Cybercrime Victimisation and Polyvictimisation in Finland—Prevalence and Risk Factors

This study examines the prevalence of different types of cybercrime victimisation and their shared risk factors among the population of Finland. We examine how respondents’ socio-economic background variables, past offline victimisation experiences, online activity, user skills, and protective measures impact the risk of the most common forms of online victimisation and online polyvictimisation. Our nationally representative survey data were collected from 5455 Finns aged 15 to 74 years (response rate 39%) as part of the Finnish National Crime Survey in 2018. According to our findings, the five most common forms of victimisation were malware, harassment, sexual harassment, hacking, and fraud. Online routines and exposure to potential offenders, along with past offline victimisation experiences, served as notable risk factors for a range of different victimisation experiences online. Our findings show slightly different SES risk factors for victimisation of different online offences, thereby indicating the diverse nature of different types of online victimisation. Our findings also show that young age, better financial situation, high internet use, and user skills, along with past offline victimisation of property crime and violence, associate with increased risk of online polyvictimisation. High user protection decreased the risk of online polyvictimisation.


Introduction
Over the last few decades, new information and communication technologies have become an integral part of modern societies. From the premise of crime, this "technologisation" of societies has expanded both the toolset for many traditional forms of crime, as well as the environment where crime can occur, thereby enabling a new playground and new forms of criminal behaviour to ensue. In order to better understand the relationship between crime 1 3 and technology, it is important to try to establish a comprehensive, population-level, basic understanding of the role of cybercrime in today's society.
Cybercrime, which in a broad sense serves as a collective term for all crime that either occurs in the online space or is aided by the use of technology (Näsi et al., 2015;Yar & Steinmetz, 2019), is as an umbrella term for a wide range of different offences. Although cybercrime is not a particularly new phenomenon, research that relies on nationally representative data sets remain relatively scarce (see, e.g. Oksanen & Keipi, 2013;van Wilsem, 2013;Holt et al., 2018;Reep-van den Bergh and Junger 2018;see also, Virtanen, 2017), and the range of victimisation prevalence tends to vary notably between the surveys (see Reep-van den Bergh and Junger 2018 for an overview of victim prevalence in the existing population-level cybercrime victim surveys in Europe).
Further challenges in existing research on cybercrime are that many of the more notable and cited studies rely on college sample data, or data that is not representative at a wider age range of the general population (e.g. Holt & Bossler, 2008;Ngo & Paternoster, 2011;Bossler & Holt, 2010;Reyns et al., 2011;Bossler et al., 2012;Holt et al., 2016;Marcum et al., 2014;; see also e.g., Kigerl, 2012;Räsänen et al., 2016;Reyns et al., 2019). This means that information on the prevalence of different types of cybercrime victimisation and their risk factors on the level of the whole population is still lacking.
Much of the existing research has focused on specific online offence types. Only few studies have examined polyvictimisation in the online context, often combining both online and offline victimisation experiences in the context of interpersonal violence. Our research therefore provides a new approach and information concerning cybercrime victimisation. Cénat and colleagues (Cénat et al., 2019), for example, found an association between offline polyvictimisation and cybervictimisation, as offline polyvictimisation increased the risk of online victimisation. Sargent and colleagues (Sargent et al., 2016) found that experiences of cybervictimisation and psychological intimate partner violence are associated with problematic mental health outcomes. A study by Hamby and colleagues (Hamby et al., 2018) found that digital polyvictimisation is associated with an increased risk for anxiety and post-traumatic stress symptoms.
The aim of this study, however, is to extend our understanding of cybercrime victimisation by examining the risk factors for not only a variety of different types of online victimisation, but also the risk factors for online polyvictimisation in a population-level context. Our aim is to contribute to the existing research by relying on nationally representative survey data from Finland. In this study, we will provide information on population-level victim prevalence of a wide range of different online offences. We will then focus on the most common forms of online victimisation to try answer the following questions: How do respondents' (1) socio-economic background variables, (2) online behaviour, and (3) past victimisation experiences of traditional crime associate with the risk of victimisation of different types of cybercrime as well as online polyvictimisation?
