Using Situational Crime Prevention (SCP)-C³ cycle and common inventory of cybersecurity controls from ISO/IEC 27002:2022 to prevent cybercrimes

Abstract

Situational Crime Prevention (SCP) is a well-documented crime prevention approach that reduces criminal opportunities for a range of different crimes. However, SCP adoption in combating cybercrimes is currently limited. Current cybersecurity controls are not mapped to crime prevention techniques, and consequently, it is hard to gauge if existing controls are actually effective in reducing crime opportunities. The dynamic environments and complex nature of cybercrimes—spanning from human-centric cyber-enabled crimes to highly technical cyber-focused crimes—exacerbate the inability to apply or measure cybersecurity controls for crime prevention effectiveness. Using best practices from the globally adopted ISO/IEC 27002:2022 standard, our paper aligns industry best-practice cybersecurity controls with the five SCP strategies and 25 techniques. We conduct a comprehensive review of 1788 peer-reviewed academic articles across computer science, criminal justice, and criminology literature using the PRISMA method. We elucidate how our common inventory of SCP-based cybersecurity controls is developed and the rationale behind the mapping of ISO/IEC controls to SCP classification. We propose our SCP-C³ (Concentrate, Comprehend, and Consider) cycle as an instrument to facilitate multi-disciplinary research in cybercrime prevention and illustrate conceptually how our SCP-C³ cycle and common inventory can be applied at intervention points in cybercrime modelling techniques in a multi-disciplinary environment.

Introduction

The Digital 2023 Global Overview Report [1] indicates that internet users have grown by 98 million over the past year, and the number of global internet users stands at 5.16 billion at the start of 2023. Cybercriminal opportunities have also grown, with the Federal Bureau of Investigation’s (FBI’s) Internet Crime Complaint Center [2] noting that cybercrime complaints have grown from almost 50 000 in 2001 to nearly 850 000 in 2021 [2, 3].

Situational Crime Prevention (SCP) is a criminological approach that seeks to prevent crimes by reducing opportunities for crimes [4]. There are 25 techniques in SCP [5], which are grouped into five main strategies, with routine activities theory [6] ‘Crime Triangle’ [7] providing a conceptual way to consider operationalization of the 25 SCP techniques. SCP has been effective in combating crimes such as robberies and vehicle crimes [8], wildlife crimes [9–12], and terrorism [13–15]. Recent research demonstrates the potential of using SCP to prevent a diverse range of cybercrimes [16]. Despite SCP’s potential and success in preventing a range of crimes, at the time of writing, SCP’s application in cybercrime prevention is rare ([16], see [17, 18] as exceptions). Cybercrimes generally comprise cyber-enabled, such as cyberbullying and cyberstalking, and cyber-focused crimes [16], such as hacking and Distributed Denial of Service (DDoS). Effective cybercrime prevention requires a multi-disciplinary understanding of human and technical elements in criminology, cybersecurity, and computer science [16, 18–20].

One way to aid a multi-disciplinary approach to cybercrime prevention is to build a common inventory of cybersecurity controls that is mapped to the 25 SCP techniques [16]. This common inventory can accommodate cybersecurity controls from a variety of industry and government cybersecurity standards and guidelines such as the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) 27002 controls [21], National Institute of Standards and Technology (NIST) Cybersecurity Framework [22], ISACA Control Objectives for Information Technology (COBIT) [23], and the Australian Cyber Security Centre (ACSC) Essential Eight [24]. With this inventory, both criminologists and cybersecurity professionals or researchers can leverage on each other’s expertise and choose the appropriate cybersecurity controls (that are already mapped to the appropriate SCP techniques) and apply them when modelling their cybercrimes.

The research question in this study is how to create a common inventory of cybersecurity controls from cybersecurity standards that is mapped to the 25 SCP techniques. Our study provides a structured approach that maps the cybersecurity controls listed in the ISO/IEC 27002:2022 into the SCP techniques. ISO/IEC 27002 details the security controls mentioned in ISO/IEC 27001. The ISO/IEC 27001 standard is one of the most widely adopted information systems management systems (ISMS) by most organizations around the world [25]. An ISMS seeks to maintain the confidentiality, integrity, and availability of information through a risk management process and gives confidence to organizations that their risks are managed appropriately [26]. We seek to explore how to improve multi-disciplinary collaboration between criminologists and cybersecurity researchers through our SCP-C³ (Concentrate, Comprehend, and Consider) cycle and common inventory.

Our study is structured into nine main sections. The section ‘Introduction’ introduces the background, motivations, purpose, and structure of this study. In the section ‘Literature review’, we review the extant research on SCP and ISO/IEC 27001 ISMS. In the section ‘Methodology’, we describe the methodology used to search existing literature to understand how SCP techniques are applied to cybercrimes and present the results of the literature in the section ‘Results’. In the section ‘Development of common inventory’, we discuss the development of the common inventory. In the section ‘SCP-C³ cycle and common inventory’, we propose the SCP-C³ cycle to facilitate multi-disciplinary research in SCP to prevent cybercrimes. We highlight the limitations of this study and future research in the section ‘Limitations and future works’ and provide a summary of our study in the final concluding section.

Literature review

Situational Crime Prevention

Table 1 shows the 25 SCP techniques, which are distributed equally under five key strategies [5]. Clarke [4] highlighted that the SCP theoretical background originates from three environmental criminological theories, namely (i) Routine Activities Theory, which forms the basis for the Crime Triangle [6]; (ii) crime pattern theory [27]; and (iii) the rational choice perspective [28, 29]. These three theoretical perspectives complement one another because they operate at different levels of crime aggregation. Routine Activities Theory (RAT) operates at the macro-level and deals with crime opportunities at the broad societal change level. Crime pattern theory discusses how offenders discover crime opportunities in their daily lives and focuses on cities or neighbourhoods at the meso-level. Finally, the rational choice perspective operates at the micro-level and deals with individual decisions that rational offenders make when committing crimes. SCP uses these theories to understand situational precipitators [30] that can stimulate crimes [31]. The three environmental criminological theories—RAT, crime pattern, and rational choice—are applicable to the cyberspace environment, where offenders converge to rationally seek criminal opportunities in cyberplaces [32, 33].

Willison [34] first looked into how SCP can be applied to prevent information security breaches in organizations. Subsequent research [35, 36] explored how the rational choice perspective and SCP can be applied to the information security domain to understand and overcome the perpetration of employee computer crime in organizations. Beebe and Rao [37] also examined the appropriateness of using SCP to address computer crime and subsequently proposed that the combination of the meso-level application of SCP and the risk management process can reduce information security risks [38]. Other researchers expanded the use of SCP on other IT areas such as insider threat and hacking [39–42], cloud security [43], campus employee computer misuse [44], cybercrime science [45], blockchain security [46], public Wi-Fi protection [47], cyberstalking [48], risk avoidance behaviour on darknet market places [19] and automotive cybersecurity [49]. There were also researchers [35, 37, 50–52] who proposed cybersecurity controls for the SCP techniques. However, their classification of cybersecurity controls is limited, not well explained, and focused heavily on technical controls—hindering the development of a well-accepted inventory of cybersecurity controls for SCP [16].

ISO/IEC 27001 ISMS

There are many cybersecurity standards and frameworks that organizations could adopt to improve their cybersecurity postures such as the NIST Cybersecurity Framework [22], ISACA COBIT [23], and the ISO/IEC 27001. These standards are usually developed by authoritative third-party entities and organizations adopt these standards because the standards help to secure the organizations’ cybersecurity assets in a recognized manner [53, 54]. This is especially true in a globally connected world such as the global outsourcing markets, where cybersecurity solutions are not standardized due to different regulations, legislations, and risks across different industries and geographies [55].

In this study, we selected cybersecurity controls from ISO/IEC 27002:2022 for mapping to the SCP techniques. ISO/IEC 27002:2022 is aligned to cybersecurity controls listed in ISO/IEC 27001:2022 ISMS. The ISO/IEC 27001 ISMS is widely adopted globally by many organizations. The newest version of ISO/IEC 27001:2022 ISMS was published in 2022 and is mainly about editorial updates, a new clause on planning for changes, and alignment with the 27002:2022 list of cybersecurity controls [56]. The ISO/IEC 27001:2022 requirement document provides organizations with the requirements to establish, implement, maintain, and continually improve an ISMS [26]. ISO/IEC 27002:2022 details the security controls mentioned in ISO/IEC 27001:2022. ISO/IEC 27001 is ISO’s fourth largest-adopted standard certification [57]. The number of organizations that have obtained the ISO/IEC 27001 certifications has steadily increased over the years [58]. For example, the ISO 2020 Survey registered a total of 44 499 valid ISO/IEC 27001 certifications [57], which is an increase of 22% over the ISO 2019 Survey. Organizations typically seek certification to the ISO/IEC 27001 standard to assure their stakeholders that they have complied with the standard.

