Victimization in Cyberspace: an Application of Routine Activity and Lifestyle Exposure Theories

VICTIMIZATION IN CYBERSPACE: AN APPLICATION OF ROUTINE ACTIVITY AND LIFESTYLE EXPOSURE THEORIES

A dissertation submitted to Kent State University in partial fulfillment of the requirements for the degree of Doctor of Philosophy

Behzat Yucedal

August 2010

Dissertation written by Behzat Yucedal B.S., Turkish National Police Academy, 1998 M.A., Kent State University, 2009 Ph.D., Kent State University, 2010

Approved by Mark Colvin, Ph.D, Chair, Doctoral Dissertation Committee Ryan L. Claassen, Ph.D, Member, Doctoral Dissertation Committee Eric Jefferis, Ph.D., Member, Doctoral Dissertation Committee William Kalkhoff, Ph.D., Member, Doctoral Dissertation Committee Hedieh Nasheri, Ph.D., Graduate Faculty Representative

Accepted by Steven A. Hook, Ph.D., Chair, Department of Political Science John R. D. Stalvey, Ph.D., Dean, College of Arts and Sciences

Table of Contents

Table of Contents ...... iii List of Tables ...... vi List of Figures ...... vii ACKNOWLEDGMENT...... viii CHAPTER 1: INTRODUCTION ...... 1 CHAPTER 2: WHAT IS CYBERSPACE VICTIMIZATION? ...... 6 What makes cybercrime different? ...... 10 Target of Cybercrime ...... 12 Venue of Cybercrime ...... 13 Anonymity ...... 15 Challenges to Criminal Justice System ...... 15 CHAPTER 3: THEORETICAL FRAMEWORK AND HYPOTHESES ...... 25 Routine Activity Theory ...... 28 Lifestyle Exposure Theory ...... 31 Application to Cybercrime ...... 34 Proximity to Motivated Offender...... 38 Exposure to Crime ...... 44 Target Attractiveness ...... 48 Guardianship ...... 50 Constrained Behavior and Risk Perception in Cyberspace ...... 55 Research Questions ...... 61 CHAPTER 4: THE ANALYSIS OF COMPUTER VIRUS AND ONLINE HARRESMENT ...... 64 Hypotheses ...... 66 Data ...... 69 Dependent Variables ...... 74 Independent Variables ...... 76

iii

Analysis and Results ...... 78 CHAPTER 5: THE ANALYSIS OF SPYWARE AND ADWARE ...... 83 Spyware and Adware ...... 83 Hypotheses ...... 92 Data ...... 99 Methodology ...... 101 Analysis Variables ...... 106 Endogenous Variables ...... 106 Spyware and Adware ...... 106 Computer Problems ...... 107 Risk Perception ...... 108 Constrained Behavior ...... 113 Online Lifestyle ...... 113 Computer Literacy ...... 115 Exogenous Variables ...... 116 Frequency of Internet Use ...... 116 Firewall Protection ...... 116 Virus Protection ...... 117 Demographic Variables ...... 118 Measurement Models ...... 119 Computer Problems ...... 119 Constrained Behavior ...... 122 Online Lifestyle ...... 125 Computer Literacy ...... 130 Structural Equation Model ...... 133 Results ...... 139 CHAPTER 6: CONCLUSION ...... 146 Summary of Findings and Discussion ...... 146 Policy Implications ...... 156 Contribution of the Study...... 162 Limitations of the Study...... 164 Future Research Suggestions ...... 165

References ...... 167 APPENDIX 1: Correlation Table for the Variables used in Chapter 4 ...... 177 APPENDIX 2: Missing Variables for May-June 2005 Spyware Survey ...... 178 APPENDIX 3: Correlation Table for the Variables used in Chapter 5 ...... 180 APPENDIX4: SEM Analysis Results for the Indicators of Measurement Models ...... 183

List of Tables

Table 1: Frequency and Descriptive Statistics ...... 75 Table 2: Logistic Regression Results for Computer Virus and Online Harassment Victimizations ...... 79 Table 3: Goodness of Fit Indices and Criteria ...... 104 Table 4: Frequency and Descriptive Statistics for SEM Analysis ...... 109 Table 5: Parameter Estimates for the Hypothesized and Revised Computer Problems Measurement model ...... 121 Table 6: Parameter Estimates for the Hypothesized and Revised Constrained Behavior Measurement Model ...... 124 Table 7: Parameter Estimates for the Hypothesized and Revised Online Lifestyle Measurement Model ...... 129 Table 8: Parameter Estimates for the Hypothesized and Revised Computer Literacy Measurement model ...... 132 Table 9: Parameter Estimates for the Structural Equation Model ...... 136

List of Figures

Figure 1: Cybercrime Victimization ...... 55 Figure 2: Risk Perception and Constrained Behavior ...... 61 Figure 3: Spyware infection rate by quarter (Q) according to Webroot spyware scan data...... 89 Figure 4: Adware infection rate by quarter (Q) according to Webroot spyware scan data...... 90 Figure 5: Structural Model for examining Spyware and Adware Victimization, Risk Perception and Constrained Behavior ...... 98 Figure 6: Hypothesized Computer Problems Measurement model ...... 120 Figure 7: Revised Computer Problems Measurement model ...... 121 Figure 8: Hypothesized Constrained Behavior Measurement model ...... 122 Figure 9: Revised Constrained Behavior Measurement model ...... 123 Figure 10: Hypothesized Online Lifestyle Measurement model ...... 127 Figure 11: Revised Constrained Behavior Measurement model ...... 128 Figure 12: Hypothesized Computer Literacy Measurement model ...... 130 Figure 13: Revised Computer Literacy Measurement model ...... 131 Figure 14: Structural Equation Model ...... 135

vii

ACKNOWLEDGMENT

It would not be possible to finish this study without constant and sincere support and help of my family, professors, and friends. My wife, Nilgun, and my angels, Elif and

Eren, deserve to be mentioned firstly since they sacrificed the most to support me with their love.

I am so grateful to my advisor Dr. Mark Colvin, who has been an incredible mentor. He guided and encouraged me in the dark alley of academic study and he was always there to support me with his wise advices and to help me overcome difficulties that I have experienced. I also would like to thank Dr. Ryan Claassen, Dr. Eric Jefferis,

Dr. William Kalkholff and Dr.Hedieh Nasheri for their invaluable supports and advices. I am so thankful to Dr. Manfred Van Dulmen and Scott Grey for helping me to learn and understand how to use SEM analysis and Mplus statistical package.

Last but not least, I would like to thank my friends for their support and help throughout my study. I have received Dr. Serhat Demir’s continual support and help from the very beginning of my academic study. Our conversations with Ozkan Celik and Dr.

Tamer Koksal about the cybercrime inspired and helped me craft this study. Despite the physical distance between us, Yildirim Uryan gladly answered my questions about SEM analysis as he were right next to me. I also would like to thank Anton Cannaday for editing my dissertation.

Finally, I am most thankful to my mother and father for their love and prayers.

viii

CHAPTER 1: INTRODUCTION

Even though its definition, prevention and punishment might differ based on regional, cultural and temporal differences, crime has always been a universal phenomenon. While each new technology has brought change in people’s lives and has made life easier than the previous era, types of crime and tools of crime have evolved in time along with the changes in social life and advances in technology.

The twentieth century witnessed incredible inventions and technological developments most of which were not even imaginable in previous ages. These developments have penetrated all aspects of people’s lives by enabling immediate communications and easier access to various forms of information. The greatest impact of these developments is the invention and improvements of computer and network technologies. These technologies have increased the speed of calculations and processing of information at such a degree that tasks, previously taking months or years, are now accomplished in minutes. Because of these advances in the last century, especially during the second half of it, the notion of an information age has emerged to emphasize the difference of our times from the past.

Along with the radical changes and benefits that the computer technologies and the evolution of the Internet have brought, serious problems have emerged in coping with the exploitation of these technologies for criminal purposes. Like other tools, computers and the Internet can be used for either legitimate or criminal purposes (Goodman, 1997;

Grabosky & Smith, 2001; Nasheri, 2005; Newman & Clarke, 2003; Wall, 2001, 2007a;

Yar, 2005). Especially with the advancement in the computer technologies and increase in Internet usage, a new crime phenomenon has emerged: “Cybercrime.” By using the new computer technologies and the Internet, also referred to as “cyberspace”, criminals can commit a variety of offenses with very little probability of being detected. There are various reasons for the difficulty of tracing, apprehending and prosecuting cyber criminals. These difficulties mainly include, but are not necessarily limited to, the complexity of these technologies, with which law enforcement agencies have difficulty keeping pace, lack of necessary legislation, and the transnational nature of the offenses committed via the Internet (Cangemi, 2004).

Computer and the Internet usage are rapidly increasing throughout the world as a result of inexpensive personal computers and easy access to the Internet. In 20001, the

number of Internet users reached 360,985,492 by 2009 this number had skyrocketed

to1,802,330,457. When considered in proportion, the number of Internet users increased

480 percent in only nine years. As the number of computers increases and Internet usage expands globally, it is more difficult to dispute the assumption that “cybercrimes will continue to increase and in the near future most crimes will have a cyber component”

(Mendez, 2005, p. 513).

The Internet Complaint Center’s (IC3) annual reports revealed that complaints

received by the center have dramatically increased since 2001. While IC3 received

49,711 complaints in 2001 (National White Collar Crime Center & Federal Bureau of

1 http://www.internetworldstats.com/stats.htm

Investigation, 2001), this number increased to 336,655in 2009 which is also 22.3 % more than the complaints received (275,284) in 2008 (National White Collar Crime Center &

Federal Bureau of Investigation, 2009). Moreover, financial losses caused by cybercrimes reported to IC3 increased from $17.8 million in 2001 to $559.7 million in 2009 which is

nearly twice as much as financial losses in 2008 ($264.6 million). Complaints that were

reported to IC3 include different types of frauds such as auction fraud, non-delivery, and

credit/debit card fraud, as well as other kind of cybercrimes, such as computer intrusions,

spam/unsolicited e-mail, and child pornography.

Although, there have been numerous studies on the technical aspects of the

problem that examine the technical response to preventing cyber threats and maintaining

information security, there remain limited studies that focus on this issue from the

criminal justice perspective. Rather than employing empirical analyses, most of the

studies on cybercrime concentrate on legal issues related to cybercrime or center on

specific cases related to cybercrimes and cyber criminals (Moitra, 2005). There are

limited number of research studies on cybercrime and while some studies merely

examine the offender side of the problem (Skinner & Fream, 1997; Willison, 2002),

others focus only the victims of cybercrime (Alshalan, 2006; Choi, 2008; Holt & Bossler,

2009). Moitra (2005) argues that the main reason for lack of sufficient empirical study on

cybercrime is due to a lack of relevant data and difficulty of collecting those kind of data.

Since incidents of cybercrime and cybercrime victims are increasing, it becomes

necessary to study cybercrime and assess the factors that impact the victimization in

cyberspace. Once it is fully understood how people are victimized, procedures and more

proactive and directed policies can be put into place to prevent cybercrime. As an endeavor to contribute to the body of studies on this particular issue, this study will examine victimization in cyberspace by applying the theoretical framework of routine activities and lifestyle exposure theories which are discussed mainly under the criminal opportunity theories(Miethe & Meier, 1994, p. 35).

This study argues that understanding the situations in which individuals are victimized, how they perceive their own victimization risk and how they change their online behavior to avoid victimization is essential to develop better solutions and policies to maintain security in cyberspace and to prevent cybercrimes. For that reason, in the light of the routine activity and lifestyle exposure theories, this study examines how individuals’ online lifestyles affect their victimization risk and investigates the effectiveness of the digital guardianships in preventing the cyber threats. It is proposed that online lifestyles of individuals determine the risk of victimization by exposing individuals to varying levels of risk depending on what kind of online activities they engage in. Moreover, the digital guardianships, such as firewall and anti-virus programs, should prevent cyber threats, just as guardianships in the physical world, anti-theft alarms or locks, prevent theft. This study also aims to examine how individuals respond to cybercrime victimization in terms of risk perception and constrained behavior using the assumptions of routine activities and lifestyle exposure theories.

In the second chapter of this study, the literature related to cybercrime will be discussed. In the third chapter, the literature about the routine activity and lifestyle theories along with the literature about risk perception and constrained behavior will be

briefly reviewed, and its application to cyberspace will be discussed. In the fourth chapter, by using 2003 National Crime Victimization Survey, routine activity theory assumptions will be statistically analyzed for computer virus and online harassment victimizations. In the fifth chapter, using May-June 2005 Spyware Survey, routine activity and lifestyle exposure theory assumptions will be applied to statistical analysis of spyware and adware victimization, risk perception and constrained online behavior of individuals. Thus the fourth and fifth chapters (using two different data sets) examine two different dimensions of cyber victimization, which are tied together by their common link to routine activity and lifestyle exposure theory. In the last section, a summary of findings will be provided and possible policy implications will be discussed.

CHAPTER 2: WHAT IS CYBERSPACE VICTIMIZATION?

There are various terms that are used to refer to computer and Internet related victimization, some of which are cybercrime, computer crime, information technology crime, and high-tech crime(Goodman & Brenner, 2002). Even though the terms

“cybercrime” or “computer crime” are in general use, these terms are interchangeable to refer to crimes that are committed by using computers, networks, and other technological tools. “Computer crime” was used in early stage of computer and network technology before the Internet came into existence. The term “cybercrime” is now the most popular and widely used term (Moitra, 2005).

According to Moitra (2005), the term “computer crime” generally includes crimes where perpetrators utilize a computer or computers to commit crime, and the term

“cybercrime” refers to crimes that not only involve computers, but also a computer network (generally the Internet). Wall (2007a) argues that it would be more accurate to use the term “cyberspace crime,” but the term “cybercrime” has become a widely used and accepted term, regardless of its merit and demerits, to refer to “transformation of criminal and harmful behavior by networked technology” (p.10). Some harmful behaviors, such as some forms of spyware, may not reach the level of criminality as conventionally conceived, but cause victimization by infecting and damaging computer software; thus the more general term “cyberspace victimization” may be more appropriate to describe the array of cyber threats examined in this study.

However, there is no consistent definition of the term “cybercrime” and there is no national or global consensus on what cybercrime is (Brenner & Clarke, 2005;

Goodman, 1997; Moitra, 2005; Yar, 2005). Moreover, the term “cybercrime” is not a legal term contained in any law, but it has been used by politicians, academicians, media and public to refer to computer and network mediated illicit activities(Clifford, 2001;

Wall, 2001).

Since cybercrime is a fairly new term and there is no consensus on what it legally means, it is therefore necessary to understand what cybercrime is and what makes it different from conventional crimes. Some scholars argue that the term cybercrime does not refer to new crimes and it is merely the new way of committing conventional crimes that can be investigated, prosecuted and punished under the current law (Grabosky,

2001). Grabosky (2001) uses the metaphor of “old wine in new bottles” to illustrate that crime in the virtual world is not different than physical world crimes. On the other side of the debate, scholars argue that new computer and network technologies have not only created novel ways of committing conventional crimes, but those technologies have also created new forms of deviant activities which could not have been committed without the existence of computer and network technologies(Brenner, 2001; Moitra, 2005; Wall,

2001, 2007a). These forms of cyberspace victimization include computer viruses, hacking, spyware and adware.

Wall (2001) provides a more broad approach, in a sense, to combine both approaches by arguing that criminal activities have been affected in three main ways by the establishment of the Internet. First, the Internet has created a new communication

medium for conventional crimes, such as drug trafficking, stalking or hate speech.

Second, the Internet has provided new opportunities for existing forms of harmful and deviant behaviors, such as pedophilia or fraud, by creating a transnational environment.

Third, the Internet has created entirely new forms of criminal activities such as hacking, denial of service attacks or dissemination of computer viruses. He also contends that some of the new harmful activities in cyberspace indicate “a scenario where there exists new wine, but no bottles at all” (Wall, 2001, p. 3).

Instead of categorizing cybercrimes as new criminal activities or new means of committing old crimes, Yar (2006, p. 9) suggests,

“[I]nstead of trying to grasp cybercrime as a single phenomenon, it might be better to view the term as signifying a range of illicit activities whose ‘common denominator is the central role played by networks of information and communication technology in their commission.”

By sharing similar point of view, Moitra (2005) defines cybercrime as “any unauthorized, or deviant, or illegal activity over the Internet that involves a computer (or computers) as the tool to commit the activity and a computer (or computers) as the target of that activity” (p. 244). Goodman and Brenner (2002) also assert that we can examine cybercrime under two major categories. In one, the computer is the target of the offense

(computer-focused crimes), such as attacks on network confidentiality, integrity and/or availability. In the second category the computer is used as a tool to commit conventional crimes (computer-assisted crime), such as theft, fraud, and forgery that are committed with the assistance of computers and computer networks technologies.

Although Goodman and Brenner’s (2002) and Moitra ‘s (2005)categorizations help us to understand types and extent of cybercrime, this categorization might be limited

when the issue is taken into consideration from a criminological perspective since “it focuses on the technology at the expense of the relationships between offenders and their targets or victims” (Yar, 2006, p. 10). In that sense, Wall’s (2001) categorization, which uses categories drawn from criminal law, gives more comprehensive classification of cybercrime. Wall (2001) argues that cyberspace victimization can be grouped into four legal categories;

Cyber-trespass refers to the unauthorized access to computer or computer networks and/or causing damage. These types of activities consist of hacking/cracking, dissemination of viruses, spyware and adware, defacement etc.

Cyber-deceptions/theft describes the conventional crimes such as theft, fraud, or digital piracy that takes place in cyberspace.

Cyber-pornography/obscenity is “the publication or trading of sexually expressive material within cyberspace” (p.6) (wall, 2001).

Cyber-violence refers the violent activities that give psychological and/or physical harm to other individuals and/or groups of people by violating laws that protect the individuals and groups. Those kinds of violent activities consist of hate speech, cyber stalking etc.

This classification categorizes cybercrimes according to the object or target of the illicit activity in which Cyber-trespass and Cyber-deceptions/theft refers to ‘crime against property’, Cyber-pornography/obscenity represents ‘crime against morality’, and Cyber- violence relates to ‘crimes against the person’(Wall, 2001). Yar (2006)argue that ‘crimes

against the state’(e.g. terrorism, espionage and disclosure of official secrets) can be added to this classification.

In all those definitions and classifications, there is a unique common feature that, regardless of being an old or new type of victimization, cyberspace provides unique characteristics for cybercrime that makes it different than victimization in the physical world, and those characteristics present a challenge to individuals, private businesses, governments and criminal justice systems throughout the world in keeping pace with cyberspace victimization. Several scholars who specialize in cybercrime suggest that, in order to understand why cybercrime is a complex topic to study, we should look at the unique characteristics of cybercrime that makes it different from conventional crimes(Goodman, 1997; Moitra, 2005; Speer, 2000). It is these characteristics, which also make preventing, policing, prosecuting and investigating cybercrimes difficult. For that reason, in the following section, the transformation of crime with the establishment of the computer and networked technologies, specifically the Internet, and how cybercrime differs from real world crimes will be discussed.

What makes cybercrime different?

What makes today’s world different from the previous times is the ease of access

to and rapid flow of the information, which is depicted in the term of information age or

information society. The notion behind the idea of information age or information society

is the shift “in values from more tangible to less tangible forms of wealth; from thing to

ideas expressed in informational sources” (Wall, 2007a, p. 32).There is no doubt that the

introduction of computer and network technologies, especially the Internet in which

information can easily be accessed, distributed and proliferated, have accelerated and contributed to the information age (Grabosky & Smith, 2001; Nasheri, 2005; Wall,

2007a; Yar, 2006). Exponential growth in computer and Internet usage has further expanded the notion of an information age with dramatic change in every aspect of the daily lives of individuals, private businesses and governments including communication, banking, trading, education, managing, and governing(Furnell, 2002; Grabosky & Smith,

2001; Nasheri, 2005; Wall, 2001). Those technologies have not only changed daily life but also affected the nature of crime by providing new opportunities for conventional crime and creating new crimes which cannot be otherwise committed without the existence of those technologies (Furnell, 2002; Grabosky, 2001; Grabosky & Smith,

2001; Pease, 2001; Wall, 2001, 2007a).

Although the motivation of offenders may have changed, what makes cyberspace an attractive platform for cybercriminals is the variety of opportunities created by virtual and networked environments (Geer, 2007; Levi, 2001; Wall, 2001, 2007a). Through using the vulnerabilities in computer and network technologies and opportunities provided by those technologies, criminals may carry out wide range of illicit activities including fraud, theft, hacking, dissemination of malicious software, offenses against morality and cyberterrorism, which constitute serious threats to every part of the society from individuals to governments (Goodman & Brenner, 2002; Wall, 2001, 2007a; Yar,

2006).

Cyberspace, in which everything is digitally stored and transmitted removes the physical limitations of the real world that govern both licit and illicit actions of

individuals (Wall, 2001, p. 3; Yar, 2005, p. 410). Scholars who write about cybercrime discuss the distinguishing characteristics of cybercrime by referring to its networked, digitized, and globalized nature which makes it different from real world crimes (Balkin

& Kozlovski, 2007; Brenner, 2004a, 2004b; Grabosky & Smith, 2001; Wall, 2001,

2007a). In the light of current literature, what makes cybercrime different can be discussed under three major categories: target of cybercrime, venue of cybercrime, and anonymity.

Target of Cybercrime

In the real world crimes, the targets of crime in many cases are either a property

(such as portable electronics, automobiles, jewelry or cash) or a person, which are tangible in nature. But in cyberspace, the targets of cybercrime are in many cases digitally stored and transmitted information, which is intangible. Digital information consist of electronic bits (0s and 1s) (Goodman, 1997) which makes its reproduction, alteration, and eradication much easier, faster and costless (Geer, 2007; Grabosky &

Smith, 2001; Wall, 2001, 2007a; Yar, 2005). In the real world every object has a unique identity and takes a unique place in time and space and it cannot be in two different places at a given time, but in cyberspace every object can simultaneously exist in multiple locations (Geer, 2007, p. 29). Thus information that is stored on a networked computer is more vulnerable to attacks which are likely to come from people who want to copy, modify, destroy, or steal it (Dunn Cavelty, 2007, p. 15).

However, information is raw material and does not carry value by itself, unless it

is attached a meaning and processed to create knowledge (Dunn Cavelty, 2007, p. 15).

Information is also intangible in nature and it exists regardless of whether it is stored digitally on a computer or printed on a paper. Wall (2007a) argues that “[v]alue in cyberspace is attached mainly to the expressions of informational ideas rather than things.

The focus of cybercrime, therefore, is to acquire information in order to extract its value.”

(p.32). Information in cyberspace can be an individual’s Social Security Number or a company’s trademarked intellectual property or a country’s military defense plans.

Venue of Cybercrime

Not only is the target of crime in cyberspace shifted from tangible to intangible, but also the place where crime is committed is changed from the terrestrial world to cyberspace in which there are no states or international geographic borders (Brenner,

2004a, 2004b; Goodman & Brenner, 2002; Wall, 2007a). One can reach any point in cyberspace in a second and the conventional concept of distance and physical proximity becomes meaningless (Brenner, 2004a, 2004b). Yar (2005, p. 18) uses the term “anti- spatial” to refer to cyberspace and says there is zero difference between all points in the cyberspace regardless of where you connect from in the terrestrial world.

The anti-spatial characteristic of cyberspace also makes the victim-offender relationship different than relationships in conventional crimes. While in conventional crimes offenders have to be physically present to commit a crime, “cybercrimes can be committed from anywhere in the world as bits are transmitted over wires, by radio waves, or via satellites” (Goodman, 1997, p.471). Citing Geer (2004), Wall (2007a) argues that cyberspace creates an environment in which “every sociopath in the neighborhoods is living next to you, and there are no good neighborhoods” (p.37). Hence “cybercrime is

characterized by a remoteness between the perpetrator and the victim (or remoteness of the ‘scene of the crime’) (Moitra, 2005, p. 446). Today, a theft, a fraud or a forgery in

Europe can easily be committed through the Internet by a cyber criminal who is physically somewhere in America, Asia, Africa or somewhere else.