By doing so, we aim to facilitate a better understanding of how these aspects reflect on the risk of victimisation regarding different types of cybercrime, as well accumulation of different victimisation experiences. Furthermore, it will also provide information on whether victims of cybercrime are a separate group of crime victims compared to victims of traditional crime. As the majority of existing cybercrime research has focused on adolescents and young adults (see, e.g. Notten & Nikken, 2016), we expand on the current field by studying victims of all ages. Although Finland is a small country, it has a history of being a very tech-savvy nation, having been dubbed as a forerunner country in technology adoption as early as the turn of the millennium (Castells & Himanen, 2002). Finland continues to not only have one of the highest Internet penetration rates in the world (Eurostat, 2021), while also being among the most ICT-skilled nations in the world (ITU, 2021). It is therefore interesting to examine how this premise reflects on the rate and risk factors of cybercrime victimisation and polyvictimisation.
In the next section, we highlight past research on cybercrime victimisation and related theoretical perspective and follow up with a description of data and methodology. We then describe our main results, before moving on to a final discussion of our key findings.

Cybercrime Victimisation and Risk Factors
Existing research regarding different forms of online victimisation and their risk factors is multifaceted. Not only is there variance in risk factors, such as victims' SES, when comparing different types of online victimisation (see, e.g. Ngo & Paternoster, 2011), but research on specific types of online victimisation has resulted in somewhat inconsistent findings. For example, although young age has been found to be a common risk factor for various forms of online victimisation (e.g. Näsi et al., 2015;Reyns et al., 2019;van Wilsem, 2013), the challenge is that a majority of the existing research focuses on adolescents and young adults; thus, the picture concerning older age groups remains incomplete.
In terms of gender, females are commonly found to be more likely victims of sexual harassment (Eckert, 2018;Henry and Powell, 2018;Holt & Bossler, 2008), but the results concerning more general forms of online harassment are mixed (e.g. Näsi et al., 2015Näsi et al., , 2017van Wilsem, 2013), and that males have commonly been found to be more likely victims of other types of online offences (e.g. Bergmann et al., 2018;Milani et al., 2020;Näsi et al., 2015). Education and financial status do not appear to be more notable factors regarding online victimisation than they do in relation to offline crime. There is some evidence suggesting that financial challenges serve as a risk factor for online victimisation in general (e.g. Näsi et al. 2015;Oksanen & Keipi, 2013), whereas a recent study by Milani and colleagues (Milani et al., 2020), for example, found that higher education served as a risk factor for malware, fraud, and hacking victimisation.
Existing research has also examined the relationship between offline and online victimisation. A common finding is that those who have been victims online were more likely to report offline victimisation experiences as well. However, again, majority of these studies examine adolescents and young adults, with a strong focus on different forms of harassment victimisation (e.g. Choi et al., 2019;Ioannou et al., 2018;Mitchell et al., 2011;Räsänen et al., 2016;Reyns & Fisher, 2018;Sumter et al., 2012;Zetterström Dahlqvist & Gillander Gådin, 2018). Therefore, there is a need for more information concerning overlapping offline-online victimisation experiences with regard to a wider range of online offences and among a wider range of age categories (see also Oksanen & Keipi, 2013).

Cybercrime and Theory
From a theoretical perspective, the existing research on cybercrime victimisation is relatively one-dimensional as much of the prior research on cybercrime relies on routine activity theory (RAT). Like the vast majority of previous research, this study relies on routine activity theory in examining cybercrime victimisation. Although RAT was developed to explain why traditional crime occurs, it has also been widely adopted in the online context.

