UK Perspectives on Cyber Crime: victims, offences and offenders

Samantha Dowling, Head of Cyber Crime Research Team

Office for Security and Counter-Terrorism Research and Analysis Unit (OSCT R&A), Home Office Science

March 2017

OFFICIAL

Presentation overview

1. The changing nature of crime – crime trends in England and Wales

2. Developments in our understanding of cyber crime

3. New challenges: understanding cyber offenders and effective approaches to preventing involvement in cyber offending

Our story of crime: crime in England and Wales has been declining since the mid-90s

A new headline crime estimate of 11.8m crimes in England and Wales for the year ending Sept 2016 - now including cyber crime and fraud

11.8m (inc. fraud and cyber)

6.2m (exc. fraud and cyber)

An estimated 2m computer misuse and 3.6m fraud offences occurred in the year ending Sept 2016

CSEW Experimental data: Estimated number of fraud and computer misuse incidents, year ending Sept 2016

Note: Based on approx. 17,900 interviews over 12 months

Just over half of these (53%) were cyber-related.

• There were over 1.5 million victims of computer misuse, with 2 million incidents in total.

Our ability to understand the scale and nature of cyber crime has improved considerably in recent years

• The Crime Survey for England and Wales now captures cyber crime and fraud. It also includes:

  • Victim characteristics

  • Losses from cyber crime

  • Take-up of cyber security behaviours

• Volume of recorded cyber crime (and fraud) is captured centrally through a National Reporting Centre: Action Fraud

• New business surveys (e.g. the Cyber Security Breaches Survey) now provide more robust assessments of the scale and nature of cyber attacks experienced by businesses

• An online crime flag has been introduced to police recorded crime

• The Home Office has completed a programme of work considering how to improve assessments of the Costs of Cyber Crime

But other notable gaps remain in our knowledge.

Cyber offenders are a key knowledge gap, a priority area for policy development and the focus of our current research programme

The involvement of young people in high profile cyber attacks (e.g. TalkTalk) has raised awareness of the need to identify how, why and when people may become involved in cyber crime.

The National Cyber Security Strategy emphasises the need to:

‘deter individuals from being attracted to, or becoming involved in, cyber crime by building on our early intervention measures’.

There is growing interest in these ‘Prevent’ interventions – although ‘Pursue’ strategies (i.e. catching the criminals) are still important.

Intervening in this area sounds a great idea, but…

• Who are we aiming our interventions at?

• How do we identify those most at risk?

• When, how and by whom should interventions be delivered?

• What types of interventions might be effective - and with different types of cyber offenders?

• How do we best evaluate how effective they are?

So what do we know already?

(1) Survey knowledge regarding prevalence of cyber offending behaviours in the general population is out of date / unknown

The Offending Crime and Justice Survey (2003-6): the first - and only - nationally representative UK survey of self-reported offending behaviours

Key findings

• 1% of internet users aged 10 to 25 years had sent a computer virus in the 12 months prior to the survey.

• 1% reported using a computer to access another person’s computer files without permission.

• 10- to 17-year-olds were more likely than 18- to 25-year-olds to participate in both activities (2% versus 1% for both viruses and hacking).

• 0.1% of 12- to 25-year-olds reported buying goods or services over the internet using someone else’s card details without the owner’s permission.

• The survey is unfortunately no longer running.

(2) Qualitative evidence from Crown Prosecution Service case files provides some insight, but relates only to a subset of convicted offenders dealt with by local police

A Home Office case file analysis of Crown Prosecution Service data examined a sample of those convicted of cyber offences (including Computer Misuse Act offences and online fraud).

Key findings

• Most of the victims and offenders knew each other ‘offline’, either personally or professionally.

• In these cases a simple security update could often have prevented the crimes from happening – a very simple message came from this work regarding trust and changes in relationships.

• Offenders were reasonably, but not excessively, technical in their computer skills.

• Insider-enabled crimes were relatively common.

• Finance, revenge, challenge and ‘for fun’ were all motivators.

(3) Offender debriefs undertaken by the UK National Cyber Crime Unit provide indicative evidence from the offender perspective.

The National Cyber Crime Unit undertook offender debriefs and consulted with security specialists and law enforcement regarding pathways into cyber crime.

Key findings

- Average age of suspects and arrests in NCCU investigations in 2015 was 17 years old

- ‘Gaming’ was a key pathway into cyber crime

- Legality was not considered by young offenders and the perceived likelihood of encountering law enforcement was low

- Cyber crime was not solitary and anti-social, but led to building of key social relationships and online interaction

- Positive diversions / opportunities, role models and mentors, early targeted intervention were perceived as potentially helpful in deterring young people from cyber crime

(4) Much of our knowledge is based on anecdote / opinion and we lack empirical testing of well-known theories in the cyber world

Middlesex University (2016) reviewed available literature and undertook practitioner interviews to better understand pathways into cyber crime.

Key findings

Frameworks and approaches from a range of disciplines are key for understanding pathways into cyber crime (criminology, developmental psychology, neurobiology and cyber-psychology).

However, little empirical evidence exists to validate and test the various theories and frameworks.

There is a need to re-evaluate well-known theories in the cyber world.

Better metrics and evaluation are required as new interventions and ‘best practice’ are tested.

Overall, our knowledge is insufficient for providing well-informed advice to policy makers and law enforcement regarding appropriate intervention for cyber offenders

What do we need to know?

