See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/258189987

Routine Activity Theory and the Determinants of High

Cybercrime Countries

Article in Social Science Computer Review · November 2012

DOI: 10.1177/0894439311422689

CITATIONS READS
101 2,784

1 author:

Alex Kigerl
University of Nebraska at Omaha
29 PUBLICATIONS 462 CITATIONS

SEE PROFILE

All content following this page was uploaded by Alex Kigerl on 18 August 2015.

The user has requested enhancement of the downloaded file.

 Social Science Computer Review
http://ssc.sagepub.com/

Routine Activity Theory and the Determinants of High Cybercrime Countries

Alex Kigerl
Social Science Computer Review 2012 30: 470 originally published online 5 October 2011
DOI: 10.1177/0894439311422689

The online version of this article can be found at:

http://ssc.sagepub.com/content/30/4/470

Published by:

http://www.sagepublications.com

Additional services and information for Social Science Computer Review can be found at:

Email Alerts: http://ssc.sagepub.com/cgi/alerts

Subscriptions: http://ssc.sagepub.com/subscriptions

Reprints: http://www.sagepub.com/journalsReprints.nav

Permissions: http://www.sagepub.com/journalsPermissions.nav

Citations: http://ssc.sagepub.com/content/30/4/470.refs.html

>> Version of Record - Oct 4, 2012

OnlineFirst Version of Record - Oct 5, 2011

What is This?

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

 Social Science Computer Review
30(4) 470-486
ª The Author(s) 2012
Routine Activity Theory Reprints and permission:
sagepub.com/journalsPermissions.nav
and the Determinants of DOI: 10.1177/0894439311422689
http://ssc.sagepub.com
High Cybercrime Countries

Alex Kigerl1

Abstract
Cybercrime and the threat it creates are growing in its reach, in accordance with similar growth in
information technology. Some countries account for more of the variation in cybercrime activity
than others, which affects less criminally involved nations as well, considering that cybercrime
does not respect national borders over the Internet. Routine activity theory (RAT) has been
used to explain cybercrime at the individual level, but not at the national level. Much research has
focused on high cybercrime countries, but this research is often conducted by cybersecurity
firms and is exclusively descriptive, making no inferences. This research sought to determine
what characteristics predict whether a nation is high in either spamming activity or phishing
activity. In a sample of 132 countries, it was found that wealthier nations with more Internet
users per capita had higher cybercrime activity. Unemployment was also found to interact with
Internet users such that the effect of the proportion of Internet users on spam was strongest in
nations with higher unemployment. The implications these findings have for policy and
suggestions for future research are discussed.

Keywords
routine activity theory, cybercrime, spam, phishing, unemployment, Internet, convention on
cybercrime

Introduction
There is little doubt in the significant amount of growth that can be attributed to cybercrime activ-
ities over the preceding decades. Illegal activities using computers or computer networks have
grown just as fast as technology has expanded and improved. Cybercriminals have become orga-
nized in such a way that has allowed the crimes they commit to become part of a booming business
model.
Cybercriminals are often both versatile and specialized as a group with regard to the crimes they
commit. The creation and distribution of malware is a booming business, with a profitable market-
place and division of labor (Schiller et al., 2007). A common theme throughout most cybercrime

1
Washington State University, Pullman, WA, USA

Corresponding Author:
Alex Kigerl, Washington State University, 1401 NE Merman Drive, Apt. 103, Pullman, WA 99163, USA
Email: alex@alexkigerl.com

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

Kigerl 471

operations is the defrauding of victims for profit. Phishing costs the United States 52.6 billion a year
alone (Brody, Mulig, & Kimball, 2007) and advance fee fraud costs individuals an average of
$3,864.00 per scam (Dyrud, 2005).
Some countries account for a disproportionate amount of the cybercrime activity (Bookman,
2010; Fossi et al., 2010; IBM X-Force, 2010; Security Threat Report, 2010). Even if someone does
not reside in one of these countries, the security threats of cybercrime are often not reduced.
Cybercrime attacks are most often directed over the Internet, and the Internet, for the most part,
knows no national borders. A cybercriminal in China can still be a threat to citizens within the
United States. Therefore, it is important that attempts be made to fight cybercrime anywhere it
occurs in the world. But to fight cybercrime, it must be known what influences it.
There is some literature on the theories of cybercrime. Among the most prominent theories is
routine activity theory (RAT), formerly used to predict aggregate street crime rates but has since
been adapted to fit the cybercriminal. There is some evidence to support RAT in terms of predicting
cybercrime (Bossler & Holt, 2007; Choi, 2008; Holt & Bossler, 2009; Hutchings & Hayes, 2009;
Pratt, Holtfreter, & Reisig, 2010). However, RAT has been used only to predict whether an individ-
ual will be the recipient of cybercrime and will engage in deviance online. There has not yet been
research linking RAT with cybercrime at an aggregate level such as that of nations.
Research has focused on which countries are high in cybercrime activities. But this research does
not report why these countries are at such security risk. Furthermore, the bulk of this research has not
used rigorous scientific practices. The reports are mostly descriptive, with few to no inferential sta-
tistics used.
This research is intended to fill these gaps. What characteristics of each country predict its
cybercrime activity? There are three research questions here related to the three conditions of
RAT. One question is whether the number of Internet users per capita, considered a measure of
potential victims, relates to cybercrime. The second concerns whether unemployment rates, pos-
sibly motivating some individuals to commit crime, also relate to cybercrime. Finally, it is asked
whether a nation’s willingness to create anticybercrime legislation has any kind of effect on cyber-
crime at the national level.
The best approach for fighting cybercrime is through international treaties and cooperation,
considering the global nature of the crime involved. But policy might also be advised to target what
predicts a country’s cybercrime involvement in the first place. Perhaps equipped with a better the-
oretical foundation of national cybercrime, international law can also take a preventative approach
to fighting cybercrime abroad as well as its normal reactive approach.

International Laws on Cybercrime

Perhaps the best long-term strategy for fighting cybercrime is through international agreements to
collaborate on bringing computer crime offenders to justice. Given the global reach of the Internet,
cybercrime itself can originate anywhere on the globe and target any country that has Internet users.
A recurring problem is the mix of jurisdictions that cybercrime crosses.
Most efforts in the fight against cybercrime are through technical security measures, such as anti-
virus, spam filtering, and encryption (Balkin, Grimmelmann, Kozlovski, Wagman, & Zarsky, 2007).
This prevents cyberattacks from succeeding where these security measures are sufficient, but does
not prevent the cybercriminal from finding suitable targets elsewhere. Potentially, the best means to
eliminate a cybercriminal’s attacks completely is by incarcerating the offender, which requires law
enforcement. Ideally, incarceration would also have a deterrent effect beyond incapacitation, but it is
uncertain to what degree law enforcement is capable of having this effect. Hopefully, incapacitation
alone would have an effect, but it may also be that cybercriminals fill a niche that is easily refilled
with other offenders willing to take the jailed cybercriminal’s place.