Moreover, cybercriminals have more opportunities to find potential targets as a result of the inherent features of the Internet which enables individuals to communicate with thousands of other individuals simultaneously (Yar, 2005). Hallam-Baker (2008) argues that “with a billion users and a billion-plus machines, there will never be a shortage of vulnerable targets” (p.4). Thus the Internet acts as a ‘force multiplier’ by providing cybercriminals with the opportunity of generating huge harmful effects on multiple targets with little effort, which is not possible to achieve within the real world’s physical constraints (Brenner, 2004a; Wall, 2001, 2007a; Yar, 2005).

In the physical world, most of the crimes have only one victim or a limited number of victims at a time because an offender can be in one place at the same time.

This is not the case in cyberspace. Since cybercrimes can be automated by multiplying the number of discrete offenses, cybercriminals can quickly and easily reach out to thousands of victims in remote locations at different time frames (Brenner, 2004a,

2004b). Brenner (2004b) argues that “one-to-many victimization is… the correct default assumption for cybercrime” (p.5). For instance, cybercriminals can send thousands or

millions of spam emails that may contain malicious codes or they may send scam or

phishing emails to thousands of potential victims with a little effort.

Anonymity

In the physical world, criminals use varying techniques to conceal their identity to insure that the crime is anonymous, such as covering their face or wearing gloves so as not to leave any finger prints, but they cannot hide certain characteristics such as weight, height or accent (Brenner, 2004a, p. 8). On the other hand, cyberspace provides more efficient methods to secure anonymity since cybercriminals are not required to be physically at the crime scene. As Brenner (Brenner, 2004a, 2004b) posits, cyberspace provides “perfect anonymity” to its users. Criminals use different tools and technologies to disguise their identity such as encrypted communication, anonymous re-mailers or zombie computers, which makes it difficult to identify and apprehend cybercriminals

(Grabosky & Smith, 2001; Wall, 2001; Yar, 2006).

Challenges to Criminal Justice System

Those distinct characteristics that make cybercrime different from physical world crimes, as explained in the previous section, challenges the current legal system and law enforcement capabilities to keep society safe from threats posed by criminal behavior and to punish criminals. There is a contradiction between the current criminal justice system, which is historically and structurally confined within local borders, relatively centralized, and mainly a reactive system, whereas cybercrime spans national boundaries (Geer,

2007; Moitra, 2005; Nasheri, 2005; Wall, 2001, 2007a; Yar, 2005). Despite this contradiction there is an increasing demand for the criminal justice system to effectively respond to cybercrime and cybercriminals. Although there have been new legal actions and policing approaches against cybercrime at the national and international levels,

unfortunately, responses to new criminal activities created by the exponential growth of the Internet have been slow and problematic (Brenner, 2004a, 2004b; Kozlovski, 2007;

Nasheri, 2005; Wall, 2007a, 2007b; Yar, 2005).

There are several reasons for the problems in tracing, apprehending and prosecuting cyber criminals. These difficulties mainly include, but are not necessarily limited to, the complexity of these technologies, with which law enforcement agencies have difficulty keeping pace, lack of necessary legislation, and the transnational nature of the offenses committed via the Internet (Cangemi, 2004). Law enforcement officers and prosecutors encounter problems while dealing with cybercrime because of the complexity of high technology crimes (Myers & Myers, 2002).

Within an environment of such complexity, the point is whether criminal justice officials have a sufficient level of knowledge and skills to detect, investigate, and prosecute cybercrimes. Since it is a relatively new phenomenon, many members of the law enforcement and criminal justice system are not familiar with cybercrime (Moitra,

2005). Speer (Speer, 2000) and Yar (2006, p. 16) argue that many law enforcement agencies do not have sufficient knowledge, skill and expertise to deal with cybercrime.

Computer and network technologies require that law enforcement officials have at least a certain level of expertise to permit them to collect digital evidence and identify cybercriminals. However, very few law enforcement agencies have officers who have sufficient expertise and skills to effectively investigate cybercrime incidents. Even within those situations where there are individuals with cybercrime detection backgrounds it remains a difficult task to pursue the offender who may have abundant opportunities to

conceal their identities and cover their tracks by using spurious, stolen, or temporarily administered addresses, computer labs, and business places (Montana, 2000). Moreover, the trend from real-time attacks, via hacking into systems directly, toward non-real-time attacks, which do not require the perpetrator or his machine directly participating in the attacks and which involve improved and automated tools, allow hackers to hide their tracks and perpetrate their crimes more easily (Hill III, 2003).

According to Myers and Myers (2002, p. 245), “there is a significant shortage of criminal justice and corporate information security personnel, who have a sufficient level of knowledge, skills, and attitudes to detect, investigate and prosecute high technology crimes.” In their study, they were interested in examining to what extent the current academic curricula expose undergraduate criminal justice and criminology students to essential knowledge about cybercrime investigation. According to their study’s results, a significant number of criminal justice and criminology academic programs do not offer courses that can provide essential knowledge about the cybercrime investigation to their students. Moreover, most of the academic programs indicated that they were not planning to change their academic curricula in the near future. Myers and Myers (2002) emphasize the necessity for an appropriate level of education and training of criminal investigators to be able to cope with high technology crimes.

Taking the issue from a different perspective, Huey (2002) argues that challenges to policing cybercrime stem from the nature of cyberspace and from old law enforcement habits in which “the police culture is grounded in a perceptual schema tied to understandings of the policing function as being linked to physical/geographical notions

of what constitutes territory to be policed” (p.243). In that sense, law enforcement sees cyberspace as fundamentally different than the physical world. Hence, in cyberspace, classical policing strategies cannot be easily implemented. Huey (2002)suggests that this perception within the law enforcement partially explains the unwillingness of many local policing agencies to investigate cybercrimes.

In conventional crimes, the criminal must be physically present at the crime scene. Therefore, law enforcement officials have a better chance to collect ample concrete evidence to find the offender and bring him or her to justice. However, in cybercrime, remoteness between the offender and the crime scene/victim and the anonymity provided by cyberspace make the investigation of the crime and identification of the offender by law enforcement agencies more difficult (Speer, 2000; Wall, 2001). As a result of such characteristics of cybercrime, it is extremely difficult, if not impossible, to identify and apprehend the offender. Even if the offender is identified, in many cases offenders are in another state or country. This brings in the problem of different jurisdictions, which makes the issue of investigating the crime and finding the offender more complicated than the conventional crimes (Cangemi, 2004; Goodman, 1997;

Moitra, 2005; Wall, 2007a; Yar, 2005).

In order to deal with the problem of multiple jurisdictions, cooperation among various law enforcement agencies and countries is essential (Moitra, 2005; Nasheri,

2005; Speer, 2000; Wall, 2007a; Yar, 2005). However it is not easy to establish cooperation between different countries. The main problem is the structure of the Internet

in which there are no national borders. The Internet is a genuine computer network on a global scale. Cangemi (2004, p.166) argues that

“[U]nder the traditional principles of international public law, States have jurisdiction only on the territory where they exercise their national sovereignty. There is thus a conflict between cybercrime, which is global in scale, and police activities that are confined to national borders”

On the other hand, even when various agencies and countries are willing to cooperate to deal with cybercrime, the definition of cybercrime or cybercrime laws in those countries can be a problem to maintain cooperation (Nasheri, 2005). Definition of cybercrime and/or laws that define cybercrime can be different in different jurisdictional areas (Moitra, 2005). Since the laws are not identical, it may create an obstacle for the establishment of cooperation and investigation of cybercrimes.

The case of the Love Bug virus is a good example for the transnational characteristic of cybercrime, the danger that cybercrimes may pose, and the difficulties criminal justice officials may encounter in detecting, pursuing, prosecuting and punishing cybercriminals.

The Love Bug, a computer virus that destroys files and steals passwords, was released to the Internet during May 2000. The virus affected more than 45 million users in more than 20 countries, and the estimated damage caused by the virus varied from $2 billion to $10 billon. The individual suspected of creating and disseminating the virus was quickly identified through the cooperation of Philippines' National Bureau of

Investigation and the FBI. However, since the Philippines had no laws pertaining to cybercrime, it was a problem convincing a magistrate to issue a search warrant, which took days, allowing the suspect to destroy essential evidence. Since, the Philippines had

no necessary laws criminalizing hacking and disseminating viruses, the perpetrator could only be charged with theft and card fraud, but the charges were later dismissed as inapplicable and unfounded. The result was that no one was ever prosecuted in spite of the great number of victims and the huge amount of damage caused (Goodman &

Brenner, 2002; Herrera, 2001).

Therefore, one of the more critical challenges that law enforcement and prosecutors encounter are legislative issues, that is, legislation differences among countries, inadequacy in international law and some political and cultural considerations

(Montana, 2000). Many countries do not have laws that are necessary to outlaw the illicit actions in cyberspace and to create procedures for investigating and prosecuting those illicit activities. Even when they have them, those laws fail to keep pace with the constantly changing nature of cybercrime (Kozlovski, 2007; Moitra, 2005; Nasheri, 2005;

Speer, 2000; Wall, 2007a).

Today, some emerging countries and developed countries, including the United

States and most of the European countries, have enacted some legislation dealing with cybercrime (Moitra, 2005; Nasheri, 2005; Speer, 2000), and as new threats emerge new laws are enacted. However, as in the example of the Love Bug virus, some countries do not have cybercrime laws, especially developing countries (Montana, 2000), and this constitutes an obstacle to the global consensus and cooperation to deal with cybercrime.

For that reason, Goodman and Brenner (2002) draw attention to the need of global consistency in cybercrime legislation and propose that consensus may be achieved on some crimes so that an essential level of consistency is established in global cybercrime

legislation. Nasheri (2005, p. 42) also argues that “[t]he global interconnection of vulnerable computer systems may require a uniform transnational legal framework for addressing multinational computer-related crime.”

Because of this, many initiatives have been taken at the international level for the purpose of creating international legislative harmonization. For example, the G8 Member

States adopted the Principles and Action Plan to Combat High-tech Crime, and the

United Nations developed a manual on the prevention and control of computer-related crime, as ways of promoting a harmonized approach to legislating against computer crime. One of the first major initiatives arose under the auspices of the Organization for

Economic Co-operation and Development (OECD). In 1986, the OECD published a report that detailed five categories of offences that it believed should constitute the basis for a common approach to computer crime (Walden, 2004).

The Council of Europe Convention on Cybercrime, which is the first international treaty on crimes committed via the Internet and other computer networks, illustrates a successful example of international attempts to harmonize cyberlaws around the world.

The Convention on Cybercrime was signed by the Council of Europe and non-member states Canada, Japan, South Africa, India, and the United States (Huey & Rosenberg,

2004).

The Convention is a very important step towards harmonizing domestic criminal laws and setting up a fast and effective regime of international co-operation. One of the important points addressed by the Convention is to provide necessary domestic criminal procedures and legal powers for the investigation and prosecution of cybercrimes and for

any type of criminal investigation that requires collecting evidence in electronic form.

The reason is that most countries that still use conventional investigative powers do not have adequate procedural rules applicable in cyberspace, such as how to compile evidence, locate the source and identify the perpetrator of an offence. However, while provisions of the Convention enable computer data to be obtained or gathered for ongoing criminal investigations, it does not offer a proactive solution to deal with cybercrime (Cangemi, 2004).

The Convention has also been criticized by civil liberties groups for undermining individual privacy and expanding surveillance powers far beyond the current state (Huey

& Rosenberg, 2004). Huey and Rosenberg (2004, p.598) argue that the Convention's requirements represent “a substantial threat to Internet users' online privacy while placing onerous obligations on private businesses.”

Whether these attempts to harmonize domestic laws sacrifice the privacy of individuals or not, it should be expected that this kind of international initiative is necessary to protect the people from harmful activities of the Internet. Despite these international and national efforts to establish effective and efficient cyberlaws, legislation dealing with cybercrime has had very limited deterrent effect and has been very slow to catch up with the problems exposed by the cybercriminals (Kozlovski, 2007; Moitra,

2005; Nasheri, 2005; Speer, 2000; Wall, 2007a). For example, the Computer Fraud and

Abuse Act of 1986 is important legislation addressing cybercrime in the United States.

The Act, however, is out dated for dealing with recent advances in cybercrime.

Moreover, by dealing primarily with federal computers, this Act does not cover privately

owned computers and networks (Speer, 2000). Another example is the Computer Misuse

Act of 1990 in the United Kingdom. This legislation is more comprehensive than the

United States’ Act. It covers all computers, rather than just federal computers.

Unfortunately, this document is also old legislation (Speer, 2000). In short, the technology and the criminals who use this technology are moving faster than the legislation.

Law enforcement agencies are not only faced with the problems of lack of cooperation, and jurisdictional and technical difficulties, they are also confronted with the problem of dealing with a large number and variety of victims of cybercrimes. The primary victims of such crimes are governments and businesses and their various agencies, corporations, and organizations. These institutions each have different agendas that often times are opposed to each other, which hinders progress toward the common goal of elimination of cybercrime. Besides, a large percentage of cybercrimes are committed against individuals, but there is sparse data on the full impact of cybercrime on individuals. Although some surveys have been conducted on cybercrime against households and some reported data on personal victimization have been collected there are no data that have been systematically and uniformly collected on the various ways that private individuals have been affected (Moitra, 2005). Legislative and law enforcement policies do not place enough emphasis on the individual victims and individuals have limited power and influence over governments (Speer, 2000).

Moitra (2005), emphasizing a similar point, argues that not only the laws are unable to keep pace with cybercrime, but also our limited knowledge about cybercrime prevents us from creating effective laws and policies.

“Laws are being developed on the basis of presumed technical possibilities of various deviant, harmful, or dangerous activities over the Internet. These laws also seem to be influenced by individual cases and the presumed nature of cybercrime. However, law enforcement policies also need to consider the actual prevalence of the different types of cybercrimes, the modus operandi of cyber criminals, and the actual impact of these action” (Moitra, 2005, p. 442).

Despite considerable efforts, cybercrime still is a serious problem in cyberspace and cybercriminals still pose serious threats to individuals, businesses and governments.

As mentioned above, attempts to create better policies either on the national or international level have not achieved a deterrent effect against the cybercriminals, and cybercrime remains on the rise. Moreover, it is difficult to prosecute and to investigate cybercrimes. Hence, it becomes necessary to prevent cybercrimes before they occur and prevention heavily depends on creating better policies/methods. Understanding how cybercrime occurs or how individuals are victimized assist in identifying the patterns that cause victimization in cyberspace. With this understanding, effective polices and methods can be created. For that reason, this study focuses on victimization of individuals in cyberspace using as its theoretical framework of routine activities and lifestyle theories, which have been previously applied to understanding crime in the physical world.

CHAPTER 3: THEORETICAL FRAMEWORK AND HYPOTHESES

Different than dispositional theories, such as social disorganization or learning theories that focus on how a person becomes a criminal in a disorganized deviant society or how a person learns to become a criminal from deviant intimate others, routine activity and lifestyle exposure theories take criminal inclination as given and focus instead on the situations in which crime occurs. They argue that those situations are created by individuals’ daily routine activities and lifestyles, which provide opportunities for offenders to commit crime (Miethe & Meier, 1994, p. 36).

Sampson and Wooldredge (1987) argue that "the more general opportunity model

(Cohen et al. 1981), which incorporates lifestyles and routine activities with a more explicit focus on ecological proximity and macro sociological processes ... provides the most promising path for future multilevel victimization research" (p. 391). For that reason, numerous studies have combined the assumptions of both routine activities and lifestyle exposure theories into empirical analyses of victimization, fear of crime, and situational crime prevention (Choi, 2008; Clarke, 1995; Fisher, Sloan, Cullen, &

Chunmeng, 1998; Holt & Bossler, 2009; Holtfreter, Reisig, & Pratt, 2008; Messner,

Zhou, Lening, & Jianhong, 2007; Miethe & Meier, 1990, 1994; Miethe, Stafford, &

Sloane, 1990). In that sense, this study aims to examine the factors that affect victimization in cyberspace and how people respond to cyberspace victimization

experiences in terms of risk perception and constrained behavior by using the routine activity and lifestyle exposure theories.

Although routine activity theory and lifestyle exposure theory are separate theories, both theories share common assumptions and it is difficult to distinguish the two; thus studies generally combine both theories (Choi, 2008; Fisher, et al., 1998; Holt

& Bossler, 2009; Holtfreter, et al., 2008; Messner, et al., 2007; Miethe & Meier, 1990,

1994; Miethe, et al., 1990). Neither theory attempts to explain the motivation behind offenders’ decisions to commit crime. Instead, they focus on how daily routine activities or lifestyles of individuals create opportunities for offenders to commit crime. Offenders’ motivations, in that sense, are a given from both theories’ perspective.

The difference between the two theories is in their terminology and emphasis used

to explain crime and victimization risk (Miethe & Meier, 1990). The lifestyle exposure

theory was developed to explain the demographic differences in risk of personal

victimization, whereas routine activity theory focus on how crime occurs by discussing

the spatial and temporal order of crime (Miethe & Meier, 1994, p. 35). Moreover, lifestyle exposure theory was presented by Hindelang, Gottfredson, and Garofalo one year earlier (in 1978) than routine activities theory; it focused solely on how individuals’ lifestyles affect their exposure to victimization risk. In that sense, routine activity theory provides more a comprehensive explanation by including in the theoretical explanation the convergence of three elements in time and space: motivated offender, suitable target and absence of guardianship. It can be argued that routine activity theory is an extension

of lifestyle exposure theory in which the assumptions of lifestyle exposure theory is absorbed as the suitable target component of routine activities theory (Choi, 2008).

Different than the sociological explanation of crime, both the routine activity

(Cohen & Felson, 1979) and lifestyle exposure (Hindelang, Gottfredson, & Garofalo,

1978) theories focus on the factors that make crime possible and contribute to victimization risk. Sociological approaches, such as social disorganization or learning theories, focus on how a person becomes a criminal in a disorganized deviant society

(Shaw & McKay, 1942) or how a person learns to commit crime from deviant intimate others (Akers, 1985). The routine activity and lifestyle exposure theories, on the other hand, take criminal inclination as a given and discuss the situations that expose individuals to risk of victimization and provide the opportunity for individuals to commit crimes.

For that reason this study uses routine activity and lifestyle exposure theories in tandem to explain victimization in cyberspace. First, both routine activity and lifestyle exposure theories will be briefly reviewed. Second, how the assumptions of both theories can be applied to cyberspace to explain cybercrime victimization will be discussed.

Third, how people respond to victimization experience will be examined in reference to the fear of crime literature, which mostly uses routine activity and lifestyle exposure theories in explaining fear of crime. Finally, the research questions of this study will be delineated.

Routine Activity Theory

The routine activity theory, essentially, explains how crime occurs with the convergence of three elements; motivated offender, suitable target and absence of capable guardianship. When these three elements converge in time and space, crime occurs. In other words, when the motivated offender comes in contact with the suitable target in the absence of a capable guardian that could potentially prevent the offender from committing crime, crime occurs (Cohen & Felson, 1979). Convergence of these three elements creates opportunities for criminal and deviant activities and increases the likelihood of criminal victimization. The absence of any of these three elements from the equation prevents the occurrence of criminal and deviant activities (Cohen & Felson,

1979; Messner & Blau, 1987; Miethe & Meier, 1994). According to Mustain and

Tewksbury (1998), a motivated offender may not have a chance to find an opportunity commit crime for several reasons. An offender may not find a person or property that is vulnerable or valuable enough to merit interest. The offender may find a suitable target, but since it is well guarded, a criminal act may not be accomplished.

The routine activity theory was developed by Cohen and Felson (1979) to examine the rising crime rates of the 1960s and 1970s despite improved living conditions in the American society and the increased education and income levels, which were supposed to decrease crime rates. Cohen and Felson (1979) propose that variation in crime rates can be explained by the change in daily routine activities. They argue that changes in daily routine activities increase the likelihood of convergence of motivated offender, suitable target and absence of capable guardianship regardless of changes in

structural conditions that affect the number of motivated offenders. In other words, what causes an increased crime rates is not the increased number of offenders in the society, but an increase in criminal opportunities available to potential offenders. Furthermore, they contend that opportunities created by the convergence of these three elements have a multiplicative effect on crime rates rather than merely an additive effect. So, the answer to increased crime rate should be sought in the situational structures in which crime occurs (Cohen & Felson, 1979).

Deriving from Hawley’s (1950) human ecology theory, Cohen and Felson (1979) argue that an individuals’ routine daily activities have a regular rhythm, tempo and timing, and once a potential offender who coordinates his criminal activity with the suitable target’s daily routines may find an opportunity to commit crime. For instance, people may leave their house during the day for a patterned period of time because they need to go to work or school in a regular way. A potential offender may perceive this daily recurrent activity as an opportunity to enter the unprotected empty house to steal valuable things. Thus, criminal victimization risk is influenced by individuals’ daily routine activities that bring them or their properties into direct contact with potential offenders (Cohen & Felson, 1979; Cohen, Kluegel, & Land, 1981). Mustain and

Tewksbury (1998) argue that “the routines of activities influence the degree of exposure one has to potential offenders, how valuable or vulnerable individuals or their property are as targets, and whether/or how well guarded they or their property is” (p.830).

Cohen and Felson (1979) posit that the increase in crime rate during the 1960s and 1970s was due to increased criminal opportunities created by the change in social life

after World War II in which women started to join the workforce, the number of household members decreased, and individuals began to spend more time away from their home; thus offenders had more opportunities to enter empty houses for theft or to encounter potential victims in public places for violent crimes. Those changes in social life reduced the social guardianship of household members and brought individuals who spend more time in public into greater direct contact to potential offenders, thereby increasing their visibility and accessibility to offenders. Hence, criminals had more opportunities to find unprotected suitable targets.

In this context, it is argued that our routine activities create opportunities for offenders to find suitable targets in the absence of capable guardians. These activities range from formal daily occupational activities to leisure activities such as going to work or school, shopping, entertaining and interacting with others. The opportunity created by daily routine activities is at the center of crime causation and changes in routines of daily life in society increases opportunities for criminals (Miethe & Meier, 1994, p. 30).

Routine activity and lifestyle exposure theories have been applied to a variety of crimes, both violent and property crimes, by many scholars (Cohen & Felson, 1979;

Cohen, et al., 1981; Messner & Blau, 1987; Miethe & Meier, 1994; Miethe, Stafford, &

Long, 1987; Mustaine & Tewksbury, 1998). Although, both theories have received a great deal of empirical support, it is argued that they do better job in explaining property crimes, rather than violent crimes (Miethe et al., 1987, Miethe &Meier, 1994).

According to routine activity theory, motivations behind offenders’ decisions to commit crime may differ (monetary gain, fun, revenge, etc.), but without having

opportunity to commit crime none of those motivations would be enough to successfully transform the criminal decision into action. They do not deny the importance of understanding what motivates offenders and under which circumstances they become criminal (Clarke & Felson, 1993; Cook, 1986), but they argue that understanding situations that make crime possible is crucial for crime prevention by altering those situations. Inspired by this idea, situational crime prevention methodologies have been widely discussed in the literature and implemented in a number of different ways for different crimes (Newman & Clarke, 2003; Newman, Clarke, & Shoham, 1997).

Lifestyle Exposure Theory

Drawing on an analysis of data from eight major American cities, Hindelang and his colleagues(1978) assert that the risk of victimization depends on different lifestyles of individuals, which is defined as “routine daily activities, both vocational activities (work, school, keeping house, etc.) and leisure activities” (Hindelang, et al., 1978, p. 241).

