The Human Factor of Cybercrime
eBook - ePub

The Human Factor of Cybercrime

Rutger Leukfeldt, Thomas J. Holt

  1. 432 pages
  2. English

About This Book

Cybercrimes are often viewed as technical offenses that require technical solutions, such as antivirus programs or automated intrusion detection tools. However, these crimes are committed by individuals or networks of people which prey upon human victims and are detected and prosecuted by criminal justice personnel. As a result, human decision-making plays a substantial role in the course of an offence, the justice response, and policymakers' attempts to legislate against these crimes. This book focuses on the human factor in cybercrime: its offenders, victims, and parties involved in tackling cybercrime.

The distinct nature of cybercrime has consequences for the entire spectrum of crime and raises myriad questions about the nature of offending and victimization. For example, are cybercriminals the same as traditional offenders, or are there new offender types with distinct characteristics and motives? What foreground and situational characteristics influence the decision-making process of offenders? Which personal and situational characteristics provide an increased or decreased risk of cybercrime victimization? This book brings together leading criminologists from around the world to consider these questions and examine all facets of victimization, offending, offender networks, and policy responses.

Chapter 13 of this book is freely available as a downloadable Open Access PDF at http://www.taylorfrancis.com under a Creative Commons Attribution-Non Commercial-No Derivatives (CC-BY-NC-ND) 4.0 license.

Information

Publisher: Routledge
Year: 2019
ISBN: 9780429864179

Part I
Background

1 It ain't what it is, it's the way that they do it? Why we still don't understand cybercrime

Dr Michael McGuire

Introduction: definitions, concepts, and more definitions

On the face of it, our concept of cybercrime appears straightforward enough. It has usually been taken to signify “the occurrence of a harmful behaviour that is somehow related to a computer” (Wall, 2001, p. 3), “crime that is ‘mediated’ by a computer” (Thomas & Loader, 2000) or “crime that is facilitated or committed using a computer” (Gordon & Ford, 2006, p. 15). Put simply, cybercrime appears to ‘involve’ computers and to ‘involve’ crime. Of course, if defining cybercrime were that simple, this would be a very short chapter indeed. But upon closer inspection, it quickly becomes apparent that matters are not quite so simple as they first appear. Aside from the obvious need for a few more qualifications (what type of crime does cybercrime involve, for example?), this ostensibly straightforward definition soon begins to unravel when scrutinized in more detail. It is not just that agreeing upon an appropriate concept of ‘computer’ has been far from straightforward. The scope of such a definition also appears too wide. It would, for example, entail that the mere theft of a computer or that listening to a podcast whilst committing a burglary might ‘involve’ cybercriminality. A workable concept of cybercrime therefore seems to require a more precise sense of what being ‘involved’ in a criminal act entails. But defining what involvement means has been a recurring problem for any definition of cybercrime (Fafinski, Dutton, & Margetts, 2010; McGuire, 2012; Ngo & Jaishankar, 2017; Furnell, 2017).
Two wholly opposed responses to this conundrum seem possible:
  • To argue that a viable concept/definition of cybercrime doesn’t matter and that we can get on perfectly well measuring and responding to acts we call ‘cybercrime’ without any need for more developed conceptions.
OR
  • To argue that a viable concept of cybercrime is an essential element of any successful response to it.
For those who incline towards the former view, debates about ‘what cybercrime is’ or ‘how it should be defined’ will seem about as pointless as the medieval dispute about how many angels can dance on a pinhead. Surely, they might argue, any concept of cybercrime we elect to adopt has little or no effect upon what cybercriminals do or how police and the justice system respond to their actions? Thus, whilst such debates might be of interest in the seminar room, they distract from the ‘real’ purpose of dealing with cybercrime.
This position echoes what philosophers of science have called ‘instrumentalism’1 – a way of avoiding commitments to unnecessary concepts or entities (cf. Worrall, 1982). Instead of assuming that our concepts or definitions refer to real features of the world, instrumentalists argue that they are best viewed as tools for getting a job done. For example, Ernst Mach, the Austrian physicist and philosopher of science, famously refused to accept the reality of the (as yet undetected) atom in the late 19th century (Mach, 1893). For Mach, atoms were no more than a ‘provisional aid’ for more important tasks, such as collecting data, organizing and classifying it, and using this to make scientific predictions.
An instrumentalist position on the concept of cybercrime might involve similar reservations. That is, whilst it might be accepted that there is something ‘out there’ which we call cybercrime, debates about how we should define or conceptualize it are secondary issues to a more pressing concern – what we do about it.2

Do concepts or definitions of cybercrime matter?

