Reviewing Estimates of Cybercrime Victimisation and Cyber Risk Likelihood
Authors: Daniel W. Woods, Lukas Walter
Published in: 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), June 2022
DOI: 10.1109/eurospw55150.2022.00021 (https://doi.org/10.1109/eurospw55150.2022.00021)
Citations: 3
Abstract
Across both the public and private sector, cybersecurity decisions could be informed by estimates of the likelihood of different types of exploitation and the corresponding harms. Law enforcement should focus on investigating and disrupting those cybercrimes that are relatively more frequent, all else being equal. Similarly, firms should account for the likelihood of different forms of cyber incident when tailoring risk management policies. This paper reviews the quantitative evidence available for both cybercrime victimisation and cyber risk likelihood, providing a bridge between the academic fields of criminology and cybersecurity. We extract estimates from 48 studies conducted by a mix of academics, statistical institutes, and cybersecurity vendors using a range of data sources including victim surveys, case-control studies, and the insurance market. The victimisation estimates are categorised into: cyber attack; malware; ransomware; fraudulent email; online banking fraud; online sales fraud; unauthorised access; Denial of Service; and identity theft. For each category, we display all estimates in the years 2017–2021. Our review shows: (i) firms face higher victimisation rates than individuals, and these rates increase with the number of employees; (ii) global surveys reveal a consistent relative ranking of countries in ransomware victimisation; (iii) although trends could be identified within studies that collect longitudinal data, these trends tended to contradict each other when compared across studies; and (iv) broad categories with unclear consequences (e.g. malware and fraudulent emails) displayed higher variance and average values than categories associated with specific outcomes (e.g. identity theft or online banking fraud). We discuss the outlook for cybercrime and cyber risk research.