What We Do in the Shadows: How does Experiencing Cybercrime Affect Response Actions; Protective Practices?

Despite the increasing prevalence of cybercrimes, there is limited understanding of the response strategies and protective (privacy, security) practices of individuals who have experienced at least one attempted or successful cybercrime incident. To address this gap, we conduct an online survey across an N=605 sample from the UK, eliciting firsthand accounts of cybercrime experiences, actions taken in response to such incidents, as well as their level of engagement with security and privacy (SP) methods and technologies. We identify the occurrence of 8 distinct types of cybercrime and 9 corresponding response strategies amongst 319 cybercrime reports, encompassing IT and protective themes. We depict the association between the experience of cybercrime and the utilisation of response strategies through visual representation. In parallel with IT-related or protective SP theme response strategies, we find that the type of cybercrime experienced (e.g., malware) and the frequency of experiences (e.g., multiple cybercrimes or repeated experiences of the same cybercrime type) influence the engagement with SP technologies. This paper provides empirical insights into experiences of different types of cybercrimes, including their multiple occurrences, and (protective) actions. We also provide recommendations for research and practical implementation, emphasising the importance of addressing the specific needs of individuals who have experienced multiple or repeat cybercrimes. Our paper suggests the adoption of a de-responsibiling cyber-strategy that complements individual guardianship — while promoting infrastructure that caters to the diverse range of users.