A new way to design, prioritise and apply defence in depth efforts using traditional situational crime prevention strategies.
Cybercrime is growing year on year and in some countries has superseded traditional crime types in volume and financial impact as the internet enables motivated and resourceful individuals, organised gangs and even nation states to target victims anywhere they spend time online.
The transnational nature of cybercrime – where offenders can be located in one jurisdiction and prey upon victims and commit crimes in another enabled by internet and communications technologies – introduces a range of complexities when compared with traditional policing efforts to prevent and investigate offences, identify and prosecute criminals and apply sanctions and penalties.
There are often many domestic parties involved in reporting and policing cybercrimes. In the absence of clear reporting taxonomies and with competing interests or fragmented responsibilities, victims can find it confusing to know where and how to report and can give up or ‘fall between stools’. Cooperation and coordination across multiple bodies including international partners can eventually leave victims frustrated and subject to uncertain outcomes.
The true volume of cybercrimes being committed remains unknown as reporting levels are impacted by hesitance, embarrassment and confusion among victims. In New Zealand, research undertaken has found that only 10% of fraud or cybercrime incidents were reported to the Police (Ministry of Justice’s New Zealand Crime and Victims Survey results, Cycle 2 – 2019). And of those crimes reported, very few will ever be investigated and even fewer lead to prosecutions and effective penalties or reparations.
Policing resources are often limited and investigations focused on crimes that are likely to be solved. A threshold assessment of many cyber-enabled crimes will highlight the low likelihood of being able to identify an offender and even lower likelihood of securing a conviction across international borders.
It must be acknowledged that criminals benefit from this complexity and confusion. Getting caught and punished remains highly unlikely, which leaves law enforcement and the criminal justice system with little ability to deter offenders from committing crimes.
Disruption and prevention are key
When criminal sanctions are not possible and opportunities to identify and modify the behaviours and motivations of international offenders are limited, efforts must instead be focused on disrupting and preventing offenders from successfully committing crimes.
Strategic crime prevention has been a key part of policing efforts since the 1970s with the development of the ‘crime triangle’ or problem analysis triangle which looks to analyse situational or environmental factors to find ways to disrupt the opportunities offered to motivated and resourceful offenders to commit crimes.
Routine Activity Theory (RAT), developed by Lawrence Cohen and Marcus Felson, states that crime occurs when a likely offender and a suitable target come together in time and place, without a capable guardian present.
The target can be a human victim or an inanimate object since both meet the offender’s key intent of profiting from their law breaking. A capable guardian can be either a human or a security device. Thus the three sides of the problem analysis triangle represent the offender, the target, and the location or place.
- An ‘offline crime’ example is a burglar (offender) seeking to steal electronic goods (target) and finding an empty home with the ground floor windows left open (place).
- An ‘online crime’ example is a cybercriminal (offender) using phishing emails to lure an unsuspecting internet user (place) into divulging their account credentials (target) to a fake website.
A motivated criminal in both scenarios seeks the opportunity to commit a crime using the tools and abilities they have access to. It’s evident from the online crime example given that the number of opportunities to profit will be substantially higher and require the offender to put themselves at less risk of being caught and punished. The place is any user or system connected to the global internet and the targets are exponentially higher in number, many lacking a capable guardian in the form of digital literacy, security software or awareness of common cybercrime attack techniques.
The internet has become a profitable environment for motivated and resourceful offenders from around the world to locate suitable targets and commit crimes without fear of punishment. If crime is associated with increased opportunity, the rapid adoption of the internet for many aspects of business and leisure has led to individuals spending more time online and thus to a greater likelihood of cyber-enabled crimes occurring.
Modifying the environment to reduce criminal opportunities
Research has shown that the more time you spend browsing, buying, communicating and creating in digital environments, the greater the risk of becoming a victim. The answer to this situation thus rests upon three factors – demotivating offenders, reducing the pool of suitable targets and making guardians more effective.
Situational Crime Prevention (SCP) techniques were developed to modify the environment and reduce the opportunities for crime to occur. SCP, invented by Ron Clarke, is often used by Police to tackle common categories of ‘traditional’ crime like burglary and vehicle theft. Through 5 main categories and 25 techniques tailored to crime-specific patterns, prevention efforts are designed to make it harder, more risky or less rewarding for offenders to commit criminal acts.
The five main mechanisms aim to reduce the opportunity for offenders to commit crime by:
- Increasing the effort
- Increasing the risks
- Reducing the reward
- Reducing provocations
- Removing excuses
Critics of SCP believe that, by modifying the environment alone and not tackling the root causes of crime, offenders are simply displaced and may go on to commit crimes against other targets or in other territories. Whilst that may be true to a limited extent, the identification of the 25 SCP techniques and proactive use by potential victims does provide information about specific crime risks and guidance on how to avoid them. In the offline environment, a burglar may choose to target a home in another street that is less well secured; in the online environment, a cybercriminal may successfully compromise an account that is lacking MFA.
Noting the current practical limitations on law enforcement personnel identifying and punishing international offenders, situational crime prevention techniques offer the most pragmatic path for potential cybercrime victims to take responsibility for their own online safety and security and follow actionable steps to minimise opportunities for motivated offenders to victimise them.
Situational crime prevention and the Cyber Self Defence Framework
Clarke has proposed prevention examples for many forms of volume property crimes to modify key environmental factors and reduce the opportunity and ability of offenders to commit crimes.
The application of SCP techniques to cyber-enabled crimes has so far been limited, but it’s evident that if technology assists offenders to repackage, modify and update traditional crimes to be undertaken in the online environment, a crime-specific prevention approach could be developed to effectively reduce the opportunity for offenders to find suitable targets in the absence of capable guardians.
The Cyber Self Defence Framework (CSDF) proposes a set of situational security measures – tailored to common cyber-enabled crimes including phishing, social engineering, malware and online scams and fraud – that could be applied by the average home internet user to help break the causal chain and prevent cybercrime occurring. Created using Clarke’s situational crime prevention theory, it identifies a range of activities across the 25 techniques you can follow to deter, deflect and defend against cybercriminals.
Policing practice notes that any tactical SCP interventions should not be too ambitious or costly, should focus on near, direct causes to have an immediate impact, and should be easily articulated and understood.
Through developing the CSDF we’ve applied that policing mindset and assessed how internet users should best spend their time, effort and money in securing their digital world. Each of the 25 cybercrime prevention techniques lists a series of steps that can be taken to harden targets, disrupt markets or screen exits in the digital domain. We’ve provided specific actions and have also quantified benefits, cost, efforts, effectiveness, risks and likelihood.
Prioritisation has been applied through three implementation groups to focus immediate prevention efforts. Users of the framework can pick and choose which techniques to apply and can rate their preparedness using our self-assessment tool to quickly identify gaps in their existing defences.