Skip to main content

Advertisement

SpringerLink
Log in

The impact of cybercrime on businesses: a novel conceptual framework and its application to Belgium

  • Published:
Crime, Law and Social Change Aims and scope Submit manuscript

Abstract

Despite growing indications and fears about the impact of cybercrime, only few academic studies have so far been published on the topic to complement those published by consultancy firms, cybersecurity companies and private institutes. The review of all these studies shows that there is no consensus on how to define and measure cybercrime or its impact. Against this background, this article pursues two aims: 1) to develop a thorough conceptual framework to define and operationalize cybercrime affecting businesses as well as its impact, harms, and costs; and 2) to test this conceptual framework with a survey of businesses based in Belgium, which was administered in summer 2016 and elicited 310 valid responses. Consisting of five types, our conceptualization of cybercrime is, unlike others, technology-neutral and fully compatible with the legislation. Drawing on Greenfield and Paoli’s Harm Assessment Framework (The British Journal of Criminology, 53, 864–885, 2013), we understand impact as the overall harm of cybercrime, that is, the “sum” of the harms to material support, or costs, and the harms to other interest dimensions i.e., functional (or operational) integrity, reputation and privacy. Whereas we ask respondents to provide a monetary estimate of the costs, respondents are invited to rate the severity of the harms on the basis of an ordinal scale. We claim that this “double track” gives a fuller, more valid assessment of cybercrime impact. Whereas most affected businesses do not report major costs or harm, 15% to 20% of them rate the harms to their internal operational activities as serious or more, with cyber extortion regarded as most harmful.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

Notes

  1. The researchers of the FP7 project “eCrime” [14] report having conducted 25 interviews with businesses representatives in six countries (Estonia, Germany, Italy, the Netherlands, the UK, and Poland), but have yet to publish their findings.

  2. With a broad conceptualization of cybercrime, Detica [20] concluded in 2011 that the annual cost of cybercrime to the UK most likely was £27bn (about 1.8% of GDP). On behalf of the anti-virus company McAfee, CSIS [22] claimed that high-income countries lose as much as 0.9% of GDP, annually. According to the CSIS report’s most conservative scenario, the total global cost of cybercrime would amount to $375 billion (see also, e.g., [23, 24]).

  3. Detica [20] does not fully achieve technological neutrality, as its list of cybercrimes also includes the technique of scareware.

  4. It also reflects the criminal offences defined by the 2013 EU Directive on attacks against information systems.

  5. We speak, though, of cyber espionage rather than “illegal interception” (art. 3) and combine the offences of “data” and “system interference” (art. 5–6) in a single category.

  6. We foresee no type for the last computer-integrity crime introduced by the Council of Europe’s Convention, that is, “misuse of device,” because this is a mere preparatory offence.

  7. This conceptualization heavily relies on Greenfield and Paoli [28].

  8. To help the respondents clearly understand the meaning of the answer categories, we provide the following guideline: “In assessing the severity of a harm please consider the ability of your business to fulfil its mission in the mid and long-term (thus six months or longer) as a benchmark:

    • A “catastrophic” harm would be a harm that prevents your business from fulfilling its mission for six months or longer;

    • At the opposite end, a “marginal” harm is a harm that affects only lightly and/or shortly your business’ ability to fulfil its mission;

    • Given this long-term perspective, an incident that shuts down all business’ services for one day or two would be “serious” or “grave” but not “catastrophic”;

    • “Not applicable” means that this type of cyber incident cannot (according to you) have an effect upon the item being asked.”

  9. Other studies only report the number of respondents (e.g., [34, 55]).

  10. For the business size, we follow the standard classification of the European Commission [56].

  11. The Ministry provides no figures for businesses separate from individuals liable to VAT.

  12. The assumption of equality of covariance matrices was violated (Box’s M = 122.208, F (30, 118,770) = 3.948, p < .001). In addition, the assumption of equal error variances was violated for data/system interference (F (2, 265) = 7.103, p < .001), cyber extortion (F (2, 265) = 39.763, p < .001) and internet fraud (F (2, 265) = 7.340, p < .001). As indicated in the methodology section, we have used a significance level of .01 instead of .05 in the latter cases.

  13. This distinction is not possible for cyber extortion, because the number of repeat victims was below the cut-off point for reporting percent values.

  14. We assumed that this cost is only relevant for cyber espionage, data/system interference and cyber extortion.

  15. As for the costs of internet fraud, we asked respondents to estimate the revenue lost. Twenty-two of the 33 victimized businesses report revenue losses lower than €1000, four report losses between €1000 and €9999 and three report losses of €10,000 or more. Two businesses do not provide an amount.

  16. In all these cases, there are no major differences between last/only and all/most serious incidents.

  17. Ponemon (e.g., [30, 58]) has published studies on data breaches in several countries, but these breaches only constitute a subset of cybercrime.