- Characteristics / backgrounds of different types of cyber offenders

- The extent / volume of cyber offending / offenders

- The range of pathways into cyber crime

- Evidence regarding causal mechanisms and drivers of onset, persistence and desistance in cyber offending

- What is the role of co-offending and delinquent peers in encouraging online offending behaviour?

- What works in terms of preventing and deterring cyber offenders?

- How is cyber offending tackled at an international level?

- Do traditional theories of crime apply to cyber offenders?

- Do we need to develop (and test) new theories?

It is important we develop this knowledge – if not, the interventions put into place may be inappropriate and result in unintended consequences.

How is the Home Office addressing this?

- Exploring the evidence available from traditional crime interventions and their applicability to cyber crime – identifying feasible interventions for testing

- We have commissioned a one-off short survey to look at prevalence

- We are exploring law enforcement offender data to help inform what works

- We are exploring criminal histories of convicted CMA offenders

What else could be done to resolve our evidence gaps?

Any Questions?

Contact Details:

[email protected]

020 7035 8532

Additional slides if needed for Q&A

During 2012/13, fraud and computer misuse offences transitioned to central recording by Action Fraud. CIFAS and FFA data also became included within the crime count. Total recorded fraud has steadily increased each year.

There were over 620,000 recorded fraud offences in the year ending Sept 2016, up 3% from the previous year. The main driver of the increase was reports of banking and credit industry fraud (up 8%).

[Chart: Volume of police, Action Fraud, CIFAS and FFA recorded fraud offences, from Yr ending March 2011 to Yr ending Sept 2016; chart annotation: Action Fraud transition]

The total volume of computer misuse crimes reported to Action Fraud has been declining. This is largely due to decreases in reports of viruses and hacking of social media and email accounts.

There were 13,424 computer misuse incidents reported to Action Fraud in the year to September 2016. This is 6% of all crime reports received by AF.

It also represents a 10% decrease from the previous 12 months.

However, it’s clear underreporting is still an issue. Just 14% of all CSEW fraud and computer misuse crimes were reported to Action Fraud or the Police.

Why not reported to AF?

• Never heard of Action Fraud (66%)

• Thought incident would be reported by another authority (10%)

• Too trivial, not worth reporting (8%)

• Dealt with the matter ourselves (6%)

• No loss / damage occurred (3%)

(NB: fraud and computer misuse victims who did not report to AF could select more than one reason.)

The new DCMS breaches survey reports that 24% of all businesses experienced one or more cyber security breaches in the 12 months prior to survey in Feb 2016

Small Business: 33% Breached

Medium Business: 51% Breached

Large Business: 65% Breached

Base = 428 who experienced a breach

The estimated median loss from a breach for businesses was £200, with a mean cost of £3,480. Impacts can go beyond just immediate financial losses.

Cost to businesses of breaches experienced in last 12 months

            | All businesses | Micro / Small | Medium | Large
Mean cost   | £3,480         | £3,100        | £1,860 | £36,500
Median cost | £200           | £200          | £180   | £1,300
Base        | 406            | 107           | 173    | 126

Base = 428 that had a breach

Source: DCMS Cyber Security Breaches Survey, 2016

Annual fraud losses recorded by FFA from online card-not-present fraud and online banking fraud have increased since lows seen around 2010.

[Chart: annual losses, £m]

Analysis of losses reported by CSEW victims shows that one of the biggest myths is that victims will always be reimbursed

• 66% of fraud incidents resulted in a loss. Of those cases, 71% were fully reimbursed.

• 36% of computer viruses resulted in a loss. Where losses did occur, victims were generally unable to fully recover their losses (less than 1%).

• The majority of fraud loss is also concentrated in the lower end of the spectrum (77% of losses were less than £500).

The introduction of an online crime flag means we will be better able to understand the proportions of other crime types that are committed online.

• Offences are flagged where the reporting officer believes the offence was committed, in full or in part, by computer, computer network or other internet-enabled device.

• In the year ending Sept 2016, just 1% of all offences recorded were flagged as committed ‘online’.

• However, anecdotal evidence suggests the flag is being underused.

Experimental Stats: Offences recorded by the police in England and Wales which were flagged as online crime, year ending September 2016

Grouping                                     | Number of offences flagged as online crime | Proportion of total offences flagged as online crime (%)
Harassment and stalking                      | 21,839 | 11
Obscene publications                         | 6,342  | 43
Child sexual offences                        | 5,143  | 12
Blackmail                                    | 2,270  | 32
Other violence against the person offences   | 1,310  | 0
Public order offences                        | 1,085  | 0
Sexual offences (exc. child sexual offences) | 420    | 1
Criminal damage and arson                    | 141    | 0
Other offences                               | 1,652  | 0
Total                                        | 40,202 | 1

Establishing effective approaches to improving cyber security behaviours to protect against cyber crime remains a key challenge.

Individuals:

A significant decrease in the proportion of individuals claiming to adopt several basic cyber hygiene steps was reported between 2014/15 and 2015/16 (CSEW).

Businesses:

– 29% had a cyber-security policy

– 51% attempted to identify security risks

– 62% had security controls on company-owned devices

– 10% had a formal incident management plan

(DCMS breaches survey)

Note: Several questions did not feature in the 2013/14 versions

CSEW Question asks: In the past 12 months have you typically done any of these things to keep yourself safe online?
