Cybersecurity and Theft:

Cybersecurity and Theft:

Examining the Relationship between Cybercrime, Government Regulation, and Privacy Concerns

Thesis Submitted for Graduation with Interdisciplinary Honors in the Departments of Mathematical Methods in the Social Sciences and Economics

Northwestern University

Weinberg College of Arts and Sciences

Authors: Christina Letsou, Hanchen Wang, Merry Xiao Advisor: Professor Robert Porter

May 2014

1

Table of Contents:

Acknowledgements: ... 2

Abstract: ... 3

Introduction: ... 4

Literature Review: ... 6

Survey of Data: ... 19

Methodology: ... 27

Formal Model: ... 37

Results: ... 44

Further Discussion: ... 60

Conclusion: ... 63

Appendix: ... 64

Bibliography: ... 205

2

Acknowledgements:

This research paper would not have come together without the guidance and dedication

of several people. We would like to thank Sarah Ferrer for putting up with us and answering all

of our questions for four years, and making the Mathematical Methods in the Social Sciences

(MMSS) program what it is today. Thanks to Professor William Rogerson and all he has done

for the MMSS program. Thanks for Professor Joseph Ferrie for coordinating the MMSS thesis

program. Thanks to Professor Robert Porter for being our thesis advisor and for tirelessly giving

us contacts to ask for information. Thanks to Avi Goldfarb, Patrick Greenlee, Shane Greenstein,

Keith Anderson, and Aviv Nevo for being these contacts and providing us with many different

directions to run from in the beginning. Thanks to Jonathan Forman for helping us find the

effective years for our legislation. Finally, thanks to our parents - Peter and Felicity Letsou,

Haiyun and Helen Xiao, and Wenjia Wang and Feihong Gao - for providing unquestioning

support throughout our four years of education, and many years before and after.

3

Abstract:

This paper examines if legislative responses to cybercrime have produced effective results. The primary hypothesis is that legislations that define and attempt to proscribe activities associated with cybercrime will decrease reported instances of victimization. Furthermore, this paper also studies how varying degrees and types of legislation affect instances of cybercrime.

The secondary hypothesis is that the more specific and onerous various legislation are, the

greater the extent of their impact. The evidence from the data collated for this study refutes the

primary hypothesis, while providing only partial and conditional support for the secondary

hypothesis. Nonetheless, some firm conclusions stand out as noteworthy. First, to date,

implementation of legislation lags victimization, and also has not been successful at curbing the

growth of cybercrime. Next, individual state based effects are dominant in almost every domain

of analysis, namely trend growth rates of victimization, effectiveness of legislation, as well as

strictness of legislation. This suggests that local effects are important and hence compels the

need to obtain more data. Furthermore, this study found substantial covariation within the pool

of available victimization data as well as legislative data.

4

Introduction:

The inception of the Internet has led to new and fantastic capabilities for people all around the world. Users can communicate, share thoughts and ideas, and buy products through the Internet, even though the participants may be thousands of miles apart. This online marketplace for users has evolved at a rapid rate; simultaneously, the Internet as a new frontier for commerce, exchange, and interaction has led to the inception of an entirely different realm of crime - cybercrime. In recent years, people have become more aware of as well as concerned about some dangers of the Internet, which include identity theft, illegal pirating, hacking, and even cyberbullying. Given the novelty and pace of technological innovation, the appropriate response to such cybercrimes is still unclear. While much of the criminal activity online has a counterpart in the offline world, the parallels between cybercrime and traditional crime are rapidly breaking down, and along with that, the ability to apply existing legislative frameworks is also proving less effective.

First, conflicting interests make it difficult to negotiate a middle ground when it comes to legislation. The expanding pervasiveness of the Internet has compelled governments to react in order to mitigate these new forms of cybercrimes by enhancing and modifying existing enforcement policies, or else by passing new laws. These policies fostered heated public debate.

On the side of the proposition for tougher rules regarding online behavior, advocates point to the

record of damage done by misuse of computer resources, as well as the potential for even greater

losses in future. On the side of the opposition, there has been substantial resistance against type

of monitoring, disclosure, and reporting requirements necessary for many of these types of

legislations to be effective: unsurprisingly, there is reluctance to give up freedoms and liberties

online to the government in exchange for a safer cyber-experience. Consequently, the objectives

5 of maintaining user privacy and promoting online freedom are at odds. Nonetheless, the topic of cybercrime will only gain more importance over time.

Second, there is an urgency to develop appropriate legislative responses to cybercrime.

As a greater share of activities, both public and private, takes place in the online world, all parties become ever more vulnerable to criminal activity. Furthermore, cyber-criminals are also developing sophistication and gaining audacity, intruding into ever more sensitive domains of information. They are finding more subtle and less detectable means to become privy to confidential information and exploiting such knowledge with ever more malicious intent. The prevalence of cybercrime is so widespread that most people probably know someone who has been affected by some degree of cybercrime.

Given the dual premise outlined above: the importance of legislative responses to

cybercrime as well the appropriately ambivalent response to such legislation, further action from

the government should be taken with sensitivity to the nuances and subtleties of the potential

impact of policies. It seems reasonable to believe that the existing government regulation of the

Internet should decrease the instances of cybercrime or at least curtail its growth, otherwise it

would be difficult to ever justify a push for such legislation. This paper aims to identify the

relationship between cybercrime legislation and victimization. Primarily, have legislative

responses to cybercrime produced effective results? The hypothesis is that legislations that

define and attempt to proscribe activities associated with cybercrime will decrease reported

instances of victimization. Secondly, how do varying degrees and types of legislation affect

instances of cybercrime? The hypothesis is that the more specific and onerous various

legislation are, the greater the extent of their impact.