3
The basic premise of routine activity theory is that in order for crime to occur, a motivated offender, a suitable target, and the absence of a capable guardian must converge in space and time (Cohen & Felson, 1979). The presence of a motivated offender tends to be a given whether it is an offline or online space. Target suitability and the role and presence of capable guardians in the online context, however, require a slightly modified approach compared to traditional crime. There have also been attempts to further develop the core premises of RAT to be more applicable in the online context. Holt and Bossler (2008), for example, brought forward a slightly updated theoretical approach dubbed as lifestyleroutine activities theory (see also, e.g. Reyns et al., 2011Reyns et al., , 2019. However, most studies on cybercrime continue to rely on the "traditional" version of RAT. As noted, the role of online routines is at core of much the existing cybervictimisation research, which covers a wide range of different offences, such as identity theft (e.g. Burnes et al., 2020;Reyns, 2013;; malware, ransomware, and misuse of personal data (e.g. Bergmann et al., 2018;Holt & Bossler, 2008;Holt et al., 2020;Kigerl, 2021); spam and phishing (e.g. Kigerl, 2012Kigerl, , 2021, online hate (e.g., Kaakinen et al., 2018;Räsänen et al., 2016;Wachs et al., 2021); online harassment (e.g., Näsi et al., 2017;Reyns et al., 2011;van Wilsem, 2011); and online bullying (e.g. Aboujaoude et al., 2015;Li et al., 2020;Tokunaga, 2010), grooming (Wachs et al., 2020), fraud (Whitty, 2019), business crime (e.g. Williams et al., 2019), and with personality traits of the victims (e.g. van de Weijer et al., 2017). This has resulted in one of the most systematic, and not altogether surprising finding that the more time spent online contributes to greater exposure to potential offenders and for victimisation (see also, Milani et al., 2020;Leukfeldt & Yar, 2016).
Some studies suggest that it is not merely excessive time spent online, but what users actually do while online that counts (Kaakinen et al., 2021). Therefore, noting that both online target suitability and the role of guardianship are influenced by how visible one is online, what types of activities they undertake, as well as what kind of protective measures they have in place, both in relation to hardware and the services they use (e.g., Álvarez-García et al., 2019;Miró-Llinares et al., 2020;Branley & Covey, 2017;Notten & Nikken, 2016; see also, Macaulay et al., 2020;White et al., 2017;Reyns et al., 2019;Reyns et al., 2011;Holt & Bossler, 2008). Furthermore, elements such as user skills can function as a protective or target-hardening factor that makes users less suitable victims for potential offenders. However, earlier research has also reported user skills to be positively associated with the risk of cybercrime victimisation (see, e.g. van Wilsem, 2013). This may reflect the qualitative differences between the least and most fluent internet users as the most skilled users tend to show more diverse use of online services (Hargittai, 2010;Hargittai & Hinnant, 2008, see also Cheng et al., 2020), suggesting that the most skilled internet users would also be more exposed to a wider variety of online offenders. However, a recent study by Milani and colleagues (Milani et al., 2020) found IT skills to have little impact with regard to cybervictimisation; thus, the role of user skills is somewhat mixed (see also Hawdon et al., 2020). We are therefore also keen to examine in our analysis how the level of online activity and thus visibility, level of user skills, along with level of user protection, associate with the risk of different forms of cybervictimisation as well as polyvictimisation. This makes for an interesting analysis, particularly since Finns have been found to be among the most active and skilled users of Information and Communication Technologies (ICT) in the world, (Eurostat, 2021;ITU, 2021).
Beyond online activity and routines, few studies have examined the association between self-control and cybervictimisation. A study by Whitty (2019) found that in addition to online routines, people who score high on the scale of impulsivity, as well as sensation seeking and addictive behaviour (along with being older in age), had a higher risk of fraud victimisation. Studies by Bossler and Holt (2010) and Reyns and Fisher (2018) found weak connections with low self-control and cybervictimisation, whereas a study by Holt and colleagues (Holt et al., 2020) found a connection between low self-control and malware victimisation, and van Wilsem (2011) found a similar connection with regard to online hacking and harassment victimisation (see also Louderback & Antonaccio, 2020). These aspects of self-control, however, are not examined in this study.