Different lifestyles expose people to different situations and some lifestyles may bring people into more crime-prone situations in which people are exposed to higher risk of victimization. According to Hindelang et al. (1978), people who spend more time in public places, especially during the night, and with non-family members are more likely to be victims of personal crimes, and being in public places is directly related to the lifestyles of individuals.

An individual’s lifestyle is the result of role expectations and structural constraints in the society. Individuals adjust or adapt their behaviors according to role expectations and structural constraints. It is central to Hindelang et al’s (1978) argument

that people who have different demographic and socioeconomic characteristics, related to age, sex, marital status, family income, and race, may have different role expectations and structural constraints that affect lifestyle choices available to individuals, such as where they live, with whom they associate, or how they are entertained, which in turn expose individuals to different risks of victimization (Hindelang, et al., 1978, p. 242).

For instance, a single male may spend more time in public places during the evening, whereas a married older person may spend most of his time at home with his family as a result of role expectations. Moreover, structural constraints, such as income or education level of individuals, may impose limitations on choices available to them such as living places or job opportunities. Less education may limit job opportunities available to individuals, and a job affects income level, which in turn affects where people live and with whom they interact.

Thus, different role expectations and structural constraints force people to adopt different lifestyles, which in turn expose people to different levels of victimization risk.

Some types of lifestyles lead people into situations that expose them to higher victimization risk when compared to other lifestyles. Hindelang et al. (1978, p. 245) argue,

“Variations in lifestyle are related differentially to probabilities of being in particular places at particular times and coming into contact with persons who have particular characteristics; because criminal victimization is not randomly distributed across time and space and because offenders in personal crimes are not representative of the general population- but rather there are high risk times, places, and people- this implies that lifestyle differences are associated with differences in exposure to situations that have a high victimization risk.”

In their study using data from eight major cities in the United states, Hindelang et al. (1978, p. 3) found that personal characteristics associated with victimization showed similar patterns across all cities that were examined. Moreover, they also found that

“rates of victimization are closely related to age sex, marital status, family income, and race” (Hindelang, et al., 1978, p. 4). For instance, younger, male and single persons are more likely to be victimized than, respectively, older, female, and married persons.

Based on those findings, they assert that differences in victimization are related to lifestyles of individuals which in turn may lead to individuals to be “in places and situations with high opportunities for criminal victimization” (Hindelang, et al., 1978, p.

121). Furthermore, they argue that people, who spend more time in public places, especially during the night, are more likely to be victims of crime, and being in public places is directly related to lifestyles of individuals (Hindelang, et al., 1978, pp. 251-253).

In that sense, it can be argued that both routine activity and lifestyle exposure theories explain the chemistry of crime by identifying the situations that expose people to victimization risk that makes crime possible (Felson, 1998). Both theories emphasize that crime is not randomly distributed across the society, but rather it follows regular patterns in time and space. So, individuals have greater risk of victimization in certain places at certain times and once those patterns of criminal events and situations that make crime possible are identified, those patterns and situations can be altered in a way to prevent crime occurrence (Cohen & Felson, 1979; Felson, 1998; Messner & Blau, 1987; Miethe

& Meier, 1994; Mustaine & Tewksbury, 1998).

Application to Cybercrime

According to Cohen and Felson (1979), technological advances such as automobiles, weapons, power tools, or telephones can be used for legitimate and illegal purposes. Those technologies may provide better opportunities to commit crime or can be used by potential targets to protect themselves or their properties. A gun can be used to facilitate a crime or the same gun can be used to prevent a crime. Cohen and Felson

(1979, p. 590) argue that “one can analyze how the structure of community organization as well as the level of technology in a society provide the circumstances under which crime can thrive.” Thus, technological changes not only contribute to and make daily life activities easier, but criminals may also exploit those changes for their criminal and deviant purposes.

The same argument can be applied to cyberspace that is created by advances in computer and network technologies in which people’s daily routine activities, such as communicating with others, shopping, having fun, and doing business, have changed dramatically. Like most other technological developments, computers and the Internet can be used for either legitimate or criminal purposes (Goodman, 1997; Grabosky, 2001;

Grabosky & Smith, 2001; Newman & Clarke, 2003; Wall, 2001, 2007a; Yar, 2005). As discussed above, cyberspace provides an environment in which offenders have ample opportunities to find suitable targets and to commit crime easily. Alshalan (2006), applying routine activities theory to cybercrime, argues that people who use the Internet more often are more likely to be a suitable target who might come across a motivated offender in the absence of guardianship in the cyberspace. Moreover, Alshalan (2006)

contends that individuals who engage in online activities that reveal their personal and financial information expose themselves to more cyberspace victimization risk.

Although cyberspace creates an environment in which offenders have many opportunities to find suitable targets and cyberspace itself is deemed as a risky place, it may not be true to argue that everybody in cyberspace has the same level of victimization risk. Some individuals are more likely to be the target of crime because of their proclivity to engage in deviant or risky activities (Cohen & Felson, 1979; Hindelang, et al., 1978). Thus, not only being in cyberspace creates the risk of victimization, but also certain online activities of individuals determine their level of victimization risk.

Some online activities, such as downloading freeware programs or visiting file sharing web sites, create higher risk of victimization than other online activities such as checking emails or visiting online news channels. (Choi, 2008; Moitra, 2005; Yar, 2005,

2006). In his study, Choi (2008) found that people who engage in risky online activities such as visiting unknown websites, downloading music, video and games are more likely to experience cyberspace victimization. Hence, a better understanding of victimization in cyberspace requires knowledge of online lifestyles of individuals.

In that sense, both routine activity theory and lifestyle exposure theory are useful in understanding cybercrime victimization in a society in which people’s everyday routine activities have dramatically changed with the advent of computer technologies and increased use of the Internet, (Alshalan, 2006; Grabosky, 2001; Yar, 2005). Also the change in routine activities increases the likelihood of convergence of suitable targets and motivated offenders in the absence of capable guardians in the cyberspace (Alshalan,

2006; Choi, 2008; Holt & Bossler, 2009). Thus the argument in this study is that the assumptions of the routine activities and lifestyle exposure theories, which were developed to explain street crimes, can be applied to cybercrime. A number of scholars have used the routine activities and lifestyle theories to explain the cybercrime

(Grabosky, 2001; Grabosky & Smith, 2001; Pease, 2001; Yar, 2005) and some have applied these assumptions in a limited number of empirical studies (Alshalan, 2006;

Choi, 2008; Holt & Bossler, 2009; Willison, 2002).

By using 2004 National Cyber Crime Victimization Survey collected by

Mississippi State University, Alshalan (2006) applied routine activity theory to explain cybercrime victimization. In order to measure exposure to crime, he used variables regarding to how long and how frequently respondents spend time on the Internet and he also incorporated demographic characteristics of respondents into his analysis. But, since his data do not contain information about the guardianship (such as antivirus or firewall) for all respondents, he could not test for the effect of guardianship against cybercrime. He found that respondents who spend more time online and are online more frequently are more likely to be victims of cybercrime. He also found that males and whites are more likely to be victims of cybercrime.

Choi’s(2008) study represents a more comprehensive application of both routine activity and lifestyle exposure theories to cybercrime by including measurements for suitable target and guardianship. By using a survey of college students, he found that college students who engage in risky online activities, such as downloading free music, video, and games or frequently visiting new websites, are more likely to be victims of

cybercrime. Moreover, he also found that students who use digital guardianships

(antivirus, antispyware and firewall programs) are less likely to be victims of cybercrime.

Although, studies that used routine activity and lifestyle exposure theories have demonstrated that assumptions of these theories can be successfully applied to cyberspace, the structural differences of cyberspace and the terrestrial world may raise questions regarding to what extent these theories can be applied to cybercrime. Yar

(2005, p. 409) argues that “although the core concepts of RAT [Routine activity theory] are in significant degree transposable (or at least adaptable) to crimes in virtual environments, there remain some qualitative differences between virtual and terrestrial worlds that make a simple, wholesale application of its analytical framework problematic.”

Thus, it becomes important to clarify how routine activity and lifestyle exposure theories can be applied to cybercrime. Although, Yar (2005) comprehensibly discusses this issue and convincingly illustrates that these theories can be applied to cybercrime despite structural differences between cyberspace and real world, there are a few points that need to be addressed. In the following section, by using Yar’s (2005) study and routine activity and lifestyle exposure literature, the ways in which both theories can be used in explaining cybercrime victimization will be discussed under four major concepts drawn from routine activity and lifestyle exposure theories: proximity to motivated offenders, exposure to high-risk of crime, target attractiveness, and absence of guardianship (Cohen, et al., 1981; Miethe & Meier, 1994).

Proximity to Motivated Offender

The main concept for the routine activities theory is the convergence of suitable target, motivated offender and absence of capable guardianship in time and space.

According to routine activity and lifestyle exposure scholars, crime is not randomly distributed across society, but rather it follows a regular pattern in time and space (Cohen

& Felson, 1979; Hindelang, et al., 1978; Miethe, et al., 1987). Some areas may attract individuals who are predisposed to criminal activities and provide more criminal opportunities for offenders by also attracting more potential targets, such as shopping malls, major transportation roads, convenience stores, bars, or apartment complexes

(Miethe & Meier, 1994, p. 47).

Hence, individuals have greater risk of victimization in certain places at certain times. For instance, individuals who live in or near an area in which there is a high crime rate or large population of potential offenders are more likely to have more frequent contact with potential offenders, which increases the risk of being a victim of a crime

(Cohen & Felson, 1979; Cohen, et al., 1981; Fisher, et al., 1998; Miethe & Meier, 1994).

For that reason, proximity to a motivated offender pool is one of the primary determinants that are used to explain differences in varying victimization risks. Cohen et al (1981) define proximity as “the physical distance between areas where potential targets of crime reside and areas where relatively large populations of potential offenders are found.” A person who is closer to motivated offenders has a higher risk of victimization.

Proximity to motivated offender pools is usually measured with socioeconomic characteristic of the neighborhood where people reside as well as perceived safety of the

neighborhood (Cohen, et al., 1981; Miethe & Meier, 1994). Social characteristics of neighborhoods, such as low socioeconomic conditions, population mobility, ethnic heterogeneity, and family disruption, have high correlations with crime rates in neighborhoods (Miethe & Meier, 1994, p. 84). Some areas are considered more crime- prone than others and living in or near such places increases risk of victimization. For instance, Miethe and Meier (1990) found that individuals who live in inner city areas and higher-crime rate areas are more likely to be victims of burglary, personal theft and assault. Moreover, Mustain and Tewskbury (1998) also found that people who live in neighborhoods with unpleasant characteristics, such as physical deterioration and public drinking, which attract potential offenders, are more likely to be victims of theft.

So, in the real world, physical distance between potential target and potential offenders affects individuals’ victimization risk and individuals who are in relatively closer proximity to potential offender pools are at higher risk of victimization. At this point, it should be emphasized that “proximity” in this case refers to one’s physical position relative to others. Given all other variables as equal, a potential target (person or property) that is in closer proximity to a potential offender is more likely to be visible and accessible to that offender, which makes him or her potential suitable target. Closer proximity increases the likelihood of being visible to offender. As a result of the nature of physical world crimes, the offender and target must be physically in the same place at the same time, and the offender chooses the target that is visible and easily accessible (Cohen and Felson, 1979).

Proximity in cyberspace, however, is not a tangible aspect that can be measured as easily in the physical world. In cyberspace, there is zero distance between any two points (Geer, 2007; Stalder, 1998; Yar, 2005) and in order for a crime to occur, the victim and the offender do not necessarily have to be physically at the same place. Yar (2005) argues that “everyone, everywhere and everything are always and eternally ‘just a click way’”(p.415). Once a person is connected to the Internet, she or he is just one click away from a potential offender who might be living on the same street or on the other side of the world.

According to Yar (2005), although these differences between real and virtual worlds may hinder the application of routine activity theory to cyberspace, we can still identify spatial characteristics within cyberspace that “at least in part converge with those of the familiar physical environment” (Yar, 2005, p. 415). He suggests two distinctive ways that connect the cyberspace to the physical world. First, by citing

Castells (2002), Yar (2005, p. 416) contends that cyberspace itself is rooted in the physical world’s social, economic, and political relations, and virtual environments, such as websites or email systems, are produced mostly in developed countries of the physical world, which makes cyberspace a reflection of existing economic relations and hierarchies. For instance, most of the websites that are viewed by 83 percent of Internet users originate from the United States (Yar, 2005, p. 416). Moreover, by citing Castells

(2002), Yar (2005, p. 416) claims that access to the virtual world and Internet use are

“closely correlated to existing cleavages of income, education, gender, ethnicity, age and

disability,” and physical world differences (urban-rural, first world-third world, or low- high income) are translated into the cyberspace.

Second, Yar (2005) argues that although in cyberspace there is zero distance between any point and one can instantly reach any point on the Internet, not all points are equidistant. According to Yar (2005), knowing a particular entity’s existence or reaching that entity may require individuals to spend some time and effort, and targets that are easily located are in closer proximity to potential offenders. For instance, while individuals are searching for a particular thing on the Internet, they may use search engines like Google and those search engines may give priority to some websites in the search results listings, and put those results in close proximity to other Internet users.

Although Yar’s (2005) two arguments provide a convincing way to connect cyberspace to the physical world, they do not provide a clear understanding of how proximity between offender and target in cyberspace in the context of routine activity theory can be identified. In the first argument, the way Yar (2005) discusses cyberspace as an extension of physical world disparities would be helpful to explain “the digital divide.” Thus differences among individuals or societies in gaining access to information and communication technologies and in using computers and the Internet result from socioeconomic differences (Mossberger, Tolbert, & Stansbury, 2003, p. 1) and other demographic differences that may be related to different online lifestyles. Hence, his argument can be used to explain why some targets are established physically at certain places, but not explain the proximity between motivated offender and suitable target. For instance this may explain how United States based companies are more likely to be

victims of intellectual property crime since they produce most of the valuable knowledge and are more accessible via the Internet (Nasheri, 2005).

However, once a person connects to the Internet those socioeconomic differences are no longer significant in measuring proximity to motivated offenders in the virtual environment where electronic signals are transmitted instantaneously. Proximity in cyberspace can be measured in a binary fashion in which either the target and offender has converged (zero distance) or the target and offender are at the farthest point (not converged). There is no varying level of proximity; everyone is in the same proximity in the cyberspace. Moreover, Geer (2007, p. 26) argues that “every location is equidistant from every other ….there is no way to fence off the good areas from bad.”

Yar’s(2005) second argument regarding locating the suitable target may promise a better explanation, but once the target is located, its distance to offender is again just a click away and cannot be explained by physical proximity. For instance, in the physical world a potential offender in New York may be aware of suitable targets, that there is one in Chicago and one in New York, but he or she probably would prefer the one that is in

New York, which is relatively closer to him or her. In cyberspace, distance is not an issue and there is no closer or farther for any potential target. A potential offender has a chance to reach any suitable target that is physically either in the same city or thousand miles away. In that sense, it can be argued that Yar’s (2005) second argument can be more relevant to the target’s visibility to the offender, not to their proximity. Any suitable target is at the same distance as any other target on the Internet, but the target may not be visible to offender.

Finally, it can be argued that proximity to a motivated offender cannot be measured as in the physical world for cybercrime. But this does not mean that assumptions of the routine activity theory cannot be applied to examining cybercrime.

Once we understand how cybercrime differs from physical world crimes and how cyberspace renders proximity to potential offenders as meaningless, we can take proximity as a given, just as the motivated offender is taken as a given in routine activities theory. In that sense, it may be more helpful to see the cyberspace itself as a

“place” like an inner city or a higher crime rate area in which potential offenders are constantly seeking suitable targets regardless of where they reside in the physical world.

Moreover, it can be argued that cyberspace itself, which creates new opportunities for potential offenders and provides different tools to perpetrate crime or make it easier for offenders, is actually a place where people are constantly exposed to risk of victimization. Cox, Johnson, and Richards (2009, p. 313) contend that “the necessity of being connected to cyberspace sets the stage for possible victimization.” The only way to absolutely prevent cybercrime is to unplug the computer’s power cable, which is not a practical solution in a society in which everything has became dependent on computers and information technologies (Hallam-Baker, 2008;Grabosky and Smith, 2001). As long as people are connected to the virtual world, they are at risk. In his study, Alshalan

(2006) found that people who connect to the Internet for a longer time and more frequently are more likely to be victims of cybercrime.

Thus, cyberspace can be considered as an expansive neighborhood on a global scale. We can argue that every time a person connects to the Internet, he or she spends

time in the higher crime rate area just like in the physical world, and that makes him or her potential target. Once in contact with a motivated offender or actions of an offender in the absence of capable guardianship, cybercrime occurs. What differentiates the likelihood of people’s victimization who live in the same neighborhood can be explained by the differences in individuals’ lifestyles and routine activities. In the case of cybercrime, individual’s online lifestyles and activities that expose them to crime along with the presence or absence of guardianship may differentiate the likelihood of victimization, which is discussed in the next section.

Exposure to Crime

Cohen et al (1981)defines the exposure to crime as “the physical visibility and accessibility of persons or objects to potential offenders at any given time or place”

(p.507). Individuals or properties that are more visible and provide easier accessibility to offenders are more likely to be victims of crime (Cohen & Felson, 1979; Cohen, et al.,

1981; Miethe & Meier, 1990, 1994). Visibility refers to the situation where a potential offender knows the existence of potential target. Accessibility, on the other hand, refers to potential offenders’ ability to get into contact with potential targets and escape from the crime scene (Miethe & Meier, 1994; Yar, 2005).

In order for a crime to occur, a motivated offender must come into contact with a suitable target. When motivated offenders and suitable targets have more frequent contact, offenders have more opportunity to commit crime(Cohen, et al., 1981). Cohen et al.(1981, p. 508) argue that “an increase in exposure leads to an increase in victimization risk.” For instance, people who spend more time in public places, such as in streets and

parks, especially during the night, have higher risk of personal victimization (Arnold,

Keane, & Baron, 2005; Hindelang, et al., 1978; Miethe & Meier, 1994). Studies also found that people who engage in non-household activities are more likely to be victims of a crime (Arnold, et al., 2005; Cohen & Felson, 1979; Hindelang, et al., 1978; Miethe &

Meier, 1990, 1994).

Hindelang et al (1978) argue that lifestyles of individuals have direct effects on their victimization risk by way of exposing them to different situations that may increase the chance of coming into contact with potential offenders. Moreover, they argue that associations between people who have similar lifestyles and share similar interests may also expose people to higher victimization risk. Hindelang et al (1978, p. 245) contend that “because offenders disproportionately have particular characteristics, association with people having these characteristics serves to increase exposure to personal victimization.”

Exposure to crime in cyberspace has similarities to crime in the physical world.

But visibility and accessibility of targets in cyberspace are more pervasive and provide more and better opportunities to potential offenders. As discussed in the previous chapter, the Internet is a global computer network and there are no national and physical borders that can limit individuals to reaching any point on it, which makes all entities connected to the Internet visible to each other and advertises “their existence to largest possible

‘pool of motivated offenders’” (Yar, 2005, p. 421).

As also discussed above, the Internet provides new opportunities for potential offenders and different tools to perpetrate the crime or make it easier for criminals. For

instance, cyber criminals may use different techniques to enter a target’s computer by exploiting known vulnerabilities of operating systems or software installed on a computer and copy, alter or delete any information without leaving any evidence. The user may not even notice their computer or network is compromised. Even when they notice, it is difficult to identify the perpetrator since they may use different techniques to cover their tracks and conceal their identities such as using encrypted communication, anonymous re-mailers, or botnets2 (Furnell, 2002; Grabosky & Smith, 2001; Hallam-Baker, 2008;

Wall, 2001, 2007a; Yar, 2005).

Thus, visibility and accessibility of targets can be transposable in cyberspace.

Online lifestyle and activities of people may expose them to different situations that may

increase the chance of coming into contact with potential offenders. For instance, some

online activities, such as downloading programs and visiting file sharing web sites,

creates higher risk of victimization than other online activities such as checking emails,

or reading online news portals (Choi, 2008; Moitra, 2005; Yar, 2005, 2006).

In his study, Choi (2008) found that people who engage in risky online activities,

such as visiting unknown websites, downloading music, video and games, are exposed to

higher victimization risk and are more likely to experience cybercrime victimization.

Moreover, Alshalan (2006) found that people who connect to the Internet for longer time

periods are more likely to be victims of computer viruses and people who engage in

activities that disclose their personal and financial information are more likely to be

2 Botnet is derived from “robot networks” and refers to network of compromised and controlled computers by cybercriminals without owners’ of computers knowledge and consent. Botnets are used to launch automated attacks such as distributed denial of service (DDOS) to business and government websites and networks (Dunham & Melnick, 2009).

victims of cybercrime. Thus, exposure to crime in cyberspace can be measured by the online lifestyle of individuals or the duration and frequency of Internet use which can be used as the indicator of online lifestyle.

Another important issue in terms of exposure to crime is the timing of activities.

Convergence of motivated offender, suitable target and absence of guardianship requires those elements existing at the same place and at the same time (Cohen & Felson, 1979).

A house left unprotected during the day or a person who spends time in public places during the night are exposed to higher risk of victimization (Cohen & Felson, 1979;

Hindelang, et al., 1978). However, time has also different implications in cyberspace.

Yar (2005, p.418) argues that

“Cyberspace, as a global interactional environment, is populated by actors living in different real-world time zones, and so is populated ‘24/7’.Moreover, online activities span workplace and home, labour and leisure, and cannot be confined to particular, clearly delimited temporal windows... Consequently, there are no particular points in time at which actors can be anticipated to be generally present or absent from the environment.”

Moreover, when we consider the automated non-real time cyber threats, such as viruses, Trojans and Internet worms, the temporal order of crime in cyberspace becomes a more complex issue. An offender who creates a virus, a Trojan, or a worm just releases the malicious software to the Internet, which automatically and remotely infects other computers that somehow get into contact with the infected computer, as in the above- mentioned Love Bug virus case. So, there might be a time lapse between offender’s deviant activity and victimization in cyberspace, whereas in the physical world action of street crime the offender instantaneously causes the victimization of a suitable target.

Thus, it can be argued that timing of activities does not affect the level of victimization

risk; instead, the duration and frequency that people connect to the Internet and their types of online activities determine differential victimization risk exposure.

Target Attractiveness

What makes a person or a property an attractive target for an offender is the material or symbolic value and perceived inertia, which offer less resistance against an illegal act of offender (Cohen & Felson, 1979; Cohen, et al., 1981; Miethe, et al., 1987).

Hindelang et al. (1978) also argue that the desirability and vincibility of an individual or a property as a potential target affect the probability of victimization. For instance properties that have high monetary value and are smaller in size are considered as more attractive to offenders, such as portable electronic devices, cash and jewelry.

Measures of target attractiveness used in studies have been the ownership of expensive and portable goods, having cash and jewelry in public places, income level and social class (Miethe & Meier, 1994). Cohen and Felson (1979)argue that decreased size of durable goods such as television sets and radios is one of the reasons for increased crime rates during 1960s and 1970s. Miethe and Meier (1990) found that people who carry larger amounts of money in public places and people who have a higher income level are more likely to be victims of a crime.

Different than the physical world crimes such as theft or assault, the target of crime in cyberspace is not directly a person or property; instead the target in cyberspace, as discussed above, is generally information, which is intangible and stored digitally. So, the value attached to digitally stored information, especially intellectual properties such as motion pictures, music files, software, personal financial information and trade secrets,

makes them desirable to cybercriminals (Grabosky, 2001; Nasheri, 2005; Wall, 2001;

Yar, 2005).