6

Literature Review:

Research into the virtual world and its social implications has taken on ever increasing importance as the usage of the internet proliferates and a greater proportion of our productive and leisurely activities are taken online. This paper attempts to focuses on the topic of cybercrime in general and how it extends to public and legislative responses. Literature produced more recently gives insights into present world Internet issues and concerns, though more dated articles are still applicable to the issue of cybercrime and Internet security. These studies tend to spread themselves across a wide spectrum of topics and there has yet to be a strong body of work that focuses with great specificity on any particular issue. Moreover, existing literature leans to a much greater degree towards qualitative rather than quantitative analysis. Thus, the existing body of literature on social issues, particularly with respect to public policy, justifies the work of this paper: a data driven analysis of quantitative models, in order to produce an initial catalog of evidence to advance debates about internet regulation. In particular, this paper seeks to augment the body of quantitative work on cybercrime. With regards to existing literature, this paper will first discuss the qualitative research on cybercrime and Internet security, address the quantitative studies that have been executed, and finally, examine the commonalities between the literatures.

The qualitative literature regarding cybercrime and Internet security subdivides into three

main categories: general cybercrime, privacy rights, and legislative responses. General

cybercrime pertains to the types of dangers prevalent in the cyber-world today. One main type

of cybercrime that is widespread is harmful software, also known as malware, which can have a

range of effects including identity thefts, spreading viruses, stealing email addresses, and stealing

7 other pieces of personal information. The development of the Internet and technology increased the creation of malware, which can infect a vast network of both companies’ and individuals’

computers. Niels Provos discussed the prominence of malware attacks in his article “Cybercrime 2.0: When the Clouds Turn Dark”. This article found that attackers are driven by economic incentives to turn their malware product into profit. Economic incentives are known to be effective, which perpetuates the development of malware and the prominence of attacks in the cyber-world. Provos also addressed the pitfalls of the Internet circa 2009 such as rapid browser development and the increasing complexity of web pages. Rapid development of web pages introduces new vulnerabilities that require more effort to detect attacks since web pages are composed of more elements. Provos suggested possible solutions to this issue such as securing web services, providing more security updates, and detecting social engineering attacks to prevent malware attacks. This article is relevant because it highlighted the importance of security on the Internet in response to a main type of cybercrime. While the article suggests that Internet regulation can help to decrease instances of data breaching and identity thefts, it does not provide evidence to this end (Provos, 2009).

Further expounding on the topic of malware, Thomas Holt examined the various forms of

malware that exist in recent society in his article “Examining the Forces Shaping Cybercrime

Markets Online”. He discussed the extent to which hackers use this information to acquire

private information and execute attacks on firms and individuals. Malware can have detrimental

effects on its victims as Holt reported from the Computer Security Institute survey in 2009 that

participating companies lost an average of $40,000 dollars per respondent due to viruses and

another $400,000 due to another form of malware called botnet infections (Holt, 2013). What is

unique about this article is that it examined the relationship between buyers and sellers of

8 malware. Holt determined that price, customer service, and trust drive the market for malware - work that can be used to study hacker and attacker habits to hinder the effectiveness of the market for malware. This article is relevant as it provides a background on types of hacking techniques, but this study delves deeper into determining whether bolstering security on the Internet diminishes the spreading of malware (Holt, 2013).

As evidenced by the works of Holt and Provos, literature on tools of cybercrime mainly centers on malware, as opposed to network intrusion, phishing, and software piracy. Of these, malware, network intrusions, and phishing are the primary tools for data breaches which can result in identity theft, fraud, and dissemination of confidential information. In particular, malware appears to be the most common tool for cybercrime. The consequences of malware and other tools are of primary concern in society today as they are affecting an ever increasing number of people. In addition to the increased instances of identity theft and fraud as a result of cybercrime, public reaction and concern over privacy rights has increasing importance as well.

The arrival of the Internet allowed for ecommerce and various social media to develop, which have proven to be extremely useful, as shown by the success of major ecommerce retailers such as Amazon.com and major social networks such as Facebook, Twitter, and Instagram. Though ecommerce and social media are extremely popular and have been useful in recent years, their development also has cause for concern. Many users of popular websites are not aware that data about them is recorded and kept by companies for market research or advertising purposes.

Occasionally this personal data can be breached by hackers, providing them access to users’

personal information without direct consent from the users. The emergence of hacking and

personal data collection by major companies has caused individuals to fight for their privacy

rights.

9 The definition of privacy rights on the internet is relatively nuanced, and requires some degree of subtlety. Does the personal information collected by an ecommerce website belong to the user who inputted their personal data or to the company? There are arguments for each case and it is clear that an attempt to define such a privacy right is necessary.

First, consider one of the ways that websites collect their users’ personal information:

cookies. Cookies are short snippets of code that web services use to identify computers and have become prominent in the cybersphere. Nichoel Forrett, in his article "Cookie Monster:

Balancing Internet Privacy with Commerce, Technology, and Terrorism", analyzed the effect of cookies on consumers’ usage of the Internet and the implications that cookies have on consumers’ privacy rights. There are certainly advantages to cookies because they are useful for online advertising purposes and analysis of website activity. However there are a multitude of disadvantages as well. Forrett discussed the negative consequences of cookies including identity theft, stealing email addresses, spreading viruses, and stealing personal information (Forrett, 2004). Consequently, consumers become angry with the bombardment of advertisements and the implications for their privacy. The article then discussed the legitimacy of privacy rights on the Internet and current legislation in place to address this issue. There is concern over whether or not the Internet constitutes a zone of privacy, especially since the Internet is a public domain.

Forrett concluded by proposing several solutions to the threat of decreased Internet privacy, one

such solution being to better inform users of the dangers of the Internet and to be cautious of the

data they are revealing (Forrett, 2004). Forrett’s research on cookies is clearly relevant to the

topic at hand, as cookies provide access to private consumer information that can be used to steal

a consumer’s identity. The article also provides useful information about the current regulation

of the Internet, which will be discussed later.

10 Furthermore, there has also been research into the valuation that users of the Internet place of their privacy. One such valuation is a willingness to pay for better Internet privacy.

Nicole Piquero, Mark Cohen, and Alex Piquero, in their publishing “How Much is the Public Willing to Pay to Be Protected from Identity Theft?”, used survey data from residents in the four states of Illinois, Louisiana, Pennsylvania, and Washington to assess the public’s willingness to pay for a government program that would reduce the likelihood of online identity theft. This topic is one of high importance and controversy, since identity theft is something that can happen to anyone, yet can be prevented by personal precautions. Because of this the consequences of additional government intervention are debated. The authors found that between 40% and 66%

of people would be willing to pay for a program that would reduce the likelihood of identity theft under two proposed programs: one promised a 25% reduction in identity theft and the other promised a 75% reduction. When promised a higher reduction in identity theft, the percentage of the public willing to pay for such a program increased. On average, the public would pay $87, the number being higher among ethnic people with multiple credit cards, and who already take steps to protect themselves (Piquero, Cohen, and Piquero, 2010).