Data and Methods
Our data were collected as part of the Finnish National Crime Survey (FNCS-2018), a nationally representative victim survey conducted in the fall of 2018. The FNCS has been conducted annually since 2012 and consists of standard sections on victimisation and fear of crime as well as a thematic module. In 2018, the thematic module focused on cybercrime victimisation, internet use, and behaviour in the online environment. A gross sample of 14,000 persons aged 15 to 74 years and with permanent residence in Finland was sampled from the Population Information System using a stratified random sampling with gender, age-group, and region as the strata. Younger age groups were oversampled relative to the older age groups. All respondents were sent a paper questionnaire with an option to participate online. The paper questionnaire was available in Finnish or Swedish, the main official languages in Finland, while the online questionnaire was additionally available in English and Russian. The availability of multiple languages in the online survey was indicated in a multi-language cover letter that was sent along with the Finnish-language paper questionnaire to persons whose registered native language was neither Finnish nor Swedish. Altogether, 5455 persons participated in the survey, making for a 39.0% response rate. For the analysis, the data were weighted to account for varying inclusion probabilities and unit non-response in each stratum.

Dependent Variables and Independent Variables
The survey included a list of 10 different cybervictimisation items (see appendix for a more detailed description of the items). In short, these items included phishing, fraud, identity theft, malware, hacking, sexual harassment, other harassment, violation of personal privacy, defamation, and threat of violence. The items were measured both as lifetime experience and in the preceding 12 months. In the following, we provide descriptive statistics for both measures, but focus on victimisation in the preceding 12 months in the models. For the multivariate analyses, as well as Poisson regression analysis of polyvictimisation, we restrict the analysis to the five most common forms of victimisation: malware, other/ general harassment, sexual harassment, hacking, and fraud (see also Table 2). In short, in the survey, these five items were described as follows: "Your computer or smart device has been infected by malware" (malware), "You have received sexually harassing messages on the internet" (sexual harassment), "You have received other harassing messages on the internet" (general harassment), "Your email or social media account has been hacked" (hacking), "Your debit or credit card has been used on the internet without your permission" (fraud). Therefore, we included in our more detailed analysis only the five most common forms of cybervictimisation. This was done so that both analyses would focus on the same forms of victimisation. The prevalence rates for the other forms of victimisation were too low for a more nuanced analysis and were thus excluded from further exploration. All the outcomes are binary, with 0 indicating no victimisation and 1 indicating being victimised at least once in the prior 12 months. In terms of polyvictimisation, the dependent variable was constructed as counts with values ranging from 0 to 5 types of victimisation during the previous 12 months. Six percent of the respondents reported at least some type of online victimisation experience in the prior 12 months.
As for independent variables (see Table 1 for descriptive statistics of the independent variables), we included both SES background variables, namely gender, age-group, educational level, and perceived financial situation, along with items that measure activity and behaviour in an online environment. Furthermore, as we were also keen to examine whether there was and overlap with online and offline victimisation experiences, we included prior offline victimisation, both property and violence, as control variables. The measures for gender and 10-year age-group were derived from the Population Information System, which is a computerised national register containing all the basic information about Finnish citizens and foreign citizens residing in Finland on a permanent or temporary basis, while the measures for educational level and the perceived financial situation of the household were obtained from the survey. Age was classified into four groups: 15 to 24, 25 to 34, 35 to 54, and 55 to 74-year olds. Educational level was classified into three groups: primary, secondary, and tertiary education (see the appendix for a more detailed description). The measure for perceived financial situation was constructed as a dichotomised variable, where the group with financial difficulties included respondents who indicated that, considering all of the combined income in their household, it was "very hard", "hard", or "somewhat hard" to manage financially with that income, whereas the group with no financial difficulties included respondents who reported that it was "somewhat easy", "easy", or "very easy" to manage financially with their combined income.
