Juraj Sikra, Computer and Information Sciences, University of Strathclyde (Glasgow, UK); 2 Faculty of Psychology, Taras Shevchenko National University of Kyiv (Kyiv, Ukraine); e-mail: [email protected]
Karen V. Renaud, Computer and Information Sciences, University of Strathclyde (Glasgow, UK); Department of Information Systems, Rhodes University (Grahamstown, South Africa); School of Computing, University of South Africa (Pretoria, South Africa); Division of Cybersecurity, Abertay University (Dundee, UK)
Daniel R. Thomas, Computer and Information Sciences, University of Strathclyde (Glasgow, UK); Computer Laboratory, University of Cambridge (Cambridge, UK)
To comprehend cybercrime underreporting, we need to explore the nature of UK cybercrime and its impact on UK-based victims. We investigated the entire landscape by carrying out a systematic literature review, covering both academic and grey literature. This review sought to answer three research questions.
- What characterises cybercrime in the UK?
- What is known about UK cybercrime victims?
- What influences and deters cybercrime reporting in the UK?
Our investigation revealed three types of reportable cybercrime, depending on the target: individuals, private organisations and public organisations.
Victimhood varies depending on a number of identified dimensions, including vulnerability aspects, psychological perspectives, age-related differences and researcher attempts to model the victims of cybercrime. We also explored UK victims’ reported experiences in dealing with the consequences of falling victim to a cybercrime.
In terms of cybercrime reporting, we identified three kinds of reporting: human-to-human, human-to-machine and machine-to-machine. In examining factors deterring reporting, we incorporated discussions of policing, and the challenges UK police forces face in coping with this relatively novel crime. Unlike in traditional crimes, perpetrators possess sophisticated technological skills and may reside outside of the UK’s police jurisdiction. We discovered a strong social dimension to reporting incidence, with the UK government’s cyber-responsibilisation agenda likely playing a major role in deterring reporting. This strategy involves the government providing a great deal of advice and then expecting citizens to take care of their own cybersecurity. Within this, if citizens do not act on the advice, they have to accept the consequences.
Improvements in cybercrime reporting have to date been technologically focused. This neglects the social dimensions of cybercrime victimhood and does not acknowledge the reporting-deterring side-effects of the UK’s cyber-responsibilisation agenda. We thus conclude with suggestions for improving cybercrime reporting in the UK.