131 research outputs found

    Enhancing relationships between criminology and cybersecurity

    ‘Cybercrime’ is an umbrella concept used by criminologists to refer to traditional crimes that are enhanced via the use of networked technologies (i.e. cyber-enabled crimes) and newer forms of crime that would not exist without networked technologies (i.e. cyber-dependent crimes). Cybersecurity is similarly a very broad concept and diverse field of practice. For computer scientists, the term ‘cybersecurity’ typically refers to policies, processes and practices undertaken to protect data, networks and systems from unauthorised access. Cybersecurity is used in subnational, national and transnational contexts to capture an increasingly diverse array of threats. Increasingly, cybercrimes are presented as threats to cybersecurity, which explains why national security institutions are gradually becoming involved in cybercrime control and prevention activities. This paper argues that the fields of cyber-criminology and cybersecurity, which are segregated at the moment, are in much need of greater engagement and cross-fertilisation. We draw on concepts of ‘high’ and ‘low’ policing (Brodeur, 2010) to suggest it would be useful to consider ‘crime’ and ‘security’ on the same continuum. This continuum has cybercrime at one end and cybersecurity at the other, with crime being more the domain of ‘low’ policing while security, as conceptualised in the context of specific cybersecurity projects, falls under the responsibility of ‘high’ policing institutions. This unifying approach helps us to explore the fuzzy relationship between cyber-crime and cyber-security and to call for more fruitful alliances between cybercrime and cybersecurity researchers

    Beyond Norms: Using International Economic Tools to Deter Malicious State-Sponsored Cyber Activities

    In thinking about strategy and doctrine for cyberspace, one cannot ignore either the cyber domain's interaction with other domains or the applicability of existing legal tools to address cyberspace issues. This Comment focuses on the latter and argues that any discussion regarding deterrence and a playbook for consequences for cyber incidents by state actors ought necessarily to include a careful examination of existing plays, particularly where those incidents have an economic component as many do. Focusing on multilateral institutions, regional and bilateral trade and investment agreements, and unilateral tariff and non-tariff trade and investment tools, this Comment maintains that current and available international economic tools offer significant potential to shape cyber activities and norms and only now are beginning to be deployed this way.

    Criminal markets and networks in cyberspace

    This is an introduction to the special issue of Trends in Organized Crime on ‘criminal markets and networks in cyberspace’. All the contributions to this special issue, even if from different standpoints and focuses, help us understand how cyberspace is (re)shaping offenses and offenders

    Cybersecurity of the Person


    CyberGuardians: Improving Community Cyber Resilience Through Embedded Peer-to-Peer Support

    Older users are rapidly adopting internet-enabled devices, yet are often targeted by cyberattackers with possible disastrous consequences. We describe the CyberGuardians initiative where we train older members of the community to be knowledgeable about cybersecurity so they can spread the information to peers and help protect their communities from cyber harms. Specifically, we focus on a case study evaluating two CyberGuardians and their use of training materials to inform peers in their community about cybersecurity. We discuss the importance of flexible training materials that can be adapted by CyberGuardians for sharing with peers

    If the Law Can Allow Takebacks, Shouldn't it Also Allow Hackbacks?


    Cyber Resilience: What Is It And How Do We Get It?

    Prepare, Absorb, Recover, and Adapt: How organisations can better respond to cyber attacks and harms

    A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate

    Technological advances have resulted in organisations digitalizing many parts of their operations. The threat landscape of cyber-attacks is rapidly changing and the potential impact of such attacks is uncertain, because there is a lack of effective metrics, tools and frameworks to understand and assess the harm organisations face from cyber-attacks. In this paper, we reflect on the literature on harm, and how it has been conceptualised in disciplines such as criminology and economics, and investigate how other notions such as risk and impact relate to harm. Based on an extensive literature survey and on reviewing news articles and databases reporting cyber-incidents, cybercrimes, hacks and other attacks, we identify various types of harm and create a taxonomy of cyber-harms encountered by organisations. This taxonomy comprises five broad themes: physical or digital harm; economic harm; psychological harm; reputational harm; and social and societal harm. In each of these themes we present several cyber-harms that can result from cyber-attacks. To provide initial indications about how these different types of harm are connected and how cyber-harm in general may propagate, this article also analyses and draws insight from four real-world case studies, involving Sony (2011 and 2014), JPMorgan and Ashley Madison. We conclude by arguing for the need for analytical tools for organisational cyber-harm, which can be based on a taxonomy such as the one we propose here. These would allow organisations to identify corporate assets, link these to different types of cyber-harm, measure those harms and, finally, consider the security controls needed for the treatment of harm

    An Impact and Risk Assessment Framework for National Electronic Identity (eID) Systems

    Electronic identification (eID) systems allow citizens to assert and authenticate their identities for various purposes, such as accessing government services or conducting financial transactions. These systems improve user access to rights, services, and the formal economy. As eID systems become an essential facet of national development, any failure, compromise, or misuse can be costly and damaging to the government, users, and society. Therefore, an effective risk assessment is vital for identifying emerging risks to the system and assessing their impact. However, developing a comprehensive risk assessment for these systems must extend far beyond focusing on technical security and privacy impacts and must be conducted with a contextual understanding of stakeholders and the communities these systems serve. In this study, we posit that current risk assessments do not address risk factors for all key stakeholders and explore how potential compromise could impact them each in turn. In the examination of the broader impact of risks and the potentially significant consequences for stakeholders, we propose a framework that considers a wide range of factors, including the social, economic, and political contexts in which these systems were implemented. This provides a holistic platform for a better assessment of risk to the eID system. Comment: 10 page