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

472 Social Science Computer Review 30(4)

Considering that only a portion of cybercrimes committed in any given country actually
originated in that country (Balkin et al., 2007), many offenders may not fall under the law enforcing
nation’s jurisdiction. The most promising type of anticybercrime legislation will be that which
multiple nations agree to enforce in addition to the agreement to aid other nations when multiple
countries are involved.
One treaty between nations includes the Tripartite Memorandum of Understanding on
Spam Enforcement Cooperation. This is a law internationally agreed upon between the United
States, Australia, Canada, and the European Union including the United Kingdom (Moustakas,
Ranganathan, & Duquenoy, 2005). Cybercrime is exclusively limited to bulk unsolicited commer-
cial electronic messages, such as the varying types of spam (e.g., e-mail spam, instant message spam,
and comment spam).
Other international spam legislation includes the London Action Plan on Spam, which is an
action plan agreed by 19 bodies from 15 countries. The agreement involves the active collaboration
among member countries in sharing information and consenting to aid other nations when the
source of a spamming offense originates within their territory (London Action Plan on Spam,
2004). Member states include the United Kingdom, the United States, Switzerland, Ireland, Japan,
Chile, and nine other states.
However, the number of member states agreeing to these treaties is not large and the type of
cybercrime is limited to spam. Although spam is probably the most common form of cybercrime
to cross national borders, other legislation has taken on a broader number of countries and range
of criminal acts under the umbrella of cybercrime. One prominent and ongoing piece of legislation
includes the Convention on Cybercrime. The treaty was set forth by a committee under the Council
of Europe in Strasbourg (Eccles, 2001).
The intent was to establish a minimum set of laws to combat high-tech crimes. The range of
crimes that fall under the scope of this legislation includes copyright infringement, unauthorized
access to networks or network resources, child pornography, and data interference (Eccles, 2001).
The aims of the convention are to unify laws between nations in the pursuit of cybercrime violations,
providing domestic procedural law powers for investigating and prosecuting offences that transgress
cybercrime laws, as well as sharing evidence between participating states when investigating such
offenders (Convention on Cybercrime, 2001). Not just member states of the Council of Europe are
encouraged to sign the treaty. As of this writing, 46 countries have signed the treaty, with 29 ratify-
ing and enforcing the legislative agreement (Convention on Cybercrime, 2010). The treaty is open to
be signed by both member states of Europe and nonmember states that have participated in the trea-
ties elaboration. This includes a total of 58 nations that have participated in the law’s creation (Con-
vention on Cybercrime, 2010).
While this legislation sounds expansive enough to pose a plausible threat to cybercrime to some
degree, it is too early to determine the efficacy of such efforts. The number of countries ratifying the
Convention on Cybercrime may not be of sufficient number to pose a serious threat to many coun-
tries that are known to harbor cybercriminals when those nations are not participants in such legis-
lation. Fortunately, the Convention on Cybercrime is still open for additional signatures by other
countries and may be largely beneficial to the fight against cybercrime in the future.

Theories of Cybercrime
Criminal law is only as good as the theory underlying the behavior it is intended to deter or limit.
There has been some debate about applying new theories of crime to cybercrime that is different
from street crime (Adams, 1998; Capeller, 2001; Dodge & Kitchin, 2001; Snyder, 2001). However,
RAT, formerly applied to aggregate level crime rates in general, has been considered appropriate for
cybercrimes (Pease, 2001; Yar, 2005).

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

Kigerl 473

RAT is an ecological approach to crime causation, and the accessibility, location, and presence or
absence of environmental characteristics, and certain types of people are what proves predictive of
criminal behavior. The RAT requires three situations to be true and meet in space for there to be a
crime that is committed. These include (a) a motivated offender, (b) a suitable target, and (c) the
absence of a capable guardian (Cohen & Felson, 1979).
A motivated offender must be someone willing to commit a crime should opportunity allow it
(Akers & Sellers, 2004). A suitable target is one the motivated offender values (credit card informa-
tion). It is also visible, accessible, and able to be misappropriated by the offender (Felson & Clarke,
1998). Finally, a capable guardian must be absent, which is anything that obstructs the offender’s
ability to acquire the target (encryption, antivirus; Cohen & Felson, 1979). Research has linked
aggregate routine activities (number of available automobiles, unoccupied homes) to crime rates
(Cohen & Felson, 1979) as well as individual routine activities (proximity to delinquent peers, time
away from home) to crime and crime victimization (Schreck & Fisher, 2004; Schreck, Stewart, &
Fisher, 2006).
Research has also found some support for the three RAT conditions and whether a crime in cyber-
space occurs. Surveys and interviews have found that people’s actions that make them more suitable
to offenders, such as time spent online, more use of Internet banking, making more online purchases,
and risky online behavior (e.g., using P2P file sharing), often are more likely to be the recipients of
cyberbullying (Holt & Bossler, 2009), receive more phishing attacks (Hutchings & Hayes, 2009),
are more often targeted by Internet fraud (Pratt et al., 2010) as well as other forms of fraud (Holtfr-
eter, Reisig, & Pratt, 2008), and lose more time due to malware infection (Bossler & Holt, 2007).
Additionally, lack of antivirus, antispyware, and firewalls (capable guardians) are associated with
more malware victimizations (Choi, 2008).
In light of this research, there appears to be some support for RAT in explaining the likelihood of
being the target or victim of a cybercrime attack. However, most research to date only attempts to
explain cybercrime at the individual level. That is, whether individual characteristics predict subse-
quent cybercrime victimization for that individual. There does not appear to be literature testing
RAT at the national level when cybercrime is the crime type of interest. It is not easy to predict
whether a country will more likely be the source of a cyberattack or be the place of residence for
a disproportionate number of cybercriminals.
Therefore, it becomes beneficial to apply RAT to countries when investigating cybercrime. Some
countries are known to be more problematic than others in terms of cybercrime activity. It is thus
important to know what influences and variables can explain the variation in countries by cyber-
crime activity; and whether RAT is sufficient to explain these differences or whether a new theory
is necessary.

