Reviewing Estimates of Cybercrime Victimisation and Cyber Risk Likelihood

Daniel W. Woods, Lukas Walter

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Across both the public and private sector, cyberse-curity decisions could be informed by estimates of the likelihood of different types of exploitation and the corresponding harms. Law enforcement should focus on investigating and disrupting those cybercrimes that are relatively more frequent, all else being equal. Similarly, firms should account for the likelihood of different forms of cyber incident when tailoring risk management policies. This paper reviews the quantitative evidence available for both cybercrime victimi-sation and cyber risk likelihood, providing a bridge between the academic fields of criminology and cybersecurity. We extract estimates from 48 studies conducted by a mix of academics, statistical institutes, and cybersecurity vendors using a range of data sources including victim surveys, case-control studies, and the insurance market. The victimisation estimates are categorised into: cyber attack; malware; ran-somware; fraudulent email; online banking fraud; online sales fraud; unauthorised access; Denial of Service; and identity theft. For each category, we display all estimates in the years 2017–2021. Our review shows: (i) firms face higher victimisation rates than individuals, which increases in the number of employees; (ii) global surveys reveal a consistent relative ranking of countries in ransomware victimisation; (iii) although trends could be identified within studies that collect longitudinal data, these trends tended to contradict each other when compared across studies; and (iv) broad categories with unclear consequences (e.g. malware and fraudulent emails) displayed higher variance and average values than categories associated with specific outcomes (e.g. identity theft or online banking fraud). We discuss the outlook for cybercrime and cyber risk research.
Original languageEnglish
Title of host publicationProceedings of the 7th IEEE European Symposium on Security and Privacy Workshops 2022
Number of pages13
ISBN (Electronic)978-1-6654-9560-8
ISBN (Print)978-1-6654-9561-5
Publication statusPublished - 27 Jun 2022
Event7th IEEE European Symposium on Security and Privacy 2022 - Genoa, Italy
Duration: 6 Jun 202210 Jun 2022
Conference number: 7

Publication series

NameIEEE European Symposium on Security and Privacy Workshops
ISSN (Print)2768-0649
ISSN (Electronic)2768-0657


Symposium7th IEEE European Symposium on Security and Privacy 2022
Abbreviated titleEuro S and P 2022
Internet address


Dive into the research topics of 'Reviewing Estimates of Cybercrime Victimisation and Cyber Risk Likelihood'. Together they form a unique fingerprint.

Cite this