Private organizations suffer great losses due to cybersecurity incidents, and they invest increasing resources to prevent attacks, but little is known about the effectiveness of cybersecurity measures for prevention. Based on the framework of Routine Activity Theory, this paper analyzes the impact of companies' online activities and cybersecurity measures on victimization. Our analysis of the UK Cybersecurity Breaches Survey shows that the most promising ways to minimize cyber-attacks and their impacts are to invest in in-house cybersecurity human resources and to enhance employees' online self-protection by providing cybersecurity training, rather than relying only on basic software protection and guidance about strong passwords.
Introduction
The digital space and digital systems are core operating contexts for most businesses and their associated activities, whether entering into economic relations with customers purchasing goods and services, storing and sharing data, or undertaking commercially sensitive activities that involve confidential information (Office for National Statistics, 2019). As a result, one-eighth of the UK National Gross Domestic Product depends directly on the digital economy (National Audit Office, 2019). The digital space, however, offers many new opportunities for crimes, including frauds, that may be enabled by, or dependent on, Internet-connected systems. In 2017, the UK Annual Fraud Indicator estimated that frauds were responsible for £140 billion in losses for the private sector, £40 billion in losses for the public sector and £6.8 billion in losses for individuals (Crowe, 2017), and a report published by the National Audit Office (2017) identified that more than half of all frauds were committed online. Other cybersecurity risks, such as malware and denial of service attacks targeting businesses, have also increased in recent years (National Cyber Security Centre, 2017). Given that the private sector is a primary target of cybersecurity attacks and suffers the greatest economic losses, private companies are investing more resources every day to prevent cybersecurity threats (EY, 2019; Levi et al., 2015), but little is known about the effectiveness of these measures in preventing cyber-attacks (e.g., Bilodeau et al., 2019; Rantala, 2008; Richards, 2009; Williams et al., 2019).
Despite the considerable financial losses suffered by businesses as a result of cybersecurity attacks, criminological research has typically focused on studying cyber-victimization among individual citizens (e.g., Holt & Bossler, 2016; Leukfeldt & Yar, 2016; Marcum et al., 2010). This is likely due to the lack of available and reliable sources of data to examine cybersecurity attacks on businesses. To fill this gap in the literature, this article analyzes the dynamics of online business activities, cybersecurity measures, and cyber-victimization. It aims to illuminate which cybersecurity measures are effective in preventing cybersecurity breaches and attacks, and which measures are inefficient or ineffective. Based on the theoretical framework of Routine Activity Theory (RAT; Cohen & Felson, 1979) and considering the suitability of crime targets by their value, inertia, visibility, and accessibility ("VIVA"), this paper analyzes how certain online activities and protective measures implemented by organizations affect their likelihood of falling victim to cyber-attacks. Thus, the original contribution of this paper is to show the utility of RAT for understanding businesses' victimization by cybersecurity attacks and breaches, and more specifically to foreground the internal guardian and personal self-protection as effective ways to minimize cybersecurity attacks and their impacts. This research is concerned mainly with businesses' victimization by cyber-dependent crimes such as computer viruses, spam, hacking, and denial of service attacks (Wall, 2007).
The remainder of this paper is organized as follows. Section 2 examines the role of businesses' online activities and cybersecurity measures for cybercrime prevention. Section 3 applies the notions of guardianship and VIVA to business victimization by cybersecurity attacks. Section 4 introduces the data and methods used. Section 5 presents the results of our models. Finally, Section 6 discusses the results and presents conclusions and implications.
Businesses' online activities, cybersecurity and cyber-victimization
Few empirical studies have analyzed cybercrimes suffered by organizations. In this section we summarize the results of the main research analyzing the impact of organizations' cybersecurity measures and online activities on cybercrime victimization.
Rantala (2008) analyzed data from the 2005 US National Computer Security Survey and found that 67% of the 7,818 participant companies had suffered at least one cybersecurity incident in the previous year. The most common cybercrimes suffered by organizations were spyware, adware, phishing, and spoofing. Richards (2009) conducted a survey of 4,000 businesses in Australia and found that the most common types of cybercrime suffered by organizations were virus and malware infections, and the most prevalent impact of cybercrime on businesses was the corruption of hardware or software. Moreover, Richards (2009) showed that only 8% of victims reported cybersecurity incidents to the police, which highlights the value of survey data and the limitations of relying on police-recorded incidents for cybercrime research (Kemp et al., 2020). HISCOX (2018) surveyed 4,103 professionals responsible for the cybersecurity of UK small businesses and found that 30% had suffered cybersecurity breaches in the previous year. Incidents had an average direct cost of £25,700 (e.g., ransom paid, hardware replaced). Bilodeau et al. (2019) analyzed a survey of 10,794 businesses in Canada and found that 21% of organizations were impacted by cybersecurity incidents at least once in the last 12 months (mainly scam, online fraud, phishing and computer viruses). Williams et al. (2019) surveyed 751 businesses in the UK in order to analyze insider cybercrime victimization and found that less than 10% of organizations reported experiencing insider cyber-victimization.
The prevalence of cybercrimes, however, varies across business sectors and sizes, and certain cybersecurity measures appear to have better results for cybercrime prevention than others. For example, Rantala (2008) found that telecommunication businesses, computer system design companies and manufacturers of durable goods have a higher prevalence of cyber-victimization, whereas administrative support, finance, and food service businesses suffer the greatest economic losses. Forestry, fishing, hunting, and agriculture businesses had the lowest victimization rates. Bilodeau et al. (2019) show that banking institutions, universities, and pipeline transportation companies suffer more cyber-attacks than other business sectors. Large companies tend to report the largest expenditures on cybersecurity, but these are also more likely to be targeted by cybercriminals and suffer the greatest financial losses (...