From theory to firewalls: Criminology now shapes global cybersecurity policy

Cybercrime is growing in sophistication, prompting researchers to rethink foundational strategies behind global information security. A new peer-reviewed study titled “Threats to the Digital Ecosystem: Can Information Security Management Frameworks, Guided by Criminological Literature, Effectively Prevent Cybercrime and Protect Public Data?”, published in Computers (2025), offers a sweeping analysis of how traditional criminological theories can, and increasingly do, inform cybersecurity practices and policy frameworks worldwide.
The study, authored by Shahrukh Mushtaq and Mahmood Shah of Northumbria University, brings together criminology, cybersecurity standards, and international benchmarking data to argue that a more interdisciplinary approach is crucial for both anticipating cyber threats and protecting public digital infrastructure.
How have criminological theories been applied to understand cybercrime?
The study analyses 617 academic publications from Scopus and Web of Science, charting the intellectual evolution of criminological theory in the cyber domain. Researchers applied Multiple Correspondence Analysis (MCA) to separate the field into two primary dimensions: technical cybersecurity research and human-centered criminological studies. The coexistence of both areas, along with the rising prominence of interdisciplinary models, underscores growing academic consensus that cybercrime is a complex, multifaceted problem.
Key criminological theories, such as Routine Activity Theory, Rational Choice Theory, and Deterrence Theory, have been adapted to cyber contexts. For instance, Routine Activity Theory identifies three core elements of a crime: a motivated offender, a suitable target, and the absence of a capable guardian. In cyberspace, this translates to scenarios such as unsecured systems being attacked by threat actors due to weak defenses like outdated firewalls or inattentive users.
Similarly, Rational Choice Theory assumes that cybercriminals make calculated decisions by weighing the costs and benefits of their actions. Deterrence Theory adds that effective prevention hinges on the certainty, severity, and swiftness of punishment, factors that are difficult to enforce in the jurisdictionally ambiguous realm of cybercrime.
Newer frameworks like the Space Transition Theory and Digital Drift Theory reflect the behavioral disinhibition of users in anonymous digital environments, further complicating crime prevention. According to the authors, these theories help explain why individuals who would not offend in real life may do so online.
This body of work reveals that while individual theories offer valuable insights, cybercrime prevention is best understood by synthesizing multiple theoretical lenses. Cyber offenders often exploit the "path of least resistance" by targeting the weakest security nodes, and institutions often suffer from a cultural lag, adopting technology faster than they build regulatory or security safeguards.
Are criminological concepts reflected in cybersecurity frameworks?
Beyond theory, the researchers conducted a critical review of global cybersecurity frameworks such as the NIST Cybersecurity Framework (CSF), ISO/IEC 27001, and other national policies from countries like the UK, the US, and Canada. Their analysis reveals strong theoretical alignments between criminology and cybersecurity policy.
For example:
- NIST and ISO/IEC 27001 integrate Rational Choice Theory by prioritizing risk-based models, encouraging cost-benefit assessments.
- Deterrence Theory influences regulatory frameworks like the GDPR and the Budapest Convention, which emphasize enforcement and penalties.
- Routine Activity Theory is embedded in user-access controls and real-time monitoring measures.
- Situational Crime Prevention (SCP) finds expression in technical controls like multi-factor authentication, data encryption, and proactive system design.
The researchers also introduce a role-based cybersecurity framework, which allocates responsibility for threat mitigation across organizational hierarchies. These models illustrate how criminological ideas have permeated practical governance structures, offering templates for both national and institutional cyber readiness.
Yet, the study warns that technological hardening alone is insufficient. Overreliance on tools without human-centered policies can render systems vulnerable. The most effective security strategies, the study suggests, merge technical controls with criminological and behavioral insights.
How do national strategies reflect the cybercrime-development gap?
The study’s third phase evaluates 170+ countries using the National Cyber Security Index (NCSI) and Digital Development Level (DDL) to map global disparities between cybersecurity preparedness and digital advancement. Countries like the U.S. and the UK outperform their digital maturity with robust cybersecurity frameworks, while others, particularly in the Global South, lag significantly.
This gap illustrates a key dilemma: digital expansion without proportional cyber defenses increases vulnerability. Many developing nations, despite rapid digital adoption, have limited capacity for implementing or enforcing advanced cybersecurity protocols. The research highlights the importance of tailoring frameworks to national contexts. A one-size-fits-all model may falter in regions lacking regulatory infrastructure or digital literacy.
Additionally, frameworks such as Canada's National Cyber Security Strategy or the UK’s bespoke national policies, while grounded in international best practices like NIST or ISO, show how nations can flexibly localize their cybersecurity governance.
The authors call for future research to focus on how these frameworks function in diverse sectors such as healthcare or finance and across organizational levels. More importantly, they stress that cybersecurity policies must be empirically evaluated in real-world settings, especially in developing countries where formalized strategies often fail to translate into practice.
First published in: Devdiscourse