Cyber crime in Scotland: evidence review research findings

Cyber-crime in Scotland: A Review of the Evidence

This desk-based review has found that cyber-technology can impact on any type of crime. Therefore, it is helpful to conceptualise cyber-crime in terms of the method or locus of a crime, rather than it being a distinct type or group of crime. This is in line with the definition adopted by Police Scotland and also the way in which cyber-crime is defined in the Scottish Institute for Policing Research ( SIPR) international review.

The review looked systematically at the crime groupings used to categorise police recorded crime statistics. While we have found some evidence gaps and our knowledge is not complete, we have been able to identify four ways in which cyber-technology has impacted on crime in Scotland:

1. Cyber-crime is forming a large proportion of certain crime types.
2. The internet and cyber technologies are changing the volume of certain crime types.
3. The internet and cyber technologies are changing the nature and victimisation of certain crimes.
4. Cyber-technologies have given rise to the introduction of an entirely new and high volume category of crime – computer misuse (incorporates activities involving unauthorised access to and attacks on computer systems, networks and data e.g. hacking and computer viruses and Ransomware).

Applying this to the crime groupings allows us to begin to understand these different types of impact that cyber-technology has on different types of crime, and also where the impact of cyber-technology has been limited:

• Group 1 (Non-sexual crimes of violence): The available evidence suggests cyber technology appears to be having no significant influence on the scale or nature of non-sexual crimes of violence.
• Group 2 (Sexual crimes): Cyber-technology has had an impact on both the scale and the nature of some types of sexual crimes in Scotland.
• Group 3 (Crimes of dishonesty): Fraud is one of the most frequently experienced crimes and a large proportion, although by no means all, is cyber-crime. There is also evidence of underreporting, which is likely linked to incidents generally being viewed as low impact and low harm.
• Group 4 (Fire raising, vandalism etc.): Computer misuse is a new category of crime which is almost entirely driven by the growth of the internet and cyber technology ( e.g. computer viruses, hacking, Ransomware etc.). However, it is underreported to the police and in most cases impacts and harm are not severe.
• Group 5 (Other Crimes): Cyber technology has not had much of an impact here. There are concerns around the potential impact of cyber on two areas within this grouping which do not appear to have been borne out: (i) sourcing drugs (the majority of this is still via traditional means rather than online) and (ii) contempt of court issues (there is no evidence from police data that that increases in the amount and accessibility of information online have increased the likelihood of these types of issues).
• Group 6 (Misc. Offences): The impact of cyber technology has been limited. While the internet features in cases of stalking and harassment, being pestered, intimidated or insulted in person is much more prevalent than experiences carried out via electronic means.
• For businesses' experience of cyber-crime, the available UK evidence is complex. Many organisations collect data on the impact of cyber-crime on businesses, however as there is not consistency in how these data are collected across these organisations, it is not possible to present a robust overview of the impact of cyber-crime on business. Nevertheless, it is clear from the available evidence that cyber-crime is an issue for businesses. For example, whilst not including all sectors, the UK Cyber Breaches Survey estimates that 46% of UK businesses (covered by the survey) experienced at least one cyber breach or attack between 2016 and 2017.
• This review has also identified gaps in our knowledge. We still need to know more about cyber-crime in Scotland, such as the prevalence of different types of cyber-crime, the extent of underreporting, the cost and the harm of cyber-crime.

Cyber influence on crime: Summary of overall findings

Cyber-technology can impact on any type of crime. We conceptualise cyber-crime in terms of the method or locus of a crime, rather than it being a distinct type or group of crime.

From the available evidence, we know that:
Cyber-technology has had an impact on

• The scale and nature of some types of sexual crimes in Scotland
• The proportion of fraud conducted online. However still a lot of fraud is offline. As a whole, fraud is under-reported and mostly low impact
• Computer misuse – now a commonly experienced crime. But it is under-reported and mostly low impact.

There has been less influence of cyber-technology on the following:

• Cyber appears to have no real influence on the scale and nature of violent crime
• Drugs are still mainly sourced via traditional means rather than online.
• The internet features in cases of stalking and harassment but this is still more prevalent in-person than online.

Information of businesses’ experiences of cyber-crime is limited and fragmented, however most sources indicate that cyber-crime is an issue for them.

For example, the UK Cyber Breaches Survey, whilst not covering all sectors, estimates that between 2016 and 2017, 46% of responding business sectors experienced at least one cyber breach or attack.

(Cyber Breaches Survey, 2017.)

Justice Analytical Services