High Cybercrime Countries

There are two ways to measure which countries are high in cybercrime. One is to measure where
most cybercriminals live in physical space. Surely, some countries are home to more cybercriminals
than others. The second means of measuring high cybercrime countries is to determine from which
nations cyberattacks are coming from. For instance, which countries host the most phishing servers,
which are the source of most spam messages, and which countries contain the most botnet zombies.
Where the cybercriminals live is not necessarily where the cyberattacks are coming from. An
offender from Romania can control zombies in a botnet, mostly located in the United States, from
which to send spam to countries all over the world, with links contained in them to phishing sites
located in China. The cybercriminal’s reach is not limited by national borders.
Perhaps the most important measure is where cybercriminals themselves reside. This is difficult
to measure as cybercriminals maintain significant anonymity over the networks they exploit, and

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

474 Social Science Computer Review 30(4)

there are few cybercriminals in prison. There is some consensus, however, as to which regions retain
more offenders. Many have been known to reside in Eastern Europe, Russia, and Asia (Alganandam,
Mittal, Singh, & Fleizach, 2005). Countries such as these with fewer anticybercrime regulations and
many absolute Internet users are suspected of being home to more offenders. Particularly, Russia is
known to have tolerated cybercriminals in its past. Many among Russia’s law enforcement were
known to take bribes from cybercriminals and only pursue offenders should they target victims in
their own country (Barham, 2008).
Some efforts to measure cybercriminal location are more quantifiable than simply describing
events in each country. There are methods available to determine what verbal language was used
to compile software. In order to write software, software tools such as a compiler are required. Com-
pilers can be acquired that vary in the spoken language they were meant for. Some efforts to measure
the spoken language a compiler was intended for that was used to write malware from a malware
sample itself has been carried out. The four most common spoken languages were, in descending
order, non-British English, Chinese, Brazilian, and Russian (Greenberg, 2007). However, this does
not necessarily relate to the exact country the malware was written in.
While it is important to know where cybercriminals reside, it is much easier to measure from
where cyberattacks originate across the globe. Many cyberattacks travel across the Internet, and
in order to get anywhere on the Internet, routers and servers must know the transmission’s address
in cyberspace at one point during a message’s transit through a network. Cyberattacks are digital in
nature, consisting of data that reside, at least temporarily, on computers. Determining where cyber-
attacks come from is simply a matter of acquiring these data. Fortunately many firms, especially
cybersecurity companies, have tremendous amounts of these data. Cybersecurity firms that sell
spam filters can track spam; firms that distribute antivirus software can track malware; and compa-
nies that offer website security can track attacks on those websites. These cyberattacks can be geo-
located to specific countries.
A blog entry released by security firm TrendMicro reported on the breakdown of spam-sending
continents. Thirty-eight percent originated from Europe, 31% from Asia, and 14% of spam was sent
from North America (Bookman, 2010).
Another effort to measure spam is that by Project Honey Pot. Project honey pot is an organization
that allows any registrant at the site with his or her own website hosting to help gather spam statistics
for them. Today Project Honey Pot has statistics on over a billion spam messages (Project Honey Pot
Statistics, 2010). According to the project’s statistics, the top spamming countries in descending
order are China, Brazil, the United States, Germany, and Russia. Bots that harvest e-mail addresses
off the Internet are also tracked. Countries that contain the most harvesters in descending order are
China, Spain, the United States, Romania, and Germany (Project Honey Pot Statistics, 2010).
Multiple cybersecurity firms regularly release detailed reports on the state of cybercrime activ-
ities within their networks, often including a section on countries. Symantec has created an index
of cybercrime activity that includes hosting malware, botnets, phishing server hosting, and how
many botnet command and control (C&C) servers are there within the nation. The top Five nations
on this index include the United States, China, Brazil, Germany, and India. Russia stands seventh
(Fossi et al., 2010).
The International Business Machines (IBM) also has an annual report on cybercrime. IBM ranked
the top spam uniform resource locator (URL) countries. Spam messages often include links to either
spamvertised product websites (e.g., Viagra) or malicious websites that distribute malware. The five
countries that hosted the most spamvertised websites include China, the United States, South Korea,
Moldova, and Russia. Brazil was sixth in place (IBM X-Force, 2010).
Sophos released a report in 2010 measuring malware hosting countries. Servers that host malware
can exploit vulnerabilities in a visitor’s browser to install the malicious software. The top countries
in terms of malicious hosting were the United States, Russia, China, Peru, and Germany. South

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

Kigerl 475

Korea was sixth and the United Kingdom was tenth (Security Threat Report, 2010). These two
countries are suspected to be high in cybercrime as well.
Knowing which countries are the source of cyberattacks is important. It is possible that there exists
a relationship between cyberattack source and cybercriminal source. The research by cybersecurity
firms can be a useful measure of high cybercrime countries. However, the reports and statistics
released by these companies are purely descriptive. They describe which countries are higher or lower
in terms of cyberattacks. No use of multivariate statistics is mentioned. There is no effort to determine
relationships among variables that contribute to whether a country is the source of a cyberattack. That
is why no theoretical foundation can be extracted from these reports regarding cybercrime countries.
It is the purpose of this research to find not only which countries are high in terms of cybercrime
but also what influences can explain the reasons for these criminal activities. What variables are pre-
dictive of why North America is a bigger spamming continent than Africa? Why is Brazil assumed
to house more cybercriminals than India? It is the hope of this article that some of these questions
can be answered.

Method
Sample
The population from which the sample was drawn from includes all sovereign countries on Earth.
The exact number of countries in the world varies depending on how the number is estimated
(Rosenberg, 2010). The count of countries can range from 193 to 200. The Bureau of Intelligence
and Research (2009) estimates the count to be 194.
The data used in this research come from multiple sources. Not all of these sources are exhaustive
in tabulating data on approximately all 194 countries. The nations used in the sample were selected
based on convenience and on whether the data for all variables could be acquired for each country.
Listwise deletion eliminated any case with one or more missing values, resulting in n ¼ 132 nations
or 68% of the population of countries. There may be systematic reasons why data were missing for
certain countries, such as those countries being smaller, poorer, or less advanced and therefore hav-
ing less data on them.

Measures
There are three predictor variables based on theory: Internet users per capita, unemployment rates,
and international cybercrime law enforcement and cooperation. Internet users per capita was taken
from the Internet World Stats Website (http://www.internetworldstats.com/stats.htm, retrieved
December 2, 2010), which contain only such data. This site provides data on the percentage of the
population of each country who were Internet users during 2010. There are data on 216 countries at
the time of this writing. The number of Internet users is hoped to reflect the number of potential vic-
tims of cybercrime (both people willing to fall prey to social engineering and the number of Internet-
ready computers to infect).

Unemployment rate. Data on unemployment were acquired for 198 nations from the 2008 World
Factbook (http://www.photius.com/rankings/economy/unemployment_rate_2008_1.html, retrieved
February 13, 2011). This variable was significantly skewed (p < .0001). A log transform was suffi-
cient in eliminating skew (p ¼ .68). It is hoped that high unemployment also means lack of legiti-
mate information technology (IT) jobs, motivating those with IT skills to rely on cybercrime.