The ISO/IEC 27001 standard is also popularly referred to as a cybersecurity standard in research. Ramalingam et al. [59] selected the ISO/IEC 27001 standard when they proposed a novel approach to measuring effectiveness and efficiency of information technology governance, risk management, and compliance (IT-GRC) controls using the Decision Making Trial and Evaluation Laboratory (DEMATEL). Antunes et al. [60] also used data from an ISO/IEC 27001 auditing project when developing a customisable web platform cybersecurity auditing information system. Theoharidou et al. [61] compared several criminological theories, including SCP and noted that a medium relationship between SCP and ISO/IEC 17799. ISO/IEC 17999:2005 was the predecessor of ISO/IEC 27002:2005 [53, 62]. Therefore, given the wide use and popularity of ISO/IEC 27001 in research, our study aims to classify the widely adopted cybersecurity controls in ISO/IEC 27002:2022 into the 25 SCP techniques to develop a common inventory for cybercrime prevention.

Methodology

This section presents our structured approach to classifying the cybersecurity controls in ISO/IEC 27002 to SCP techniques. Our overall approach was to search prevailing literature for examples of how SCP is presently used for cybercrime prevention, using appropriate SCP keywords. The purpose of this systematic review is to understand how cybersecurity controls can be related to SCP so that during the subsequent classification process, we can map the ISO/IEC 27002 cybersecurity controls appropriately to the correct SCP strategies and techniques. Figure 1 shows the flowchart of our approach, which consists of four key steps. Our search methodology followed the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) 2020 flow diagram [63]. PRISMA aims to assist authors in improving the quality of reporting of systematic reviews and meta-analyses [64]. We used this method to ensure that the searches followed a robust framework with clear methods of how searches were conducted, as well as to ensure that the results are reproducible. The search results were then identified, screened, assessed for eligibility, and finally included for analysis using the PRISMA 2020 flow diagram, which is available in Appendix  A.

We began our first step in Fig. 1 by choosing the appropriate research databases to perform the PRISMA review. We selected three research databases, namely the ACM Digital Library, IEEE Xplore, and Criminal Justice Abstracts EBSCO (CJA) because they are acknowledged and known for quality publications in computer science, cybersecurity, and criminology. Many of the publications in these databases are highlighted in the 2022 Journal Citation Reports [65] and ranked by the Computing Research and Education Association of Australasia (CORE) [66]. We completed this PRISMA review in February 2023.

Our second step identified the appropriate keywords to search for in the research databases. We broke down the SCP techniques into suitable keywords for searching. The SCP techniques in Table 1 generally followed a verb and noun structure. For example, SCP technique ‘#1 Harden targets’ comprised the words ‘harden’, which is a verb, and ‘targets’, which is a noun. Our keyword searches were made of a combination of (i) ‘Verb Noun’, and (ii) ‘Cyber’ AND ‘Noun’, where AND is an operator. The former keyword explicitly spelled out the actual SCP techniques, while the latter searched for cyber-related SCP articles. Hence, for the SCP technique ‘#1 Harden targets’, we searched for the keywords (i) ‘harden targets’ and (ii) ‘cyber’ AND ‘targets’. There were instances where the search resulted in few or no articles. In such scenarios, we supplemented the search with keywords that were more general: (iii) ‘Verb’ AND ‘Noun’ and (iv) ‘Noun’ itself. However, such general keywords can result in hundreds or thousands of articles. For example, the general keyword ‘targets’ resulted in more than 20 000 articles. Hence, we concentrated our reviews on the first two keyword searches, which were more explicit and targeted, and supplemented them with the last two keywords where necessary. Next, in Step 3, detailed in the section ‘Results’, we reviewed the search results of the existing research on the application of SCP techniques in cybercrimes. After which, in Step 4, detailed in the section ‘Development of common inventory’, we classified the ISO/IEC 27002:2022 controls into the 25 SCP techniques. We provide the list of articles returned from our PRISMA search at: https://doi.org/10.48610/71aa67b.

We selected the keyword approaches above of (i) ‘Verb Noun’ because, to the best of our knowledge, there have not been any focused systematic reviews that examine in detail the application of SCP in this manner. As SCP techniques are reflected in its ‘Verb Noun’ structure, the selection of such keywords is fundamental to the focused systematic review of SCP, and the results can provide relevant and appropriate selection of articles that are specifically based on the individual SCP techniques. Our selection of keywords using (ii) ‘Cyber’ AND ‘Noun’ is a general synonym structure where we look for SCP articles that are related to cyber. The choice of ‘Cyber’ as the synonym is because we want to gain insights on how SCP techniques are presently used in cyberspace or cyber-related matters, which will allow us to classify the ISO/IEC 27002:2022 cybersecurity controls more appropriately to the SCP strategies and techniques. There are other possible synonyms that can be used to widen the scope of the review. One way is to use synonyms for each individual SCP technique and strategy, such as synonyms for the keywords ‘harden’ and ‘targets’. However, we did not do so because our current selection of keywords had already resulted in a large set of eligible articles to review (see the section ‘Results’). For a more thorough literature review of each individual SCP strategy and technique, future research could look into selecting keywords that are a permutation of relevant and appropriate synonyms of each individual SCP strategy or technique.

Results

In this section, we present an overview of the search results. Subsequently, we present the search results for each individual SCP strategy and technique. We then discuss the findings from the search results.

Overview of results

We screened 1788 eligible articles following our search methodology. The breakdown of the number of eligible articles for each SCP strategy is shown in Table 2. Following the PRISMA 2020 flow diagram (see Appendix  A), we excluded inapplicable articles such as those that were duplicated, not in English, and did not have any research content, like court transcripts, interviews, and book reviews. We then reviewed the remaining articles.

The objective of our analysis of the eligible articles was to look into how SCP techniques were currently applied in the existing research literature to prevent cybercrimes. We started by analysing articles that were relevant to the application of SCP and its techniques to cybercrimes. We also looked separately at Cornish and Clarke’s [5] original definitions as well as the explanation provided by Smith and Clarke [31] and Eck and Clarke [67] on how to apply SCP to reduce criminal opportunities for crimes. We then combined both to arrive at a suitable interpretation of how SCP techniques can be adapted to be cyber relevant and prevent cybercrimes.

Search results

We present Table 3, which shows the number of eligible and relevant articles for the 25 SCP techniques, grouped under their respective SCP strategies.

SCP strategy ‘S1 Increase the Efforts’ comprises five SCP techniques that increase the efforts needed by criminal offenders by either blocking or limiting their actions or movements [5, 31, 67]. SCP technique ‘#1 Harden Targets’ makes it more difficult for the offender to get to or use the target to achieve their criminal ends. An example would be using a steering wheel lock to make it harder for criminals to steal a vehicle. SCP technique ‘#2 Control Access to Facilities’ aims to block access to places where an offender can carry out their criminal actions, such as having fences and gates. SCP technique ‘#3 Screen Exits’ makes it difficult for offenders to leave a place after they complete their criminal action or when they want to remove their criminal proceeds, such as needing a valid ticket/pass to exit a building. SCP technique ‘#4 Deflect Offenders’ changes offender existing or potential movement patterns, such as having separate bathrooms for different genders. SCP technique ‘#5 Control Tools/Weapons’ limits offender access to or use of instruments that are associated with their modus operandi, such as controlling or banning guns. When reviewing the eligible articles for relevancy, we examined whether the articles discussed the application of SCP to prevent cybercrimes and whether the articles provided insights on how SCP can be used according to the SCP technique description described by Smith and Clarke [31], as discussed in this paragraph. The insights obtained from this review can aid in the subsequent classification of the ISO/IEC 27002:2022 controls to SCP strategies and techniques.

