Submitted by
R. Allen Green
Prepared for
Professor Philip D. Whittle
ITM 6000 Information Technology Management
Fall II, 2013
Webster University
December 16, 2013
CERTIFICATE OF AUTHORSHIP: I certify that I am the author. I have cited all sources from which I used data, ideas, or words, either quoted directly or paraphrased. I also certify that this paper was prepared by me specifically for this course.
Abstract
Cyber-crime, also known as e-crime, costs companies billions of dollars every year in stolen assets and lost business. Cyber-crime can thoroughly disrupt a company’s marketing actions. Additionally, when a business falls victim to cyber criminals, it can cause a great deal of worry among its customers about the security of their business transactions. Consequently, if a company appears susceptible to cyber-crime then it can lose future business. Such exposure can lead to a decline in the market value of the company, due to justifiable concerns of financial analysts, investors, and creditors. This paper researched several case studies of companies affected by cyber-crime, and the impacts on marketing activity and shareholder value. The paper also explains some of the chief categories of cyber-crime. Results show that the cost of cyber-crime goes far beyond stolen assets, lost business, and company reputation; cyber-crime has a significant negative effect on shareholder value.
TABLE OF CONTENTS
Cover Page
Abstract
Table of Contents
Executive Summary
Key takeaways
Introduction
Body of the Research
Data Crime
Network Crime
Access Crime
Related Crimes
Cost Basis Analogy
Does it really cause Harm?
Estimation Steps
What is cyber-crime?
Cyber-crime Review
Cyber-crime Legislation
  Federal Law
  State Law
Economic Impact
Market Value Impact
Consumer Trust Impact
National Security, an area Ripe for Exploitation
How well does crime pay
Cyber-Crime Evolution
Trends of the Future
A focus on the world’s exchanges
Size, complexity and incentive structure
Theory Review
  Self Control Theory
  Routine Activity Theory
Areas For Future Research
Recommendations
Conclusion
References
Executive Summary
Cyber-crime is commonly referred to as criminal behavior conducted with the use of the Internet. Examples of these attacks include such things as theft of an organization’s academic property, seizing online bank accounts, crafting and dispensing viruses on other computers, posting private organizational information on the Internet and disrupting a country’s important national infrastructure. In line with all of the research conducted for this paper, the loss or misuse of information is the most significant outcome of cyber-crime. As a result of this research, organizations must be more wary in defending their most sensitive and confidential information. The cost to defend against cyber-crime can be significant as shown by the following research.
Key takeaways from this research include:
Cyber-crimes continue to be costly. We found that the average annualized cost of cyber-crime for 56 organizations in our study is $8.9 million per year, with a range of $1.4 million to $46 million. In 2011, the average annualized cost was $8.4 million. This represents an increase in cost of 6 percent or $500,000 from the results of our cyber cost study published last year.
Cyber attacks have become common occurrences. The companies in our study experienced 102 successful attacks per week and 1.8 successful attacks per company per week. This represents an increase of 42 percent from last year’s successful attack experience. Last year’s study reported 72 successful attacks on average per week.
The most costly cyber-crimes are those caused by denial of service, malicious insiders and web-based attacks. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing and enterprise governance, risk management and compliance (GRC) solutions. (Ponemon, 2012)
The intention of this paper is to measure the cost of cyber-crime and examine those trends for the past few years. The belief is that a better understanding of the cost of cyber-crime will aid organizations in determining the appropriate amount to invest and the correct amount of resources needed to thwart or minimize the demoralizing consequences of an attack.
The goal is to be able to calculate with as much precision as possible the costs taken on by organizations when they have discovered that they have been the subject of cyber-crime. As experience and research have shown, a traditional survey approach is not necessarily the best way to capture the essential details needed to accurately calculate the cost of cyber-crime. For that reason, field-based research that has involved interviewing senior-level employees and collecting information about actual cyber-crime incidents will be the main focus of the research. That research has covered a few years and involved an effort to recruit companies, build an activity-based cost model, collect source information and analyze results.
This paper will conclude with the research of case studies involving numerous organizations. For consistency purposes, the research focus consists of mainly larger-sized organizations (i.e., more than 1,000 enterprise seats). The focus of the research was the direct, indirect and opportunity costs that result from the loss or theft of information, disruption to business operations, revenue loss and destruction of property, plant and equipment. Along with calculating the outside cost of cyber-crime, this paper will attempt to capture the total cost spent on detection, investigation, incident response, containment, recovery and after-the-fact response.
Introduction
With the rapid evolution of Information Technology, criminals find inventive ways to commit crimes. This paper will shed some light on how much companies are spending on preventing cyber-crime. The time factor in this modern era progresses far too fast to improve the performance factor. The use of the Internet is what makes it possible. One way of defining the term Internet is the collection of millions of computers that provide a network of electronic connections between the computers. There are literally millions of these computers linked to the Internet. The Internet’s rapid evolution has allowed everyone to appreciate its use, but on the other side of that coin is the cyber-crime that has also evolved just as rapidly, if not faster.
E-commerce has become an essential part of all marketing activity. With the rapid evolution of the Internet the majority of e-commerce has transferred to take place on the websites of publicly traded companies. With all of this rapid evolution there has been the need to define all aspects that occur on the Internet and one of them is the term ‘cyberspace’ which refers to the electronic medium of computer networks, primarily the Web, where the bulk of online communication takes place. E-business or cyber-business are facing the challenge of being highly vulnerable to e-crime, also known as cyber-crime. Cyber-crime can thoroughly disrupt a company’s marketing activities and in turn ends up costing publicly traded companies billions of dollars yearly in stolen goods, lost business, and damaged reputations just to name a few. Cyber-crime costs the US economy over $100 billion per year (Smith, J.; Smith, K. & Smith, L., 2011). Literally with a key stroke, currency can be stolen before anyone would be aware. If a company website crashes or experiences numerous shutdowns then customers will seek those services elsewhere.
This has been expressed in most of the research. In addition to the direct losses associated with cyber-crime, a company that falls prey to cyber criminals may lose the confidence of customers who worry about the security of their business transactions. As a result, a company can lose future business if it is perceived to be vulnerable to cyber-crime. Such vulnerability may even lead to a decrease in the market value of the company, due to legitimate concerns of financial analysts, investors, and creditors. (Smith et al. 2011)
As countries scramble to invest in information security, governments want to know how large that investment should be, and what the money should be spent on. This creates a demand among rational policy-makers for accurate statistics of online/electronic crime and abuse. However, many of the existing surveys are carried out by organizations (such as antivirus software vendors or police agencies) with a particular view of the world and often a special agenda. (Weis, 2012) This concern is not limited to just one area and all countries must take an active part in the efforts to mitigate cyber-crime. One country unfortunately will not be enough to even put a dent in the efforts to prevent cyber-crime but with the consolidated efforts of many countries it can be mitigated to a minimal effect. Cyber-crime will never be eliminated, sorry to break that to you but with every new defense that is created a new vulnerability is exploited by cybercriminals. This is one of the main reasons why the cost of cyber-crime goes into the billions of dollars each year and it appears that there is no end in sight.
Body of the Research
To have a better understanding of what cyber-crime is and the terms associated with it, some definitions are provided throughout this paper as a result of the research conducted. The definitions provided are not the only definitions for each term but are those considered the most appropriate for the research conducted. Since the Internet and cyber-crime are still fairly new, the definitions evolve just as fast as they do. The term cyber-crime can be defined as an act committed or omitted in violation of a law forbidding or commanding it and for which punishment is imposed upon conviction. In other words, cyber-crime is "criminal activity directly related to the use of computers, specifically illegal trespass into the computer system or database of another, manipulation or theft of stored or on-line data, or sabotage of equipment and data." The Internet space or cyber space is growing very fast, and so are cyber-crimes. Some of the kinds of cyber-criminals are listed below. (Panda, T.; Rao, Y. & Saini, H., 2012)
Crackers: These individuals are intent on causing loss to satisfy some antisocial motives or just for fun. Many computer virus creators and distributors fall into this category.
Hackers: These individuals explore others' computer systems for education, out of curiosity, or to compete with their peers. They may be attempting to gain the use of a more powerful computer, gain respect from fellow hackers, build a reputation, or gain acceptance as an expert without formal education.
Pranksters: These individuals perpetrate tricks on others. They generally do not intend any particular or long-lasting harm.
Career criminals: These individuals earn part or all of their income from crime, although they do not necessarily engage in crime as a full-time occupation. Some have a job, earn a little and steal a little, then move on to another job to repeat the process. In some cases they conspire with others or work within organized gangs such as the Mafia. The greatest organized crime threat comes from groups in Russia, Italy, and Asia. "The FBI reported in 1995 that there were more than 30 Russian gangs operating in the United States. According to the FBI, many of these unsavory alliances use advanced information technology and encrypted communications to elude capture."
Malcontents, addicts, and irrational and incompetent people: "These individuals extend from the mentally ill to those addicted to drugs, alcohol, competition, or attention from others, to the criminally negligent."
Cyber terrorists: There are many forms of cyber terrorism. Sometimes it's a rather smart hacker breaking into a government website, other times it's just a group of like-minded Internet users who crash a website by flooding it with traffic. No matter how harmless it may seem, it is still illegal.
Cyber bulls: Cyber bullying is any harassment that occurs via the Internet. Vicious forum posts, name calling in chat rooms, posting fake profiles on web sites, and mean or cruel email messages are all ways of cyber bullying.
Salami attackers: Those attacks are used for the commission of financial crimes. The key here is to make the alteration so insignificant that in a single case it would go completely unnoticed, e.g. a bank employee inserts a program into the bank's servers, which deducts a small amount from the account of every customer. (Panda et al. 2012)
Anyone who has had a computer or laptop affected by a virus has been the victim of Crackers. Their only intent is to cause loss for their own pleasure; there is no real monetary gain based on the definition. That is not to say that some Crackers could not be hired to do what they do, but for the most part they do it for the sheer pleasure of making others suffer. One example that comes to mind is the “I Love You” virus from a couple of years past.
Then there are Hackers who attempt to gain access to one's computer for the purpose of gathering information (educational), out of curiosity, or to compete with other Hackers to gain recognition or popularity. Hackers have been known to hack into such computer networks as those of the U.S. Government, which is of major concern to the U.S. Government because of all the classified and sensitive information contained within that network. The other concern would be the access to all the money of the employees as well as the government accounts. Gaining access to all this type of data could completely cripple any country.
One of the less harmful ones is the Pranksters who are generally set to carry out practical jokes. They generally do not intend for these pranks or jokes to have any long lasting effects or harm. All the same they still can cost money in some way, whether sending people home, shutting down a system for a time and so on.
Career Criminals are not just criminals in the cyber-crime arena, they are from all areas and this is one that is listed here because Career Criminals are using the cyber arena more and more to assist them in the commission of their crimes. The cyber arena allows them much easier access and they can often commit crimes in a more efficient manner and with a higher possibility of evading detection.
Cyber Terrorist, as we have learned, has many forms from a highly intelligent hacker to a group of like-minded Internet users with the same goal. These goals can be to crash a website, hacking into a government website or threatening large financial institutions but the end result is still the same.
A Cyber bull is another one that the name doesn’t seem to fit the definition and maybe cyber bullying would be more fitting. Cyber bullying is the act of using the internet to pester or bully someone and this can get very serious and has been in the national news in recent months with one girl ending her life as a result of cyber bullying.
Finally, Salami attackers are in the realm of financial gain because they are committed for the sole purpose of financial gain or causing financial loss. Salami attackers attempt to make the financial loss so slight that it would go unnoticed. Another example comes from the movie “Superman III” when actor Richard Pryor inserted a code or program into his company’s computer system to send all the decimal points that were not rounded off of every employee’s paychecks to him. Now this amount was very insignificant from each employee but when added all together the results can be enormous as was seen when Richard Pryor’s character received the first check and his reaction.
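A salami scheme of the kind described above is caught by recomputing each payment independently and looking for many tiny discrepancies that all lean the same way. The following Python code is an added example, not part of the paper or its sources; the payroll records, account names, rounding rule and thresholds are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed payroll run: "paid" is what the (possibly tampered) system disbursed.
PAYROLL_RUN = [
    {"employee": "E1", "hours": "37.5", "rate": "21.37", "paid": "801.37"},
    {"employee": "E2", "hours": "40", "rate": "19.99", "paid": "799.60"},
    {"employee": "E3", "hours": "38.25", "rate": "23.11", "paid": "883.95"},
    {"employee": "E4", "hours": "35.5", "rate": "18.45", "paid": "654.97"},
    {"employee": "E5", "hours": "40", "rate": "25.00", "paid": "1000.00"},
]

# Constructed ledger of other credits posted in the same pay period.
CREDITS = [
    {"account": "ACCT-1001", "amount": "250.00"},
    {"account": "ACCT-9917", "amount": "0.02"},
    {"account": "ACCT-9917", "amount": "0.01"},
]


def expected_pay(hours, rate):
    """Recompute pay with the documented rule (assumed: round half up to the cent)."""
    exact = Decimal(hours) * Decimal(rate)
    return exact.quantize(CENT, rounding=ROUND_HALF_UP)


def audit_payroll(records):
    """Return (findings, total shortfall); a finding is (employee, expected, paid, diff)."""
    findings = []
    shortfall = Decimal("0")
    for rec in records:
        want = expected_pay(rec["hours"], rec["rate"])
        paid = Decimal(rec["paid"])
        diff = want - paid
        if diff != 0:
            findings.append((rec["employee"], want, paid, diff))
            shortfall += diff
    return findings, shortfall


def looks_like_salami(findings, min_hits=3, max_slice=CENT):
    """Signature: several underpayments, each no larger than one slice.

    Honest rounding errors scatter in both directions; a skimming program
    produces small differences that are all positive (employee underpaid).
    """
    if len(findings) < min_hits:
        return False
    return all(Decimal("0") < diff <= max_slice for _, _, _, diff in findings)


def correlate_credits(credits, shortfall):
    """Accounts whose credits in the period add up exactly to the shortfall."""
    totals = {}
    for credit in credits:
        account = credit["account"]
        totals[account] = totals.get(account, Decimal("0")) + Decimal(credit["amount"])
    if shortfall <= 0:
        return []
    return sorted(acct for acct, total in totals.items() if total == shortfall)


if __name__ == "__main__":
    found, total = audit_payroll(PAYROLL_RUN)
    for employee, want, paid, diff in found:
        print(f"{employee}: expected {want}, paid {paid}, short by {diff}")
    print("total shortfall:", total)
    print("salami pattern:", looks_like_salami(found))
    print("accounts matching shortfall:", correlate_credits(CREDITS, total))
```

No single discrepancy here would be noticed on its own; it is the recomputation across the whole run and the match against one beneficiary account that exposes the pattern.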
That was just some of the cyber criminals but what about cyber-crimes? To those who are not as versed in the cyber arena they seem to be in the same category but one deals with the individuals who commit the offense (cyber criminals) and the other is that actual offence itself (cyber-crimes). Categorizing cyber-crimes can be an endless task based on the rapid evolution of the internet but one study categorized them into four general crimes with sub-categories in each as follows:
1. Data Crime
a. Data Interception
An attacker monitors data streams to or from a target in order to gather information.
This attack may be undertaken to gather information to support a later attack or the data collected may be the end goal of the attack. This attack usually involves sniffing network traffic, but may include observing other types of data streams, such as radio. In most varieties of this attack, the attacker is passive and simply observes regular communication, however in some variants the attacker may attempt to initiate the establishment of a data stream or influence the nature of the data transmitted. However, in all variants of this attack, and distinguishing this attack from other data collection methods, the attacker is not the intended recipient of the data stream. Unlike some other data leakage attacks, the attacker is observing explicit data channels (e.g. network traffic) and reading the content. This differs from attacks that collect more qualitative information, such as communication volume, not explicitly communicated via a data stream.
b. Data Modification
Privacy of communications is essential to ensure that data cannot be modified or viewed in transit. Distributed environments bring with them the possibility that a malicious third party can perpetrate a computer crime by tampering with data as it moves between sites.
In a data modification attack, an unauthorized party on the network intercepts data in transit and changes parts of that data before retransmitting it.
An example of this is changing the dollar amount of a banking transaction from $100 to $10,000.
In a replay attack, an entire set of valid data is repeatedly interjected onto the network. An example would be to repeat, one thousand times, a valid $100 bank account transfer transaction.
c. Data Theft
Term used to describe when information is illegally copied or taken from a business or other individual. Commonly, this information is user information such as passwords, social security numbers, credit card information, other personal information, or other confidential corporate information. Because this information is illegally obtained, when the individual who stole this information is apprehended, it is likely he or she will be prosecuted to the fullest extent of the law.
2. Network Crime
a. Network Interferences
Interfering with the functioning of a computer network by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing network data.
b. Network Sabotage
'Network Sabotage' or incompetent managers trying to do the jobs of the people they normally are in charge of? It could be the above alone, or a combination of things. But if Verizon is using the help of the children, hindering first responders line then they might be using network problems as an excuse to get the federal government to intervene in the interest of public safety. Of course if the federal government forces these people back to work what is the purpose of unions and strikes anyway.
3. Access Crime
a. Unauthorized Access
"Unauthorized Access" is an insider‘s view of the computer cracker underground. The filming took place all across the United States, Holland and Germany. "Unauthorized Access" looks at the personalities behind the computers screens and aims to separate the media hype of the 'outlaw hacker ' from the reality.
b. Virus Dissemination
Malicious software that attaches itself to other software (virus, worms, Trojan Horse, Time bomb, Logic Bomb, Rabbit and Bacterium are examples of malicious software that destroys the system of the victim).
4. Related Crimes
a. Aiding and Abetting Cyber-crimes
There are three elements to most aiding and abetting charges against an individual.
The first is that another person committed the crime. Second, the individual being charged had knowledge of the crime or the principals' intent. Third, the individual provided some form of assistance to the principal. An accessory in legal terms is typically defined as a person who assists in the commission of a crime committed by another or others. In most cases, a person charged with aiding and abetting or accessory has knowledge of the crime either before or after its occurrence. A person who is aware of a crime before it occurs, and who gives some form of aid to those committing the crime, is known in legal terms as an "accessory before the fact." He or she may assist through advice, actions, or monetary support. A person who is unaware of the crime before it takes place, but who helps in the aftermath of the crime, is referred to as an "accessory after the fact."
b. Computer-Related Forgery and Fraud: Computer forgery and computer-related fraud constitute computer-related offenses.
c. Content-Related Crimes: Cyber sex, unsolicited commercial communications, cyber defamation and cyber threats are included under content-related offenses.
The total cost paid by victims of these attacks is in the millions of millions of dollars per year, a significant amount, enough to change the state of un-developed or under-developed countries to developed countries. (Panda et al. 2012)
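The data modification and replay attacks described under Data Crime above are countered by authenticating every message and refusing duplicates. The following Python code is an added example, not part of the paper or its sources: a receiver verifies an HMAC over each transfer and tracks nonces inside a freshness window. The key, account names, field names and the 300-second window are assumptions, and the messages are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real deployment provisions a secret per channel.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300  # assumed freshness window


def sign_transfer(key, src, dst, amount_cents, now=None):
    """Sender side: serialise the transfer with a nonce and timestamp, then MAC it."""
    body = {
        "src": src,
        "dst": dst,
        "amount_cents": amount_cents,
        "nonce": secrets.token_hex(16),
        "ts": int(now if now is not None else time.time()),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


class TransferReceiver:
    """Receiver side: accept a transfer only if it is authentic, fresh and unseen."""

    def __init__(self, key, max_age=MAX_AGE_SECONDS):
        self._key = key
        self._max_age = max_age
        self._seen = {}  # nonce -> message timestamp
        self.ledger = []

    def accept(self, message, now=None):
        now = int(now if now is not None else time.time())
        payload = message["payload"].encode()

        # 1. Integrity: any change to the payload changes the expected MAC.
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["mac"]):
            return "rejected: bad MAC"

        body = json.loads(payload)

        # 2. Freshness: old captures are refused, which bounds the nonce cache.
        if abs(now - body["ts"]) > self._max_age:
            return "rejected: stale timestamp"

        # 3. Uniqueness: a valid message is honoured once only.
        self._seen = {n: t for n, t in self._seen.items()
                      if now - t <= self._max_age}
        if body["nonce"] in self._seen:
            return "rejected: replayed nonce"
        self._seen[body["nonce"]] = body["ts"]

        self.ledger.append((body["src"], body["dst"], body["amount_cents"]))
        return "accepted"


def demo():
    """Run the paper's two scenarios against the receiver (constructed messages)."""
    rx = TransferReceiver(SHARED_KEY)
    t0 = 1_700_000_000
    msg = sign_transfer(SHARED_KEY, "acct-A", "acct-B", 10_000, now=t0)  # $100.00

    results = [rx.accept(msg, now=t0 + 1)]

    # Data modification: the amount is changed from $100 to $10,000 in transit.
    tampered = dict(msg, payload=msg["payload"].replace(
        '"amount_cents":10000', '"amount_cents":1000000'))
    results.append(rx.accept(tampered, now=t0 + 2))

    # Replay: the same valid $100 transfer is injected again.
    results.append(rx.accept(msg, now=t0 + 3))

    # Replay after the freshness window has passed.
    results.append(rx.accept(msg, now=t0 + 3600))
    return results, rx.ledger


if __name__ == "__main__":
    outcomes, ledger = demo()
    for line in outcomes:
        print(line)
    print("ledger:", ledger)
```

The MAC alone stops the changed amount but not the repeated transfer, since a replayed message is still authentic; the nonce and timestamp checks are what limit each valid transfer to one posting.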
Furthermore, this is the U.S. Government's take on any definition of cyber-crime. The U.S. government does not appear to have an official definition of cyber-crime that distinguishes it from crimes committed in what is considered the real world. Similarly, there is not a definition of cyber-crime that distinguishes it from other forms of cyber threats, and the term is often used interchangeably with other Internet- or technology-linked malicious acts. Federal law enforcement agencies often define cyber-crime based on their jurisdiction and the crimes they are charged with investigating. And, just as there is no overarching definition for cyber-crime, there is no single agency that has been designated as the lead investigative agency for combating cyber-crime. (Finklea, K. & Theohary, C., 2013)
Cost Basis Analogy
To really get an understanding of the cost of cyber-crimes it is necessary to use some analogies where costs have already been calculated to provide an idea of the extent of the problem, permitting the setting of rough estimates (a top and a bottom) for the cost of malicious cyber activity, by comparing it to other types of crime and loss.
• Automobile accident: One way to consider the costs of malicious cyber-crime is that people accept the cost of automobile accidents in exchange for the convenience of automobiles; likewise they may accept the cost of cyber-crime and espionage in exchange for the pluses of doing business with information technology. The Center for Disease Control estimated the cost of car crashes in the US at $99 billion in 2010. The American Automobile Association estimated the 2010 cost at $168 billion. (Center for Strategic and International Studies, July, 2013)
• Piracy: A weakly governed space where criminals have control describes some oceanic regions as well as the internet. The International Maritime Bureau estimated the annual cost of piracy as somewhere between $1 billion and $16 billion in 2005 (cyber is not the only field where estimation is difficult). To put these figures in context, the annual value of maritime trade in 2005 was $7.8 trillion, which means piracy costs equaled at most 0.02 percent of the total. (Center for Strategic and International Studies, July, 2013)
• Pilferage: Companies accept rates of “pilferage” or “inventory shrinkage” as part of the cost of doing business. For retail companies in the US, this falls between 1.5% and 2.0% of annual sales—one 2008 estimate put pilferage losses at 1.7%. Using a “pilferage” approach that assumed the same rate of loss for malicious cyber activity would put the upper limit somewhere between 0.5% and 2% of national income. For the US, this would be $70 billion to $280 billion. A central problem for the “pilferage theory,” however, is that many companies do not know the extent of their losses, leading them to make decisions about what is an acceptable loss based on inadequate information. (Center for Strategic and International Studies, July, 2013)
• Crime and Drugs: One frequently heard comparison is that malicious cyber activity is more lucrative than the drug trade. This begs the question of whether we know the drug trade’s value. In 2012 the UN Office on Drugs and Crime estimated the cost of all transnational organized crime as $870 billion, or 1.2% of global GDP. It estimated $600 billion of this figure came from illegal drug trafficking. If cyber losses also cost the same share of global GDP, the cost could be more than $600 billion. (Center for Strategic and International Studies, July, 2013)
The trend here is one that it is difficult to estimate what the losses are because no one knows what the extent of the losses could be. This also leads to someone setting what they think is an acceptable loss that is using data that is not 100% correct. This will lead to those that are setting these parameters to be tempted to set them in a way that will benefit them, whether that is for job security or possibly in a monetary manner. This could also be grouped into the cyber-crime realm because they would be utilizing the cyber-crime excuse for their benefit.
Does it really cause Harm?
Assuming that “tolerated costs” from malicious cyber-crime fall into the same range as automobile accidents, pilferage, and drugs creates a “ceiling” for estimated loss. It is suggested that, at most, cyber-crime and cyber espionage could cost less than 1% of GDP. For example, losses may reach $100 billion every year in the US as an estimate. To put this in perspective, annual expenditures on research and development in the US are $400 billion a year and $100 million in stolen IP does not translate into $100 million in gain for the acquirer (Center for Strategic and International Studies, July, 2013).
One challenge lies in calculating the price to national security and the damage it could cause. Theft of military technology could affect nations that are less secure by fortifying likely threats or damaging export markets in aerospace, advanced materials, or other high-tech products. There is a relationship connecting cyber-crime intended for commercial targets and cyber-crime intended for military technology. It is often the same players chasing an arena that encompasses both military as well as commercial sources. You can increase cyber attack capabilities by being involved in cyber-crime. The monetary value cannot be accurately assessed by the loss in military technology but it can be said that cyber-crime alters the conditions to favor foreign competitors.
The effect of malicious cyber-crime on jobs needs additional investigation. The Commerce Department estimated in 2011 that $1 billion in exports equaled 5,080 jobs. This means that a high estimate of $100 billion in losses from cyber-crime would translate into 508,000 lost jobs. While this amounts to a third of a percent drop in jobs, it is not the “net” loss because many of those workers will find jobs elsewhere. The real question is whether the lost jobs are in high paying or manufacturing sectors. If workers who are uprooted by cyber-crime are unable to find jobs that pay just as well or better, the affected country would be worse off. The effect of cyber-crime could be to relocate workers from high paying manual labor jobs into lower paying jobs or unemployment.
Estimation Steps
Assigning a number to the cost of cyber-crime and cyber espionage is the goal, but the real issue is the effect on trade, technology, and competitiveness. Responding to these queries will help by putting the problem into context. Despite the fact that the cost of cyber-crime and cyber espionage to the world market is possibly in the billions of dollars annually, the dollar total, large as it may be, probably does not reflect the true damage to the world economy. Cyber espionage and crime possibly slow the pace of modernization, distort trade, and produce social costs from job loss. This greater outcome may be more essential than any tangible figure.
What is cyber-crime?
A very good question, and in all the research there are many different answers that can be used, and all of them are effective in their own ways.
Cyber-crime is most commonly understood as involving an attack on the confidentiality, integrity and accessibility of an entity’s online/computer presence or networks. The IOSCO Research Department tentatively defines 'Cyber-Crime' as: a harmful activity, executed by one group (including both grassroots groups or nationally coordinated groups) through computers, IT systems and/or the internet and targeting the computers, IT infrastructure and internet presence of another entity. An instance of cyber-crime can be referred to as a cyber-attack.
There is some contention and ambiguity around exactly what activities fall under the classification of cyber-crime, however generally cyber-crime can be categorized as follows:
Traditional crimes e.g. fraud, forgery, which are now committed via electronic networks and information systems;
Publication of harmful, illegal or false information via electronic media;
New crimes that have emerged due to the unique opportunities presented by the internet e.g. denial of service, hacking;
And ‘platform crimes’ which use computer and information systems as a platform for performing other crimes e.g. use of botnets. (Tendulkar, 2013)
Cyber-crime Review
Before exploring the diverse criminological theories that have been useful in the cyber-crime studies used to assist with this paper, a better understanding of cyber-crime would be helpful. It is practical to list the types of laws that have been passed to help clarify what cyber-crime is and the jurisdiction it falls under. This in turn helps us gain a more informed perception of cyber-crime and what forms of crimes should be listed with the label of cyber-crime. Together with the brief knowledge of cyber-crime legislation, it is also important to look at what enforces and battles this problem. Gaining a brief understanding of cyber law enforcement allows for insight into how the crime is being addressed, which leads to improved insight into the problem. Lastly, it is vital to have an understanding of the exact impact of the crime by looking at the levels of cyber-crime among businesses and individuals.
Cyber-crime Legislation
The widespread use of computers and the internet has led to new and expanded forms of crime, resulting in the need for new legislation. These new types of crime have left governments and law enforcement agencies with many questions. How does one define what cyber activities are legal and what activities are illegal? How does one enforce cyber laws when the relationship between the victim and the offender is often purely virtual? The internet allows people to interact with each other across borders, so whose jurisdiction is it? The Federal Government and the various state governments have all attempted to address these issues. (Grzybowski, 2012) These are all very good questions, each with its own challenges. It becomes increasingly difficult to define which cyber activities are legal and which ones are not because of how fast the internet evolves. By the time cyber activities are defined as legal or illegal there are numerous new ones that need to be defined. Then there is the purely virtual relationship between the victim and the offender, which makes it difficult to enforce any type of law. The enforcement of laws has always relied on a close interaction between victim and offender, but with the advent of the internet law enforcement has been forced to evolve as well. If that is not hard enough, there is also the issue of jurisdiction and where the two parties are located. The victim could be located in Florida and the offender could be located in Germany, and that causes numerous issues with jurisdiction. It could also elevate to the level of an international incident if high profile personnel are involved. All of these questions have to be addressed on the world level for any progress to take effect and for everyone to be on the same page.
Federal Law
In order to fight the mounting cyber-crime issue, the U.S. Government has instituted laws to address many cyber-crimes including, but by no means limited to, computer intrusions, cyber-terrorism, and copyright infringements. These crimes cover three victim areas which include the government, the business, and the individual. The rationale of these laws is to help characterize what cyber activity is and is not illegal. The jurisdiction of these various crimes will also be established by these laws. The main focus of all laws in this paper will be U.S. based with some international laws being looked at. The Federal government has developed laws to deal with many cyber-crime issues including computer intrusions. Individuals, businesses, and the government can all be victimized by cyber intrusions. The federal law that deals with computer intrusions, which includes crimes such as hacking, viruses, and malware, comes primarily from Title 18 U.S. Code § 1030. This law defines computer intrusions as an illegal computer activity. In order to fall under this federal law, the computer being intruded must fall under federal jurisdiction, which means that the computer must be used by either a financial institution or government agency or be used in interstate or foreign commerce. This helps alleviate questions of jurisdiction by defining the types of computers that fall under federal jurisdiction. Federal jurisdiction for prosecuting computer intrusions against computers used by the government and financial institutions comes from Title 18 U.S. Code § 1030. (Grzybowski, 2012) Establishing that the computer that suffered an intrusion must be under federal jurisdiction is the first step in being able to combat cyber-crime in the U.S. Another cyber-crime issue that has been addressed by Federal law is cyber-terrorism. Federal cyber-crime law dealing with terrorism is based primarily in Title 18 U.S. Code § 2331.
Under Title 18, terrorism is defined as “acts dangerous to human life that violate the criminal laws of the United States; appear to be intended to intimidate or coerce a civilian population…occur primarily within the territorial jurisdiction of the United States.” Terrorists can use computers to perform acts which might be harmful or intimidate individuals and when this is the case, the Federal government has jurisdiction. According to Gordon and Ford, computers can perform important functions for terrorists above and beyond being potential targets (2002). Terrorists’ computer usage is an important issue facing governments around the world. Terrorism is an important issue facing governments today and under United States Federal law, cyber-terrorism falls under the jurisdiction of the Federal government. (Grzybowski, 2012) This designation is one that really defines cyber-terrorism because when the word terrorism is mentioned, most view the acts like the bombings of the U.S. Embassy in Benghazi, the attacks of 9/11 or the attack on the USS Cole. One thing that all of these acts of terrorism have in common is that they had results that could be seen, the destruction and the casualties. Cyber-terrorism on the other hand doesn’t have such visible results. The United States government has also developed laws to deal with issues of copyright infringement. Federal copyright law can be found in several statutes. Title 18 U.S. Code § 2319 makes it “a crime for someone willfully to infringe a copyright (a) for purposes of commercial advantage or private financial gain.” This law establishes that copyright infringement falls under the Federal government’s jurisdiction. The Digital Millennium Copyright Act makes it illegal to “circumvent measures used to protect copyrighted works…to tamper with copyright management information.” Computers have made it easier to engage in acts that violate copyright law, such as illegally downloading music and software.
This law makes acts that violate copyright law illegal and gives the Federal government jurisdiction for the investigation and prosecution of this crime. (Grzybowski, 2012) One of the areas affected the most by cyber-crime is the entertainment industry and this law is one that aids them in their fight against all the copyright infringement that occurs. Technology has benefitted the entertainment industry by making it easier to get their product out but it also made it easier for entertainment pirates to steal that product for their own monetary gain. Summing up the Federal Laws, laws are in constant flux and are formulated to address existing concerns facing governments or organizations. The advancement and increase of cyber-crimes since the inception of the internet has forced the Federal government to deal with concerns associated with cyber intrusion, terrorism, and the violation of copyright law. These kinds of crimes are placed under the Federal government’s jurisdiction to investigate and prosecute. As cyber-crime continues to increase, there will be a need for additional laws to be created that will address the issues that computer usage presents.
State Law
The United States is unique compared to the rest of the world in that we fall under one government but each state is almost treated like a country of its own. So it goes without saying that State law needs to be addressed as well. Each state has its own cyber-crime legislation defining what is and is not considered a cyber-crime, making it difficult to comprehensively review current state level laws dealing with cyber-crime. State governments have developed different laws to deal with many cyber-crime issues including, but not limited to, computer intrusions and computer fraud. (Grzybowski, 2012) With there being fifty different states that could mean that there are fifty different laws, but in most cases when it comes to laws, the states will try to be as close to federal law as possible. One cyber-crime issue that states have addressed is cyber intrusions that occur on computers that are not used by the government or financial institutions. Both businesses and individuals can be potential targets for cyber intrusions. According to Brenner, all states have some provision which prohibits computer intrusions such as hacking; however, states have varying definitions of what defines simple hacking (2004). While lawmakers realize the dangers of computer intrusions, they do not agree on what constitutes computer intrusions. Brenner defines simple hacking as, “unauthorized access to a computer or computer system” (2004). However, according to the Arizona Revised Statutes § 13-2316 this is called computer tampering and involves, “Accessing, altering, damaging or destroying any computer, computer system or network.” States can have varying ideas as to what to include under the definition of computer intrusions. Each state has made decisions about what to include in legislation aimed at defining and combating cyber-crime. (Grzybowski, 2012) The states have taken steps to address the types of cyber intrusions that the federal government did not.
The federal government claimed jurisdiction over computers that are used by the government or financial institutions so the states claim jurisdiction over computers that are not used in those categories. That should help cover as many of the crimes as possible, but with technology evolving as it does that will be an ever changing category. Another cyber-crime issue that states have needed to address is computer fraud, which can affect both businesses and individuals. Like computer intrusions, lawmakers have differed on how they define and classify computer fraud. A few states make this type of fraud its own crime. These states view computer fraud as its own type of offense separate from other types of fraud and other computer crimes. Other states, according to Brenner “simply include using a computer to commit fraud in their basic aggravated hacking statute.” These states include various cyber-crimes under one statute or offense category. Various states have taken different positions on how to define and classify cyber fraud. (Grzybowski, 2012) This just adds to the fact of how difficult cyber-crime is to define and combat. As stated, some states have made computer fraud its own crime, and if we were to do that for each crime then there would be an infinite number of laws on the books. Summing up the State Law, the advancement and increase of cyber-crimes since the inception of the internet has forced the different individual state governments in the U.S. to make laws that will deal with concerns related to cyber intrusion and fraud. The investigation and prosecution of these types of crimes would fall under the jurisdiction of each individual state government. Even with the laws between states differing, law makers in every state understand that cyber-crime legislation is a significant concern which needs to be dealt with.
Whether it is at the state or at the federal level, legislators across the United States have developed legislation to address various types of cyber-crime. These laws help to define offenses and allow law enforcement agencies jurisdiction to combat these crimes. This section has briefly reviewed a few types of legislation that have been passed in response to the growing threat of cyber-crime and cyber-crime victimization. (Grzybowski, 2012) There are numerous crimes that are labeled with the tag “cyber-crime”, for example hacking, denial of service, software piracy, online pornography, and many others, making it more complicated to study cyber-crime. Researchers have discussed at length how cyber-crimes should be categorized and not all have been in agreement. Generally cyber-crimes can be placed into three categories. First, crimes in which a different computer is the focal point of a crime. Second, crimes in which a computer is used to carry out a crime. Third, crimes in which a computer is an incidental aspect of the commission of the crime.
Economic Impact
The 2011 Norton Cyber-crime report disclosed that over 74 million people in the United States were victims of cyber-crime in 2010. These criminal acts resulted in $32 billion in direct financial losses. Further analysis of this growing problem found that 69 percent of adults that are online have been victims of cyber-crime resulting in 1 million cyber-crime victims a day. Many people have the attitude that cyber-crime is a fact of doing business online! (Panda et al., 2012) Those numbers are astonishing to say the least but the fact that a great number of people have adopted the attitude that cyber-crime is a part of online business is even more astonishing. People have the tendency to adapt to just about anything but for them to adapt to the fact of being victimized is unexplainable. A person wouldn’t stand by and watch their home be victimized.
As today’s consumer has become increasingly dependent on computers, networks, and the information these are used to store and preserve, the risk of being subjected to cyber-crime is high. Some of the surveys conducted in the past have indicated as many as 80% of the companies surveyed acknowledged financial losses due to computer breaches. The approximate number impacted was $450 million. Almost 10% reported financial fraud. Each week we hear of new attacks on the confidentiality, integrity, and availability of computer systems. This could range from the theft of personally identifiable information to denial of service attacks. (Panda et al., 2012) With businesses acknowledging financial loss as a result of computer breaches does that lead to them accepting those losses? One would hope not.
As the economy increases its reliance on the internet, it is exposed to all the threats posed by cyber-criminals. Stocks are traded via internet, bank transactions are performed via internet, purchases are made using credit card via internet. All instances of fraud in such transactions impact the financial state of the affected company and hence the economy. (Panda et al., 2012) Putting so much trust in something that seems to be that vulnerable is a big risk but one that the companies seem to want to take. In the long run they have to determine if it is really worth it for them to accept those losses and that is when the management gets involved. How much do they involve the consumer on these decisions? Probably not very much.
The disruption of international financial markets could be one of the big impacts and remains a serious concern. The modern economy spans multiple countries and time zones. Such interdependence of the world's economic system means that a disruption in one region of the world will have ripple effects in other regions. Hence any disruption of these systems would send shock waves outside of the market which is the source of the problem. (Panda et al., 2012) The U.S. is one of the major players in the international market and anything that seriously affects its economy would have a worldwide effect. Just take the recent government shutdown for example; the whole world was closely watching how it would play out because of how it would touch their part of the world and their economy. That is a very hefty responsibility or burden, depending on how you want to look at it, but one that needs to be closely watched.
Productivity is also at risk. Attacks from worms, viruses, etc. take productive time away from the user. Machines could perform more slowly; servers might be inaccessible, networks might be jammed, and so on. Such instances of attacks affect the overall productivity of the user and the organization. It has customer service impacts as well, where the external customer sees it as a negative aspect of the organization. (Panda et al., 2012) With the speed that the internet allows everyone access to information, to buy and sell things, having the productivity affected can be devastating to a company and the customer. Everyone has gotten so acclimated to that speed that when they experience any type of performance slowdown they react like it is the end of the world. Take the recent launch of the new healthcare.gov: it launched on October 1, 2013 and the website has had nothing but issues and it seems like every news agency is blowing it out of proportion. I won’t get into how the politicians are reacting to this but it shows how everyone can react.
In addition, user concern over potential fraud prevents a substantial cross-section of online shoppers from transacting business. It is clear that a considerable portion of e-commerce revenue is lost due to shopper hesitation, doubt, and worry. These types of consumer trust issues could have serious repercussions and bear going into more detail. (Panda et al., 2012)
Market Value Impact
The economic impact of security breaches is of interest to companies trying to decide where to place their information security budget as well as for insurance companies that provide cyber-risk policies. For example, a ruling in favor of Ingram Micro stated that “physical damage is not restricted to physical destruction or harm of computer circuitry but includes loss of use and functionality.” This new and evolving view of damage becomes even more important as many firms rely on information systems in general and the Internet in particular to conduct their business. This precedent may force many insurance companies to compensate businesses for damage caused by hacker attacks and other security breaches. As the characteristics of security breaches change, companies continually reassess their IS environment for threats. In the past, CIOs have relied on FUD—fear, uncertainty, and doubt—to promote IS security investments to upper management. Recently, some insurance companies created actuarial tables that they believe provide ways to measure losses from computer interruptions and hacker attacks. However, these estimates are questionable mostly due to the lack of historical data. Some industry insiders confess that the rates for such plans are mostly set by guesswork. As cited: “These insurance products are so new, that the $64,000 question is: Are we charging the right premium for the exposure?” Industry experts cite the need for improved return on security investment (ROSI) studies that could be used by insurance companies to create “hacking insurance,” with adjustable rates based on the level of security employed in the organization and by the organization to justify investments in security prevention strategies. (Panda et al., 2012) With all of the things that can affect this you would believe that companies have to put into their budget how to combat and prepare for cyber-crime and with that the need for insurance arises.
Depending on the size of the company, a comprehensive assessment of every aspect of the IS environment may be too costly and impractical. IS risk assessment provides a means for identifying threats to security and evaluating their severity. Risk assessment is a process of choosing controls based on the probabilities of loss. In IS, risk assessment addresses the questions of what is the impact of an IS security breach and how much will it cost the organization. However, assessing the financial loss from a potential IS security breach is a difficult step in the risk assessment process for the following reasons:
1. Many organizations are unable or unwilling to quantify their financial losses due to security breaches.
2. Lack of historical data. Many security breaches are unreported. Companies are reluctant to disclose these breaches due to management embarrassment, fear of future crimes, and fear of negative publicity. Companies are also wary of competitors exploiting these attacks to gain competitive advantage.
3. Additionally, companies may be fearful of negative financial consequences resulting from public disclosure of a security breach. Previous research suggests that public news of an event that is generally seen as negative will cause a drop in the firm’s stock price. (Panda et al., 2012)
Risk assessment can be performed using traditional accounting based measures such as the Return on Investment (ROI) approach. However, ROI cannot easily be applied to security investments. To justify investment in IS security, CIOs will need to (1) present evidence that the costs of a potential IS security problem outweigh the capital investment necessary to acquire such a system and, (2) prove the expectation that the IS security system’s return on investment will equal or exceed that of competing capital investment opportunities. This is difficult to accomplish since if the security measures work—the number of security incidents is low and there are no measurable returns. Accounting-based measures such as ROI are also limited by the lack of time and resources necessary to conduct an accurate assessment of financial loss. Instead, companies’ IT resources are devoted to understanding the latest technologies and preventing future security threats. In addition, potential intangible losses such as “loss of competitive advantage” that result from the breach and loss of reputation are not included because intangible costs are not directly measurable. (Panda et al., 2012) Everything that you do in business has to have a risk assessment done. Knowing what the consequences could be will aid in making better decisions and coming up with a plan of action. Having a well thought out and effective risk assessment plan is key for the business being successful.
Therefore, there is a need for a different approach to assess the risk of security breaches. One such approach is to measure the impact of a breach on the market value of a firm. A market value approach captures the capital market’s expectations of losses resulting from the security breach. This approach is justifiable because often companies are impacted more by the public relations exposure than by the attack itself. Moreover, managers aim to maximize a firm’s market value by investing in projects that either increase shareholder value or minimize the risk of loss of shareholder value. Therefore, in this study we elected to use market value as a measure of the economic impact of security breach announcements on companies. (Panda et al., 2012) The need to be fluent and able to adapt to the always evolving cyber world has become a must and unlike the days before the internet they can’t be stagnant. As we evolve as a society we know this, just as we evolved with the industrial revolution we have to evolve now.
Consumer Trust Impact
Given that cyber-attackers infringe into others’ space and tear down the logic of the page, the end customer visiting the page in question will be annoyed and disheartened to use that site on a long-term basis. The site in question is labeled a shame, while the criminal behind the unseen assault is not acknowledged as the main reason. This shakes the customers’ confidence in the internet and all that it can provide along with its strengths.
According to reports sponsored by the Better Business Bureau Online, over 80% of online shoppers cited security as a primary worry when conducting business over the Internet. About 75% of online shoppers terminate an online transaction when asked for the credit card information. The perception that the Internet is rife with credit card fraud and security hazards is growing. This has been a serious problem for e-commerce. (Panda et al., 2012) Those are very high percentages and as an online shopper, one of the items that one should also look for is that the site has some form of secure checkout system. That does not mean that the site is completely secure but the added security makes it that much more difficult for someone to gain access.
Making matters worse, consumer opinion of fraud normally turns out to be worse than it truly is. Consumer opinion can be just as influential - or detrimental - as truth. Therefore users’ apprehension over fraud stops many online shoppers from conducting business. Unease over the reliability of an e-business in terms of being unsafe or disorderly makes a shopper unwilling to complete business. Even the smallest amount of a security risk or unprofessional business practice greatly endangers likely business.
National Security, an area Ripe for Exploitation
The current military of nearly every country relies greatly on superior computers. Information Warfare, or IW, as well as network attack, misuse, and defense, are not new national security challenges, but since 9/11 they have achieved some further meaning. IW is attractive because it can be inexpensive, extremely successful and offer deniability to the assailant. It can simply spread malware, forcing networks to crash and spread false information. Since there is more focus on non-information warfare, information warfare is certainly ready for exploration.
Ninety percent of the security systems on the Internet are bad and 10 percent are first-class. When criminals find systems that are easy to break into, they merely break into them. All the bad guys use IT to arrange and implement their criminal actions. The rise in global contact and the extensive reach of IT has eased the increase of crime and terrorism. Because of advanced communication technology, people don’t need to be in the same place or country to carry out such crime. That's why terrorists and criminals can discover security vulnerabilities in the system and can operate from strange areas without having to be in their country of residence.
Many of these similar crimes have found their origins in developing countries. The extensive criminal activities in these countries increase the frequency of these security hacks. Fraudulent bank transactions, money transfers etc. via the internet have facilitated such crimes. Superior encryption technology is assisting with the protection of these criminal activities.
How well does crime pay
Extorting value from computers of innocent businesses and government agencies is a thriving industry. The magnitude of any loss, still, is the focus of strong debate. Is this what one senior official called “the greatest transfer of wealth in human history,” or is it what a leading economist called a “rounding error in a fourteen trillion dollar economy” (Center for Strategic and International Studies, July, 2013)?
Cyber-crimes directed at banks and other financial organizations most likely cost countless hundreds of millions of dollars annually. Intellectual assets and business-classified information cyber-crime in all probability costs developed countries billions of dollars—how many billions is a question that will need to be answered. Could these losses just be the cost of conducting business or could they be a significant new risk for companies and countries as these unlawful purchases harm world financial competitiveness and weaken technological gain?
Earlier guesses of the yearly losses to businesses from cyber-crime show an astonishing disparity, varying from a few billion dollars to hundreds of billions. The broad scale of guessing reveals the trouble of gathering data. Businesses hide their losses with some not even aware of what they have lost. Intellectual goods are difficult to price as real property and estimates are frequently based on guesses or surveys. These challenges come together to leave some earlier guesses open to question.
The price of criminal cyber activity entails more than the loss of monetary possessions or intellectual assets. There are opportunity expenses, harm to name and reputation, buyer losses from fraud, the opportunity expenses of service troubles, “cleaning up” after cyber attacks, and the increased cost going toward cyber security. Each of these groups must be approached cautiously, but together, they help us measure the cost to economies. In most cases the U.S. has been used as the model. This illustrates, above all else, the reality that data is more accessible from U.S. sources.
In a perfect world, combining the various issues would be simple; unfortunately, this is not possible. The data is incomplete due to all the different types of cyber-crime. By definition data collection is complicated already. With that knowledge, should cyber-crime incorporate all crimes committed via cyber means or just crimes that could only be accomplished with cyber tools, excluding crimes that in other circumstances would have been committed with what would be categorized as traditional criminal means? One way to categorize this is to think, if the internet didn’t exist, would this crime have taken place?
Two essential conditions shape this broad examination. The first is trying to guess “net” loss, which is of real significance for guessing the cause of a temporary disruption of service. A shop taken offline for a day could lose $10,000, but if their clients wait or shop somewhere else, the net loss to the economy could see little change. The second is using market values instead of a value determined by the victim. An organization could spend billions of dollars on research, but it is the projected results of the research that decides the value, not the expenditure.
A rough guess? Losses to the U.S. (where data is most accessible) could top $100 billion yearly. The price of cyber-crime and cyber espionage to the world market is some multiple that is likely calculated in hundreds of billions of dollars. To put this in perspective, the World Bank says that global GDP was about $70 trillion in 2011 (Center for Strategic and International Studies, July, 2013). A $300 billion loss—in addition to losses that are most likely in this area—is about four tenths of one percent of the world income. But this apparently insignificant total uncovers numerous key questions about the full benefit to everyone and the harm to the victims from the overall effect of constant losses in cyberspace. The question of the cause and penalty of the loss is more vital than any real figure.
A review of other studies is a very good way to gain an understanding of the problem. Take the 2010 estimate by a German company security association that reviewed losses of intellectual assets in Germany and puts them at a minimum of possibly $24 billion (mainly, but not all, from cyber-crime). Given that the U.S. GDP is nearly five times that of Germany, a very rough guess would estimate the size of the German loss on the larger U.S. market and put a higher jump for U.S. losses at $120 billion. A different report, broadly questioned, put the price to the UK at $27 billion. These statistics symbolized about 2% of UK’s GDP and would convert into about $280 billion for the U.S. Three quarters of these losses were ascribed to losses of intellectual property by companies, based on a series of projections and assumptions about IP valuation that others questioned (Center for Strategic and International Studies, July, 2013).
Some earlier guesses of the cost of cyber-crime used surveys, which are infamously inaccurate unless very cautiously built. Reviewing a few companies or even a few hundred companies and then guessing the costs from their answers is a risky methodology. There are major variations among financial sectors in susceptibility. There are guidelines for choosing a test size and assortment, but flawed samples are a frequent mistake with surveys. Many earlier studies use a model populace that is too minute to feel confident in the outcome. One general dilemma with cyber security surveys is that those who answer the questions “self-select” and it is hard to tell if their experience was similar to those who opted not to respond. Businesses that have hidden huge losses, for example, might elect not to react, setting up a potential basis of misrepresentation into the survey.
Cyber-Crime Evolution
Recently, cyber-crime has developed into a progressively more sophisticated act, making it increasingly complex to fight, identify and lessen. A fairly new class of cyber-attack that is on the rise is particularly disturbing. Advanced Persistent Threat (APT) is how this new class is referred to.
The costs of cyber-crime to the world so far may already be extensive. Some studies cite figures as high as $388 billion or $1 trillion (Tendulkar, 2013). Although these elevated figures are arguable due to lack of accuracy when it comes to reporting all the costs involved, a mounting number of sophisticated cyber-attacks, lofty monetary losses sustained, and other real-world signs imply an impending prevalent impact.
Trends of the Future
One of the major issues is a break-in at a critical government system, a company, a financial institution and so on. This might result in malware in vital systems, leading to data loss, misuse or even the destruction of those vital systems. Given that communication flows effortlessly via the internet, crime organizations could combine and collaborate even more than they do at present.
The apprehension is that because of improved mobility, funds and people could transfer easily. The Internet is more and more likely to be used for money laundering. As the Internet transforms into the standard through which more and more global trade occurs, the chances for laundering money through over-invoicing and under-invoicing will likely increase. Online auctions present related openings to transfer money via apparently valid transactions, except with higher prices for goods than they are worth. Online gambling is another method that makes it feasible to transfer money particularly to offshore financial centers.
Recruitment into crime agencies over the internet will be easier than before. Secret messages can be transferred over the internet to a large group of people very easily without being conspicuous. (Panda et al., 2012)
Since a great deal of IT businesses are privately owned, the spotlight would be on ensuring that the customer is satisfied as opposed to worrying about international crime. Additionally, valid civil freedoms could be argued in support of not keeping an eye on IT. All of these things make dealing with cyber-crime more complicated.
Enhanced social engineering attacks will be the trend in the foreseeable future. Cyber criminals will more and more make use of social-engineering methods to bypass hi-tech security controls, enhancing their methods to take advantage of natural human tendencies. This moves us closer to erasing the line between external and internal threat agents, because social engineering will permit external criminals to rapidly gain an internal vantage point regardless of conventional boundary security measures.
Social media will offer the stage for cyber-crimes. More businesses will take on social media as the main facet of their advertising approach. They will have difficulty balancing the need to be active in online social communities against the compliance and legal risks related to such activities. Equally, businesses will have a difficult time calculating the online social networking activities of their users. Cyber criminals will continue to take advantage of the constantly evolving nature of online social networking safety practices to deceive people and businesses. Security vendors will position their products as a means of solving all these problems; some of them will stand out by allowing businesses to manage and check online social networking activities little by little, while being wary of users’ privacy expectations.
People are the weakest link; no matter how technology evolves cyber criminals know they can always break into an employee’s system. In 2012 and 2013 these cyber criminals will only grow in complexity and numbers. Cyber criminals will take the road with the least resistance every time because that is a benefit to them. Businesses and management will in the end start doing something about it to secure people.
It is a sensitive issue for people relying on iPhones for their day-to-day work, even without issuing a dire warning that some worm will eat all the iPhones and convert the Androids to bricks. However, the biggest issue seems to be apps with spyware. Even the apps that come loaded on the phone are likely to phone home; it is a sure thing with 3rd party apps. AT&T has proved they cannot be trusted by signing their customers up for Asurion road side assistance without even asking them. And it matters big time. (Panda et al., 2012) As all the research shows, every company is concerned about cyber-crime, but because of the nature of technology and the ease of using information technology to get apps, software and so on, it is very hard to stop cyber criminals.
Memory scraping will become more common in the coming time. This technique has been around for a long time, but of late it is more aggressively targeting data such as credit card records, passwords, PINs, and keys. The reason these attacks are successful is that they get around PCI/GLBA/HIPAA/etc. security requirements that data must be encrypted while in transit and at rest. Data in transit is decrypted on the system and often stored in memory during the lifetime of a process, or at least during a decryption routine. Depending on how a process cleans up after itself, the data may stay resident even after the fact. The data is encrypted on the hard disk, but again, the RAM likely maintains the clear-text version of the data. Browsers are notorious for leaving things sitting around in memory during web sessions. RAM scraping malware also targets encryption keys in memory to decrypt anything from session data to encrypted files. As for the emerging security threat, we are seeing RAM scraping more commonly now as attackers focus on client-side attacks, shifting away from server-side attacks. Browsers are often misconfigured, allowing malware to get onto a user’s system and steal credit card data and passwords. These thefts are mostly an annoyance: if a customer or fraud department detects fraudulent transactions, the account must be credited and changed. This requires the banks to write off these transactions, which can add up quickly. AV products can’t keep up with the aggressive rate and polymorphic characteristics of this type of malware. We discover a ton of new malware every week, reverse it to some extent, and send the details to AV vendors to be added as a new signature. The other emerging component is the threat of RAM scraping malware targeting Point of Sale (POS) systems. (Panda et al., 2012) One of the themes in all the research on the cost of cyber-crime is the fact that all companies admit that they can’t keep up with the aggressive style of cyber criminals.
It is hard to be reactive when you know that billions of dollars are at stake.
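The cleanup point made above, shown as an added example that is not part of the original paper: a C routine handles a decrypted card number in a working buffer and wipes that buffer afterwards, so no clear text stays resident. The function names and the test card number are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAN_MIN 13
#define PAN_MAX 19

/* Zero a buffer through a volatile pointer so the compiler cannot
 * drop the writes as "dead stores" to memory that is never read again. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Luhn checksum over n ASCII digits; returns 1 when the number is valid. */
int luhn_valid(const char *digits, size_t n)
{
    int sum = 0, dbl = 0;
    for (size_t i = n; i-- > 0;) {
        if (digits[i] < '0' || digits[i] > '9')
            return 0;
        int d = digits[i] - '0';
        if (dbl) {
            d *= 2;
            if (d > 9)
                d -= 9;
        }
        sum += d;
        dbl = !dbl;
    }
    return n > 0 && sum % 10 == 0;
}

/* Count the bytes of a buffer that still hold data (non-zero). */
size_t residue_bytes(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0)
            n++;
    return n;
}

/* Work on a decrypted card number in `scratch`, write a masked form
 * (first 6 and last 4 digits) to `masked`, and wipe the working copy
 * when wipe_after is set. Returns 0 on success, -1 on bad input.
 * The caller's own copy in `pan` needs the same treatment. */
int handle_pan(const char *pan, char *scratch, size_t scratch_len,
               char *masked, size_t masked_len, int wipe_after)
{
    size_t n = strlen(pan);
    int rc = -1;

    if (n < PAN_MIN || n > PAN_MAX || n + 1 > scratch_len || n + 1 > masked_len)
        return -1;

    memcpy(scratch, pan, n + 1);          /* clear text now sits in RAM */
    if (luhn_valid(scratch, n)) {
        for (size_t i = 0; i < n; i++)
            masked[i] = (i < 6 || i >= n - 4) ? scratch[i] : '*';
        masked[n] = '\0';
        rc = 0;
    }
    if (wipe_after)                       /* wipe on success and on failure */
        secure_wipe(scratch, scratch_len);
    return rc;
}

int main(void)
{
    const char *pan = "4111111111111111"; /* constructed: common test number */
    char scratch[32] = {0}, masked[32];

    handle_pan(pan, scratch, sizeof scratch, masked, sizeof masked, 0);
    printf("no wipe: masked=%s residue=%zu bytes\n",
           masked, residue_bytes(scratch, sizeof scratch));

    handle_pan(pan, scratch, sizeof scratch, masked, sizeof masked, 1);
    printf("wiped:   masked=%s residue=%zu bytes\n",
           masked, residue_bytes(scratch, sizeof scratch));
    return 0;
}
```

Wiping shortens the window in which clear text is resident; it does not protect the data while the routine is still using it.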
Wireless adoption will persist, expanding into a greater number of purpose-focused practices that cater to the needs of individual technology. Wi-Fi technology will evolve continually, but other practices will also surface with extensive implementation outfitting the needs of rooted technology with a range of focus areas including ZigBee, WirelessHART and Z-Wave, as well as proprietary protocols. With this increasing alternate wireless adoption, we are already seeing past mistakes from previously unsuccessful protocols being repeated. With this revelation, and the tendency of Wi-Fi collapse and enhancement, history will be doomed to repeat itself because vendors will go to market fast to take advantage of new opportunities, failing to thoroughly study the history of previously failed and successful wireless technologies.
An issue that could be a major concern is the use of cloud computing and the security issues it will raise, as the research alludes to.
More cloud computing issues will be in the sights of cyber attackers. While there are many possible benefits to cloud computing, the honeymoon will end. Many organizations will soon discover that they do not have the flexibility they need for their businesses, and many others will discover that any security issues (from audit to compromise) are far more complex in the cloud. Many security professionals will come to terms with the security risks of cloud computing. They will do so under pressure from the businesses they support, as companies will continue to migrate to cloud platforms. The infosec community will better understand cloud environments, while the technologies implementing cloud platforms will reach an acceptable level of maturity. Security professionals will continue to apply extra scrutiny to scenarios that involve processing sensitive or regulated data in shared cloud environments. (Panda et al., 2012) Cloud computing will be a very big concern for all security teams at every business, whether they are a large or small organization. They will face many challenges, and as they come up with fixes to those challenges they will have to address new ones, and that cycle will continue.
With the speed at which information technology is evolving, virtual infrastructure will become more important and have more exposure, as all the research has been pointing to.
Security continues to become part of virtual infrastructure. As more and more organizations add virtualization technologies into their environment, particularly server and desktop virtualization, security will be more embedded in the native technologies, and less of an "add-on" after the implementation is complete. For server virtualization, new firewalls and monitoring capabilities are being integrated into some of the leading platforms now. For desktop virtualization, native integration with remote access technologies and client-side sandbox capabilities are common. Vendors will continue to push the envelope and offer new tools to enhance virtual environments, but virtualization platforms will evolve to easily allow existing security technologies to interoperate more natively, as well. In addition, security architecture design will be a "must have" element of virtual infrastructure planning and deployment, not a "nice to have". (Panda et al., 2012) With all the new ways that are being discovered every day, the security concerns will never go away, which is a good thing for those who work in the information technology security area. They will fix one threat and have to move on to the next threat.
A focus on the world’s exchanges
To gather unique insights into the cyber-crime threat from a securities market perspective, the IOSCO Research Department, jointly with the World Federation of Exchanges Office, conducted a cyber-crime survey (hereafter the WFE/IOSCO survey) to some of our core financial market infrastructures - the world’s exchanges.
This survey is intended as part of a series of surveys exploring perspectives and experiences with cyber-crime across different groups of securities market actors, financial institutions and regulators.
In this first survey, a vast majority of respondents agree that cyber-crime in securities markets can be considered a potentially systemic risk (89%). The following factors shed light on why:
Size, complexity and incentive structure
Cyber-crime is already targeting a number of exchanges. Over half of exchanges surveyed report experiencing a cyber-attack in the last year (53%).
Attacks tend to be disruptive in nature (rather than aiming for immediate financial gain). The most common forms of attack reported in the survey are Denial of Service attacks and malicious code (viruses). These categories of attack were also reported as the most disruptive. Financial theft did not feature in any of the responses.
This suggests a shift in motive for cyber-crime in securities markets, away from financial gain and towards more destabilizing aims. It also distinguishes cyber-crime in securities markets from traditional crimes against the financial sector e.g. fraud, theft. (Tendulkar, R., 2013)
Even before computers started to make things more complicated, it was already hard to define and measure white-collar crimes. While it’s clearly a crime to set up a fly-by-night mail-order firm, collect payments and ship no goods, the situation is less clear when goods are mis-described or defective. Periodic scandals (McKesson & Robbins in 1938, IOS and Equity Funding in 1973, Enron in 2001, the banking crisis in 2008) raise questions about the boundary between business and crime, leading to changes in definitions as well as regulations. These shifts are associated with changes in social attitudes and political discourse. (Weis, 2012) White-collar crimes have been historically difficult to define; add cyber-crimes to that mix and the difficulty rises. Will there ever be set definitions that encompass all cyber-crime? I think not, and that will never occur because of the speed at which technology evolves.
While tying down fraud was hard enough a decade ago, globalization and technology are making the problem harder still today. Many corporations are transnational, as are many cyber-crimes. If a Chinese gang steals secrets from BAE, is this a UK crime as BAE has its primary stock market listing in London, or a US one as it does more business there? Furthermore, while there are some online and electronic crimes for which we have UK figures (such as card fraud) there are others for which we have only global figures (such as the incomes of gangs selling fake pharmaceuticals or operating botnets). In the circumstances the sensible way forward is to estimate global figures. We will work from the fact that the UK accounts for about 5% of world GDP to scale our national estimates up or down as appropriate. Where there is reason to believe that the UK figures are out of line with other countries, we will say so and make an appropriate allowance. (Weis, 2012) The trend here is that there are numerous challenges to combating cyber-crimes and it needs to be a world effort; one country cannot tackle this alone.
Twenty-first century criminals increasingly rely on the Internet and advanced technologies to further their criminal operations. These criminals can easily leverage the Internet to carry out traditional crimes such as distributing illicit drugs and sex trafficking. In addition, they exploit the digital world to facilitate crimes that are often technology driven, including identity theft, payment card fraud, and intellectual property theft. Cyber-crimes have economic, public health, and national security implications, among others. For over three decades, Congress has been concerned about cyber-crime and its related threats. Today, these concerns often arise among a larger discussion surrounding the federal government’s role in ensuring U.S. cyber security. (Finklea et al., 2013) With the turn of every new century you see the human race go through some sort of evolution and the cyber age is the evolution that we are going through in this century.
Conceptualizing cyber-crime involves a number of key elements and questions that include where do the criminal acts exist in the real and digital worlds (and what technologies are involved in carrying out the crimes), why are malicious activities initiated, and who is involved in carrying out the malicious acts? (Finklea et al., 2013)
Theory Review
Along with the review of numerous aspects of cyber-crime, including current legislation, law enforcement, and the prevalence of cyber-crime, the crime theories that have been applied to the study of cyber-crime have been reviewed. During the past couple hundred years various theories have been conjectured in an effort to clarify why crimes take place. A number of these theories, like self-control theory and routine activity theory, have been applied to the study of cyber-crime. The focus of these theories is on individual-level characteristics of individuals, or the circumstances they are in, that add to the likelihood of a crime taking place. The research of cyber-crime will turn out to be more and more significant as we look for resolutions to this mounting predicament. What follows is a review of several theories and the empirical studies that have applied them to the research of cyber-crime.
Prior to investigating the diverse theories that have been applied to the research of cyber-crime, it is useful to identify the diverse schools of criminological thought. There are two main schools of thought in criminology, which are the classical school and the positivist school. Classical theorists believe that people are rational and that they commit crimes through their own free will in order to satisfy their own self-interest (Grzybowski, 2012). Classical theorists believe that people will not partake in crime if they realize the ramifications of the punishment, understand that it will be administered swiftly, and know that the penalty is definite, because the penalty for the crime then overshadows the possible rewards an individual could receive from it. People logically opt to participate in criminal acts; in order to keep such crimes from taking place, people have to understand that the penalty will overshadow the rewards. If people realize and believe that the penalty overshadows the rewards then they will freely decide not to take part in the criminal actions. On the other hand, the positivist school of criminology believes that individuals participate in crime because of forces beyond individual control and relies on the scientific method to prove its theories (Grzybowski, 2012). Individuals should not be held exclusively accountable for their actions because not every person is rational. External dynamics can be a vital part in deciding one’s involvement in crime. After the examination of the two principal schools of criminological theory comes an examination of how the two theories of self-control and routine activity have been applied to the study of cyber-crime and cyber-crime victimization.
Self-Control Theory
One common crime theory that has been applied to cyber-crime study is the self-control theory. Self-control theory was first proposed by Travis Hirschi and Michael Gottfredson in their 1990 publication A General Theory of Crime (Grzybowski, 2012). Self-control theory states that criminal impulse is out of control, but that people act on this impulse only when they have low self-control. Much of the research has discussed the crucial elements of the self-control theory, as well as studies that have supplied proof to support the strength of this theory. The review of all the research has included a review of experimental studies that have applied self-control theory to the study of cyber-crime and cyber victimization and looked at the positives of applying this theory to the study of cyber-crime.
In their 1990 book, A General Theory of Crime, Travis Hirschi and Michael Gottfredson describe the major characteristics that define individuals with and without self-control (Grzybowski, 2012). Individuals with minimal self-control are rash, thoughtless, physical (instead of mental), risk-taking, thoughtless, and nonverbal, and they will tend to engage in criminal and similar acts. People that demonstrate signs of low self-control are thought to be more likely to take part in illegal acts because they crave instant satisfaction. By contrast, individuals who show signs of good self-control are not in need of instant satisfaction and are more likely to be observant, emotional, vocal, and have continuing familiarity. People that show signs of self-control are more likely able to appreciate the penalty of taking part in criminal acts and have the strength needed to fight that urge for instant satisfaction. To sum up, those who show signs of low self-control are more likely to exhibit such signs as impulsivity and short-sightedness, which make crime and its instant satisfaction more appealing to them, in contrast to those who exhibit signs of high self-control, which include being vigilant and having continuing familiarity. The important question this brings up is whether a person’s level of self-control grows over time or whether every person is born with one level of self-control that never changes during their life. According to Hirschi and Gottfredson individuals are not born with one certain level of self-control, rather they learn self-control most often through their parents (Grzybowski, 2012). There is not only one level of self-control a person can have; as they age they may form a more diverse level of self-control compared to what they exhibited at a younger age. However, they do suggest that, “…individual differences may have an impact on the prospects for effective socialization” (Grzybowski, 2012).
For example, people with mental health issues may have an elevated chance of not being well socialized. The research indicates that self-control is learned during one’s life span, but particularly during the childhood years.
The research has also revealed why some people show signs of self-control. It suggests that people form signs of self-control as a product of how they were raised. Although parents do not purposely teach their kids to have lapses of self-control, the research suggests that “in order to teach the child self-control, someone must (1) monitor the child’s behavior; (2) recognize deviant behavior when it occurs; and (3) punish such behavior…all that is required to activate the system is affection for or investment in the child.” (Grzybowski, 2012) They imply that an absence in any one of these areas will unintentionally permit the adolescent to exhibit signs of low self-control. Signs of low self-control can be the product of unsuccessful parenting. Low self-control makes crime more appealing to people who exhibit learned characteristics such as recklessness and lawlessness. Good quality parenting is vital in forming people who possess high levels of self-control; nevertheless, good quality parenting can only take place if parents care about their kids and are able to watch, distinguish, and efficiently discipline their kids for abnormal behavior.
Self-control theory has been the subject of many empirical studies, which have attempted to test the validity of the theory in explaining crime (Grzybowski, 2012). In 2000, there was a meta-analysis conducted of experimental studies of the self-control theory in an attempt to establish whether experimental studies uphold the suggestion that low self-control can forecast criminal or abnormal behavior. After analyzing twenty-one empirical studies which included tests for self-control, they found that the lack of self-control is a strong predictor of involvement in criminal or other negative behaviors (Grzybowski, 2012). Self-control is helpful in clearing up why some people take part in criminal actions while others choose not to. Researchers also discovered that self-control is not the only judge of abnormal behavior, but that variables from the social learning theory are also helpful in clearing up a person’s involvement in criminal activities. Criminal behavior cannot be made clear exclusively by one theory; it involves the linking of a number of theories. Experimental studies have usually found support for self-control theory as a significant issue in forecasting criminal activity.
Some researchers have expanded self-control theory to the study of why some people commit cyber-crimes or take part in abnormal cyber activities. For example, researchers have applied self-control to the study of why some individuals participate in online piracy (Grzybowski, 2012). One empirical study of 358 college students found that individuals who possessed characteristics of low levels of self-control, such as impulsivity, were likely to commit acts of digital piracy (Grzybowski, 2012). People who exhibit signs of low levels of self-control are prone to take part in abnormal behavior both on and offline because of their yearning for instant satisfaction. Another research study applying the self-control theory to the study of cyber-crime discovered that people with low levels of self-control were more prone to view internet pornography than people with high levels of self-control. Experimental studies such as these illustrate that self-control theory can be helpful in explaining cyber-crime. These applications of self-control theory can help researchers and policy makers gain an improved understanding of why people take part in criminal online behavior and recommend potential ways to fight this mounting issue.
Researchers have also expanded the study of the self-control theory to victimization in an effort to explain why some people are more susceptible to being a casualty of cyber-crime than others. A 2010 study of college students found that students who identified characteristics of low levels of self-control were more likely to engage in behavior that increased their likelihood of becoming victims of fraud (Grzybowski, 2012). People with low levels of self-control are more susceptible to putting themselves in circumstances where they will probably be victimized. Furthermore, they found that there is “overlap in fraud offending and victimization exposure” (Grzybowski, 2012). People who lack self-control and take part in criminal behavior will probably suffer from victimization. Expanding the self-control theory to the research of victimization can make the theory more helpful because it would not only clarify why some people would more likely commit crimes, but also why some people are more likely to turn into victims of crime.
This comprehensive theory of self-control clarifies why some people are more prone to victimization and has been useful for the study of cyber-crime. For instance, a study of college students uncovered that people who showed signs of low self-control, such as impulsivity, had the impression that they were at a higher risk of victimization, but failed to do anything to change their behavior. Even people who have low levels of self-control can recognize the risks of online victimization; yet, they are not as likely as people with high levels of self-control to alter their behavior to reduce the chances of being victimized online. Some experimental studies that have been done on cyber-crime show that self-control theory can be valuable in helping to clarify why some people turn out to be victims of cyber criminals. This will allow researchers and policy makers to develop potential ways to fight this mounting issue. Self-control theory can be helpful in making sense of victimization, both in the real world and in the cyber world.
Empirical studies have shown that self-control theory is useful in explaining why some individuals are more likely to participate in deviant behavior, as well as why some individuals are more likely to be victimized (Grzybowski, 2012). On the other hand, even as self-control theory is valuable in explaining why people may act in a particular way, it does not explain the circumstances that have to be met for a crime to take place. Routine activity theory explains the situational factors that have to be in place for a crime to take place. Together with self-control theory, routine activity theory helps clarify why cyber-crime takes place. In fact, some studies have already started to look at combining self-control and routine activity theory to clarify victimization. For example, scholars found that as a result of remote purchasing activities, individuals with low self-control have an increased possibility of being the victim of fraud (Grzybowski, 2012). A person’s low self-control in conjunction with their normal behavior can amplify a person’s risk of being victimized. Self-control, together with routine activity theory, could establish a functional model for explaining cyber-crime.
The research on self-control theory is helpful because it can be broadened to the study of cyber-crime. Self-control theory clarifies why some people are more likely to partake in crime and other harmful activities. People with low self-control have a tendency to be reckless and short-sighted, and to desire the instant satisfaction that comes from crime or other behavior. Their lack of self-control is the product of how they were raised. Empirical studies of self-control theory find that an individual’s level of self-control is an important predictor of his or her participation in deviant behavior (Grzybowski, 2012). Self-control theory can also lend a hand to clarify why some people are more vulnerable to victimization. This theory can be applied to the research of why some people are more likely to engage in cyber-crimes and/or to be the victims of cyber-crime. Self-control theory is an excellent theory for explaining personal behavior; though, it may not be adequate to clarify the trend of cyber-crime.
Routine Activity Theory
Self-control theory by itself is not adequate to fully clarify the cyber-crime racket phenomenon. Nevertheless, in combination with other theories, like the routine activity theory, scholars can create an improved model to clarify cyber-crime victimization. Routine activity theory was first suggested by Lawrence Cohen and Marcus Felson in 1979 in their article Social Change and Crime Rate Trends: A Routine Activity Approach. Routine activity theory holds that, “Crime occurs when there is an intersection in time and space of a motivated offender, an attractive target, and a lack of capable guardianship.” (Grzybowski, 2012) The research for this paper revealed the basic elements of the routine activity theory and helped clarify how it relates to cyber-crime. It also reviewed experimental studies that have applied the routine activity theory to the study of cyber-crime, and discussed the results of relating this theory to the study of cyber-crime.
In the Cohen and Felson article, they defined three essential conditions that are required to be met in order for a crime to happen. Unlike many theories that focused on why people commit crimes, the authors argued that motivation is commonplace; however, in order for a crime to take place there needs to be concurrence in time and space of “an offender with both criminal inclinations and the ability to carry out those inclinations, a person or object providing a suitable target for the offender, and absence of a guardian capable of preventing violations.” (Grzybowski, 2012) It does not make a difference why people are moved to take part in crimes; what makes the difference is that a person with the inclination to take part in crime is in the right place to move against their target at the opportune time when nobody is around to stop the criminal. The authors also argued that the absence of any one of the conditions would be sufficient to prevent a crime from occurring (Grzybowski, 2012). If a person is motivated to steal an article from a victim’s house, but there is constantly somebody home, then the criminal will be incapable of committing the crime. What that means is that according to the routine activity theory a crime can only take place if there is a criminal, an appropriate target, and no guardians around to safeguard the target.
The research also spoke to what makes an appropriate target. They identified four items that are likely to affect target suitability: value, physical visibility, access, and inertia (Grzybowski, 2012). These are logical; for instance, if a crook wishes to take something they have to recognize that it is present in the first place, therefore being in plain sight would be significant in determining the suitability of a target. Another significant factor in determining the suitability of a target is access, meaning how easy it is to get to an item. For example, if a home is left unsecured it is considerably easier to enter than a home that is secured. The authors found that high value items, such as cars and electronics, were more likely to get stolen (Grzybowski, 2012). Since there is always the likelihood of punishment when crooks attempt to steal something, they are going to steal objects that have the highest value possible. Research also discovered that the mass and magnitude of the article, which in some research was called inertia, affects target suitability. The best scenario for a crook stealing any item is for that item to be as compact as possible, which will allow for easy transport and will draw less attention as they depart with it. Most research concludes that routine activity theory recognizes the characteristics of people and items that make them much more suitable targets, specifically their worth, their physical visibility, the ease of access for the criminal, and the mass and magnitude of the item.
Scholars have started to broaden the routine activity theory to include research on the effects of cyber-crime. In one study of college students, researchers examined the applicability of routine activity theory to the study of cyber-crime and found that students who disregard their participation in online activities and do not use computer-security software are more likely to be victimized (Grzybowski, 2012). Individuals who disregard the precariousness of their conduct are not likely to guard themselves by reducing their actions or using someone to protect them and therefore are more likely to be victimized. Another study testing the applicability of routine activity theory to the study of cyber-crime found that the number of hours a student spent on online communication sites, such as chat-rooms, and his or her engagement in computer crime impacted the student’s risk of cyber victimization (Grzybowski, 2012). Individuals whose consistent actions place them in positions where they have the likelihood of interacting with criminals are at a higher risk of being victimized. Scholars have discovered some backing for linking the routine activity theory to the research of cyber-crime.
Several studies have been conducted using routine activity theory in order to study cyber-crime victimization (Grzybowski, 2012). Examples are the two experimental studies of college students that discovered that students who engaged in online communication sites, like chat rooms, had an amplified chance of being victimized. People who interact with others online as part of their normal routine are more likely to be the subject of online victimization than people who stay away from using online communication. In another empirical study of college students, the researchers found that individuals with multiple social networking accounts had a greater probability of suffering interpersonal victimization, including online harassment (Grzybowski, 2012). People who normally used numerous social networking sites have a higher probability of being cyber victims because of the higher probability of them coming into contact with online criminals. Countless studies have discovered evidence that offers backing for using the routine activity theory in the research of cyber-crime.
However, despite the research that has found evidence supporting the use of routine activity theory in the study of cyber-crime victimization, there are some researchers that have argued that routine activity theory cannot be applied to the study of cyber-crime victimization (Yar, 2005). In one study, Yar argued that some aspects of routine activity theory if adapted could possibly be applied to the study of cyber-crime; however, he also found evidence suggesting that because of the difference in time and space in the cyber world vs. the real world that routine activity theory could not be applied to the study of cyber-crime (2005). The nature of the internet can challenge the applicability of routine activity theory to the study of cyber-crime because unlike the terrestrial world, time and space does not exist in the same way in the cyber world. Yar argues that because cyber-crime exists in a world without any physical or time constraint, it is a new form of crime, and thus requires new and modified theories to explain it (2005). The unstructured nature of cyber-crime makes it difficult to explain using traditional crime theories, such as routine activity theory. Researchers have suggested that routine activity theory cannot be used to explain cyber-crime because one of the major tenets of routine activity theory, the convergence in time and space, does not occur in cyber-crime. (Grzybowski, 2012)
Scholars have discovered proof backing and not backing the broadening of the routine activity theory to the research of cyber-crime. The routine activity theory, intermixing with other theories, may perhaps provide a better explanation for the effects of cyber-crime. In any case, the internet delivers a venue where promising targets, like people and valuables, are easily accessible by criminals. Plus the free-flowing nature of the internet also creates a difficult arena to monitor and regulate, consequently excluding skilled protection. Impending research of the effects of cyber-crime may find it useful from using both the routine activity theory and the self-control theory to study the issue.
Hence, scholars have broadened both the self-control theory and the routine activity theory to the research of cyber-crime and its effects. Self-control theory provides valuable insight into why offenders may participate in cyber-crime, as well as why some individuals may be more likely to be victimized by cyber-crime (Grzybowski, 2012). Routine activity theory explores the situations necessary for a crime to occur and how an individual’s regular activities may put him or her at greater risk of being a cyber-crime victim (Grzybowski, 2012). Scholars have since started to look at applying both of these theories collectively to assist in clarifying the effects of cyber-crime. Together these theories have the potential in aiding the research of cyber-crime and its effects in the future.
Areas For Future Research
Cyber-crime and cyber-crime victimization is a growing problem that will continue to face legislators and law enforcement agents well into the future. As the problem grows so will the need to better understand it so that we can develop programs to combat it. (Grzybowski, 2012) The majority of the research has compared the implementation of two crime theories which were previously used toward the research of cyber-crime. Nevertheless, there are still numerous fields where additional research is still required to be performed.
One area that confirms the need for future study is the broadening of these studies to more diverse samples. Much of the experimental research reviewed has asked college students about their participation in cyber-crime activities. Having a sample pool of college students can offer essential insight into the phenomenon since most college students frequently use computers and the internet. This frequent computer use, as well as students’ computer abilities, means that college students have the opportunity and skill to partake in cyber-crimes and are in greater danger of being victimized online. University students provide a significant pool of the populace for the study of cyber-crime, yet the entire populace is still not represented. University students are a self-selected cluster of people; as a result, future study must reach out and explore other clusters to conclude if results from research on university students can actually be generalized to the whole population.
A second area for future research is the study of business cyber victimization. There have been very few research studies examining cyber-crimes and business. The Bureau of Justice Statistics conducted the National Security Survey which measured the prevalence of business cyber-crime victimization (Grzybowski, 2012). Nonetheless, this survey did not look at the problem of why certain businesses were the subjects of cyber-crime, providing scholars with potential research to be studied in the future. For example, studies could look at whether specific types of commercial practices, like banking online, make a business more appealing to criminals. Recent cyber-crime research has studied which people are more susceptible to the outcomes of cyber-crime. If scholars broaden their research to the examination of business victimization, then there could be the possibility of learning what causes certain businesses to be more vulnerable to cyber-crime, which could lead to standards that could lessen a business’s possibility of being victimized.
As scholars have struggled to clarify cyber-crime they have relied on outdated crime theories like the self-control theory. Their use of the self-control theory has revealed that this theory has grounds for clarifying cyber-crime. The research has revealed that people who show signs of low self-control are likely to partake in seemingly passive online crimes like online piracy and pornography. On the other hand, studies still need to be conducted to determine whether people who show signs of low self-control are just as likely to partake in violent online crimes like online harassment as they are to partake in nonviolent online crimes.
Researchers have also applied self-control theory to the study of cyber victimization. These studies found that individuals with characteristics of low self-control are more likely to place themselves in situations where they are vulnerable to victimization from crimes such as fraud and those individuals did little to protect themselves from this victimization. Again more research should be conducted in this area to expand self-control theory to the study of other types of cyber victimization. (Grzybowski, 2012)
Furthermore, Hirschi and Gottfredson said that characteristics of low self-control are a result of ineffective parenting (Grzybowski, 2012). The configuration of the internet makes it challenging for parents to monitor their kids’ conduct and as a consequence they are not able to prevent or correct the conduct. Could this end up with kids forming additional signs of low self-control? Scholars could examine the impact of the internet and how parenting is affected. There are numerous areas for which the study of cyber-crime can be applied to the self-control theory.
Additional inquiries into using the routine activity theory in the research of the effects of cyber-crime are also warranted. As the research has uncovered, there are various disagreements as to whether routine activity theory is practical when used to study cyber-crime. These disagreements center on whether or not the coming together in time and space of a criminal and a victim is categorically essential for routine activity theory to operate. Scholars must perform more studies in this area to inspect whether routine activity theory can be useful in the study of cyber-crime and what answers this application can offer. Various scholars believe that routine activity theory can be useful for the study of cyber-crime, but not all scholars agree. Supplemental applications of this theory would help establish the legitimacy of applying routine activity theory to online victimization.
Researchers have also begun to use routine activity theory to study cyber victimization. Their application of routine activity theory has shown that this theory holds promise for explaining cyber victimization. These studies found that an individual’s routine activities, such as the number of social networking sites he or she uses and an individual’s use of online communication, increase his or her likelihood of victimization for both violent and nonviolent cyber-crimes. However, researchers have not addressed aspects of routine activity theory such as inertia and physical visibility. Cohen and Felson argued that physical visibility and inertia were important aspects in determining target suitability (Grzybowski, 2012). The internet, on the other hand, is often anonymous. Anyone can list goods on craigslist and provide photographs, but there are no assurances of what you are buying until you physically see the item. Adults can pretend to be teenagers in chat rooms in order to befriend children. Studies have not been specifically performed to figure out how people on the internet conclude whether their target is truly what they believe it is and how they decide its true significance as a target. Future study applying the routine activity theory to cyber victimization should examine these issues in more depth.
Some scholars have also studied the validity of combining both self-control theory and routine activity theory for the study of cyber-crime. This research found evidence that suggests that together these theories can help scholars better understand fraud victimization (Grzybowski, 2012). Scholars must broaden these results to the research of other cyber victimizations, not just fraud, in order to define the validity of applying both of these theories in combination with the study of online victimization.
Scholars must also broaden cyber-crime study by using other crime theories in conjunction with the study of cyber-crime. Self-control theory and routine activity theory are not the only theories that criminologists have developed to explain crime, and these other crime theories could be expanded to the study of online crime to help explain an individual’s participation in deviant acts and why some individuals are more likely to be victimized. Theories that hold promise for the study of cyber-crime include strain theory and social learning theory. Strain theory maintains that when an individual cannot achieve his or her goals, he or she experiences strain and as a result may turn to crime (Grzybowski, 2012). Scholars must study whether a person’s strain in the “real world” has an impact on their criminal behavior in the virtual world. For example, if a person feels strain because they have not accomplished financial success and do not have enough money for the most up-to-date software, might they turn to pirating it? Social learning theory holds that crime is learned through association with deviant peers (Grzybowski, 2012). Some studies have already discovered that there is a correlation between the number of criminal peers a person has and their involvement in music piracy. But scholars could look at whether the social learning theory can be used with all types of cyber-crimes or just certain cyber-crimes. Taking the social learning theory into consideration, does it help explain the influence of criminal online peers on violent online crimes as well as it can explain passive online crimes, like piracy and theft? Broadening these theories may possibly lend a hand in explaining the increasing cyber-crime issue, as these theories propose added elements that could influence a person’s chances of either partaking in or falling victim to cyber-crime.
Additional study should also research the outcome of victims’ dealings with law enforcement organizations. Victims can report their victimization to the IC3, as well as other state and federal organizations (Grzybowski, 2012). Nonetheless, there has not been much research conducted to establish whether people are pleased with the way their case is handled. For people who suffer financial losses because of being victimized, it is not known if they were able to recover all, part, or none of their losses. This sort of study may possibly supply an enhanced view of the victims of cyber-crime. It could possibly assist policy makers and law enforcement organizations to better deal with the issues of victims. Additional studies into the effects of cyber-crime should investigate concerns that victims encounter subsequent to being victimized.
Future research could extend the current study by analyzing a larger sample of publicly traded companies that have been the victim of cyber-crime. By employing a larger sample, future research might investigate the specific impact of different types of cyber-crime on firms according to industry type and/or specific categories of marketing activity (e.g. customer order processing, supply chain, etc.). In addition, a longitudinal study might investigate whether different time periods affect the impact of the cyber-crime. Perhaps as time goes by, investors may be less alarmed by news stories about cyber-crime if such crimes become more commonplace. (Smith et al., 2011)
Scholars have only really started to look at the cyber-crime problem during the last ten years. Although a great deal of research has been performed in this arena, there are still numerous areas where potential study needs to be performed. Scholars must test their results via bigger, more definitive samples to better establish the standing of their findings. There are numerous areas in which scholars may possibly combine self-control and routine activity theory. Additional study should be performed by examining the success of combining both of these theories to research cyber-crime. Criminologists must also examine the applicability of other crime theories, such as strain and social learning theory, to the study of cyber-crime so that the problem can be better understood (Grzybowski, 2012). Opportunities are also available for scholars to look at business victimization, in addition to victim relations with law enforcement. These areas for potential study are just a few of the uncharted areas that scholars still need to look at in the pursuit to comprehend this trend. Cyber-crime study is vital to our understanding of crime as our civilization becomes increasingly reliant on technology.
Recommendations
Of all the studies that were used, one provided some very useful recommendations that could be an asset in the fight against cyber-crime.
It is critical that agencies take steps to prepare for computer crime investigation. Agencies should take a realistic look at their resources and priorities. At this point, computer crime may take a back seat to more pressing matters such as gang crime, domestic abuse, and drugs. Even with only limited resources however, significant steps can be taken to prepare for the inevitable increase which will present itself. Based on this research, it is recommended the following steps be taken by all agencies as a minimum contingency plan for dealing with computer crime. (Netterville, 2013)
1. Identify local computer resources. Personnel within the agency and adjacent agencies who have significant computer skills or abilities should be identified. If personnel in-house are not competent, are there experts available in local businesses, college campuses, high schools, etc. who can act as sources of information for your internal needs? (Netterville, 2013)
2. Identify professional resources available to assist your agency in conducting local investigations. As previously discussed, state or regional agencies may have extensive capabilities which are available for department use. Contact points and procedures should be identified and documented before they are needed. Clarification should be obtained as to what resources are available and under what conditions they can be requested. (Netterville, 2013)
3. Department wide training should be conducted in the basics of common computer crimes. Street officers should be versed in what to look for in identifying computer crime. The first part of investigation is identification of the occurrence. To better combat computer crime, we must first do a better job of recognizing it when we see it. (Netterville, 2013)
4. Provide selective specialized computer crime education. Key members of the department should be trained to handle computer crime investigations. The extent of the training should be based on the level of expertise and support. A small town with few resources and easy access to a regional computer crime investigative service such as FDLE’s CER may only need to learn to properly collect evidence for outside analysis. Larger areas or those with more capable in-house staff may wish to do more in-depth training, or even develop their own in-house computer crimes section. At the least, one investigator and the crime scene technician should receive additional training in this area. (Netterville, 2013)
5. Educate the community. Computer crime is vastly under-reported at present. Departments should work to gain the trust of the business community to bring these crimes forward. This is an area where law enforcement has an opportunity to be proactive instead of merely reactive. Crime prevention units can educate citizens to prevent theft of hardware and critical systems, much as they are taught to protect their homes from burglary. (Netterville, 2013)
6. Monitor computer crime trends with an eye toward long range resource allocation. As computer crimes become more prevalent, additional resources will have to be allocated to their investigation. Agencies should look toward their future needs several years down the line when formulating budgets, manpower requests, and training. (Netterville, 2013)
What is interesting is the fact that most people have become used to some type of cyber loss and have become desensitized to that loss. They will take the steps to recover the loss from their credit card company or bank and are unaware of all the steps and costs that go with that process. The research is overwhelming on what the cost is or could be.
This initial research suggests an upper limit of the cost of cyber espionage and crime somewhere between 0.5% and 1% of national income—for the US, this would be about $70 billion to $140 billion. A lower limit might be $20 billion to $25 billion. This is a very broad range and we hope that our future work can narrow it. A starting point for a better estimate would be to reduce the reliance on anecdotes and surveys, and begin to compile and compare existing estimates, develop better data on value, and refine assumptions about loss. While a precise single figure for the cost of cyber-crime and cyber espionage is unattainable, a more accurate estimate of the range of potential losses can be developed, allowing us to better measure the problem. (Center for Strategic and International Studies, 2013)
A very rough approach would be to apply this range for the U.S., which accounts for slightly over a fifth of global financial activity, and produce a range of $100 billion to $500 billion for worldwide losses. This is almost certainly an overestimate. A preliminary adjustment would be to recognize that less advanced economies depend less on networks and have fewer intangible assets than advanced economies. In just the ten leading economies the value of “intangible” goods and services ranges from 50% to 70% of GDP; taking this into account would suggest a range of $80 billion to $400 billion in global losses (Center for Strategic and International Studies, 2013). This range is so broad that it is offered only as a preliminary idea for additional study on the worldwide consequence of malicious cyber activity. In the context of a $70 trillion international economy, these losses are insignificant, but that is not to say that it is not in the national interest for governments to try to minimize the loss, and the theft of sensitive military technology produces losses whose total cost cannot simply be measured in financial terms.
It is also essential to unravel the normal interaction of technology that has become a standard part of foreign investment. Cyber espionage is best categorized as a disturbing addition to this larger trend of global technology transfer. Not all technology transfer and increases in foreign competitiveness should be attributed to cyber espionage, nor should the likelihood be ignored that cyber espionage can, over the long term, have a dramatic influence on economic development, because just a few tenths of a percentage point over a few years can alter a country’s economic wellbeing.
Businesses have almost certainly misjudged the threat that lies ahead. Some businesses consider the harm from espionage acceptable, one of the hazards associated with doing business in the world’s fastest developing areas, and believe that they can outrun the development by constructing new technologies and so decrease any loss. There could very well be economic justification for this, in that for a single firm there are immediate gains. But prohibited technology transfer, even if by U.S. standards that technology is dated, increases military transformation. It increases upgrades in home-grown manufacturing and high-tech proficiencies, making the beneficiary more able to deal with stolen technology as it evolves and create products that can compete in the world markets. Businesses are in jeopardy of losing not only their strategic advantage or their intellectual assets but clientele, competitive analyses, and sales data as well.
The dollar value of malicious cyber activity may understate the actual damage if there is a “multiplier effect.” There are proponents of government funded research who argue strenuously, albeit self-interestedly, that a dollar spent on research produces more than a dollar of economic benefit. If this is true, the multiplier effect for cyber espionage could be far greater if the research is acquired for free. The loss of a dollar of IP due to cyber espionage could produce more than a dollar of benefit for a foreign competitor. If this is accurate, the loss of $20 billion in intellectual property translates into a much greater benefit for the acquiring nation. But this is uncertain ground, as the estimation of a multiplier effect remains in dispute in economic literature. Some economists assert that one dollar spent on biomedical research, for example, produces two dollars in benefits. Other estimates by critics of the multiplier effect suggest that one dollar in spending may have a multiplier effect of only 80 cents or even less. (Center for Strategic and International Studies, 2013)
As mentioned previously and in numerous studies, an added challenge lies in measuring the monetary cost of damage to national security. There is a connection between cyber espionage and the expansion of cyber attack skills. Cyber espionage offers, if nothing else, information on possible targets and practice for attackers. There is also a connection between cyber espionage concentrating on commercial targets and cyber espionage concentrating on military technology. The ongoing trend is that it is often the same culprits who are pursuing a collection strategy that has both military and commercial sources as targets. In America, for instance, a solid case can be made that extensive damage has been done to the American lead in stealth, submarine, missile, and nuclear capabilities. We cannot correctly calculate the monetary value of the damage in military technology but it can be stated that cyber espionage, as well as commercial espionage, changes the rules of engagement to help out foreign competitors.
Conclusion
Computers and the internet have become commonplace in today’s society. This new technology has resulted in the development of a new form of crime, cyber-crime. This paper has provided a background to the cyber-crime problem and has reviewed two theories that have been applied to the study of cyber-crime and cyber victimization. It has reviewed current legislation on cyber-crime, current law enforcement responses to cyber-crime, and classified different forms of cyber-crime. It has also looked at the trends of cyber-crime to determine the importance of studying cyber-crime (Grzybowski, 2012).
Both the Federal government and the many state governments have created laws which clarify cyber-crimes, spell out jurisdiction, and establish the lawful grounds for trying such crimes. Several Federal agencies have divisions that are tasked with the handling of computer crimes extending from computer intrusions to intellectual property theft. Research has noted “various cyber-crimes and classified these crimes into three general categories, crimes against the computer, crimes where the computer is the tool used to commit the crime, and crimes where the computer is just incidental to the crime” (Grzybowski, 2012). Additionally, there has been an examination of the existing state of cyber-crime for both companies and people. Cyber-crime touches many people and companies in America and this challenge seems to have grown as the use of computers and the use of the internet has grown over the last ten years.
As part of studying the existing state of cyber-crime in America, this paper looked at the use of the self-control and routine activity theories toward the study of cyber-crime. Together the self-control and routine activity theories can be used toward the study of computer crime and victimization. This paper also includes recommendations for areas of future exploration, like branching out recent studies to include additional groups, assessing the issue by means of other theories, and additional examination of research into the vulnerability of companies to cyber-crime.
This paper has stated what we know at present about cyber-crime and other cyber activities, just a shade over ten years into the new century. This knowledge should be used to come up with research questions to enhance our knowledge about this type of crime and victimization. As the use of technology and the World Wide Web gets more entrenched in our culture, this challenge will remain a factor that our lawmakers and law enforcement officials will face. The evolution of technology will make it challenging to formulate policies and technology that will help protect people and companies. Cyber-crime study will be a significant area of research for prospective criminologists as we travel deeper into the digital age. Just imagine a day in the distant future where the number of cyber-crimes that take place could be more than the number of traditional crimes that take place. With the speed at which technology is evolving, that might not be as distant as we would think.
Computer crime is a new area which should be of critical interest to law enforcement. For most agencies, it is an area which they are ill equipped to handle. At present, computer crimes are an oddity which attract curiosity and media attention. In the near future however, they may blossom to occupy a major portion of an agency’s resources. While for many agencies, it is too soon to prepare fully for this new phenomenon, steps should be taken to prepare for a change in the way we do business. The change will occur. The question is; will we be ready for it, or will we scramble to catch up? (Netterville, 2013)
References
Anderson, Ross, (June 18, 2012). Debunking cybercrime myths. Retrieved from: http://www.lightbluetouchpaper.org/2012/06/18/debunking-cybercrime-myths/
Center for Strategic and International Studies, (July, 2013). The Economic Impact of Cybercrime and Cyber Espionage. Retrieved from: http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime.pdf
Charette, Robert N., (June 18, 2012). Preventing Cybercrime: Not Worth the Effort? Retrieved from: http://spectrum.ieee.org/riskfactor/telecom/security/preventing-cybercrime-not-worth-the-effort
Detica Report, (2011). The Cost of Cyber Crime. Retrieved from: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60943/the-cost-of-cyber-crime-full-report.pdf
Finklea, Kristin M. & Theohary, Catherine A., (January 9, 2013). Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement. Retrieved from: http://www.fas.org/sgp/crs/misc/R42547.pdf
Greenberg, Adam, (October 8, 2013). Study: The cost of cyber-crime continues to rise. Retrieved from: http://www.scmagazine.com/study-the-cost-of-cyber-crime-continues-to-rise/article/315397/
Grzybowski, Katherine M., (March 1, 2012). An Examination of Cybercrime and Cybercrime Research: Self-control and Routine. Retrieved from: http://barrettdowntown.asu.edu/wp-content/uploads/2012/05/Grzybowski_An-Examination-of-Cybercrime-and-Cybercrime-Research_-Self-control-and-Routine-Activity-Theory_2012.pdf
International Cyber Security Protection Alliance (ICSPA), (May, 2013). Study of the Impact of Cyber Crime on Businesses in Canada. Retrieved from: https://www.icspa.org/fileadmin/user_upload/Downloads/ICSPA_Canada_Cyber_Crime_Study_May_2013.pdf
Mass, Peter & Rajagopalan, Megha, (August 1, 2012). Does Cybercrime Really Cost $1 Trillion? Retrieved from: http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion
Moore, Tyler, (June 26, 2012). Measuring the cost of cybercrime. Retrieved from: http://lyle.smu.edu/~tylerm/weis12pres.pdf
Netterville, William M., (November, 2013). Fighting Crime in the Cyber-Age: A new Challenge for Law Enforcement. Retrieved from: http://www.fdle.state.fl.us/Content/getdoc/c4032d7d-2213-474e-8555-588e500da962/Netterville.aspx
Panda, T. C.; Rao, Yerra S. & Saini, Hemraj, (Mar-Apr, 2012). Cyber-Crimes and their Impacts: A Review. Retrieved from: http://www.ijera.com/papers/Vol2_issue2/AG22202209.pdf
Ponemon Institute LLC., (October, 2012). 2012 Cost of Cyber Crime Study: United States. Retrieved from: http://www.ponemon.org/local/upload/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf
Ponemon Institute LLC., (August, 2011). Second Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies. Retrieved from: http://www.intellectualtakeout.org/library/research-analysis-reports/second-annual-cost-cyber-crime-study-benchmark-study-us-companies
Smith, Jacob L.; Smith, Katherine T. & Smith, L. Murphy, (2011). Case Studies of Cybercrime and their impact on marketing activity and shareholder value. Retrieved from: http://www.alliedacademies.org/Publications/Papers/AMSJ_Vol_15_No_2_2011%20p%2067-81.pdf
Tendulkar, Rohini, (July 16, 2013). Cyber-crime, securities markets and systemic risk. Retrieved from: http://www.world-exchanges.org/files/statistics/pdf/IOSCO_WFE_Cyber-crime%20report_Final_16July.pdf
Weis, Anderson, (2012). Measuring the Cost of Cybercrime. Retrieved from: http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf