UK Perspectives on Cyber Crime - MSU Criminal...
UK Perspectives on Cyber Crime: victims, offences and offenders
Samantha Dowling Head of Cyber Crime Research Team
Office for Security and Counter-Terrorism Research and Analysis Unit (OSCT R&A),
Home Office Science
March 2017
OFFICIAL
Presentation overview
1. The changing nature of crime – crime trends in England and Wales
2. Developments in our understanding of cyber crime
3. New challenges: understanding cyber offenders and effective approaches to preventing involvement in cyber offending
A new headline crime estimate of 11.8m crimes in England and Wales for
the year ending Sept 2016 - now including cyber crime and fraud
11.8m (inc. fraud and cyber)
6.2m (exc. fraud and cyber)
An estimated 2m computer misuse and 3.6m fraud offences
occurred in the year ending Sept 2016
CSEW Experimental data: Estimated number of fraud and computer misuse incidents, year ending Sept 2016
Note: Based on approx. 17,900 interviews over 12 months
Just over half of these (53%) were cyber-related.
• There were over 1.5 million victims of computer misuse, with 2 million incidents in total.
Our ability to understand the scale and nature of cyber
crime has improved considerably in recent years
• The Crime Survey for England and Wales now captures cyber crime and fraud. It also includes:
• Victim characteristics
• Losses from cyber crime
• Take-up of cyber security behaviours
• Volume of recorded cyber crime (and fraud) is captured centrally through a National Reporting
Centre: Action Fraud
• New business surveys (e.g. the Cyber Security Breaches Survey) now provide more robust
assessments of the scale and nature of cyber attacks experienced by businesses
• An online crime flag has been introduced to police recorded crime
• The Home Office has completed a programme of work considering how to improve assessments of
the Costs of Cyber Crime
But other notable gaps remain in our knowledge.
Cyber offenders are a key knowledge gap, a priority area for policy
development and the focus of our current research programme
The involvement of young people in high-profile cyber attacks (e.g. TalkTalk) has raised
awareness of the need to identify how, why and when people may become involved in
cyber crime.
The National Cyber Security Strategy emphasises the need to:
‘deter individuals from being attracted to, or becoming involved in, cyber crime by building
on our early intervention measures’.
There is growing interest in these ‘Prevent’ interventions – although ‘Pursue’ strategies
(i.e. catching the criminals) are still important.
Intervening in this area sounds a great idea, but…
• Who are we aiming our interventions at?
• How do we identify those most at risk?
• When, how and by whom should interventions be delivered?
• What types of interventions might be effective - and with different types
of cyber offenders?
• How do we best evaluate how effective they are?
(1) Survey knowledge regarding prevalence of cyber offending behaviours
in the general population is out of date / unknown
The Offending Crime and Justice Survey (2003-6): the first - and only - nationally
representative UK survey of self-reported offending behaviours
Key findings
• 1% of internet users aged 10 to 25 years had sent a computer virus in the 12 months prior to the survey
• 1% reported using a computer to access another person’s computer files without permission.
• 10- to 17-year-olds were more likely than 18- to 25-year-olds to participate in both activities (2%
versus 1% for both viruses and hacking).
• 0.1% of 12- to 25-year-olds reported buying goods or services over the internet using someone else’s card details without the owner’s permission
• The survey is unfortunately no longer running.
(2) Qualitative evidence from Crown Prosecution Service case files
provides some insight, but relates only to a subset of convicted offenders
dealt with by local police
A Home Office case file analysis of Crown Prosecution Service data examined a sample of those convicted of
cyber offences (including Computer Misuse Act and online fraud offences).
Key findings
• Most of the victims and offenders knew each other ‘offline’ either personally or professionally.
• In these cases often a simple security update could have prevented the crimes happening – a
very simple message came from this work regarding trust and changes in relationships.
• Offenders were reasonably, but not excessively, technical in their computer skills.
• Insider-enabled crimes were relatively common
• Finance, revenge, challenge, ‘for fun’ – were all motivators
(3) Offender debriefs undertaken by the UK National Cyber Crime
Unit provide indicative evidence from the offender perspective.
The National Cyber Crime Unit undertook offender debriefs and consulted with security specialists
and law enforcement regarding pathways into cyber crime.
Key findings
- Average age of suspects and arrests in NCCU investigations in 2015 was 17 years old
- ‘Gaming’ was a key pathway into cyber crime
- Legality was not considered by young offenders and the perceived likelihood of encountering law
enforcement was low
- Cyber crime was not solitary and anti-social, but led to building of key social relationships and online
interaction
- Positive diversions / opportunities, role models and mentors, early targeted intervention were
perceived as potentially helpful in deterring young people from cyber crime
(4) Much of our knowledge is based on anecdote / opinion and we
lack empirical testing of well-known theories in the cyber world
Middlesex University (2016) reviewed available literature and undertook practitioner interviews to better
understand pathways into cyber crime.
Key Findings
Frameworks and approaches from a range of disciplines are key for understanding pathways into cyber
crime (criminology, developmental psychology, neurobiology and cyber-psychology).
However, little empirical evidence exists to validate and test the various theories and frameworks.
There is a need to re-evaluate well-known theories in the cyber world.
Better metrics and evaluation are required as new interventions and ‘best practice’ are tested.
Overall, our knowledge is insufficient for providing well-informed advice to
policy makers and law enforcement regarding appropriate intervention for cyber
offenders
What do we need to know?
- Characteristics / backgrounds of different types of cyber offenders
- The extent / volume of cyber offending / offenders.
- The range of pathways into cyber crime
- Evidence regarding causal mechanisms and drivers of onset, persistence and desistance in cyber
offending.
- What’s the role of co-offending and delinquent peers in encouraging online offending behaviour?
- What works in terms of preventing and deterring cyber offenders?
- How is cyber offending tackled at an international level?
- Do traditional theories of crime apply to cyber offenders?
- Do we need to develop (and test) new theories?
It is important we develop this knowledge – if not, the interventions put
into place may be inappropriate and result in unintended consequences.
How is the Home Office addressing this?
- Exploring the evidence available from traditional crime interventions and their applicability to
cyber crime – identifying feasible interventions for testing.
- We have commissioned a one-off short survey to look at prevalence
- We are exploring law enforcement offender data to help inform what works
- We are exploring criminal histories of convicted CMA offenders
What else could be done to resolve our evidence gaps?
During 2012/13, fraud and computer misuse offences transitioned to central
recording by Action Fraud. CIFAS and FFA data also became included within the
crime count. Total recorded fraud has steadily increased each year.
There were over 620,000 recorded fraud offences in the year ending Sept 2016, up 3% from previous year. The main driver of the increase was reports of banking and credit industry fraud (up 8%).
[Chart: Volume of police, Action Fraud, CIFAS and FFA recorded fraud offences, from Yr ending March 2011 to Yr ending Sept 2016; chart annotation: Action Fraud transition]
The total volume of computer misuse crimes reported to Action Fraud has been
declining. This is largely due to decreases in reports of viruses and hacking of
social media and email accounts.
There were 13,424 computer misuse incidents reported to Action Fraud in the year to September 2016. This is 6% of all crime reports received by AF. It also represents a 10% decrease from the previous 12 months.
However, it’s clear underreporting is still an issue. Just 14% of all CSEW fraud
and computer misuse crimes were reported to Action Fraud or the Police.
Why not reported to AF?
• Never heard of Action Fraud (66%)
• Thought incident would be reported by another authority (10%)
• Too trivial, not worth reporting (8%)
• Dealt with the matter ourselves (6%)
• No loss / damage occurred (3%)
(NB: fraud and computer misuse victims who did not report to AF could select more than one reason.)
The new DCMS breaches survey reports that 24% of all businesses experienced
one or more cyber security breaches in the 12 months prior to survey in Feb
2016
Small Business: 33% Breached
Medium Business: 51% Breached
Large Business: 65% Breached
Base = 428 who experienced a breach
The estimated median loss from a breach for businesses was £200, with a
mean cost of £3,480. Impacts can go beyond just immediate financial losses.
Cost to businesses of breaches experienced in last 12 months

            | All businesses | Micro / Small | Medium | Large
Mean cost   | £3,480         | £3,100        | £1,860 | £36,500
Median cost | £200           | £200          | £180   | £1,300
Base        | 406            | 107           | 173    | 126

Base = 428 that had a breach
Source: DCMS Cyber Security Breaches Survey, 2016
Annual fraud losses recorded by FFA from online card-not-present fraud and online banking
fraud have increased since lows seen around 2010.
[Chart: losses in £m]
Analysis of losses reported by CSEW victims shows that one of the
biggest myths is that victims will always be reimbursed
• 66% of fraud incidents resulted in a loss. Of those cases, 71% were fully reimbursed.
• 36% of computer viruses resulted in loss. Where losses did occur, victims were generally unable to fully recover their losses (less than 1%).
• The majority of fraud loss is also concentrated in the lower end of the spectrum (77% of losses were less than £500).
The introduction of an online crime flag means we will be better able to
understand the proportions of other crime types that are committed online.
• Offences are flagged where the reporting officer believes the offence was committed, in full or in part, by computer, computer network or other internet-enabled device.
• In year ending Sept 2016, just 1% of all offences recorded were flagged as committed ‘online’.
• However, anecdotal evidence suggests the flag is being underused.
Experimental Stats: Offences recorded by the police in England and Wales which were flagged as online crime, year ending September 2016
Grouping | Number of offences flagged as online crime | Proportion of total offences flagged as online crime (%)
Harassment and stalking | 21,839 | 11
Obscene publications | 6,342 | 43
Child sexual offences | 5,143 | 12
Blackmail | 2,270 | 32
Other violence against the person offences | 1,310 | 0
Public order offences | 1,085 | 0
Sexual offences (exc. child sexual offences) | 420 | 1
Criminal damage and arson | 141 | 0
Other offences | 1,652 | 0
Total | 40,202 | 1
Establishing effective approaches to improving cyber security behaviours to protect against cyber crime remains a key challenge.
Individuals:
A significant decrease in the proportion of individuals claiming to adopt several basic cyber hygiene steps was reported between 2014/15 and 2015/16 (CSEW).
Businesses (DCMS breaches survey):
– 29% had a cyber-security policy
– 51% attempted to identify security risks
– 62% had security controls on company-owned devices
– 10% had a formal incident management plan
Note: Several questions did not feature in the 2013/14 versions
CSEW question asks: In the past 12 months have you typically done any of these things to keep yourself safe online?