Internet users × unemployment interaction. Internet users per capita and the unemployment rate were
multiplied together to measure an interaction between the two. It is questioned whether countries

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

476 Social Science Computer Review 30(4)

with many Internet users but high unemployment in their economic environments may have a wor-
sening effect on cybercrime outcomes, as this might measure many citizens with IT skills but no
legal means to employ them.

International cybercrime laws. A country’s willingness to fight cybercrime was measured by a four-
level ordinal variable that was dummy coded. The anticybercrime legislation used was the Conven-
tion on Cybercrime proposed by the Council of Europe. The first level of this variable includes all
countries that have neither participated in creating the legislation nor signed it. The second level
includes all countries that have participated in the legislation but have not signed it. The third level
includes countries that have signed but not ratified the legislation. Finally, the fourth category rep-
resents countries that have ratified and enforced the treaty (30 countries; Convention on Cybercrime,
2010). An additional dichotomous variable was created to represent nations that have participated in
the legislation (54) versus ones that have not (78). This will be to prevent relying on too many
predictor variables in subsequent regression models. One limitation of this variable is that it may
represent the countries of the Council of Europe better than countries that are not member countries
of Europe. As of February 6, 2010, 11 nonmember countries have participated in the legislation, 4
have signed it, and 1 has ratified it (the United States). There are 47 member states that have at least
participated in the legislation. The validity of this measure is therefore uncertain, and any interpre-
tation of such a variable will have to be done with skepticism. Fortunately, continents such as Europe
will be controlled for, as discussed below, although this is unlikely to be a sufficient correction to the
limitation of this measure. Ideally, this measure indicates the willingness of a nation to punish cyber-
criminals within their jurisdiction (capable guardians), which could have an effect on cyberattacks.
There are three control variables: continent, gross domestic product (GDP), and population size.
Continent will be a dummy coded measure of seven relevant continents/regions of the world (North
America, Latin America, Europe, Asia, Africa, the Middle East, and Oceania). This is intended to
control for spatial dependency to some degree. Africa will be used as the reference category because
Africa is assumed to be the least active as a continent in terms of cybercrime activity. African nations
rarely show up in top 10 lists of cybercrime activity and the continent is known to send less spam
than other continents/regions (Fossi et al., 2010; IBM X-Force, 2010; Security Threat Report, 2010).

GDP per capita. A measure of GDP was taken from the International Monetary Fund’s 2009 report
(http://bit.ly/cU3qXZ, retrieved November 23, 2010). The report contains a table of GDP per coun-
try that totals 181 countries. This measure was divided by population size (described below) and
multiplied by 1 billion (GDP is represented in billions of dollars). GDP allows for the wealth of each
nation to be controlled for. These variables were significantly skewed (p < .0001). A log transform
resulted in no significant skewness (p ¼ .86).

Population. Population size was acquired from the same data set from which the Internet users per
capita measure was obtained from. There are data for 216 countries and their population sizes.
Using the same source for these two variables is preferable because the Internet users per capita
measure is computed using population size. Refer to the Internet users per capita variable above
for further details. Population was skewed (p < .001), and therefore had to be logarithmically
transformed (p ¼ .81).

Spam rate. One dependent variable (DV) is intended to represent spam sent per country in 2008 as
a rate based on population size. The spam rate data were taken from a sample of 725,037 spam
e-mail messages received in honey net bait e-mail addresses within the United States. The spam
messages were gathered from spam archives by Untroubled Software (http://www.untroubled.org/
spam, retrieved January 3, 2009). A data set was created from this sample of spam e-mails by a script

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

Kigerl 477

written in PERL (practical extraction and report language). The script read each individual spam
e-mail, extracted the originating Internet protocol (IP) address from each e-mail (which is assumed
to be the bottom-most IP address in the message’s headers), and looked up the IP address in a
database of world addresses (which was downloaded from Webnet77, http://software77.net/cgi-bin/
ip-country/geo-ip.pl, retrieved March 20, 2009) and saved each message’s country code to a spread-
sheet. The data were then aggregated by nation, creating a count of spam messages sent per country.
The variable was then used as a rate based on population size. This variable was created from a
larger data set taken from Kigerl (2009). Aggregated by nation, there were 169 countries that had
sent one or more spam message in 2008. This variable most likely represents cyberattack source
or where spam is being sent from (which may be spoofed, but it is not known how much of spam
this applies to). The variable is not a measure of cybercriminal location, however, although it is pos-
sible that there is a relationship between the two.

Phishing top-level domain (TLD) rate. A second DV was intended to measure which countries were
associated with more phishing attacks. Phishing TLD is the count of unique phishing servers that use
a TLD representing a certain nation. TLDs (such as .com and .net) can also represent a country code
(.us, .uk). For example, in 2010, 197 phishing domain names had the form ‘‘http://www.{Domain-
Name}.us,’’ resulting in the United States being coded as being the source of 197 phishing attacks.
The TLD count was used as a rate based on population size. The data were taken from a report
authored by the Anti-Phishing Working Group (APWG; Rasmussen, Aaron, & Aaron, 2010). The
TLD may or may not represent the physical location of which phishing server was actually hosted,
however. Some nation’s TLDs are only able to be registered by its citizens, so it is possible that this
variable is a better measure of cybercriminal location than is spam rate.

Analytic Plan
Initially, a zero-order correlation matrix will be computed for most variables considered. It will be
important to determine the relationships among the variables before controlling for spurious factors.
It will also be a precaution to investigate potential multicollinearity issues.
Both DVs are represented as count data based on a rate: spam per population size and phishing
TLDs per population size. Therefore, regression models that utilize count data as an outcome mea-
sure and that assume a Poisson distribution are required (Long, 1997). While Poisson regression is
the most basic model for count-based data, it is often not appropriate for the social sciences because
its assumptions of equidispersion, or the variance being equal to the mean on average, are often vio-
lated (Lawless, 1987). Instead, data tend to be overdispersed, where variance exceeds the mean for
the count-based data. This is the case for both spam and phishing data used in this research, and
therefore a negative binomial regression model is used instead of Poisson regression, as negative
binomial regression does not make this assumption and is intended to better fit the data (Gardner,
Mulvey, & Shaw, 1995). Two separate regression models will be produced, one for each DV (count
of spam and phishing servers). Negative binomial regression is also appropriate for count data that
are based on a rate (Frome, 1983). For both regression models, nation population size will be used as
the exposure variable, so that the outcome measure will be treated as a rate of spam/phishing attacks
per person in the population.

Questions and Hypotheses

The research questions of this article concern the three main predictor variables, Internet users per
capita, unemployment rate, and participation in the Convention on Cybercrime international treaty.

