11 research outputs found

    Patching the patchwork: appraising the EU regulatory framework on cyber security breaches

    Breaches of security, a.k.a. security and data breaches, are on the rise, one of the reasons being the well-known lack of incentives to secure services and their underlying technologies, such as cloud computing. In this article, I question whether the patchwork of six EU instruments addressing breaches is helping to prevent or mitigate breaches as intended. At a lower level of abstraction, the question concerns appraising the success of each instrument separately. At a higher level of abstraction, since all laws converge on the objective of network and information security – one of the three pillars of the EU cyber security policy – the question is whether the legal ‘patchwork’ is helping to ‘patch’ the underlying insecurity of network and information systems thus contributing to cyber security. To answer the research question, I look at the regulatory framework as a whole, from the perspective of network and information security and consequently I use the expression cyber security breaches. I appraise the regulatory patchwork by using the three goals of notification identified by the European Commission as a benchmark, enriched by policy documents, legal analysis, and academic literature on breaches legislation, and I elaborate my analysis by reasoning on the case of cloud computing. The analysis, which is frustrated by the lack of adequate data, shows that the regulatory framework on cyber security breaches may be failing to provide the necessary level of mutual learning on the functioning of security measures, awareness of both regulatory authorities and the public on how entities fare in protecting data (and the related network and information systems), and enforcing self-improvement of entities dealing with information and services. I conclude with some recommendations addressing the causes, rather than the symptoms, of network and information systems insecurity.

    Cascade and Chain Effects in Big Data Cybercrime: Lessons from the TalkTalk hack

    Big data and cybercrime are creating 'upstream', big data related cyber-dependent crimes such as data breaches. They are essential components in a cybercrime chain which forms a cybercrime ecosystem that cascades 'downstream' to give rise to further crimes, such as fraud, extortion, etc., where the data is subsequently monetized. These downstream crimes have a massive impact upon victims and data subjects. The upstream and downstream crimes are often committed by entirely different offending actors against different victim groups, which complicates and frustrates the reporting, recording, investigative and prosecution processes. Taken together the crime stream's cascade effect creates unprecedented societal challenges that need addressing in the face of the advances of AI and the IoT. This phenomenon is explored here by unpacking the TalkTalk case study to conceptualize how big data and cloud computing are creating cascading effects of disorganized, distributed and escalating data crime. As part of the larger CRITiCal project, the paper also hypothesizes key factors triggering the cascade effect and suggests a methodology to further investigate and understand it.

    Big data breaches? Harms of datafication to privacy rights

    Modelling the Cybercrime Cascade Effect in Data Crime

    This article contributes to the growing debate about the increasing importance of ‘data’ in modern cybercrime offending. In so doing, it illustrates the linkages between cyber-dependent and cyber-enabled crime bringing into focus the inability of current cybercrime legal categories to reflect such linkages which ultimately reflects how practitioners interpret them. Drawing upon data from court cases the article models the cybercrime cascade effect that results from data crimes. We argue that cybercrime is not a single action, but a process of interconnected social and technical actions in which data from ‘upstream’ cyber-dependent data crimes cascades ‘downstream’ to enable additional cyber-enabled crimes, such as scams, frauds and deceptions. By modelling the various tipping points at which stolen data cascades downstream we increase knowledge about the cybercrime ecosystem to highlight points at which interventions can be more effectively targeted. The ‘cascade effect’ is modelled by using mixed methods from law and criminology which include the “intermediate-N” configurational comparative method. By refining the tipping points of the cascade into decision trees, additional hypotheses, and the identification of the means to test them can be formulated. The article suggests that tipping points occur at each stage of the cascade model, however, the cascade into more crime is not found to be an automatic outcome as more social factors may be involved. Moreover, there exist layers of victimisation, which highlights the need to further research ways to incentivize early-offender interventions. Finally, the article illustrates the complexities of online offending, which include the presence of diverse, distributed and even disorganized actors within organised groups which do not easily fit into the traditional organized crime narrative.