In this section we present the results of the analyses of the second wave (November 2017 – February 2018). Before entering into detail, we report that the questionnaire was completed primarily by high-level representatives of the participating businesses: 33.9% of the respondents classified themselves as CEO or member of the executive board; 14.4% as Chief Information Security Officer; 14% as managing director; 10.3% as other IT staff and 4.1% as executive director. This suggests that the respondents had a good evidence base to assess both victimization and impact correctly.

The section is structured as follows. First, we discuss the extent to which businesses have been confronted with cybercrime in the 12 months preceding the survey; this includes both the victimization prevalence for each cybercrime type, and the incidence of each type. Next, we focus on the business representatives’ perceptions of the likelihood of their business being attacked in the following 12 months. Third, we estimate the harms to material support, that is, the staff and other costs that the businesses have incurred as a result of cybercrime incidents in the 12 months before the survey, as well as to assess the severity of the financial impact of these incidents. Fourth, we discuss the business representatives’ assessments of the non-material harm that the businesses have experienced as a result of cybercrime in the same time span.

VICTIMIZATION IN THE PAST 12 MONTHS

Half of the businesses in our sample (53.6% or 125 businesses) have been victims of one of the five cybercrime types, at least once in the last 12 months. Specifically, illegal access to IT systems is the most prevalent: 32.7% (or 83 businesses). About a fift h of the respondents reported being victims of data/ system interference (20.2% or 49 businesses), or cyber extortion (18.9% or 47 businesses). Slightly more than a tenth of the respondents indicated that their business had been a victim of internet fraud (12.6% or 30 businesses) or cyber espionage (10.6% or 29 businesses). Figure 3 provides more insight into the incidence of cybercrime in the 12 months before the survey in our sample.

For three of the cybercrime types, there were more repeated victims than single victims: 79.5% of the victims report repeated incidents of illegal access to IT systems, 65.3% of data/system interference, 66.6% internet fraud.