This chapter presents our definitions of the main concepts of the study, namely “cybercrime” as well as “impact,” “harms” and “costs” (of cybercrime), along with our justifications for our choices.

CYBERCRIME

Following the approach adopted by legal texts, policy documents and other studies (e.g., UNODC, 2013), the present project does not define cybercrime per se, but rather identifies specific acts that constitute cybercrime. Specifically, and unlike most other studies on the cost and impact of cybercrime, we have developed a “technology-neutral” typology of cybercrime, i.e., a typology that is independent of the specific techniques used by cybercriminals. The typology largely draws from the Council of Europe's Convention on Cybercrime, and the Belgian act on cybercrime, but also incorporates the insights from the academic literature on the topic. The typology entails five types of cybercrime that might target businesses:

The first three types belong to the category of “computer-integrity crimes” (Gordon & Ford, 2006: 14) and the latter two largely to the category of “computer-assisted crimes” (Wall, 2007: 50). Our conceptualization of the three computer-integrity crimes is based upon the Council of Europe's Convention and Belgian cybercrime law. In fact, the incidents of illegal access to IT systems, cyber espionage and data/system interference, correspond, respectively, to the offences of “illegal access” (art. 2), “illegal interference” (art. 4) and “data” and “system interference” (art. 5–6) in the Convention. The type “cyber extortion” has no direct correspondence in the Convention; it is rather the cyber version of a standard offence in Belgian and other national criminal laws. The last type, “internet fraud,” draws from the offence of computer-related fraud defined by the Convention (Council of Europe, 2001: 6; art. 8) as well as two other more traditional types of fraud that frequently target businesses online.

ILLEGAL ACCESS TO IT SYSTEMS

This first type is comprised of illegal access to IT systems. The generic term “IT system” exemplifies the technology-neutral way in which the survey is draft ed. Following the Council of Europe's 2001 convention, an IT system is conceived as “any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data” (Convention on Cybercrime, 2001, art. 1, a).