Public views inform what acts are considered to be crimes and how those crimes are punished. Measuring public perception provides insight beyond assessing impact on victims or the economic cost of crimes and penalties. Gauging perceptions is a delicate task of distinguishing how people understand their world. In the case of perceptions of cybercrime, these attitudes can be hard to define and measure using standard scales. What makes a crime ‘serious’? What types of crime does the public define as serious?
This study is informed by online surveys completed by 2440 participants from across the U.S.. Each participant read a description of a fictional cybercrime scenario. In each case, the situation involved the intentional breach of consumer personal information, with slight variations in the causes and consequences of the breach in different scenarios. The study compares how responses might differ according to the characteristics described in the scenario. The features that varied were:
Type of data stolen - whether name and contact information or medical records;
Scope - amount of data stolen;
Motivation of the attack – profiteer, activist, or student;
Organisational responsibility – the company’s diligence and disclosure;
Consequences – the cost and who paid (i.e. the business or its customers); and
Context – if the victim firm was a bank, government agency or non-profit.
The results show people distinguish between features of cybercrimes. People judged an attack as more serious when larger amounts of data were stolen. The motivation of the attacker also held significant weight in the perception of seriousness. If the intention was profit-making, the seriousness was perceived as greater. Also when the cost of consequences was higher or when the data breached more sensitive, such as personal health information, people perceived the attack as more harmful and recommended harsher punishment. Individual attitudes towards privacy, including experiences of identity theft and data protection, are related to views on the seriousness of crimes. Someone more concerned about privacy will tend to rank crimes as more harmful and wrongful, and thus recommend harsher punishment.
Public views suggest serious crime is perceived as acts that are wrongful and harmful, in particular those that have a widespread impact or are motivated by personal profit of the attacker. This suggests the types of crime that might be of greatest concern to consumers – such as those that breach sensitive information and have a high cost of remediation. In responding to a cybercrime, firms can employ breach disclosure strategically recognising that the details of a breach can impact public perception of a crime.
Not all cyber thefts are considered equal. The perceived seriousness of an event depends on value and motivation of the theft but also on the response of the organisation attacked.