billion (see also, e.g., [23, 24]).
Detica [20] does not fully achieve technological neutrality, as its list of cybercrimes also includes the technique of scareware.
It also reflects the criminal offences defined by the 2013 EU Directive on attacks against information systems.
We speak, though, of cyber espionage rather than “illegal interception” (art. 3) and combine the offences of “data” and “system interference” (art. 5–6) in a single category.
We foresee no type for the last computer-integrity crime introduced by the Council of Europe’s Convention, that is, “misuse of device,” because this is a mere preparatory offence.
This conceptualization heavily relies on Greenfield and Paoli [28].
To help the respondents clearly understand the meaning of the answer categories, we provide the following guideline: “In assessing the severity of a harm please consider the ability of your business to fulfil its mission in the mid and long-term (thus six months or longer) as a benchmark:
- A “catastrophic” harm would be a harm that prevents your business from fulfilling its mission for six months or longer;
- At the opposite end, a “marginal” harm is a harm that affects only lightly and/or shortly your business’ ability to fulfil its mission;
- Given this long-term perspective, an incident that shuts down all business’ services for one day or two would be “serious” or “grave” but not “catastrophic”;
- “Not applicable” means that this type of cyber incident cannot (according to you) have an effect upon the item being asked.”
For the business size, we follow the standard classification of the European Commission [56].
The Ministry provides no figures for businesses separate from individuals liable to VAT.
The assumption of equality of covariance matrices was violated (Box’s M = 122.208, F (30, 118,770) = 3.948, p < .001). In addition, the assumption of equal error variances was violated for data/system interference (F (2, 265) = 7.103, p < .001), cyber extortion (F (2, 265) = 39.763, p < .001) and internet fraud (F (2, 265) = 7.340, p < .001). As indicated in the methodology section, we have used a significance level of .01 instead of .05 in the latter cases.
This distinction is not possible for cyber extortion, because the number of repeat victims was below the cut-off point for reporting percent values.
We assumed that this cost is only relevant for cyber espionage, data/system interference and cyber extortion.
As for the costs of internet fraud, we asked respondents to estimate the revenue lost. Twenty-two of the 33 victimized businesses report revenue losses lower than €1000, four report losses between €1000 and €9999 and three report losses of €10,000 or more. Two businesses do not provide an amount.
In all these cases, there are no major differences between last/only and all/most serious incidents.
In the 2017 Eurobarometer on cybersecurity ([59]: T23) 13% of Belgian residents admitted having been victim of online banking fraud, 4% more than in 2014 and 2% more than the EU average.
References
Goldman, R. (2017, May 12). What we know and don’t know about the international cyberattack. The New York Times. www.nytimes.com/2017/05/12/world/europe/international-cyberattack-ransomware.html?_r=0. Accessed 10 Sept 2017.
McGuire, M., & Dowling, S. (2013). Cyber crime: a review of the evidence. London: Home Office.
Wall, D. S. (2007). Cybercrime: the transformation of crime in the information age. Malden: Polity Press.
Reiner, R. (2016). Crime: the mystery of the common-sense concept. Cambridge: Polity Press.
Federale Regering (2016). Kadernota integrale veiligheid 2016–2019 [Framework document integrated security 2016–2019]. www.besafe.be/sites/besafe.localhost/files/u19/2016-06-7_kadernota_integrale_veiligheid_nl.pdf. Accessed 18 Feb 2018.
Volz, D., & Hosenball, M. (2016, February 10). Concerned by cyber threat, Obama seeks big increase in funding. www.reuters.com/article/us-obama-budget-cyber-idUSKCN0VI0R1. Accessed 10 Sept 2017.
Holt, J. H., & Bossler, A. M. (2014). An assessment of the current state of cybercrime scholarship. Deviant Behavior, 35, 20–40.
Levi, M. (2017). Assessing the trends, scale and nature of economic cybercrimes: overview and issues. Crime, Law and Social Change, 67, 3–20.
Leukfeldt, E. R., Kleemans, E. R., & Stol, W. P. (2017). A typology of cybercriminal networks: from low-tech all-rounders to high-tech specialists. Crime, Law and Social Change, 67, 21–37.
Williams, M. L., & Levi, M. (2017). Cybercrime prevention. In N. Tilley & A. Sidebottom (Eds.), Handbook of crime prevention and community safety (pp. 454–469). London: Routledge.
Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eeten, M. J. G., Levi, M., Moore, T., & Savage, S. (2013). Measuring the cost of cybercrime. In R. Böhme (Ed.), The economics of information security and privacy (pp. 265–300). New York: Springer.
Klahr, R., Amili, S., Shah, J. N., Button, M., & Wang, V. (2016). Cyber security breaches survey 2016. www.gov.uk/government/uploads/system/uploads/attachment_data/file/521465/Cyber_Security_Breaches_Survey_2016_main_report_FINAL.pdf. Accessed 10 Sept 2017.