  18. In the 2017 Eurobarometer on cybersecurity ([59]: T23) 13% of Belgian residents admitted having been victim of online banking fraud, 4% more than in 2014 and 2% more than the EU average.

References

  1. Goldman, R. (2017, May 12). What we know and don’t know about the international cyberattack. The New York Times. www.nytimes.com/2017/05/12/world/europe/international-cyberattack-ransomware.html?_r=0. Accessed 10 Sept 2017.

  2. McGuire, M., & Dowling, S. (2013). Cyber crime: a review of the evidence. London: Home Office.

    Google Scholar 

  3. Wall, D. S. (2007). Cybercrime: the transformation of crime in the information age. Malden: Polity Press.

    Google Scholar 

  4. Reiner, R. (2016). Crime: the mystery of the common-sense concept. Cambridge: Polity Press.

    Google Scholar 

  5. Federale Regering (2016). Kadernota integrale veiligheid 2016–2019 [Framework document integrated security 2016–2019]. www.besafe.be/sites/besafe.localhost/files/u19/2016-06-7_kadernota_integrale_veiligheid_nl.pdf. Accessed 18 Feb 2018.

  6. Volz, D., & Hosenball, M. (2016, February 10). Concerned by cyber threat, Obama seeks big increase in funding. www.reuters.com/article/us-obama-budget-cyber-idUSKCN0VI0R1. Accessed 10 Sept 2017.

  7. Holt, J. H., & Bossler, A. M. (2014). An assessment of the current state of cybercrime scholarship. Deviant Behavior, 35, 20–40.

    Article  Google Scholar 

  8. Levi, M. (2017). Assessing the trends, scale and nature of economic cybercrimes: overview and issues. Crime, Law and Social Change, 67, 3–20.

    Article  Google Scholar 

  9. Leukfeldt, E. R., Kleemans, E. R., & Stol, W. P. (2017). A typology of cybercriminal networks: from low-tech all-rounders to high-tech specialists. Crime, Law and Social Change, 67, 21–37.

    Article  Google Scholar 

  10. Williams, M. L., & Levi, M. (2017). Cybercrime prevention. In N. Tilley & A. Sidebottom (Eds.), Handbook of crime prevention and community safety (pp. 454–469). London: Routledge.

    Google Scholar 

  11. Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eeten, M. J. G., Levi, M., Moore, T., & Savage, S. (2013). Measuring the cost of cybercrime. In R. Böhme (Ed.), The economics of information security and privacy (pp. 265–300). New York: Springer.

    Chapter  Google Scholar 

  12. Klahr, R., Amili, S., Shah, J. N., Button, M., & Wang, V. (2016). Cyber security breaches survey 2016. www.gov.uk/government/uploads/system/uploads/attachment_data/file/521465/Cyber_Security_Breaches_Survey_2016_main_report_FINAL.pdf. Accessed 10 Sept 2017.

  13. Klahr, R., Shah, J. N., Sheriffs, P., Rossington, T., Pestell, G., Button, M., & Wang, V. (2017). Cyber security breaches survey 2017. www.gov.uk/government/statistics/cyber-security-breaches-survey-2017. Accessed 10 Sept 2017.

  14. Rick, M., Böhme, R., Lucica, E., Johnson, A., & Sõmer, T. (2015). Executive summary and brief: survey and interview results including detailed appendixes on survey and interview results. www.ecrime-project.eu/wp-content/uploads/2015/02/E-CRIME-Deliverable-4.2.pdf. Accessed 10 Sept 2017.

  15. Greenfield, V. A., Paoli, L., & Zoutendijk, A. (2016). The harms of human trafficking: demonstrating the applicability and value of a new framework for systematic, empirical analysis. Global Crime, 17(2), 152–180.

    Article  Google Scholar 

  16. Dubourg, R., & Prichard, S. (2007). The impact of organised crime in the UK: revenues and economic and social costs, in organised crime: revenues, economic and social costs, and criminal assets available for seizure, 1–53, London: Home Office.

  17. Heaton, P. (2010). Hidden in plain sight. What cost-of-crime research can tell us about investing in police. Santa Monica: RAND Corporation.

    Google Scholar 

  18. Paoli, L., & Greenfield, V. A. (2013). Harm: a neglected concept in criminology, a necessary benchmark for crime-control policy. European Journal of Crime, Criminal Law and Criminal Justice, 21(3–4), 359–377.

    Article  Google Scholar 

  19. Paoli, L., & Greenfield, V. A. (2015). Starting from the end: a plea for focusing on the consequences of crime. European Journal of Crime, Criminal Law and Criminal Justice, 23(2), 87–100.

    Article  Google Scholar 

  20. Detica. (2011). The cost of cybercrime: a detica report in partnership with the office of cyber security and information assurance in the cabinet office. Guilford: Detica.