Internet use was measured using 10 items (see the appendix for the full item list) asking "How often do you use the internet for the following purposes", such as, for example online banking, and reading news online, with a 5-point response scale ranging from "never" to "daily". We then summarised responses to all 10 items and formed three equal-sized (33/66 tertile) activity groups based on the item scores: high activity, medium activity, low activity.
Computer skills were measured using seven items (see appendix for a detailed description of the items) based on how often the respondent used certain types of programmes, or used a computer for certain purposes (use spreadsheets such as Microsoft Excel, use word processors such as Microsoft Word, use programming languages for programming or writing computer code, draw up diagrams, figures, or tables on a computer, write up reports on a computer, use a computer for basic mathematical calculations or formulae), with a 5-point response scale ranging from "never" to "daily". We then summarised responses to all seven items and formed three equal-sized (33/66 tertile) skills groups based on the item scores: high skills, medium skills, low skills.
The measure for user protection was constructed from six items (see appendix for a detailed description of the items) focusing on the protective measures respondents took in their online behaviour, where the respondents were asked, for example, how often they used protective measures such as long and complicated passwords, with a 5-point response scale ranging from "never" to "always". We then summarised responses to all six items and formed three equal-sized (33/66 percentiles) protection-level groups based on the item scores: high protection, medium protection, low protection.
Offline victimisation was measured both in terms of property and violence. Property crime victimisation in the survey was measured by asking respondents whether "in the past 12 months they had experienced theft of personal property, such as wallet, purse, credit card or mobile phone, taking place outside your home." with yes/no listed as the options for responses. Offline violence victimisation in the past 12 months was measured using a question set with 11 different types of violence victimisation (see appendix for full item list). The question set had a 4-point response scale which included the response options "Nobody", "Former or present spouse, cohabiting partner or dating partner", "Some other person you know closely", and "An unknown person or a person you know only remotely". We then summarised responses to all 11 items and formed combined binary item of victims of any violent crime in the past 12 months.

Analysis
For our analysis, firstly, we provide descriptive statistics of all the victimisation items, secondly, estimate logistic regression models, and thirdly Poisson regression models for the selected outcomes. The estimates from the logistic regression models are reported in average marginal effects (AME) (see also Bergmann et al., 2018). The reason for this is to give a more descriptive picture of the results. Compared to the more conventional odds ratios, average marginal effects give a more descriptive, and perhaps more straightforward interpretation of the results, as the risk is expressed as a percentage point change in probability. We chose to use dichotomous and polychotomous variables in order to present marginal effects more easily. Marginal effects for continuous variables tend to be less informative and difficult to interpret. Average marginal effects are reported in Table 3. We estimated Poisson regression models with the numbers of crimes as a dependent variable with regard to our analysis of polyvictimisation. The estimates from the Poisson regression models are reported in incidence rate ratio (IRR). These results are reported in Table 4. The data were analysed using Stata. Table 2 presents the estimated prevalence rates for 10 different forms of cybercrime victimisation, both over one's lifetime and in the 12 months preceding the survey. By far, the most common form of victimisation was malware, followed by other harassment, sexual harassment, hacking, and fraud. For the other five forms of victimisation, the lifetime prevalence rate was less than 5% and prevalence in the preceding 12 months was circa 1%. For further analysis, we focus on the five most common forms of cybervictimisation.

Results
In Table 3, we show the results from the logistic regression models in terms of victimisation in the prior 12 months. We present the estimates for statistically significant coefficients in average marginal effects.
Malware Gender and age were associated with being a victim of malware. Women were 6.5 percentage points less likely to report being a victim of malware, while the probability for respondents in the oldest age group was 9.7 percentage points higher compared to the youngest age group. Respondents with secondary education were 2.4 percentage points  Significance levels: *p < 0.05; **p < 0.01; ***p < 0.001 more likely to report being victims than respondents with tertiary education. Respondents in challenging financial situations were 5.7 percentage points less likely to report being victims compared to respondents with a good financial situation. Both higher internet use and user skills were associated with malware victimisation. Intermediate (AME 3.5) and high (AME 5.0) internet usage were associated with higher victimisation risk, while higher perceived skills (medium skills AME 5.8 and high skills AME 6.4) in computer use were likewise positively associated with a higher risk of malware victimisation. Personal protective measures were negatively associated with becoming a victim of malware (AME − 4.8 percentage points for highest protection). Notably, malware victimisation was the only outcome where the personal protective measures were statistically significant. In terms of offline victimisation, respondents who had been victims of violence were 9.4 percentage points more likely to report malware victimisation.