Since information is stored digitally and does not possess physical attributes, perceived inertia of the target in cyberspace has different characteristics. Digitally stored information is considered ‘weightless’ which makes the target more vulnerable to removal (Yar, 2005). Moreover, reproduction, altering or deleting of information in cyberspace is costless (Geer, 2007) which makes it more appealing. Information can be copied, altered or deleted instantaneously with no cost, and the same digital object can be possessed by many individuals as in the case of digital piracy (Grabosky, 2001) or theft of intellectual property (Nasheri, 2005). However every object in the physical world has

“unique identities and take up unique location in space and time” (Geer, 2007, p. 29) and if someone has an object, no one else can have it simultaneously.

On the other hand, Yar (2005) argues that the weightlessness of digitally stored information is not absolute and informational targets may still have little inertial resistance. For instance, the file size of data may affect the portability or the technological specification of tools used by the offender; thus the capacity of the computer system and speed of the Internet connection may affect the commission of crime (Yar, 2005, p. 419). But when the increased capacity of computer systems and speed of the Internet connection are considered, lower inertial resistance of digital files may place little or no limitation on committing cybercrime.

Also, it should be emphasized that cyberspace is a fruitful environment for cyber criminals to find suitable targets. In many cases, they do not try to locate a suitable target,

instead they have a chance to reach thousands or millions of suitable targets at one time by just releasing the malicious codes or sending scam emails; they just wait for the convergence of criminal activities with suitable targets. For instance, a cyber criminal who disseminates a virus can cause damage to millions of people with one malicious action without trying to locate any specific suitable target. Moreover, cyber criminals may steal bank account information of thousands of people by using the “phishing” method. Phishing is a way of stealing information by sending an email to thousands of people that appears to be a legitimate email originating from a company or government and that requests the recipients to submit personal information such as a Social Security

Number or banking information (Anthony & Huang, 2009).

Guardianship

Guardianship is the last component of crime causation that may affect crime occurrence with either its presence or absence. Cohen et al.(1981, p. 508) define guardianship as “the effectiveness of persons (e.g., housewives, neighbors, pedestrians, private security guards, law enforcement officers) or objects (e.g., burglar alarms, locks, barred windows) in preventing violations from occurring, either by their presence alone or by some sort of direct or indirect action.” Thus, guardianship has both social

(interpersonal) and physical (target-hardening) dimensions (Miethe & Meier, 1994, p.

51). According to Cohen et al.(1981), a person or property that is less guarded either by social or physical means is considered as a suitable target by offenders because they show little or no resistance to crime. So, individuals or properties that have greater guardianship are less likely to become victims of crime.

The social dimension of guardianship is generally measured by the number of household members, availability of neighbors or friends, density of pedestrians, existence of neighborhood watch programs or presence of law enforcement (Cohen, et al., 1981;

Fisher, et al., 1998; Miethe & Meier, 1990, 1994). Clarke and Felson (1993, p. 3) posit that law enforcement or security guards are not the best guardianship against crimes, but instead "neighbors, friends, relatives, bystanders, or the owner of the property" are the most likely persons to prevent crime occurrence. Although social guardianships may prevent the offender from committing crime by directly intervening, the essential role played by social guardianship is the deterrent effect on potential offender’s intention to commit crime (Cohen & Felson, 1979; Cohen, et al., 1981; Miethe & Meier, 1994)

Physical guardianship, on the other hand, includes target-hardening devices such as door locks, theft alarms, barriers, firearm ownership, guard dogs, and lighting on the street. Availability of both social and physical guardianships is very important for decreasing opportunity for criminals which in turn decreases the victimization risk

(Miethe & Meier, 1994, p. 51).

In theory existence of guardianship is very promising, but studies show mixed results for the effectiveness of social and physical guardianship. Some studies have shown that existence of guardianship decreases victimization risk while other studies did not find such decrease (Fisher, et al., 1998; Miethe & Meier, 1990, 1994). For instance,

Cohen et al (1981) found that guardianship has significant effect on reducing the risk of predatory victimization. Miethe and Meier (1990), on the other hand, found that social guardianship decreases the risk of residential burglary, personal theft and personal

violence victimization, whereas physical guardianships have generally insignificant effect, or in some cases increase the victimization risk. However, inconsistent findings are attributed to limitations of cross sectional data used in studies that may fail to capture clear temporal order among variables (Miethe & Meier, 1994, p. 51). For instance, findings of such studies may indicate that use of physical guardianship is correlated with risk of victimization; however precautions that might be taken as a result of victimization by individuals may be the reason for these findings.

There are many technological tools and suggested precautions to reduce the criminal opportunities in cyberspace (Grabosky & Smith, 2001, p. 36). The guardianship component of routine activity theory can easily be applied to cybercrime despite some limitations of the structural environment of cyberspace (Holt & Bossler, 2009; Yar,

2005). Social guardianship in cyberspace is generally provided by different private and informal means such as network administrators who are responsible for managing and monitoring government, private or personal computer networks or online users who informally monitor each other’s behavior on chat rooms or forums (Yar, 2005). As discussed above, law enforcement forces have difficulties in keeping pace with cybercrime and the presence of law enforcement in cyberspace is very limited. So, it is difficult to find formal social guardianship that is provided by law enforcement.

In cyberspace, physical or technological guardianship provides better protection against real cybercrime attacks such as malwares (virus, Trojan, worm, or spyware) or hacking. Guardianship in cyberspace is a widely discussed issue in computer and network security literature, which suggests using of both social and technological

protection means. Maintaining security in cyberspace encompasses a wide range of activities and tools including precautions taken by individuals such as using strong passwords, avoiding certain kinds of online activities and using digital security guards such as firewalls, intrusion detection system, anti-virus, and anti-spyware programs

(Pfleeger & Pfleeger, 2003).

On the other hand, the presence of electronic guardians is not enough to keep computers and networks secure from cyber threats. Protection provided by electronic guardians such as anti-virus, anti-spyware and intrusion detection and prevention systems are limited to known cyber threats and attacks (Cox, et al., 2009). In order to identify and clean computer viruses, anti-virus programs use virus definition files, which contain information about the pattern and signature of known viruses. Anti-virus or anti-spyware developers constantly renew their definition files by adding information about new threats.

Every computer on the Internet is vulnerable to new viruses even if they have up- to-date anti-virus programs, until the information about detecting and removing new viruses is included into virus definition files by anti-virus developers. But in some cases, the time between release of a new virus and finding the solution to it can be enough to spread the virus around the Internet, or in some cases solutions to certain threats may not be possible (Wall, 2007).

Moreover, having those guardians is not enough for protection, but also keeping those guardians routinely up-to-date and employed correctly are crucial to keep computers secure and to reduce the victimization risk (Cox, et al., 2009). Computer users

or individuals who are responsible for computer and network security play very important roles as guardians for preventing cybercrime. The human factor is not only important for the proper use of electronic guardians, but also for altering the situation that may potentially cause victimization. Cox(2009) (p.313)argues,

“The capacity to change in response to circumstances and events is what makes the human effective as guardians…No matter how sophisticated and complex the “guardians” for the users of the Internet are, these are all mechanical devices. They are reactive. They are designed to prevent actions that are already identified. They cannot respond to new intrusions and criminal activity.”

After discussing the four major concepts that are used by routine activity and lifestyle exposure theories scholars, it can be argued that routine activity theories and lifestyle theories can be applied to cybercrime as long as the differences between the physical world and cyberspace is kept in mind. In that sense, Yar’s (2005, p.409) argument can be echoed here “although the core concepts of RAT [Routine activity theory] are in significant degree transposable (or at least adaptable) to crimes in virtual environments, there remain some qualitative differences between virtual and terrestrial worlds that make a simple, wholesale application of its analytical framework problematic.”

Following the above discussion, Figure 1 illustrates the application of routine activity and lifestyle exposure theories to cybercrime. Demographic characteristics of individuals, as suggested by Hindelang et al (1978), affect individuals’ online lifestyles, which in turn, along with the existence of digital guardianship, determine the cybercrime victimization risk.

Demographic Characteristics Online Lifestyle Cybercrime

Victimization Age Gender Education Income

Digital Guardianship

Figure 1: Cybercrime Victimization

Constrained Behavior and Risk Perception in Cyberspace

One of the objectives of this study, as mentioned above, is to examine how individuals respond to victimization experiences in cyberspace by using the assumptions of routine activities and lifestyle exposure theories. Routine activity and lifestyle exposure have not only been used to explain factors that affect victimization, but also have been widely used to explain and examine fear of crime, perceived victimization risk, and constrained behavior. According to a wide range of literature findings, the contextual factors (crime rate in the neighborhood, social integration and disorder), demographic characteristics, routine activities and previous victimization experience affect the individuals risk perception and constrained behavior (Cook, 1986; Ferraro, 1995; Liska,

Sanchirico, & Reed, 1988; Liska & Warner, 1991; Rontree, 1998; Rountree & Land,

1996). Following those studies, this study is specifically interested in examining effects of cybercrime victimization on individuals’ perceived victimization risk and constrained online behavior. Although perceived risk and constrained behavior is discussed along with fear of crime, this study does not examine fear of crime since the data used in the analysis does not contain any information to measure respondents’ fear of cybercrime.

Research on victimization, fear of crime, and restricted routine activity patterns indicate that “victimization can increase perceived risk and associated fear within individuals and that this risk perception or fear can, in turn, prompt defense measures”

(Rountree & Land, 1996, p. 147). An individual who has previously been victimized or considers himself or herself at risk of victimization may show constrained behavior by having less social activities, using more security tools and taking more precautions

(Cohen & Felson, 1979; Ferraro, 1995; Hindelang, et al., 1978). Moreover, a person who has previously been victimized may feel higher risk of victimization and, as a consequence, may have a higher level of fear of crime than those who have no previous victimization experience (Ferraro, 1995; Hindelang, et al., 1978; Rader, May, &

Goodrum, 2007).

Although early studies did not make any distinction between fear of crime and perceived risk, they remain interrelated components that represent, respectively, emotional and cognitive dimensions of “fear” (Ferraro, 1995; Rontree, 1998; Rountree &

Land, 1996). Fear of crime can be defined as “…an emotional reaction of dread or anxiety to crime or symbols that a person associates with crime” (Ferraro, 1995, p. 4), whereas perceived risk is a cognitive judgment in which people calculate their own risk

of victimization depending on their lifetime experiences and social environments, which in turn affects individual’s fear of crime (Ferraro, 1995; Rontree, 1998).

The perceived risk is used as the strongest indicator of the level of fear of crime

(Ferraro, 1995; Rader, et al., 2007; Warr & Stafford, 1983). Moreover, Warr and Stafford

(1983, p. 1035) argue that fear of crime is “a multiplicative function of perceived risk and perceived seriousness.” They assert that people who may consider a crime as serious may not be afraid of being targets of particular crimes if they do not perceive themselves at risk. For instance, an individual may think that murder is a very serious crime and horrifying, but he or she may not consider being murdered as a risk in their life and may not be fearful when compared to other types of crimes such as larceny, auto theft or assault.

Rader (2004), on the other hand, argues that perceived risk and constrained behavior cannot be viewed as the source of the fear of crime. Instead, Rader (2004) suggests that fear of crime, perceived risk and constrained behavior should be seen as interrelated components of “threat of victimization” in which each component affects each other. Rader, May, and Goodrum (2007) applied Rader’s (2004) “threat of victimization” in their study and found that both perceived risk and constrained behavior have reciprocal relationships with fear of crime, however there is no relationship between perceived risk and constrained behavior.

By using the opportunity framework offered by routine activities (Cohen &

Felson, 1979) and lifestyle exposure theory (Hindelang, et al., 1978), Ferraro (1995, p.

16) argues,

“Just as the criminal opportunity perspective has been used to model how criminal offenders judge the risk of violations, it may also be useful to conceptualize how potential victims may take use of such information judging their risk of victimization. In other words, while potential offenders may take advantage of information about living quarters, crime rates, police protection, and neighborhood surveillance in judging the risk of violation, potential victims may likewise use such information to judge the threat of being victimized.”

In that sense, not only does previous victimization influence the risk perception or fear of crime, but also the social environment individuals live in (high crime rate in neighborhood, social disorder, etc.) and lifestyles or routine activities of individuals affect risk perception and fear of crime (Cook, 1986; Ferraro, 1995; Melde, 2009;

Rontree, 1998). Individuals respond to cues coming from those sources which provide information about the potential opportunity that may lead to victimization (Rontree,

1998, p. 349). Studies found that previous victimization, individuals’ exposure to crime in terms of their routine activities and social characteristics of the neighborhood affect their perceived victimization risk and fear of criminal victimization (Garofalo, 1979;

Liska, et al., 1988; Liska & Warner, 1991; Rontree, 1998; Rountree & Land, 1996)

Following Ferraro’s (1995) and others’ arguments, it can be argued that individuals who spend time in cyberspace also calculate their own cybercrime victimization risk in a similar way. Online lifestyles of individuals, security tools that are used for protection such as firewalls and anti-virus programs, and previous cybercrime victimization may influence the risk perception of Internet users. Having a risky online lifestyle, such as visiting web sites that offer pirated free programs, music or video files, using peer to peer file sharing programs and lacking of digital guardians not only affect the victimization risk of individuals, but those factors also affect individuals risk

perception. Moreover, individuals who have previous cybercrime victimization experience may believe themselves to be at a higher risk.

Another aspect discussed in literature related to this area is how the risk perception affects the individuals’ subsequent behaviors. Ferraro (1995) argues that people who feel themselves at risk of victimization show two different reactions, fear and constrained behavior. Individuals respond to higher perceived risk not only with fear, but they also may show defensive (installing extra locks and alarms, carrying or having guns, etc.) and avoidance behavior (not going out at night, limiting social activity, etc.) to cope with the victimization risk. In his study, Ferraro (1995, p. 31)reviewed twenty studies about fear of crime and reported that “most of those studies find that perceived risk to be quite predictive of fear of crime, even after controlling for related variables.” Moreover, in his analysis, he found that “perceived risk shapes constrained behavior which in turn influences fear” (p.63).

In a similar way, Cook (1986, p. 6) argues individuals’ behavior is the result of the choices they made based on anticipated consequences and "individual's exposure to risky circumstances is influenced by his concern with being victimized.” Individuals respond to perceived victimization risk by reducing their exposure to crime. Thus individuals may alter their lifestyle patterns or routine activities based on their risk perception or fear of criminal victimization (Cook, 1986; Ferraro, 1995; Keane, 1998;

Liska & Warner, 1991; Rontree, 1998; Rountree & Land, 1996). Rountree and Land

(1996, p. 153) assert that “an individual's previous victimization experience together with theperson's risk perception and other individual-level explanatory factors then affect his

or her routine activities, in particular those pertaining to safety precautions.” Studies have showed that individuals who have higher risk perception and fear of crime alter their behavior accordingly to avoid future victimization (Garofalo, 1979; Liska & Warner,

1991; Long, 1997; Rountree & Land, 1996).

Increased risk perception and victimization experience in cyberspace may also affect the Internet users’ routine online activities. For instance, when people feel that certain online activities such as using peer to peer programs for file sharing or downloading freeware or shareware programs pose threats to security of their computers, they may change their online behavior to avoid possible victimization. Similarly, people who have been the victim of any type of cybercrime may alter their behavior to avoid subsequent cybercrime victimization.

Finally, in the light of extant literature, it can be argued that since risk perception and constrained behavior are respectively cognitive and behavioral responses to victimization experiences and cues that come from the lifestyle of individuals and the social environment, the same arguments can be applied to victimization in cyberspace.

People who experienced previous victimization and expose themselves to risky online activities are more likely to have higher perceived victimization risk, which in turn constrains their online behavior (Figure 2).

Online Cybercrime

Lifestyle Victimization

Constrained Behavior

Digital Risk Guardianship Perception

Figure 2: Risk Perception and Constrained Behavior

Research Questions

The first aim of this study is to explain the factors that affect victimization in cyberspace. Despite some limitations, routine activities and lifestyle exposure theories offer a helpful theoretical framework for explaining cybercrime victimization. According to both theories, individual’s lifestyle, which is what she/he does, with whom and where, and the existence of the guardianship determine the level of victimization risk (Cohen &

Felson, 1979; Hindelang, et al., 1978). As in the physical world, online lifestyles of individuals and the existence of digital capable guardians affect victimization risk in cyberspace.

The second aim of this study is to examine how individuals respond to victimization experiences in terms of risk perception and constrained behavior.

According to Ferraro (1995), individuals calculate their own risk of victimization by looking at the cues from the social environment, their own lifestyle, and previous victimization. In a similar way, individuals who spend time in cyberspace also calculate

their own cybercrime victimization risk. Online lifestyles of individuals, security tools that are used for protection such as firewalls and anti-virus programs, and previous cybercrime victimization may influence the risk perception, which in turn affects the behavior of the Internet users. Increased risk perception and previous victimization experience may lead individuals to constrain their behavior accordingly to avoid being victims of crime.

In the light of the current literature, this study addresses a variety of questions related to the factors that affect victimization in cyberspace and how individuals respond to victimization experiences in terms of risk perception and constrained behavior. This study will try to seek answers to the following research questions:

1. Are people, who expose themselves to cybercrime by engaging in risky

online activities, more likely to be the victims of cybercrime?

2. Are people, who do not have digital capable guardianship such as virus or

firewall protection, more likely to be the victims of cybercrime?

3. Are people’s risk perceptions affected by their online lifestyle, existence

of digital guardianship, and previous victimization experience?

4. Do people change their online lifestyle according their risk perception

level and previous victimization experience to prevent victimization?

In order to find answers to these questions, two different analyses will be

employed. The first analysis will only focus on the first two questions in a very

general way. The second analysis will present a more comprehensive approach by

focusing on all four questions. Hypotheses related to each research question and analysis will be presented in each chapter.

CHAPTER 4: THE ANALYSIS OF COMPUTER VIRUS AND ONLINE

HARRESMENT

In this chapter, two types of cybercrime victimization, virus infection and online harassment, are statistically analyzed by using the assumptions of routine activity and lifestyle exposure theories. 2003 National Crime Victimization Survey (NCVS) is used for the analysis. NCVS also contains information about the victimization of online fraud, but only 1.62 percent of the respondents reported being the victim of online fraud. Since the variation for the online fraud victimization is very limited, it was not included in the analysis.

In a sense, computer virus infection represents a new type of crime that is created by the networked computer technologies which cannot exist without the help of computers and computer networks (Wall, 2001, 2007a). Computer viruses are malicious software that, like real world biological viruses, spread from one computer to another by replicating and attaching themselves to computer files or programs (Bocij, 2006; Skoudis

& Zeltser, 2004). In order to spread around the Internet, computer viruses generally depend on the actions of computer users. Once a computer user runs an infected program or opens an infected document, the computer virus is activated and it can proliferate by infecting other files and programs. Moreover, when individuals share the infected documents and programs with others or when individuals use an infected computer by

using their floppy disk, external drive or flash drive, the virus automatically spreads itself by attaching to the documents on the new computer or digital media (Bocij, 2006;

Skoudis & Zeltser, 2004). Computer viruses also spread using the network and the

Internet connection through emails, chat programs and web sites (Bocij, 2006; Walker,

2006).

Computer viruses create different threats to computer users. Some computer viruses, especially early computer viruses, may be harmless and just display some messages, whereas some computer viruses may be destructive which delete or corrupt the files on the infected computer; in some cases they affect the operation of a computer by destroying the operating system functions (Bocij, 2006; Skoudis & Zeltser, 2004; Walker,

2006). Computer viruses are also used to send spam emails from infected computers or to install Trojans or bots in order to take the control of infected computers for using them to launch other kinds of cyber attacks such as hacking or Distributed Denial of Service

(DDoS) attacks (Walker, 2006).

In his study, Alshalan (2006) examines the computer virus victimization along with more general cybercrime victimization by using the assumptions of routine activity theory. Alshalan (2006) argues that individuals who spend more time on the Internet expose themselves to more computer virus and other types of cybercrime victimization risk. His findings show that individuals who spend more time on the Internet are more likely to be computer virus victims.

Online harassment, on the other hand, is the cyber version of traditional harassment and like real world harassment, online harassment produces fear, anxiety and

concern in the victim (Bocij, 2006; Holt & Bossler, 2009). Online harassment usually involves abusive online activities that include sending unwanted threatening or obscene emails and messages by means of Internet communication (Ellison, 2001; McGraw,

1995). Different than physical world harassment, cyberspace provides unique opportunities for online harassment by enabling offenders to reach the victim without physically contacting her/him and providing perfect anonymity to disguise the identity of the offender (Ellison, 2001; Holt & Bossler, 2009). Moreover, Finn (2004, p. 470) argues that cyberspace promotes online harassment by creating “a false sense of intimacy and misunderstanding of intentions.”

By applying the routine activity and lifestyle exposure theories, Holt and Bossler

(2009) found that college students who use chat-rooms and other online communication tools are more likely to be victims of online harassment. Moreover, they found that females are more likely to be victimized since they are seen as attractive targets. Finn

(2004), on the other hand, could not find any difference by gender, age, class standing and residence in terms of online harassment victimization. Finn (2004) also could not find any relationship between the online harassment and frequency of Internet use.

Hypotheses

As discussed above, daily activities of people create the opportunity for potential criminals to commit crimes and being in a certain place at certain times increases the likelihood of victimization (Cohen & Felson, 1979). The Internet creates a great deal of opportunity for criminals to commit crime by allowing the criminals to conceal their

identities, making it easier to commit crime and making investigation and prosecution of the crime harder and complex (Moitra, 2005; Speer, 2000). In his study, Alshalan (2006) found that when people spend more time on the Internet, they are more likely to be victims of different types of cybercrime including computer virus infection. Moreover,

Choi (2008) found that people who engage in risky online activities are more likely to be victim of cybercrime.

But the Internet users are not totally defenseless against cybercrime.

Guardianship, as in the real world, plays an important role to protect Internet users from malicious online behaviors. There are certain ways to avoid victimization in cyberspace.

For instance, to prevent a virus infection, people might use anti-virus programs or to prevent the unauthorized access to their computers, people can use firewalls. Another way is keeping the computer operating system and the programs installed on the computer up to date to fix the known vulnerabilities which can be exploited by cybercriminals (Hallam-Baker, 2008; Pfleeger & Pfleeger, 2003). In his study, Choi

(2008) found that people who use digital guardianship such as antivirus and anti-spyware programs and firewalls are less likely to be victims of cybercrime.

Unfortunately, NCVS includes only a limited number of questions about the

Internet access and online behavior of respondents, and those questions are not enough to directly measure the online lifestyles and level of capable guardianship. For that reason, the analysis in this chapter will incorporate the exposure to crime and capable guardianship concepts by using proxy variables, which are number of places that respondents use the computer for personal purposes, whether respondents use computers

for operating home-businesses, and the number of computers that each respondent has for personal use or for operating a home business.

It is assumed that people who use computers in different places for personal use or who own more computers are more likely to spend more time on the Internet. Personal use of computers may also be an indicator of leisure online activities, such as downloading programs, sharing files, using online chat-rooms and other online communication tools, which in turn expose people to higher computer virus victimization and online harassment risk.

Moreover, it is also assumed that individuals who use computers in different places such as home, work, school or libraries may not able to control the security of all computers they use. People may have necessary security tools or, in other words, digital guardians against cybercrime installed on their personal computers, but they may not be able to have the same security tools installed on other computers. Thus, it is also assumed that people who use computers at different places are more likely to not to have enough protection against cyber threats which in turn increase their computer virus victimization risk. The number of computers that respondents have also is used as the indictor of frequency of Internet use by assuming that individuals who own more computers are more likely to spend more time on the Internet and engage in more different online activities which in turn expose them to more computer virus victimization and online harassment risk.

In the light of current literature and above discussion, analysis in this chapter examines these hypotheses:

Hypothesis 1a: Individuals who use the computer at more different places for personal use are more likely to be the victims of computer virus.

Hypothesis 1b: Individuals who use the computer for business purposes are less likely to be victims of computer virus.