Klahr, R., Shah, J. N., Sheriffs, P., Rossington, T., Pestell, G., Button, M., & Wang, V. (2017). Cyber security breaches survey 2017. www.gov.uk/government/statistics/cyber-security-breaches-survey-2017. Accessed 10 Sept 2017.
Rick, M., Böhme, R., Lucica, E., Johnson, A., & Sõmer, T. (2015). Executive summary and brief: survey and interview results including detailed appendixes on survey and interview results. www.ecrime-project.eu/wp-content/uploads/2015/02/E-CRIME-Deliverable-4.2.pdf. Accessed 10 Sept 2017.
Greenfield, V. A., Paoli, L., & Zoutendijk, A. (2016). The harms of human trafficking: demonstrating the applicability and value of a new framework for systematic, empirical analysis. Global Crime, 17(2), 152–180.
Dubourg, R., & Prichard, S. (2007). The impact of organised crime in the UK: revenues and economic and social costs, in organised crime: revenues, economic and social costs, and criminal assets available for seizure, 1–53, London: Home Office.
Heaton, P. (2010). Hidden in plain sight. What cost-of-crime research can tell us about investing in police. Santa Monica: RAND Corporation.
Paoli, L., & Greenfield, V. A. (2013). Harm: a neglected concept in criminology, a necessary benchmark for crime-control policy. European Journal of Crime, Criminal Law and Criminal Justice, 21(3–4), 359–377.
Paoli, L., & Greenfield, V. A. (2015). Starting from the end: a plea for focusing on the consequences of crime. European Journal of Crime, Criminal Law and Criminal Justice, 23(2), 87–100.
Detica. (2011). The cost of cybercrime: a detica report in partnership with the office of cyber security and information assurance in the cabinet office. Guildford: Detica.
PwC (2016). Information security breaches survey 2016: a matter of when, not if, a breach will occur. www.pwc.be/en/documents/media-centre/publications/2016/information-security-breaches-survey-2016.pdf. Accessed 10 Sept 2017.
CSIS, Center for Strategic and International Studies (2014). Estimating the global cost of cybercrime: economic impact of cybercrime II. www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf. Accessed 10 Sept 2017.
Verizon (2016). 2016 Data breach investigations report. http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf. Accessed 10 Sept 2017.
Ponemon (2016). 2016 cost of cybercrime study & the risk of business innovation. www.ponemon.org/local/upload/file/2016%20HPE%20CCC%20GLOBAL%20REPORT%20FINAL%203.pdf. Accessed 10 Sept 2017.
Armin, J., Thompson, B., & Kijewski, P. (2016). Cybercrime economic costs: no measure, no solution. In B. Akhgar & B. Brewster (Eds.), Combatting cybercrime and cyberterrorism: challenges, trends and priorities (pp. 135–156). Basel: Springer.
Morgan, S. (2016, January 17). Cyber crime costs projected to reach $2 trillion by 2019. Forbes. www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#3cbe9e353a91. Accessed 10 Sept 2017.
Ponemon (2015). The cost of malware containment. www.ponemon.org/local/upload/file/Damballa%20Malware%20Containment%20FINAL%203.pdf. Accessed 10 Sept 2017.
Greenfield, V. A., & Paoli, L. (2013). A framework to assess the harms of crimes. The British Journal of Criminology, 53, 864–885.
Caulkins, J. P., Reuter, P., & Coulson, C. (2011). Basing drug scheduling decisions on scientific ranking of harmfulness: false promise from false premises. Addiction, 106, 1886–1890.
Ponemon (2016b). 2016 cost of data breach study: global analysis. www.www-01.ibm.com/marketing/iwm/dre/signup?source=mrs-form-1995&S_PKG=ov49542. Accessed 10 Sept 2017.
CSI, Computer Security Institute. (2011). 15th annual 2010/2011 computer crime and security survey. www.cours.etsmtl.ca/gti619/documents/divers/CSIsurvey2010.pdf. Accessed 10 Sept 2017.
FSB, Federation of Small Businesses (2012). Cyber security and fraud: the impact on small businesses. www.fsb.org.uk/LegacySitePath/frontpage/assets/fsb_cyber_security_and%20_fraud_paper_2013.pdf. Accessed 10 Sept 2017.
CPNI, Centre for the Protection of National Infrastructure (2014). Cyber-attacks: effects on UK companies. www.oxfordeconomics.com/my-oxford/projects/276032. Accessed 18 Feb 2018.
PwC UK (2015). 2015 Information security breaches survey: technical report. www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-blue-digital.pdf. Accessed 10 Sept 2017.
PwC (2016b). Global economic crime survey 2016: adjusting the lens on economic crime: preparation brings opportunity back into focus. www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf. Accessed 10 Sept 2017.
PwC [Netherlands] (2014). Cybercriminaliteit tegen Nederlandse organisaties: een digitale dreiging [Cybercrime against Dutch organisations: a digital threat]. www.pwc.nl/. Accessed 10 Sept 2017.
Wickramasekera, N., Wright, J., Elsey, H., Murray, J., & Tubeuf, S. (2015). Cost of crime: a systematic review. Journal of Criminal Justice, 43, 218–228.