For the SCP technique ‘#1 Harden Targets’, there were 33 eligible articles for review. However, we only identified one relevant article, by Miró-Llinares et al. [68], which discussed using a comparative research design to investigate cyber victims as cybercrime targets using routine activity theory. Their work concluded that cyber victimization should focus on identifying nuances of online users’ daily activities instead of the broader constructs of interactions and visibilities. The remainder of the articles mainly discussed research topics related to moving target defence (MTD) for cyber-physical systems, which is about changing the attack surface areas of a system to limit information gained from reconnaissance (John et al., 2014) and making computer networks less homogeneous, less static, and less deterministic to increase attack complexities (Priest et al., 2015). These articles were not identified as relevant because they did not discuss the application of SCP into cybercrimes or hardening the targets [31].

For the SCP technique ‘#2 Control Access to Facilities’, there were 67 eligible articles for review. We identified only one article as relevant: Zhang et al. [69], who suggested using wireless personal devices such as mobile phones as a two-factor authentication device to control access to facilities. The remaining articles mainly discussed facilities-related topics such as controlling and preventing infections at healthcare facilities and were therefore not relevant because they did not discuss the application of SCP to cybercrimes or were about blocking offender access to facilities [31].

For the SCP technique ‘#3 Screen Exits’, there were 75 eligible articles for review. However, we did not identify any relevant articles. The articles mainly discussed research topics related to Deep Neural Networks and computer programming, algorithms and architecture and were therefore not relevant because they did not discuss the application of SCP into cybercrimes or were about making it difficult for offenders to leave a place with their proceeds after a criminal event [31].

For the SCP technique ‘#4 Deflect Offenders’, there were 61 eligible articles for review. There was one relevant paper by Willison [70] who discussed the feasibility of applying SCP techniques and crime scripts [71] to combat cybercrimes. The remaining articles mainly discussed research topics related to the analysis, identification, detection, and attributes of offenders, such as their profiles, and were therefore not relevant because they neither discussed the application of SCP into cybercrimes nor discussed deflecting or changing offender movement patterns [31].

For the SCP technique ‘#5 Control Tools/Weapons’, there were 415 eligible articles for review. There was one relevant paper by Prunckun [72], who discussed how information and communication technology can be used as cyber weapons and argued that there was a need to legislate cyber weapons in order to control their misuse for criminal purposes. The remaining articles mainly discussed research topics related to conventional weapon systems and cyber-physical systems and were therefore not relevant because they neither discussed the application of SCP into cybercrimes nor discussed limiting offender access to or the use of instruments in committing cybercrimes [31].

For the remaining SCP strategies and associated techniques, see Appendix  B for a more detailed discussion of their purpose and description of their relevant articles.

Analysis of search results

We present an analysis of our search results in Table 4 and Fig. 2.

As Table 4 shows, there are only 53 relevant articles out of 1788 (3.1%) eligible articles that discuss the application of SCP into cybercrimes. Our findings are in line with prevailing research that indicates that SCP is not widely applied in cybercrime prevention [16–18].

Our SCP search methodology used the actual naming of SCP techniques as keywords (such as ‘Harden Targets’). Based on these keywords, the bulk of the articles focused on SCP strategies ‘S5 Remove Excuses’ (24 relevant articles or 45%) and ‘S2 Increase the Risks’ (17 relevant articles or 32%). The former presents techniques that clarify the responsibility of potential offenders in a setting, while the latter focuses on increasing the risks of detection for potential offenders.

SCP strategy ‘S3 Reduce the Rewards’, which focuses on techniques that reduce the rewards of crimes for offenders had the fewest number of relevant articles (2% or 4%). This is followed by SCP strategy ‘S1 Increase the Efforts’ (4% or 8%), which increases the efforts of offenders by either blocking or limiting their actions or movements; and SCP strategy ‘S4 Reduce Provocations’ (6% or 11%), which focuses on limiting provocative situation stimuli.

Development of common inventory

In this section, we seek to develop a common inventory of cybersecurity controls to facilitate multi-disciplinary research in cybercrime prevention using SCP. Cybersecurity and criminology researchers can use the mapped controls when designing appropriate intervention measures for cybercrimes. Our study classifies the 93 controls from ISO/IEC 27002:2022 into the 25 SCP techniques. The 93 controls in ISO/IEC 27002:2022 are divided into four sets of control clauses:

• 37 organizational controls that focus on the cybersecurity posture for organizations.

• 8 people controls, which focus on human resource matters such as employee background checks.

• 14 physical controls that focus on physical security such as physical perimeters.

• 34 technological controls, which focus on using technology to secure information assets.

We classified each ISO/IEC control into the most appropriate SCP technique within a single SCP strategy and did not classify an ISO/IEC control into more than one SCP strategy to prevent duplication.

‘S1 Increase the Efforts’

From our understanding of SCP in the previous sections, we begin by classifying the first SCP strategy ‘S1 Increase the Efforts’ and its associated SCP techniques in Table 5 and briefly explain our reasons for the classification. The column on ‘ISO/IEC Control’ in Table 5 is the title of the ISO/IEC control from the ISO/IEC 27002:2022, and as such, provides a brief description. A more thorough explanation of the ISO/IEC controls such as the controls’ description and purpose, and a more thorough explanation on the rationale of our classification are presented in Appendix  C.

SCP strategy ‘S1 Increase the Efforts’ increases the efforts needed by offenders (such as cybercriminals and malware) and makes it more difficult for them to commit criminal actions by blocking or limiting offender actions or movements [31]. With this in mind, we classify a total of 46 ISO/IEC controls in Table 5 for this SCP strategy. We explain more about SCP vocabularies in the cyberspace context, such as malware as offenders, in the subsequent section ‘SCP-C³ cycle and common inventory’.

The SCP technique ‘#1 Harden Targets’ aims to make it more difficult for offenders (such as cybercriminals and malware) to get to or use the target (such as computing devices and virtual artefacts like data) to achieve their cybercriminal purposes (such as hacking and ransomware). Therefore, the ISO/IEC controls such as mandating information security in project management (ISO/IEC 27002 Clause 5.08; for brevity, we will use the ‘ISO/IEC number’ notation to depict ISO/IEC 27002 clauses), supplier agreements and relationships (ISO/IEC 5.19, 5.20), ICT supply chain (ISO/IEC 5.21), and cloud security (ISO/IEC 5.23) harden these targets and make it difficult for cybercriminals to achieve their purposes. Likewise, protective actions such as securing records (ISO/IEC 5.33), offices (ISO/IEC 7.3), secure areas (ISO/IEC 7.6), equipment (ISO/IEC 7.8), and storage media (ISO/IEC 7.10) also harden these targets and make it difficult for cybercriminals to get to these targets.

The SCP technique ‘#2 Control Access to Facilities’ aims to block physical places (such as data centres) and virtual places (such as applications and websites) from cybercriminals. Hence, we classified controls such as securing access controls (ISO/IEC 5.15), access rights (ISO/IEC 5.18), privileged access rights (ISO/IEC 8.02), networks (ISO/IEC 8.20), network services (ISO/IEC 8.21), physical perimeters (ISO/IEC 7.01), and physical entry (ISO/IEC 7.02) under this SCP technique.

The SCP technique ‘#3 Screen Exits’ aims to make it difficult for offenders to leave a place after a criminal action with their criminal proceeds (such as data). Hence, the control on preventing data leakages (ISO/IEC 8.12) from an organization is suited to be classified under this SCP technique. The ISO/IEC 7.01 control on physical security perimeters is about defining security perimeters to prevent unauthorized access rather than making it difficult for offenders to leave a place and hence is more suited to be classified under the previous SCP technique ‘#2 Control Access to Facilities’. The SCP technique ‘#4 Deflect Offenders’ changes the movement patterns of offenders. Therefore, we can classify the controls that segregate networks (ISO/IEC 8.22) and development, test, and production environments (ISO/IEC 8.31) under this SCP technique.

The SCP technique ‘#5 Control Tools/Weapons’ limits offenders’ access to tools (such as operating system software tools) that can be used for cybercriminal actions. As such, actions to control the use of privileged utility programs (ISO/IEC 8.18) that can be inadvertently used in hacking scripts and to control the installation of software (ISO/IEC 8.19) so that they cannot be hijacked or turned to malware can be classified under this SCP technique. Furthermore, the control to require employees to return their assets (ISO/IEC 5.11) upon change or termination of their employment can be classified under this SCP technique. This is especially pertinent when the employee feels disgruntled upon sudden or forceful termination and misuses assets such as computing devices, keys, or access cards to data centres that allow certain access to the organization’s places [73].

