Just as in other types of victimization, victims of cybercrime can experience serious consequences, emotional or not. First of all, a repeat victim of a cyber-attack might face serious financial or emotional hardship. These victims are also more likely to require medical attention as a consequence of online fraud victimization. This means repeat victims have a unique set of support needs, including the need for counselling, and seeking support from the criminal justice system. There are also cases, such as in cyberbullying or sextortion, where victims will not speak to their family and friends. These victims feel too ashamed to share details with others and they will probably not receive any support. In such cases trauma can even lead to self-harm. Therefore, we see that online victimization can actually lead to physical harm.
As a member of the National Risk Assessment (NRA) Behavioural Science Expert Group in the UK, working on the social and psychological impact of cyber-attacks on members of the public, I have identified for years now that the actual social or psychological impact of different types of cyber-attacks to victims or society as a whole is still not explored. Governments have been slow in identifying and analysing potential events online that may negatively impact individuals. In the UK, as well as in other countries, cybercrime has been added as part of a national risk assessment exercise only a few years ago. Therefore, our knowledge about the potential impact of cyber-attacks and their cascading effects are still being under research.
This is often a very difficult area for lawyers and the courts to understand. Understanding victims’ needs and the responsibilities of the police, the judiciary and other authorities in dealing with such crimes is very important. This is why we need to further explore how and to what extent the situation and needs of victims of online crimes differ from those of traditional offline crimes. By sharing experiences and openly discussing about this issue, we will be able to engrain the cybersecurity mindset in our societies thus preventing victimization in some level.
In this post I would like to introduce recent work in this area. The first one explores the social and psychological impact of cyber-attacks to individuals as well as nations, the second one explores the differences between the situation and needs of online and offline crime victims while the third one discusses the relationship between offending and victimization online.
The Social and Psychological Impact of Cyber-Attacks. By Maria Bada and Jason Nurse (Elsevier, 2019).
In this article, the authors seek to further advance discussions on cyber threats, cognitive vulnerabilities and cyberpsychology through a critical reflection on the social and psychological aspects related to cyber-attacks. In particular, the main aim here is understanding how members of the public perceive and engage with risk and how they are impacted during and after a cyber-attack has occurred. This research focuses on key cognitive issues relevant to comprehending public reactions to malicious cyber events including risk perception; locus of control; culture of fear; the online disinhibition effect and protection motivation amongst others. Also, the authors assess the range of potential factors which can influence the public’s level of perceived risk, such as the perpetrator’s identity and the scale of the cyber-attack.
As stated, members of the public are more likely to respond to the effects of a cyber-attack rather than the attack itself. One example of this is a cyber-attack where malware infects a national power station causing the hundreds of thousands of citizens to be without power. A user’s beliefs about the perceived severity of an event, the susceptibility to the threat, the perceived self-efficacy and the cost and efficacy of preventative or mitigating behaviours are important components shaping online behaviour especially in applying security mechanisms.
Another element of relevance is the general culture of fear related to crime and cyber-events. Fear of crime can prompt people to change their behaviour. At the level of the individual, people generally respond to the fear of crime by adopting protective or avoidance behaviours. Phobophobia – the psychological fear of fears can lead to stress, intense anxiety, and unrealistic and persistent public fear of crime and danger, regardless of the actual presence of such fear factors.
Depending on who the attackers and the victims are, the psychological effects of cyber threats may even rival those of traditional terrorism. Victims of online attacks and crime can suffer emotional trauma which can lead to depression. As an example, the impact of identity theft on a victim at an emotional level can lead the person becoming distressed and be left feeling violated, betrayed, vulnerable, angry and powerless. Often, victimization can lead victims to feelings of outrage, anxiety, a preference for security over liberty, and little interest of adopting new technology due to loss of confidence in cyber. The victim can go into stages of grief, suffer from anger or rage. In some cases, victims may even blame themselves and develop a sense of shame; sextortion is a good example of this given how it initially starts. Often, due to a sense of learned helplessness and a lack of knowledge about online attacks and ways to resolve an incident, users may simply accept the possibility of being victims.
The authors reflect on two real-world cyber-attack scenarios from 2017: the global WannaCry attack and the denial-of-service (DoS) attack on the Lloyds Banking Group. Reflecting on the social impact of the WannaCry attach which infected over 200,000 victims in at least 150 countries, including members of the public, but also healthcare organizations, car manufacturers, telecoms companies, delivery services and the education sector, the authors explain that the disruption it caused at the social level was quite significant. Organizations closed, production stopped and many businesses were unaware of how best to restore services. Overall, people felt a loss of control as the threat was so pervasive and the only option for recovery was to pay the ransom. In total, these disruptions led to an estimated $8 billion in economic costs globally. Regarding the psychological impact of WannaCry attack, for many it resulted in worry, anguish, disbelief, and a sense of helplessness.