Other (Non-sexual) Harassment Women were 2.8 percentage points more likely to report victimisation than men. In terms of age, respondents in the age group 25 to 34 were 4.8 percentage points less likely to report victimisation compared to the youngest age group. Financial difficulties were negatively associated with harassment (AME − 2.5). Both higher internet use (medium use AME 3.8 and high use AME 6.9) and higher user skills were positively associated with harassment victimisation. Respondents belonging to the intermediate skills group were 4.6 percentage points less likely to report victimisation, while the estimate for the high skills group was 5.3 percentage points. In terms of past offline victimisation, respondents who had been victims of property crime were 10.6 percentage points more likely to report online harassment victimisation. In addition, those who had been victims of violence were 7.0 percentage points more likely to report victimisation.

Sexual Harassment
Unlike with non-sexual harassment, gender differences were not statistically significant. Respondents in the youngest age group were more likely to report being victims of sexual harassment, as the marginal effects in the older groups ranged from 3.9 to 6.1 percentage points less likely compared than the youngest age group. Respondents with self-reported financial difficulties were less likely to report sexual harassment (AME − 2.3). In line with the bulk of the other outcomes in the study, respondents with an intermediate (AME 3.6) or high (AME 5.4) level of internet activity were more likely to become victims compared to those with low internet activity. Again, as with other forms of cybercrime, higher computing skills were positively associated with sexual harassment victimisation as those with the highest skills were 3.8 percentage points more likely to report victimisation compared to respondents with the lowest skills. Respondents who had been victims of offline property crime were 7.7 percentage points more likely to report online sexual harassment victimisation. Respondents who had been victims of violence were 8.2 percentage points more likely to report victimisation.
Hacking In terms of hacking, respondents in the oldest age group were 2.7 percentage points less likely to report victimisation of hacking compared to the youngest age group. Similarly to malware victimisation, internet usage and high self-reported computer skills were positively associated with being a victim of hacking. AME for respondents in medium usage group was 1.4 and 1.9 for respondents in the high usage group. Respondents in both the intermediate and high user skills groups were 1.6 percentage points more likely to become victims compared to those with the lowest user skills. In addition, respondents who had been victims of offline violence were 3.6 percentage points more likely to report hacking victimisation.
Fraud The result regarding fraud shows that respondents in the age group 35 to 54 had a 2.8 percentage point higher probability to report being victims of fraud compared to respondents in the youngest age group. AME in the oldest age group was 1.8 percentage points. Respondents with secondary education had a 1.2 percentage points lower and respondents with primary education had a 2.1 percentage points lower probability to report being victimised compared to respondents with tertiary education. In addition, respondents who had been offline victims of property crime were 8.7 percentage points more likely to report victimisation and respondents who had been victims of violence were 2.9 percentage points more likely to report fraud victimisation.
In Table 4, we show the results from the Poisson regression models for polyvictimisation in the past 12 months. Here, we describe results that were statistically significant. Our findings show that compared to the youngest age group, those in the age group 25-34 years were less at risk of polyvictimisation (IRR 0.8). However, this risk was not significant in older age groups. In terms of financial situation, those who were in a challenging financial situation were less at risk of polyvictimisation (IRR 0.7) compared to those in a better financial situation. Respondents reporting medium (IRR 1.5) and high (IRR 1.8) internet use and medium (IRR 1.6) and high (IRR 1.7) user skills were more at risk of polyvictimisation compared to those with low activity and skills. Those reporting high user protection (IRR 0.8) were less at risk of polyvictimisation compared to those reporting low user protection. Finally, both victims of property crime (IRR 1.9) and violence (IRR 2.0) were more at risk of polyvictimisation compared to those who had not been victims.

