Differentiating Insider and Outsider Cyberattacks on Businesses

American Journal of Criminal Justice

Abstract

The use of information and communication technologies in business has opened several new ways for employees to commit cybercrimes against their employers. Utilizing opportunity theory, the current paper investigates the characteristics of businesses victimized by employee-committed cyberattacks and compares insider- and outsider-committed cybercrime in terms of the damage they cause to the business. We used online sampling to obtain information on 350 businesses in the Commonwealth of Virginia, revealing 29 outsider cases and 17 insider attacks that were clearly identified. We found that insider attacks were more costly, resulting in more damage than external attacks; the most frequent attack type was impersonating the organization online for insiders, and viruses, spyware, and malware for outsiders. Our data suggested restricting personal devices, making cybersecurity a priority, cybersecurity updates among management, and employee training do not significantly lessen the risk or mitigate the effects of insider attacks. We suggest that organizational security culture must be refined and strengthened to identify and prevent insider attacks successfully.

Notes

  1. Adds to more than 46 as attack categories were not mutually exclusive and could belong to more than one category.

Acknowledgements

The research was funded by the Coastal Virginia Center for Cyber Innovation (COVA CCI), 2021/2022.

Author information

Corresponding author

Correspondence to Thomas E. Dearden.

About this article

Cite this article

Dearden, T.E., Parti, K., Hawdon, J. et al. Differentiating Insider and Outsider Cyberattacks on Businesses. Am J Crim Just 48, 871–886 (2023). https://doi.org/10.1007/s12103-023-09727-7

  • DOI: https://doi.org/10.1007/s12103-023-09727-7