‘S2 Increase the Risks’

The SCP strategy ‘S2 Increase the Risks’ increases the risks faced by offenders by providing more or better guardianship that increases the likelihood of detecting criminal activities [31]. We classified a total of 17 ISO/IEC controls, shown in Table 6, for this SCP strategy.

The SCP technique ‘#6 Extend Guardianship’ encourages unofficial guardians (such as other non-cybersecurity employees) to act or be more effective. Therefore, the ISO/IEC 6.08 control on ‘information security event reporting’, which is a mechanism for employees to report observed or suspected information security events (ISO/IEC 6.08) is suited for this SCP technique. By doing so, this ISO/IEC 6.08 control increases the risk of detection of offenders and is similar to the community safety applications that were highlighted by Reynald [74] on digital guardianships.

The SCP technique ‘#7 Assist Natural Surveillance’ increases the likelihood of potential guardians seeing criminal actions occurring in places. Hence, regularly monitoring and reviewing the changes in the supplier information security practices and service delivery (ISO/IEC 5.22) can help to detect criminal actions occurring at suppliers’ places.

The SCP technique ‘#8 Reduce Anonymity’ increases the likelihood that potential guardians can identify the features of offenders. Controls that focus on knowing potential offenders, such as identify management (ISO/IEC 5.16), authentication (ISO/IEC 5.17), background screening (ISO/IEC 6.01) and secure authentication (ISO/IEC 8.05) can be classified under this SCP technique. Furthermore, liaising with external specialist security groups (ISO/IEC 5.06), such as Forum of Incident Response and Security Teams (FIRST) and online cybersecurity information sharing platforms such as CIAC can reduce the anonymity of cyber offenders [75, 76].

The SCP technique ‘#9 Utilise Place Managers’ uses existing or new employees as potential guardians in places such as data centres and virtual places such as websites. The control that defines information security roles and responsibilities in an organization (ISO/IEC 5.02) is therefore suitable for this SCP technique. This is also in line with research from Ho et al. [33], where their vignette experimental study highlights that preventing cybercrimes requires a team of skilled and assigned place managers, such as cybersecurity professionals working in the SOC.

The SCP technique ‘#10 Strengthen Formal Surveillance’ increases the ability of official or formal guardians such as cybersecurity professionals working in a Security Operations Centre (SOC) to be more effective. Therefore, common SOC activities that increase cyber capability, such as managing threat intelligence (ISO/IEC 5.07), collecting and assessing information security events (ISO/IEC 5.25, 5.28) and conducting cybersecurity monitoring (ISO/IEC 7.04, 8.16), are classified under this SCP technique. Technological controls such as data collection and logging information (ISO/IEC 8.15) and clock synchronization (ISO/IEC 8.17) also improve the monitoring abilities of cybersecurity professionals in the SOC and thereby strengthen the formal surveillance capability of official guardians. These controls contain features similar to the CyberTrafficking Surveillance System (CyTraSS) that Chung et al. [77] propose on the analysis of social media content to counter cyber-trafficking. Furthermore, the control on segregation of duties (ISO/IEC 5.03) such as requiring superuser accounts to be created and approved formally by two different administrators in an application can help the administrators (acting as guardians) to detect the unauthorized creation of superuser accounts.

‘S3 Reduce the Rewards’

The SCP strategy ‘S3 Reduce the Rewards’ reduces the rewards for offenders by limiting the value of their target (such as data stolen in a ransomware attack) or their ability to find the target [31]. We classified a total of 17 ISO/IEC controls, shown in Table 7, for this SCP strategy.

The SCP technique ‘#11 Conceal Targets’ limits offenders’ ability to see targets such as data. Therefore, we classified controls that are related to information classification (ISO/IEC 5.12), restriction (ISO/IEC 8.03), and access (ISO/IEC 8.04) under this SCP technique along with controls that deal with hiding or obscuring information such as clearing desks and screens (ISO/IEC 7.07), data masking (ISO/IEC 8.11), and cryptography (ISO/IEC 8.24).

The SCP technique ‘#12 Remove Targets’ takes potential targets away from places or removes the valuable aspects of it. Hence, the control on secure disposal of storage media (ISO/IEC 7.14) that can contain important data and secure deletion of information (ISO/IEC 8.10) fit well under this SCP technique.

The SCP technique ‘#13 Identify Property’ marks potential targets such as data to make them traceable to the owner or make it more difficult for the offender to claim ownership. Controls that are suitable to be classified under this SCP technique are those that require the labelling of information (ISO/IEC 5.13) and maintaining the inventory of information and computing assets (ISO/IEC 5.09).

The SCP technique ‘#14 Disrupt Markets’ makes it difficult for offenders to transfer the proceeds of their crimes to others, such as selling the data they have obtained. Therefore, controls about contacting with authorities on potential cybercrimes (ISO/IEC 5.05), having strict rules on transferring information (ISO/IEC 5.14) and responding effectively and efficiently on information security incidents (ISO/IEC 5.26) can make it difficult for cybercriminals to realize the benefits of their actions because they face difficulties in transferring the results of the proceeds elsewhere.

The SCP technique ‘#15 Deny Benefits’ makes it difficult for offenders to use their crime targets, such as stolen data, for their intended purposes. Controls that provide IT availability and redundancies such as managing information processing capacities (ISO/IEC 8.06), additional facilities (ISO/IEC 8.14), business continuity (ISO/IEC 5.30), and backup of information (ISO/IEC 8.13), make it difficult for perpetrators of DDoS and ransomware attacks to be successful, thereby denying them the benefits of these attacks.

‘S4 Reduce Provocations’

The SCP Strategy ‘S4 Reduce Provocations’ limits situational stimuli that can precipitate negative emotional outbursts such as anger, frustration, and stress that could result in criminal actions [31]. We could not observe any suitable ISO/IEC controls that are appropriate to be classified under this SCP strategy. There are organizational rules that regulate employees’ behaviour such as Acceptable Use Policy (AUP) and employment terms and conditions but we find it more appropriate to classify them under the next SCP strategy.

‘S5 Remove Excuses’

The SCP strategy ‘S5 Remove Excuses’ removes excuses that offenders give, such as pleading ignorance, by presenting or reminding or implementing situational controls that clarify offenders’ responsibilities [31]. The offenders could be people who directly caused the crimes, such as jaywalkers who claimed ignorance because they saw others jaywalking. It could also be about people who ‘indirectly’ facilitated crimes to happen due to their behaviour such as being careless, inattentive, ignorant, negligent, lack of due care and due diligence. For example, an employee negligently leaving a key or access card unattended on the table, which subsequently led to thefts. In the context of ISO/IEC 27002:2022, this SCP strategy focuses on human behaviour in the organization, which involves the people in organization such as employees, vendors, and users. For example, one key activity of a successful ransomware attack is usually an ignorant or negligent employee clicking on a malicious link in a phishing email [78]. We classified a total of 13 ISO/IEC controls, shown in Table 8, for this SCP strategy.

The SCP technique ‘#21 Set Rules’ provides information about unacceptable behaviours in a setting. Therefore, we found it more appropriate to classify controls that regulate employees’ behaviour, such as having information security policies (ISO/IEC 5.01), AUP (ISO/IEC 5.10), responsibilities, terms and conditions of employment (ISO/IEC 6.02, 6.05), a formalized disciplinary process (ISO/IEC 6.04) and confidentiality or non-disclosure agreements (ISO/IEC 6.06), under this SCP technique.

The SCP technique ‘#22 Post Instructions’ focuses on providing detailed information on how to meet behavioural requirements in a setting. Therefore, controls that provide detailed instructions on employees’ behaviour, such as having documented operating procedures for information processing facilities (ISO/IEC 5.37) and information security awareness, education, and training (ISO/IEC 6.03), are suited for this SCP technique.

The SCP technique ‘#24 Assist Compliance’ creates situations that make it easier for people to carry out acceptable behaviours in a setting. Hence, controls such as having organizational and management support to apply information security in the organization (ISO/IEC 5.04), complying with legal, regulatory, and contractual requirements (ISO/IEC 5.31), intellectual property rights (ISO/IEC 5.32), privacy and protection of Personable Identifiable Information (PII) (ISO/IEC 5.34), and conformance with policies and standards for information security (ISO/IEC 5.36), are appropriate for this SCP technique.

