‘Cybercrime’ is an umbrella concept used by criminologists to refer to traditional crimes that are enhanced via the use of networked technologies (i.e. cyber-enabled crimes) and newer forms of crime that would not exist without networked technologies (i.e. cyber-dependent crimes). Cybersecurity is similarly a very broad concept and diverse field of practice. For computer scientists, the term ‘cybersecurity’ typically refers to policies, processes and practices undertaken to protect data, networks and systems from unauthorised access. Cybersecurity is used in subnational, national and transnational contexts to capture an increasingly diverse array of threats. Increasingly, cybercrimes are presented as threats to cybersecurity, which explains why national security institutions are gradually becoming involved in cybercrime control and prevention activities. This paper argues that the fields of cyber-criminology and cybersecurity, which are segregated at the moment, are in much need of greater engagement and cross-fertilisation. We draw on concepts of ‘high’ and ‘low’ policing (Brodeur, 2010) to suggest it would be useful to consider ‘crime’ and ‘security’ on the same continuum. This continuum has cybercrime at one end and cybersecurity at the other, with crime being more the domain of ‘low’ policing while security, as conceptualised in the context of specific cybersecurity projects, falls under the responsibility of ‘high’ policing institutions. This unifying approach helps us to explore the fuzzy relationship between cyber-crime and cyber-security and to call for more fruitful alliances between cybercrime and cybersecurity researchers.
The authors argue
Cybercrime and cybersecurity are increasingly being presented among the major social, political and economic challenges of our time. Cybercrime is an umbrella concept used to refer to cyber-enabled crimes (i.e. traditional crimes that are enhanced via the use of networked technologies) and cyber-dependent crimes (i.e. crimes that would not exist without networks technologies; see McGuire & Dowling, 2013; Wall, 2001). For the most part, criminological research has focused more on cyber-enabled crime and, to a lesser extent, on policing responses to those crimes. Research in this domain is loosely referred to as ‘cyber-criminology’ (Grabosky, 2016). Cybersecurity is a very broad concept and diverse field of practice. For computer scientists, the term is typically used to refer to policies, processes and practices undertaken to protect data, networks and systems from unauthorised access (Carley, 2020; Fichtner, 2018). It does not matter, from a definitional point of view, whose systems are being considered, with cybersecurity being used in the context of personal devices, the home, workplace and institutions. Rather, the different types and purposes of data, networks and systems are more questions for the precise makeup of cybersecurity. Much like the idea of ‘security’, cybersecurity is a slippery concept meaning very different things to different people.
The ‘securitisation’ of cybersecurity cannot be ignored (Kremer, 2014). Indeed, some argue that the term ‘cybersecurity’ can be understood ‘as “computer security” plus “securitisation”’ (Hansen & Nissenbaum, 2009, p. 1160), reflecting the view that shifting from computer to cyber security shifts from a technical discourse based on protecting systems to a securitising discourse portraying cybersecurity as a specialised domain of national security. An increasingly diverse array of cybersecurity issues are captured under this conceptualisation, including threats posed from espionage emanating from a foreign state, hacking by (state or non-state) terrorists and various forms of cyber-crime. Increasingly, cybercrimes are presented as threats to cybersecurity. Many of the agencies responsible for cybersecurity, particularly signals intelligence agencies, have historically had very little to do with crimes. Interestingly, governments are also potential threats to cybersecurity, as in the cases over-reaching state surveillance. As a field of practice, cybersecurity is concerned largely with the protection of digital infrastructures such as communications, financial and transportation systems (Fichtner, 2018). At the same time, individuals and organisations of all sizes are increasingly being encouraged and responsibilised to practise cybersecurity.
As cyber-criminology and cybersecurity are both concerned with the study of online harms and responses to such harms, it would be logical to assume that these fields share many theoretical and empirical approaches. Upon a closer examination, however, it becomes clear that they are more accurately understood as two discrete academic fields, each mobilising differentiated conceptual frameworks, research questions, datasets, publication outlets and career paths. This paper argues that the concept and field of cybersecurity is in much need of greater conceptualisation. In doing so, we recognise that ‘all that we can know about security is what people do in its name’ (Valverde, 2011, p. 5), suggesting that efforts should not be caught up in only theorising security but also addressing the practices of security governance. These practices, it is argued, need to be considered in the context of the logics, scale and scope of specific security projects. Our focus in this paper is to consider these questions within the diverse and, at times, contradictory set of actors and practices that make up the field of cybersecurity. The paper therefore proceeds as follows. First, we consider in more depth the origins of the cyber-criminology and cybersecurity fields. This allows us to not only further explain the divergence between these cyber fields but also provide insights into how these differences can be better navigated. We therefore hope to promote further integration between these disciplines in future research on cybercrime and cybersecurity. Second, we focus the rest of the paper on the relational dynamics connecting the cybercrime and cybersecurity fields, including cyber harms and the actors responsible for preventing and controlling such harms. Drawing on concepts of ‘high’ and ‘low’ policing (Brodeur, 2010), we suggest it is useful to consider ‘crime’ and ‘security’ on a continuum. This continuum has crime at one end and security at the other, with crime being more the domain of ‘low’ policing while security, as conceptualised in the context of cybersecurity projects, is more that of ‘high’ policing. In the middle of this continuum, we see a convergence, where crime and security meet. An increasing amount of cybersecurity problems are occupying this territory, which has significant implications for the cyber field as a whole. We conclude the paper by reflecting on these points of convergence and suggest areas for future research in this field.