The Better Cybercrime Metrics Act directs the Bureau of Justice Statistics (BJS), in coordination with the Bureau of the Census, to include questions relating to cybercrime victimization on the National Crime Victimization Survey (NCVS). This report, developed through a cooperative agreement between the Bureau of Justice Statistics (BJS) and RTI International, provides an environmental scan of existing definitions and measures, federal and state laws, and the extant literature on the topic of cybercrime and cyber-enabled crimes in an effort to determine if and how the NCVS could expand and improve measurement of cybercrime; the additional questions or crime types that would need to be added to the core survey or supplements to generate national estimates; and how BJS should proceed with testing and adding additional measures.
Although cybercrime has existed and been studied for decades, there is no currently agreed-upon definition or taxonomy of cybercrime in the empirical literature, in the educational and governmental classifications systems, or even in legislation (no jurisdiction has a single agreed-upon definition of cybercrime). Classification systems approach cybercrime based on the method that was used to commit the crime, while federal and state laws approach cybercrimes based on the level of harassment to the victim. The seemingly conflicting approaches regarding how to define and classify cybercrime are reflected in the massive amount of theoretical and empirical research on cybercrime against persons and/or institutions. Researchers have attempted to mitigate this issue by suggesting various taxonomies for organizing and classifying cybercrime. However, the speed at which cybercrime is evolving, coupled with the variability in terminology and inconsistencies across legislation, has made this difficult and resulted in multiple organizing frameworks. In recent years, researchers have begun exploring a taxonomical approach to classifying cybercrime. This approach allows for the categorization of various types of cybercrime without getting hindered by terminologies.
A comprehensive meta-analysis revealed a complete and thorough taxonomy by Phillips and colleagues (2022). Phillips and colleagues’ (2022) taxonomy incorporates previous classification and taxonomy approaches while also incorporating the Council of Europe’s Convention of Cybercrime definition, widely recognized as “the only globally recognized agreement around cybercrime.” The authors of this report used Phillips and colleagues’ taxonomy as a basis for comparison to the existing NCVS.
Although the NCVS covers a broad range of crime victimization types, it does not systematically assess victimization experiences committed via cyber-enabled means compared to victimization experiences committed in person or measure crimes that can only be committed via cyber means. This report describes cybercrime types from the taxonomy and identifies whether they are already being measured through the NCVS either partially or fully. For those covered only partially, this report discusses how they are currently being measured and any recommended revisions for expanding the scope of those measures. Relevant state or federal laws relating to the crime type are also referenced. The report also details crimes from the taxonomy that are not currently assessed in the NCVS, but that should be considered for inclusion in future iterations. The report details crimes from the taxonomy not currently assessed in the NCVS and not recommended for inclusion in future iterations because they are out of scope for the NCVS.
In addition to examining cybercrime types collected through the NCVS, this report presents recommendations on whether estimates should be presented individually by cybercrime type or aggregately as a composite measure that reflects total cybercrime victimization.
A measure could be created through (1) the development of a single survey question, or a short series of questions, used to generate a single estimate of cybercrime, or (2) by aggregating across multiple cyber related measures as is done to create composite measures for violent and property crime. However, there are several challenges with this approach. These include, but are not limited to, the following:
The range of victimization experiences included under the heading of cybercrime is diverse enough that it might be difficult to effectively define the various crime types in the context of one question or a few questions.
- The ages of focus for the cybercrime types vary (i.e., cyberbullying is currently measured for persons 12-18; identity theft is only asked of people 16 or older).
- Some cybercrime types overlap or could occur in the context of the same incident (cyber fraud and forgery; stalking and nonconsensual porn), but there would not be a way to parse this out to the same extent the NCVS does this currently.
- The NCVS supplements, some of which cover certain cybercrime types, have different reference periods than the core NCVS, focus on producing prevalence rates rather than incident rates, do not have a bounding adjustment, have different rules related to proxy respondents, and have different weights.
- Finally, defining and measuring incidents will be especially challenging because it is hard to determine the start/stop of cybercrime victimization types. For that reason, it is recommended that BJS focus on measuring prevalence only.
These differences make combining estimates from the supplements and core somewhat problematic. We recommend that BJS focus on measuring individual types of cybercrime, rather than an aggregate or composite approach.