    Google Scholar 

  21. PwC (2016). Information security breaches survey 2016: a matter of when, not if, a breach will occur. www.pwc.be/en/documents/media-centre/publications/2016/information-security-breaches-survey-2016.pdf. Accessed 10 Sept 2017.

  22. CSIS, Center for Strategic and International Studies (2014). Estimating the global cost of cybercrime: economic impact of cybercrime II. www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf. Accessed 10 Sept 2017.

  23. Verizon (2016). 2016 Data breach investigations report. http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf. Accessed 10 Sept 2017.

  24. Ponemon (2016). 2016 cost of cybercrime study & the risk of business innovation. www.ponemon.org/local/upload/file/2016%20HPE%20CCC%20GLOBAL%20REPORT%20FINAL%203.pdf. Accessed 10 Sept 2017.

  25. Armin, J., Thompson, B., & Kijewski, P. (2016). Cybercrime economic costs: no measure, no solution. In B. Akhgar & B. Brewster (Eds.), Combatting cybercrime and cyberterrorism: challenges, trends and priorities (pp. 135–156). Basel: Springer.

    Chapter  Google Scholar 

  26. Morgan, S. (2016, January 17). Cyber crime costs projected to reach $2 trillion by 2019. Forbes. www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#3cbe9e353a91. Accessed 10 Sept 2017.

  27. Ponemon (2015). The cost of malware containment. www.ponemon.org/local/upload/file/Damballa%20Malware%20Containment%20FINAL%203.pdf. Accessed 10 Sept 2017.

  28. Greenfield, V. A., & Paoli, L. (2013). A framework to assess the harms of crimes. The British Journal of Criminology, 53, 864–885.

    Article  Google Scholar 

  29. Caulkins, J. P., Reuter, P., & Coulson, C. (2011). Basing drug scheduling decisions on scientific ranking of harmfulness: false promise from false premises. Addiction, 106, 1886–1890.

    Article  Google Scholar 

  30. Ponemon (2016b). 2016 cost of data breach study: global analysis. www.www-01.ibm.com/marketing/iwm/dre/signup?source=mrs-form-1995&S_PKG=ov49542. Accessed 10 Sept 2017.

  31. CSI, Computer Security Institute. (2011). 15th annual 2010/2011 computer crime and security survey. www.cours.etsmtl.ca/gti619/documents/divers/CSIsurvey2010.pdf. Accessed 10 Sept 2017.

  32. FSB, Federation of Small Businesses (2012). Cyber security and fraud: the impact on small businesses. www.fsb.org.uk/LegacySitePath/frontpage/assets/fsb_cyber_security_and%20_fraud_paper_2013.pdf. Accessed 10 Sept 2017.

  33. CPNI, Centre for the Protection of National Infrastructure (2014). Cyber-attacks: effects on UK companies. www.oxfordeconomics.com/my-oxford/projects/276032. Accessed 18 Feb 2018.

  34. PwC UK (2015). 2015 Information security breaches survey: technical report. www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-blue-digital.pdf. Accessed 10 Sept 2017.

  35. PwC (2016b). Global economic crime survey 2016: adjusting the lens on economic crime: preparation brings opportunity back into focus. www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf. Accessed 10 Sept 2017.

  36. PwC [Netherlands] (2014). Cybercriminaliteit tegen Nederlandse organisaties: een digitale dreiging [Cybercrime against Dutch organisations: a digital threat]. www.pwc.nl/. Accessed 10 Sept 2017.

  37. Wickramasekera, N., Wright, J., Elsey, H., Murray, J., & Tubeuf, S. (2015). Cost of crime: a systematic review. Journal of Criminal Justice, 43, 218–228.

    Article  Google Scholar 

  38. Paoli, L., Visschers, J., Verstraete, C., & van Hellemont, E. (2017). The impact of cybercrime on Belgian businesses. www.bcc-project.be/. Accessed 10 Sept 2017.

  39. European Commission (2013). Cybersecurity strategy of the European union: an open, safe and secure cyberspace. www.eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf. Accessed 10 Sept 2017.

  40. UNODC, United Nations Office on Drugs and Crime. (2013). Comprehensive study on cybercrime. Vienna: United Nations Office on Drugs and Crime.

    Google Scholar 

  41. European Commission (2017a). Country report Belgium 2017. Available: www.ec.europa.eu/info/sites/info/files/2017-european-semester-country-report-belgium-en.pdf. Accessed 18 Feb 2018.

  42. European Commission (2017b). Report from the commission to the European parliament and the council assessing the extent to which the member States have taken the necessary measures in order to comply with directive 2013/40/EU on attacks against information systems and replacing council framework decision 2005/222/JHA. www.eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52017DC0474&from=EN. Accessed 18 Feb 2018.