Discussion
The aim of this study was to analyse the prevalence of different types of cybercrime victimisation and their shared risk factors among Finnish population. In addition, it also examined risk factors for polyvictimisation in the online context, thus providing advanced approach in cybercrime research. Earlier studies using nationally representative data have also been relatively rare (see, e.g. Oksanen & Keipi, 2013;van Wilsem, 2013;Holt et al., 2018;Reep-van den Bergh and Junger 2018;see also, Virtanen, 2017), which may explain variation in reported victimisation prevalence between different studies. Studies that also examine polyvictimisation in the online context are even rarer (e.g. Hamby et al., 2018).
Our findings indicate that there is substantial variation in the prevalence of different forms of cybercrime victimisation at the population level. Malware and different forms of harassment are by far the most common forms of online victimisation, with circa 10% of the respondents reporting victimisation experiences during the past year. The victimisation prevalence for the five least common forms of online victimisation was only about 1%. Interestingly, the prevalence rates for the most common online offences were roughly at the same level as the prevalence estimates for the "offline" offences in the Finnish National Crime Victim Survey. This is notable, as the fear of cybercrime victimisation greatly exceeds the fear of traditional forms of violence (see Danielsson & Näsi, 2019). Although not shown in the tables, our survey findings also show that 25% of the respondents reported some form of cybervictimisation in the past 12 months. This seems to be significantly higher than Oksanen and Keipi's (2013) findings from a 2009 survey, in which 2.5% of Finns reported experiencing some form of cybervictimisation over the past 3 years. Besides just the increase in different types of online threats, it may also be that people are increasingly more aware of cybercrime, and thus may be more sensitive in recognising and reporting online offences.

Risk Factors for Cybercrime Victimisation
Our main findings concerning the different risk factors for different forms of online victimisation were threefold. Firstly, online routines and activity play a significant role, both in the variety of different types of online victimisation as well as polyvictimisation. Therefore, the theoretical premise of Routine Activity Theory (RAT) also lines up well with our findings. The more active people are online, the more exposed to potential offenders and other dangers, the more likely they are to become victims. Our findings are in line with much of the existing research on online of victimisation (e.g. Leukfeldt & Yar, 2016). While we controlled for internet usage in our models, it is also possible that only certain types of online behavioural patterns expose individuals to, for example, harassment or malware, which may explain the observed results (e.g. Bergmann et al., 2018;Branley & Covey, 1 3 2017; Reyns et al., 2019). It appears that our measure of user skills behaves similarly to internet use activity. According to our findings, user skills do not function as a protective factor that would make any given individuals less suitable victims for cyber offenders. This makes sense, however, since earlier research has suggested that the most fluent users also report more diverse internet use (see, e.g. Hargittai, 2010;Hargittai & Hinnant, 2008). This means that users' skills generally tend to reflect more active use of various forms of new technology, thus mirroring the window of exposure. Therefore, it is not surprising that these same elements are associated with a greater risk of polyvictimisation as well. It also shows that in the online context, a more active presence appears to diversify the risk range of victimisation.
The results concerning user protection were not very surprising. Protective measures work better to counteract risks related to malware and viruses than they do with social actions and behaviour. For the average user, the different protective measures are undertaken by the manufacturers, developers, and platform providers of the new forms of technology matter when the machine is the target. The challenge is what to do when a specific person is the target. Future studies would also benefit from a more detailed analysis on malware victimisation, particularly when it comes to specific forms of malware. However, high user protection did reduce the risk of polyvictimisation. It may be that those respondents who pay more attention to aspects of user protection are slightly more wary in their general online behaviour.
