IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Virginia Researchers Study Gaps in Cyber Crime Reporting

States still don’t know how much cyber crime actually occurs or how residents are trying to protect themselves. A research team in Virginia is hoping to fill in the knowledge gap with a newly launched study.

Cyber attack
Whole-of-state approaches to cybersecurity emphasize mobilizing everyone against threats — even regular residents. But limited data about how well-defended constituents actually are can make it harder for agencies to understand the full scope of the problem and advise residents about reducing cyber risks.

A recently launched Virginia study aims to fill in such knowledge gaps.

James Hawdon, professor of sociology at Virginia Tech and director of its Center for Peace Studies and Violence Prevention, is co-leading a study with assistant professors of sociology Thomas Dearden and Katalin Parti, who both have background in criminology.

“We really have no good clue — no reasonable estimate — of how widespread cyber crime victimization is,” Hawdon told GovTech.

The FBI’s annual Internet Crime Report aims to chart cyber crime’s scope. It found, for example, that California had the most cyber crime victims and greatest cyber crime losses of all states in 2021, at 67,000 individuals victimized and nearly $1.3 billion lost.

But these figures are unlikely to capture the full picture. Studies of traditional crimes show many victims never inform law enforcement, and Hawdon expects cyber crime is no different.

Years of surveys reveal that roughly 310 of every 1,000 sexual assaults and only 619 out of every 1,000 robberies are reported to police, according to national sexual violence prevention and survivor support organization Rape, Abuse and Incest National Network (RAINN).

No such comprehensive victim survey yet exists for cyber crimes, Hawdon said.

His team recently received a grant from Virginia’s Commonwealth Cyber Initiative to research cyber crime victimization among Virginian residents and businesses. The effort looks to identify any cyber crime reporting gap and learn how respondents defend themselves before and after falling victim.

In early April, the study was just getting underway. It will survey “a representative sample of the entire state population,” per Virginia Tech, including both individuals and 400 businesses. Hawdon said the study’s broad survey pool makes it stand out from prior victimization studies that have often focused on more limited respondent groups.

HOW DO CYBER VICTIMS REACT?


Hawdon’s team will look at the behaviors and tools Virginians use to stay safe online, including both technological defenses — like firewalls and encryption —and behavioral defenses, like setting strong, unique passwords.

“We tend to think of cybersecurity solely in terms of target hardening … [such as applying] technological solutions. But there are also social behaviors that put you at greater risk of victimization,” Hawdon said.

The study will examine various measures’ effectiveness at reducing likelihood of residents and businesses falling victim to cyber attacks or experiencing significant impact from attacks. It will also look at how much people change their habits after being hit by cyber crime.

Victims of home break-ins tend to react by seeking new defenses, such as installing alarm systems and/or getting a guard dog or weapon, Hawdon explained. The study hopefully will reveal whether and how such reactions play out in cyber.

The results could help agencies and others create targeted efforts to educate individuals on how they can conduct online behaviors more securely.

“We want to design information pamphlets we can disseminate to police agencies and other public agencies to just get the word out there of what can be done to make online experiences safer,” Hawdon said.

The grant only supports studying Virginia, but Hawdon hopes the resulting research will show the value of conducting a similarly “comprehensive” national survey. It’s unclear how exactly the commonwealth’s results will translate for the rest of the nation, because Virginians may be more likely than the average American to work in certain industries that carry unique cyber risks, such as defense and maritime.

CYBER BEST BEHAVIOR AND SECURITY BY DESIGN


Management consulting firm Oliver Wyman Forum publishes a Cyber Risk Literacy and Education Index that compares 49 nations and the European Union. Its 2022 Index ranks the U.S. fourth on “Public Motivation,” a category reflecting “the population’s commitment to practicing cybersecurity,” including “the rate of adherence to specific safe Internet practices.”

Still, members of the public could do with more information on how to respond to events: Oliver Wyman reports that, “64 percent of Americans have never checked to see if they were impacted by a data breach, and 56 percent would not know what steps to take if they knew their data had been compromised.”

Residents equipped with both the knowledge and tools to reduce their cyber risks can better defend themselves as well as reduce risks to organizations and important systems.

A single person’s mistake can have outsized effects and give hackers purchase in a system, if organizations lack other mitigating protections. Colonial Pipeline, for example, saw a former employee re-use a password from another account; when that latter account became compromised, malicious actors got a password they were then able to use to enter Colonial’s systems.

Theoretically, better password habits on the part of the former employee might have prevented a weakness at one website from translating into a weakness at Colonial, while stronger authentication and access management at Colonial might have ensured an unused account got deactivated or detected the account takeover.

Governments included in the Oliver Wyman Forum Index often turn to a mix of two strategies: user education and security by design. The former focuses on infusing a base level of cybersecurity knowledge and skills among the population, so individuals can better defend themselves and make more informed choices about risk.

Security by design, meanwhile, sees software and hardware developers create products with security measures baked in so that user mistakes only result in minimal harm, much in the same way that cars are designed with features to minimize injury from crashes.

An earlier university study suggests both strategies may be key.

COMMUNICATING CYBER RISKS


A Feb. 2017study of 508 University of Michigan students examined whether exposing participants to different kinds of fake news articles about cybersecurity incidents would prompt them to consider cyber risks more seriously.

It found that personally relevant stories were most likely to inspire students to want to adopt more cyber secure practices — but that this caring didn’t necessarily translate into action.

Participants who read a fake article about student data being breached at their university were “marginally more likely” to say they would follow various “safer online security behaviors.” Researchers suggested that people may not perceive cyber attacks as something that affects their daily lives, unless communications about cybersecurity make the individual impact clear.

“Only personally relevant data breaches can shift citizens’ risk perceptions and behaviors,” wrote co-authors Nadiya Kostyuk, assistant professor of information and communications technology at the Georgia Institute of Technology, and Carly Wayne, assistant professor of political science at Washington University-St. Louis.

Still, communications alone may not be enough. Students who said they wanted to be more cyber secure were no more likely to open a follow-up email sent that same day or click on links included within that directed to various resources about online safety. They also were just as likely as other participants to hand over personal information to a fake spam message sent the next day.

“While we find that subjects expressed a willingness to improve their cybersecurity practices online after exposure to a personally relevant data breach, we do not observe any difference in actual online behavior,” Kostyuk and Wayne wrote. “These results suggest that steps by government and corporate actors to remove agency from individuals and automate cybersecurity … This so-called security by design may be a more effective cybersecurity method than placing the burden on average users.”

Because the study only involved university students, there may be limits to how well its findings reflect the general population — a limit that wider-ranging research efforts like Hawdon’s aim to expand beyond.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.