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

478 Social Science Computer Review 30(4)

The questions concern whether any of these three variables will be shown to impact either spam or
phishing output that is associated with each country.
There are two hypotheses regarding these three variables: (a) countries with more Internet users
per capita will have higher spam output and (b) countries with higher unemployment, controlling for
Internet users, will have a higher spam output. Countries with more Internet users are assumed to
have more suitable targets, that being Internet-ready computers (from which to install spambots
on). Internet users could also be a measure of motivated offenders (as cybercriminals, no doubt, are
Internet users). It is possible that countries with a higher unemployment also have higher unemploy-
ment for those with IT backgrounds. So long as Internet users are controlled for, so that two coun-
tries have an equal number of Internet users, but unequal unemployment, the country with high
unemployment may have bigger problems with spam. This is hoped to be a measure of motivated
offenders, as an Internet user might be more motivated to profit from cybercrime, were there few
legal economic opportunities available.
Note that the hypotheses are predicting spam output, not phishing TLD output (which is the sec-
ond DV). While spam is thought to originate from botnets and other spam sending servers, it is less
clear how phishing TLDs relate to location. Some countries do not require citizenship to register a
TLD associated with them, so the fact that a TLD represents a location (a country) is purely artificial.
Therefore, there is no prediction regarding the phishing TLD variable.
The question concerning cybercrime laws is not as certain, which is hoped to be a measure of
capable guardians. There are significant limitations of this measure, considering only 11 nonmember
states have participated in the treaty’s creation. Even were there no limitations, the impact of this
variable on spam would still not be clear. Perhaps countries high in anticybercrime laws suppress
criminal activity better and therefore cybercrime law is inversely related to cybercrime rates. How-
ever, it could also be considered probable that countries with high rates of cybercrime activities have
more cause to legislate anticybercrime laws. So, perhaps cybercrime laws are shown to increase
cybercrime rates. Whatever the case, cybercrime laws that exist within a country are considered a
wildcard and their effects appear difficult to predict.

Results
Bivariate Analysis
Table 1 contains the Spearman correlation matrix of all variables except the continent dummies.
Most predictors are significantly related to the two DVs (spam rate and phishing rate). Population
size is not significantly related to either DV as a rate, although it is related to absolute spam sent
(r ¼ .62, p < .001) and absolute phishing TLDs (r ¼ .48, p < .001; not shown in table), which sup-
ports the decision to convert these two outcome measures to a rate based on population size.
As is expected, more Internet users per capita are positively associated with both spam (r ¼ .73,
p < .001) and phishing (r ¼ .57, p < .001) rates. Unemployment is inversely related to spam (r ¼
.37, p < .001) and phishing (r ¼ .31, p < .001) rates. Higher unemployment means less cyber-
crime, likely because countries with higher unemployment are less wealthy (i.e., have lower
GDP per capita; r ¼ .41, p < .001) and also have fewer Internet users (r ¼ .44, p < .001). High
cybercrime nations tend to be wealthier.
The Convention on Cybercrime variables seems to be mostly related to cybercrime in a predict-
able direction. Nations that have not participated in the Convention on Cybercrime (CC not partici-
pant variable) tend to have lower spam (r ¼ .53, p < .001) and phishing (r ¼ .56, p < .001) rates.
Whereas nations that have signed (CC signed variable) or ratified (CC ratified variable) are posi-
tively and significantly associated with both spam and phishing rates. Nations that have participated
but not signed the Convention on Cybercrime (CC participant variable) do not show a significant

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

Kigerl 479

Table 1. Spearman Correlation Matrix of Outcome and Predictor Variables (n ¼ 132)

1 2 3 4 5 6 7 8 9 10 11

1. Spam rate 1.0

2. Phishing rate .47*** 1.0
3. Population .04 .16 1.0
4. Percent Internet users .73*** .57*** .02 1.0
5. Unemployment .37*** .31*** .02 .44*** 1.0
6. GDP per capita .7*** .56*** .08 .88*** .41*** 1.0
7. CC not participant .53*** .56*** .03 .63*** .22* .57*** 1.0
8. CC participant .17 .04 .21* .11 .05 .08 NA 1.0
9. CC signed .23** .33*** .07 .35*** .12 .39*** NA NA 1.0
10. CC ratified .33*** .37*** .15 .4*** .14 .32*** NA NA NA 1.0
11. d_Participant .53*** .56*** .03 .63*** .22* .57*** NA NA N/A NA 1.0
Note. CC ¼ convention on cybercrime; GDP ¼ gross domestic product.
* p < .05. ** p < .01. *** p < .001

effect. Considering the small sample size relative to the total number of predictors for regression,
the four dummies were converted into a single dichotomous variable to cut back on the number of
predictors. The binary measure (d_Participant) represents whether a nation has participated in the
Convention on Cybercrime (regardless of signing/ratifying it or not). Participating nations appear
to send more spam (r ¼ .53, p < .001) and have more phishing TLDs associated with them (r ¼ .56,
p < .001).

Multivariate Predictors of Spam Rate

Table 2 displays the negative binomial regression model used to predict spam rates. The likelihood
ratio test suggests that at least one coefficient in the model is significantly different from zero, w2 ¼
152.14, p < .001. Internet users per capita is significant, suggesting a 1 SD unit increase in Internet
users increases the expected count of spam sent by 1.86 (p < .05), holding all else constant. It may be
that more Internet users represent bigger botnets from which to send spam.
Unemployment is no longer related to spam after controlling for spurious factors. However, the
interaction between Internet users and unemployment is significant (p < .001). The effect of Internet
users on spam is conditional on a nation’s unemployment rate. The interaction suggests that the rela-
tionship between Internet users and spam is strongest in countries with high unemployment. It may
be that unemployment motivates offenders to commit crime, but it could also mean that the unem-
ployed spend more time online (and are more likely to be victims).
Nations with higher GDP per capita are also associated with more spam. A 1 SD unit increase in
GDP per capita predicts a 1.9 increase in the expected count of spam sent (p < .05), controlling for
other predictors. Wealthier nations send more spam, even when Internet users per capita are held
constant. Population size and whether a nation participated in the Convention on Cybercrime
(d_Participant) are not significant. The Convention on Cybercrime variable was biased in favor
of European countries and is not significant with the continent of Europe included as a dummy vari-
able. Without the continent dummy indicators, d_Participant was actually significant (not shown in
table). It was therefore fortunate to have controlled for continent.
However, the only continent that is significantly related to spam is North America. North Amer-
ica is associated with more spam, relative to the reference category, which is Africa. North America
is likely significant because the spam bait addresses were all collected on English-speaking websites
and received within the United States of America. Of all cases, America received the most spam.

