Article

Statistics and digital threats: How security organizations quantify cybercrime

Abstract

Regarded as the crime of the 21st century, cybercrime is a complex phenomenon. The cybersecurity ecosystem must respond to a wide range of digital threats whose causes and impacts are rarely well understood. Data and statistics on the problem are countless, which adds to the confusion in understanding it. This article aims to compare how a diverse sample of organizations working in the field of cybersecurity conceptualize cybercrime. To that end, this study analyzes the content of thirteen reports on cybercrime, produced by the same number of organizations, for the year 2014. Several elements are compared, including the operational definitions used, the typologies of cyberthreats measured, the concepts analogous to cybercrime that are addressed, the methodologies used and the predictions made. The results suggest that, despite shared concerns about this problem, there remains great heterogeneity in the definitions of the central concepts in the reports, in the typologies of cyberthreats and in the predictive trends.

... They prove implicitly grateful to the marketing departments of these companies for supplying the raw material that lets them make tangible risks that are technically complex and still poorly understood by laypeople. In a recently published article, Côté et al. (2016) thus show that the thirteen main annual reports produced by IT security companies or professional associations are characterized by the multiplicity of methodologies used to collect data (from surveys to the use of internal data collected automatically by sensors installed on customers' machines) and by the worrying opacity of the empirical approach employed (only two of the reports describe in detail the protocols followed). The authors also highlight the threefold analytical heterogeneity that characterizes these documents: the structural heterogeneity observed reveals significant differences in analytical strategies depending on the organizational culture of the company behind the report and on commercial priorities, while the conceptual heterogeneity points to the imprecision of the terminology employed and of the definition of problems. ...
Article
The disruptive effects of technology, far from being limited to transforming private and governmental organizations through a barrage of innovations, also apply to research institutions, which are being radically reconfigured by the differential capacity of various disciplinary fields to embrace the new themes that have emerged in its wake, as well as the theoretical and methodological tools that are needed to study them. In that context, this article aims to examine three issues that are at the core of the transformations that our discipline will most likely experience. The first issue concerns the measurements of digital risks and the integration of those statistics to existing crime indicators. We will discuss the reliability of established measurement instruments and the missing metrics that are needed to better intervene against cybercrime. The second issue is of a methodological nature and focuses on a better integration of qualitative and quantitative approaches, to promote a mixed method strategy better suited to capture the complexity of the problem at hand. Finally, the third issue deals with changing regulatory mechanisms, and suggests that we discard the theoretical blinkers that prevent us from acknowledging the full extent of the plural modes of governance that are being implemented to prevent and respond to online harms.
Article
Botnets, or networks of computers compromised by hackers, currently represent the most serious criminal threat, serving as a platform for bank fraud, distributed denial-of-service (DDoS) attacks, and click fraud. In recent years, two distinct approaches have been favoured to combat these botnets: on the one hand, police services have carried out highly publicized arrests of a few high-profile hackers and dismantled their command-and-control infrastructures. On the other hand, in some countries, notably Japan, South Korea and Australia, but also Holland and Germany, governments have encouraged the emergence of public-private partnerships involving internet service providers and IT security companies. Taking a regulatory approach, these initiatives aim to identify infected computers, notify their owners and help them clean their machines. This article therefore aims to compare the two approaches (criminal prosecution vs. regulation), in particular by trying to assess the effects each produces on the overall level of security of the digital ecosystem.
Chapter
The commercial internet has now been in existence for almost fifteen years, but it seems that Western governments have barely realized the extent to which this technology is redefining security issues, and are scrambling to design policies specifically addressing this new class of risks. Until then, the folklore associated with computer hackers and their supposed ability to launch a nuclear war from their parents' basement or to bankrupt the whole financial system remained mostly a Hollywood myth. Although the spectre of cyber-terrorism was raised at regular intervals in the late 90s and early 2000s by some scholars (Denning, 2000), the event of 9/11 and following attacks in Madrid, London or Bali, to name a few, clearly demonstrated that none of the existing terrorist groups realistically considered that computers could generate the same amount of terror among their opponents as crudely assembled explosive devices detonated in public areas by suicide bombers. Of course, I am not arguing that governments have been idle over the years. On the contrary, they developed technical and investigative capacities that were responsible for some high profile hackers' arrests and managed to shut down underground criminal online markets through the use of creative infiltration strategies (see for example Poulsen, 2011). Computer emergency response teams have also benefited from the institutional support of various government agencies. But this approach was fragmented at best, and it was only very recently that the internet captured the attention of national security policy makers, leading to the proliferation of national cybersecurity strategies (CSS) that rely on a more integrated 'whole of government' approach.