Secondly, offline victimisation matters. What is notable is that prior offline victimisation serves as a risk factor for such a wide range of online victimisation experiences as well as online polyvictimisation. This further supports and adds to the past research findings that have noted that online and offline victims are not completely separate groups of victims, but rather the online environment has expanded the victimisation environment among those who are already victims offline (Choi et al., 2019;Ioannou et al., 2018;Mitchell et al., 2011;Oksanen & Keipi, 2013;Räsänen et al., 2016;Reyns & Fisher, 2018;Sumter et al., 2012;Weulen Kranenbarg et al., 2019;Zetterström Dahlqvist & Gillander Gådin, 2018), thus, suggesting accumulation of negative experiences, in both an offline and online context where one is not protected even when the offender is not physically present. Recent research has noted how coercive control has expanded into the digital platforms and communication tools (e.g. Dragiewicz et al., 2018;Harris & Woodlock, 2019), therefore perhaps in part explaining the overlap in online harassment victimisation, as well as in having your email or social media account hacked, with offline violence victimisation. However, our findings do still raise further questions, such as why past experiences of violence victimisation raise the risk of victimisation regarding so many different types of online victimisation and polyvictimisation. Is it merely an accumulation of all kinds of negative experiences? There is clearly a need for further research.
Thirdly, our results indicate, not altogether surprisingly, that different types of online offences do have slightly different risk factors. Although offline victimisation increased the risk for online victimisation, the role of different socio-economic background variables was in some cases different compared to risk factors regarding many forms of offline victimisation. For example, a weaker financial situation has been found to be a risk factor for many types of offline victimisation (e.g. Aaltonen et al., 2012;Levitt, 1999;Nilsson & Estrada, 2003;Thacher, 2004;Tilley et al., 2011); yet in our findings, a good financial situation actually increased the risk of malware victimisation and different forms of online harassment, as well as polyvictimisation, even after controlling for age and activities in the online environment. Furthermore, education does not play a particularly clear role when it comes to online victimisation (see also, Bergmann et al., 2018).
It is possible that those in a better financial position are more at risk partly because they tend to be more active internet users (Statistics Finland, 2018) in ways that are not captured by our measures for online activity and thus are potentially more exposed to a wider range of online offenders and offences. It may also simply be that they have a larger "attack surface" or, in other words, have more devices at their disposal. Furthermore, in the online context, the (potentially protective) neighborhood effect also disappears (Thacher, 2004;Tilley et al., 2011). One does not have protective physical surroundings, such as living in a gated community, or living in an otherwise safe part of town, thus potentially levelling the playing field for crime to occur. These are certainly elements that warrant further research.
In terms of other risk factors, findings concerning age and gender were mixed. Men in the older age groups were more likely in harm's way with regard to malware and older respondents becoming victims of fraud (see also Whitty, 2019). In terms of fraud, it may be that older people use the likes of credit and debit cards more actively and in more diverse settings, thus facing greater risk of misuse. It may be that malware victimisation is in part due to the type of content consumption older men undertake, such as visiting sites with pornographic content (see Bergmann et al., 2018). It appears that those in the youngest age group were more at risk when it came to polyvictimisation. It may be that adolescents and young adults are more diverse in their online use and were therefore more exposed to a variety of different online risks. Young women were more at risk for non-sexual online harassment, yet gender did not play a significant role in sexual harassment. This is an interesting finding that warrants further research. A four-nation study by Näsi and colleagues (Näsi et al., 2015) from a few years ago found sexual harassment to be the least common form of online victimisation among adolescents and young adults from Finland, Germany, the UK, and the USA (also see the findings on online harassment from Reep-van den Bergh and Junger 2018). However, our results indicate that online harassment victimisation in general appears increasingly more common, and in many cases, a non-gender specific part of the harassment and abuse toolkit.
All in all, our results line up rather well with prior research on cybercrime victimisation, as well as raise a few points to note in future research. There are only a few studies that have examined online polyvictimisation; thus, our research also helps to extend our understanding of cybervictimisation. Furthermore, by relying on population-level data, our study provides cumulating empirical evidence in the study of online victimisation.