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

480 Social Science Computer Review 30(4)

Table 2. Negative Binomial Regression of Spam Messages Sent Per Capita (n ¼ 132)

Variable Unstandardized Standardized SE

Internet users per capita .622* 1.862 .254

Unemployment .088 .916 .148
Internet  Unemployment .487*** 1.628 .139
GDP per capita .435* 1.899 .182
d_Participant .316 1.169 .346
Population .103 1.195 .075
Continent
Europe .694 1.38 .556
Asia .446 1.195 .449
Latin America .664 1.25 .459
Middle East .28 1.087 .505
North America 2.943** 1.435 .999
Oceania .165 .966 .707
Intercept 16.905*** 2.209
Model diagnostics
Log likelihood 789.59
Likelihood ratio test 152.14***
McFadden’s R2 8.79%
Note. GDP ¼ gross domestic product.
*p < .05. **p < .01. ***p < .001.

The regression model was rerun once with the U.S. case removed (not shown in table), and the
significance and coefficient signs were all the same as with the United States included. Interestingly,
even North America is still significant with the United States removed.

Multivariate Predictors of Phishing TLDs Per Capita

Table 3 displays the negative binomial regression model used to predict phishing TLD rates. The
likelihood ratio test suggests that at least one coefficient in the model is significantly different from
zero, w2 ¼ 141.36, p < .001. Internet users per capita is not a significant predictor of phishing TLDs
once entered into the model. Phishing TLDs may be related to web hosting servers, which might not
be influenced by the number of Internet users.
Unemployment is now positively associated with phishing attacks, whereas before with bivariate
correlation the relationship was negative. A 1 SD unit increase in unemployment predicts a 1.63
increase in the expected count of phishing TLDs (p < .01). The reversing of the sign for unemploy-
ment suggests a suppression effect. It was determined in other regression models (not shown) that
adding either Internet users per capita or GDP per capita reverses the sign of unemployment. For
example, when two nations are equal in terms of wealth or Internet access, the nation having higher
unemployment will actually have more phishing TLDs associated with it.
The interaction between Internet users and unemployment is not significant, however, in contrast
with the spam model in Table 2. GDP per capita is related such that a 1 SD unit increase in GDP per
capita predicts a 2.78 increase in the expected count of phishing TLDs associated with that country,
controlling for all else in the model (p < .001). Whether a nation participated in the Convention on
Cybercrime (d_Participant) is not related to phishing. Interestingly, population size is now signifi-
cant (whereas it was not in the correlation table), but still inversely related to phishing.
More of the continents are significant predictors of phishing than they are for spam. Most are
shown to have more phishing TLDs associated with them relative to Africa. Europe, Asia, Latin

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

Kigerl 481

Table 3. Negative Binomial Regression of Unique Phishing TLDs by Country Per Capita (n ¼ 132)

Variable Unstandardized Standardized SE

Internet users per capita .091 1.095 .264

Unemployment .489** 1.63 .153
Internet  Unemployment .049 1.051 .135
GDP per capita .693*** 2.782 .168
d_Participant .553 1.314 .373
Population .267*** .629 .075
Continent
Europe 1.992*** 2.522 .523
Asia 1.933*** 2.164 .414
Latin America 1.353** 1.576 .421
Middle East .227 .934 .503
North America .703 1.09 .963
Oceania 4.89*** 2.78 .667
Intercept 16.201*** 2.044
Model diagnostics
Log likelihood 562.27
Likelihood ratio test 141.36***
McFadden’s R2 11.17%
Note. GDP ¼ gross domestic product; TLD ¼ top-level domain.
**p < .01. ***p < .001.

America, and Oceania have significantly more phishing TLDs associated with them than Africa.
North America and the Middle East are not shown to be associated with more phishing TLDs rela-
tive to Africa.

Discussion
This research has attempted to measure the three conditions of RAT (offender, target, and guardian)
at the national level and how that might relate to certain cybercrime variables. Suitable targets were
intended to be captured by Internet users per capita, hopefully relating to the number of computers
from which to send spam or host servers. Motivated offenders were intended to be measured by high
rates of unemployment, as lack of employment may be a motivator to commit crime. Finally, par-
ticipation in the Convention on Cybercrime was hoped to measure law enforcement or capable
guardians.
The three research questions relate to these three variables: (a) Does the number of Internet users
relate to cybercrime? (b) Does high unemployment relate to cybercrime? and (c) Does anticyber-
crime legislation relate to cybercrime? It was hypothesized that the variables of the first two ques-
tions are positively associated with spam. This research has found some support for the first two
questions, but not the third.

Predictors of Spam Rates

The percentage of the population that are Internet users was positively associated with spam, as pre-
dicted. The number of Internet users ought to relate to the number of Internet-ready computers avail-
able in a given nation. The number of these computers can possibly translate into the number of
potential hosts for malware, such as botnets that send spam. The Internet users themselves can also
be targets of cybercriminals, as they are often needed to click malicious links or buy fraudulent

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

482 Social Science Computer Review 30(4)

spamvertised goods. Internet users can also mean more motivated offenders as well, as it seem
necessary that spammers use the Internet.
Unemployment was not significantly related to spam activity alone. However, the interaction
involving unemployment and Internet users on spam was significant. It seems the effect of Internet
users on spam-sending activity is stronger in countries with high unemployment. One interpretation
of this is that nations with many Internet users with IT backgrounds but few IT jobs to seek
employment with could be more motivated to make money from illegal means, such as sending
spam. That is, if it can be assumed that unemployment rates affect those with IT jobs. As unem-
ployment tends to relate to street crime, especially property crime (Raphael & Winter-Ebmer,
2001), it could also have similar effects on cybercrime. However, this would suggest that the
measure of spam used actually represents where spammers physically reside, rather than where
spambots are located or what IP addresses spammers choose when falsifying headers. It cannot
be certain the relationship between where spam is sent from and where spammers live. Another
explanation is that unemployed Internet users have more time to spend online, and therefore are
more likely to be exposed to cybersecurity threats.
Although only a control variable, GDP per capita was positively associated with spam. That is,
wealthier nations send more spam. Wealthier nations probably have better technology and more
Internet-ready computers (regardless of the number of Internet users). It is also known that individ-
uals with higher socioeconomic status perceive there to be fewer risks online and subsequently spend
more time using the Internet and making online purchases (Reisig, Pratt, & Holtfreter, 2009). More
time online means a heightened probability of being the recipient of a malware threat. GDP could
potentially be a measure of suitable targets.

Predictors of Phishing TLD Rates

Contrary to the first question, Internet users per capita did not relate to whether phishing servers use
that nation’s country code as a TLD. This may suggest that Internet-ready computers do not relate to
phishing server domain registrations because the servers themselves may not be just any Internet
user’s computer, as is the case for spambots. Instead, phishing servers may relate to the quantity
of website hosting services, something of which this research did not control for. It could also be
that phishing TLDs are in no way related to where a phishing server is located.
The interaction involving unemployment was not significant, but employment itself was.
Employment was positively associated with phishing TLDs. Additionally, employment was inver-
sely related to phishing without controls, but adding either Internet users or GDP reversed the sign of
the relationship. This has similar implications as the significant interaction found for spam rates as
the outcome. Higher unemployment means more phishing TLDs associated with the highly unem-
ployed country, when either GDP or Internet users is controlled for.
Interestingly, population size was inversely related to phishing TLDs in the regression model,
whereas it was not significantly related when just zero-order correlations were conducted (p ¼ .07).
It is unclear why this may be.