Their stated objectives are to more systematically address the diversity of risks associated with the embeddedness of this recent technology into every aspect of our lives, from the daily operations of key infrastructures to the flow of transactions that irrigate our financial system and the personal communication tools that sustain our social interactions. Hence, this short contribution will examine the common features that seem to define these CSS, from the way they frame the risks they seek to protect us from, to the specific initiatives they advocate and the financial and institutional resources they plan to mobilize in the process. I will also discuss what is not included in these strategies, as what is deliberately left unsaid or kept very vague can highlight the decisions that were made, and therefore the alternatives that were discarded. The potential implications these CSS will have on online privacy will also be discussed in a final section, where I will argue that privacy advocates have underestimated the disruptive role CSS might play in framing a new internet regulatory regime mainly defined through security.
Book
Chapter 1 introduces two paradigms used in the governance of security--one based on punishment and the other on risk. The main argument of the book is that the governance of security in modern society is increasingly oriented around the paradigm of risk. In chapter 2, the authors outline the eight general dimensions of governance and illustrate how the governance of security in contemporary societies has been changing along each of these dimensions. Understanding these changes requires an understanding that the distinctions commonly made between “public” and “private” spheres are increasingly problematic. Chapter 3 explores the role of punishment in the governance of security. The authors examine the punishment mentality and argue that this mentality is grounded in past events, emphasizes coercive physical force, and involves direct governance through the state. Chapter 4 focuses on the modern police institution, arguing that while the institutions and technologies of policing have changed, it is still linked to the underlying mentality of punishment. This chapter also explores the recent shift from punishment-centered to problem-oriented modes of security governance. Chapter 5 explores how risk management has developed with the corporate sector, including an examination of its philosophy, techniques, and practices. Chapter 6 illustrates how Zero-Tolerance Policing (ZTP) is informed by the old punishment paradigm while at the same time displaying key elements of the new risk paradigm. They focus on a single example--ZTP in Middlesbrough, England. Chapter 7 reviews some of the key changes in security governance by focusing on Britain as an exemplar of “the new security governance.” The final chapter presents the model of “nodal governance,” using the Zwelethemba model as an example of how a nodal approach can restructure relations between security and justice. Nodal approaches to security governance are becoming more apparent and deserve serious consideration.
Article
Using the literature on the networked society as a starting point, this article argues that security can also be conceptualized as being produced by various networks of actors—public and private. This approach eschews the usual debate between those who defend the pre‐eminence of the state (general interest) and those in favour of a plural mode of security production (market‐oriented) to focus instead on the shared complex morphology that characterizes security assemblages in the present era: networks. Security networks are found in both Anglo‐Saxon and Continental societies at the local, institutional, international and informational levels. In order to overcome the descriptive tendency of network approaches, a dynamic framework based on the capital metaphor shows how each actor of a security network mobilizes distinct forms of resources in order to maximize its position in the network. This framework can be applied to chart the emergence and transformation of security networks and the strategies deployed by their nodes.
Article
Although the Internet is now two decades old, a second generation of applications (known as web 2.0) has experienced exponential growth over the past few years. These sites are characterized by their high level of interactivity, their connectivity and their social network dimension. After a quick overview of the web 2.0’s technical features, we will examine in this article the complex relationship that the law entertains with information and communication technologies whose development happens at a much faster pace than what the justice system is used to. In the second half of the article, we use an incident database we developed in order to examine the criminal and reputational risks associated with the web 2.0. We are especially interested in the exaggerated and distorted claims made in the mainstream media about those risks.
Article
Some obese subjects repeatedly fail to lose weight even though they report restricting their caloric intake to less than 1200 kcal per day. We studied two explanations for this apparent resistance to diet--low total energy expenditure and underreporting of caloric intake--in 224 consecutive obese subjects presenting for treatment. Group 1 consisted of nine women and one man with a history of diet resistance in whom we evaluated total energy expenditure and its main thermogenic components and actual energy intake for 14 days by indirect calorimetry and analysis of body composition. Group 2, subgroups of which served as controls in the various evaluations, consisted of 67 women and 13 men with no history of diet resistance. Total energy expenditure and resting metabolic rate in the subjects with diet resistance (group 1) were within 5 percent of the predicted values for body composition, and there was no significant difference between groups 1 and 2 in the thermic effects of food and exercise. Low energy expenditure was thus excluded as a mechanism of self-reported diet resistance. In contrast, the subjects in group 1 underreported their actual food intake by an average (+/- SD) of 47 +/- 16 percent and overreported their physical activity by 51 +/- 75 percent. Although the subjects in group 1 had no distinct psychopathologic characteristics, they perceived a genetic cause for their obesity, used thyroid medication at a high frequency, and described their eating behavior as relatively normal (all P < 0.05 as compared with group 2). The failure of some obese subjects to lose weight while eating a diet they report as low in calories is due to an energy intake substantially higher than reported and an overestimation of physical activity, not to an abnormality in thermogenesis.
