The impact of cybercrime on businesses: a novel conceptual framework and its application to Belgium

  • Letizia Paoli
  • Jonas Visschers
  • Cedric Verstraete
Article

Abstract

Despite growing indications and fears about the impact of cybercrime, only few academic studies have so far been published on the topic to complement those published by consultancy firms, cybersecurity companies and private institutes. The review of all these studies shows that there is no consensus on how to define and measure cybercrime or its impact. Against this background, this article pursues two aims: 1) to develop a thorough conceptual framework to define and operationalize cybercrime affecting businesses as well as its impact, harms, and costs; and 2) to test this conceptual framework with a survey of businesses based in Belgium, which was administered in summer 2016 and elicited 310 valid responses. Consisting of five types, our conceptualization of cybercrime is, unlike others, technology-neutral and fully compatible with the legislation. Drawing on Greenfield and Paoli’s Harm Assessment Framework (The British Journal of Criminology, 53, 864–885, 2013), we understand impact as the overall harm of cybercrime, that is, the “sum” of the harms to material support, or costs, and the harms to other interest dimensions i.e., functional (or operational) integrity, reputation and privacy. Whereas we ask respondents to provide a monetary estimate of the costs, respondents are invited to rate the severity of the harms on the basis of an ordinal scale. We claim that this “double track” gives a fuller, more valid assessment of cybercrime impact. Whereas most affected businesses do not report major costs or harm, 15% to 20% of them rate the harms to their internal operational activities as serious or more, with cyber extortion regarded as most harmful.

Notes

Acknowledgements

We thank Dr. Elke Van Hellemont (University of Kent, previously KU Leuven) for her help in developing the questionnaire and organizing the data collection.

Funding

Project funded by BELSPO (Belgian Science Policy Office) under the BRAIN (Belgian Research Action through Interdisciplinary Networks) program: BR/132/A4/BCC.