We have not classified any ISO/IEC controls under the SCP technique ‘#23 Alert Conscience’ and SCP technique ‘#25 Control Drugs and Alcohol’. The former is about providing situational reminders of unacceptable aspects of certain behaviours. The latter is about limiting the ingestion of substances, such as drugs and alcohol, that distort thinking or disinhibit behaviours. One possible reason why there are no suitable ISO/IEC controls for the latter SCP technique could be that not ingesting substances is already part of the employment terms.

ISO/IEC 27002:2022 and SCP strategies

Analysis of classification

We present our analysis of the results of the classification in Table 9. Almost half of the ISO/IEC controls centre on the SCP Strategy ‘S1 Increase the Efforts’ (46 ISO/IEC controls or 49%). Out of these 46 ISO/IEC controls, almost half of these (22 ISO/IEC controls or 48%) focus on technology. There is only one ISO/IEC control that focuses on people. We classified an equal number of 17 (18%) ISO/IEC controls for the second and third SCP strategies ‘S2 Increase the Risks’ and ‘S3 Reduce the Rewards’. We did not classify any controls for SCP strategy ‘S4 Reduce Provocation’. The fifth SCP strategy has 13 (15%) ISO/IEC controls, which are mainly related to organizational and people.

Areas of improvements for ISO/IEC 27002:2022 from SCP perspective

The large number of ISO/IEC controls (49%) classified in the SCP Strategy ‘S1 Increase the Efforts’ could be because ISO/IEC 27002:2022 focuses on cybersecurity and therefore emphasizes preventing (or making it harder to commit) cybercrimes. On the other hand, there are zero and 13 ISO/IEC controls (15%) for the SCP Strategies ‘S4 Reduce Provocation’ and ‘S5 Remove Excuses’, respectively, which focus more on the human elements of crime. In addition, out of the 93 ISO/IEC controls, there are 34 ISO/IEC controls (37%) for technological clauses while there are only 8 ISO/IEC controls (9%) for the people clauses.

There could be several reasons for the underemphasis on the human elements in ISO/IEC 27002. One possible reason is that the development of the ISO/IEC 27002 controls is led by cybersecurity professionals who are more likely to be familiar with technological controls and less familiar with criminology and human behaviour [16]. Furthermore, the ISO/IEC 27002 controls are formulated by common practice and authority through the anecdotal experiences of cybersecurity professionals rather than through robust validation methods [54].

Another reason could be that employees are expected to behave in a professional manner and not behave carelessly or recklessly or be prone to provocations. Therefore, it may be seen as unnecessary to include any ISO/IEC controls for the SCP Strategy ‘S4 Reduce Provocation’. However, it is unwise to rely on this professional code of conduct because disgruntled employees who are dissatisfied with their organizations have been shown to commit cybercrimes [73, 79]. The psychological aspects and human factors are important elements in having effective cybersecurity in an organization [80, 81], especially when it comes to insider or employee threats [42]. Therefore, there is room for further thoughts and research to improve the ISO/IEC 27002 controls to accommodate more SCP strategies and techniques on human factors. One example would be to anticipate and manage negative issues in the workplace by having clear and consistent human resource policies to deal with employee issues justly, so that situational precipitators such as perceived injustices, frustrations, and anger that could result in IT sabotage or cybercrimes can be avoided [82]. Another could be to involve employees during the cybersecurity design and implementation processes to reduce possible user friction and situational precipitators, especially when cybersecurity controls can lead to inconveniences and frustrations for employees. The SCP perspective is not just useful for and applicable to the ISO/IEC 27002 but also to other cybersecurity standards such as NIST Cybersecurity Framework [22] and ISACA COBIT [23].

SCP-C³ cycle and common inventory

Facilitating multi-disciplinary approach using SCP

Offenders do not pigeonhole themselves into committing only cyber-enabled or cyber-focused crimes. A cybercrime can include elements of both cyber-enabled and cyber-focused crimes. An IT-savvy cyberstalker, for example, can stalk the victim’s social media accounts (cyber-enabled) as well as hack the victim’s IT assets (cyber-focused). Therefore, there is an awareness among the research community that a multi-disciplinary approach is necessary to handle complex societal issues such as crime science and cybercrimes [16, 18–20, 83].

One possible way to facilitate multi-disciplinary research into cybercrimes is to provide instruments, such as frameworks and models, which combine criminology and cybersecurity concepts and ideas. This can provide a shortcut, where criminologists can use these instruments (that have cybersecurity elements) in their cybercrime research and vice versa for the cybersecurity researcher. However, our research indicates that no such instruments exist. Therefore, in addition to the development of the common inventory where we mapped ISO/IEC controls to SCP, we also propose the development of the SCP-C³ cycle in the sub-sections below and discuss how this SCP-C³ cycle can be used in conjunction with our common inventory of SCP cybersecurity controls as instruments to facilitate multi-disciplinary research by cybercrime researchers regardless of their original criminology or cybersecurity background.

SCP-C³ cycle

SCP-C³ cycle background

Our SCP-C³ cycle is developed by incorporating key ideas from SCP and the Plan-Do-Check-Act (PDCA) continuous improvement cycle. SCP emphasizes five principles of intervention [4]. SCP Principle #1 (SP1) focuses on highly specific categories of crimes such as domestic violence rather than on broad categories of crimes such as general violence or robberies at commercial establishments rather than all robberies. SCP Principle #2 (SP2) emphasizes the need to focus on crime concentrations following the 80-20 Pareto Principle [84]. Opportunities for crimes are infinite, so SCP stresses designing situational interventions on crime concentrations to obtain the largest preventive benefits. SCP Principle #3 (SP3) stresses that it is important to understand how the crime is committed, especially from the offender’s perspective, in order to use the appropriate SCP interventions. A more detailed understanding of the crime processes can lead to a more diverse choice of SCP interventions. SCP Principle #4 (SP4) advocates an action-research model when analysing a crime problem because SCP solutions to the crime problem must be assessed for effectiveness. The 25 SCP techniques generate many ways to reduce opportunities for crimes and therefore SCP Principle #5 (SP5) states that the most suitable solutions should be used after careful assessments of their costs and benefits. These five SCP principles can be applied to cybercrimes as well.

The PDCA cycle [85] is a continuous quality management approach that is popularly used in many diverse fields such as production and cybersecurity standards such as ISO/IEC 27001 [86]. Cybersecurity professionals who are familiar with ISO/IEC 27001 ISMS are already familiar with the PDCA cycle. On the other hand, criminologists are also likely to be familiar with SCP. Hence, combining both of them into the SCP-C³ cycle is a middle ground approach that will allow both criminologists and cybersecurity professionals to speak in a unified and common language by using SCP to prevent cybercrimes.

SCP- C³ cycle details

Figure 3 shows a visual diagram of our proposed SCP-C³ cycle, which was developed based on the five SCP principles and the PDCA cycle. Our SCP-C³ cycle compromises three key nodes, namely (1) Concentrate, (2) Comprehend, and (3) Consider, which are cyclical to denote its continuous improvement nature. The first node on Concentrate is about focusing on specific and important cybercrimes. In this activity node, we determine the specific type of cybercrime to concentrate on (SP1). The type of cybercrime to concentrate on should also be cybercrimes that have great impact and crime concentrations (SP2).

The second node on Comprehend is about understanding cybercrimes and their possible SCP invention measures. Once the specific type of cybercrime is determined, the next step is to understand (SP3) how the cybercrime is committed using an action-research approach (SP4) and how we can prevent it using SCP cybersecurity controls. One way to do so is by first modelling cybercrimes using an established modelling methodology such as the Lockheed Martin Cyber Kill Chain [87], crime scripts [71], and business process modelling [88]. Subsequently, we identify potential intervention points in the model that can prevent cybercrimes. Once the potential intervention points are identified, we can then select appropriate intervention measures from the common inventory of SCP cybersecurity controls and apply them to the intervention points that were identified previously. The effectiveness of the intervention measures that were selected previously can also be assessed.