One advantage of this quantitative type of survey is that it assigns a dollar amount to the

public’s willingness to pay for increased security. Another is that it is more accurate than a

simple approval or disapproval choice, since respondents have to perform a quick cost-benefit

analysis, allowing a more direct comparison to other policies. A disadvantage is that online

privacy is a public good, so the bystander effect (where people are less likely to take action when

there are many people around them witnessing the same phenomenon) may be visible, as well as

the hypothetical bias since no one is actually paying money at the time (Piquero, Cohen, and

Piquero, 2010). Though Piquero, Cohen, and Piquero’s article is very useful since it assigned a

11 quantitative amount to a user’s willingness to pay for increased protection from identity theft, a problem with this study is that it assumed that the property right for personal data belongs to companies or web services rather than the users of the Internet. It is not clear to whom this right should be assigned, again giving a nod to the intricacies of Internet privacy rights. This article also walks the line between qualitative and quantitative; because the methodology involves surveys and stated preferences instead of real-world data; this seems to be a mostly qualitative article, giving insight into people’s preferences.

A different direction into the valuation of individual privacy rights is offered by James Nehf, who explored the behavioral reasons why people make online decisions and whether or not they divulge a lot of information in his paper “Shopping for Privacy on the Internet”. Consumers in controlled studies have revealed their preferences for privacy: people are willing to trade their privacy for other benefits, but only small, trivial pieces of information; more educated and experienced users tend to take more steps to protect their personal information; and that more information is shared when the user feels a personal connection with the data collector.

However, as expected, real-life decisions do not fit nicely and rationally with these controlled expectations - usually because in the real world, people do not have the full information needed to make these rational decisions. Users also need to choose between three goals (accuracy, cognitive ease, and emotional comfort) when making decisions and try to rationalize choosing one goal over the other (for example, taking a website at face value when it says it is private and not digging deeper into the truth, telling themselves that a privacy issue will be solved in the future, when in fact they won't know most of the time if their privacy has been breached, etc.).

Therefore, when consumers are making online decisions regarding privacy, they make irrational

decisions compared to the controlled studies (Nehf, 2014). These studies are useful to the topic

12 at hand because they reveal the behavior of Internet users. Further research could be done to determine precisely what aspects of the Internet tend to cause people to make dangerous decisions that could result in dangerous consequences such as identity theft. This type of information could suggest how the public needs to be educated to use the Internet in a safer way.

Put together, these authors inform a reasonable perspective of the kinds of data that would pose a threat to individual or organization well-being of the data was breached. However, the definition of privacy rights requires a further degree of refinement; the value placed on privacy on the Internet does not in and of itself provide a sufficient justification for users to claim a right to their personal information or even begin to examine how companies or web services might be obligated to respect and defend such a right. To gain a foothold on this discussion, the following paper surveys the efforts that have been undertaken in the legislative sphere in the United States to directly address Internet privacy rights.

M. S. Smith provided an early review into questions regarding Internet privacy.

Although the landscape of services and interactions available on the Internet barely resemble what Smith would have been looking at, her insights are a useful starting point for discussions about the fundamental issues and questions that policies designed for the Internet must address.

Smith began with a discussion about websites’ responsibilities to notify users of the collection of

their personal data. The article also described the methods available at that time for obtaining

consumer information and the options that consumers had to avoid collection of their private

information. Importantly, Smith also posed the question (but did not offer an answer) as to

whether federal websites should be subject to the same information practices as suggested for

general websites, since there is concern over government access of personal information as

evidenced by WikiLeaks and Edward Snowden’s disclosure of many classified documents.

13 Smith also identified a set of policy recommendations to advocate for consumer privacy such as four fair information practices for web sites, seals to show that websites abide by privacy principles, and the National Advertising Initiative (Smith, 2000).

One key step towards crafting reasonable policy is to identify the relevant stakeholders in privacy concerns. Nigel Martin and John Rice offered some insights into this complex issue by specifying groups based on the nature of their interaction with the internet, discussing some the concerns that arise from their participation, before offering some insights on how best to address these concerns. They analyzed the views from the perspective of a diverse array of private computer users as well as organizations to demonstrate that are a range of concerns over the frequency and severity of security breaches and incursions. Furthermore, they also present the view of law enforcement agencies, as well as from the groups responsible for the technical deployment and maintenance of the infrastructure necessary to support computer users. Finally, the authors consider how users have taken steps to reduce their risk to cybercrime (Martin and Rice, 2011).

A more recent attempt at crafting policy to address privacy concerns was made through

the proposed Privacy and Cybercrime Enforcement Act of 2007, which was introduced to

legislature and discussed, but ultimately not enacted. The act provided victims of identity theft

the ability to seek restitution in federal court for their losses, demanded that agencies and

companies provide appropriate notification when they experience major breaches, and provided

increased funding to investigate and establish programs to fight cybercrime. The hearing

demonstrated the extent of consumer anxiety over identity theft; this concern was motivated at

least in part by reports that between 15,000 and 20,000 consumers contacted the Federal Trade

Commission each week for how to protect against and recover from identity theft (Privacy and

14 Cybercrime Enforcement Act of 2007). Though ultimately not enacted, the hearing provided valuable information about attempts that have been done to regulate the Internet and revealed the level of concern over identity theft in the United States.

Looking across the Atlantic ocean, at comparable legislative debates in the United Kingdom, provides a useful sense of perspective (and also introduces some contrast into the discussion). Brian Runciman described the meetings held at the Conservative and Labour political party conferences on the topic of cybercrime in the United Kingdom. Cybercrime has become a major issue to the extent that the National Crime Agency (dubbed the “British Federal Bureau of Investigation”) has created a cybercrime unit to support national and regional law enforcement on the Internet. The article stated that a major problem with cybercrime is the amazing rate of growth enjoyed by the market for telecommunications and information technology as well as for internet penetration. This growth outstrips the rate at which the public has been able to develop an awareness of the new dangers of cybercrime. The article suggested that the quantitative effects of cybercrime are lacking. Runciman proposed creating a standard protocol for treating cybercrime, which has not been enacted (Runciman, 2013). Since the internet is in many ways borderless, Runciman’s discussion further compels the need the gather the necessary quantitative evidence that begins examining localized legislation and their effects, and then building towards looking at the question internationally.