References

  1. 1.
    Goldman, R. (2017, May 12). What we know and don’t know about the international cyberattack. The New York Times. www.nytimes.com/2017/05/12/world/europe/international-cyberattack-ransomware.html?_r=0. Accessed 10 Sept 2017.
  2. 2.
    McGuire, M., & Dowling, S. (2013). Cyber crime: a review of the evidence. London: Home Office.Google Scholar
  3. 3.
    Wall, D. S. (2007). Cybercrime: the transformation of crime in the information age. Malden: Polity Press.Google Scholar
  4. 4.
    Reiner, R. (2016). Crime: the mystery of the common-sense concept. Cambridge: Polity Press.Google Scholar
  5. 5.
    Federale Regering (2016). Kadernota integrale veiligheid 2016–2019 [Framework document integrated security 2016–2019]. www.besafe.be/sites/besafe.localhost/files/u19/2016-06-7_kadernota_integrale_veiligheid_nl.pdf. Accessed 18 Feb 2018.
  6. 6.
    Volz, D., & Hosenball, M. (2016, February 10). Concerned by cyber threat, Obama seeks big increase in funding. www.reuters.com/article/us-obama-budget-cyber-idUSKCN0VI0R1. Accessed 10 Sept 2017.
  7. 7.
    Holt, J. H., & Bossler, A. M. (2014). An assessment of the current state of cybercrime scholarship. Deviant Behavior, 35, 20–40.CrossRefGoogle Scholar
  8. 8.
    Levi, M. (2017). Assessing the trends, scale and nature of economic cybercrimes: overview and issues. Crime, Law and Social Change, 67, 3–20.CrossRefGoogle Scholar
  9. 9.
    Leukfeldt, E. R., Kleemans, E. R., & Stol, W. P. (2017). A typology of cybercriminal networks: from low-tech all-rounders to high-tech specialists. Crime, Law and Social Change, 67, 21–37.CrossRefGoogle Scholar
  10. 10.
    Williams, M. L., & Levi, M. (2017). Cybercrime prevention. In N. Tilley & A. Sidebottom (Eds.), Handbook of crime prevention and community safety (pp. 454–469). London: Routledge.Google Scholar
  11. 11.
    Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eeten, M. J. G., Levi, M., Moore, T., & Savage, S. (2013). Measuring the cost of cybercrime. In R. Böhme (Ed.), The economics of information security and privacy (pp. 265–300). New York: Springer.CrossRefGoogle Scholar
  12. 12.
    Klahr, R., Amili, S., Shah, J. N., Button, M., & Wang, V. (2016). Cyber security breaches survey 2016. www.gov.uk/government/uploads/system/uploads/attachment_data/file/521465/Cyber_Security_Breaches_Survey_2016_main_report_FINAL.pdf. Accessed 10 Sept 2017.
  13. 13.
    Klahr, R., Shah, J. N., Sheriffs, P., Rossington, T., Pestell, G., Button, M., & Wang, V. (2017). Cyber security breaches survey 2017. www.gov.uk/government/statistics/cyber-security-breaches-survey-2017. Accessed 10 Sept 2017.
  14. 14.
    Rick, M., Böhme, R., Lucica, E., Johnson, A., & Sõmer, T. (2015). Executive summary and brief: survey and interview results including detailed appendixes on survey and interview results. www.ecrime-project.eu/wp-content/uploads/2015/02/E-CRIME-Deliverable-4.2.pdf. Accessed 10 Sept 2017.
  15. 15.
    Greenfield, V. A., Paoli, L., & Zoutendijk, A. (2016). The harms of human trafficking: demonstrating the applicability and value of a new framework for systematic, empirical analysis. Global Crime, 17(2), 152–180.CrossRefGoogle Scholar
  16. 16.
    Dubourg, R., & Prichard, S. (2007). The impact of organised crime in the UK: revenues and economic and social costs, in organised crime: revenues, economic and social costs, and criminal assets available for seizure, 1–53, London: Home Office.Google Scholar
  17. 17.
    Heaton, P. (2010). Hidden in plain sight. What cost-of-crime research can tell us about investing in police. Santa Monica: RAND Corporation.Google Scholar
  18. 18.
    Paoli, L., & Greenfield, V. A. (2013). Harm: a neglected concept in criminology, a necessary benchmark for crime-control policy. European Journal of Crime, Criminal Law and Criminal Justice, 21(3–4), 359–377.CrossRefGoogle Scholar
  19. 19.
    Paoli, L., & Greenfield, V. A. (2015). Starting from the end: a plea for focusing on the consequences of crime. European Journal of Crime, Criminal Law and Criminal Justice, 23(2), 87–100.CrossRefGoogle Scholar
  20. 20.
    Detica. (2011). The cost of cybercrime: a detica report in partnership with the office of cyber security and information assurance in the cabinet office. Guilford: Detica.Google Scholar
