Cybercrime surge prompts call for criminology-based security frameworks

CO-EDP, VisionRI | Updated: 10-06-2025 09:26 IST | Created: 10-06-2025 09:26 IST

A new peer-reviewed study published in Computers investigates whether criminological theories can effectively strengthen information security management frameworks (ISMFs) to prevent cybercrime and protect public data. Titled “Threats to the Digital Ecosystem: Can Information Security Management Frameworks, Guided by Criminological Literature, Effectively Prevent Cybercrime and Protect Public Data?”, the study presents a rigorous synthesis of 617 scholarly records, combining bibliometric analysis, theoretical exploration, and international benchmarking to propose an interdisciplinary cybersecurity governance model.

How has criminology informed cybercrime research and understanding?

The study opens with a systematic bibliometric review mapping the evolution of criminology in cybercrime discourse. Using Scopus and Web of Science databases, researchers identified 617 peer-reviewed articles spanning from 2009 to March 2025. A significant annual growth rate of 25.53% indicates a rapidly expanding academic interest in integrating social science theory into cybersecurity research. The analysis highlighted the dual structure of the field: one axis focused on technical domains such as machine learning and malware detection, and the other grounded in human behavior and criminal psychology.

Through keyword co-occurrence and multiple correspondence analysis, key criminological theories emerged as dominant frameworks within the literature. These included rational choice theory, routine activity theory, deterrence theory, and situational crime prevention. Each of these has been increasingly repurposed to understand offender decision-making, vulnerability exploitation, and institutional guardianship in digital spaces.

For instance, rational choice theory posits that offenders assess risks and rewards before acting, directly aligning with cybersecurity deterrents like stricter penalties and monitoring. Routine activity theory, emphasizing the convergence of motivated offenders, suitable targets, and absent guardians, has been extended to interpret user behavior and systemic weaknesses. Other frameworks, such as digital drift theory and space transition theory, delve into how anonymity and disinhibition in virtual environments foster criminal tendencies.

The criminological discourse has proven particularly useful in interpreting emerging risks related to biometric data, telemedicine, and mobile digital services, areas where traditional security protocols often fall short. The study also notes that global events like the COVID-19 pandemic have intensified vulnerability by accelerating remote interactions, thus necessitating a more holistic security paradigm.

Are current cybersecurity frameworks aligned with criminological principles?

To bridge the gap between theory and practice, the authors analyzed leading cybersecurity governance models, including the National Institute of Standards and Technology (NIST), ISO/IEC 27001, and frameworks employed by the UK and Canadian governments. These were benchmarked using the Global Cybersecurity Index (GCI) and the National Cybersecurity Index (NCSI), providing a comparative view of over 170 countries.

Table 1 of the study demonstrates how specific criminological theories underpin major cybersecurity protocols. Rational choice theory supports NIST and ISO frameworks by reinforcing the logic of risk-based planning and attacker modeling. Deterrence theory shapes legal mechanisms like the EU’s GDPR and Council of Europe’s Budapest Convention. Routine activity and situational crime prevention theories drive practical controls such as continuous user monitoring, access control, and encryption.

Frameworks have also begun integrating behavioral science. Social learning theory influences public awareness campaigns, while strain and general crime theories inform the socio-economic dimensions of cyber-offending. Concepts like crime pattern theory support the creation of threat models such as MITRE ATT&CK, enabling proactive identification of common attack vectors.

At the national level, the study compares digital maturity and cyber readiness. Countries like the United States, United Kingdom, and Canada exemplify effective alignment of national strategies with international standards, leveraging criminological principles within institutional cybersecurity policies. However, disparities are evident. Some nations exhibit strong digital growth but lag in security preparedness, signaling a disconnect that theory-driven governance could help rectify.

What is the path forward for cybercrime prevention at institutional and policy levels?

While the study recognizes the progress made by integrating criminology into cybersecurity, it argues that more sector-specific and context-sensitive adaptations are necessary. Current ISMFs often emphasize technological control but overlook the behavioral dimensions essential for long-term resilience. To address this, the authors advocate for integrated frameworks combining human, technical, and organizational factors.

The proposed model includes:

  • Socio-technical systems theory to align institutional structure with digital workflows.
  • Risk management and compliance frameworks informed by empirical criminology.
  • Institutional theory to understand how regulatory pressure shapes internal security cultures.
  • Scenario-based security training and policy reinforcement to address end-user behavior.

The authors also highlight the need for empirical studies in underrepresented regions, particularly developing countries where the policy-research divide is more pronounced. They recommend assessing how cybersecurity frameworks perform across different sectors, like healthcare, finance, and education, and at various institutional levels, from frontline staff to executive management.

Ultimately, the study concludes that while national frameworks like NIST and ISO provide essential infrastructure, their success hinges on local adaptation and evidence-based refinement. A robust cybersecurity strategy must account for not just the systems but also the people who operate within them: criminals, users, developers, and policymakers alike.

First published in: Devdiscourse