The limited consensus around the objectivity of concepts has been a notorious problem within social science (Weber, 1904; Cunningham, 1973; Goodman, 1978). An instrumentalist approach to concepts and definitions of cybercrime might therefore be appealing in terms of theoretical as well as ontological economy. For just as we can use socio-economic metrics like ‘poverty levels’ or theoretical constructs like a ‘habitus’ whilst remaining agnostic about their existence or their precise conceptual conditions, our thinking about criminal justice issues appears similarly underdetermined by what we hold to exist or to be the case (Quine, 1975). For example, many legal theorists have held that criminal law is merely a tool or technique that can be used for certain useful ends and that any theoretical constructs they entail are not decisively real things (Duff & Green, 2011). Legal characterizations of crime play an inferior role to all that really matters – the consequences or outcomes of such characterizations (see Walker, 1980; Braithwaite & Pettit, 1990). In more overtly criminological terms, it could equally be argued that we can get on with thinking about and measuring crime without being beholden to absolute definitional and conceptual precision about crime. For example, we don’t need to have an exhaustive consensus on what the concept of labelling amounts to, or even to accept it as a real factor in causing crime, in order to use it as a background assumption in shaping our responses to certain criminal acts. Something like this view can be discerned in the crime science approach, which has been notoriously keen to evade questions about the causes of crime (in particular, the social-cultural factors which lead to it) in favour of a focus on the outcomes of crime and the elements which contribute to this (the opportunity, the means, the outcome, etc.).
Thus, for crime scientists, our conceptions of ‘crime’ or of ‘criminals’ have been far less important than our methods of preventing or responding to crime (Clarke, 2004).
But an instrumentalist position on crime/cybercrime would be just as unsatisfying (and ultimately unproductive) as instrumentalism about natural science objects like the atom has been. For whilst it might help in evading theoretical difficulties about the precise nature of computer-based offending, instrumentalism would simply postpone the question of what cybercrime may or may not be. Nor would it quite get us off the conceptual hook. Even if the measurement of cybercrime is preferred over its explanation, some reasonably clear conceptions about what is being measured need to be in place if measurement is to be accurate, or even possible at all. As Popper suggested when demonstrating the inadequacy of empiricist assumptions (1962), the imperative to go out and ‘observe’ always comes with a set of implicit conceptual pre-conditions (‘observe what?,’ ‘observe how?,’ etc.). Thus, whilst we might want to be agnostic about the reality of – say – IQ levels or absolute versus relative ‘poverty,’ effective measurement of intelligence or poverty requires us to be very clear about the boundaries of such concepts. More seriously, imprecision about concepts in social science contexts can often have negative (and very real) socio-economic consequences for at-risk groups in society. Ill-defined notions of poverty may result in inadequate support for the neediest, just as poorly formulated concepts of ‘intelligence’ might deprive worthy candidates of employment, promotion, or other opportunities. In other words, where key social variables or indicators are improperly conceptualized, direct and evidenced impacts upon the quality of everyday life may follow. This risk holds equally for conceptualizations within the criminal justice field. Indeed, the risk of inadequate conceptualization is arguably far more serious here, given the potential damage from issues like excess criminalization or miscarriages of justice which this might lead to.
It does not take too much reflection then to see how even slight variations in the way cybercrime is conceptualized can produce wildly differing ways of measuring or responding to it. For example:
Prevalence and seriousness. A familiar way in which the seriousness of any crime type is evaluated is in terms of the volume of recorded offending. This enables us to say (for example) that a crime has risen or fallen from previous years or that it is ‘more or less’ serious than other forms of offending. Claims around prevalence and seriousness have been especially common in discussions of cybercrime. For example, most researchers will be all too familiar with the alarming assertions about spectacular year-on-year increases in the volume of offending (see amongst many others Europol, 2016 or Ismail, 2017. See also McGuire, 2012, p. 77ff). In turn, such assertions have been used to justify claims that cybercrime is not just ‘more serious’ than traditional crime but is the most serious kind of criminal risk we now face (Muncaster, 2010; Allen, 2018). But imprecise conceptualizations about cybercrime and its measurement pose challenges to the credibility of such claims. Over what period has it been the ‘most prevalent’ form of crime? At what rate is it growing? And how can we be sure that the data chosen are appropriate for a particular definition/conceptualization of cybercrime? Even slight variations in what cybercrime is thought to encompass can produce radically different evaluations of how serious or how common it is assumed to be. Take, for example, an ‘archetypical’ cybercrime like card fraud. 