Although countries and governments have started to take the issue of addressing

criminality on the internet much more seriously, Watney criticized the current approach and

attempted to shed more light on the issue in the hopes of introducing much needed nuance in

policy discussion. Broadly, he considered the legal balancing act between the increased

surveillance that can detect or deter crimes and terrorism and the need to defend privacy rights

15 for citizens. He explored the juxtaposition between the technical (increasing security) and the legal aspects of policy and discussed the extent to which users of an open and global internet should expect to enjoy privacy.

Further developing on the topic of legislative responses to cybercrime, Hildebrandt explored the relationship between the technical features of security responses and how issues of private rights apply to activities if they were conducted offline (such as rights to privacy, due process, freedom of speech, and non-discrimination) map onto online activities. By presenting key considerations from both perspectives and allowing notions of rights to evolve in response to how technology shapes consumer behavior, the author offered a reasonable approach to the trade-offs that are ultimately necessary for policies to offer a well-balanced solution.

Vrhovec looked at the question from the perspective of organizations and looked at how they should answer the question of compliance with privacy legislations as well as the need to be transparent in their behavior. In particular, there are positive effects for all users from some degree of information sharing and limited erosion of privacy. The author considered how the desire to realize these benefits must be balanced against the need to respect the standards enforced by legislation. Ultimately, Vrhovec proposed possible institutional features that could support the resolution of conflicts and ambiguity as they happen, in order to meet their obligations while pursuing the course of action most beneficial to the firm and to users.

It is evident that there is a wide expanse of qualitative literature regarding general

cybercrime issues, privacy rights, and policy responses. This study now turns to examining the

existing quantitative studies which focus on these topics. Initially, a game theoretic model of the

interaction between an anti-terrorist agency and a terrorist organization was analyzed as a guide

for how to map observations in the real world to a theoretical framework. The purpose of the

16 model was to see how varying the level of privacy protection in a country affects the likelihood of a terrorist attack. Tiberiu Dragu determined that privacy and security protection from terrorism do not have to be in conflict and that decreased privacy protection does not necessarily increase security from terrorism. However, he also found that the antiterrorist agency will always want less privacy. The results suggested that hackers will want less regulation of users’

privacy on the Internet, but increasing regulation of users’ privacy will not necessarily decrease instances of data breaching and identity thefts (Dragu, 2010).

With this in mind, it becomes important to understand user behavior and preferences in the context of currently available policies. Given the relative novelty of the Internet, and especially of social media, the literature on quantitative methods to approach the question of online privacy tends to be sparse and relatively unconnected. However, fruitful advances have been made through rigorous surveys of attitudes, including work by Monika Taddicken who conducted a web survey experiment of 3,030 participants to test her multiple hypotheses that terms such as social relevance, number of social networks used, general willingness to self- disclose, age, and gender all affect how much information people are willing to disclose online.

She found that factors such as social relevance, number of social networks, willingness to

disclose, and gender affect an individual's online self-disclosure behavior, while other such as

age do not. For example, individuals might be more willing to disclose more information online

if they thought they could raise their social capital by doing so. Additionally, women's

willingness to self-disclose online was more strongly affected by their online privacy concerns

and general willingness than men's. However, age didn't seem to have any indication of how

much someone was willing to disclose online - interestingly enough, there was a linear

relationship between age and willingness (Taddicken, 2013).

17 Yao, Rice and Wallis also attempted to determine the extent to which individuals are concerned with online privacy. Their experiment was implemented through a survey conducted on college students to test the model that expectations for online privacy as a function of various aspects of individual psychology and attitudes. A key finding from the report was that individual perceptions of the generic concept of privacy rights were a strong determinant of expectation for specific privacy protections (i.e. online privacy), but other factors also had varying degrees of impact, such as internet use fluency, as well as internet use experience (Yao, Rice and Wallis, 2007).

David Siegel, in his paper "Will You Accept the Government's Friend Request? Social Networks and Privacy Concerns", considered the willingness to share personal information online by framing it within the context of the question of security. He tested the dual hypothesis that framing a question with an anti-terrorism bias increases respondent support for online government monitoring, but that an increase in social network usage decreases the sensitivity of users to the same question. He found strong support for both hypotheses. In the first case, he found that there was a statistically significant difference between the favorability of government interference in the treatment group that was asked about terrorism. In the second case, he found that frequent social media users had already considered online privacy losses when on these sites and were less sensitive to the terrorism case; in fact, their sensitivity to the terrorism case was statistically insignificantly different than zero (Siegel, 2013).

Abstracting to the level of the firm, Rochelandet and Tai looked at how legislation

concerning the degree of protection for consumer privacy affected firms’ willingness to locate

within its jurisdiction. The authors argued that in an age of easily accessible data and many ways

to exploit this data for the benefit of firm revenues (e.g. through price discrimination or targeted

18 marketing), laws advocating for consumer become a relative cost to the firms’ operations.

Hence, they hypothesized that increased privacy protection deters firms from settling down in a jurisdiction. Through their survey of corporate activity, they found evidence to support their hypothesis and identified security havens or geopolitical hot-spots where either legislation is weak or enforcement is lax. The authors concluded with the remark that legislation that advocates too strongly for consumers may have the opposite of its intended effect because it takes firms and their actions out of the jurisdiction of these consumer protection laws entirely (Rochelandet and Tai, 2012).