Similarly, the denial-of-service (DoS) attack on the Lloyds Banking Group affected millions of bank customers at the broad social and societal levels. Analyzing the psychological impact of the Lloyds DDoS attack, it caused customers to be upset and frustrated – this was therefore mainly an emotional response. The authors suggest that lack of access to bank accounts and potentially personal funds (e.g., if money had to be transferred from one account to the another to facilitate a withdrawal), would have significantly increased customer stress and anxiety.
The authors suggest that further investigation of this area and the interaction between cybersecurity and cognitive factors is needed.
Online Crime Victimization Needs, Consequences and Responsibilities Following Victimization Through Cybercrime and Digital Crime. By Rutger Leukfeldt, Raoul Notté and Marijke Malsch (2019).
This study is a first step towards exploring the impact of online crime victimization in the Netherlands. In particular, it explores victims’ needs and the responsibilities of the police, the judiciary and other authorities in dealing with such crimes. Particular attention is paid to the question of how and to what extent the situation and needs of victims of online crimes differ from the situation and needs of victims of traditional offline crimes. The central question of this research is: in relation to the police/judiciary, how and to what extent the situation and needs of victims of online crimes (both cyber- enabled and cyber-dependent crimes) differ from the situation and needs of victims of traditional offline offenses. The method used in this study were:
- literature review on the consequences of traditional offline offenses and victim needs
- interviews with experts (police officers and Public Prosecutors engaged in the investigation and prosecution of online crime on a daily basis; employees of victim support agencies; and scientific researchers) as well as
- interviews with victims of all types of online crimes (victims of cyber-dependent crimes (hacking, ransomware), financially motivated cyber-enabled crime (phishing, dating fraud), interpersonal cyber-enabled crime (cyberstalking and threats) and sexual cyber- enabled crimes (sexting).
- Focus group discussion with experts from inside and outside the police and judiciary.
The findings of this study indicate that the characteristics of online crimes mean that their impact can be much more significant than the impact of offline offenses. The online aspect reinforces the consequences for the victim at different times. The victim’s perception is that the consequences could be repeated at any time. Furthermore, the interconnectedness of the online and offline world can increase the impact of the online variant of a traditional offline crime, such as stalking or threats.
In contrast to the more traditional offline offenses, online offenses often have multiple facets, each of which can provide a certain type of victimization. For example, financial consequences often go hand in hand with feelings of shame and guilt. Such far-reaching consequences can be reinforced if the police subsequently fail to actively seek out the offender or if police officers partly blame the victim or just victims are not taken seriously by police officers. Another consequence may be that the victim withdraws (in part) from (online) society. An important aspect here is that in many cases police officers do not have sufficient knowledge of online offenses and consider such offenses to be complex. As a result, people who report online crimes are victim blamed, or the crime is not investigated.
The authors suggest that further research is needed related to the impacting on multiple aspects of life for victims of online offences as well as the victims’ needs in this regard which could support policy development in this area.
Offending and Victimization in the Digital Age: Comparing Correlates of Cybercrime and Traditional Offending-Only, Victimization-Only and the Victimization-Offending Overlap, Deviant Behavior. By Marleen Weulen Kranenbarg, Thomas J. Holt and Jean-Louis van Gelder (2019).
This work explores the relationship between offending and victimization online. The authors examined both situational and personal correlates of cybercrime offending-only, victimization-only and victimization-offending separately and compared these with traditional crimes.
Similar aspects have been previously studied for offline crime showing that victims are likely to commit criminal acts, and that offenders have a relatively high probability of being victimized.
For this study, a Dutch high risk sample of former suspects of cybercrime and traditional crime was used. A survey was conducted including six types of cybercrime victimization: malware, hacking, phishing, defacing, data theft or damage, and DoS attacks.
In line with previous research, the results showed that there is a considerable victim-offender overlap for both cybercrime and traditional crime, even for adults and computer-dependent cyber- crime. Although the percentage of cybercrime victim-offenders is relatively small, the physical convergence of victims and offenders was not required to observe an overlap. For both cybercrime and traditional crime differences appeared between offenders-only, victims-only and victim-offenders in seriousness of victimization, types of victimization and offending, and the underlying correlates. Cybercrime results showed a considerable victim-offender overlap and correlates like low self-control and routine activities partly explain differences in victimization, offending, and victimization-offending.
More technical cybercrimes were more common in the offenders-only group than in the group of victim-offenders. It is therefore suggested that when traditional explanations of victimization and offending are updated to the digital context and studied in conjunction with their traditional counterparts, we are even better able to explain the differences between cybercrime victims-only, offenders-only and victim-offenders than we are for traditional crime.
As online threats and cyber-attacks continue to permeate the Internet, it is essential that we as a community develop a better understanding of these issues and how they can impact our lives. As shown from the studies presented, understanding what leads to victimization online is a complex issue depending on cognitive, social, or skill related factors. What is clearly illustrated is that further research is needed in order to better understand the impact on multiple aspects of life for victims of online crime as well as the victims’ needs and therefore develop policies in this area. In addition, we need to better assess the knowledge and skills of law enforcement and judiciary which might further impact the ways such victims are supported.