Hypothesis1c: Individuals who have more computers are more likely to be victims of computer virus.

Hypothesis 2a: Individuals who use the computer at more different places for personal use are more likely to be victims of online harassment.

Hypothesis 2b: Individuals who use the computer for business purposes are less likely to be victims of online harassment.

Hypothesis 2c: Individuals who have more computers are more likely to be victims of online harassment.

Data

2003 National Crime Victimization Survey (NCVS), which was collected by the

Census Bureau for Bureau of Justice Statistics, is used for the analysis of computer virus and online harassment victimization by applying the assumptions of routine activity and lifestyle exposure theories. The data used in this chapter has limited variables that can be used to operationalize the assumptions of routine activity and lifestyle exposure theories.

However, it can still be useful to give some basic ideas about the cybercrime victimization and the applicability of both theories to cyberspace.

NCVS is a nationwide ongoing survey designed to represent individuals in households to include persons age 12 and older living in the United States (Lauritsen,

2005, p. 245). Every year, nearly 100,000 people living in 50,000 household are interviewed twice a year and asked whether they had been a victim of a crime such as robbery, theft, simple and aggravated assault during previous 6 months (Lauritsen, 2001, p. 8). Beginning in the second half of 2001, questions about the cybercrime victimization were added to NCVS (Kowalski, 2002) . Later on, after the second half of 2004, these questions were removed from the survey. Despite its limitations, it was and has been the only data source that includes information about different types of cybercrime victimization at the national level. It would have been helpful to keep the cybercrime related questions in the survey, of course, by adding new and better questions.

Crime victimization surveys are used as an alternative to official law enforcement crime statistics to explore the real victimization level for citizens by depending on the idea that not every crime is reported to the law enforcement. In that sense, the NCVS is an attempt to explore victimization in the United States. The NCVS has one of the highest participation rates among similar social surveys. Response rate to NCVS is 90 percent. Moreover, different than many other surveys which use telephone directories or random digit dialing for sampling, samples for NCVS are drawn based on population and household information from the U.S. Census, which implies that the NCVS has no selection bias, except that it does not include people without a residence (Lauritsen,

2001). So, being nationally representative, the NCVS enables researchers to produce generalizable results about the victimization patterns in the United States.

Many scholars agree that official records do not show the real scope of cybercrime victimization because people do not report every cybercrime incident to law

enforcement for different reasons. Some think that reporting to local police would not solve the problem and accept the burden. Some think that the damage caused by cybercrime is not worth pursuing a legal action, or some are even not aware of having been a victim of a cybercrime. In some cases, cybercrime is not reported due to fear of bad reputation, especially by banks and financial institutions (Goodman & Brenner,

2002; Moitra, 2005; Wall, 2001, 2007a).Wall (2007a, p. 19) argues that “the most effective way that statistics about patterns of individual victimization can be reliably captured is through surveys of individuals.” In that sense, the NCVS, despite its limitations, would be very helpful for examining the reality cybercrime victimization.

The NCVS data contains four different record-type files: address, household, person, and incident. For the purpose of this study, the person record-type file is used.

The person record-type file contains information about each household member who is

12 years or older. As mentioned above, the NCVS is an ongoing survey, and once a household is taken into a sample, each household member is interviewed every six months for total of seven times over a three year period. After the seventh interview, the household is replaced by another household.

The NCVS is conducted four times in a year. The NCVS of 2003 consists of six quarters, four of which were administered in 2003, and the two of which were conducted in 2004. Respondents are interviewed every six months about their victimization for the past six months along with their demographic information. Thus, the NCVS is in the form of longitudinal data that tracks respondents’ victimization over a three-year period. But

for the purpose of this study, a cross sectional data consisting of the second quarter of

2004 is used.

The total case number for the second quarter of 2004 is 43,750. But the case number decreases to around 24,000 after the dependent variables are taken into account.

Dependent variables are whether respondents had been the victim of computer virus and online harassment during last six months. Since questions related to cybercrime victimization are only asked to those who have used the computer during the last six months, those who have not used the computer are taken out of the universe for cybercrime related questions. Thus, the number of cases decreased to around 24,000, which is still too big for the regression analysis.

In regression analysis, sample size is important to find meaningful results. Very small and very large case numbers can create problematic results and may affect the outcomes. Very small numbers may not adequately reveal the relationship between variables, whereas very large numbers may give statistically significant results for independent variables, which normally do not have any effect on the dependent variable.

Since the formula for statistical significance is based on the standard error, and standard error asymptotically decreases, a large number of cases make all statistical results significant for each variable regardless of their true effect on the dependent variable.

Cunningham and McCrum-Gardner (2007, p. 1) state “Statistical significance can be

'bought' by having a large number of cases.”

In the light of these concerns, the case number for this study needs to be reduced to obtain meaningful results from the regression analysis. A sample needs to be randomly

selected from the NCVS, but before that it is necessary to identify an ideal case number for the purpose of this study. In order to find best sample size for the analysis, GPower3

statistical program is used. GPower is a helpful statistical tool to find the ideal sample

size for different statistical analyses. For the multivariate analysis, the researcher should

define the number of predictors (independent variables) and effect size, so GPower can

be used to calculate the sample size. In regression analysis, effect size refers to the effect

of independent variables on the dependent variable. Cohen (1988) defined standardized

effect size for different kinds of statistical analyses. For multivariate regression analysis,

Cohen (1988) defined small (0.02), medium (0.15), and large (0.35) effect sizes.

Defining the effect size depends on the researcher’s judgment (Cunningham &

McCrum-Gardner, 2007). For this study, it is assumed that effect size should be

somewhere between small and medium, because the current data set does not provide us

with all related variables and it can be only tested for risk exposure by using proxy

variables. Since we cannot test for motivated offender and absence of capable

guardianship and cannot measure suitable target and risk exposure directly, it is assumed

that effect size of suitable target to victimization would be somewhere between small and

medium. Thus, two different sample sizes were calculated for small effect and medium

effect by using the by G*Power and the mean of two sample sizes is used for determining

the sample size for this study. Number of sample for medium effect size is 153 and

number of sample size for small effect size is 1099. The mean of these two numbers is

626, which is also the sample size that is used for the purpose of this study. By using

3 For more information about G*Power you can check the official website: http://www.psycho.uni-duesseldorf.de/abteilungen/aap/gpower3/download-and-register

Stata statistical software, 626 cases were randomly selected and multivariate regression analysis is conducted.

Dependent Variables

In this chapter, two different regression models, one for the computer virus victimization and one for the online harassment victimization, is tested. Table 1 shows the descriptive statistic for the dependent and independent variables used in the analysis.

Moreover, a correlation matrix for the all the variables is presented in Appendix 1.

In the NCVS questionnaire, respondents were asked, “Have you experienced any of the following COMPUTER-RELATED incidents?”

1-Fraud in purchasing something over the Internet,

2- Computer virus attack,

3- Threats of harm or physical attack made while online or through E-mail.

4- Unrequested lewd or obscene messages, communications, or images while online or through E-mail.

The dependent variable for the first regression model is computer virus victimization, which is created with the second listed computer-related incident. The computer virus attack variable is a dichotomous variable wherein “1” indicates virus infection (Table-1). Since, only 1.62 percent of the respondents reported being the victim of online fraud, online fraud is not used in the analysis

Table 1: Frequency and Descriptive Statistics

Variables Number of % Mean Standard Observations Deviation DEPENDENT VARAIBLES Computer Virus No 486 78.64 .21359 .41017 Yes 132 21.36 Total 618 100 Online Harassment No 491 79.45 .20550 .40440 Yes 127 20.55 Total 618 100 INDEPENDENT VARAIBLES Personal Use: 0 1 0.16 1.5048 .61512 Number of Places 1 347 55.43 2 239 38.18 3 39 6.23 Total 626 100 Business Use No 587 93.77 .06230 .24189 (Yes = 1) Yes 39 6.23 Total 626 100 Number of 0 3 0.48 1.8478 1.0829 Computers Owned 1 323 51.76 2 152 24.36 3 58 9.29 4 88 14.10 Total 624 100 Education Elementary 50 8.03 3.3740 1.5744 High School 199 31.94 Some college 116 18.62 Assoc.deg. 52 8.35 Bachelor 145 23.27 Masters 54 8.67 Doctorate 7 1.12 Total 623 100 Race (white = 1) Non-white 93 14.86 .85144 .35594 White 533 85.14 Total 626 100 Gender (male =1) Female 326 52.08 .47923 .49997 Male 300 47.92 Total 626 100 Married No 259 41.445 .5856 .4930 (Yes = 1) Yes 366 8.56 Total 625 100 Age Between 39.011 15.899 12 and 83

Online harassment victimization is the second dependent variable and is created by using the third and fourth listed computer-related incidents, “threat of harm or physical attack” and “unrequested lewd or obscene messages” respectively. Two incidents are consolidated into one variable which is coded as a dummy variable where

“1” indicates being a victim of online harassment (Table-1).

Independent Variables

The main explanatory variables, which are used to assess the suitable target through risk exposure, are the number of places that each respondent uses a computer for personnel purposes, whether respondents use computers to operate a home-business, and the number of computers that each respondent has for personal use or for operating a home business. Alshalan (2006) found that when people spend more time on the Internet, they are more likely to be victim of a computer virus. So, it is assumed that if a person uses computers in more different places for personal purposes or they own more computers, they are more likely to spend more time using the computer. Moreover, they are more likely to use computers that are not protected enough against computer viruses.

In the NCVS questionnaire, respondents were asked, “During the last 6 months, have YOU used a computer, laptop, or WebTV for the following purposes”

1- For personal use at home,

2- For personal use at work,

3- For personal use at school, libraries, etc.

4- To operate a home business;

The first explanatory variable, which is the number of places where a computer is used for personal purposes, is an index variable calculated by summing the first three answers. So, the value for “the personal use” variable ranges from “0” to “3” wherein

“0” indicates respondent does not use the computer for personal purposes and “3” indicates respondent uses the computer for personal purposes at three different places

(Table 1).

The fourth answer is used to create the second explanatory variable, which is the computer use for operating a home-business. The “business use” variable is coded as a dummy variable wherein “1” indicates that respondent uses the computer for operating a home-business (Table 1).

The third explanatory variable, the number of computers that each respondent has for personal use or for operating a home-business, is a count variable, which shows the number of computers that each respondent has (Table 1). Respondents were asked, “How many computers do you have access to for personal use or for operating a home business?” and were given “none, 1, 2, 3, and 4 or more” options to choose. It is expected that the more computers a person has, he/she is more likely to be victimized.

According to findings of different studies about victimization in the terrestrial world, demographic characteristics of people are closely related to victimization (Ferraro,

1995; Fisher, et al., 1998; Hindelang, et al., 1978; Rader, et al., 2007). For instance,

Fisher et al. (1998) argue that youths are more likely to be a victim of a crime. So in order to control for the demographic characteristics of the respondents, age, gender, race, education and marital status are added to the analysis as control variables (Table 1).

Age is a continuous variable, which shows the respondent’s age. Marital status and gender are dummy variables in which 1 indicates married for marital status and male for gender. Education is an ordinal variable, which is classified as elementary school (1), high school (2), some college (3), associate degree (4), bachelor (5), masters (6) and doctorate (7). Race is also a dummy variable in which “1” indicates the person is white,

“0” indicates non-white.

Analysis and Results

Since, the dependent variables for both regression models are dichotomous variables, logistic regression analysis is used to examine the relationship between the dependent variables and the explanatory variables (Table 2). Regression analyses are conducted by using the Stata statistical package. Both logistic regression models are checked for multicollinearity and outliers. The multicollinearity problem is not detected for either model since the results of variance inflation factor (VIF) for both models are smaller than 4. (The highest VIF value for the models is 1.48). Moreover, examination for outliers and influential cases by using scatter plot of standardized residuals and

Cook’s distance values respectively do not indicate any outlier or influential cases.

The first model, which is statistically significant (Chi-Square=91.04, p<.001),

predicts the probability of being a victim of computer virus by using the explanatory and

control variables. The pseudo r-square indicates that that 14.3% of the variation in the computer virus victimization is explained by the independent variables in this model.

The first explanatory variable, the number of places respondents use computer for personal use, is statistically significant (p<.001) and positively affects computer virus

victimization, which suggests that when individuals use computers at more different places for personal purposes, they are more likely to be victims of computer virus attacks.

In other words, using the computer for personal purposes increases the likelihood of computer virus infection. Thus, the null hypothesis that computer use at more different places for personal purposes has no effect on the computer virus victimization can be rejected and hypothesis 1a can be accepted.

Table 2: Logistic Regression Results for Computer Virus and Online Harassment Victimizations Model 1 Model 2 Independent Variables Computer Virus Online Harassment .70651*** .60663** Personal Use (.18669) (.18592) .4006 .59315 Business Use (.3953) (.37293) .12159 .2538* Number of Computer Owned (.10816) (.10526) .28028*** .09711 Education (.07721) (.07515) .95787*** .1999 Gender (.22031) (.21162) .32310 .45968 Marital Status (.25746) (.25592) .74134* .55869 Race (.36560) (.34618) .00695 .0093 Age (.00861) (.00838) -5.366*** -4.4594*** Constant (.60546) (.56667) Log Likelihood -272.51539 -283.9165 LR Chi Square 91.04*** 54.97*** Pseudo ࡾ૛ 0.1431 0.0883 Number of Cases 613 613 Standard errors are in parenthesis. The confidence level is 95% (p<.05): ***<.001, **<.01, *<.05

On the other hand, the second explanatory variable, computer use for operating a home-business, is not statistically significant. So, the null hypothesis that computer use for operating a home-business has no effect on the computer virus victimization cannot be rejected and hypothesis 1b cannot be accepted. Moreover, the third explanatory variable, the number of computers owned by respondents, is not statistically significant and hypothesis 1c cannot be accepted.

In the first model, marital status and age have no significant effect on the computer virus victimization. On the other hand, the control variables education, gender and race have significant positive relationships with computer virus victimization. In other words, more educated individuals, males and whites are more likely to be victims of computer viruses. These results could stem from differences in Internet and computer use by different demographic groups. For instance, Koksal (2009) found that more educated people are more likely to use the Internet and Hispanics and African-Americans are less likely to use the Internet.

The second model, which is statistically significant (Chi-Square=54.97, p<.001), predicts the probability of being a victim of online harassment by using the explanatory and control variables. The pseudo r-square indicates that that only 8.83 % of the variation in the online harassment victimization is explained by the independent variables in this model.

In the second model, the first explanatory variable, the number of places respondents use computers for personal use, has a positive significant (p<.001) relationship with the online harassment victimization, which suggests that when

individuals use computers at more different places for personal purposes, they are more likely to be victims of online harassment. In other words, using the computer for personal purposes increases the likelihood of being the target of online harassment. Thus, the null hypothesis that computer use at more different places for personal use has no effect on the online harassment victimization can be rejected, and hypothesis 2a can be accepted.

The third explanatory variable, the number of computers owned by respondents, has a positive significant (p<.05) relationship with the online harassment victimization, which suggested that when individuals own more computers, they are more likely to be victims of online harassment. Thus, the null hypothesis that owning more computers has no effect on the online harassment victimization can be rejected, and hypothesis 2c can be accepted.

Finally, none of the demographic variables in the second model have a statistically significant relationship with the online harassment victimization. This indicates there is no difference between different characteristics of respondents in terms of online harassment victimization.

Results for the computer virus victimization and online harassment victimization provide partial support for the routine activity and lifestyle exposure theories. The number of places a computer is used for personal purposes, which is used as the indicator

of frequency of Internet use and more online activities, has a positive significant effect on both victimization types. These results suggest that individuals who more frequently use computers for personal purposes are more likely to expose themselves to risk of victimization in cyberspace. For instance, respondents who use computers at more different places for personal purposes more likely spend time in chat-rooms or with other online communication tools, which in turn increase their likelihood of being the victim of online harassment. Likewise, respondents who use computers at more different places for personal purposes may engage in variety of different online activities that may expose them to virus infection.

CHAPTER 5: THE ANALYSIS OF SPYWARE AND ADWARE

In the previous chapter, routine activity and lifestyle exposure theories is operationalized with computer use for personal purposes and computer use for business purposes. Logistic regression analysis results indicate that using the computer at more different places for personal purposes increases the likelihood of being a victim of virus infection and online harassment. But, using the computer for personal purposes covers wide range of online activities and the personal use variable used in chapter four does not provide information about the types of online activities that expose individuals to greater victimization risk. Following this concern, this chapter examines the effect of different types of online activities on spyware and adware victimization, using structural equation modeling (SEM). The analysis also incorporates the guardianship component of routine activity theory to inspect the effect of digital guardians on cybercrime victimization.

Moreover, this chapter aims to examine how people respond to spyware and adware victimization experiences in terms of risk perception and constrained behavior.

Spyware and Adware

Early cybercrimes were conducted by teenage vandals (Hallam-Baker, 2008, p. 1) who have curiosity for technology, desire for reputations or just want to have fun (Wall,

2007a). But over time, cyberspace has become a place with lots of opportunities for monetary gain, and today the main purpose of cybercriminals is to make money by exploiting technological, individual, organizational and structural vulnerabilities (Bocij,

2006; Hallam-Baker, 2008; Wall, 2007a). While pursuing this desire, cybercriminals attack individuals, businesses, government computers, networks, and websites by using a variety of techniques such as phishing, spamming, hacking, and using malicious software.

In many cases, cybercriminals, however, do not prefer to directly attack guarded corporate, bank, government, or e-commerce networks and websites; instead they choose the weakest link, end users or customers, as the target. By exploiting their trust through impersonation and persuasion or vulnerabilities of computers and software they use, cybercriminals can obtain sensitive information or install malicious software on their computers that can spy on them to retrieve valuable information (via spyware and adware), control the computer for other criminal purposes (via backdoors, Trojans, bots etc.), or cause damage or harm to computer systems (via hacking, computer viruses or worms) (Hallam-Baker, 2008, pp. 2-4). For instance, cybercriminals may send fabricated emails to a person that appear to originate from the bank the person usually does business with and ask to verify personal and financial information (a phishing attack). In some cases, they use surreptitious methods by persuading the user to install a freeware program or download music or video files in which malicious software that can monitor the user’s computer and Internet activities is embedded without the knowledge or permission of the user in order to gain access to valuable information. Or in some cases just visiting websites would be enough to get infected by those kinds of malicious software, namely spyware and adware.

Because of the sneaky behavior of spyware and adware, Walker (2006) argues that “spyware and adware, its rude sister, are two of the most prolific threats to the privacy and the security of your computer today” (p.42). Spyware refers to a wide range of malicious software that covertly monitors the computer user’s activities and is installed to a computer without the user’s knowledge and consent (Bocij, 2006; Federal Trade

Commission Staff Report, 2005; Wall, 2007a). Spyware is used for wide range of purposes from stealing personal and financial information to economic espionage and intelligence (Bocij, 2006, p. 73). Different types of spyware pose different levels of insidiousness (Wall, 2007a, p. 60). Spyware, basically, spies on the user’s Internet activities and reports back to a remote point on the Internet about browsing and online shopping habits. But its ability is not limited to spying on web activities; spyware may also capture keystrokes (key-loggers) to steal valuable information such as credit card numbers, passwords or bank account information. Moreover, spyware may record the entire content of online activities and communication of a user (Wall, 2007a, p. 60).

Cybercriminals use secretly collected information to access the bank accounts and financial records, blackmailing people for extortion or in some cases the victim’s identity is used for fraudulent transactions (Wall, 2007a, p. 78).

Moreover, spyware uses the computer’s resources and may cause slowing of performance and crash down the computer. Once a spyware is installed on a computer, it may change the default system settings such as web browser home page or default search engine. It may also hijack the web session by taking a user to a different web site than what he/she typed in the web browser. Furthermore, once a spyware is installed, it can be

used as a launch base to download other malicious software such as Trojans, bots or backdoor components, thus a criminal can connect to an infected computer to send spam or to attack other potential targets on the Internet(Baskin & Piltzecker, 2006; Ming-Wei,

Yi-Min, Sy-Yen, & Yennun, 2007; Walker, 2006).

Adware, like spyware, is used to collect information about Internet users’ web- surfing habits and reports back to a remote point on the Internet so that information can be used for targeted advertisements through pop-up advertisements and messages (Bocij,

2006, p. 74). Adware, unlike spyware, is considered as semi-legitimate software (Baskin

& Piltzecker, 2006, p. 47) because it is installed with free programs by taking users consent with End User License Agreement (EULA). But in many cases people do not give attention to long EULA statements and are not aware of what they are receiving along with a free program (Baskin & Piltzecker, 2006; Ming-Wei, et al., 2007).

Moreover, although adware are supposed to collect anonymous data about the Internet usage, they may also be used to collect personally identifiable information which ties the information to specific individuals which raises concerns for the privacy of users (Bocij,

2006, pp. 74-75). For that reason, most of the studies list adware as a type of spyware and consider adware as malicious software (Bocij, 2006; Erbschloe, 2005; Hunter, 2005;

Shukla & Nah, 2005; Walker, 2006)

Spyware is usually installed on computers through piggybacking methods without users’ consent or knowledge. Bocij (2006, p. 77) lists four different methods used for spyware infection which are “drive-by downloads, bundling spyware with other

programs, making users believe that they are updating their systems, and offering free goods.”

Drive-by download, which is a very popular way of spyware distribution, refers to infection of spyware by just visiting a web site or clicking a pop-up advertisement which installs spyware by exploiting features or vulnerabilities of certain web browsers (Baskin

& Piltzecker, 2006; Bocij, 2006; Federal Trade Commission Staff Report, 2005; Hunter,

2005). Actually, cybercriminals exploit a legitimate feature of web browsers that is used to install plug-ins to see the content of visited web sites. However this feature of web browsers can be abused by cybercriminals (Bocij, 2006, p. 77). For instance, the

ActiveX technology, which is built into Microsoft’s Internet Explorer browser, can be used to install spyware by exploiting the vulnerabilities of the web browser (Federal

Trade Commission Staff Report, 2005; Hunter, 2005).

By applying patches that fix those vulnerabilities of web browsers or increasing security settings may prevent infection of malicious software. However, this is not the only way spyware infects computers. Spyware also comes bundled with free programs, shareware, or pirated software (Baskin & Piltzecker, 2006; Bocij, 2006; Hunter, 2005;

Ming-Wei, et al., 2007). For instance, when a computer user installs a program from a questionable source, spyware may also be installed along with that program, especially with freeware, shareware and Peer-to-Peer (P2P) file sharing programs. Some programs inform users about the embedded adware or spyware through the End User License

Agreement (EULA), but in many cases users do not read the lengthy EULA or even when

they read it, they may not understand what they are about to install (Baskin & Piltzecker,

2006; Hunter, 2005; Ming-Wei, et al., 2007).

The last two methods exploit the trust of users by persuading them to click on a link or to install software, which is advertised as a necessary and legitimate program. For instance, users may receive pop-up warning messages for malicious software infection that offers free online malicious software scanner or antivirus or antispyware programs.

When user clicks on the message either for accepting or rejecting, spyware is installed.

Similarly, users may be offered free services such as free samples, free entry for a lottery, free music, video or books (Bocij, 2006, p. 78).

No matter how spyware is installed on computer, it poses a wide range of threats, from annoying users to disclosing personal and financial information (Hunter, 2005), and they affect most of Internet users (Baskin & Piltzecker, 2006; Bocij, 2006; Hunter, 2005;

Walker, 2006). According to findings of Webroot4, which is an anti-spyware vendor, 89

percent of consumer computers are infected with spyware (Figure 3) whereas 59 percent are infected with adware (Figure 4) during the second quarter of 2006. Moreover, Bocij

(2006) reports on Harris a survey result of IT managers which shows that 92 percent of

respondents reported that their organization had problems with spyware infection.