The path through the existing body of work suggests a reasonable outline for the

approach this paper should take to examine the question of cybersecurity. This paper will

concern itself with legislation within the United States defining instances of data breaches, where

such incidences are of interest only when information material to individuals’ privacy rights are

breached. Furthermore, as Holt suggests, it is also of value to consider a broader array of

legislations relating to the misuse of computer resources. In particular, victimization and the

consequences of cybercrime will be considered almost entirely from the perspective of identity

theft, and breaches of networks for the purposes of obtaining personal information (i.e. hacking

and malicious control of systems to manipulate, abuse, or disable systems as well as property

offences such as internet privacy are beyond the scope of this paper’s analysis). Given the

wealth of discussion on legislation, the models of greatest interest will also be those with relation

to legislation, specifically within the United States. Finally, this paper will attempt to minimize

the overlap with existing quantitative analysis by acquiring new data wherever possible,

especially primary evidence about legislation or cybercrime victimization.

19

Survey of Data:

To begin the process of determining how cybercrime legislation affects instances of cybercrime, the first step was to collect as much data as possible on the total instances of cybercrime in the United States as well as any related data. The dependent variables of interest throughout this analysis are any instance of cybercrime, while the independent variables include legislation as well as any related data. Originally included in the definition of cybercrime for data mining purposes were all types of cybercrime such as hacking, identity theft, illegal pirating of movies or music, cyberbullying, data breaches, and more. However, it was difficult to find data for all of these categories, but data for data breaches, identity theft, and fraud was readily available. For this reason, the scope of cybercrime was narrowed down to only include these dependent variables.

The original panel of independent variables found for this analysis included seven different measures. First the year was included to determine the effect over time in the United States. Two of the independent variables represent indicators of the state of the economy: GDP (in 2012 dollars from the Federal Reserve Economic Data (FRED)) and median income (also in 2012 dollars, FRED). Indicators of the economy were included in the original dataset because instances of cybercrime will vary based on the economic and social environment. The four remaining independent variables account for internet usage and financial accounts which may be accessible via the internet. These include the number of households with internet usage (U.S.

Census Bureau), the number of individuals that live in a household with internet access (U.S.

Census Bureau), the number of registered credit cards (Nilson Report), and number of credit

union members (National Credit Union Administration). This panel of independent variables

was selected to account for the state of the economy, the increase in internet usage and traffic

20 over time, and the total number of available opportunities for identity theft and data breaches.

The panel of dependent variables selected to examine included data on data breaches, identity theft, and fraud, as noted previously. Specifically, the dependent variables included total number of cybercrime instances reported as collated (Internet Crime Complaint Center (ICCC, or IC3)), total cybercrime dollar loss (IC3), total number of fraud complaints (Federal Trade Commission(FTC)), total number of identity theft complaints (FTC), number of other network complaints (FTC), number of SSN breaches (Identity Theft Resource Center (ITRC)), several types of breaches including: data on the move, electronic, paper, and hacking (ITRC), total number of data breaches (for categories: all breaches, banking, business, government, medical, and education), and total number of exposed records from data breaches (across the same six categories). These dependent variables were selected because they are all good measures of the different types of cybercrime in the United States.

Once this national data was collected and compiled it was evident that there was insufficient data to make significant conclusions. Some variables had more than 20 years of data while others had merely three or four. In particular, there were only nine years of data from 2004 to 2012 for which a decent amount of the data overlapped due to the relatively young age of the internet and cybercrime as a relevant issue. The period from 2004 to 2012 seemed like a good range to concentrate on since it is plausible to believe that this is when internet penetration was the strongest and cybercrime and online identity theft would become a prominent issue.

However, there were still years in which each variable did not contain data for each year and it

was necessary to extrapolate to create a complete panel of data. Specifically, 18 variables

needed to be extrapolated: households with internet use, individuals with Internet access, all of

the breaches data, number of registered credit cards, and number of credit union members. This

21 left seven combined independent and dependent variables with complete information: GDP, median income, number of fraud complaints, number of identity theft complaints, number of other network complaints, total cybercrime instances reported, and total cybercrime dollar loss.

To extrapolate the variables with missing data points a simple selection scheme was implemented. This simple selection scheme iterated through all possible combinations of two variables with complete information against each variable to be extrapolated. This model computed all possible permutations of variable combinations in order to ascertain the two variables with complete information that produced the best fit for the model, where best fit is analogous to maximizing the F-statistic. By construction, this led to the model with the highest ratio of explained variance to unexplained variance. If one variable had incomplete data, this model of iterative selection would reveal which one of the seven complete variables was most correlated with the variable of interest, or which variables was the best indicator by year for the insufficient variable. After determining which complete variable was the best indicator, a multivariate ordinary least squares regression model of the incomplete variable was run on the selected complete variable and the year. Using the resulting coefficients, the incomplete variable was then extrapolated using a linear estimation to produce predicted values for the missing data points. (Note: linear extrapolation was chosen for simplicity.) This process was repeated for each incomplete variable. Once extrapolation was complete, the dataset contained no missing values.

From here it was necessary to run preliminary regressions in the statistical software

program Stata to see if the extrapolated dataset revealed any useful results. Since the data

contained 18 extrapolated variables, it was important to make sure that regressions involving an

extrapolated variable did not include the complete variable that was used in the extrapolation

22 process. Doing so would result in false results between the two variables, since the variables were correlated by design. Another issue with the dataset is that it only contained nine data points for each variable. This meant that regressing a dependent variable on four or five independent variables would result in strikingly low degrees of freedom. Due to these restrictions, the preliminary regressions began with merely pairwise regressions of the seven variables with complete information across 2004 to 2012. The following is the Stata output of the first preliminary regression:

The above regression is of GDP on the number of fraud complaints. This regression has

a low R-squared value of 0.4656, but a statistically significant p-statistic on the F-test for the

joint significance of the model of 0.0429. This means that a linear relationship may be accurate

to compare GDP and fraud complaints; however the low R-squared implies that this model does

not account for a good portion of the variance. Hence a more detailed regression could better

explain the relationship. Despite this, the coefficient on son GDP is statistically significant at the

5% level with a p-value of 0.043. This low p-value indicates that the relationship between GDP

and total fraud complaints is statistically significant and positive - i.e. that increasing the

instances of fraud complaints increases GDP.

23 The above regression is the second preliminary regression of GDP on the number of identity theft complaints. This regression has a very high R-squared value of 0.9602 as well as a p-statistic on the F-test for the joint significance of the model of 0, as reported by Stata. Also, the coefficient on identity theft complaints is statistically significant at the 5% level with a p- value of 0. This means that there is significantly positive relationship between GDP and the total number of identity theft complaints, and that a linear regression is a good fit for these two variables.