  21. 21.
    PwC (2016). Information security breaches survey 2016: a matter of when, not if, a breach will occur. www.pwc.be/en/documents/media-centre/publications/2016/information-security-breaches-survey-2016.pdf. Accessed 10 Sept 2017.
  22. 22.
    CSIS, Center for Strategic and International Studies (2014). Estimating the global cost of cybercrime: economic impact of cybercrime II. www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf. Accessed 10 Sept 2017.
  23. 23.
    Verizon (2016). 2016 Data breach investigations report. http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf. Accessed 10 Sept 2017.
  24. 24.
    Ponemon (2016). 2016 cost of cybercrime study & the risk of business innovation. www.ponemon.org/local/upload/file/2016%20HPE%20CCC%20GLOBAL%20REPORT%20FINAL%203.pdf. Accessed 10 Sept 2017.
  25. 25.
    Armin, J., Thompson, B., & Kijewski, P. (2016). Cybercrime economic costs: no measure, no solution. In B. Akhgar & B. Brewster (Eds.), Combatting cybercrime and cyberterrorism: challenges, trends and priorities (pp. 135–156). Basel: Springer.CrossRefGoogle Scholar
  26. 26.
    Morgan, S. (2016, January 17). Cyber crime costs projected to reach $2 trillion by 2019. Forbes. www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#3cbe9e353a91. Accessed 10 Sept 2017.
  27. 27.
    Ponemon (2015). The cost of malware containment. www.ponemon.org/local/upload/file/Damballa%20Malware%20Containment%20FINAL%203.pdf. Accessed 10 Sept 2017.
  28. 28.
    Greenfield, V. A., & Paoli, L. (2013). A framework to assess the harms of crimes. The British Journal of Criminology, 53, 864–885.CrossRefGoogle Scholar
  29. 29.
    Caulkins, J. P., Reuter, P., & Coulson, C. (2011). Basing drug scheduling decisions on scientific ranking of harmfulness: false promise from false premises. Addiction, 106, 1886–1890.CrossRefGoogle Scholar
  30. 30.
    Ponemon (2016b). 2016 cost of data breach study: global analysis. www.www-01.ibm.com/marketing/iwm/dre/signup?source=mrs-form-1995&S_PKG=ov49542. Accessed 10 Sept 2017.
  31. 31.
    CSI, Computer Security Institute. (2011). 15th annual 2010/2011 computer crime and security survey. www.cours.etsmtl.ca/gti619/documents/divers/CSIsurvey2010.pdf. Accessed 10 Sept 2017.
  32. 32.
    FSB, Federation of Small Businesses (2012). Cyber security and fraud: the impact on small businesses. www.fsb.org.uk/LegacySitePath/frontpage/assets/fsb_cyber_security_and%20_fraud_paper_2013.pdf. Accessed 10 Sept 2017.
  33. 33.
    CPNI, Centre for the Protection of National Infrastructure (2014). Cyber-attacks: effects on UK companies. www.oxfordeconomics.com/my-oxford/projects/276032. Accessed 18 Feb 2018.
  34. 34.
    PwC UK (2015). 2015 Information security breaches survey: technical report. www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-blue-digital.pdf. Accessed 10 Sept 2017.
  35. 35.
    PwC (2016b). Global economic crime survey 2016: adjusting the lens on economic crime: preparation brings opportunity back into focus. www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf. Accessed 10 Sept 2017.
  36. 36.
    PwC [Netherlands] (2014). Cybercriminaliteit tegen Nederlandse organisaties: een digitale dreiging [Cybercrime against Dutch organisations: a digital threat]. www.pwc.nl/. Accessed 10 Sept 2017.
  37. 37.
    Wickramasekera, N., Wright, J., Elsey, H., Murray, J., & Tubeuf, S. (2015). Cost of crime: a systematic review. Journal of Criminal Justice, 43, 218–228.CrossRefGoogle Scholar
  38. 38.
    Paoli, L., Visschers, J., Verstraete, C., & van Hellemont, E. (2017). The impact of cybercrime on Belgian businesses. www.bcc-project.be/. Accessed 10 Sept 2017.
  39. 39.
    European Commission (2013). Cybersecurity strategy of the European union: an open, safe and secure cyberspace. www.eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf. Accessed 10 Sept 2017.
  40. 40.
    UNODC, United Nations Office on Drugs and Crime. (2013). Comprehensive study on cybercrime. Vienna: United Nations Office on Drugs and Crime.Google Scholar
  41. 41.
    European Commission (2017a). Country report Belgium 2017. Available: www.ec.europa.eu/info/sites/info/files/2017-european-semester-country-report-belgium-en.pdf. Accessed 18 Feb 2018.
