The past few years have seen a growing interest in combining cybercrime economics and decision
research to understand the causes and consequences of cybercrime. Much effort has been directed towards studying attacker behavior, attacker psychology , and the psychology of victims, particularly with respect to the biases attackers exploit in their victims.
To our knowledge, attitudes towards cybercrime have been relatively less explored. But how
society—including victims and potential victims of cybercrime—views cybercrime is an important
topic for study. Public perceptions of crime can affect how cybercrimes are defined, what punishments they carry, whether those punishments are believed to be fair, and how resources are allocated to enforcement.
Accurately assessing perceptions of cybercrime is especially important considering that cybercrimes may be punished differently from equivalent real-world crimes . Consider, for example, the case of Matthew Keys, a journalist who gave a member of Anonymous the password to the Chicago Tribune’s content management system. Anonymous used the access (which they had for about 30 minutes) to change a story online. Keys was charged with three felonies, which a U.S. Department of Justice press release claimed carried a combined maximum sentence of up to 25 years. The similar real-world crime of vandalism is punishable in California by a maximum of 3
years, if charged as a felony. Some have, in fact, argued that the punishments for cybercrime are not harsh enough: a writer for Slate argued that cybercriminals should be given the death penalty. On the other hand, cybercrimes for profit are sometimes punished less severely than the corresponding real-world offences. In fact, a case that started the discussions which led to the work described in this paper took place in March 2011, when a student at Greenwich University defrauded a professor at Oxford of £18,000—and got a sentence of 120 hours community service. The perpetrator had been a mule in a phishing scam, so the fraud was online, and victim and attacker never met. Had it been face-to-face, sentencing guidelines would have set the starting point at 3 years.
Our investigation contributes to that debate by offering the first analysis (of which we are
aware) of individuals’ attitudes and perceptions of cybercrime. Our work extends the literature on
general crime seriousness [41, 32] by exploring how attributes of a particular type of cybercrime
affect perception of that crime. Our work is also inspired by the burgeoning field of experimental
philosophy, which uses experimental techniques to measure attitudes about ethical questions.
We measure attitudes towards cybercrime using a series of six survey experiments. Each experiment randomly assigned participants to one of two or more conditions. Participants assigned to any condition answered a survey that presented a vignette description of a fictional cybercrime. The vignettes varied according to the condition a participant was assigned. The dimensions on which we focused were the type of data, scope, motivation, the organization’s co-responsibility for the crime, consequenes, and context. We find that scope (the number of records downloaded) and the attacker’s motivation had significant effects on the perceived seriousness of the crime. Participants also recommended harsher punishments when the monetary costs of the cybercrime were higher. Perhaps most interestingly, our participants (who were U.S. residents) considered cybercrimes committed by activists to be significantly less blameworthy, and deserving of significantly lighter sentences, than cybercrimes committed for profit—contrary to the position sometimes taken by U.S. prosecutors.
Read the entire article at https://www.econinfosec.org/archive/weis2014/papers/GravesAcquistiAnderson-WEIS2014.pdf
Read more at Woods LLP