The impact of cybercrime on businesses: a novel conceptual framework and its application to Belgium
Despite growing indications and fears about the impact of cybercrime, only few academic studies have so far been published on the topic to complement those published by consultancy firms, cybersecurity companies and private institutes. The review of all these studies shows that there is no consensus on how to define and measure cybercrime or its impact. Against this background, this article pursues two aims: 1) to develop a thorough conceptual framework to define and operationalize cybercrime affecting businesses as well as its impact, harms, and costs; and 2) to test this conceptual framework with a survey of businesses based in Belgium, which was administered in summer 2016 and elicited 310 valid responses. Consisting of five types, our conceptualization of cybercrime is, unlike others, technology-neutral and fully compatible with the legislation. Drawing on Greenfield and Paoli’s Harm Assessment Framework (The British Journal of Criminology, 53, 864–885, 2013), we understand impact as the overall harm of cybercrime, that is, the “sum” of the harms to material support, or costs, and the harms to other interest dimensions i.e., functional (or operational) integrity, reputation and privacy. Whereas we ask respondents to provide a monetary estimate of the costs, respondents are invited to rate the severity of the harms on the basis of an ordinal scale. We claim that this “double track” gives a fuller, more valid assessment of cybercrime impact. Whereas most affected businesses do not report major costs or harm, 15% to 20% of them rate the harms to their internal operational activities as serious or more, with cyber extortion regarded as most harmful.
We thank Dr. Elke Van Hellemont (University of Kent, previously KU Leuven) for her help in developing the questionnaire and organizing the data collection.
Project funded by BELSPO (Belgian Science Policy Office) under the BRAIN (Belgian Research Action through Interdisciplinary Networks) program: BR/132/A4/BCC.
- 1.Goldman, R. (2017, May 12). What we know and don’t know about the international cyberattack. The New York Times. www.nytimes.com/2017/05/12/world/europe/international-cyberattack-ransomware.html?_r=0. Accessed 10 Sept 2017.
- 2.McGuire, M., & Dowling, S. (2013). Cyber crime: a review of the evidence. London: Home Office.Google Scholar
- 3.Wall, D. S. (2007). Cybercrime: the transformation of crime in the information age. Malden: Polity Press.Google Scholar
- 4.Reiner, R. (2016). Crime: the mystery of the common-sense concept. Cambridge: Polity Press.Google Scholar
- 5.Federale Regering (2016). Kadernota integrale veiligheid 2016–2019 [Framework document integrated security 2016–2019]. www.besafe.be/sites/besafe.localhost/files/u19/2016-06-7_kadernota_integrale_veiligheid_nl.pdf. Accessed 18 Feb 2018.
- 6.Volz, D., & Hosenball, M. (2016, February 10). Concerned by cyber threat, Obama seeks big increase in funding. www.reuters.com/article/us-obama-budget-cyber-idUSKCN0VI0R1. Accessed 10 Sept 2017.
- 10.Williams, M. L., & Levi, M. (2017). Cybercrime prevention. In N. Tilley & A. Sidebottom (Eds.), Handbook of crime prevention and community safety (pp. 454–469). London: Routledge.Google Scholar
- 12.Klahr, R., Amili, S., Shah, J. N., Button, M., & Wang, V. (2016). Cyber security breaches survey 2016. www.gov.uk/government/uploads/system/uploads/attachment_data/file/521465/Cyber_Security_Breaches_Survey_2016_main_report_FINAL.pdf. Accessed 10 Sept 2017.
- 13.Klahr, R., Shah, J. N., Sheriffs, P., Rossington, T., Pestell, G., Button, M., & Wang, V. (2017). Cyber security breaches survey 2017. www.gov.uk/government/statistics/cyber-security-breaches-survey-2017. Accessed 10 Sept 2017.
- 14.Rick, M., Böhme, R., Lucica, E., Johnson, A., & Sõmer, T. (2015). Executive summary and brief: survey and interview results including detailed appendixes on survey and interview results. www.ecrime-project.eu/wp-content/uploads/2015/02/E-CRIME-Deliverable-4.2.pdf. Accessed 10 Sept 2017.
- 16.Dubourg, R., & Prichard, S. (2007). The impact of organised crime in the UK: revenues and economic and social costs, in organised crime: revenues, economic and social costs, and criminal assets available for seizure, 1–53, London: Home Office.Google Scholar
- 17.Heaton, P. (2010). Hidden in plain sight. What cost-of-crime research can tell us about investing in police. Santa Monica: RAND Corporation.Google Scholar
- 20.Detica. (2011). The cost of cybercrime: a detica report in partnership with the office of cyber security and information assurance in the cabinet office. Guilford: Detica.Google Scholar
- 21.PwC (2016). Information security breaches survey 2016: a matter of when, not if, a breach will occur. www.pwc.be/en/documents/media-centre/publications/2016/information-security-breaches-survey-2016.pdf. Accessed 10 Sept 2017.
- 22.CSIS, Center for Strategic and International Studies (2014). Estimating the global cost of cybercrime: economic impact of cybercrime II. www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf. Accessed 10 Sept 2017.
- 23.Verizon (2016). 2016 Data breach investigations report. http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf. Accessed 10 Sept 2017.
- 24.Ponemon (2016). 2016 cost of cybercrime study & the risk of business innovation. www.ponemon.org/local/upload/file/2016%20HPE%20CCC%20GLOBAL%20REPORT%20FINAL%203.pdf. Accessed 10 Sept 2017.