Limitations
The two outcome measures have some limitations. Both are not measures that can confidently be
assumed to represent cybercriminal country of origin. Ideally, these measures would represent the
cybercriminal’s location, but the next best thing would be the cyberattack location. There is a chance
that much of the spam data represent cyberattack location or where spambots, botnets, or servers
used to send spam are located. However, the IP addresses assumed to be the location from which
spam is sent can be spoofed, but it is not certain how much is falsified in this way.

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

Kigerl 483

The phishing TLD variable is also not clearly a representation of where a cybercriminal resides or
where a phishing server is located. Some countries require citizenship status in order to register one
of their nation’s TLDs. However, other nations do not require this. These differences may have
affected the findings.
Unemployment may not have been a valid measure of unemployment for those with IT skills.
There is some evidence to link unemployment of those with IT skills to cybercrime, such as unem-
ployed hackers surveyed at hacking conventions having carried out more computer intrusions
(Bachmann, 2010) and former company IT insiders hacking their former employers after being
fired (Schell & Melnychuk, 2011). However, it is not known whether unemployment rates affect
all professions equally, whether with IT backgrounds or not.
It is also possible that many of those who send spam and conduct phishing attacks do not have
formal training in computer science or other related IT skills. One sample of software crackers found
that most did not in fact have these backgrounds in their employment (Goode & Cruise, 2006). Much
of the crimeware available today also reduces the skill required to conduct cyberattacks, and there
are many user-friendly crimeware applications that can be set up with little skill (Stevens, 2010;
Trend Micro, 2010).
Finally, there is some selection bias in which countries were used. Listwise deletion removed all
nations with any missing data points. This likely, systematically, excluded countries that have less
data on them for whatever reasons. Less well-known countries that may be poorer, less technolo-
gically advanced, or have other differences, may have less data on them. Many nations low in
cybercrime activity might have been excluded.

Suggestions for Future Research

Probably, the variable used in this research which has the most room for improvement would be the
measure of anticybercrime legislation. It seems pretty clear that the measure is biased in favor of
European countries and possibly is one of the reasons the predictor was not significant. Future
research should opt for a better measure, such as the length of existing laws on cybercrime per coun-
try or the number of convictions of cybercrime offenders. The number of convictions would likely
be the better measure of legal capable guardians.
Additional variables should also be considered, such as the number of Internet-ready computers
or the number of individuals with IT-related degrees, both of which may be spuriously related to
Internet users per capita. Internet-ready computers could be a better measure of suitable targets than
Internet users, because spambots require infected machines more than they require users willing to
click malicious links. The number of IT jobs per capita would also be a better measure of motivated
offenders than the rate of unemployment.
For phishing TLDs, a second dichotomous variable representing whether the nation has citizen-
ship requirements for registering their TLD would be useful. Excluding countries that do not have
this requirement could also be an option. Of course, other measures of phishing could also be used,
such as phishing server location. Future research might also want to create a crowding measure, such
as population size per square kilometer, to perhaps help identify why population size is inversely
related to phishing TLD rates.

Conclusion
In some circumstances, high unemployment may actually increase cybercrime activity within a
given nation. If unemployment has any causal impact on cybercrime rates, maybe due to unem-
ployed IT professionals, then the solution seems obvious but highly difficult to implement. That
is, create more IT jobs. That is, however, easier said than done.

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

484 Social Science Computer Review 30(4)

If the number of Internet users per capita is associated with more spam being sent from within that
country, then perhaps better protective technology is required. Spambots require Internet capable
machines, so better immunization of each machine from infection might yield a better outcome.
However, it does not take research to motivate the creation of IT security tools. Such development
is occurring at its own, quite rapid, pace.

Declaration of Conflicting Interests

The author declared no potential conflicts of interest with respect to the research, authorship, and/or
publication of this article.

Funding
The author received no financial support for the research, authorship, and/or publication of this article.

References
Adams, P. (1998, March). Network topologies and virtual place. Annals of the Association of American
Geographers, 88, 88-106.
Akers, R. L., & Sellers, C. S. (2004). Criminological theories: Introduction, evaluation, and application (4th
ed., p. 33)Los Angeles, CA: Roxbury.
Alganandam, H., Mittal, P., Singh, A. & Fleizach, C. (2005). Cybercriminal activity. Retrieved September
11, 2011 from http://www.cs.washington.edu/education/courses/csep590/05au/whitepaper_turnin/White
Team-CyberCrime.pdf
Bachmann, M. (2010). The risk propensity and rationality of computer hackers. International Journal of Cyber
Criminology, 4, 643-656.
Balkin, J. M., Grimmelmann, J., Kozlovski, N., Wagman, S., & Zarsky, T. (2007). Cybercrime: Digital cops in
a networked environment. New York: New York University Press.
Barham, J. (2008). International—Cybercrime in Russia, countries share counter-terrorism information, and
illegal drugs travel through new markets. Security Management, 52, 36-41.
Bookman, E. (2010, October 6). EMEA spam growth, APAC infections, in global 1H 2010 threat report.
Global Threat Report: First half Trends. Retrieved November 12, 2010 from http://blog.trendmicro
.com/emea-spam-growth-apac-infections-in-global-1h-2010-threat-report/
Bossler, A. M., & Holt, T. J. (2007, November 14). Examining the utility of routine activities theory for cyber-
crime. Paper presented at the annual meeting of the American Society of Criminology, Atlanta Marriott
Marquis, Atlanta, GA.
Brody, R. G., Mulig, E., & Kimball, V. (2007). Phishing, pharming and identity theft. Academy of Accounting
and Financial Studies Journal, 11, 43-56.
Bureau of Intelligence and Research. (2009, July 29). Independent states in the world. U.S. Department of State.
Retrieved November 13, 2010, from http://www.state.gov/s/inr/rls/4250.htm
Capeller, W. (2001). Not such a neat net: Some comments on virtual criminality. Social Legal Studies, 10,
229-242.
Choi, K. S. (2008). Computer crime victimization and integrated theory: An empirical assessment. Interna-
tional Journal of Cyber Criminology, 2, 308-333.
Cohen, L. E., & Felson, M. (1979). Social change and crime rate trends: A routine activity approach. American
Sociological Review, 44, 588-608.
Convention on Cybercrime. 23.XI.2001 (2001). Council of Europe: European Treaty Series, 185.
Convention on Cybercrime. (2010, February 6). Council of Europe. Retrieved November 18, 2010, from http://
conventions.coe.int/Treaty/Commun/ChercheSig.asp? NT¼185&CM¼8&DF¼02/06/2010&CL¼ENG.
Dodge, M., & Kitchin, R. (2001). Geographies of cyberspace. In Mapping cyberspace. London, England:
Routledge.