Paoli, L., Visschers, J., Verstraete, C., & van Hellemont, E. (2017). The impact of cybercrime on Belgian businesses. www.bcc-project.be/. Accessed 10 Sept 2017.
European Commission (2013). Cybersecurity strategy of the European union: an open, safe and secure cyberspace. www.eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf. Accessed 10 Sept 2017.
UNODC, United Nations Office on Drugs and Crime. (2013). Comprehensive study on cybercrime. Vienna: United Nations Office on Drugs and Crime.
European Commission (2017a). Country report Belgium 2017. Available: www.ec.europa.eu/info/sites/info/files/2017-european-semester-country-report-belgium-en.pdf. Accessed 18 Feb 2018.
European Commission (2017b). Report from the commission to the European parliament and the council assessing the extent to which the member States have taken the necessary measures in order to comply with directive 2013/40/EU on attacks against information systems and replacing council framework decision 2005/222/JHA. www.eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52017DC0474&from=EN. Accessed 18 Feb 2018.
ENISA, European Union Agency for Network and Information Security (2016). ENISA threat landscape 2015. Available: www.enisa.europa.eu/. Accessed 10 Sept 2017.
Europol. (2016). Internet organised crime threat assessment 2016. The Hague: Europol.
Clough, J. (2010). Principles of cybercrime. Cambridge: Cambridge University Press.
Carter, J. S. (2016). Pay up or else: the ins and outs of cyber extortion insurance coverage. Risk Management, 63, 32–35.
Domenie, M. M. L., Leukfeldt, E. R., van Wilsem, J. A., Jansen, J., & Stol, W. P. (2013). Victimisation in a digitised society – a survey among members of the public concerning e-fraud, hacking and other high-volume crimes. The Hague: Eleven.
Levi, M., & Burrows, J. (2008). Measuring the impact of fraud in the UK: a conceptual and empirical journey. British Journal of Criminology, 48, 293–318.
Feinberg, J. (1984). Harm to others. New York, NY: Oxford University Press.
von Hirsch, A., & Jareborg, N. (1991). Gauging criminal harm: A living-standard analysis. Oxford Journal of Legal Studies, 11(1), 1–38.
Sen, A. (1987). The standard of living: lecture I, concepts and critiques; the standard of living: lecture II, lives and capabilities. In G. Hawthorn (Ed.), The standard of living: the tanner lectures (pp. 1–38). Cambridge: Cambridge University Press.
Cohen, M. A. (2005). The costs of crime and justice. London: Routledge.
Eurostat (2017). GDP per capita, consumption per capita and price level indices. www.ec.europa.eu/eurostat/statistics-explained/index.php/GDP_per_capita,_consumption_per_capita_and_price_level_indices#Relative_volumes_of_GDP_per_capita. Accessed 18 Feb 2018.
Eurostat (n.d.). Business demography main variables - NACE Rev. 2 (B-N excluding K64.2). www.ec.europa.eu/eurostat/tgm/table.do?tab=table&init=1&language=en&pcode=tin00170&plugin=1. Accessed 18 Feb 2018.
PwC Belgium (2017). Redefining the security culture – a better way to protect your business. www.pwc.be/en/documents/20170315-Information-security-breaches-survey.pdf. Accessed 10 Sept 2017.
European Commission. (2003). Commission recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises. Official Journal of the European Union, 124, 36–41.
FOD Economie (2016). Aantal actieve btw-plichtige ondernemingen volgens werknemersklasse en plaats maatschappelijke zetel, meest recente jaar [Webpage]. www.bestat.economie.fgov.be/bestat/crosstable.xhtml?view=9d19ebe2-f35a-4b51-ac1a-c153e6d77d67. Accessed 10 Sept 2017.
Ponemon (2016c). 2016 cost of data breach study: Germany. http://www.ibm.com. Accessed 10 Sept 2017.
European Commission. (2017c). Special eurobarometer 464a: Europeans’ attitudes towards cyber security. Brussels: European Union.
Williams, M. L. (2015). Guardians upon high: an application of routine activities theory to online identity theft in Europe at the country and individual level. British Journal of Criminology, 56, 21–48.
Florêncio, D., & Herley, C. (2013). Sex, lies and cyber-crime surveys. In B. Schneier (Ed.), Economics of information security and privacy III (pp. 35–54). New York: Springer.
Acknowledgements
We thank Dr. Elke Van Hellemont (University of Kent, previously KU Leuven) for her help in developing the questionnaire and organizing the data collection.
Funding
Project funded by BELSPO (Belgian Science Policy Office) under the BRAIN (Belgian Research Action through Interdisciplinary Networks) program: BR/132/A4/BCC.
About this article
Cite this article
Paoli, L., Visschers, J. & Verstraete, C. The impact of cybercrime on businesses: a novel conceptual framework and its application to Belgium. Crime Law Soc Change 70, 397–420 (2018). https://doi.org/10.1007/s10611-018-9774-y
DOI: https://doi.org/10.1007/s10611-018-9774-y