PLOS One. 2024 Apr 10;19(4):e0297312. doi: 10.1371/journal.pone.0297312

Mapping the global geography of cybercrime with the World Cybercrime Index

Miranda Bruce, Jonathan Lusthaus, Ridhi Kashyap, Nigel Phair, Federico Varese
Editor: Naeem Jan
PMCID: PMC11006133  PMID: 38598553

Abstract

Cybercrime is a major challenge facing the world, with estimated costs ranging from the hundreds of millions to the trillions. Despite the threat it poses, cybercrime is somewhat of an invisible phenomenon. In carrying out their virtual attacks, offenders often mask their physical locations by hiding behind online nicknames and technical protections. This means technical data are not well suited to establishing the true location of offenders and scholarly knowledge of cybercrime geography is limited. This paper proposes a solution: an expert survey. From March to October 2021 we invited leading experts in cybercrime intelligence/investigations from across the world to participate in an anonymized online survey on the geographical location of cybercrime offenders. The survey asked participants to consider five major categories of cybercrime, nominate the countries that they consider to be the most significant sources of each of these types of cybercrimes, and then rank each nominated country according to the impact, professionalism, and technical skill of its offenders. The outcome of the survey is the World Cybercrime Index, a global metric of cybercriminality organised around five types of cybercrime. The results indicate that a relatively small number of countries house the greatest cybercriminal threats. These findings partially remove the veil of anonymity around cybercriminal offenders, may aid law enforcement and policymakers in fighting this threat, and contribute to the study of cybercrime as a local phenomenon.

Introduction

Although the geography of cybercrime attacks has been documented, the geography of cybercrime offenders–and the corresponding level of “cybercriminality” present within each country–is largely unknown. A number of scholars have noted that valid and reliable data on offender geography are sparse [1–4], and there are several significant obstacles to establishing a robust metric of cybercriminality by country. First, there are the general challenges associated with the study of any hidden population, for whom no sampling frame exists [5, 6]. If cybercriminals themselves cannot be easily accessed or reliably surveyed, then cybercriminality must be measured through a proxy. This is the second major obstacle: deciding what kind of proxy data would produce the most valid measure of cybercriminality. While there is much technical data on cybercrime attacks, this data captures artefacts of the digital infrastructure or proxy (obfuscation) services used by cybercriminals, rather than their true physical location. Non-technical data, such as legal cases, can provide geographical attribution for a small number of cases, but the data are not representative of global cybercrime. In short, the question of how best to measure the geography of cybercriminal offenders is complex and unresolved.

There is tremendous value in developing a metric for cybercrime. Cybercrime is a major challenge facing the world, with the most sober cost estimates in the hundreds of millions [7, 8], but with high-end estimates in the trillions [9]. By accurately identifying which countries are cybercrime hotspots, the public and private sectors could concentrate their resources on these hotspots and spend less time and funds on cybercrime countermeasures in countries where the problem is limited. Whichever strategies are deployed in the fight against cybercrime (see for example [10–12]), they should be targeted at countries that produce the largest cybercriminal threat [3]. A measure of cybercriminality would also enable other lines of scholarly inquiry. For instance, an index of cybercriminality by country would allow for a genuine dependent variable to be deployed in studies attempting to assess which national characteristics–such as educational attainment, Internet penetration, or GDP–are associated with cybercrime [4, 13]. These associations could also be used to identify future cybercrime hubs so that early interventions could be made in at-risk countries before a serious cybercrime problem develops. Finally, this metric would speak directly to theoretical debates on the locality of cybercrime, and organized crime more generally [11–14]. The challenge we have accepted is to develop a metric that is both global and robust. The following sections respectively outline the background elements of this study, the methods, the results, and then discussion and limitations.

Background

Profit-driven cybercrime, which is the focus of this paper/research, has been studied by both social scientists and computer scientists. It has been characterised by empirical contributions that have sought to illuminate the nature and organisation of cybercrime both online and offline [15–20]. But, as noted above, the geography of cybercrime has only been addressed by a handful of scholars, and they have identified a number of challenges connected to existing data. In a review of existing work in this area, Lusthaus et al. [2] identify two flaws in existing cybercrime metrics: 1) their ability to correctly attribute the location of cybercrime offenders; 2) beyond a handful of examples, their ability to compare the severity and scale of cybercrime between countries.

Building attribution into a cybercrime index is challenging. Often using technical data, cybersecurity firms, law enforcement agencies and international organisations regularly publish reports that identify the major sources of cyber attacks (see for example [21–24]). Some of these sources have been aggregated by scholars (see [20, 25–29]). But the kind of technical data contained in these reports cannot accurately measure offender location. Kigerl [1] provides some illustrative remarks:

Where the cybercriminals live is not necessarily where the cyberattacks are coming from. An offender from Romania can control zombies in a botnet, mostly located in the United States, from which to send spam to countries all over the world, with links contained in them to phishing sites located in China. The cybercriminal’s reach is not limited by national borders (p. 473).

As cybercriminals often employ proxy services to hide their IP addresses, carry out attacks across national boundaries, collaborate with partners around the world, and can draw on infrastructure based in different countries, superficial measures do not capture the true geographical distribution of these offenders. Lusthaus et al. [2] conclude that attempts to produce an index of cybercrime by country using technical data suffer from a problem of validity. “If they are a measure of anything”, they argue, “they are a measure of cyber-attack geography”, not of the geography of offenders themselves (p. 452).

Non-technical data are far better suited to incorporating attribution. Court records, indictments and other investigatory materials speak more directly to the identification of offenders and provide more granular detail on their location. But while this type of data is well matched to micro-level analysis and case studies, there are fundamental questions about the representativeness of these small samples, even if collated. First, any sample would capture cases only where cybercriminals had been prosecuted, and would not include offenders that remain at large. Second, if the aim was to count the number of cybercrime prosecutions by country, this may reflect the seriousness with which various countries take cybercrime law enforcement or the resources they have to pursue it, rather than the actual level of cybercrime within each country (for a discussion see [30, 31]). Given such concerns, legal data is also not an appropriate approach for such a research program.

Furthermore, to carry out serious study on this topic, a cybercrime metric should aim to include as many countries as possible, and the sample must allow for variation so that high and low cybercrime countries can be compared. If only a handful of widely known cybercrime hubs are studied, this will result in selection on the dependent variable. The obvious challenge in providing such a comparative scale is the lack of good quality data to devise it. As an illustration, in their literature review Hall et al. [10] identify the “dearth of robust data” on the geographical location of cybercriminals, which means they are only able to include six countries in their final analysis (p. 285. See also [4, 32, 33]).

Considering the weaknesses within both existing technical and legal data discussed above, Lusthaus et al. [2] argue for the use of an expert survey to establish a global metric of cybercriminality. Expert survey data “can be extrapolated and operationalised”, and “attribution can remain a key part of the survey, as long as the participants in the sample have an extensive knowledge of cybercriminals and their operations” (p. 453). Up to this point, no such study has been produced. Such a survey would need to be very carefully designed for the resulting data to be both reliable and valid. One criticism of past cybercrime research is that surveys were used whenever other data was not immediately available, and that they were not always designed with care (for a discussion see [34]).

Methods

In response to the preceding considerations, we designed an expert survey in 2020, refined it through focus groups, and deployed it throughout 2021. The survey asked participants to consider five major types of cybercrime–Technical products/services; Attacks and extortion; Data/identity theft; Scams; and Cashing out/money laundering–and nominate the countries that they consider to be the most significant sources of each of these cybercrime types. Participants then rated each nominated country according to the impact of the offenses produced there, and the professionalism and technical skill of the offenders based there. Using the expert responses, we generated scores for each type of cybercrime, which we then combined into an overall metric of cybercriminality by country: the World Cybercrime Index (WCI). The WCI achieves our initial goal to devise a valid measure of cybercrime hub location and significance, and is the first step in our broader aim to understand the local dimensions of cybercrime production across the world.

Participants

Identifying and recruiting cybercrime experts is challenging. Much like the hidden population of cybercriminals we were trying to study, cybercrime experts themselves are also something of a hidden population. Due to the nature of their work, professionals working in the field of cybercrime tend to be particularly wary of unsolicited communication. There is also the problem of determining who is a true cybercrime expert, and who is simply presenting themselves as one. We designed a multi-layered sampling method to address such challenges.

The heart of our strategy involved purposive sampling. For an index based entirely on expert opinion, ensuring the quality of these experts (and thereby the quality of our survey results) was of the utmost importance. We defined “expertise” as adult professionals who have been engaged in cybercrime intelligence, investigation, and/or attribution for a minimum of five years and had a reputation for excellence amongst their peers. Only currently- or recently-practicing intelligence officers and investigators were included in the participant pool. While participants could be from either the public or private sectors, we explicitly excluded professionals working in the field of cybercrime research who are not actively involved in tracking offenders, which includes writers and academics. In short, only experts with first-hand knowledge of cybercriminals are included in our sample. To ensure we had the leading experts from a wide range of backgrounds and geographical areas, we adopted two approaches for recruitment. We searched extensively through a range of online sources including social media (e.g. LinkedIn), corporate sites, news articles and cybercrime conference programs to identify individuals who met our inclusion criteria. We then faced a second challenge of having to find or discern contact information for these individuals.

Complementing this strategy, the authors also used their existing relationships with recognised cybercrime experts to recruit participants using the “snowball” method [35]. This both enhanced access and provided a mechanism for those we knew were bona fide experts to recommend other bona fide experts. The majority of our participants were recruited in this manner, either directly through our initial contacts or through a series of referrals that followed. But it is important to note that this snowball sampling fell under our broader purposive sampling strategy. That is, all the original “seeds” had to meet our inclusion criteria of being a top expert in the first instance. Any connections we were offered also had to meet our criteria or we would not invite them to participate. Another important aspect of this sampling strategy is that we did not rely on only one gatekeeper, but numerous, often unrelated, individuals who helped us with introductions. This approach reduced bias in the sample. It was particularly important to deploy a number of different “snowballs” to ensure that we included experts from each region of the world (Africa, Asia Pacific, Europe, North America and South America) and from a range of relevant professional backgrounds. We limited our sampling strategy to English speakers. The survey itself was likewise written in English. The use of English was partly driven by the resources available for this study, but the population of cybercrime experts is itself very global, with many attending international conferences and cooperating with colleagues from across the world. English is widely spoken within this community. While we expect the gains to be limited, future surveys will be translated into some additional languages (e.g. Spanish and Chinese) to accommodate any non-English speaking experts that we may not otherwise be able to reach.

Our survey design, detailed below, received ethics approval from the Human Research Advisory Panel (HREAP A) at the University of New South Wales in Australia, approval number HC200488, and the Research Ethics Committee of the Department of Sociology (DREC) at the University of Oxford in the United Kingdom, approval number SOC_R2_001_C1A_20_23. Participants were recruited in waves between 1 August 2020 and 30 September 2021. All participants provided consent to participate in the focus groups, pilot survey, and final survey.

Survey design

The survey comprised three stages. First, we conducted three focus groups with seven experts in cybercrime intelligence/investigations to evaluate our initial assumptions, concepts, and framework. These experts were recruited because they had reputations as some of the very top experts in the field; they represented a range of backgrounds in terms of their own geographical locations and expertise across different types of cybercrime; and they spanned both the public and private sectors. In short, they offered a cross-section of the survey sample we aimed to recruit. These focus groups informed several refinements to the survey design and specific terms to make them more comprehensible to participants. Some of the key terms, such as “professionalism” and “impact”, were a direct result of this process. Second, some participants from the focus groups then completed a pilot version of the survey, alongside others who had not taken part in these focus groups, who could offer a fresh perspective. This allowed us to test technical components, survey questions, and user experience. The pilot participants provided useful feedback and prompted a further refinement of our approach. The final survey was released online in March 2021 and closed in October 2021. We implemented several elements to ensure data quality, including a series of preceding statements about time expectations, attention checks, and visual cues throughout the survey. These elements significantly increased the likelihood that our participants were both suitable and would provide full and thoughtful responses.

The introduction to the survey outlined the survey’s two main purposes: to identify which countries are the most significant sources of profit-driven cybercrime, and to determine how impactful the cybercrime is in these locations. Participants were reminded that state-based actors and offenders driven primarily by personal interests (for instance, cyberbullying or harassment) should be excluded from their consideration. We defined the “source” of cybercrime as the country where offenders are primarily based, rather than their nationality. To maintain a level of consistency, we made the decision to only include countries formally recognised by the United Nations. We initially developed seven categories of cybercrime to be included in the survey, based on existing research. But during the focus groups and pilot survey, our experts converged on five categories as the most significant cybercrime threats on a global scale:

  1. Technical products/services (e.g. malware coding, botnet access, access to compromised systems, tool production).

  2. Attacks and extortion (e.g. DDoS attacks, ransomware).

  3. Data/identity theft (e.g. hacking, phishing, account compromises, credit card compromises).

  4. Scams (e.g. advance fee fraud, business email compromise, online auction fraud).

  5. Cashing out/money laundering (e.g. credit card fraud, money mules, illicit virtual currency platforms).

After being prompted with these descriptions and a series of images of world maps to ensure participants considered a wide range of regions/countries, participants were asked to nominate up to five countries that they believed were the most significant sources of each of these types of cybercrime. Countries could be listed in any order; participants were not instructed to rank them. Nominating countries was optional and participants were free to skip entire categories if they wished. Participants were then asked to rate each of the countries they nominated against three measures: how impactful the cybercrime is, how professional the cybercrime offenders are, and how technically skilled the cybercrime offenders are. Across each of these three measures, participants were asked to assign scores on a Likert-type scale between 1 (e.g. least professional) to 10 (e.g. most professional). Nominating and then rating countries was repeated for all five cybercrime categories.

This process, of nominating and then rating countries across each category, introduces a potential limitation in the survey design: the possibility of survey response fatigue. If a participant nominated the maximum number of countries across each cybercrime category–25 countries–by the end of the survey they would have completed 75 Likert-type scales. The repetition of this task, paired with the consideration that it requires, has the potential to introduce respondent fatigue as the survey progresses, in the form of response attrition, an increase in careless responses, and/or increased likelihood of significantly higher/lower scores given. This is a common phenomenon in long-form surveys [36], and especially online surveys [37, 38]. Jeong et al. [39], for instance, found that questions asked near the end of a 2.5 hour survey were 10–64% more likely to be skipped than those at the beginning. We designed the survey carefully, refined with the aid of focus groups and a pilot, to ensure that only the most essential questions were asked. As such, the survey was not overly long (estimated to take 30 minutes). To accommodate any cognitive load, participants were allowed to complete the survey anytime within a two-week window. Their progress was saved after each session, which enabled participants to take breaks between completing each section (a suggestion made by Jeong et al. [39]). Crucially, throughout survey recruitment, participants were informed that the survey is time-intensive and required significant attention. At the beginning of the survey, participants were instructed not to undertake the survey unless they could allocate 30 minutes to it. This approach pre-empted survey fatigue by discouraging those likely to lose interest from participating. This compounds the fact that only experts with a specific/strong interest in the subject matter of the survey were invited to participate. Survey fatigue is addressed further in the Discussion section, where we provide an analysis suggesting little evidence of participant fatigue.

In sum, we designed the survey to protect against various sources of bias and error, and there are encouraging signs that the effects of these issues in the data are limited (see Discussion). Yet expert surveys are inherently prone to some types of bias and response issues; in the WCI, the issue of selection and self-selection within our pool of experts, as well as geo-political biases that may lead to systematic over- or under-scoring of certain countries, is something we considered closely. We discuss these issues in detail in the subsection on Limitations below.

Measures

Using the survey responses, we define the following two metrics: (i) a cybercriminality “type” score for each of the five crime types; (ii) an “overall” score across all types of cybercrime, which we term the World Cybercrime Index (WCI). We calculate the cybercriminality score for each crime type–the $WCI_{type}$ score–in two steps. First, we calculate the average score across the three dimensions (impact, professionalism and technical skill) across all nominations for that country within one of the five cybercrime types. The average score of each measure is then averaged into a “type” score for each country, as shown in Eq (1):

$$\mathrm{CountryScore}_{type} = \frac{1}{nominations} \sum_{i=1}^{nominations} \frac{I + P + TS}{3} \qquad (1)$$

This “type” score is then multiplied by the proportion of experts who nominated that country. Within each cybercrime type, a country could be nominated a possible total of 92 times–once per participant. We then multiply this weighted score by ten to produce a continuous scale out of 100 (see Eq (2)). This process prevents countries that received high scores, but a low number of nominations, from receiving artificially high rankings.

$$WCI_{type} = \mathrm{CountryScore}_{type} \times \frac{nominations}{92} \times 10 \qquad (2)$$

We calculate the $WCI_{overall}$ score for each country using a similar process. First, we calculate the country’s average score ($\mathrm{CountryScore}_{type}$ from Eq 1) for all five cybercrime types. We then average these five type scores together into an overall score. This overall score is then multiplied by the sum of nominations across all crime types, divided by the total possible nominations for each country, which is increased to 460 (once per 92 participants, per 5 cybercrime types). This score is then multiplied by ten to produce a continuous scale out of 100, as shown in Eq (3):

$$WCI_{overall} = \frac{1}{5} \sum_{i=1}^{type} \mathrm{CountryScore}_{type} \times \frac{\sum_{i=1}^{type} nominations}{460} \times 10 \qquad (3)$$

The analyses for this paper were performed in R. All data and code have been made publicly available so that our analysis can be reproduced and extended.
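
The scoring in Eqs (1) to (3), written out as an added Python example; it is not the authors' code (their analysis was done in R). The responses are constructed, the country names Alpha and Beta are placeholders, and because Eq (3) needs a type score for each of the five types, the code raises an error for a country with no nominations in a type rather than guess how that case is treated.

```python
from collections import defaultdict
from statistics import mean

PARTICIPANTS = 92            # completed surveys reported in the paper
MAX_COUNTRIES_PER_TYPE = 5   # nominations allowed per expert per crime type
CRIME_TYPES = (
    "Technical products/services", "Attacks and extortion",
    "Data/identity theft", "Scams", "Cashing out/money laundering",
)


def validate(nominations):
    """Enforce the survey rules from the Methods section on raw records.

    Each record is (expert_id, crime_type, country, I, P, TS).
    """
    if len({rec[0] for rec in nominations}) > PARTICIPANTS:
        raise ValueError("more experts than survey participants")
    seen = defaultdict(set)  # (expert, crime type) -> countries nominated
    for expert, ctype, country, *ratings in nominations:
        if ctype not in CRIME_TYPES:
            raise ValueError(f"unknown crime type: {ctype!r}")
        if len(ratings) != 3 or any(not 1 <= r <= 10 for r in ratings):
            raise ValueError(f"need three ratings between 1 and 10: {ratings}")
        if country in seen[(expert, ctype)]:
            raise ValueError(f"{country} nominated twice by expert {expert}")
        seen[(expert, ctype)].add(country)
        if len(seen[(expert, ctype)]) > MAX_COUNTRIES_PER_TYPE:
            raise ValueError(f"expert {expert} nominated more than five countries")


def group(nominations):
    """Return country -> crime type -> list of per-nomination (I + P + TS) / 3."""
    validate(nominations)
    grouped = defaultdict(lambda: defaultdict(list))
    for _expert, ctype, country, i, p, ts in nominations:
        grouped[country][ctype].append((i + p + ts) / 3)
    return grouped


def country_score(per_nomination):
    """Eq (1): mean of the per-nomination averages of I, P and TS."""
    return mean(per_nomination)


def wci_type(per_nomination, participants=PARTICIPANTS):
    """Eq (2): type score weighted by the share of experts who nominated."""
    return country_score(per_nomination) * len(per_nomination) / participants * 10


def wci_overall(by_type, participants=PARTICIPANTS):
    """Eq (3): mean of the five type scores times the pooled nomination share."""
    missing = [t for t in CRIME_TYPES if not by_type.get(t)]
    if missing:
        # The formula is only evaluated here when all five type scores exist.
        raise ValueError(f"no nominations for: {missing}")
    average = mean(country_score(by_type[t]) for t in CRIME_TYPES)
    total = sum(len(by_type[t]) for t in CRIME_TYPES)
    return average * total / (participants * len(CRIME_TYPES)) * 10


def rank_type(grouped, ctype):
    """Rows of (country, CountryScore, nominations, WCI_type), highest WCI first."""
    rows = [
        (country, country_score(types[ctype]), len(types[ctype]), wci_type(types[ctype]))
        for country, types in grouped.items() if types.get(ctype)
    ]
    return sorted(rows, key=lambda row: row[3], reverse=True)


def constructed_sample():
    """Constructed responses, not survey data: Alpha is nominated widely with
    moderate ratings, Beta is rated 10/10/10 by only two experts."""
    tech, *others = CRIME_TYPES
    noms = [(e, tech, "Alpha", 7, 6, 8) for e in range(60)]
    noms += [(e, tech, "Beta", 10, 10, 10) for e in (0, 1)]
    for ctype in others:
        noms += [(e, ctype, "Alpha", 6, 6, 6) for e in range(23)]
    return noms


if __name__ == "__main__":
    grouped = group(constructed_sample())
    for country, score, n, wci in rank_type(grouped, CRIME_TYPES[0]):
        print(f"{country}: CountryScore={score:.2f} nominations={n} WCI_type={wci:.2f}")
    print(f"Alpha WCI_overall={wci_overall(grouped['Alpha']):.2f}")
```

Beta has the higher raw type score but ranks below Alpha once the nomination share is applied, which is the effect the weighting in Eq (2) is meant to have.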

Results

We contacted 245 individuals to participate in the survey, of which 147 agreed and were sent invitation links to participate. Out of these 147, a total of 92 people completed the survey, giving us an overall response rate of 37.5%. Given the expert nature of the sample, this is a high response rate (for a detailed discussion see [40]), and one just below what Wu, Zhao, and Fils-Aime estimate of response rates for general online surveys in social science: 44% [41]. The survey collected information on the participants’ primary nationality and their current country of residence. Four participants chose not to identify their nationality. Overall, participants represented all five major geopolitical regions (Africa, the Asia-Pacific, Europe, North America and South America), both in nationality and residence, though the distribution was uneven and concentrated in particular regions/countries. There were 8 participants from Africa, 11 participants from the Asia Pacific, 27 from North America, and 39 from Europe. South America was the least represented region with only 3 participants. A full breakdown of participants’ nationality, residence, and areas of expertise is included in the Supporting Information document (see S1 Appendix).

Table 1 shows the scores for the top fifteen countries of the $WCI_{overall}$ index. Each entry shows the country, along with the mean score (out of 10) averaged across the participants who nominated this country, for three categories: impact, professionalism, and technical skill. This is followed by each country’s $WCI_{overall}$ and $WCI_{type}$ scores. Countries are ordered by their $WCI_{overall}$ score. Each country’s highest $WCI_{type}$ scores are highlighted. Full indices that include all 197 UN-recognised countries can be found in S1 Indices.

Table 1. World Cybercrime Index overall–top 15 countries.

| Rank | Country | I | P | TS | WCI Score | Tech | Attacks | Data | Scams | Cash |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Russia | 8.96 | 8.81 | 8.73 | 58.39 | 82.17* | 81.34 | 65.18 | 21.70 | 41.56 |
| 2 | Ukraine | 8.37 | 8.29 | 8.24 | 36.44 | 52.97* | 50.76 | 36.01 | 11.20 | 31.27 |
| 3 | China | 8.22 | 7.70 | 7.81 | 27.86 | 40.22* | 24.24 | 34.89 | 15.83 | 24.13 |
| 4 | United States | 7.99 | 7.21 | 7.21 | 25.01 | 27.64 | 17.68 | 30.36* | 22.72 | 26.63 |
| 5 | Nigeria | 8.25 | 6.49 | 5.80 | 21.28 | 7.93 | 8.41 | 23.04 | 52.17* | 14.86 |
| 6 | Romania | 7.12 | 7.04 | 7.15 | 14.83 | 17.83 | 9.17 | 22.50* | 13.15 | 11.49 |
| 7 | North Korea | 7.91 | 7.23 | 7.38 | 10.61 | 8.66 | 25.33* | 13.01 | 2.17 | 3.88 |
| 8 | United Kingdom | 7.86 | 7.21 | 6.75 | 9.01 | 5.04 | 4.75 | 5.80 | 7.86 | 21.63* |
| 9 | Brazil | 6.90 | 6.35 | 6.32 | 8.93 | 13.70* | 8.77 | 10.29 | 7.28 | 4.64 |
| 10 | India | 7.90 | 6.60 | 6.65 | 6.13 | 4.46 | 3.62 | 6.81 | 12.75* | 3.01 |
| 11 | Iran | 6.88 | 6.45 | 6.64 | 4.78 | 8.62 | 10.00* | 3.59 | 0.94 | 0.72 |
| 12 | Belarus | 6.84 | 7.20 | 7.32 | 3.87 | 11.92* | 5.58 | 1.85 | -- | -- |
| 13 | Ghana | 8.57 | 6.83 | 6.09 | 3.58 | 1.23 | 0.76 | 2.97 | 10.36* | 2.57 |
| 14 | South Africa | 6.95 | 5.35 | 5.50 | 2.58 | 1.20 | 0.65 | 0.58 | 7.17* | 3.30 |
| 15 | Moldova | 7.38 | 7.19 | 7.56 | 2.57 | 6.70* | 0.98 | 2.43 | 0.83 | 1.88 |

I = Impact; P = Professionalism; TS = Technical skill; Tech = Technical products/services; Attacks = Attacks and extortion; Data = Data/identity theft; Cash = Cashing out and money laundering. I, P, and TS are scored out of 10. ‘WCI Score’, and all columns following, are scored out of 100. Each country’s top score across all cybercrime types is marked with an asterisk.

Some initial patterns can be observed from this table, as well as the full indices in the supplementary document (see S1 Indices). First, a small number of countries hold consistently high ranks for cybercrime. Six countries–China, Russia, Ukraine, the US, Romania, and Nigeria–appear in the top 10 of every $WCI_{type}$ index, including the $WCI_{overall}$ index. Aside from Romania, all appear in the top three at least once. While appearing in a different order, the first ten countries in the Technical products/services and Attacks and extortion indices are the same. Second, despite this small list of countries regularly appearing as cybercrime hubs, the survey results capture a broad geographical diversity. All five geopolitical regions are represented across each type. Overall, 97 distinct countries were nominated by at least one expert. This can be broken down into the cybercrime categories. Technical products/services includes 41 different countries; Attacks and extortion 43; Data/identity theft 51; Scams 49; and Cashing out/money laundering 63.

Some key findings emerge from these results, which are further illustrated by the following Figs 1 and 2. First, cybercrime is not universally distributed. Certain countries are cybercrime hubs, while many others are not associated with cybercriminality in a serious way. Second, countries that are cybercrime hubs specialise in particular types of cybercrime. That is, despite a small number of countries being leading producers of cybercrime, there is meaningful variation between them both across categories, and in relation to scores for impact, professionalism and technical skill. Third, the results show a longer list of cybercrime-producing countries than are usually included in publications on the geography of cybercrime. As the survey captures leading producers of cybercrime, rather than just any country where cybercrime is present, this suggests that, even if a small number of countries are of serious concern, and close to 100 are of little concern at all, the remaining half are of at least moderate concern.

Fig 1. World map of the $WCI_{overall}$ index–top 15 countries labelled.

Base map and data from OpenStreetMap and OpenStreetMap Foundation.

Fig 2. Top 50 countries by $WCI_{overall}$ score.

To examine further the second finding concerning hub specialisation, we calculated an overall “Technicality score”–or “T-score”–for the top 15 countries of the $WCI_{overall}$ index. We assigned a value from 2 to -2 to each type of cybercrime to designate the level of technical complexity involved. Technical products/services is the most technically complex type (2), followed by Attacks and extortion (1), Data/identity theft (0), Scams (-1), and finally Cashing out and money laundering (-2), which has very low technical complexity. We then multiplied each country’s WCI score for each cybercrime type by its assigned value–for instance, a Scams WCI score of 5 would be multiplied by -1, with a final modified score of -5. As a final step, for each country, we added all of their modified WCI scores across all five categories together to generate the T-score. Fig 3 plots the top 15 $WCI_{overall}$ countries’ T-scores, ordering them by score. Countries with negative T-scores are highlighted in red, and countries with positive scores are in black.

Fig 3. Technicality or T-score for the top 15 $WCI_{overall}$ countries.

Negative values correspond to lower technicality, positive values to higher technicality.

The T-score is best suited to characterising a given hub’s specialisation. For instance, as the line graph makes clear, Russia and Ukraine are highly technical cybercrime hubs, whereas Nigerian cybercriminals are engaged in less technical forms of cybercrime. But for countries that lie close to the centre (0), the story is more complex. Some may specialise in cybercrime types with middling technical complexity (e.g. Data/identity theft). Others may specialise in both high- and low-tech crimes. In this sample of countries, India (-6.02) somewhat specialises in Scams but is otherwise a balanced hub, whereas Romania (10.41) and the USA (-2.62) specialise in both technical and non-technical crimes, balancing their scores towards zero. In short, each country has a distinct profile, indicating a unique local dimension.

Discussion

This paper introduces a global and robust metric of cybercriminality–the World Cybercrime Index. The WCI moves past previous technical measures of cyber attack geography to establish a more focused measure of the geography of cybercrime offenders. Elicited through an expert survey, the WCI shows that cybercrime is not universally distributed. The key theoretical contribution of this index is to illustrate that cybercrime, often seen as a fluid and global type of organized crime, actually has a strong local dimension (in keeping with broader arguments by some scholars, such as [14, 42]).

While we took a number of steps to ensure our sample of experts was geographically representative, the sample is skewed towards some regions (such as Europe) and some countries (such as the US). This may simply reflect the high concentration of leading cybercrime experts in these locations. But it is also possible this distribution reflects other factors, including the authors’ own social networks; the concentration of cybercrime taskforces and organisations in particular countries; the visibility of different nations on networking platforms like LinkedIn; and also perhaps norms of enthusiasm or suspicion towards foreign research projects, both inside particular organisations and between nations.

To better understand what biases might have influenced the survey data, we analysed participant rating behaviours with a series of linear regressions. Numerical ratings were the response and different participant characteristics–country of nationality; country of residence; crime type expertise; and regional expertise–were the predictors. Our analysis found evidence (p < 0.05) that participants assigned higher ratings to the countr(ies) they either reside in or are citizens of, though this was not a strong or consistent result. For instance, regional experts did not consistently rate their region of expertise more highly than other regions. European and North American experts, for example, rated countries from these regions lower than countries from other regions. Our analysis of cybercrime type expertise showed even less systematic rating behaviour, with no regression yielding a statistically significant (p < 0.05) result. Small sample sizes across other known participant characteristics meant that further analyses of rating behaviour could not be performed. This applied to, for instance, whether residents and citizens of the top ten countries in the WCI nominated their own countries more or less often than other experts. On this point: 46% of participants nominated their own country at some point in the survey, but the majority (83%) of nominations were for a country different to the participant’s own country of residence or nationality. This suggested limited bias towards nominating one’s own country. Overall, these analyses point to an encouraging observation: while there is a slight home-country bias, this does not systematically result in higher rating behaviour. Longitudinal data from future surveys, as well as a larger participant pool, will better clarify what other biases may affect rating behaviour.

There is little evidence to suggest that survey fatigue affected our data. As the survey progressed, the heterogeneity of nominated countries across all experts increased, from 41 different countries nominated in the first category to 63 different countries nominated in the final category. If fatigue played a significant role in the results then we would expect this number to decrease, as participants were not required to nominate countries within a category and would have been motivated to nominate fewer countries to avoid extending their survey time. We further investigated the data for evidence of survey fatigue in two additional ways: by performing a Mann-Kendall/Sen’s slope trend test (MK/S) to determine whether scores skewed significantly upwards or downwards towards the end of the survey; and by compiling an intra-individual response variability (IRV) index to search for long strings of repeated scores at the end of the survey [43]. The MK/S test was marginally statistically significant (p<0.048), but the results indicated that scores trended downwards only minimally (-0.002 slope coefficient). Likewise, while the IRV index uncovered a small group of participants (n = 5) who repeatedly inserted the same score, this behaviour was not more likely to happen at the end of the survey (see S7 and S8 Tables in S1 Appendix).
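The two fatigue checks described above can be run on any table of scores ordered by survey position. The following Python sketch is an added illustration, not the authors' analysis code: the sample scores are constructed, and the use of per-position means as the trend series, the run-length threshold of 6, and the pairing of a within-person standard deviation (IRV) with a longest-run count are assumptions.

```python
"""Survey-fatigue checks on constructed rating data (added illustration)."""
import math
from collections import Counter
from itertools import combinations, groupby
from statistics import mean, median, pstdev

# Constructed sample: participant -> scores in the order they were given.
SAMPLE = {
    "P01": [7, 8, 6, 9, 7, 5, 8, 6, 7, 9, 6, 8],
    "P02": [4, 6, 5, 7, 3, 6, 5, 4, 6, 5, 7, 4],
    "P03": [5, 5, 5, 5, 5, 5, 5, 6, 7, 5, 8, 6],  # repeated score early on
    "P04": [8, 6, 7, 9, 6, 7, 7, 7, 7, 7, 7, 7],  # repeated score at the end
}


def mann_kendall(series):
    """Two-sided Mann-Kendall trend test with tie correction.

    Returns (S, Z, p). Negative S means later values tend to be lower.
    """
    n = len(series)
    # S counts concordant minus discordant pairs (i < j).
    s = sum((b > a) - (b < a) for a, b in combinations(series, 2))
    # Variance of S under "no trend", reduced for groups of tied values.
    ties = Counter(series).values()
    var = (n * (n - 1) * (2 * n + 5)
           - sum(t * (t - 1) * (2 * t + 5) for t in ties)) / 18
    if var == 0:
        return s, 0.0, 1.0
    # Continuity correction: shrink |S| by 1 before standardising.
    if s > 0:
        z = (s - 1) / math.sqrt(var)
    elif s < 0:
        z = (s + 1) / math.sqrt(var)
    else:
        z = 0.0
    p = math.erfc(abs(z) / math.sqrt(2))  # 2 * (1 - Phi(|z|))
    return s, z, p


def sens_slope(series):
    """Sen's slope: median of all pairwise slopes (x_j - x_i) / (j - i)."""
    return median((series[j] - series[i]) / (j - i)
                  for i, j in combinations(range(len(series)), 2))


def position_means(responses):
    """Mean score at each survey position (assumed trend series)."""
    return [mean(col) for col in zip(*responses.values())]


def longest_run(scores):
    """Return (length, start_index) of the longest run of identical scores."""
    best_len, best_start, pos = 0, 0, 0
    for _, group in groupby(scores):
        length = len(list(group))
        if length > best_len:
            best_len, best_start = length, pos
        pos += length
    return best_len, best_start


def fatigue_flags(responses, min_run=6):
    """Per participant: IRV, longest run, and whether that run closes the survey."""
    flags = {}
    for pid, scores in responses.items():
        length, start = longest_run(scores)
        straight = length >= min_run  # min_run is an assumed threshold
        flags[pid] = {
            "irv": pstdev(scores),  # low value = little variation in scores
            "longest_run": length,
            "straightlining": straight,
            "run_at_end": straight and start + length == len(scores),
        }
    return flags


if __name__ == "__main__":
    trend = position_means(SAMPLE)
    s, z, p = mann_kendall(trend)
    print(f"MK S={s} Z={z:.2f} p={p:.3f} Sen's slope={sens_slope(trend):+.3f}")
    for pid, row in fatigue_flags(SAMPLE).items():
        print(pid, row)
```

A significant p-value with a slope close to zero, as the paper reports, indicates a detectable but practically negligible drift; the `run_at_end` flag separates participants who repeat a score throughout from those who do so only as the survey closes.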

It is encouraging that there is at least some external validation for the WCI’s highest ranked countries. Steenbergen and Marks [44] recommend that data produced from expert judgements should “demonstrate convergent validity with other measures of [the topic]–that is, the experts should provide evaluations of the same […] phenomenon that other measurement instruments pick up.” (p. 359) Most studies of the global cybercrime geography are, as noted in the introduction, based on technical measures that cannot accurately establish the true physical location of offenders (for example [1, 4, 28, 33, 45]). Comparing our results to these studies would therefore be of little value, as the phenomena being measured differ: they are measuring attack infrastructure, whereas the WCI measures offender location. Instead, looking at in-depth qualitative cybercrime case studies would provide a better comparison, at least for the small number of higher ranked countries. Though few such studies into profit-driven cybercrime exist, and the number of countries included is limited, we can see that the top ranked countries in the WCI match the key cybercrime producing countries discussed in the qualitative literature (see for example [3, 10, 32, 46–50]). Beyond this qualitative support, our sampling strategy–discussed in the Methods section above–is our most robust control for ensuring the validity of our data.

Along with contributing to theoretical debates on the (local) nature of organized crime [1, 14], this index can also contribute to policy discussions. For instance, there is an ongoing debate as to the best approaches to take in cybercrime reduction, whether this involves improving cyber-law enforcement capacity [3, 51], increasing legitimate job opportunities and access to youth programs for potential offenders [52, 53], strengthening international agreements and law harmonization [54–56], developing more sophisticated and culturally-specific social engineering countermeasures [57], or reducing corruption [3, 58]. As demonstrated by the geographical, economic, and political diversity of the top 15 countries (see Table 1), the likelihood that a single strategy will work in all cases is low. If cybercrime is driven by local factors, then mitigating it may require a localised approach that considers the different features of cybercrime in these contexts. But no matter what strategies are applied in the fight against cybercrime, they should be targeted at the countries that produce the most cybercrime, or at least produce the most impactful forms of it [3]. An index is a valuable resource for determining these countries and directing resources appropriately. Future research that explains what is driving cybercrime in these locations might also suggest more appropriate means for tackling the problem. Such an analysis could examine relevant correlates, such as corruption, law enforcement capacity, internet penetration, education levels and so on to inform/test a theoretically-driven model of what drives cybercrime production in some locations, but not others. It also might be possible to make a kind of prediction: to identify those nations that have not yet emerged as cybercrime hubs but may in the future. This would allow an early warning system of sorts for policymakers seeking to prevent cybercrime around the world.

Limitations

In addition to the points discussed above, the findings of the WCI should be considered in light of some remaining limitations. Firstly, as noted in the methods, our pool of experts was not as large or as globally representative as we had hoped. Achieving a significant response rate is a common issue across all surveys, and is especially difficult in those that employ the snowball technique [59] and also attempt to recruit experts [60]. However, ensuring that our survey data captures the most accurate picture of cybercrime activity is an essential aspect of the project, and the under-representation of experts from Africa and South America is noteworthy. More generally, our sample size (n = 92) is relatively small. Future iterations of the WCI survey should focus on recruiting a larger pool of experts, especially those from under-represented regions. However, this is a small and hard-to-reach population, which likely means the sample size will not grow significantly. While this limits statistical power, it is also a strength of the survey: by ensuring that we only recruit the top cybercrime experts in the world, the weight and validity of our data increases.

Secondly, though we developed our cybercrime types and measures with expert focus groups, the definitions used in the WCI will always be contestable. For instance, a small number of comments left at the end of the survey indicated that the Cashing out/money laundering category was unclear to some participants, who were unsure whether they should nominate the country in which these schemes are organised or the countries in which the actual cash out occurs. A small number of participants also commented that they were not sure whether the ‘impact’ of a country’s cybercrime output should be measured in terms of cost, social change, or some other metric. We limited any such uncertainties by running a series of focus groups to check that our categories were accurate to the cybercrime reality and comprehensible to practitioners in this area. We also ran a pilot version of the survey. The beginning of the survey described the WCI’s purpose and terms of reference, and participants were able to download a document that described the project’s methodology in further detail. Each time a participant was prompted to nominate countries as a significant source of a type of cybercrime, the type was re-defined and examples of offences under that type were provided. However, the examples were not exhaustive and the definitions were brief. This was done partly to avoid significantly lengthening the survey with detailed definitions and clarifications. We also wanted to avoid over-defining the cybercrime types so that any new techniques or attack types that emerged while the survey ran would be included in the data. Nonetheless, there will always remain some elasticity around participant interpretations of the survey.

Finally, although we restricted the WCI to profit-driven activity, the distinction between cybercrime that is financially-motivated, and cybercrime that is motivated by other interests, is sometimes blurred. Offenders who typically commit profit-driven offences may also engage in state-sponsored activities. Some of the countries with high rankings within the WCI may shelter profit-driven cybercriminals who are protected by corrupt state actors of various kinds, or who have other kinds of relationships with the state. Actors in these countries may operate under the (implicit or explicit) sanctioning of local police or government officials to engage in cybercrime. Thus while the WCI excludes state-based attacks, it may include profit-driven cybercriminals who are protected by states. Investigating the intersection between profit-driven cybercrime and the state is a strong focus in our ongoing and future research. If we continue to see evidence that these activities can overlap (see for example [32, 61–63]), then any models explaining the drivers of cybercrime will need to address this increasingly important aspect of local cybercrime hubs.

Conclusion

This study makes use of an expert survey to better measure the geography of profit-driven cybercrime and presents the output of this effort: the World Cybercrime Index. This index, organised around five major categories of cybercrime, sheds light on the geographical concentrations of financially-motivated cybercrime offenders. The findings reveal that a select few countries pose the most significant cybercriminal threat. By illustrating that hubs often specialise in particular forms of cybercrime, the WCI also offers valuable insights into the local dimension of cybercrime. This study provides a foundation for devising a theoretically-driven model to explain why some countries produce more cybercrime than others. By contributing to a deeper understanding of cybercrime as a localised phenomenon, the WCI may help lift the veil of anonymity that protects cybercriminals and thereby enhance global efforts to combat this evolving threat.

Supporting information

S1 Indices. WCI indices.

Full indices for the WCI Overall and each WCI Type. (PDF: pone.0297312.s001.pdf, 127.6KB)

S1 Appendix. Supporting information.

Details of respondent characteristics and analysis of rating behaviour. (PDF: pone.0297312.s002.pdf, 104.8KB)

Acknowledgments

The data collection for this project was carried out as part of a partnership between the Department of Sociology, University of Oxford and UNSW Canberra Cyber. The analysis and writing phases received support from CRIMGOV. Fig 1 was generated using information from OpenStreetMap and OpenStreetMap Foundation, which is made available under the Open Database License.

Data Availability

The dataset and relevant documents have been uploaded to the Open Science Framework. Data can be accessed via the following URL: https://osf.io/5s72x/?view_only=ea7ee238f3084054a6433fbab43dc9fb.

Funding Statement

This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation program (Grant agreement No. 101020598 – CRIMGOV, Federico Varese PI). FV received the award and is the Primary Investigator. The ERC did not play any role in the study design, data collection and analysis, decision to publish, or preparation of the manuscript. Funder website: https://erc.europa.eu/faq-programme/h2020.

References

  • 1. Kigerl A. Routine Activity Theory and the Determinants of High Cybercrime Countries. Soc Sci Comput Rev. 2012;30: 470–486. doi: 10.1177/0894439311422689
  • 2. Lusthaus J, Bruce M, Phair N. Mapping the geography of cybercrime: A review of indices of digital offending by country. 2020.
  • 3. Lusthaus J, Varese F. Offline and Local: The Hidden Face of Cybercrime. Polic J Policy Pract. 2021;15: 4–14.
  • 4. McCombie S, Pieprzyk J, Watters P. Cybercrime Attribution: An Eastern European Case Study. Proceedings of the 7th Australian Digital Forensics Conference. Perth, Australia: secAU—Security Research Centre, Edith Cowan University; 2009. pp. 41–51. https://researchers.mq.edu.au/en/publications/cybercrime-attribution-an-eastern-european-case-study
  • 5. Heckathorn D. Respondent-Driven Sampling: A New Approach to the Study of Hidden Populations. Soc Probl. 1997;44. doi: 10.2307/3096941
  • 6. Heckathorn D, Salganik M. Sampling and Estimation in Hidden Populations Using Respondent-Driven Sampling. 2004;34. doi: 10.1111/j.0081-1750.2004.00152.x
  • 7. Anderson R, Barton C, Bohme R, Clayton R, van Eeten M, Levi M, et al. Measuring the cost of cybercrime. The Economics of Information Security and Privacy. Springer; 2013. pp. 265–300. https://link.springer.com/chapter/10.1007/978-3-642-39498-0_12
  • 8. Anderson R, Barton C, Bohme R, Clayton R, Ganan C, Grasso T, et al. Measuring the Changing Cost of Cybercrime. California, USA; 2017.
  • 9. Morgan S. 2022 Official Cybercrime Report. Cybersecurity Ventures; 2022. https://s3.ca-central-1.amazonaws.com/esentire-dot-com-assets/assets/resourcefiles/2022-Official-Cybercrime-Report.pdf
  • 10. Hall T, Sanders B, Bah M, King O, Wigley E. Economic geographies of the illegal: the multiscalar production of cybercrime. Trends Organised Crime. 2021;24: 282–307. doi: 10.1007/s12117-020-09392-w
  • 11. Shelley L. Transnational Organized Crime: An Imminent Threat to the Nation-State? J Int Aff. 1995;48: 463–489.
  • 12. Wall D. Cybercrime: The Transformation of Crime in the Information Age. Polity Press; 2007.
  • 13. Grabosky P. The Global Dimension of Cybercrime. Glob Crime. 2010;6: 146–157. https://www.tandfonline.com/doi/abs/10.1080/1744057042000297034
  • 14. Varese F. Mafias on the move: how organized crime conquers new territories. Princeton University Press; 2011.
  • 15. Dupont B. Skills and Trust: A Tour Inside the Hard Drives of Computer Hackers. Crime and networks. Routledge; 2013.
  • 16. Franklin J, Paxson V, Savage S. An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. Proceedings of the 2007 ACM Conference on Computer and Communications Security. Alexandria, Virginia, USA; 2007.
  • 17. Hutchings A, Clayton R. Configuring Zeus: A case study of online crime target selection and knowledge transmission. Scottsdale, AZ, USA: IEEE; 2017.
  • 18. Musotto R, Wall D. More Amazon than Mafia: analysing a DDoS stresser service as organised cybercrime. Trends Organised Crime. 2020;25: 173–191.
  • 19. Hall T. Where the money is: the geographies of organised crime. Geography. 2010;95. doi: 10.1080/00167487.2010.12094277
  • 20. Levesque F, Fernandez J, Somayaji A, Batchelder. National-level risk assessment: A multi-country study of malware infections. 2016. https://homeostasis.scs.carleton.ca/~soma/pubs/levesque-weis2016.pdf
  • 21. Crowdstrike. 2022 Global Threat Report. Crowdstrike; 2022. https://go.crowdstrike.com/crowdstrike/gtr
  • 22. EC3. Internet Organised Crime Threat Assessment (IOCTA) 2021. EC3; 2021. https://www.europol.europa.eu/publications-events/main-reports/internet-organised-crime-threat-assessment-iocta-2021
  • 23. ENISA. ENISA threat Landscape 2021. ENISA; 2021. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2021
  • 24. Sophos. Sophos 2022 Threat Report. Sophos; 2022. https://www.sophos.com/en-us/labs/security-threat-report
  • 25. van Eeten M, Bauer J, Asghari H, Tabatabaie S, Rand D. The Role of Internet Service Providers in Botnet Mitigation. An Empirical Analysis Based on Spam Data. WEIS. 2010. TPRC 2010. SSRN: https://ssrn.com/abstract=1989198
  • 26. He S, Lee GM, Quarterman JS, Whinston A. Cybersecurity Policies Design and Evaluation: Evidence from a Large-Scale Randomized Field Experiment. 2015. https://econinfosec.org/archive/weis2015/papers/WEIS_2015_he.pdf
  • 27. Snyder P, Kanich C. No Please, After You: Detecting Fraud in Affiliate Marketing Networks. 2015. https://econinfosec.org/archive/weis2015/papers/WEIS_2015_snyder.pdf
  • 28. Srivastava S, Das S, Udo G, Bagchi K. Determinants of Cybercrime Originating within a Nation: A Cross-country Study. J Glob Inf Technol Manag. 2020;23: 112–137. doi: 10.1080/1097198X.2020.1752084
  • 29. Wang Q-H, Kim S-H. Cyber Attacks: Cross-Country Interdependence and Enforcement. 2009. http://weis09.infosecon.net/files/153/paper153.pdf
  • 30. Holt TJ. Regulating Cybercrime through Law Enforcement and Industry Mechanisms. Ann Am Acad Pol Soc Sci. 2018;679: 140–157. doi: 10.1177/0002716218783679
  • 31. Lee JR, Holt TJ, Burruss GW, Bossler AM. Examining English and Welsh Detectives’ Views of Online Crime. Int Crim Justice Rev. 2021;31: 20–39. doi: 10.1177/1057567719846224
  • 32. Lusthaus J. Industry of Anonymity: Inside the Business of Cybercrime. Harvard University Press; 2018.
  • 33. Kshetri N. The Global Cybercrime Industry: Economic, Institutional and Strategic Perspectives. Berlin: Springer; 2010.
  • 34. Moitra S. Developing Policies for Cybercrime. Eur J Crime Crim Law Crim Justice. 2005;13. doi: 10.1163/1571817054604119
  • 35. Goodman L. Snowball sampling. Ann Math Stat. 1961;32: 148–170.
  • 36. Backor K, Golde S, Nie N. Estimating Survey Fatigue in Time Use Study. Washington, DC.; 2007. https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=401f97f2d7c684b295486636d8a84c627eb33446
  • 37. Crawford S, Couper M, Lamias M. Web surveys: perceptions of burden. Soc Sci Comput Rev. 2001;19: 146–162.
  • 38. Marcus B, Bosnjak M, Lindner S, Pilischenko S, Schuetz A. Compensating for low topic interest and long surveys: a field experiment on nonresponse in web surveys. Soc Sci Comput Rev. 2007;25: 372–383.
  • 39. Jeong D, Aggarwal S, Robinson J, Kumar N, Spearot A, Park DS. Exhaustive or exhausting? Evidence on respondent fatigue in long surveys. J Dev Econ. 2022;161. doi: 10.1016/j.jdeveco.2022.102992
  • 40. Vis B, Stolwijk S. Conducting quantitative studies with the participation of political elites: best practices for designing the study and soliciting the participation of political elites. Qual Quant. 2021;55: 1281–1317.
  • 41. Wu M-J, Zhao K, Fils-Aime F. Response rates of online surveys in published research: A meta-analysis. Comput Hum Behav Rep. 2022;7. doi: 10.1016/j.chbr.2022.100206
  • 42. Reuter P. Disorganized Crime: Illegal Markets and the Mafia. MIT Press; 1985.
  • 43. Huang JL, Curran PG, Keeney J, Poposki EM, DeShon RP. Detecting and deterring insufficient effort responding to surveys. J Bus Psychol. 2012;27: 99–114.
  • 44. Steenbergen M, Marks G. Evaluating expert judgments. Eur J Polit Res. 2007;46: 347–366. doi: 10.1111/j.1475-6765.2006.00694.x
  • 45. Chen S, Hao M, Ding F, Jiang D, Zhang S, Guo Q, et al. Exploring the global geography of cybercrime and its driving forces. Humanit Soc Sci Commun. 2023;10. doi: 10.1057/s41599-023-01560-x
  • 46. Hall T, Ziemer U. Exploring the relationship between IT development, poverty and cybercrime: an Armenia case study. J Cyber Policy. 2022;7: 353–374. doi: 10.1080/23738871.2023.2192234
  • 47. Sotande E. Transnational Organised Crime and Illicit Financial Flows: Nigeria, West Africa and the Global North. University of Leeds, School of Law. 2016. https://etheses.whiterose.ac.uk/15473/1/Emmanuel%20Sotande%20Thessis%20at%20the%20University%20of%20Leeds.%20viva%20corrected%20version%20%281%29.pdf
  • 48. Lusthaus J. Modelling cybercrime development: the case of Vietnam. The Human Factor of Cybercrime. Routledge; 2020. pp. 240–257.
  • 49. Van Nguyen T. The modus operandi of transnational computer fraud: a crime script analysis in Vietnam. Trends Organ Crime. 2022;25: 226–247. doi: 10.1007/s12117-021-09422-1
  • 50. Hwang J, Choi K-S. North Korean Cyber Attacks and Policy Responses: An Interdisciplinary Theoretical Framework. Int J Cybersecurity Intell Cybercrime. 2021;4: 4–24. doi: 10.52306/04020221NHPZ9033
  • 51. Lusthaus J. Electronic Ghosts. In: Democracy: A Journal of Ideas [Internet]. 2014. https://democracyjournal.org/author/jlusthaus/
  • 52. Brewer R, de Vel-Palumbo M, Hutchings A, Maimon D. Positive Diversions. Cybercrime Prevention. 2019. https://www.researchgate.net/publication/337297392_Positive_Diversions
  • 53. National Cyber Crime Unit / Prevent Team. Pathways Into Cyber Crime. National Crime Agency; 2017. https://www.nationalcrimeagency.gov.uk/who-we-are/publications/6-pathways-into-cyber-crime-1/file
  • 54. Nizovtsev Y, Parfylo O, Barabash O, Kyrenko S, Smetanina N. Mechanisms of money laundering obtained from cybercrime: the legal aspect. J Money Laund Control. 2022;25.
  • 55. Spiezia F. International cooperation and protection of victims in cyberspace: welcoming Protocol II to the Budapest Convention on Cybercrime. ERA Forum. 2022;23: 101–108. doi: 10.1007/s12027-022-00707-8
  • 56. Levi M, Leighton Williams. Multi-agency partnerships in cybercrime reduction: Mapping the UK information assurance network cooperation space. Inf Manag Comput Secur. 2013;21.
  • 57. Kayser C, Mastrorilli M, Cadigan R. Preventing cybercrime: A framework for understanding the role of human vulnerabilities. Cyber Secur Peer-Rev J. 2019;3: 159–174.
  • 58. Smith R, Jorna P. Chapter 14: Corrupt Misuse of Information and Communications Technologies. Handbook of Global Research and Practice in Corruption. 2011.
  • 59. Erickson BH. Some problems of interference from chain data. Sociol Methodol. 1979;10: 276–302.
  • 60. Christopoulos D. Peer Esteem Snowballing: A methodology for expert surveys. 2009. https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=63ac9f6db0a2fa2e0ca08cd28961385f98ec21ec
  • 61. Whelan C, Martin J. Ransomware through the lens of state crime: conceptualizing ransomware groups as cyber proxies, pirates, and privateers. State Crime J. 2023;12: 4–28.
  • 62. Davina S. A New State of Organized Crime: An Analysis of Cybercrime Networks, Activities, and Emerging Threats. J Intell Confl Warf. 2020;3: 1–11.
  • 63. Lavorgna A. Unpacking the political-criminal nexus in state-cybercrimes: a macro-level typology. Trends Organ Crime. 2023. doi: 10.1007/s12117-023-09486-1

Decision Letter 0

Naeem Jan

8 Nov 2023

PONE-D-23-32959

Mapping the global geography of cybercrime with the World Cybercrime Index

PLOS ONE

Dear Dr. Bruce,

Thank you for submitting your manuscript to PLOS ONE. After careful consideration, we feel that it has merit but does not fully meet PLOS ONE’s publication criteria as it currently stands. Therefore, we invite you to submit a revised version of the manuscript that addresses the points raised during the review process.

Please submit your revised manuscript by Dec 23 2023 11:59PM. If you will need more time than this to complete your revisions, please reply to this message or contact the journal office at plosone@plos.org. When you're ready to submit your revision, log on to https://www.editorialmanager.com/pone/ and select the 'Submissions Needing Revision' folder to locate your manuscript file.

Please include the following items when submitting your revised manuscript:

  • A rebuttal letter that responds to each point raised by the academic editor and reviewer(s). You should upload this letter as a separate file labeled 'Response to Reviewers'.

  • A marked-up copy of your manuscript that highlights changes made to the original version. You should upload this as a separate file labeled 'Revised Manuscript with Track Changes'.

  • An unmarked version of your revised paper without tracked changes. You should upload this as a separate file labeled 'Manuscript'.

If you would like to make changes to your financial disclosure, please include your updated statement in your cover letter. Guidelines for resubmitting your figure files are available below the reviewer comments at the end of this letter.

If applicable, we recommend that you deposit your laboratory protocols in protocols.io to enhance the reproducibility of your results. Protocols.io assigns your protocol its own identifier (DOI) so that it can be cited independently in the future. For instructions see: https://journals.plos.org/plosone/s/submission-guidelines#loc-laboratory-protocols. Additionally, PLOS ONE offers an option for publishing peer-reviewed Lab Protocol articles, which describe protocols hosted on protocols.io. Read more information on sharing protocols at https://plos.org/protocols?utm_medium=editorial-email&utm_source=authorletters&utm_campaign=protocols.

We look forward to receiving your revised manuscript.

Kind regards,

Naeem Jan, PhD

Academic Editor

PLOS ONE

Journal Requirements:

When submitting your revision, we need you to address these additional requirements.

1. Please ensure that your manuscript meets PLOS ONE's style requirements, including those for file naming. The PLOS ONE style templates can be found at

https://journals.plos.org/plosone/s/file?id=wjVg/PLOSOne_formatting_sample_main_body.pdf and

https://journals.plos.org/plosone/s/file?id=ba62/PLOSOne_formatting_sample_title_authors_affiliations.pdf.

2. We note that you have stated that you will provide repository information for your data at acceptance. Should your manuscript be accepted for publication, we will hold it until you provide the relevant accession numbers or DOIs necessary to access your data. If you wish to make changes to your Data Availability statement, please describe these changes in your cover letter and we will update your Data Availability statement to reflect the information you provide.

3. Please update your submission to use the PLOS LaTeX template. The template and more information on our requirements for LaTeX submissions can be found at http://journals.plos.org/plosone/s/latex.

4. We note that Figure 1 in your submission contains [map/satellite] images which may be copyrighted. All PLOS content is published under the Creative Commons Attribution License (CC BY 4.0), which means that the manuscript, images, and Supporting Information files will be freely available online, and any third party is permitted to access, download, copy, distribute, and use these materials in any way, even commercially, with proper attribution. For these reasons, we cannot publish previously copyrighted maps or satellite images created using proprietary data, such as Google software (Google Maps, Street View, and Earth). For more information, see our copyright guidelines: http://journals.plos.org/plosone/s/licenses-and-copyright.

We require you to either (1) present written permission from the copyright holder to publish these figures specifically under the CC BY 4.0 license, or (2) remove the figures from your submission:

a. You may seek permission from the original copyright holder of Figure 1 to publish the content specifically under the CC BY 4.0 license. 

We recommend that you contact the original copyright holder with the Content Permission Form (http://journals.plos.org/plosone/s/file?id=7c09/content-permission-form.pdf) and the following text:

“I request permission for the open-access journal PLOS ONE to publish XXX under the Creative Commons Attribution License (CCAL) CC BY 4.0 (http://creativecommons.org/licenses/by/4.0/). Please be aware that this license allows unrestricted use and distribution, even commercially, by third parties. Please reply and provide explicit written permission to publish XXX under a CC BY license and complete the attached form.”

Please upload the completed Content Permission Form or other proof of granted permissions as an "Other" file with your submission.

In the figure caption of the copyrighted figure, please include the following text: “Reprinted from [ref] under a CC BY license, with permission from [name of publisher], original copyright [original copyright year].”

 b. If you are unable to obtain permission from the original copyright holder to publish these figures under the CC BY 4.0 license or if the copyright holder’s requirements are incompatible with the CC BY 4.0 license, please either i) remove the figure or ii) supply a replacement figure that complies with the CC BY 4.0 license. Please check copyright information on all replacement figures and update the figure caption with source information. If applicable, please specify in the figure caption text when a figure is similar but not identical to the original image and is therefore for illustrative purposes only.

The following resources for replacing copyrighted map figures may be helpful:

USGS National Map Viewer (public domain): http://viewer.nationalmap.gov/viewer/

The Gateway to Astronaut Photography of Earth (public domain): http://eol.jsc.nasa.gov/sseop/clickmap/

Maps at the CIA (public domain): https://www.cia.gov/library/publications/the-world-factbook/index.html and https://www.cia.gov/library/publications/cia-maps-publications/index.html

NASA Earth Observatory (public domain): http://earthobservatory.nasa.gov/

Landsat: http://landsat.visibleearth.nasa.gov/

USGS EROS (Earth Resources Observatory and Science (EROS) Center) (public domain): http://eros.usgs.gov/#

Natural Earth (public domain): http://www.naturalearthdata.com/

Additional Editor Comments (if provided):

Thank you for submitting your manuscript to PLOS ONE. Expert reviewers have carefully reviewed your manuscript and determined that it could be considered for publication in PLOS ONE after a thorough and careful revision. I am therefore inviting you to revise your manuscript according to the reviewers’ comments. Please revise your paper and provide very convincing point-to-point responses according to the comments raised by the reviewers. When you revise your manuscript, please highlight the changes you make in the manuscript by using the track changes mode in MS Word or by using highlighted text.

Reviewers' comments:

Reviewer's Responses to Questions

Comments to the Author

1. Is the manuscript technically sound, and do the data support the conclusions?

The manuscript must describe a technically sound piece of scientific research with data that supports the conclusions. Experiments must have been conducted rigorously, with appropriate controls, replication, and sample sizes. The conclusions must be drawn appropriately based on the data presented.

Reviewer #1: Partly

Reviewer #2: Yes

**********

2. Has the statistical analysis been performed appropriately and rigorously?

Reviewer #1: Yes

Reviewer #2: Yes

**********

3. Have the authors made all data underlying the findings in their manuscript fully available?

The PLOS Data policy requires authors to make all data underlying the findings described in their manuscript fully available without restriction, with rare exception (please refer to the Data Availability Statement in the manuscript PDF file). The data should be provided as part of the manuscript or its supporting information, or deposited to a public repository. For example, in addition to summary statistics, the data points behind means, medians and variance measures should be available. If there are restrictions on publicly sharing data—e.g. participant privacy or use of data from a third party—those must be specified.

Reviewer #1: Yes

Reviewer #2: Yes

**********

4. Is the manuscript presented in an intelligible fashion and written in standard English?

PLOS ONE does not copyedit accepted manuscripts, so the language in submitted articles must be clear, correct, and unambiguous. Any typographical or grammatical errors should be corrected at revision, so please note any specific errors here.

Reviewer #1: Yes

Reviewer #2: Yes

**********

5. Review Comments to the Author

Please use the space provided to explain your answers to the questions above. You may also include additional comments for the author, including concerns about dual publication, research ethics, or publication ethics. (Please upload your review as an attachment if it exceeds 20,000 characters)

Reviewer #1: Cybercrime is a major challenge facing the world, with estimated costs in the hundreds of billions. Despite the threat it poses, cybercrime is largely an invisible phenomenon. Offenders hide behind online nicknames and technical protections, and are dispersed throughout the world. This means law enforcement faces many obstacles, and existing technical data is not well suited to establishing the true location of offenders. This paper proposes a solution: an expert survey with leading cybercrime professionals from across the world. From March to October 2021 we invited recognized experts in cybercrime intelligence/investigations to participate in an anonymized online survey on the geographical location of cybercrime offenders and the severity of their attacks. The survey asked participants to consider five major categories of cybercrime, nominate the countries that they consider to be the most significant sources of each of these cybercrimes, and then rank each nominated country according to the impact, professionalism, and technical skill of its offenders. The result of the survey is the World Cybercrime Index, a global metric of cybercriminality organised around five types of cybercrime. The results indicate that a relatively small number of countries house the greatest cybercriminal threats. These findings partially remove the veil of anonymity around cybercriminal offenders, may aid law enforcement and policymakers in fighting this threat, and contribute to the understanding of cybercrime as a local phenomenon.

Please see attached file.

Reviewer #2: 1. My suggestion is that the paper should address the impact of cybercrime, emphasizing the severity of the issue based on a comprehensive estimation drawn from previous studies.

2. Are there any prior studies similar to this one that employed expert surveys? If so, how does this paper differ from them?

3. Additionally, it's important to outline the limitations associated with using expert surveys.

4. When referring to 'experts,' what criteria have been employed to define them? Are non-technical experts, such as writers, included?

5. Wonder if the survey was conducted in English?

6. During the survey, were there any language barriers encountered?

7. Issues related to biases, as discussed in the Discussion Section, should also be addressed in the Method section.

8. The paper should thoroughly examine the limitations of this study.

**********

6. PLOS authors have the option to publish the peer review history of their article (what does this mean?). If published, this will include your full peer review and any attached files.

If you choose “no”, your identity will remain anonymous but your review may still be made public.

Do you want your identity to be public for this peer review? For information about this choice, including consent withdrawal, please see our Privacy Policy.

Reviewer #1: Yes: Timothy C. Haas

Reviewer #2: No

**********

[NOTE: If reviewer comments were submitted as an attachment file, they will be attached to this email and accessible via the submission site. Please log into your account, locate the manuscript record, and check for the action link "View Attachments". If this link does not appear, there are no attachment files.]

While revising your submission, please upload your figure files to the Preflight Analysis and Conversion Engine (PACE) digital diagnostic tool, https://pacev2.apexcovantage.com/. PACE helps ensure that figures meet PLOS requirements. To use PACE, you must first register as a user. Registration is free. Then, login and navigate to the UPLOAD tab, where you will find detailed instructions on how to use the tool. If you encounter any issues or have any questions when using PACE, please email PLOS at figures@plos.org. Please note that Supporting Information files do not need this step.

Attachment

Submitted filename: brucerev.pdf

pone.0297312.s003.pdf (63.9KB, pdf)
PLoS One. 2024 Apr 10;19(4):e0297312. doi: 10.1371/journal.pone.0297312.r002

Author response to Decision Letter 0


22 Dec 2023

Many thanks to the reviewers for their very helpful comments. We have taken these on board and made a number of changes, which have significantly strengthened the paper. Below we highlight each suggestion and how we have addressed it in the text. Line numbers mentioned below correspond to the clean Manuscript file.

Reviewer 1

1) How long is the survey? As you know, there is a literature on respondent fatigue when answering a long survey. Please reference this literature and explain in more detail why you don’t believe that respondents resorted to random answers due to fatigue. See for example, https://www.nber.org/papers/w30439

Controlling the length of the survey was a significant concern during the survey design phase, and we thank the reviewer for prompting us to discuss this in more detail. The duration of the survey for each respondent depended on how many cybercrime categories they addressed, and how many countries they nominated in each of these categories. The maximum number of countries that could be nominated and ranked by a single respondent was 25 countries, which would result in the participant completing a maximum of 75 Likert-type scales. We recognised this as a potential cognitive burden on participants, so we designed the survey accordingly. Based on practice estimates the survey took around 30 minutes to complete, which is not overly long. When we contacted them, we also made it clear to participants to allocate 30 minutes so they could complete the survey in a thoughtful way (and a specific warning was delivered at the beginning of the survey not to undertake it, if they could not dedicate 30 minutes). We now address the issue of survey fatigue in more detail, and assess whether it may have had a significant effect on our results, at lines 216-236. In short, we have evidence that leads us to believe that respondent fatigue did not have a significant effect on the results.

2) How accurate are your cybercrime professionals at correctly identifying the physical location of cybercriminals? I think you need to provide some measure of this accuracy rather than simply relying on the reputation of your respondents because, as you state, correctly identifying the physical location of a cyberattack’s author is very difficult given the nearly untraceable nature of internet traffic.

Ensuring the accuracy of our expert participants’ judgements was an essential aspect of our survey design. We therefore included a number of controls to ensure we received the highest quality responses possible. This included deterring respondents who did not have the time/commitment to offer thoughtful responses, our strict eligibility requirements for experts who have extensive experience deciphering true offender locations, and frequent visual stimulants to ensure participants consider each survey question with care. These controls are included at lines 134-143 and 185-194. In summary, our sampling strategy and survey design are intended to ensure the highest quality responses possible from our expert pool.

Regardless of the care we took, the reviewer makes an important point that we should be more explicit in verifying the accuracy of the responses we did receive. As stated in the Introduction, previous attempts to accurately map cybercrime hubs have relied on technical data that doesn’t capture the true physical location of offenders. As such, these existing data sources do not make meaningful points of comparison. Instead, we follow Steenbergen and Marks’ (2006) argument that expert judgements should be compared to external measures of the same phenomena to assess their broader validity. While more limited in coverage than the WCI, qualitative cybercrime studies have identified the same key hubs that have attained the higher ranks within the index. This provides strong support for the accuracy of the WCI for the higher ranked countries, and the robustness of the index more broadly. This comparison can be found at lines 422-434.

3) The manuscript implicitly assumes all cybercrime is conducted by non-state actors: either individuals or by members of criminal networks (organized crime). But it is well-known that many cybercriminals are employed and supported within state-sponsored facilities. Examples include Russia and North Korea. Please explain how your WCI could be used to reduce the amount of cybercrime generated by this population.

We agree with the reviewer that there is an important distinction between non-state and state cyber attacks. This study focuses on profit-driven cybercrime, rather than cybercrime that is motivated by state (or other) interests. Studying state attacks is an important academic concern, but is outside the scope of the WCI. To avoid any confusion, we have made this clearer at line 63 and at lines 190-194.

The broader issue raised by the reviewer, around profit-driven cybercriminals that may be connected to the state in some way, is an interesting and important one. It is correct that some of the countries with high rankings within this index may house profit-driven cybercriminals that are protected by corrupt state actors of various kinds or have other kinds of relationships with the state. We have now made clear that, while the WCI excludes state attacks, it does indeed include profit-driven cybercriminals that might be protected by states. While the WCI has tremendous impact/policy potential, this paper is focused on the empirical presentation and discussion of the index, and is not a policy paper. We agree this policy application is very important, and is the subject of ongoing research, which makes use of the WCI to more directly answer these kinds of questions (see our response to point 4 below). Discussion of state corruption/protection and cybercrime will be a central theme within this future analysis. We have now added discussion in the paper on this issue at lines 526-537.  

4) Many of the discussed approaches to fighting cybercrime implicitly assume these criminals reside in developing countries. But the four top offenders, Russia, China, Ukraine, and the United States are developed countries. What strategies that use your WCI might be effective at turning cybercriminals in these countries away from cybercrime? Specifically, many of these individuals are educated and fully employed.

The reviewer has correctly assessed that one of the WCI’s major contributions is to enable policy-makers to develop well-informed policies targeted at preventing cybercrime. But at this stage, we cannot make any specific recommendations regarding the prevention of cybercrime in specific countries. Answering this question adequately requires formulating a theoretically-driven model of cybercrime hub formation. This model could then be tested with this survey data, along with existing datasets on a series of other indicators (e.g. corruption, law enforcement capacity and so on). This is a very important undertaking, and we are keen to carry out this analysis in the future (now noted in lines 467-470). But this is beyond the scope of the current paper. Similarly, the reviewer’s broader point about the role of economic development in cybercrime hub development is an important one, and will be central to these future theoretical models. There are many different factors that can be used to define a country’s economic status, and determining which of these factors are most relevant to cybercrime hub development will require more analysis. However, we now address the socio-economic diversity of the top cybercrime hubs at lines 460-463 and note what this implies for future research directions and prevention policies.

5) There are no equation numbers.

Equation numbers have now been inserted at lines 252, 259, and 267.

Reviewer 2

1) My suggestion is that the paper should address the impact of cybercrime, emphasizing the severity of the issue based on a comprehensive estimation drawn from previous studies.

This is a good suggestion. We have now included the more common estimations of cybercrime impact at lines 49-51.

2) Are there any prior studies similar to this one that employed expert surveys? If so, how does this paper differ from them?

Although there are previous small-N qualitative studies that touch on cybercrime geography, using interview data with cybercrime experts, there are no previous studies that have attempted to map the geographical distribution of cybercrime offenders using an expert survey. We have noted this more clearly at lines 111-112.

3) Additionally, it's important to outline the limitations associated with using expert surveys.

We have added further details regarding the limitations associated with expert surveys at lines 485-508. This is an important part of our methodology, and we thank the reviewer for encouraging us to delve into this more deeply.

4) When referring to 'experts,' what criteria have been employed to define them? Are non-technical experts, such as writers, included?

As described in lines 136-138, we define cybercrime experts as “professionals who have been engaged in cybercrime intelligence, investigation, and/or attribution for a minimum of five years and had a reputation for excellence amongst their peers”.

Only currently- or recently-practicing intelligence officers and investigators were included in the participant pool. We explicitly exclude professionals working in the field of cybercrime research who are not actively involved in tracking offenders, which includes writers and academics. In short, we only include experts with first-hand knowledge of cybercriminals. This was a strict condition in our sampling strategy. We have clarified this point at lines 138-142.

5) Wonder if the survey was conducted in English?

The survey was conducted in English, as were all communications with participants. The manuscript has been edited to clarify this at lines 159-165, and we have included the reasoning for this choice.

6) During the survey, were there any language barriers encountered?

Participants did not report any language barriers or issues in the comment section at the end of the survey, nor in any personal communication. All participants were contacted by email first, which introduced a basic requirement for English proficiency at the earliest stage. This has been clarified at lines 159-160 to include these details. As noted in the text, English is widely spoken by cybercrime experts from across the globe.

7) Issues related to biases, as discussed in the Discussion Section, should also be addressed in the Method section.

We have now included an outline of biases in the Methods section at lines 237-242, in addition to a more thorough discussion of biases throughout the Discussion section.

8) The paper should thoroughly examine the limitations of this study.

The limitations of the study are now discussed in much greater detail in a new Limitations subsection at lines 475-537. We thank the reviewer for prompting us to address the limitations of the study much more explicitly; this has strengthened and clarified the paper’s contribution.

Attachment

Submitted filename: Response to Reviewers.pdf

pone.0297312.s004.pdf (135KB, pdf)

Decision Letter 1

Naeem Jan

3 Jan 2024

Mapping the global geography of cybercrime with the World Cybercrime Index

PONE-D-23-32959R1

Dear Dr. Bruce,

We’re pleased to inform you that your manuscript has been judged scientifically suitable for publication and will be formally accepted for publication once it meets all outstanding technical requirements.

Within one week, you’ll receive an e-mail detailing the required amendments. When these have been addressed, you’ll receive a formal acceptance letter and your manuscript will be scheduled for publication.

An invoice for payment will follow shortly after the formal acceptance. To ensure an efficient process, please log into Editorial Manager at http://www.editorialmanager.com/pone/, click the 'Update My Information' link at the top of the page, and double check that your user information is up-to-date. If you have any billing related questions, please contact our Author Billing department directly at authorbilling@plos.org.

If your institution or institutions have a press office, please notify them about your upcoming paper to help maximize its impact. If they’ll be preparing press materials, please inform our press team as soon as possible -- no later than 48 hours after receiving the formal acceptance. Your manuscript will remain under strict press embargo until 2 pm Eastern Time on the date of publication. For more information, please contact onepress@plos.org.

Kind regards,

Academic Editor

PLOS ONE

Additional Editor Comments

I am happy to inform you that, according to the reviewers' comments, your paper has now been accepted for publication in PLOS ONE.

Thank you

Acceptance letter

Naeem Jan

19 Mar 2024

PONE-D-23-32959R1

PLOS ONE

Dear Dr. Bruce,

I'm pleased to inform you that your manuscript has been deemed suitable for publication in PLOS ONE. Congratulations! Your manuscript is now being handed over to our production team.

At this stage, our production department will prepare your paper for publication. This includes ensuring the following:

* All references, tables, and figures are properly cited

* All relevant supporting information is included in the manuscript submission

* There are no issues that prevent the paper from being properly typeset

If revisions are needed, the production department will contact you directly to resolve them. If no revisions are needed, you will receive an email when the publication date has been set. At this time, we do not offer pre-publication proofs to authors during production of the accepted work. Please keep in mind that we are working through a large volume of accepted articles, so please give us a few weeks to review your paper and let you know the next and final steps.

Lastly, if your institution or institutions have a press office, please let them know about your upcoming paper now to help maximize its impact. If they'll be preparing press materials, please inform our press team within the next 48 hours. Your manuscript will remain under strict press embargo until 2 pm Eastern Time on the date of publication. For more information, please contact onepress@plos.org.

If we can help with anything else, please email us at customercare@plos.org.

Thank you for submitting your work to PLOS ONE and supporting open access.

Kind regards,

PLOS ONE Editorial Office Staff

on behalf of

Dr. Naeem Jan

Academic Editor

PLOS ONE

Associated Data

    This section collects any data citations, data availability statements, or supplementary materials included in this article.

    Supplementary Materials

    S1 Indices. WCI indices.

    Full indices for the WCI Overall and each WCI Type.

    (PDF)

    pone.0297312.s001.pdf (127.6KB, pdf)
    S1 Appendix. Supporting information.

    Details of respondent characteristics and analysis of rating behaviour.

    (PDF)

    pone.0297312.s002.pdf (104.8KB, pdf)

    Data Availability Statement

    The dataset and relevant documents have been uploaded to the Open Science Framework. Data can be accessed via the following URL: https://osf.io/5s72x/?view_only=ea7ee238f3084054a6433fbab43dc9fb.