The third node on Consider is about deciding suitable SCP cybersecurity controls to use. We consider which of the SCP cybersecurity controls that we identified in the previous activity node to be suitable for final implementation. When considering the SCP cybersecurity controls, the assessment should also consider (SP5) both the financial and non-financial aspects such as social and ethical costs like intrusiveness, inconvenience, and discrimination [4].

Applying SCP-C³ cycle and common inventory

We illustrate how to apply the SCP-C³ cycle through a ransomware example. We begin by concentrating our efforts on specific and important types of cybercrimes. We concentrate on ransomware or RaaS, which is a specific form of malware/cybercrime and a top cybercrime threat [89]. Next, we seek to comprehend how ransomware work. We can start by modelling the key activities of ransomware in Fig. 4. The model breaks down the ransomware activity into a series of key actions performed by the various entities. Next, in the model, we identify potential intervention points and select suitable controls from the common inventory of SCP cybersecurity controls. There can be many controls that can be applied within the SCP intervention points, so research can be conducted to assess the effectiveness of these controls. Finally, with all the research information available, organizations can consider the type of SCP cybersecurity controls that is suitable to be implemented, taking into account the financial and non-financial aspects.

Advantages of common inventory

With our common inventory, criminologists who are well versed in SCP but not knowledgeable about cybersecurity need not worry about the types of suitable ISO/IEC cybersecurity controls to use in their models and vice versa for the cybersecurity professionals. For example, in Fig. 4, a criminologist may propose to increase the efforts (S1) needed by the offender (ransomware) before the victim receives material such as a phishing email that contains the link to the ransomware. Among the various SCP techniques, the criminologist could consider ways to harden (SCP #01) the ransomware target. Even if the criminologist is unfamiliar with cybersecurity controls, they can refer to our common inventory to select suitable cybersecurity controls under this SCP technique, such as applying web filtering techniques (ISO 8.23), securing user endpoint devices (8.01), and applying protection measures against malware (ISO 8.07). In another example, the criminologist may be thinking of ways to reduce the rewards of a ransomware attack, such as disrupting the cybercriminal markets (SCP #14) to make it difficult for the offender to dispose of the data taken using ransomware and denying benefits (SCP #15) of the ransomware attack. From our common inventory, the criminologist can consider using controls on information backups (ISO 8.13) that can restore data lost from ransomware attacks or work with the authorities (ISO 5.06) on the aftermath of ransomware attacks.

Another advantage of our common inventory is that it espouses SCP strategies and its principles as its key pillars and is built using the popular ISO/IEC 27002 controls. By doing so, it adopts a more holistic approach to cybercrime prevention by covering the people (such as psychology and sociology), processes (such as organizational), and technology elements rather than overly focusing on a single-dimensional approach. Our study contributes to research calls for cybercrimes to be more multi-disciplinary [16, 18, 83].

Furthermore, organizations, especially those who have ISO certifications or are already implementing ISO/IEC controls, are more likely to accept the relevance of the research. Additionally, with its sheer number of controls, ISO/IEC 27002 is meant to provide a comprehensive and general all-purpose cybersecurity protection rather than targeting any specific cybercrimes [16]. It takes a lot of time, human resources and financial ability to fully implement ISO/IEC 27002, which organizations, especially smaller ones, may lack. It may be of greater value for organizations to focus first on ISO/IEC controls in our common inventory that target specific cybercrimes, especially those that are listed as top threats, such as ransomware [89]. This is in line with the Concentrate activity node of our SCP-C³ cycle.

Extending common inventory to other standards

Our common inventory can accept controls from other popular cybersecurity industry and government regulations, frameworks, standards, and guidelines such as ACSC Essential Eight [90], MITRE ATT&CK [91], NIST Cybersecurity Framework [22], other ISO/IEC Technical References, and Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines [92]. This can supplement the ISO/IEC controls and further enrich the common inventory. This is especially true for standards that are also widely adopted by organizations and the industry such as the NIST Cybersecurity Framework [22], and standards that are more technical such as the MITRE ATT&CK [91].

Our common inventory would then be structured around the widely adopted SCP criminology practice and comprise (eventually) cybersecurity controls from all popular cybersecurity industry and government frameworks and standards. Once the common inventory is widely used by researchers and organizations, this can also make it easier for researchers to investigate the effectiveness of SCP techniques and ISO/IEC controls because there will be a large pool of samples from organizations that implement ISO/IEC controls that researchers can draw from. This aligns well with our Comprehend and Consider activity node of our SCP-C³ cycle.

Limitations and future works

Our study reviews the extant literature on applying SCP techniques to cybercrimes. The result of our review is in line with the existing research [16–18], which indicates that the use of SCP in preventing cybercrimes, while not exactly new, is still limited. Our review methodology, while structured, relied on using the SCP keywords to search for related SCP articles. One possible limitation of our keyword selection is that we may have unknowingly missed SCP-related articles that did not use the SCP techniques keyword. However, the chances of this occurring should be low because an article that discusses a particular SCP technique should logically mention the SCP technique keyword in its title. Our keyword search also can have another limitation where a popular cybersecurity control, such as cryptography, does not mention its corresponding SCP techniques in its title because the researchers may not be aware or are unfamiliar with SCP. On the other hand, part of our research objective is to investigate how cybersecurity controls are consciously used as an SCP technique in cybercrime prevention, so missing out these articles does not greatly impact our research outcome.

We have attempted to rationalize and explain our classification of ISO/IEC controls into the appropriate SCP techniques. However, this is by no means final. There is still room for adjustments in the classification as new thoughts and ideas develop in the use of SCP in cyberspace. It is possible that SCP techniques may need to evolve to take into account the nature of cyberspace and cybercrimes. Furthermore, our development of the common inventory is based on a cybersecurity industry standard (i.e. ISO/IEC), which focuses mainly on addressing organizational-level ‘non-compliant’ behaviours that can lead to cybercrimes. There are also other types of individual and societal-wide behaviours (such as spreading misinformation and cyberbullying) that need to be addressed as well. Hence, there is room for more research on expanding our common inventory and utilizing our SCP-C³ cycle in terms of their usage as instruments to facilitate multi-disciplinary research in cybercrime prevention.

Our SCP-C³ cycle provides an instrument for both criminologists and cybersecurity researchers to apply a holistic criminology and cybersecurity perspective to cybercrime prevention while our common inventory provides a ready-made toolkit of SCP cybersecurity controls. However, presently both are untested. For example, the ransomware event described in Fig. 4 is only a conceptual illustration on how ransomware may be investigated and prevented through a combination of criminology and cybersecurity perspectives via our SCP-C³ cycle and common inventory. More in-depth research is needed to investigate the prevention of ransomware using our SCP-C³ cycle and common inventory. The usefulness and applicability of the SCP-C³ cycle and the common inventory will subsequently depend on how they are used in future research.

Our common inventory presently focused on mapping the ISO/IEC cybersecurity controls to SCP due to the popularity and global adoption of the ISO/IEC cybersecurity standard in the industry. Yet, despite ISO/IEC popularity, there are also other competing standards that are popular in the industry such as MITRE and those from governments such as ACSC in Australia and NIST in the United States. Therefore, there is space for our common inventory to grow in terms of comprehensiveness and richness by incorporating the different cybersecurity controls from other standards, frameworks, and guidelines. For example, the MITRE mitigation techniques and controls are more technically specific compared to ISO/IEC controls and incorporating them to our common inventory can provide more technical solutions. In another example, future research could explore embedding our SCP-C³ into the NIST Core Cybersecurity Framework Core ‘Govern’ function, which could then allow organizations to consider their risk management strategy with a criminology perspective and potentially result in policies that are more appropriate and effective in controlling cybercrimes.

Concluding remarks

Since its inception in the seventies [4], the SCP approach has been successfully embraced by governments in combating a variety of crimes [8, 9, 13]. However, despite crime perpetuation evolving from just physical to also include cyber-focused and cyber-enabled crimes, the adoption of SCP to combat cybercrimes appears to be less widespread. Although there have been early attempts since 2000s to extend SCP to cybercrimes [34], the momentum has not picked up much as expected given SCP’s successful track record in dealing with other crimes. This was supported by recent SCP research [16, 17] and our review results, where we note that there are only 53 out of 1788 (3%) articles directly related to SCP techniques in cybercrime prevention.

