Singapore Institute of Technology

Using Situational Crime Prevention (SCP) to Prevent Cybercrimes

thesis
posted on 2024-03-20, 06:55 authored by Heemeng Ho

Abstract

The COVID-19 pandemic accelerated digital growth in cyberspace for consumers and businesses alike. The increase in digital growth also brings greater opportunities for cybercrimes. Situational crime prevention (SCP) is a well-documented crime prevention approach that has successfully reduced criminal opportunities for a wide range of crimes. However, the research on the application of SCP to prevent cybercrimes has been sparse. This thesis aims to understand and investigate the reasons behind the limited use of SCP in preventing cybercrime. Following this, the thesis proposes several methods that can further extend and improve the application of SCP to prevent cybercrimes. In addition, the thesis examines the effectiveness of applying SCP techniques to cybercrimes. The thesis also discusses the possible implications and impact of the thesis’ research work on the existing theory, practice and policy of using SCP to prevent cybercrimes.

This thesis starts by clarifying SCP and cybercrime terminologies, followed by exploring the rise of cybercrimes, examining the current role of the cybersecurity industry in cybercrime prevention as well as explaining the value and relevance of SCP in responding to cybercrimes. To better understand the present state of how SCP is generally used to prevent cybercrimes, I conduct a focused systematic review of 352 articles across computer science, criminal justice and criminology literature using the PRISMA method. My focused systematic review indicates several research gaps and identifies potential future research opportunities, such as the need for greater multi-disciplinary synthesis in studying cybercrimes, exploring cybersecurity controls in SCP, applying SCP to prevent specific cybercrimes and designing robust experiments to demonstrate the validity of SCP techniques in preventing cybercrimes.

To address part of the research opportunities, I propose the SCP-C3 Cycle and common inventory of SCP-based cybersecurity controls, which can be used as instruments to aid multi-disciplinary research and collaboration in applying SCP to prevent cybercrimes. I provide a structured approach on how the common inventory can be developed using cybersecurity controls from ISO/IEC 27002:2022. I also explain how the SCP-C3 Cycle is developed. The SCP-C3 Cycle combines ideas and concepts from SCP and the Plan-Do-Check-Act (PDCA) continuous improvement cycle. I illustrate conceptually how the SCP-C3 Cycle and common inventory can be applied to a ransomware prevention case study.

Place management is central to Routine Activities Theory and proactive utilisation of place managers is one of the 25 SCP techniques. Yet little is known about the effectiveness of using place managers to prevent cybercrimes. I conduct a vignette experimental survey of 213 cybersecurity professionals to explore their perceptions of utilising place managers to prevent cybercrime. I also examine and discuss the relationships between physical space, cyberspace and place management theories.

My research work in this thesis has several implications for, and impact on, the theory, practice and policy of applying SCP to prevent cybercrimes. On the theoretical side, I explain how the cyberspace environment and prevalent use of virtual artefacts such as data, malware and bots can impact existing SCP terminologies and the Routine Activities Theory’s Crime Triangle. I discuss how SCP and the Crime Triangle’s core components of target/victims, offenders and place managers, its associated controllers and super controllers can be adapted and extended to accommodate the cyberspace and cybercrime context. I also discuss the implications of the cyberspace environment on place management theories.

On the policy and practice side, I elucidate the value that my SCP-C3 Cycle and common inventory of SCP-based cybersecurity controls can have in facilitating multi-disciplinary research in preventing cybercrimes. My SCP-C3 Cycle and common inventory can help in the modelling and identification of intervention measures of specific cybercrimes. For organisations who adopt ISO/IEC 27002 controls, this can provide great value for them because they can choose to focus their limited energy and resources to implement the ISO/IEC 27002 controls that are identified from my SCP-C3 Cycle and common inventory. The common inventory can also grow in richness and comprehensiveness because it can accommodate content from other popular industry or government cybersecurity standards, frameworks and guidelines. In addition, my review of the ISO/IEC 27002 controls as part of the development of the common inventory can provide further policy insights on how to develop the ISO/IEC 27002 controls in a more holistic manner that balances both human and technical factors via SCP. The research results from my vignette experimental study can also assist organisations to make better informed decisions on the hiring of cybersecurity professionals as the assigned place managers to oversee the safety of their organisational cyberplaces. My vignette findings can also help cyberplace managers to make a more informed decision on which of the ISO/IEC 27002 controls to focus their limited time and resources on.

History

Publication date

2024-02-29

Version

  • Published