If our conceptualization of this were based solely on cards used over the Internet to purchase goods (called variously ‘card not present’ fraud, ‘remote purchase’ fraud, or ‘e-commerce’ fraud), then the fact that losses on this rose every year in the UK between 2011 and 2016 (FFA, 2018) might justify the claim that cybercrime exhibits a year-on-year upward trend and is therefore a ‘very serious’ form of crime.3 If, on the other hand, this conceptualization was based more upon the use of counterfeit cards, then such claims might be less plausible, given that losses here have fallen from nearly £150 million annually in 2007 to only around £25 million annually in 2017. Indeed, such a drop in prevalence might suggest that cybercrime is far less serious than it is often portrayed.
Costings. Attempts to measure the cost of cybercrime have been a recurring feature of research in the area (Detica, 2011; Anderson et al., 2012, CSIS, 2014/2018). This economic focus has, more recently, been supplemented by attempts to construct metrics around the revenues which cybercrime generates (McGuire, 2018). But even the most cursory inspection of data in this area again demonstrates how sensitive cost estimates of cybercrime are to particular conceptualizations of cybercrime. For example, a recent evaluation of cybercrime costs by the UK Home Office (HO, 2018) found that by defining defacements to websites in terms of ‘cybercriminal activity,’ anything up to £1.6m in costs could be added to the overall total. Similarly, the estimate that, at a minimum, around $1.5tn worth of revenues is now being generated annually by cybercriminals (McGuire, 2018) is significantly contingent upon what kind of concept of cybercrime is being utilized. Where ‘cybercrime’ is defined more rigidly – that is, in terms of explicit computer-related misuse alone (such as the sale of exploits or malware), then revenues from activities like illicit online sales presumably ought not to be included. But the sale of items like counterfeit pharmaceuticals in online markets is a highly lucrative activity – generating up to $400bn annually (Scott, 2016). Thus, a decision to conceptualize cybercrime in certain ways can have major impacts upon the way its financial impacts are evaluated. And significantly lower cost/revenue estimates might produce very different kinds of criminal justice responses.
Legal responses. Notoriously, the legal background to cybercrime is riddled with conceptual ambiguities – not least because there is no specific offence of cybercrime within any jurisdiction (Wall, 2001). Instead, legislation typically relates to a variety of actions, often with little obvious unity or conceptual continuity. This has produced inevitable conceptual inconsistencies in the way cybercrimes are defined across differing jurisdictions (Brenner, 2012; Clough, 2014) and little clarity on how far the ‘involvement’ of a computer/network in a crime is required for it to be a cybercrime, rather than just a crime. Whilst current legislation is closely informed by the kinds of computer misuse deemed undesirable or harmful, it is equally clear that simple definitions of such misuse will produce mala prohibita offences – where it is the definition of illegality which produces the crime, rather than any conceptualization of cybercrime itself. Such definitional decisions do not just affect the legality/illegality of certain behaviours, but have a range of other important ancillary outcomes, for example, changes in crime figures, imprisonment levels, policing resources, and so on. Thus, if it was decided that legal definitions of cybercrimes should incorporate any kind of harm resulting from the use of computers, many more acts would now be criminal than is currently the case – such as addictive gaming, exploitative online pornography, and so on (McQuade, Gentry, Colt, & Rodgers, 2012; Nair, 2019). And this, of course, would then affect perceptions of the scale, seriousness, and so on of cybercrime.
Perpetrators and victims. The way that certain definitions and concepts of crime are developed often include or exclude certain types of offenders. For example, crimes falling under the definition of ‘youth crime’ would rule out crime committed by 60-year-olds, just as crimes conceptualized in terms of knife violence would probably not be classified under the concept of ‘green crime.’ Because the term ‘cybercrime’ does not quite so obviously correlate with specific perpetrator/victim types, profiling cybercriminals and their typical victims has been a highly uncertain method (see Rogers, 2006; Shoemaker & Kennedy, 2009; Kigerl, 2017; Martellozzo & Jane, 2017; Weulen Kranenbarg et al., 2019 for some ...
