By: David Maimon and Eric Chapman.
In October of 2011, the Securities and Exchange Commission's Division of Corporation Finance issued disclosure guidance for publicly traded companies regarding their obligation to disclose material cyber incidents and cybersecurity risks. The stated goal of the guidance is to give investors the opportunity to weigh the risks associated with investing their money in the relevant company. Unfortunately, numerous reports suggest that major U.S. companies choose to ignore the guidance and refrain from reporting their digital security breaches to the public. Relatedly, many public and private companies are uncomfortable sharing their cybercrime victimization experiences with cyber security professionals and scholars. Companies tend to conceal this information because they fear that admitting to digital breaches will scare away potential investors and current customers.
By keeping this valuable information to themselves, companies and governmental agencies exacerbate the magnitude of cybercrime and expose themselves to future attacks on their systems. Moreover, by preventing scientific analysis of this information, public and private companies sabotage experts' efforts to develop a comprehensive understanding of cybercrime. Indeed, few public companies make data on cybercrime attacks available to the public, so only a small portion of cybercrime incidents can be analyzed at all. Even when companies do allow access to their records, they insist that the data be analyzed out of context: the information they provide comes without any mention of the timing and patterns of the attacks, or of the activities network users were engaged in at the time. This makes the task of studying cybercrime and security breaches extremely difficult and inefficient. While such data may permit the development of technical knowledge, it prevents the accumulation of scientific understanding of the social predictors of this phenomenon.
This is probably the place to remind readers that despite its heavy reliance on technical tools, cybercrime is nevertheless a human phenomenon! It is true that computers and electronic systems (for instance, botnets) are employed for hacking, spamming, and web defacement, among other activities. However, in every case, human players (including hackers, innocent network users, and information technology managers) bear some responsibility for the success of the crime. Thus, just as criminologists analyze crime incidents and data within specific social contexts (such as schools and neighborhoods), any investigation and analysis of cybercrime data should take place within the context of the victims' social environment. The fact that we still know little about cyber criminals and their victims is directly related to the resistance on the part of companies (both publicly and privately owned) and governmental agencies to reporting digital security breaches and allowing access to their records, as they would following any other crime against them or their employees.
We encourage public and private companies, as well as governmental agencies, to support cybercrime prevention efforts by reporting data breaches and allowing cyber security experts access to this valuable information. We believe that nowadays everyone, including investors, customers, and boards of trustees, must recognize the importance of studying cybercrime and the risks of failing to do so. (This is reminiscent of the common understanding among policy makers and social scientists 100 years ago that it was crucial to compile data on neighborhoods' demographic and social characteristics in order to reach a comprehensive understanding of the underlying causes of crime.)
In order to generate a better understanding of this problem, something needs to change. Sharing is caring!