4 http://www.webroot.com/resources/stateofspyware/excerpt.html

Figure 3: Spyware infection rate by quarter (Q) according to Webroot spyware scan data.5

As a response to the increasing threat of spyware, several laws have been enacted to outlaw spyware and adware dissemination and punish the writers and distributers. By the end of 2006, sixteen states enacted laws to deal with spyware problems (Sun, 2007).

Moreover, the Internet Spyware Prevention Act (I-SPY) of 2005, revised in 2007, was enacted at the federal level as an amendment to the Computer Fraud and Abuse Act of

1984 (Sun, 2007).

5 http://www.webroot.com/resources/stateofspyware/excerpt.html

Figure 4: Adware infection rate by quarter (Q) according to Webroot spyware scan data.6

The widespread and increasing threat of spyware also has led to the development

of a number of commercial anti-spyware programs (Ming-Wei, et al., 2007). Those

programs use the signature-based database, which is also used by anti-virus programs, to

find and remove unwanted spyware programs. Ming-Wei et al. (2007) suggest that

several different anti-spyware programs should be used to prevent threats posed by

spyware. Although some anti-virus programs also detect and clean spyware programs,

they are not as effective as anti-spyware programs (Feinstein, 2004). For protection from

spyware and adware, it is also recommended to use secure web browsers and to keep the

web browser security settings at higher level (Feinstein, 2004; Hunter, 2005).

Hunter (2005) also suggests using a firewall to prevent spyware infection.

Basically, there are two types of firewalls and hardware and software or personal firewall

(Hunter, 2005; Pfleeger & Pfleeger, 2003). Hardware firewalls are usually used for

6 http://www.webroot.com/resources/stateofspyware/excerpt.html

protection of computer networks, which control the incoming and outgoing network traffic to prevent the unauthorized access to the network. Software or personal firewalls, on the other hand, are installed on the personal computer and work like the hardware firewalls. Software firewalls are usually preferred by the home user since they are affordable and relatively easy to manage (Pfleeger & Pfleeger, 2003, p. 464). Software firewalls only allow the permitted connections in and out of the computer. It prevents unauthorized access from outside, running malicious codes on the computer without the permission of user (as in the case of Active X exploits mentioned above), or leakage of information stored on the computer (Hunter, 2005; Pfleeger & Pfleeger, 2003).

Thus, along with antivirus and antispyware programs, firewalls have potential to prevent any kind of malicious attacks. But as aforementioned, protection provided by those programs is limited. They need to be configured correctly and kept up to date for new threats to maintain the highest possible security. Everyday, new malicious software are released and the ability of these programs depends on having the signature of every known malicious software, so they can identify the threat and eliminate it (Cox, et al.,

2009; Pfleeger & Pfleeger, 2003; Wall, 2007a). Hallem-Baker (2008, p.5) asserts that

“By the time the ‘virus’ has been detected and analyzed, and ‘antivirus’ signatures has been distributed, the attack will already have reached tens of hundreds of millions of machines, and the attacker will be busy on his next attack.”

Thus, digital guardians in cyberspace provide a level protection, but they do not totally eliminate the threats. So, protection against spyware and all other cybercrime threats also requires Internet users to take precautions by not exposing themselves to risky situations by visiting unknown websites, downloading programs found through

search engines without making sure they are safe, and without reading EULA carefully

(Feinstein, 2004, p. 129). It is also important to keeping the operating system and software installed on the computer up to date for known vulnerabilities that can be exploited by cyber criminals (Cox, et al., 2009; Pfleeger & Pfleeger, 2003; Wall, 2007a).

Hypotheses

The first aim of this part of study is to examine factors that affect spyware and adware victimization by using the assumptions of routine activity and lifestyle exposure theories. As discussed above, spyware and adware use different methods to infect target computers. Both spyware and adware infection methods require individual actions either by visiting a website that surreptitiously installs spyware, or downloading a program, freeware or shareware, which contain spyware or adware. Thus online lifestyle of individuals plays a crucial role in individuals’ victimization by spyware and adware.

Moreover, digital security tools used by individuals may also determine their victimization risk. Existence of security tools such as firewalls, anti-virus and anti- spyware programs act as capable guardians to prevent spyware and adware infection.

Although current data does not provide information about whether respondents use anti- spyware or not, it provides information about firewall and anti-virus use of respondents.

Following the discussion in the risk perception and constrained behavior literature, the second aim of this part of the study is to examine how individuals perceive their online safety and how they modify their behavior as a result of personal victimization experiences. An individual who has previously been victimized or considers his/her self at risk of victimization may show constrained behavior by having

less social activities, using more security tools and taking more precautions (Cohen &

Felson, 1979; Ferraro, 1995; Hindelang, et al., 1978). Moreover, a person who has previously been victimized may feel at higher risk of victimization (Ferraro, 1995;

Hindelang, et al., 1978; Rader, et al., 2007).

In the light of current literature, this chapter presents a structural model in which the factors that affect victimization and responses to victimization in terms of risk perception and constrained behavior are examined by using structural equation modeling

(Figure 5). According to routine activity and lifestyle exposure theories, lifestyle or routine activity of individuals is one of the primary determinants of the victimization risk.

Moreover, Hindelang et al (1978) argue that differences in demographic characteristics of victims can be used to explain lifestyle differences of individuals. Lifestyles are the result of role expectations and structural constraints related to different demographic characteristics. By following these arguments, previous victimization studies have generally used the demographic variables such as age, gender, and education as indicators of different lifestyles or as control variables along with other variables related to lifestyle or routine activities of individuals (Miethe & Meier, 1994). Different than the previous studies, this study offers a model in which demographic variables are used to examine how they are related to online lifestyles of individuals which in turn influence the victimization risk.

Moreover, a limited number of cybercrime victimization studies have used the frequency of Internet use to measure exposure to victimization risk (Alshalan, 2006).

However, the frequency of Internet use may not directly affect victimization risk; in fact,

it may be seen as an indicator of online lifestyle. For instance, the risk of victimization for a person who only uses the Internet occasionally to access online library materials or to check emails is not same as the person who uses the Internet frequently for playing online games or downloading files. In that sense, this study uses the frequency of

Internet use as a factor that indicates individuals’ online lifestyle. It is proposed that when individuals use the Internet more frequently they are more likely to engage in leisure online activities, which in turn increases the risk of victimization.

As discussed in the third chapter, different lifestyles expose individuals to different victimization risks. For instance, in his study, Choi (2008) found that engaging in risky online activities increases the risk of cybercrime victimization. So, what directly affects the victimization is the lifestyle of individuals, which puts them in different victimization risk groups that share common demographic characteristics. In terms of the spyware and adware victimization, leisure online activities such as downloading programs or games from the Internet may expose people to risk of spyware or adware infection, whereas basic online activities such as checking emails or online shopping may expose individuals to less spyware and adware infection risk.

Another component of routine activity and lifestyle exposure theories that affects victimization is guardianship. In terms of spyware and adware infection, antispyware software is considered the most effective tool for prevention, detection and removal

(Feinstein, 2004; Hunter, 2005; Ming-Wei, et al., 2007). Unfortunately, the data used for the analysis does not contain information about whether respondents use any antispyware program. But, the data contain information about the antivirus program and firewall use

of respondents, which are still effective tools for protection against spyware and adware and other types of malicious software and cyber attacks. So, the effect of digital guardianship on victimization will also be examined in this chapter.

Along with the online lifestyles and guardianship, individuals’ knowledge about computer and Internet related terms is included into the analysis. Hu and Dinew (2005) argue that despite the threats posed by spyware many users do not worry about it and accept it in exchange of getting free programs, music, or video files or they are even not aware of the threats posed by spyware. Some users also tend to ignore those kinds of malicious software as long as their computer works without any problem by thinking that they have no valuable information stored on the computer (Hallam-Baker, 2008; Wall,

2007a). Thus, it can be argued that people who have better computer and Internet knowledge may be more aware of the threats that are posed by spyware and adware, and when people are aware of threats and of ways of eliminating threats, they may take necessary precautions to prevent those threats, which in turn reduce their victimization risks.

It is also expected that victimization by spyware and adware affects individuals risk perception and constrained behavior. Risk perception, as discussed above, is a cognitive judgment in which people calculate their own risk of victimization depending on their lifetime experiences and social environments which in turn affects individuals’ fear of crime (Ferraro, 1995; Rontree, 1998). So, it is proposed that online lifestyle, guardianship, and previous victimization affect individuals’ judgment about the

possibility of victimization which in turn affect individuals’ constrained behavior along with previous victimization experiences.

It should also be noted that cybercrimes’ impact upon victims varies from perceived harm to actual harm (Wall, 2007a, p. 144). For instance, some users may see an adware, which follows the web-surfing habits and reports to a remote server for targeted advertisement, as harmless, or they may even appreciate getting advertisements about the services or product they are looking for. On the other hand, some people consider the adware as a violation of their privacy. In that sense, a mediating variable, computer related problems, which could be caused by spyware and adware, is added to the analysis to test the direct and indirect effects of the spyware and adware victimization on risk perception and constrained behavior. The computer related problems variable is also used to show the effect of lifestyle, guardianship, and computer knowledge on having computer problems. Moreover, computer problems may also be indicators of malicious software other than spyware and adware, and these problems can be seen as the actual harm caused by any malicious software. In that sense, examination of computer problems could also provide information about factors that affect the victimization.

In the light of above discussions, the following hypotheses are proposed to examine factors affecting spyware and adware victimization along with risk perception and constrained behavior.

Hypothesis 3: Online lifestyle of individuals affects their spyware and adware victimization risk and the extent of their computer problems.

Hypothesis 4: Individuals who use digital guardians are less likely to be the victims of spyware and adware and are less likely to have computer problems.

Hypothesis 5: Individuals with better knowledge of computers, online threats, and Internet related terms are less likely to be victims of spyware and adware and are less likely to have computer problems.

Hypothesis 6: Individuals’ risk perception is affected by their own online lifestyle, previous victimization, use of digital guardians, and knowledge of computers, online threats, and Internet related terms.

Hypothesis 7: Individuals who have higher risk perception, have been the victims of spyware and adware and have experienced computer problems are more likely to change their online lifestyle in order to avoid future victimization.

Demographic Computer Characteristics Knowledge

Risk Age Gender Perception Education Income Online Lifestyle Spyware Computer Basic Adware Problems Leisure Internet Usage Frequency Constrained Behavior

Digital Guardianship

Firewall Antivirus

Figure 5: Structural Model for examining Spyware and Adware Victimization, Risk Perception and Constrained Behavior 98

Data

The analysis will be conducted by using survey data from the May-June 2005

Spyware Survey, which was collected by the PEW Research Center for the PEW Internet and American Life Project7, by employing structural equation modeling (SEM). The data

were collected through telephone interviews with a nationally representative sample of

2,001 adults living in the United States in households with telephones between May 4

and June 7, 2005. Most of the questions used for the analysis for this chapter were only

asked to those who use the Internet at home; 1,204 respondents reported that they use the

Internet at home. For that reason, home Internet users are the sample for the analysis and

other cases are deleted from the dataset. Thus, the universe for the analysis is comprised

of home Internet users.

After deleting non-home Internet users from the dataset, data are examined for the

missing cases. Missing cases can lead to biased results and because of that different

strategies can be followed to handle missing cases such as listwise deletion, pairwise

deletion, mean substitution or regression imputation (Acock, 2005; Byrne, 2001;

Schumacker & Lomax, 2004). Each strategy has its own strengths and weaknesses

depending on the pattern of missing data and the sample size. When there is small

number of missing cases, mean substitution is considered as the best choice, whereas a

regression imputation can be useful for handling a moderate number of missing cases

(Schumacker & Lomax, 2004, p. 26). Listwise deletion, on the other hand, is considered a

7 http://www.pewinternet.org/Shared-Content/Data-Sets/2005/MayJune-2005-Spyware.aspx

100

reasonable strategy if data are missing completely at random (MCAR)8 or missing at

random (MAR)9 and if there is a large sample size (Acock, 2005)

Missing data in the May-June 2005 Spyware Survey are examined by using the

Stata and SPSS statistical software packages. Most of the variables used in the analysis have a relatively small number of missing cases varying from 0 to 32 (see Appendix 2).

However, two variables, spyware and adware, have relatively more missing cases, respectively 98 and 74 (Appendix 2), which can still be considered as a relatively small number of missing cases. Moreover, the missingness in the data does not indicate any pattern that is related to any particular variable since it shows random distribution. So, missingness in the data can be considered as MCAR or MAR.

For the structural equation modeling analysis, the Mplus statistical software package is used. Mplus offers full estimated maximum likelihood imputation to fill the missing cases for continuous variables when the missingness is MCAR or MAR (Acock,

2005; Muthén & Muthén, 2007). However, the endogenous variables used in the analysis are either dichotomous or categorical variables, and full estimated maximum likelihood imputation cannot be used for estimating missing cases. For that reason, listwise deletion is used to clean missing cases from the data.

Listwise deletion eliminates of all cases that have a missing value on any variable used for the analysis. The only problem related to listwise deletion is losing the statistical power due to reduced number of cases (Acock, 2005; Byrne, 2001; Schumacker &

8 MCAR refers that “missingness is independent of both the unobserved and the observed values of all other variables in the data” (Byrne, 2001, p. 288). 9 MAR refers that “missingness is independent only of the missing values and not of the observed values of other variables in the data” (Byrne, 2001, p. 288).

101

Lomax, 2004). But, loss of statistical power is not considered a problem when the dataset is sufficiently large (Acock, 2005). Since, the study data have relatively large number of cases (1204), listwise deletion is used in order to obtain unbiased estimates, despite the reduced statistical power. After deleting the cases with missing cases, the sample size is reduced to 915.

Methodology

In this chapter, Structural Equation Modeling (SEM) will be used to examine the relationship between endogenous (dependent) and exogenous (independent) variables; a structural model will be tested in which factors that affect victimization and responses to victimization are analyzed by using Mplus 5.0 statistical software. Since indicators of measurement models and endogenous variables of the structural equation model are either dichotomous or categorical variables, the weighted least square method with adjusted mean- and variance chi-square (WLSMV) estimator, which is specifically developed for the analysis of dichotomous and categorical variables, is used for the estimation of models (Muthén & Muthén, 2007).

SEM is a statistical methodology that is used for testing hypotheses based on structural relations among latent and observed variables by taking a confirmatory approach(Byrne, 2001). As Byrne (2001, p.3) states,

“The term structural equation modeling conveys two important aspects of the procedure: (a) that the causal processes under study are represented by a series of structural (i.e., regression) equations, and (b) that these structural relations can be modeled pictorially to enable a clearer conceptualization of the theory under study. The hypothesized model can then be tested statistically in a simultaneous analysis of the entire system of variables to determine the extent to which it is consistent with the data. If the goodness of fit is adequate, the model argues for

102

the plausibility of postulated relations among variables; if it is inadequate, the tenability of such relations is rejected.”

In this study, SEM analysis is conducted in two main steps; validation of measurement models of study constructs and fitting the structural equation model

(Garson, 2009). In the first step, hypothesized measurement models (latent variables) are validated by using confirmatory factor analysis and if the model fit of the measurement model is acceptable then we move to the second step, testing the structural equation models (Garson, 2009).

The measurement model basically refers to a statistical analysis of the relationship between the latent variables and indicators of those latent variables. A latent variable, which is also called a factor or a construct, is the variable that cannot be measured or observed directly, but it can be inferred by other multiple indicators (Byrne, 2001;

Garson, 2009). Validation of measurement models of latent variables is carried out by employing confirmatory factor analysis (CFA) (Byrne, 2001; Garson, 2009; Schumacker

& Lomax, 2004). Confirmatory factor analysis, different than explanatory factor analysis, is conducted to validate hypothesized latent variables or factors, which are specified based on a theoretical framework and measured with a series of observed indicators

(Schumacker & Lomax, 2004).

Measurement models are tested by following the three steps suggested by Wan

(2002). In the first step, measurement models are identified based on the theoretical framework. In the second step, each measurement model is tested, and an assessment is made of how well both measurement models and structural models fit with the study data. In the third step, if the model does not fit with the study data, possible reasons are

103

examined and the model is modified to improve the model fit by making changes to the model based on the modification indices reported by Mplus 5.0 and by (2) eliminating the indicators that have factor loadings (standardized regression weights) below .40.

Modification indices give information about the possible decrease in the value of chi- square when a particular relationship between variables is established as suggested by the modification indices (Schumacker & Lomax, 2004). At each step, one relationship guided by theoretical considerations is added to the model between one pair of error terms that has the largest modification index value. This process is repeated until reaching a reasonably good model fit for measurement models.

After validating the measurement models, the structural equation model, which is also specified based on the theoretical framework, is tested (Byrne, 2001; Garson, 2009;

Schumacker & Lomax, 2004). The structural equation model is constructed by establishing relations or structural equations among exogenous (independent) and endogenous (dependent) latent and observed variables (Byrne, 2001; Garson, 2009;

Schumacker & Lomax, 2004). Different than multiple regression analysis, SEM allows construction of both regression and path models by using more than one dependent variable, and moreover both latent and observed variables can be used in SEM (Garson,

2009).

SEM not only tests the relationships among variables, but it also tests how well the theoretical model fits with the study data(Schumacker & Lomax, 2004). In order to assess the model fit, several different fit statistics are suggested in the SEM literature.

Since there is no generally accepted single criterion for model testing, it is usually

104

suggested to report at least three model fit statistics (Garson, 2009). In this study, the chi-square goodness of fit statistic, the normed chi-square statistic (Chi-Square/DF), the root mean square error of approximation (RMSEA), the comparative fit index (CFI) and the Tucker Lewis Index (TLI) are used for assessing the model fit of both the measurement models and the structural equation model (Table 3).

Table 3: Goodness of Fit Indices and Criteria Index Criterion Chi-square (x²) The discrepancy should be minimal Degrees of Freedom (df) greater than or equal to 0

P value a non-significant value (>0.05) is desired Normed chi-square (x²/df) smaller than 5.0 suggests a good fit

Tucker Lewis Index (TLI) >0.90 suggest a good fit

Comparative Fit Index (CFI) >0.90 suggest a good fit

Root Mean Squared Error of smaller than 0.05 Approximation (RMSEA) suggests a good fit

The chi-square goodness of fit statistic compares the differences between “the sample variance-covariance matrix and the reproduced implied covariance matrix”

(Schumacker & Lomax, 2004, p. 83). It is expected to have little difference between the sample variance-covariance matrix and the model variance-covariance matrix, so a smaller chi-square value and an insignificant p-value are desired for the good model fit.

105

However, the chi-square test may produce a biased result when the sample size is large

(above 200) (Schumacker & Lomax, 2004). When the sample size is large, in most cases, the chi-square test tends to reject the model by producing significant p-value (≥ .05). For that reason, researchers favor the normed chi-square statistic (chi-square/DF), which is the ratio of chi-square and degrees of freedom, to minimize the impact of a large sample size (Kline, 2005). Although there is no clear-cut suggestion about the cutoff point of normed chi-square, below 5.0 is generally accepted as indicator of a reasonable model fit

(Kline, 2005). Despite its limitations, it is also suggested to report the chi-square model fit index along with degrees of freedom and p value (Hooper, Coughlan, & Mullen, 2008;

Kline, 2005).

Hu and Bentler (1999) also suggest using both absolute and incremental model fit indices while assessing the model fit. Absolute fit indexes measure how well the model reproduce the sample data, whereas incremental fit indexes measure “the proportionate improvement in fit by comparing a target model with a more restricted, nested baseline model” (L.-T. Hu & Bentler, 1999, p. 2). According to Hu and Bentler (1999), it is useful to use the root mean square error of approximation (RMSEA) which is an absolute fit index along with the comparative fit index (CFI) and the Tucker Lewis Index (TLI), which are incremental fit indexes, to evaluate the model fit.

By taking the error of approximation into account, RMSEA measures how well the model would fit the data if unknown but optimally chosen parameter estimates were available and included into the model. Although a cut off value of RMSEA below .05 is suggested for good model fit, a value between .05 and .08 is also considered as an

106

acceptable level. According to Hu and Bentler (1999), RMSEA value below .06 can be accepted as the indicator of good model fit.

CFI, which is also known as the Bentler Comparative Fit Index, compares the sample covariance matrix with a null model and assumes all variables are uncorrelated

(Garson, 2009). The value for CFI ranges from 0 to 1, and a value close to 1 indicates a very good model fit. Generally, a CFI value greater than .90 is regarded as an indicator of acceptable model fit (Garson, 2009; L.-T. Hu & Bentler, 1999; Kline, 2005). TLI, on the other hand, is one of the statistics that are less affected by the sample size (Garson,

2009). TLI compares the proposed model with a null model and is scaled from 0 to 1 in which 0 indicates no fit and 1 indicates perfect fit (Schumacker & Lomax, 2004). Like

CFI, a TLI value greater than .90 indicates acceptable model fit (Garson, 2009; L.-T. Hu

& Bentler, 1999). Table 3 shows all the fit indexes and criteria used in this study.

Analysis Variables

In this section, endogenous and exogenous variables used in SEM analysis will be explained. Table 4 shows the descriptive statistics for both exogenous and endogenous variables. A correlation table for all the variables is presented in Appendix 3.

Endogenous Variables

Spyware and Adware

Spyware and adware are two of the main endogenous variables in the analysis.

They also serve as exogenous variables in explaining the risk perception and constrained behavior. Respondents were asked “As far as you know, have you ever had one of these

107

‘spyware’ programs on your home computer?” and “As far as you know, have you ever had one of these ‘adware’ programs on your home computer?” Two different dichotomous variables are created for spyware and adware and respondents whose computers are infected by spyware or adware are coded as “1” and non-infection is coded as “0” (see Table 4).

Computer Problems

The second endogenous variable is the computer problems that have been experienced by respondents on their main home computer. Computer problems are measured as a latent variable by using four dichotomous variables. Respondents were asked whether they have experienced any of the following problems on their home computers during the last year:

1. Computer has slowed down or is not running as fast as it used to

2. Computer started freezing up or crashing, requiring you to shut down or reset

3. Your internet home page changed without you resetting it

4. A new program appeared on your computer that you didn’t install or new

icons suddenly appeared on your desktop

The answer to each problem was coded as a dummy variable with 1 indicating the existence of a problem (Table 4). By using these four dummy variables, computer related problems is measured as a latent variable. Each of these problems may be related to any kind of malicious software or to a technical problem. So, this variable is used to examine the harmful effect of spyware and adware on computer problems and the effectiveness of security tools (firewall and virus protection) in preventing problems. Moreover, the

108

computer problems latent variable will serve as an exogenous variable when examining the mediating effects of computer problems on the risk perception and constrained behavior.

Risk Perception

Risk perception of the respondent is an observed variable and measured by using the survey question “how confident are you that you can keep things like computer viruses, spyware and adware off of your home computer when you want to?” and respondents were given the options “not at all confident, not too confident, somewhat confident, and very confident.” It is considered that respondents who feel very confident about keeping their computers safe from malicious software perceive themselves as lower victimization risk, whereas respondents who feel not at all confident perceive themselves at higher victimization risk. In order to capture levels of risk perception, the risk perception variable is coded between 1 and 4, wherein “1” indicates “very confident”

(indicating lower victimization risk perception) and “4” indicates “not at all confident”

(indicating higher victimization risk perception) (Table 4). Respondents who feel not at all confident about keeping their computers safe from malicious software perceive themselves at higher risk of victimization. So, the higher the confidence level, the lower the perceived risk of victimization level.