  43. ENISA, European Union Agency for Network and Information Security (2016). ENISA threat landscape 2015. Available: www.enisa.europa.eu/. Accessed 10 Sept 2017.

  44. Europol. (2016). Internet organised crime threat assessment 2016. The Hague: Europopl.

    Google Scholar 

  45. Clough, J. (2010). Principles of cybercrime. Cambridge: Cambridge University Press.

    Book  Google Scholar 

  46. Carter, J. S. (2016). Pay up or else: the ins and outs of cyber extortion insurance coverage. Risk Management, 63, 32–35.

    Google Scholar 

  47. Domenie, M. M. L., Leukfeldt, E. R., van Wilsem, J. A., Jansen, J., & Stol, W. P. (2013). Victimisation in a digitised society – a survey among members of the public concerning e-fraud, hacking and other high-volume crimes. The Hague: Eleven.

    Google Scholar 

  48. Levi, M., & Burrows, J. (2008). Measuring the impact of fraud in the UK: a conceptual and empirical journey. British Journal of Criminology, 48, 293–318.

    Article  Google Scholar 

  49. Feinberg, J. (1984). Harm to others. New York, NY: Oxford University Press.

  50. von Hirsch, A., & Jareborg, N. (1991). Gauging criminal harm: A living-standard analysis. Oxford Journal of Legal Studies, 11(1), 1–38.

    Article  Google Scholar 

  51. Sen, A. (1987). The standard of living: lecture I, concepts and critiques; the standard of living: lecture II, lives and capabilities. In G. Hawthorn (Ed.), The standard of living: the tanner lectures (pp. 1–38). Cambridge: Cambridge University Press.

    Chapter  Google Scholar 

  52. Cohen, M. A. (2005). The costs of crime and justice. London: Routledge.

    Book  Google Scholar 

  53. Eurostat (2017). GDP per capita, consumption per capita and price level indices. www.ec.europa.eu/eurostat/statistics-explained/index.php/GDP_per_capita,_consumption_per_capita_and_price_level_indices#Relative_volumes_of_GDP_per_capita. Accessed 18 Feb 2018.

  54. Eurostat (n.d.). Business demography main variables - NACE Rev. 2 (B-N excluding K64.2). www.ec.europa.eu/eurostat/tgm/table.do?tab=table&init=1&language=en&pcode=tin00170&plugin=1. Accessed 18 Feb 2018.

  55. PwC Belgium (2017). Redefining the security culture – a better way to protect your business. www.pwc.be/en/documents/20170315-Information-security-breaches-survey.pdf. Accessed 10 Sept 2017.

  56. European Commission. (2003). Commission recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises. Official Journal of the European Union, 124, 36–41.

    Google Scholar 

  57. FOD Economie (2016). Aantal actieve btw-plichtige ondernemingen volgens werknemersklasse en plaats maatschappelijke zetel, meest recente jaar [Webpage]. www.bestat.economie.fgov.be/bestat/crosstable.xhtml?view=9d19ebe2-f35a-4b51-ac1a-c153e6d77d67. Accessed 10 Sept 2017.

  58. Ponemon (2016c). 2016 cost of data breach study: Germany. http://www.ibm.com. Accessed 10 Sept 2017.

  59. European Commission. (2017c). Special eurobarometer 464a: Europeans’ attitudes towards cyber security. Brussels: European Union.

  60. Williams, M. L. (2015). Guardians upon high: an application of routine activities theory to online identity theft in Europe at the country and individual level. British Journal of Criminology, 56, 21–48.

    Article  Google Scholar 

  61. Florêncio, D., & Herley, C. (2013). Sex, lies and cyber-crime surveys. In B. Scheier (Ed.), Economics of information security and privacy III (pp. 35–54). New York: Springer.

    Chapter  Google Scholar 

Download references

Acknowledgements

We thank Dr. Elke Van Hellemont (University of Kent, previously KU Leuven) for her help in developing the questionnaire and organizing the data collection.

Funding

Project funded by BELSPO (Belgian Science Policy Office) under the BRAIN (Belgian Research Action through Interdisciplinary Networks) program: BR/132/A4/BCC.

Author information

Authors and Affiliations

  1. KU Leuven Faculty of Law, Leuven Institute of Criminology, H. Hooverplein 10, 3000, Leuven, Belgium

    Letizia Paoli, Jonas Visschers & Cedric Verstraete

Authors
  1. Letizia Paoli
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jonas Visschers
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Cedric Verstraete
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Letizia Paoli.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Paoli, L., Visschers, J. & Verstraete, C. The impact of cybercrime on businesses: a novel conceptual framework and its application to Belgium. Crime Law Soc Change 70, 397–420 (2018). https://doi.org/10.1007/s10611-018-9774-y

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10611-018-9774-y

Search

Navigation