- 26.Morgan, S. (2016, January 17). Cyber crime costs projected to reach $2 trillion by 2019. Forbes. www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#3cbe9e353a91. Accessed 10 Sept 2017.
- 27.Ponemon (2015). The cost of malware containment. www.ponemon.org/local/upload/file/Damballa%20Malware%20Containment%20FINAL%203.pdf. Accessed 10 Sept 2017.
- 30.Ponemon (2016b). 2016 cost of data breach study: global analysis. www.www-01.ibm.com/marketing/iwm/dre/signup?source=mrs-form-1995&S_PKG=ov49542. Accessed 10 Sept 2017.
- 31.CSI, Computer Security Institute. (2011). 15th annual 2010/2011 computer crime and security survey. www.cours.etsmtl.ca/gti619/documents/divers/CSIsurvey2010.pdf. Accessed 10 Sept 2017.
- 32.FSB, Federation of Small Businesses (2012). Cyber security and fraud: the impact on small businesses. www.fsb.org.uk/LegacySitePath/frontpage/assets/fsb_cyber_security_and%20_fraud_paper_2013.pdf. Accessed 10 Sept 2017.
- 33.CPNI, Centre for the Protection of National Infrastructure (2014). Cyber-attacks: effects on UK companies. www.oxfordeconomics.com/my-oxford/projects/276032. Accessed 18 Feb 2018.
- 34.PwC UK (2015). 2015 Information security breaches survey: technical report. www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-blue-digital.pdf. Accessed 10 Sept 2017.
- 35.PwC (2016b). Global economic crime survey 2016: adjusting the lens on economic crime: preparation brings opportunity back into focus. www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf. Accessed 10 Sept 2017.
- 36.PwC [Netherlands] (2014). Cybercriminaliteit tegen Nederlandse organisaties: een digitale dreiging [Cybercrime against Dutch organisations: a digital threat]. www.pwc.nl/. Accessed 10 Sept 2017.
- 38.Paoli, L., Visschers, J., Verstraete, C., & van Hellemont, E. (2017). The impact of cybercrime on Belgian businesses. www.bcc-project.be/. Accessed 10 Sept 2017.
- 39.European Commission (2013). Cybersecurity strategy of the European union: an open, safe and secure cyberspace. www.eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf. Accessed 10 Sept 2017.
- 40.UNODC, United Nations Office on Drugs and Crime. (2013). Comprehensive study on cybercrime. Vienna: United Nations Office on Drugs and Crime.Google Scholar
- 41.European Commission (2017a). Country report Belgium 2017. Available: www.ec.europa.eu/info/sites/info/files/2017-european-semester-country-report-belgium-en.pdf. Accessed 18 Feb 2018.
- 42.European Commission (2017b). Report from the commission to the European parliament and the council assessing the extent to which the member States have taken the necessary measures in order to comply with directive 2013/40/EU on attacks against information systems and replacing council framework decision 2005/222/JHA. www.eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52017DC0474&from=EN. Accessed 18 Feb 2018.
- 43.ENISA, European Union Agency for Network and Information Security (2016). ENISA threat landscape 2015. Available: www.enisa.europa.eu/. Accessed 10 Sept 2017.
- 44.Europol. (2016). Internet organised crime threat assessment 2016. The Hague: Europopl.Google Scholar
- 46.Carter, J. S. (2016). Pay up or else: the ins and outs of cyber extortion insurance coverage. Risk Management, 63, 32–35.Google Scholar
- 47.Domenie, M. M. L., Leukfeldt, E. R., van Wilsem, J. A., Jansen, J., & Stol, W. P. (2013). Victimisation in a digitised society – a survey among members of the public concerning e-fraud, hacking and other high-volume crimes. The Hague: Eleven.Google Scholar
- 49.Feinberg, J. (1984). Harm to others. New York, NY: Oxford University Press.Google Scholar
- 50.von Hirsch, A., & Jareborg, N. (1991). Gauging criminal harm: A living-standard analysis. Oxford Journal of Legal Studies, 11(1), 1–38.Google Scholar
- 53.Eurostat (2017). GDP per capita, consumption per capita and price level indices. www.ec.europa.eu/eurostat/statistics-explained/index.php/GDP_per_capita,_consumption_per_capita_and_price_level_indices#Relative_volumes_of_GDP_per_capita. Accessed 18 Feb 2018.
- 54.Eurostat (n.d.). Business demography main variables - NACE Rev. 2 (B-N excluding K64.2). www.ec.europa.eu/eurostat/tgm/table.do?tab=table&init=1&language=en&pcode=tin00170&plugin=1. Accessed 18 Feb 2018.
- 55.PwC Belgium (2017). Redefining the security culture – a better way to protect your business. www.pwc.be/en/documents/20170315-Information-security-breaches-survey.pdf. Accessed 10 Sept 2017.
- 56.European Commission. (2003). Commission recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises. Official Journal of the European Union, 124, 36–41.Google Scholar
- 57.FOD Economie (2016). Aantal actieve btw-plichtige ondernemingen volgens werknemersklasse en plaats maatschappelijke zetel, meest recente jaar [Webpage]. www.bestat.economie.fgov.be/bestat/crosstable.xhtml?view=9d19ebe2-f35a-4b51-ac1a-c153e6d77d67. Accessed 10 Sept 2017.
- 58.Ponemon (2016c). 2016 cost of data breach study: Germany. http://www.ibm.com. Accessed 10 Sept 2017.
- 59.European Commission. (2017c). Special eurobarometer 464a: Europeans’ attitudes towards cyber security. Brussels: European Union.Google Scholar