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

Kigerl 485

Dyrud, M. (2005). I brought you a good news: An analysis of Nigerian 419 letters. Proceedings of the 2005
Association for Business Communication Annual Convention. Retrieved September 14, 2009, from
http://www.businesscommunication.org/conventions/Proceedings/2005/PDFs/07ABC05.pdf
Eccles, L. (2001, August 6). International treaty battles cybercrime. Electronic Design, 49(16), 34-35.
Felson, M., & Clarke, R. V. (1998). Opportunity makes the thief: Practical theory for crime prevention. Policing
and Reducing Crime Unit: Research, Development and Statistics Directorate, 98, 1-36.
Fossi, M., Turner, D., Johnson, E., Mack, T., Adams, T., Blackbird, J., Entwisle, S., Graveland, B., McKinney,
D., Mulcahy, J. & Wueest, C. (April, 2010). Symantec global internet security threat report. Symantec, 15,
19-22.
Frome, E. L. (1983, September). The analysis of rates using Poisson regression models. Biometrics, 39, 665-674.
Gardner, W., Mulvey, E. P., & Shaw, E. C. (1995). Regression analyses of counts and rates: Poisson, overdis-
persed Poisson, and negative binomial models. Quantitative Methods in Psychology, 118, 392-404.
Goode, S., & Cruise, S. (2006). What motivates software crackers? Journal of Business Ethics, 65, 173-201.
Greenberg, A. (2007, July 16). The top countries for cybercrime: China takes over the U.S. in hosting web pages
that install malicious programs. MSNBC. Retrieved September 16, 2010, from http://www.msnbc.msn.com/
id/19789995/
Holt, T. J., & Bossler, A. M. (2009). Examining the applicability of lifestyle-routine activities theory for cyber-
crime victimization. Deviant Behavior, 30, 1-25.
Holtfreter, K., Reisig, M. D., & Pratt, T. C. (2008). Low self-control, routine activities, and fraud victimization.
Criminology, 46, 189-220.
Hutchings, A., & Hayes, H. (2009). Routine activity theory and phishing victimization: Who got caught in the
‘net’? Current Issues in Criminal Justice, 20, 432-451.
IBM X-Force. (2010, August). Mid-year trend and risk report, 86-104.
Kigerl, A. C. (2009). CAN SPAM Act: An empirical analysis. International Journal of Cyber Criminology, 3,
566-589.
Lawless, J. F. (1987). Negative binomial and mixed Poisson regression. The Canadian Journal of Statistics, 15,
209-225.
London Action Plan on Spam. (2004, October 12). Office of fair trading. Retrieved November 18, 2010, from
http://www.oft.gov.uk/news-and-updates/press/2004/168-04
Long, S. J. (1997). Count outcomes: Regression models for counts. Regression Models for Categorical and
Limited Dependent Variables. Thousand Oaks, California: Sage.
Moustakas, E., Ranganathan, C., & Duquenoy, P. (2005). Combating spam through legislation: A comparative
analysis of US and European approaches. Proceedings of Second Conference on Email and Anti-Spam,
CEAS.
Pease, K. (2001). Crime futures and foresight: Challenging criminal behaviour in the information age. In
D. Wall (Ed.), Crime and the internet. London, England: Routledge.
Pratt, T. C., Holtfreter, K., & Reisig, M. D. (2010). Routine online activity and internet fraud targeting: Extend-
ing the generality of routine activity theory. Journal of Research in Crime and Delinquency, 47, 267-296.
Project Honey Pot Statistics. (2010, November 4). Project honey pot. Retrieved November 5, 2010, from http://
www.projecthoneypot.org/statistics.php
Raphael, S., & Winter-Ebmer, R. (2001, April). Identifying the effect of unemployment on crime. Journal of
Law and Economics, 44, 259-283.
Rasmussen, R., Aaron, G., & Aaron, R. (2010, October 18). Global phishing survey: Trends and domain name
use in 1H2010. Lexington, Massachusetts: Anti-Phishing Working Group.
Reisig, M. D., Pratt, T. C., & Holtfreter, K. (2009, January 6). Perceived risk of internet theft victimization:
Examining the effects of social vulnerability and financial impulsivity. Criminal Justice and Behavior,
36, 369-384.
Rosenberg, M. (2010, June 14). The number of countries in the world. About.com. Retrieved November 13,
2010, from http://geography.about.com/cs/countries/a/numbercountries.htm

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

486 Social Science Computer Review 30(4)

Schell, B. H. & Melnychuk, J. (2011). Chapter 8: Female and male hacker conferences attendees: Their autism-
spectrum quotient (AQ) scores and self-reported adulthood experiences. Corporate Hacking and Technol-
ogy-Driven Crime: Social Dynamics and Implications. IGI Global, 144-169.
Schiller, C. A., Binkley, J., Harley, D., Evron, G., Bradley, T., Willems, C. & Cross, M. (2007). Botnets: The
killer web app. Rockland, Massachusetts: Syngress Publishing.
Schreck, C. J., & Fisher, B. S. (2004). Specifying the influence of family and peers on violent victimization:
Extending routine activities and lifestyles theories. Journal of Interpersonal Violence, 19, 1021-1041.
Schreck, C. J., Stewart, E. A., & Fisher, B. S. (2006). Self-control, victimization, and their influence on risky
lifestyles: A longitudinal analysis using panel data. Journal of Quantitative Criminology, 22, 319-340.
Security threat report (2010). Sophos, 11-16.
Snyder, F. (2001). Sites of criminality and sites of governance. Social & Legal Studies, 10, 251-256.
Stevens, K. (2010, October). The SpyEye interface. Retrieved February 6, 2011, from http://blog.trendmicro.
com/the-spyeye-interface-part-1-cn-1/
Trend Micro (2010, March). ZeuS: A persistent criminal enterprise. Retrieved February 6, 2011 from http://
us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise
.pdf
Yar, M. (2005). The novelty of ‘cybercrime’: An assessment in light of routine activity theory. European
Journal of Criminology, 2, 407-427.

Bio
Alex Kigerl is a PhD student in Criminal Justice at Washington State University. His research interests are in
cyberculture and cybercrime, with a focus on spam. He heads AlexKigerl.com (http://www.alexkigerl.com/)
and may be contacted at alex@alexkigerl.com.

Downloaded from ssc.sagepub.com at WASHINGTON STATE UNIVERSITY on July 6, 2013

View publication stats