This regression of GDP on other network complaints as reported by the FTC has a low R-

squared value of 0.5929 and a good p-statistic on the F-test for the joint significance of the model

of 0.0152. Similarly to the regression of GDP on the number of fraud complaints, these values

and the statistically significant coefficient on other network complaints reveal that while there is

certainly a significantly positive relationship between GDP and other network complaints, the

24 regression is probably not the best model to test the relationship since the R-squared is quite low.

Therefore, further regressions are required to determine a better fit between GDP and other network complaints.

Although these three preliminary regressions give reassurance that there is a strong correlation between GDP and indicators of cybercrime, there are still things to be wary of. In particular, the low R-squared values in two out of the three regressions imply that the regression does not account for an acceptable amount of the variance in the relationship. However, if a more detailed regression were to be run there would be a significant decrease in the degrees of freedom and meaningful results could not be confidently drawn from the model. Additionally, there are only nine data points from which to draw any conclusions. Although there seems to be a statistically significant relationship between GDP and indicators of cybercrime given the available, it is difficult to be very confident in these conclusions due to the lack of data.

Several more preliminary regressions were completed relating three of the indicators of the cybercrime for which there is complete data (total number of fraud complaints, total number of identity theft complaints, and total number of other network complaints):

The above regression compares the total instances of cybercrime from the IC3 report with

25 the number of fraud complaints. The R-squared is only 0.5929 and the p-statistic on the F-test for the joint significance of the model is 0.0152, which again implies that the model does not explain a significant amount of the variance. However, with a p-value of 0.015 the coefficient on fraud complaints is statistically significant at the 5% level and it can be concluded that occurrences of fraud complaints has a slightly positive effect on the instances of cybercrime.

Thus fraud complaints may be an indicator of cybercrime, validating the belief that fraud complaints is a relevant part of cybercrime.

This regression compares the instances of cybercrime to the instances of identity theft

complaints. Not much can be concluded from this regression as the R-squared is very low at

0.1845 and the p-statistic on the F-test for the joint significance of the model is insignificant at

0.2485.

26 The final preliminary regression relates cybercrime instances with other network complaints. The R-squared is once again not ideal at 0.5901 while the p-statistic on the F-test for the joint significance of the model is significant at 0.0156. The coefficient on other network complaints is significant with a p-value of 0.016, implying that other network complaints has a slightly positive relationship with cybercrime instances. This seems to give evidence that other network complaints may be a good indicator of cybercrime instances, as with the total number of fraud complaints.

After examining these preliminary regressions, it seems to be clear that the dataset in its

described state does not provide very meaningful results, since the R-squared values for each

regression seem to be quite low and the dataset contains very few data points. Additionally,

these results were found before including any of the cybercrime legislation in question, thus it

does not reveal anything useful about government’s effect on cybercrime, as this analysis is

attempting to answer.

27

Methodology:

Because of the drawbacks to the limited national dataset, the direction of exploration on the issue of cybercrime shifted to focus on state data rather than national data. This seemed to be a fruitful direction to proceed in as in the process of looking for legislation, it was discovered that many cybercrime legislations are formulated and implemented at the state level. Proceeding at the state level also would allow regression analysis to be more robust since there would be 51 data points (each state and the District of Columbia) for each year for each variable, increasing the dataset by a significant number. Instead of having only approximately 225 data points, the data set increased to consist of approximately 11,475 data points (51 times the original number of data points). This also meant that some of the variables need to be changed in the preliminary regressions, since state data for some of the previously used variables were unavailable at the state level. (For a list of all the variables used, what they represent, and the source, see Appendix A.)

The variables that translated the most seamlessly from the national level to the state level were GDP (FRED), median income (FRED), total cybercrime instances reported (IC3), total cybercrime dollar loss reported (IC3), all of the FTC data (including fraud complaints, identity theft complaints, total amount paid, and amount paid as a percentage of total reported), and all of the ITRC data breaches and exposed records data. When the GDP and median income data was first retrieved, each state’s value was recorded in real dollars. In order to make accurate comparisons, the yearly GDP deflator index from FRED was used to discount all the real dollar values to 2009 dollars.

In moving to the state level the existing data on internet usage was compromised since

state data for the relevant years (2004 through 2009) did not exist. To obtain data on internet

28 usage by state, an estimate was obtained using two existing data sources: state population estimates from the US Census Bureau and estimates of percentage of internet usage in the United States from the International Telecommunication Union. To compute the estimate, the percentage of individuals in the United States was multiplied by each state’s population. There are drawbacks to this method, since each state’s internet use may not be directly proportional to the nationwide estimate, but it is reasonable to believe that this is a fairly accurate estimate. In particular, differences in the estimates produced by this means of extrapolation can err in two ways: a fixed effect for each state leading to a persistent offset to the estimates, and idiosyncratic growth patterns in internet usage, which leads to a growing divergence between estimates and the true value. The first error is not significant, since the estimates are used within the context of a panel dataset that assumes state-based fixed effects; this negates the persistent offset. The second error is more pernicious; however, a statistical comparison against actual data for internet usage (albeit across a very limited time period) provided the necessary confidence in the quality of the estimated data. Specifically, a linear longitudinal panel model with state fixed-effects was implemented. (For all regression outputs, see Appendix B.) From the fitted values for the regression, it is relatively evident that the estimates are appropriate. In particular, the statistical significance of the linear coefficient provides confidence that the growth trend did not suffer from excessive idiosyncrasies. Furthermore, the R-squared values reported finds that the model explained at least 55% of the state-variant changes, and at least 99% of the time-variant changes.

Some other variables brought issues when converting to state level analysis. For

instance, the total number of credit cardholders and the number of credit union members were

not available by year and state. Instead, data on credit card debt per capita and percent of credit

card debt 90+ days delinquent from the Federal Reserve Bank of New York (FRBNY) Consumer

29 Credit Panel was used as a substitute for data on credit cards. While this data does not measure the same factors, it is still useful because it provides insight into credit card usage and behavior in the economy.