Part of this could be the inherently complex nature of cybercrimes. Cybercrimes span from the more human-centric cyber-enabled crimes to the more technology-centric cyber-focused crimes. Collectively, preventing cybercrimes effectively can demand in-depth knowledge from a variety of fields such as computer science, criminology, and cybersecurity. The awareness that preventing cybercrimes encompasses multiple fields is not new and there have been research calls in recent years for multi-disciplinary efforts to study cybercrimes, including using SCP [16, 18–20]. However, from our literature review and review results, we argue that despite these calls, there has not been any significant headway made to promote multi-disciplinary collaboration or facilitate research from a different discipline such as criminology to another discipline such as cybersecurity. In addition, while we note that while there have been attempts to map cybersecurity controls to SCP [35, 37, 50–52], these efforts were unstructured, incomprehensive, and lacked proper explanation, leading to uncertainties. This could be the reason why these SCP cybersecurity controls are not widely recognized and used [16].

Therefore, we propose the SCP-C³ cycle in an effort to provide a viable instrument to ease criminologists and cybersecurity professionals to a common ground where they can apply their combined expertise and overcome their inherent unfamiliarity with cybercrime prevention. We have illustrated how the SCP-C³ cycle can be applied and the benefits it can bring to a multi-disciplinary SCP research environment. We also have demonstrated a structured approach on how to develop a common inventory of SCP cybersecurity controls using the ISO/IEC 27002:2022 and how the common inventory can be extended to accommodate other popular industry and government cybersecurity standards, frameworks, and guidelines. By doing so, we have created a common inventory that can be used with greater confidence even by researchers who may not be well versed in cybersecurity, SCP, or criminology.

Acknowledgements

The authors would like to acknowledge the University of Queensland Cyber Research Centre (UQ Cyber) strategic funding, and the Singapore Institute of Technology for Ho’s PhD scholarship. The authors would also like to thank the journal editors and anonymous expert reviewers for their time and constructive feedback when reviewing this manuscript.

Author contributions

Heemeng Ho (Conceptualization [lead], Investigation [lead], Methodology [lead], Project administration [lead], Writing – original draft [lead]), Ryan Ko (Conceptualization [supporting], Supervision [lead], Writing – review & editing [lead]), Lorraine Mazerolle (Conceptualization [supporting], Supervision [lead], Writing – review & editing [lead]), John Gilmour (Conceptualization [supporting], Supervision [supporting], Writing – review & editing [supporting]), and Cheng Miao (Investigation [supporting], Project administration [supporting], Writing – review & editing [supporting])

Appendix A

PRISMA 2020 Flow Diagram.

Appendix B

Detailed Discussion on Search Results for SCP Strategies and Techniques in the section ‘Results’.

‘S2 Increase the Risks’

The SCP strategy ‘S2 Increase the Risks’ comprises five SCP techniques that increase the risks of detection for potential criminal offenders [5, 31, 67]. The SCP technique ‘#6 Extend Guardianship’ intends to provide incentives to encourage unofficial guardians to act or to be more effective. Examples include having people go out in groups at night and leaving signs of occupancy. The SCP technique ‘#7 Assist Natural Surveillance’ is about creating situations where guardians are more likely to see criminal actions occurring in places, such as having improved street lighting. The SCP technique ‘#8 Reduce Anonymity’ is about creating circumstances where guardians are more likely to identify features of offenders, such as having school uniforms. The SCP technique ‘#9 Utilise Place Managers’ is about having existing or new employees emerge as potential guardians, such as providing Close Circuit Televisions (CCTVs) for bus drivers in double-decker buses. The SCP technique ‘#10 Strengthen formal surveillance’ is about creating circumstances that make formal or official guardians more effective, such as employing security guards. Table B.1 shows the number of eligible and relevant articles for this SCP strategy.

For the SCP techniques ‘#6 Extend Guardianship’, there were 135 eligible articles for review. There were six relevant articles. Bossler and Holt [93] used RAT as a framework to explain the relationships between online activities, guardianship, and malware infections and noted that reducing malware infection requires both cybersecurity solutions and behavioural changes. Vakhitova and Reynald [94] presented an empirical analysis of guardianship against cyber abuse such as cyberstalking and noted that active guardianship processes such as contextual awareness in the physical world worked in a similar manner in cyberspace. Reyns et al. [95] used RAT to examine the concept of guardianship and its role in reducing cyberstalking victimization. Reynald et al. [96] examined the importance of micro-level environmental factors in the development of new directions in guardianship research such as in cyberspace. Reynald [74] proposed a conceptual paper to advance and extend digital guardianships using technological advancements such as digital neighbourhood watch or community safety applications. Ylang [97] discussed the concept of guardianships against online identity theft and examined the demographic differences in individuals who practice self-guardianship. The remaining articles were not relevant because they did not discuss the application of SCP to cybercrimes or were not about encouraging unofficial guardians to act or be more effective [31].

The SCP techniques ‘#7 Assist Natural Surveillance’ and ‘#10 Strengthen Formal Surveillance’ share the common keyword ‘surveillance’ and both resulted in the same list of 35 eligible research articles. There were four relevant articles that offered insights on cyber-related surveillance that could help guardians detect offenders. Huey and Rosenberg [98] discussed the growth in internet surveillance and policing after the signing by countries of the Convention on Cybercrime in 2001 that mandates Internet Service Providers to provide assistance to law enforcement. Palasinki and Bowman-Grieve [99] highlighted the tension and the need to balance surveillance with counter communication in tackling cyberterrorism. Snášel et al. [100] proposed a framework for cyber-surveillance for critical infrastructure using computational grids, which could assist guardians in identifying cybercriminal activities. Chung et al. [77] proposed a Cyber-Trafficking Surveillance System that supports analysis of social media content to counter cyber-trafficking. The remaining articles discussed technical details on surveillance largely in the areas of cyber-physical systems, drone, video, and air traffic surveillance and were not relevant because they did not discuss the application of SCP to cybercrimes or were not about creating situations where guardians are more likely to see criminal actions [31].

For the SCP technique ‘#8 Reduce Anonymity’, there were 94 eligible articles for review. There were two relevant articles. David and Sakurai [75] and Murdoch and Leaver [76] both proposed the creation of cyber-entities, such as the Cyber Intelligence Analysis Center (CIAC) to develop and share information to reduce offenders’ anonymity. The remaining articles were not relevant. They mainly discussed the impact, preservation, and improvements of anonymity and were not related to the application of SCP into cybercrimes or suggested any ways to make it easier for guardians to reduce offenders’ anonymity [31].

For the SCP technique ‘#9 Utilise Place Managers’, there were 10 eligible articles for review. There was one relevant article. Reyns [48] discussed the use of SCP techniques, especially by cyberplace managers to control and limit cyberstalking. The remaining articles were not relevant because they did not discuss the role of existing or new employees or managers as guardians in cyberspace to limit cybercrime opportunities [31].

‘S3 Reduce the Rewards’

The SCP strategy ‘S3 Remove the Rewards’ aims to present situational control techniques that can reduce the rewards of the crime for the offender [5, 31, 67]. The SCP technique ‘#11 Conceal Targets’ and the SCP technique ‘#12 Remove Targets’ limit the offender’s ability to see the target or victim either through concealment or by removing them or their value. This makes it difficult for the offender to find the target or victim in a situation, for example, using unmarked armoured trucks to transport valuables. The third SCP technique in this strategy, ‘#13 Identify Property’, marks items to make them traceable to the owner or makes it more difficult for the offender to claim ownership. For example, vehicle licensing makes it hard for offenders to claim ownership of stolen vehicles when stopped by law enforcement. The SCP techniques ‘#14 Disrupt Markets’ and ‘#15 Deny Benefits’ make it difficult for offenders to realize the benefits of their crimes. The former increases the difficulty for offenders to transfer or dispose of their illegal criminal proceeds while the latter makes it hard for offenders to use their crime targets for their intended purpose. For example, putting speed humps on roads makes it difficult for offenders to speed. Table B.2 shows the number of eligible and relevant articles for this SCP strategy.

There were 32 and 33 eligible articles for review on the SCP techniques ‘#11 Conceal Targets’ and ‘#12 Remove Targets’, respectively. These articles largely engage with the same concepts as the previous SCP technique ‘#1 Harden Targets’, including one relevant article by Miró-Llinares et al. [68] that was discussed in Section ‘4.1.1’. The remaining articles were not relevant because they did not discuss the application of SCP into cybercrimes or were not about concealing or removing targets from the offender [31].