109

Table 4: Frequency and Descriptive Statistics for SEM Analysis

Variables Number of % Mean Standard Observatio Deviation ns Spyware No 549 60 .4 .49017 Yes 366 40 Total 915 100 Adware No 598 65.36 .34645 .47610 Yes 317 34.64 Total 915 100 Computer Problems Computer Slowing No 447 48.85 .51148 .50014 Down Yes 468 51.15 Total 915 100

Computer No 470 51.37 .48634 .50009 Freezing or Yes 445 48.63 Crashing Total 915 100

Home Page No 747 81.64 .18361 .38738 Changed Yes 168 18.36 Total 915 100

A new program No 680 74.32 .25683 .43712 appeared Yes 235 25.68 Total 915 100

Risk Perception 1 201 21.97 2.2175 .93071 2 431 47.10 3 166 18.14 4 117 12.79 Total 915 100

Constrained Behavior Stop Downloading No 687 75.08 .24918 .43278 Music and Video Yes 228 24.92 Total 915 100

Stop Downloading No 589 64.37 .35628 .47916 Programs Yes 326 35.63 Total 915 100

110

Stopped opening No 135 14.75 .85246 .35484 email attachments Yes 780 85.25 Total 915 100

Stopped visiting No 472 51.58 .48415 .50002 particular websites Yes 443 48.42 Total 915 100

Started reading No 393 42.95 .57049 .49528 user agreements Yes 522 57.05 Total 915 100

Started using a No 738 80.66 .19344 .39521 different internet Yes 177 19.34 web browser Total 915 100

Basic Online Activities E-mail No 40 4.37 .95628 .20457 Yes 875 95.63 Total 915 100 Online Shopping No 246 26.89 .73115 .44361 Yes 669 73.11 Total 915 100 Creating Web No 851 93.01 .06995 .25519 Blog Yes 64 6.99 Total 915 100 Reading Web No 647 70.71 .29290 .45534 Blog Yes 268 29.29 Total 915 100 Leisure Online Activities

Playing online No 575 62.84 .37159 .48349 games Yes 340 37.16 Total 915 100 Sharing files No 653 71.372 .28634 .45230 Yes 262 8.63 Total 915 100 Downloading No 747 81.64 .18361 .38738 video files Yes 168 18.36 Total 915 100 Downloading No 678 74.10 .25902 .43833 music files Yes 237 25.90 Total 915 100

111

Downloading No 518 56.61 .43388 .49588 programs Yes 397 43.39 Total 915 100 Downloading No 695 75.96 .24044 .42758 screensavers Yes 220 24.04 Total 915 100 Downloading No 717 78.36 .21639 .41201 games Yes 198 21.64 Total 915 100 Visiting adult No 795 86.89 .13115 .33775 websites Yes 120 13.11 Total 915 100 Downloading or No 878 95.96 .04044 .19709 sharing adult Yes 37 4.04 content Total 915 100 Computer Literacy Firewall Term 1 19 2.08 2.8273 .42964 2 120 13.11 3 776 84.81 Total 915 100 Internet Cookies 1 37 4.04 2.7137 .53436 Term 2 188 20.55 3 690 75.41 Total 915 100 Spyware Term 1 17 1.86 2.8415 .41316 2 111 12.13 3 787 86.01 Total 915 100 Adware Term 1 70 7.65 2.5202 .63485 2 299 32.68 3 546 59.67 Total 915 100

Phishing Term 1 118 12.90 2.2022 .64783 2 494 53.99 3 303 33.11 Total 915 100 Spam Term 1 9 0.98 2.9224 .302236 2 53 5.79 3 853 93.22 Total 915 100

112

Podcasting Term 1 194 21.20 1.9454 .60565 2 577 63.06 3 144 15.74 Total 915 100 RSS Feed Term 1 227 24.81 1.847 .56578 2 601 65.68 3 87 9.51 Total 915 100 Frequency of Internet 1 54 5.90 4.4809 1.4816 Use 2 49 5.36 3 126 13.77 4 152 16.61 5 242 26.45 6 292 31.91 Total 915 100 Firewall Protection No 380 41.53 .58470 .49304 Yes 535 58.47 Total 915 100 Virus Protection 0 94 10.27 2.4033 1.2544 1 127 13.88 2 210 22.95 3 284 31.04 4 200 21.86 Total 915 100 Age Between 43.071 15.1467 18 and 87 Gender Female 488 53.33 .46667 .49916 Male 427 46.67 Total 915 100 Race Non-white 488 53.33 .84153 .36538 White 427 46.67 Total 915 100 Education grades 1-8 5 0.55 4.9781 1.4813 grades 9-11 27 2.95 high school 212 23.17 technical 21 2.30 some college 268 29.29 college 238 26.01 post-grad. 144 15.74 Total 915 100

113

Constrained Behavior

The next endogenous variable is constrained online behavior, which is a latent variable and is measured by changes in online behavior of respondents. Respondents were asked, “Have you, personally, done any of the following to avoid getting unwanted software programs on your computer?”

1. Stopped downloading music or video files from peer-to-peer networks

2. Stopped downloading software programs from Internet websites

3. Stopped opening email attachments unless you are sure they are safe

4. Stopped visiting particular websites

5. Started reading user agreements more carefully before downloading or installing

new programs or files from the internet

6. Started using a different Internet web browser

Respondents were given three options to choose “Have never done this activity”,

“No, haven’t done this to avoid unwanted software”, and “Yes, have done this to avoid unwanted software”. The first two answers are coded as “0” and respondents who have changed the online activity to avoid unwanted software are coded as “1” (Table 4). Using confirmatory factor analysis, constrained behavior is measured as a latent variable.

Online Lifestyle

As mentioned above, some online activities, especially leisure online activities such as playing online games, downloading programs, music and video files (Choi, 2008;

Koksal, 2009), are considered risky because they increase the likelihood of victimization.

For this reason, measurement models include two latent variables (basic online activities

114

and leisure online activities) to measure the online lifestyle of respondents. These latent variables are used as main explanatory variables to examine the relationships with endogenous variables. Respondents were given a list of online activities and asked whether they use the Internet for following purposes. Those online activities separated into two different factors as basic and leisure online activities. The basic online activities are measured with:

1. Sending or reading e-mail

2. Buying a product online, such as books, music, toys or clothing

3. Creating a web log or “blog” that others can read on the web

4. Reading someone else’s web log or blog

Although, every online activity poses a different level of victimization risk, these activities are considered less risky activities in terms of spyware and adware infection, since the spyware and adware, as mentioned above, generally infect computers through installation of programs and drive by downloads through malicious web sites.

More risky leisure online activities are measured with:

5. Playing online games

6. Sharing files from your own computer, such as music, video or picture files, or

computer games with others online

7. Downloading video files onto your computer so you can play them at any time

you want

8. Downloading music files onto your computer so you can play them at any time

you want

115

9. Downloading computer programs from the Internet

10. Downloading screensavers from the Internet

11. Downloading computer games from the Internet

12. Visiting an adult website

13. Downloading or sharing adult content online.

These online activities pose more serious threats, since any kind of malicious software are often embedded in freeware or shareware programs, games, video files or music files or infect computers through the web sites that offer those kinds of materials for free.

A dummy variable is created for each online activity with “1” indicating that the respondents have used the Internet for that particular purpose (Table 4). These dummy variables are used to measure leisure online activities and basic online activities latent variables by using confirmatory factor analysis. It is expected that people who do more leisure online activities are more likely to be victims of spyware and adware and have more computer problems.

Computer Literacy

Respondents were asked whether they know what the terms “firewall, internet cookies, spyware, adware, internet phishing, spam, podcasting, and RSS feed” mean and for each term, they were give these option to choose: (1) never heard term, (2) not really sure what term means, and (3) yes, have good idea what term means (Table 4). Each indicator is coded between 1 and 3 wherein “1” indicates “never heard term” and “3”

“yes, have good idea what term means.” By using these indicators of knowledge about

116

cyber threats and Internet and computer related terms, computer literacy is measured as a latent variable. It is expected that people who have more knowledge about computers,

Internet and cyber threats are less likely to be victims of spyware and have less computer problems.

Exogenous Variables

Frequency of Internet Use

Pervious studies have shown that people who use the Internet more often are more likely to be victims of cybercrime (Alshalan, 2006; Choi, 2008), which is also implied by the findings in chapter four. So, frequency of Internet use may be related to spyware and adware victimization. Respondents were asked how often they go online from their home

(less often, every few weeks, 1-2 days a week, 3-5 days a week, about once a day, several times a day). The variable is coded as categorical variable wherein “1” indicates never and “6” indicates several times a day (Table 4). It is expected that people who go online more often expose themselves to more victimization risk, which in turn increases the likelihood of being victims of spyware and adware and having more computer problems.

Firewall Protection

Firewalls are programs that control incoming and outgoing network traffic, monitor all processes running on the computer, and require user permission for unknown activities (Pfleeger & Pfleeger, 2003). So, a firewall has the potential to prevent the execution of malicious software without the permission of the user. Respondents were asked whether they have a firewall program installed on their computers. The variable

117

was coded as a dummy variable with “1” indicating the existence of a firewall (Table 4).

It is expected that people who have firewalls installed on their computers are less likely to be victims of spyware and have less computer problems.

Virus Protection

Virus protection refers to the existence of anti-virus software on the computer.

Anti-virus programs are used for cleaning computer viruses from the computer and preventing computer virus infections. As mentioned above, although some anti-virus programs also detect and clean spyware programs, they are not as effective as anti- spyware programs (Feinstein, 2004). Since the data do not contain information about the usage of anti-spyware programs, only virus protection is included in the analysis as an indicator of capable guardianship along with firewall protection.

As also discussed above, the existence of anti-virus or anti-spyware is not enough for protection and those programs should be kept up to date for new threats to maintain the highest possible security (Cox, et al., 2009; Hallam-Baker, 2008; Pfleeger & Pfleeger,

2003; Wall, 2007a). For that reason two different questions are used to construct the virus protection variable. Respondent were asked whether they have an anti-virus program installed on their computers. Moreover, respondents who have anti-virus programs were asked how often the anti-virus program is updated and they were given the options (1) do not know, (2) less often, (3) weekly, and (4) daily. In order to measure the effectiveness of the virus protection, these variables are consolidated in one variable in which respondents who do not have virus protection are coded as “0”, and respondents who have virus protection and answered the second question are coded between 1 and 4

118

(Table 4) in which “1” indicates “do not know” and “4” indicates “daily” update.

Moreover, respondents who have the virus protection, but did not answer the second question also coded as “1.” It is assumed that people who have the anti-virus program and keep it more regularly up to date have better protection against malicious software. It is also expected that people who have better virus protection are less likely to be victims of spyware and adware and have less computer problems.

Demographic Variables

As discussed above, demographic characteristics of the people have been used in the literature to examine the differences between different demographic characteristics and as the indicators of different lifestyles that expose people to different victimization risk (Ferraro, 1995; Fisher, et al., 1998; Hindelang, et al., 1978; Rader, et al., 2007). For that reason, demographic variables of age, gender, race, education and income are also added to analysis (Table 4).

Age is a continuous variable that shows the respondent’s age. Gender is a dichotomous variable in which “0” indicates female and “1” indicates male. Race is also a dummy variable in which “1” indicates the person is white, “0” indicates non-white including African-American, Hispanic, and Asian.

Education is an ordinal variable which is classified as (1) elementary school(grades 1-8), (2) high school incomplete (grades 9-11), (3) high school graduate,

(4) technical, trade or vocational school after high school, (5) some college (includes associate degree), (6) college graduate, (7) post-graduate training/professional school after college.

119

Measurement Models

Computer Problems

The computer problems latent variable is measured with four indicators and confirmatory factor analysis is conducted to validate the hypothesized measurement model (Figure 6). In the confirmatory factor analysis, one indicator is chosen as a scale factor in order to obtain factor loadings estimates of other indicators. For that reason, while calculating the unstandardized regression coefficients, Mplus reports the scale factor indicator’s unstandardized regression coefficients as “1”.

Table 5 shows the confirmatory factor analysis results for hypothesized computer problems measurement model. All indicators are statistically significant and factor loadings (standardized regression estimates) are above .40. Although CFI and TLI model fit statistics are at expected levels, chi-square goodness of fit statistic, normed chi-square and RMSEA statistics indicates poor model fit (Table 5). For that reason, the hypothesized measurement model is revised to increase the model fit by using the modification indices reported by Mplus 5.0.

120

Computer Slowing Down .83

.78 Computer Freezing or Computer Crashing Problems .70 Home Page Changed .71

A new program appeared Figure 6: Hypothesized Computer Problems Measurement model

Based on the modification indices, error terms of the computer slowing down and computer freezing or crashing indicators are correlated (Figure 7). Since the computer slowing down and computer freezing or crashing indicators measures very similar computer related problem, their measurement error term might be related to each other.

Table 5 shows the results for the revised final model. Examination of revised computer problems measurement model shows that all indicators are statically significant at .05 level and all factor loadings (standardized regression estimates) are above .40.

The revised model also indicates better model fit over the hypothesized model.

Chi-square value decreased substantially and p-value became insignificant. RMSEA value decreased to .05, which is below the expected .06 level. CFI and TLI model fit indices also increased and report good model fit (Table 5). Consequently, revised computer problems measurement model shows an acceptable model fit and is validated as a measurement model for the latent construct of computer problems.

121

Slowing Down .66 .51

.60 Freezing or Crashing Computer Problems .77 Home Page Changed .81

A new program appeared

Figure 7: Revised Computer Problems Measurement model

Table 5: Parameter Estimates for the Hypothesized and Revised Computer Problems Measurement model Hypothesized Model Revised Model Indicator SRE URE P SRE URE P Slowing Down Computer .833 1.000 .660 1.000 Problems (.000) (.000) Freezing or Computer .775 .931 .00* .596 .904 .00* Crashing Problems (.072) (.079) Home Page Computer .696 .836 .00* .769 1.165 .00* Changed Problems (.062) (.114) A new .707 .849 .00* .808 1.224 .00* program Computer (.062) (.127) appeared Problems ↔Freezing .505 .305 .00* Slowing Down or Crashing (.055) Model Fit Indices

2 Chi-square (x ) 30.989 3.095 Degrees Of Freedom (df) 2 1 P value .000* .0786 2 Normed Chi-square (x /df) 15.495 3.095 Comparative Fit Index (CFI) .97 1 Tucker Lewis Index (TLI) .92 .99 Root Mean Square Error Of Approximation (RMSEA) .126 .05 Standard errors are in parenthesis. Note: U. R.W. = Unstandardized Regression Estimates; S. R. W. = Standardized Regression Estimates (Factor Loadings)

122

Constrained Behavior

As explained above, constrained behavior latent variable is measured with six indicators and confirmatory factor analysis is conducted to validate the hypothesized measurement model (Figure 8).Table 6 shows the confirmatory factor analysis results for hypothesized computer problems measurement model.

Stop Downloading Music and Video

77 Stop . Downloading .83 Programs

.50 Stopped opening Constrained email attachments Behavior .65 Stopped visiting particular websites .44

Started reading user agreements .35

Started using a different internet web browser

Figure 8: Hypothesized Constrained Behavior Measurement model

All indicators are statistically significant and factor loadings (standardized regression estimates), except “started using a different internet web browser” indicator, are above .40. Although normed Chi-square CFI, TLI and RMNSEA model fit statistics are at expected level, chi-square goodness of fit statistic indicates poor model fit (Table

123

6). To improve the model fit, hypothesized measurement model is revised by using the modification indices reported by Mplus 5.0.

Stopped Downloading Music and Video .37 .66 Stopped Downloading .76 Programs

.56 Stopped opening email attachments Constrained Behavior .65 Stopped visiting particular websites .41 Started reading user agreements

Figure 9: Revised Constrained Behavior Measurement model

Based on the modification indices, “stopped downloading music and video” with

“stopped downloading programs” are correlated (Figure 9). Since, both indicators are related to downloading files from the Internet, they might have correlated measurement errors. Even after revising the model, “started using a different Internet web browser” indicator was below.40 threshold and was removed from the model. Table 6 shows the results for revised final model. Examination of revised measurement model shows that all indicators are statically significant at .05 level and all factor loadings (standardized regression estimates) are above .40.

124

Table 6: Parameter Estimates for the Hypothesized and Revised Constrained Behavior Measurement Model Hypothesized Model Revised Model Indicator SRE URE P SRE URE P Stop Down. Constrained .767 1.000 .659 1.000 Mus.&Vid. Behavior (.000) (.000) Stop Down. Constrained .829 1.080 .00* .763 1.162 .00* Programs Behavior (.084) (.107) Stop opening Constrained .502 .654 .00* .560 .940 .00* attachments Behavior (.082) (.141) Stop visiting Constrained .652 .850 .00* .649 1.252 .00* websites Behavior (.067) (.176) Reading Constrained .443 .578 .00* .410 .838 .00* agreements Behavior (.068) (.123) Different Constrained .353 .460 .00* Web Browser Behavior (.073)

Stop Down. ↔Stop Down .374 .346 .00* Mus.&Vid Programs (.070) Model Fit Indices

2 Chi-square (x ) 27.440 5.806 Degrees Of Freedom (df) 8 4 P value 2 .000* .2141 Normed Chi-square (x /df) 3.43 1.45 Comparative Fit Index (CFI) .97 1 Tucker Lewis Index (TLI) .96 1 Root Mean Square Error Of Approximation (RMSEA) .052 .000 Standard errors are in parenthesis. Note: U. R.W. = Unstandardized Regression Estimates; S. R. W. = Standardized Regression Estimates (Factor Loadings)

125

The revised model also indicates better model fit over the hypothesized model.

Chi-square value substantially decreased and p-value became insignificant. RMSEA value, CFI and TLI model fit indices indicates nearly perfect fit (Table 6). Consequently, revised constrained behavior measurement model shows an acceptable model fit and is validated as a measurement model.

Online Lifestyle

Online lifestyle of respondents is constructed as a two-factor measurement model, which consists of basic and leisure online activities (Figure 10). Basic online activities include relatively safer online activities in terms of spyware and adware victimization such as reading or sending emails and online shopping. Leisure online activities, on the other hand, comprise relatively more risky online activities such as downloading music, video files or programs that expose individuals to more spyware and adware infection.

“Downloading or sharing adult content” indicator is excluded from the model since it showed tetrachoric correlation, which is used to check the correlation between two dichotomous variables (Garson, 2008), with “sending or reading e-mail”.

Figure 10 illustrates the hypothesized online lifestyle measurement model and

Table 7 shows the confirmatory factor analysis results. All indicators for both basic and leisure online activities factors are statistically significant and factors loading are above

.40. However, model fit indices indicates poor model fit and the model needs to be examined to further the model fit.

In order to improve the model fit, error terms of “playing online games” and

“downloading games” are correlated which has the highest modification indices value;

126

correlation between these indicators is meaningful since the both activities are similar activities (Figure 11). Table 7 shows the confirmatory factor analysis results for the revised online lifestyle measurement model. All indicators are statistically significant and all factors loading are above the .40. CFI, TLI, normed chi-square, and RMSEA model fit statistics indicate good model fit. On the other hand, although the value of chi-square substantially decreased, it still shows significant p-value that indicates poor model fit. As explained in the methodology section, chi-square values may yield higher values when the sample size is large. For that reason, it is suggested to use normed chi-square statistic

(chi-square/DF) to minimize the impact of large sample size (Kline, 2005). Since the normed chi-square value is 3.8, which is below the desired level, the chi-square goodness of fit statistic is ignored. Moreover, RMSEA and TLI, which are less sensitive to sample size, also indicate good model fit. Consequently, revised constrained behavior measurement model shows an acceptable model fit and is validated as a measurement model.

127

E-mail .50

.43 Online Shopping Basic Activities .82 Creating Web Blog

.80 Reading Web Blog

Playing Online .44 Games .62 Sharing files .44

.75 Downloading video files

Downloading .69 music files Leisure Activities .55 Downloading programs .43 Downloading .78 screensavers

Downloading .46 games

Visiting adult websites

Figure 10: Hypothesized Online Lifestyle Measurement model

128

.51 E-mail

.45 Online Shopping Basic Activities .80 Creating Web Blog .78 Reading Web Blog

.58 Playing Online Games .4 Sharing files .47 Downloading .80 video files

Downloading .73 .64 music files Leisure Activities .59 Downloading programs .59 Downloading games .48 Visiting adult websites Figure 11: Revised Constrained Behavior Measurement model

129

Table 7: Parameter Estimates for the Hypothesized and Revised Online Lifestyle Measurement Model Hypothesized Model Revised Model Indicator SRE URE P SRE URE P Email Basic .497 1.000 .509 1.000 Activities (.000) (.000) Online Basic .425 0.854 .00* .449 .882 .00* Shopping Activities (.222) (.221) Creating Web Basic .815 1.639 .00* .808 1.587 .00* Blog Activities (.380) (.359) Reading Web Basic .799 1.606 .00* .787 1.544 .00* Blog Activities (.381) (.354) Playing Leisure .622 1.000 .411 1.000 Online Games Activities (0.000) (.000) Sharing Files Leisure .437 .702 .00* .468 1.137 .00* Activities (.089) (.177) Downloading Leisure .747 1.200 .00* .795 1.933 .00* Video Files Activities (.097) (.247) Downloading Leisure .686 1.102 .00* .727 1.768 .00* Music Files Activities (.093) (.228) Downloading Leisure .553 0.889 .00* .589 1.434 .00* Programs Activities (0.087) (.199) Downloading Leisure .425 0.683 .00* .422 1.026 .00* Screensavers Activities (0.087) (.167) Downloading Leisure .779 1.252 .00* .588 1.431 .00* Games Activities (0.106) (.170) Visiting Adult Leisure .460 .740 .00* .480 1.168 .00* Websites Activities (.105) (.197) Basic ↔ Leisure .442 .137 .00* .494 .103 .00* Activities Activities (.035) (.027) Downloading ↔Playing .629 .463 .00* Games Online Games (.046) Model Fit Indices

2 Chi-square (x ) 224.997 143.391 Degrees Of Freedom (df) 39 38 P value 2 .00* .00* Normed Chi-square (x /df) 5.77 3.8 Comparative Fit Index (CFI) .84 .91 Tucker Lewis Index (TLI) .84 .91 Root Mean Square Error Of Approximation (RMSEA) .072 .055

130

Standard errors are in parenthesis. Note: U. R.W. = Unstandardized Regression Estimates; S. R. W. = Standardized Regression Estimates (Factor Loadings)

Computer Literacy

The last latent variable is computer literacy, which is measured with a series questions related to cyber threats, digital guardianship and Internet terms. Confirmatory factor analysis is conducted to validate the hypothesized measurement model (Figure

12).Table 8 shows the confirmatory factor analysis results. Although, all indicators are statistically significant and factor loadings (standardized regression estimates) are above

.40, all model fit indices indicate poor model fit. For that reason, the hypothesized measurement model is revised to increase the model fit by using the modification indices.

Firewall

.80 Internet Cookies .75 Spyware .86

.72 Adware Computer Literacy .55 Phishing .65

.62 Spam

.61 Podcasting

RSS Feed

Figure 12: Hypothesized Computer Literacy Measurement model

131

Based on the modification indices, error terms of “podcasting” and “RSS feed” terms are correlated, since both terms are related to similar types of web based news publishing tools. But after correlating these two indicators, their factor loading decreased to below .40. So, these two indicators are removed from the measurement model. After removing the podcasting and RSS feed, the model fit significantly increased. It is also worth emphasizing that after removing the podcasting and RSS feed indicators, the computer literacy latent variable only includes the terms that are related to different cyber threats and digital guardianship. In that sense, this variable can be also interpreted as the respondents’ knowledge about possible online threats and protection means against those threats.

