4 March 2022
Why do people convert to crime? Which thresholds might limit them and what “motivates” them into the wrong direction? Even though we have come a long way since Bonnie & Clyde, some of the same criminology principles can still be applied to cybercrime.
In a previous article we took a closer look at the definition and victims of Cy-X, the crime of Cyber Extortion. In this article, we explore the application of the criminology theory called Routine Activity Theory (RAT) to the problem of Cy-X. It will help us to understand Cy-X and explore how we can work towards reducing it.
The RAT, developed by Cohen & Felson in 1979, states that there are three elements that, when put together, lead to crime:
A motivated offender
A suitable target, either a person or an object
The absence of a capable guardian (which could also be a person or an object)
So, let’s explore these three elements and the possibilities to reduce any of these factors.
According to the RAT, a motivated offender can either be an individual or a group
that has both the tendency and the ability to commit a crime. It looks at the factors that contribute to a crime becoming a sufficiently attractive option to a ‘rational’ person.
Most cybercrime activities involve several individuals working together as a group, each with their own set of specialised skills. An offender is therefore usually only a single part in a larger chain. Additionally, criminals are no longer looking their victims in the eyes while holding them at gunpoint, waiting for the teller to fill out the bags at the bank. Moral objections towards a “digital” victim are more easily set aside when they remain abstract.
We identify three opportunities to reduce the motivation of a potential offender.
1. Targeted efforts to reduce criminals’ neutralization techniques
Extortionists deploy a technique known to criminologists as “neutralization” – a means of overcoming the moral obstacles to perpetrating a crime. They present themselves favourable to the world. Appealing of course to those who are just a small operator in a large group.
These neutralization techniques should be tackled as part of a broader strategy.
2. Coordinated law enforcement effort
The fear of being locked behind bars can set people off from committing a crime. Policing in cyberspace is challenging by nature, even more so as cybercrime isn’t limited to country borders. Effective international law enforcement cooperation will remain difficult until the global community collectively commits to a set of norms and standards that define the kinds of cyberattack activities that fall within the accepted realm of nation-on-nation competition, without having a detrimental impact on the broader civilian and business community.
3. Reducing the flow of funds from victims
Money is obviously a large motivator to commit a crime and the offender doesn’t have to wait for the teller anymore. In a previous blog we already mentioned that cryptocurrencies had helped turn ransomware into a viable cybercrime business model.
Therefore, disrupting the channels of payment is an effective, maybe even the only effective, means of countering cybercrime. There are three broad levers that could be used to choke the flow of payments, namely:
Regulation of payments by the victims.
Regulation of crypto currency systems and service providers.
Regulation of cyber insurance policies and payments.
RAT uses the acronym VIVA to describe the factors that make a victim suitable: Value, Inertia, Visibility and Access. These can all be applied to potential Cy-X victims, to which we added another V, namely Vulnerability.
Analyses of RAT with regards to real-world crime suggests that there are simple routine choices that can make you less vulnerable to attack. The more vulnerable the victim is, the
more likely the offender is to commit the crime.
The following steps can be taken to reduce the suitability of the victim in Cy-X
based on the VVIVA variables:
Guardians according to the RAT framework can be either a person or an object. Obvious guardians in the real world are the police and the lock on your front door.
In the world of cybersecurity, it is easy to see a guardian as a technical instrument, such as a firewall. The security technologies we deploy are analogous to real-world controls like gates, locks, and cameras.
The “absence” of a suitable guardian in this case would indicate a security controls failure, like patch management, but it can also refer to a shortage of cyber security experts, or to ordinary people who lack the security knowledge and awareness to be considered ‘capable’.
Because guardianship is much more than technology. It also encompasses people and groups acting in a formal or informal capacity.
In order to strengthen the guardianship in cyberspace we need to consider the technological element and the human factor.