There were 41 eligible articles for review on the SCP technique ‘#13 Identify Property’. The articles mainly discussed research topics related to investigation and analysis on the attributes and properties of cyber-physical systems, computer hardware, bioinformatics, and legal matters. There were no relevant articles related to the application of SCP to cybercrimes or about identifying or marking targets to make them traceable [31].

There were 40 eligible articles for review on the SCP technique ‘#14 Disrupt Markets’. The articles mainly discussed research topics related to the cyber insurance market, electrical and power energy markets, and dark net markets. There were no relevant articles related to the application of SCP to cybercrimes or about disrupting the criminal markets to make it difficult for offenders to transfer the proceeds of crime [31].

There were 15 eligible articles for review on the SCP technique ‘#15 Deny Benefits’. The articles mainly discussed research into cyber-physical systems. There were no relevant articles related to the application of SCP into cybercrimes or that suggested any ways to make it difficult for offenders to use crime targets for their intended purpose [31].

‘S4 Reduce Provocations’

The SCP strategy ‘S4 Reduce Provocations’ aims to address Wortley’s [30] emotionally driven situational precipitators such as frustrations and stress. It presents situational control techniques that limit situational stimuli that can lead to criminal actions [5, 31, 67]. The SCP technique ‘#16 Reduce Frustrations’ promotes settings that are calming or procedures that are efficient, which in turn reduces peoples’ frustrations. For example, having soothing music or ensuring efficient queues and creating polite service can reduce frustrations and stress and prevent aggressive behaviour. The SCP technique ‘#17 Avoid Disputes’ limits circumstances that promote conflicts or disputes or encourage their escalation, such as having fixed cab fares so that there will not be any fare disputes. The SCP technique ‘#18 Reduce Emotional Arousal’ limits emotional or insulting behaviours or stimuli in a setting, such as prohibiting racial slurs in a setting that could otherwise trigger aggressive reactions. The SCP technique ‘#19 Neutralise Peer Pressure’ reduces the desire to gain acceptance through criminal actions. The SCP technique ‘#20 Discourage Imitation’ seeks to limit access to details of the crime commission processes to prevent criminal copycats. Table B.3 shows the number of eligible and relevant articles for this SCP strategy.

There were 73 eligible articles for review on the SCP technique ‘#16 Reduce Frustrations and Stress’. There were two relevant articles. Sandoval et al. [101] discussed factors that can make cyber operations stressful and suggested the use of cyber-physical systems, biometric stress instrumentation, and new technologies such as augmented reality and virtual reality, to manage stress. Hone [102] suggested that female embodied agents may be more effective in reducing user frustrations in human–computer interaction systems. The remaining non-relevant articles mainly discussed issues related to material science and did not discuss the application of SCP to cybercrimes or to creating settings that were calming [31].

There were 136 eligible articles for review on the SCP technique ‘#17 Avoid Disputes’. There were three relevant articles. Sondheimer et al. [103] highlighted the need to prevent and resolve disputes in the networked health IT arena and suggested solutions such as designing the systems for privacy and providing support tools. Billings and Watts [104] described how conflicts in online text-based web communities such as Wikipedia can be effectively managed through appropriate policies and technical measures. Osterweil and Clarke [105] discussed how software technology can support dispute resolution. The remaining articles were mainly on resolving disputes in the facility construction or legal disputes and were not about the application of SCP into cybercrimes or about limiting situations that promote conflicts or disputes [31].

For the SCP technique ‘#18 Reduce Emotional Arousal’, there were 31 eligible articles for review. There was one relevant article. Lu et al. [106] highlighted that cyber scam prevention posters should focus on the emotions of potential victims to be more effective. The remaining articles were not relevant because they mainly discussed research on the effects of emotions and were not related to the application of SCP into cybercrimes or did not suggest any ways to remove or limit emotional or insulting behaviours or stimuli [31].

There were 48 eligible articles for review on the SCP technique ‘#19 Neutralise Peer Pressure’. The articles mainly discussed research topics related to adolescent peer pressure. There were no relevant articles related to the application of SCP to cybercrimes or about discouraging the desire to gain acceptance through criminal actions [31].

There were 151 eligible articles for review on the SCP technique ‘#20 Discourage Imitation’. The articles mainly discussed research topics related to young children or artificial intelligence. There were no relevant articles related to the application of SCP to cybercrimes or about limiting access to details of the crime processes that can prevent criminal copycats [31].

‘S5 Remove Excuses’

The SCP strategy ‘S5 Remove Excuses’ aims to present situational control techniques that can clarify the responsibility of a potential offender in a setting such as a workplace in an organization [5, 31]. It incorporates strategies that were adapted from Wortley [30] on situational precipitators. The SCP technique ‘#21 Set Rules’ is about providing information about what are unacceptable behaviours in a situation or setting, such as a rental agreement. The SCP technique ‘#22 Post Instructions’ provides information on how to meet the behavioural requirements of a setting, such as posting ‘No Parking’ signs. The SCP technique ‘#23 Alert conscience’ is about providing situational reminders on the unacceptable aspects of certain behaviours in a setting, such as having a roadside speed display board to remind drivers not to go beyond a certain speed limit. The SCP technique ‘#24 Assist compliance’ is about creating situations or aids that can make it easier for people to carry out acceptable behaviour, such as providing litter receptacles for easier waste disposal. The SCP technique ‘#25 Control drugs and alcohol’ is about limiting drugs and alcohol, which can influence a person’s thinking and behaviour. Table B.4 shows the number of eligible and relevant articles for this SCP strategy.

There were 77 eligible articles for review on the SCP technique ‘#21 Set Rules’. There were two relevant articles [107, 108] that highlighted the challenge and use of international rules and legislation to prevent unacceptable behaviours in cyberspace to combat cybercrimes. The remaining articles either referred to mathematical, logic, or software rules used in computer science domains such as databases or referred to trademark and maritime transportation rules. Such articles were not relevant to our study because they did not discuss the application of SCP to cybercrimes or were not about setting rules on unacceptable behaviours in a setting, especially on cyberspace [31].

There were 20 eligible articles for review on the SCP technique ‘#22 Post Instructions’. All the articles discussed research topics related to computer hardware and software instructions, court cases and post-traumatic stress disorder. There were no relevant articles related to the application of SCP to cybercrimes or about putting up instructions on meeting behavioural requirements in a setting [31].

There were 35 eligible articles for review on the SCP technique ‘#23 Alert Conscience’. All these articles discussed either human/political conscience in the context of professional activities and the use of anti-personnel mines or mainly discussed computer conscience mechanisms in the context of neural networks, AI, virtual reality (VR), data mining, and robotics. Such articles were not relevant as they were not related to the application of SCP to cybercrimes or about providing situational reminders on unacceptable aspects of certain behaviours in a setting [31].

For the SCP technique ‘#24 Assist Compliance’, there were 22 eligible articles for review. There were 11 relevant articles. These articles [109–119] described various tools and methods to aid compliance with cybersecurity practices in order to prevent cyberattacks and cybercrimes. For example, Kienzle et al. [109] proposed a system to monitor the endpoint configuration of an end-user system for compliance purposes. All approaches discussed in the articles essentially made it easier for people to carry out acceptable behaviour in an organizational setting to prevent cyberattacks and cybercrimes. The remaining non-relevant articles discussed non-cybersecurity or cybercrime compliances such as social distancing compliances, medication compliances, and electronic compliance controls with to mobility devices, such as wheelchairs and wearable power assist equipment. These articles were not relevant because they did not discuss the application of SCP to cybercrimes or were not about assisting people to comply with acceptable behaviours in a setting [31].

For the SCP technique ‘#25 Control Drugs and Alcohol’, there were 74 eligible articles for review. There were 11 relevant articles [120–130]. These articles mainly suggested different ways and methods using hardware or software tools to detect the consumption of alcohol, which can be used by organizations to detect and limit employees’ drugs and alcohol consumption. For example, You et al. [127] proposed using transdermal sensing wristbands as a personal tool to track alcohol use. The remaining articles were not relevant because they were about issues or effects of drug and alcohol abuse and did not focus on limiting the availability of drugs and alcohol in situations related to cybercrimes [31].

Appendix C

Detailed Explanation of Classification of ISO/IEC 27002:2022 Controls into SCP Strategies and Techniques

References