Organizational and Organized Cybercrime

Cybercrime has been on the rise since the internet became widespread in the 1990s, affecting individuals as well as private organizations and public agencies. There is an increasing involvement of organizations, both legitimate businesses and organized crime groups, in cybercrime, either as offenders or facilitators, but also as victims of cybersecurity attacks and cyber-enabled fraud. Given the growing ‘organizational’ aspect of cybercrime, it appears urgent for cybercrime research to shift the attention toward better understanding, theorizing and preventing cybercrimes with direct or indirect involvement of organizations. In this chapter we describe the state of the art about organizational and organized cybercrime research. That is, we describe what research has found regarding the role of organizations, both legitimate businesses and organized crime groups, in cybercrime, either as offenders, facilitators or victims. Consequently, we identify common themes emerging from research, and illustrate frequent research findings with case studies of cybercrime incidents recorded in France, USA, Costa Rica and the UK. Studies focusing on organized cybercrime groups show that offending networks have a spectrum of organizational complexity - from loosely-connected actors driven by common interests instead of stated leaders on one extreme, to enduring and tightly connected groups of core members who coordinate the division of labor on the other extreme - with both illicit online sites and pre-existing relations in offline settings playing important roles in criminal network development. Cybercriminals may be parasitical on legitimate organizational structures and procedures in creating an outlook of legitimacy for concealment. Legitimate businesses may also facilitate white-collar cybercrime by providing the organizational means and resources for employees to carry out generally low-tech data breaches during their occupations, as well as directly engaging in cybercriminal activities such as cyber-espionage and cyber-enabled tax avoidance. Regarding the role of organizations as victims of cybercrime, research shows that the risk, nature and harm of cybersecurity incidents varies extensively depending on the sector and size of organizations, and while not all forms of technical protection equally prevent organizational cybercrime victimization, improving cybersecurity awareness of employees (e.g., through training and seminars) seems to have strong impacts in preventing future incidents. We finalize the chapter by identifying important gaps in research and pointing researchers toward areas in which further research is needed.