5 October 2018 • Gideon Wille
SMEs already know exactly where to find the brand new professor of cyber crime.
There is a great need for SMEs to protect themselves from cyber crime. Even before Rutger Leukfeldt’s research group had begun, SMEs were knocking on his door. He jumped in head first. ‘There are major questions that need answering in criminology. Are the prevailing theories still valid? Maybe cyber criminals’ personalities are different than ordinary crooks. If so, they need different interventions.’
When I think of cyber crime, I think of nerdy people who sit in a darkened corner at a flickering screen till deep in the night. Do you need to be nerdy too to fight cyber crime?
“I do some programming, but I’m not a techie, I’m a social scientist. As a criminologist I look at the behaviour of people, of the victims and, especially, of the criminals. Cyber crime may appear to be a technical issue, but it in fact involves many human aspects. Research has been done for years into the technology, but it is humans that carry out cyber attacks and humans who use the system, and they sometimes do it wrong.”
What do you find appealing about researching cyber crime?
“The perspective that we have on cyber crime is new. There are major questions that still need answering in criminology. I like that. One example is whether the criminological theories about cyber criminals apply. A hacker in an attic may have a completely different personality than the average criminal. This means that you may have to design different interventions. But first you need to understand if you are dealing with a new type of criminal.
“We see that traditional criminals also embrace cyber, such as youth gangs that robbed but then step over to phishing. How they get their money does not matter to them. If someone in their network comes along who can programme, they will start doing cyber crime as well. But you also have a new type of criminal. In criminology, we know that home, work and partner are the most important reasons that make a criminal stop. However, working in the IT sector gives people the opportunity to carry out cyber crimes.
“We also know that criminals often have a low level of self-control. But is this the same for cyber criminals? There is a scientific discussion about this because for some types of cyber crime, it is useful if you can programme. But you need to learn how to programme, and it takes some time before you are skilled enough, so self-control is an important factor. In terms of cyber crime, the facts about criminality which guide our policy are changing.”
Why are you concentrating on the SME sector?
“If there is one group that does not appear much in research into cyber crime, it’s the SMEs. There are many reasons for this. For example, a lot of attention was on essential infrastructure such as sluice gates and power stations. This is completely understandable because if it goes wrong, it goes really wrong. Even large companies like banks are easier to reach. There are four large banks in The Netherlands. If you make sure that they work on the research, then you have most of the payment traffic involved in your research in one go. The other banks will then join in. Citizens and students are also relatively easy to reach for researchers. But entrepreneurs devote all their time to their businesses and are thus more difficult to reach. Researchers need to put more time and energy into them.
“Our baseline shows that 20 percent of SMEs have had problems with cyber crime. This is a high proportion. Our research group wants to find out how we can make entrepreneurs cyber savvy so that they can better protect themselves against cyber attacks. Or if they were already victims of an attack, how they can make themselves more resilient so that they can limit the damage.”
But how are you going to do that if SMEs are so hard to reach?
“When the trade associations got wind of the fact that we were setting up this research group, they contacted us themselves. This is a good sign as it showed that they felt the urgency. The fact that an organisation like MKB Nederland (SME the Netherlands) is closely involved in our research group helps.
“We cannot design a general course on cyber crime as the SME sector is too large and diverse. You need to pick out some issues such as phishing and ransomware and develop specific interventions for them. Our research group is mapping the major problems. What are the biggest issues for entrepreneurs? How have they organised their affairs? What are their needs? We will use these to develop interventions and give people tools.
“We are now running a pilot with the Municipality of The Hague in two shopping areas, which conducts the resilience scan for the SMEs. Researchers and students are doing the rounds offering a free cyber security scan. But the entrepreneurs tell them that, while they think it is important, they must come back later because they are busy. The entrepreneurs just want help, but we need to look at how and why SMEs are attacked before we can come up with effective solutions. We have now done some pilots, and if we later have good outcomes, people will say that these will really help them.”
Is it hard to find out what criminals are thinking?
“It is more time consuming than doing research on the potential victims because they are people who want to be under the radar, who don’t want to be interviewed. I am examining police files and talking to cyber criminals. This is long-term research that I am primarily doing from my position at the NSCR. We have a few doctoral candidates there too who are doing research in this area.”
So you also work at the NSCR. How does this relate to your work at The Hague University of Applied Sciences?
“We do practice-oriented research at the University of Applied Sciences. This tends to be short-term research to solve urgent problems for entrepreneurs. I explicitly use my theoretical knowledge from the NSCR for this. At the University of Applied Sciences we find out what the issues are for the entrepreneurs. I couple this information back to the NSCR that can then guide the long-term basic research.”
On Tuesday, 9 October 2018, Dr Rutger Leukfeldt will give his inaugural lecture as professor of Cyber Security in SMEs. Prior to the inaugural lecture, researchers will give presentations on cyber crime and cyber security. For more information, see the website of The Hague University of Applied Sciences.
Lines of research
The Cyber security in the SME sector research group has four main lines of research.
1) Understanding what is happening. Who are the victims? What are the attacks about? What are the risk factors?
2) Resilience. How is the business organised? How do you prepare for an attack and can you improve the preparations? How can you learn from past crises?
3) Understanding criminality. Who are they, why do they do it, how do they think? Is there a business model and can you intervene?
4) Improving how cyber crime is dealt with.
The cyber security research group in SMEs is working with two other research groups at The Hague University of Applied Sciences in the Centre of Expertise Cyber Security.
Rutger Leukfeldt: ‘Cyber crime may appear to be a technical issue, but it involves many human aspects.’