Even after collecting all of the state data there were some issues that needed to be addressed with the resulting dataset. First, the multitude of sources used to collect state data could lead to measurement error since some sources could be compiling their data from overlapping records and reports. Hence this analysis runs the risk of double counting certain instances of cybercrime. However, usually the following regressions include only one measure of cybercrime instances, so this is not a major concern. Second, there are still years for which certain data is missing. It is important to recognize that having several years of missing data and needing to extrapolate a significant amount of data points also dilutes our dataset. However, there is little that could have been done to mitigate these effects since the amount of available data was quite limited. The significance of the extrapolation of missing data points will be analyzed later.

Mentioned above was the prevalence of state cybercrime legislation. State legislation on

cybercrime was obtained in two different categories: internet privacy legislation from the

National Conference of State Legislatures (NCSL), and data breach reporting legislation from

the Commercial Law League of America. The internet privacy legislations in the following

categories related to cybercrime were used in this analysis: computer crime, phishing, spyware,

and computer tampering. From these legislations, a variable for each category was developed to

indicate whether a state had that type of legislation in a given year. The dates for the last

amendments to each legislation were obtained through the WestLaw database. Because there

were four different types of laws and each piece of legislation had so many nuances that would

30 have been very time consuming and subjective to compare and rank, these laws were measured on a binary scale. For each category of internet privacy legislation, a value of 1 was assigned to each state and year if the state in question had that type of legislation in the year in question and 0 to each state if they did not.

Data breach legislation data proved to be a bit more complicated to construct. To obtain a measure of the strictness of each state’s data breach legislations, the definitions of personal information as described by the state laws were examined and found to contain 19 different qualifiers of personal information (including name, address, SSN, financial account numbers, etc.). Tallying these qualifiers for each state law on data breaches gave an estimate of the severity of the data breach legislation. Some states only named a few of the 19 different qualifiers as pieces of personal information that, if leaked, would lead to a data breach report, while others named several, and a couple, all 19. It naturally follows that the states that have more qualifiers have more stringent data breach reporting policies, since there will be more reports.

Furthermore, some state data breach laws allow certain exceptions to submitting a data

breach report. The exceptions are if information is redacted, encrypted, or public; for instance,

Arizona’s data breach law does not require a report to be submitted if personal information is

redacted. This means that Arizona will report a substantially less amount of data breaches than a

state that requires a report even if the personal information is redacted. Some states do not have

any exceptions. An estimate of about 40% of all data breaches contain encrypted personal

information was found from the Data Breach Report of 2012 by the California Department of

Justice. Based on this estimate, approximately 60% of all personal information from data

breaches is public and 10% is redacted. Once the tallies of qualifiers of personal information

31 were obtained, a multiplier was used to adjust for the exceptions based on the type of exception allowed. The multiplier is equal to:

1 − 𝑋

where X

equals the decimal percentage of personal information from exception-type-i. For instance, the multiplier for an exception on redacted data is 1 - 0.1 = 0.9. If a state has no exception, then the multiplier is 1. This measure seems to be meaningful since it provides a rough percentage of data breaches that are required to be reported, based on the state exception rule.

Counting the qualifiers in a state’s data breach law and using the respective multiplier based on the state’s exception rule results in raw score from ranging from 1 to 19 (including decimals). To obtain a scaled score from 1 to 10 (integers only) the following scheme was used:

Figure I: Scaled Personal Information Definition Score

Raw Score (0-19) Scaled Score (1-10)

0 0

2 1

2.1 - 2.5 2

2.6 - 3 3

3.1 - 4 4

4.1 - 4.4 5

4.5 - 5 6

5 - 7 7

7.1 - 8 8

8.1 - 15 9

15.1 - 19 10

The above scheme gives us an even distribution of strictness of state data breach laws.

32 To verify, a histogram of the score was plotted, and based on the distribution of the score over the range, this scheme gives the following distribution:

Figure II: Distribution of Scaled Scores

This scoring scheme distributes the raw scores of the personal information definition of each data breach law so that each scaled score encompasses at least one data breach law. Scaling the scores in this way allows for accurate differentiation between the severity of each state’s definition of personal information within their data breach law. At each year in the time period of study, the stringency of state definitions of a “breach of personal information” by the strictness of the last enacted law effective in that year were encoded. As with most laws that deal with technology, data breach laws tend to be updated to keep pace with technical progress, and often override their preceding laws; hence, it is reasonable to believe it is justified to score a state based on its most recent legislation.

Each state also had different requirements for actions that firms, organizations, and

33 government agencies must take in the event of a data breach. In this case, another scale from 1 to 10 was used to score reporting requirement. The scheme started with a base score of 7 for each state that had any reporting requirements, and then proceeded to adjust the score according to stipulations below:

Figure III: Score Adjustments for Reporting Requirements

Stipulation Score adjustment

Each exception to reporting requirements, which allow for a period

of delay or appeal action -1

Each case of exemption on any class of data -2

Each punitive measure imposed on reporting organization +1

Each requirement for future preventive action +2

Similar to the encoding scheme for definitions of personal information, the score was encoded each year for each state based on the score for the last piece of legislation (i.e. the prevailing rule in each state that are in effect for that year). Hypothetically, if Rhode Island had two reporting exceptions for law enforcement and national security, its reporting requirement score would be 5. One last measure of data breach legislation was compiled as well, which is similar to the variables for the internet privacy legislation. This final variable is a binary which assigns a value of 1 to each state and year if the state in question had data breach legislation in the year in question and 0 to each state if they did not.

After collecting all available state data for the 2004-2012 time period, several independent and dependent variables did not have complete information for each year. To solve this problem, each variable with incomplete information across years needed to be we extrapolated. In particular, there were a total of 18 variables which needed to be extrapolated:

IC3 dollar loss, fraud complaints, identity theft complaints, dollar amount paid from fraud

34 complaints, percentage of fraud complaints reporting amount paid, projected amount paid if all fraud complaints reported, total number of data breaches (for categories: all breaches, banking, business, government, medical, and education), and total number of exposed records from data breaches (across the same six categories). This left us with six variables with complete information that we used to extrapolate the incomplete variables: IC3 complaints, GDP, median income, number of individuals with access to the internet, credit card debt balance per capita, and percent of credit card debt 90+ days delinquent.

