When do businesses report cybercrime? Findings from a UK study
| Published date | 01 July 2023 |
| DOI | http://doi.org/10.1177/17488958211062359 |
| Author | Steven Kemp,David Buil-Gil,Fernando Miró-Llinares,Nicholas Lord |
| Date | 01 July 2023 |
| Subject Matter | Articles |
https://doi.org/10.1177/17488958211062359
Criminology & Criminal Justice
2023, Vol. 23(3) 468 –489
© The Author(s) 2021
Article reuse guidelines:
sagepub.com/journals-permissions
DOI: 10.1177/17488958211062359
journals.sagepub.com/home/crj
When do businesses report
cybercrime? Findings from a
UK study
Steven Kemp
University of Girona, Spain; Miguel Hernández University of Elche, Spain
David Buil-Gil
The University of Manchester, UK
Fernando Miró-Llinares
Miguel Hernández University of Elche, Spain
Nicholas Lord
The University of Manchester, UK
Abstract
Although it is known that businesses report cybercrime to public authorities at a low rate,
and this hinders prevention strategies, there is a lack of research on companies’ decisions to
report cyber victimisation. This paper analyses the UK Cyber Security Breaches Survey to
explore factors associated with cybercrime reporting by businesses. Results indicate that the
type of cybercrime is relevant to the reporting decision, and that the likelihood of reporting
increases when cybersecurity incidents generate negative impacts and when the company places
high priority on cybersecurity. However, we find no association between having cybersecurity
insurance and reporting. Finally, while having outsourced cybersecurity management is associated
with reporting to anyone outside the organisation but not to public authorities, in-house
cybersecurity teams seem more inclined to report to public authorities. Findings are discussed
in relation to the role of the private cybersecurity sector and the criminal justice system in
combatting cybercrime.
Corresponding author:
Steven Kemp, Facultat de Dret, Department of Public Law, University of Girona, C/ Universitat de Girona,
12, 17003 Girona, Spain.
Email: steven.kemp@udg.edu
1062359CRJ0010.1177/17488958211062359Criminology & Criminal Justice X(X)Kemp et al.
research-article2021
Article
Kemp et al. 469
Keywords
Corporate, cybersecurity, dark figure of crime, financial crime, organisations
Introduction
Cybercrime poses a growing threat to private organisations in the United Kingdom. The
National Crime Agency (n.d.) has stated that cyber criminality is rising and criminals are
increasingly targeting businesses, while Williams et al. (2019) describe cybercrime as
one of the main threats to economic security in the United Kingdom. Greater levels of
homeworking related to COVID-19 may have further exacerbated existing cybercrime
threats, and research has shown that reports of certain types of online fraud against
organisations rose during the pandemic (Kemp et al., 2021). It should also be noted that
the issue does not only affect large businesses. As the National Cyber Security Centre
(2020: 3) states, ‘[i]f you’re a small or medium-sized enterprise (SME) then there’s
around a 1 in 2 chance that you’ll experience a cyber security breach’.
Yet, despite the widespread recognition that cybercrime is a salient issue for busi-
nesses of all sizes, criminological research on the topic is relatively scarce, which has
been attributed to a lack of reliable data (Buil-Gil et al., 2021; Williams et al., 2019).
In this regard, one particular problem may be that reporting of crime victimisation by
businesses is particularly low (Caneppele and Aebi, 2017; Lavorgna, 2020), which
means the dark figure hidden from official statistics hinders research on the topic. This
is concerning as, in addition to aiding academic research, reporting is key to the design
of effective prevention and response strategies to cybercrime and fraud threats (Kemp
et al., 2020; Reep-van den Bergh and Junger, 2018; van de Weijer et al., 2019). If data
are lacking with respect to cybercrime against businesses, current prevention strategies
may be inadequately informed (Levi et al., 2017). Furthermore, reports are a means to
start police investigations into crime, and, thus, low levels of reporting may signify
that private organisations consider that formally involving the police or other govern-
ment agencies is not the most suitable response to cybercrime victimisation. This in
turn may exemplify the expectations and challenges faced by the criminal justice sys-
tem with regard to cybercrime, as well as the fact that responses to cybercrime are
often based on a private model of justice or public-private partnerships (Dupont, 2017;
Wall, 2007).
In order to improve crime reporting rates, and therefore shed light on the dark figure
of cybercrime against businesses and better inform strategies to combat the issue, it is
necessary to first understand which factors are associated with the decision to report
cybercrime. This may also improve comprehension of the expected role of the criminal
justice system with regard to this type of criminal activity. There is extensive research on
crime reporting by individuals, but research on the crime reporting practices of busi-
nesses is scarce (Isenring et al., 2016; van de Weijer et al., 2021). In fact, to the authors’
knowledge there have been no academic attempts to empirically explore cybercrime
reporting by businesses in the United Kingdom and, thus, the present paper aims to begin
to fill this salient gap in the literature.
To continue reading
Request your trial