Book
How is collective action organized? How do actors cooperate? Social science research has given very diverse answers to these questions. Starting from the notion of instrumentation, Charlotte Halpern, Pierre Lascoumes and Patrick Le Galès propose to focus attention on the concrete aspects, the material supports of collective action: the instruments, tools and devices, as they were originally valued by management science and the sociology of science and technology, and as they are now mobilized in very diverse areas of the social sciences to analyze markets, capitalism, firms and different forms of collective action linked to public authority. Ten years after the publication of "Gouverner par les instruments", this new volume takes stock of the debates and controversies on instrumentation in dialogue with other fields of study (management science, history and economics). The authors gathered here discuss the notion of instrumentation on the basis of recent research on climate, environmental services, property rights, public debt, days of remembrance, the management of squats, etc. The richness of the debates confirms how fruitful reflection on instrumentation is for thinking about the social sciences and collective action today.
Article
Cybercrime is now well-established and there are plenty of opportunities for cyber-criminals to make money – by stealing money from victims’ bank accounts and by selling stolen data on the underground market. As such, it is hardly surprising that government agencies, security vendors and businesses have sought to quantify the scale and cost of attacks. Some try to quantify the global impact, some focus on the impact within a specific geo-political region, and others try to estimate the cost of a specific attack [1–3]. Although it is a widely recognised problem, attempts to quantify cyber-dependent crime have resulted in dramatically varied numbers, highlighting the difficulty of trying to establish the scale, cost and impact of attacks. Prof Steven Furnell and Dr Maria Papadaki of Plymouth University, and David Emm of Kaspersky Lab examine various published sources in order to determine the nature (and potential quality) of the information, and underlying measures, relating to cyber-dependent crime. They find that it is more important to understand the impact of incidents (and how to prevent them) than to focus on metrics.
Article
Computers and the Internet have become a vital part of modern life across the world, affecting communications, finance, and governance. At the same time, technology has created unparalleled opportunities for crime and deviance on- and off-line. Criminological research has expanded its focus over the last two decades to address the various forms of technology-enabled crime and the applicability of traditional theories to account for offending. There is, however, a need for careful consideration of the state of the field in order to identify issues requiring further study and analysis. This study examines the current literature on virtually all forms of cybercrime and the theoretical frameworks used to address these issues. In turn, we hope to give direction to refine our understanding of criminological theory and social policies to combat these offenses.
Article
This paper addresses a serious impediment to theory and policy for cybersecurity: Trivial as it might appear on the surface, there is no agreed upon understanding of the issue, no formal definition, and not even a consensus on the mere spelling of the terms, so that efforts to develop policies and postures, or capture relevant knowledge are seriously hampered. In this context, we present a “proof of concept” for a new research strategy based on a close examination of a large corpus of scholarly knowledge, and the extent to which it enables us to generate new knowledge about cybersecurity of relevance to international relations and to national security relevant to the nation’s security and to international relations. Given the new cyber realities, this paper is also a “proof” of how to create new knowledge through automated investigations of the record to date.
Article
Cybercrime essentially consists of using computer technology to engage in illegal activity. The activity can constitute traditional crime (e.g., fraud, theft, extortion) or new types of criminal behavior (e.g., denial of service attacks, malware). Cybercrime creates significant challenges for our current, reactive model of law enforcement: The current model of law enforcement evolved to deal with real-world crime, which is spatially-based and limited in scale due to the constraints of physical reality. Cybercrime ignores territorial borders and, since it can be automated crime, can be committed on a much greater scale than real-world crime. For these and other reasons, the hierarchical, reactive model we use to control real-world crime is not an effective means of dealing with cybercrime. It is therefore necessary to develop a new model to deal with cybercrime. The model cannot be a hierarchically-based system which is designed to concentrate personnel and other resources on controlling a population situated in a spatially defined area. It must be a lateral, flexible approach that shifts much of the responsibility for controlling crime from a cadre of designated professionals to the individuals and entities who use cyberspace. The focus of the model must be on prevention, not reaction. To implement this model it is necessary to impose certain responsibilities upon those who use cyberspace; the article explains how modified principles of criminal liability can be used to create incentives to prevent cybercrime.
Article
Much of the information we have on cyber-crime losses is derived from surveys. We examine some of the difficulties of forming an accurate estimate by survey. First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N = 1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.