  42. 42.
    European Commission (2017b). Report from the commission to the European parliament and the council assessing the extent to which the member States have taken the necessary measures in order to comply with directive 2013/40/EU on attacks against information systems and replacing council framework decision 2005/222/JHA. www.eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52017DC0474&from=EN. Accessed 18 Feb 2018.
  43. 43.
    ENISA, European Union Agency for Network and Information Security (2016). ENISA threat landscape 2015. Available: www.enisa.europa.eu/. Accessed 10 Sept 2017.
  44. 44.
    Europol. (2016). Internet organised crime threat assessment 2016. The Hague: Europopl.Google Scholar
  45. 45.
    Clough, J. (2010). Principles of cybercrime. Cambridge: Cambridge University Press.CrossRefGoogle Scholar
  46. 46.
    Carter, J. S. (2016). Pay up or else: the ins and outs of cyber extortion insurance coverage. Risk Management, 63, 32–35.Google Scholar
  47. 47.
    Domenie, M. M. L., Leukfeldt, E. R., van Wilsem, J. A., Jansen, J., & Stol, W. P. (2013). Victimisation in a digitised society – a survey among members of the public concerning e-fraud, hacking and other high-volume crimes. The Hague: Eleven.Google Scholar
  48. 48.
    Levi, M., & Burrows, J. (2008). Measuring the impact of fraud in the UK: a conceptual and empirical journey. British Journal of Criminology, 48, 293–318.CrossRefGoogle Scholar
  49. 49.
    Feinberg, J. (1984). Harm to others. New York, NY: Oxford University Press.Google Scholar
  50. 50.
    von Hirsch, A., & Jareborg, N. (1991). Gauging criminal harm: A living-standard analysis. Oxford Journal of Legal Studies, 11(1), 1–38.Google Scholar
  51. 51.
    Sen, A. (1987). The standard of living: lecture I, concepts and critiques; the standard of living: lecture II, lives and capabilities. In G. Hawthorn (Ed.), The standard of living: the tanner lectures (pp. 1–38). Cambridge: Cambridge University Press.CrossRefGoogle Scholar
  52. 52.
    Cohen, M. A. (2005). The costs of crime and justice. London: Routledge.CrossRefGoogle Scholar
  53. 53.
    Eurostat (2017). GDP per capita, consumption per capita and price level indices. www.ec.europa.eu/eurostat/statistics-explained/index.php/GDP_per_capita,_consumption_per_capita_and_price_level_indices#Relative_volumes_of_GDP_per_capita. Accessed 18 Feb 2018.
  54. 54.
    Eurostat (n.d.). Business demography main variables - NACE Rev. 2 (B-N excluding K64.2). www.ec.europa.eu/eurostat/tgm/table.do?tab=table&init=1&language=en&pcode=tin00170&plugin=1. Accessed 18 Feb 2018.
  55. 55.
    PwC Belgium (2017). Redefining the security culture – a better way to protect your business. www.pwc.be/en/documents/20170315-Information-security-breaches-survey.pdf. Accessed 10 Sept 2017.
  56. 56.
    European Commission. (2003). Commission recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises. Official Journal of the European Union, 124, 36–41.Google Scholar
  57. 57.
    FOD Economie (2016). Aantal actieve btw-plichtige ondernemingen volgens werknemersklasse en plaats maatschappelijke zetel, meest recente jaar [Webpage]. www.bestat.economie.fgov.be/bestat/crosstable.xhtml?view=9d19ebe2-f35a-4b51-ac1a-c153e6d77d67. Accessed 10 Sept 2017.
  58. 58.
    Ponemon (2016c). 2016 cost of data breach study: Germany. http://www.ibm.com. Accessed 10 Sept 2017.
  59. 59.
    European Commission. (2017c). Special eurobarometer 464a: Europeans’ attitudes towards cyber security. Brussels: European Union.Google Scholar
  60. 60.
    Williams, M. L. (2015). Guardians upon high: an application of routine activities theory to online identity theft in Europe at the country and individual level. British Journal of Criminology, 56, 21–48.CrossRefGoogle Scholar
  61. 61.
    Florêncio, D., & Herley, C. (2013). Sex, lies and cyber-crime surveys. In B. Scheier (Ed.), Economics of information security and privacy III (pp. 35–54). New York: Springer.CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media B.V., part of Springer Nature 2018

Authors and Affiliations

  1. 1.KU Leuven Faculty of Law, Leuven Institute of CriminologyLeuvenBelgium

Personalised recommendations