From here it is necessary to determine the best way to extrapolate each variable. The methods of extrapolation considered in this process were a simple linear extrapolation and a logarithmic extrapolation. A first look at the list of variables that needed to be extrapolated immediately revealed that several should be extrapolated linearly. These variables were all of the data breach variables including every category of total number of data breaches and total number of exposed records from data breaches, for a total of 12 variables to be extrapolated linearly. It was evident that linear extrapolation should be used for these variables for two reasons: first, there were many years and states for which the value was zero and the data point would be dropped in Stata (the statistical program used for analysis) when taking the log of that value (since ln(0) is undefined); second, by looking at the data obtained, it seemed to be clearly following a linear path, rather than an exponential one.

To determine which method was the most appropriate for the remaining incomplete

variables, the difference between each year for each state and the percent change between each

year for each state were computed for all remaining variables. Comparing goodness-of-fit for

the difference and the percent change allows for an accurate choice of which method of

extrapolation to use: if the difference of the variable in question provided better goodness-of-fit,

35 linear extrapolation would be chosen and if the percent change was better, logarithmic extrapolation would be chosen. To see which parameter (difference or percent change) provided a better goodness-of-fit, the coefficients of variation for each parameter were compared. If both of the coefficients of variation were greater than three, the parameter for which the coefficient of variation was lower was selected. If only one of the coefficients of variation was less than three, the parameter with the coefficient of variation less than three was selected. If both of the coefficients of variation were less than three, the skew of the difference and the percent change were compared and the parameter for which the skew was lower was selected. Through this method, two additional variables were extrapolated linearly (IC3 dollar loss and fraud complaints) and four more variables were extrapolated logarithmically (identity theft complaints, dollar amount paid from fraud complaints, percentage of fraud complaints reporting amount paid, and projected amount paid if all fraud complaints reported). For the variables that underwent logarithmic extrapolation, the logarithm of each of these variables, l_variablename, and the logarithm of the six variables with complete data were generated. These logged values were then used in the following formal models for variables requiring logarithmic extrapolation.

Once the preferred method of extrapolation was selected for each incomplete variable, the extrapolation followed one of two processes. The first process is simple linear extrapolation based on year and the second process is a simple linear extrapolation using one of the variables for which we have complete data. To choose between the processes:

Step 1: Run a multilinear regression on panel data using fixed effects of the target

variable on one data variable, and year. Repeat for all the data variables for which we have

complete data.

36 Step 2: Compare F-statistic from the above regression. Choose the regression(s) where the probability that the variables are jointly insignificant is at a minimum. If the minimum value is greater than 10%, stop the process and do not extrapolate the variable. If the minimum value is less than 10% and there are multiple regressions for which the minimum is equal, choose the regression with the higher within-variable R-squared value.

Step 3: In the chosen regressions determine if the data variable and the year are statistically significant. If both are statistically significant choose the second model. If the data variable is not statistically significant choose the first model. (The data variable was chosen over the year whenever possible because of the assumption that variation in the data variable is more informative than the linear trend predicted by year.)

These steps helped to choose the data variable with the strongest statistical relation to the target variable. The second step ensured that the choice of variable has statistical importance and that it had the greatest degree of explanatory power within the simple linear fixed effects model in which states are allowed to have independent initial states, but move in the same direction.

The last step ensured that the data variable of choice is at least as good as a linear growth model;

if not, then simply use the year as a proxy for growth. Using this process all variables were

extrapolated except four (total number of exposed records from data breaches in the following

categories: all, business, banking, and medical) and the first process (based on year) was never

chosen for extrapolation. Because the first process was never chosen it makes sense to believe

that the extrapolation captures secular variations in our variables, at least to the extent that these

variations are correlated to the variable of choice.

37 (1)

Formal Model:

To begin, a base model is formulated to test for the effect of legislation on each dependent variable for which data was available.

𝑦

= 𝛼

+ 𝑢

+ 𝜷

𝑩𝒂𝒔𝒆 + 𝜷

𝑿

+ 𝜷

𝑿

+ 𝜀

where:

𝑩𝒂𝒔𝒆 =

𝐺𝐷𝑃 𝑀𝑒𝑑𝑖𝑎𝑛  𝐼𝑛𝑐𝑜𝑚𝑒 𝐼𝑛𝑡𝑒𝑟𝑛𝑒𝑡  𝑈𝑠𝑎𝑔𝑒  

𝑿

=

𝐶𝑜𝑚𝑝𝑢𝑡𝑒𝑟  𝐶𝑟𝑖𝑚𝑒 𝑃ℎ𝑖𝑠ℎ𝑖𝑛𝑔 𝑆𝑝𝑦𝑤𝑎𝑟𝑒 𝐶𝑜𝑚𝑝𝑢𝑡𝑒𝑟  𝑇𝑎𝑚𝑝𝑒𝑟𝑖𝑛𝑔

𝐷𝑎𝑡𝑎  𝐵𝑟𝑒𝑎𝑐ℎ𝑒𝑠  

𝑿

= 𝑃𝑒𝑟𝑠𝑜𝑛𝑎𝑙  𝐼𝑛𝑓𝑜𝑟𝑚𝑎𝑡𝑖𝑜𝑛 𝑅𝑒𝑝𝑜𝑟𝑡𝑖𝑛𝑔  𝑅𝑒𝑞𝑢𝑖𝑟𝑒𝑚𝑒𝑛𝑡  

This model attempts to answer two questions of interest. First, controlling for GDP,

Median Income, and Internet Usage, does the presence of cybersecurity laws (including

computer crime laws, phishing laws, spyware laws, computer tampering laws, and data breach

laws) produce a pronounced decrease in the indicators of cybercrime? GDP, Median Income,

and Internet Usage are controlled in the analysis because they reflect the state of the economy

and they might affect the amount of cybercrimes in some systematic way. Second, does the

strictness of data breach laws have any effect on indicators of cybercrime? The data was

controlled for state fixed-effects--however, the model primarily demonstrates the national effect

of the presence of laws and the strictness of laws, i.e. these laws have the same effect regardless

of which state they were implemented in. In sum, this model suggests a high level indicator of

the effectiveness of cybercrime legislation in the United States, controlling for relevant factors.