Firewall

.83 Internet Cookies .82

Spyware .90

.75 Adware Computer Literacy .40 Phishing

.72 Spam

Figure 13: Revised Computer Literacy Measurement model

132

Table 8: Parameter Estimates for the Hypothesized and Revised Computer Literacy Measurement model Hypothesized Model Revised Model Indicator SRE URE P SRE URE P Firewall Term Computer .796 1.000 .832 1.000 Literacy (.000) (.000) Internet Computer .752 .945 .00* .820 .985 .00* Cookies Term Literacy (.036) (.038) Spyware Term Computer .865 1.087 .00* .898 1.079 .00* Literacy (.044) (.042) Adware Term Computer .721 .906 .00* .752 .903 .00* Literacy (.036) (.036) Phishing Term Computer .548 .688 .00* .395 .475 .00* Literacy (.044) (.052) Spam Term Computer .651 .818 .00* .712 .855 .00* Literacy (.061) (.060) Podcasting Computer .618 .777 .00* Term Literacy (.040) RSS Feed Computer .608 .764 .00* Term Literacy (.045) Model Fit Indices

2 Chi-square (x ) 491.413 18.094 Degrees Of Freedom (df) 13 8 P value .000* .0205 2 Normed Chi-square (x /df) 37.80 2.25 Comparative Fit Index (CFI) .81 1 Tucker Lewis Index (TLI) .79 1 Root Mean Square Error Of Approximation (RMSEA) .201 .032 Standard errors are in parenthesis. Note: U. R.W. = Unstandardized Regression Estimates; S. R. W. = Standardized Regression Estimates (Factor Loadings)

133

Table 8 shows the results for revised final model. After removing the two indicators, examination of revised measurement model shows that all indicators are statically significant at .05 level and all factor loadings (standardized regression estimates) are above .40.The revised computer literacy model also indicates better model fit over the hypothesized model. RMSEA value, CFI and TLI model fit indices indicates nearly perfect fit (Table 9). Consequently, revised constrained behavior measurement model shows an acceptable model fit and is validated as a measurement model.

Structural Equation Model

After the validation of measurement models, structural equation model (SEM), which consists of exogenous and endogenous latent variables as well as observed variables, is conducted. The structural equation model is presented by connecting variables based on the assumptions of routine activity and lifestyle exposure theories as explained in the hypotheses section of this chapter (Figure 14). After establishing the structural equation model, statistical analysis is conducted by using Mplus 5.0.

Figure 14 shows the structural equation model. In order to make the illustration simpler, indicators of latent variables are not included in the figure. Circles represent latent variable measurement models as validated in the previous section and rectangular shapes represent observed variables.

Table 9 shows the statistical results for the structural equation model10. Although,

normed chi-square (3.3) and RMSEA (0.050) model fit statistics indicate acceptable

model fit, chi-square (x2=844.985, Df =254 p value= 0.000), TLI (0.83) and CFI (0.83)

10 Analysis results for the indicators of measurement models are presented in Appendix 2.

134

show poor model fit. Thus, model fit indices provide partial support to the structural equation model.

There could be several reasons for obtaining partial support in the structural equation model. First, the current model may not include all relevant variables that can explain the structural relationship between the variables. For instance, use of anti- spyware, which is the primary and most effective guardianship against spyware and adware, is not included in the analysis. Moreover, the model does not include all previous cybercrime victimizations and computer related skills of individuals that may affect their risk calculation and constrained behavior.

The second reason could be related to measurement of variables. For instance, the measurement of computer literacy is limited to several terms related to computer and the

Internet, which may provide partial explanation of the endogenous variables. Similarly, measurement of online lifestyle is also limited to basic questions related to a limited number of online activities. Although, both computer literacy and online lifestyle measurement models show good model fit, they may provide partial explanations over the endogenous variables.

135

Literacy Gender Risk Perception Race

Basic Spyware

Education Computer Problems

Adware Age Leisure

Internet Usage Firewall Constrained Behavior Antivirus

Figure 14: Structural Equation Model 135

136

Table 9: Parameter Estimates for the Structural Equation Model

Indicator SRE URE P Gender Basic .045 .062 .348 Activities (.066) Race Basic .016 .031 .707 Activities (.082) Education Basic .224 .105 .005* Activities (.033) Age Basic -.177 -.008 .002* Activities (.003) Internet Basic .359 .168 .00* Usage Activities (.048) Gender Leisure .129 .141 .002* Activities (.045) Race Leisure -.111 -.167 .008* Activities (.063) Education Leisure -.094 -.035 .032* Activities (.016) Age Leisure -.385 -.014 .00* Activities (.002) Internet Leisure .256 .103 .00* Usage Activities (.019) Basic ↔ Leisure .450 .129 .002* Activities Activities (.041) Gender Computer .131 .289 .002* Literacy (.093) Race Computer .123 .370 .005* Literacy (.132) Education Computer .182 .135 .00* Literacy (.033) Age Computer -.233 -.017 .00* Literacy (.003) Basic Spyware .022 .040 .755 Activities (.128) Leisure Spyware .280 .637 .001* Activities (.184) Firewall Spyware .091 .229 .045* Protection (.115)

137

Virus Spyware .130 .129 .004* Protection (.045) Computer Spyware .449 .509 .00* Literacy (.082) Basic Adware -.049 -.099 .451 Activities (.132) Leisure Adware .390 .999 .00* Activities (.229) Firewall Adware .189 .539 .00* Protection (.122) Virus Adware .210 .235 .00* Protection (.049) Computer Adware .449 .574 .00* Literacy (.101) Spyware ↔ Adware .604 .604 .00* (.053) Basic Computer .003 .004 .970 Activities Problems (.095) Leisure Computer .043 .072 .608 Activities Problems (.140) Firewall Computer -.090 -.168 .073 Protection Problems (.094) Virus Computer -.031 -.023 .510 Protection Problems (.034) Computer Computer -.279 -.235 .002* Literacy Problems (.074) Spyware Computer .567 .421 .00* Problems (.091) Adware Computer .264 .174 .036* Problems (.083) Basic Risk -.102 -.190 .143 Activities Perception (.130) Leisure Risk -.287 -.681 .002* Activities Perception (.218) Firewall Risk -.200 -.528 .00* Protection Perception (.126) Virus Risk -.229 -.237 .00* Protection Perception (.050)

138

Computer Risk -.288 -0.340 .002* Literacy Perception (.108) Spyware Risk -.328 -.342 .032* Perception (.160) Adware Risk .463 .428 .002* Perception (.137) Computer Risk .492 .692 .00* Problems Perception (.176) Spyware Constrained -.332 -.343 .044* Behavior (.171) Adware Constrained .531 .487 .000* Behavior (.140) Computer Constrained .478 .667 .002* Problems Behavior (.218) Risk Constrained -.260 -.258 .002* Perception Behavior (.081) Model Fit Indices

2 Chi-square (x ) 844.985 Degrees Of Freedom (df) 254 P value 2 .00* Normed Chi-square (x /df) 3.3 Comparative Fit Index (CFI) .83 Tucker Lewis Index (TLI) .83 Root Mean Square Error Of Approximation (RMSEA) .050 Standard errors are in parenthesis. Note: U. R.E. = Unstandardized Regression Estimates; S. R. E. = Standardized Regression Estimates (Factor Loadings)

139

Results

In this section, findings are discussed and hypotheses are evaluated based on the analysis results of the structural equation model.

As discussed in the third chapter, differences in demographic characteristics of victims is explained by the different lifestyles associated with those demographic characteristics (Hindelang, et al., 1978) and victimization studies generally use the demographic variables as the indicator of different lifestyles (Miethe & Meier, 1994). In this study, rather than checking the effects of demographic variables on the victimization, demographic variables are used to examine how they are related to basic and leisure online activities (or on-line lifestyles) as proposed by Hindelang et al (1998).

According to structural equation model results, age has a negative significant effect on both basic (Ƅ 11= -.177) and leisure (Ƅ= -.385) online activities. This means that

older people engage in less basic and leisure activities, holding other variables constant.

This finding could be the result of the fact that older people are less likely to use the

Internet as found by the previous studies (Koksal, 2009; Mossberger, et al., 2003). So,

older people engage in less online activities, which in turn expose them to less

cybercrime victimization.

Gender has an insignificant effect on basic online activities, whereas it has a

significant positive effect on leisure (Ƅ=.129) online activities, which means that males

engage in more leisure online activities than females by holding other variables constant.

This finding is consistent with findings of Joiner and his colleagues (2005). They also

11 “Ƅ” represent standardized regression estimate and shows relative strength of the relationship.

140

found that males are more likely to use the Internet for leisure activities such as visiting game websites and downloading materials from the Internet.

Education has a statistically significant positive effect on basic online activities

(Ƅ= .224), which indicates that more educated individuals engage in more basic online

activities. Education, on the other hand, has a significant negative relationship with

leisure online activities (Ƅ=-.094), which means that when education level increases,

individuals engage in less leisure online activities.

Race, on the other hand, did not have significant relationship with basic online

activities, while it has significant negative effect on leisure online activities (Ƅ=-.111).

This suggests that white people engage in less leisure online activities than African-

Americans, Hispanic and Asians when holding the other variables constant.

Along with the demographic characteristics of the individuals, frequency of

Internet use is used to predict individuals’ online lifestyle. Frequency of the Internet use

has significant positive effects on both basic (Ƅ=.359) and leisure (Ƅ= .256) online

activities. When people connect to the Internet more frequently, they engage in more

basic and leisure online activities, which in turn influence their exposure to cyberspace

victimization risk.

Study results also indicate that demographic characteristics affect the individuals’

computer literacy. According to results, gender (Ƅ= .131), race (Ƅ=.123), and education

(Ƅ=.182) have significant positive relationships with the respondents’ knowledge of the

terms that are related to computers, online threats and the Internet. In other words, males,

whites, and more educated people have better knowledge of computers, online threats,

141

and Internet related terms. On the on the other hand, age (Ƅ= -.233) has a significant negative effect on computer literacy, which indicates that older people has less knowledge of computers, online threats, and Internet related terms.

One of the main purposes of this study is to examine effect of online lifestyle on the cybercrime victimization in light of routine activity and lifestyle exposure theories.

The structural equation model shows that the basic online activities latent variable has no significant effect on spyware, adware and computer problems. On the other hand, the leisure online activities latent variable has positive significant effects on spyware

(Ƅ=.280) and adware (Ƅ=.390) while it has no significant effect on computer problems. In other words, individuals who engage in leisure online activities are more likely to be victims of spyware and adware. Thus, leisure online activities increase the likelihood of both spyware and adware victimization by holding other variables constant.

Although leisure online activities do not have any direct effect on having computer problems, it may have indirect effect through spyware and adware since both spyware and adware have significant positive effects on computer problems, which means that individuals whose computer is infected by spyware and adware are more likely to experience computer problems. Thus, greater leisure online activities increase

the likelihood of spyware and adware infection, which in turn cause having computer

problems. In that sense, it can be argued that Hypothesis 3, which states that online

lifestyle of individuals affects their spyware and adware victimization risk and having

computer problems, is partially supported.

142

Hypothesis 4 is related to digital guardianship; it was expected that individuals who use antivirus and firewall as a digital guardians are less likely to be victims of spyware and adware and are less likely to have computer problems. However, structural equation model results do not support the hypothesis. Contrary to expectations, both firewall and virus protection have significant positive effects on spyware (Ƅ= .091and

Ƅ=.130 respectively) and adware (Ƅ= .189and Ƅ= .210respectively) victimizations,

whereas they do not have any significant effect on computer problems.

Hypothesis 5, which states that individuals with better knowledge of computers,

online threats, and Internet related terms are less likely to be the victims of spyware and

adware and are less likely to have computer problems, is partially supported by the

structural equation model results. It is expected that individuals who have better

knowledge about cyber threats, the Internet and computer related terms, are less likely to

be victims of spyware and adware. However, the results show that there are significant

positive relationships between the computer literacy latent variable and spyware (Ƅ=

.449) and adware (Ƅ= .449) victimization variables, which indicates that respondents who

have better knowledge are more likely to be victims of spyware and adware infection. On

the other hand, the computer literacy latent variable has a significant negative effect on

the computer problems, which indicates that individuals who have better knowledge are

less likely to experience computer problems.

In the light of the current literature, this study also aims to examine how

individuals perceive the risk of victimization in cyberspace. For that reason, Hypothesis 6

proposes that individuals’ risk perception is affected by their own online lifestyle,

143

previous victimization and use of digital guardians. It was expected that online lifestyle would affect individuals’ risk calculations. The structural equation model results do not reveal any significant relationship between risk perception and basic online activities, whereas results show that leisure online activities (Ƅ= -.287) has a significant negative effect on risk perception, which indicates that individuals who engage in leisure activities feel themselves at less risk of victimization.

The computer problems (Ƅ=.492) and adware (Ƅ= .463) variables, however, have significant positive effects on the risk perception (Ƅ=.509).So, individuals who experienced computer problems and reported being victims of adware infection feel less confident about keeping malicious software away from their computers, which suggests that they perceive themselves at more risk. On the other hand, spyware (Ƅ= -.328) has a negative effect on risk perception, which indicates that individuals who reported spyware infection on their computers have more confidence about keeping malicious software away from their computers, which suggests that they perceive themselves at less risk.

Digital guardians, firewall (Ƅ= -.200) and anti-virus protection (Ƅ=-.229), have significant negative relationships with the risk perception, which suggests that use of digital guardianship gives more confidence to individuals about keeping their computer free from malicious software. So, they perceive less victimization risk. In other words, individuals who use antivirus programs and firewalls as digital guardians feel less victimization risk. Similarly, the structural equation model results show that the computer literacy latent variable (Ƅ= -.288) has significant negative effect on risk perception. This means that individuals, who have better knowledge about cyber threats and Internet and

144

computer related terms, feel more confident about keeping malicious software away from their computers. In other words they feel less victimization risk. Thus, it can be argued that Hypothesis 6 is partially supported by the structural equation model results.

Hypothesis 7 proposed that individuals, who have higher risk perception and who have been the victims of spyware and adware and experienced computer problems, are more likely to change their online lifestyle in order to avoid future victimization. It was expected that individuals who have been the victims of spyware and adware are more likely to change their online lifestyle. According to the structural equation model results, adware victimization variable (Ƅ= .531) has a significant positive effect on constrained behavior, whereas spyware victimization variable (Ƅ= -.332) has significant negative

direct effect on constrained behavior. This suggests that individuals who have been the

victims of adware infection are more likely to change their online lifestyle by avoiding certain types of activities to prevent future victimization, while individuals who have been the victim of spyware infection are less likely to change their online behavior.

The computer problems latent variable (Ƅ= .478), on the other hand, has a

significant positive relationship with constrained behavior. Individuals who have

experienced computer problems are more likely to change their online lifestyle. This also

suggests that, despite spyware’s negative effect, spyware and adware victimizations also

have indirect effects on constrained behavior since they increase the likelihood of having

computer problems. In that sense, it can be argued that infection of spyware may not

provide enough incentive to change behavior unless they cause computer problems.

145

Finally, the structural equation model results show that risk perception (Ƅ= -.260) has a significant negative effect on constrained behavior, which indicates that individuals who have higher confidence about the keeping malicious software away from their computers (lower risk perception) are more likely to change their behavior. Thus,

Hypothesis 7 receives partial support according to the structural equation model results.

In the next chapter, these findings are discussed in more detail, along with the findings reported in chapter four. The implications of the findings of this study for routine activities and lifestyle theories are considered as are the public policy implications. Limitations and contributions of the overall study are discussed, and suggestions for future research are provided.

CHAPTER 6: CONCLUSION

Summary of Findings and Discussion

This study has examined the factors that affect cybercrime victimization, risk perception and constrained behavior in cyberspace by using the routine activity and lifestyle exposure theories. Cybercrime is a relatively new phenomenon and the empirical studies that focus on cybercrime are very limited as a result of the lack of data (Moitra,

2005). In that sense, this study has also aimed to contribute to the literature on this particular issue by applying the assumptions of routine activity and lifestyle exposure theories. Despite its limitations, both routine activity and lifestyle exposure theories have been successfully applied to examining cybercrime in several studies (Alshalan, 2006;

Choi, 2008; Holt & Bossler, 2009; Willison, 2002). As Yar (2005) points out, the application of routine activity theory into the cyberspace is limited and some assumptions related to physical place and timing of the crime that are developed to explain physical world situations may not be transposable to explain cybercrime. But routine activity and lifestyle exposure theories still have explanatory power for examining cybercrime as long as the differences between the real world crime and cybercrime are laid out properly.

This study has offered two different empirical chapters. In chapter four, computer virus and online harassment victimizations are examined by using the 2003 NCVS. The

NCVS data have limited variables that can be used to operationalize the assumptions of routine activity and lifestyle exposure theories. Despite its limitations, three explanatory

146

147

variables were used to analyze the effect of individuals’ exposure to cybercrime risk. The number of places that individuals use computers for personal purposes is used as the indicator of individuals’ frequency of Internet use and online activities. It is assumed that when individuals use the computer at more different places, they are more likely to spend more time using the computer to connect to the Internet and engaging in more online activities. Moreover, it is assumed that when individuals use the computer for personal purposes, they are more likely to engage in leisure online activities, which expose them to greater cybercrime victimization risk (Choi, 2008). The number of computers that individuals have is also used as the indicator of more frequent use of computers and the

Internet use, which in turn expose individuals to greater computer virus and online harassment victimization risk.

On the other hand, using the computer for operating a home-business is used as the indicator of relatively safer business related online activities, which in turn may reduce the risk of computer virus and online harassment victimizations. It is assumed that individuals who use the computer for business purposes are less likely to engage in leisure online activities, including using online chat-rooms, instant messengers or other online communication and socialization channels that may increase the likelihood of being the victim of online harassment.

The logistic regression analysis results show that when individuals use computers at more different places for personal purposes, they are more likely to become victims of computer viruses and online harassment. Moreover, individuals who own more computers are more likely to be victims of online harassment. Using the computer for

148

operating a home-business has no effect on either computer virus or online harassment victimization. Thus, it can be argued that using the computer for personal purposes increases the likelihood of being victim of virus infection and online harassment whereas using the computer for business purposes does not affect victimization. Although the operationalization of exposure to cybercrime is very limited, findings of the logistic analyses indicate that the routine activities and lifestyle exposure theories can be applied to cybercrime.

On the other hand, using the computer for personal purposes covers a wide range of online activities and, as measured in chapter 4, personal use does not provide information about the types of online activities expose individuals to greater cybercrime victimization risk. Given this concern, chapter five provides a more comprehensive examination of cybercrime by using Structural Equation Modeling (SEM) statistical analysis. In the SEM analysis, a structural model is proposed in which the factors that affect spyware and adware victimization are examined along with the factors that affect individuals’ risk perception and constrained behavior in the cyberspace.

Demographic variables are used to examine the effects of different demographic characteristics on variations in lifestyles, which in turn affect individuals’ victimization risks (Hindelang, et al., 1978; Miethe & Meier, 1994). In that sense, the first step in the

SEM analysis was to examine the effect of demographic characteristics on the types of online activities that individuals engage in. SEM analysis shows that older people engage in less basic and leisure online activities. On the other hand, education had different effects on basic and leisure online activities. The study results indicate that more

149

educated individuals are more likely to engage in basic online activities whereas less educated individuals engage in more leisure online activities. Moreover, males and non- whites are more likely to engage in leisure online activities than females and whites.

Thus, SEM results clearly show that demographic characteristics are related to different types of online activities. These findings are also consistent with the previous studies.

Joiner et al.(2005) found that males are more likely to engage in leisure online activities.

Moreover, Koksal (2009), and Mossberger et al. (2003) show that older people are less likely to use the Internet.

Different than the previous studies, frequency of Internet use is not used as the direct determinant of the risk of victimization, rather it is used merely as an indicator of online activities that users engage in by arguing that spending more time on the Internet may not directly affect individuals risk victimization unless they engage in leisure online activities which expose the individuals to greater victimization risk. SEM results show that frequency of Internet use increases the basic and leisure online activities, which in turn may increase the victimization risk. In other words, individuals who spend more time on the Internet are more likely to engage in more diverse activities, some of which may increase their victimization risk.

One of the primary aims of this study is to examine the factors that expose individuals to cybercrime victimization risk. In that sense, it is proposed that the type of online activities individuals engage in affects the risk level of being the victim of spyware and adware and of having computer problems. It is expected that leisure online activities, such as downloading music, video files or programs, should increase the risk of

150

victimization since those kinds of activities are generally exploited by cybercriminals to install malicious software on the targets’ computers. Findings suggest that leisure online activities increase the likelihood of being the victim of spyware and adware whereas they do not directly affect having computer problems. Besides, basic online activities have no significant effect on spyware, adware or computer problems. Thus, the results indicate that type of online activities determine the risk of cybercrime victimization and support the assumptions of routine activity and lifestyle exposure theories regarding the relationship between the victimization and lifestyle or routine activities of individuals.

Another important component of the routine activity theory is guardianship that can prevent victimization. In his analysis, Choi (2008) found that digital guardians such as firewalls and anti-virus software decrease the likelihood of victimization in cyberspace. However, SEM results show that using firewalls and virus protection positively affects the spyware and adware victimization. It is expected that virus protection and firewalls, or any other digital guardianship, should prevent cyber threats.

But the results are contrary to the expectations and to discussions in the computer security and cybercrime literature. So, there should be other explanations for the positive relationship between the digital guardianships and spyware and adware victimizations.

The first explanation is related to the data used in this analysis. As discussed in chapter three, studies show inconsistent results about the effect of guardianship and these inconsistent results are attributed to limitations of cross sectional data used in those studies, which do not capture clear temporal order among variables (Miethe & Meier,

1994, p. 51). Since the data used in this study are also a cross sectional, it may not

151

capture the real temporal order of victimization and use of digital guardianship. In other words, respondents who have been the victim of spyware and adware might start using the virus protection after the victimization in order to avoid possible future victimization.

In this case, victimization might cause the use of digital guardianship and this may explain why there is a significant positive relationship between the digital guardianship and spyware and adware victimization.

The second possible explanation is related to detection of spyware and adware. As explained above, different types of spyware and adware may show different attributes. In some cases, they show easily detectable symptoms such as installing new programs, slowing down the computer, hijacking the web browser, or showing pop up advertisements. Those kinds of spyware and adware may be easily detected without help of firewall, anti-spyware or anti-virus programs. But, in some cases, malicious software runs silently in the background without disturbing the user and effecting the computer’s operation, and they cannot be detected unless anti-spyware or anti-virus programs detect them. So, users may not be aware of the malicious software installed on the computer unless malicious software affects the computer’s operation or they are detected by digital guardians.

In that case, the question is how respondents know that their computer is infected by spyware or adware and report as such. Respondents who reported spyware and adware infection might give the answer based on the symptoms associated with spyware and adware or on the detection provided by anti-spyware or anti-virus. Hence, the positive relationships between the digital guardianship and spyware and adware victimizations

152

might be the result of detection of the existence of spyware and adware by those digital guardianships. In other words, respondents who use firewall and anti-virus programs and keep them up to date might be more likely to detect spyware and adware and report the infection. This discussion will be more evident below when the results for computer knowledge is discussed.

Respondents’ knowledge about cyber threats, Internet and computer related terms is also incorporated into the analysis as the social guardianship provided by the users themselves. It is expected that individuals who have better knowledge about cyber threats, Internet and computer related terms, are less likely to be victims of spyware and adware and have less computer problems. However, the results revealed that there are significant positive relationships between the computer literacy latent variable and spyware and adware victimization variables, which indicate that respondents who have better knowledge about the terms that are related to cyber threats, Internet and computer are more likely to be victims of spyware and adware infection. On the other hand, respondents’ computer knowledge has a negative significant effect on the computer problems, which suggests that individuals who have better knowledge of computers and

Internet related terms experience less computer problems.

Despite its negative effect on computer problems, the computer literacy latent variable has a positive effect on spyware and adware victimization. As in the case of virus protection, respondents who have better knowledge of the terms that are related to cyber threats, Internet and computers might detect the spyware and adware and they might be more likely to report the infection of spyware and adware. The positive

153

significant relations between variables might be the result of detection by respondents who have better knowledge. In a sense, this argument can be supported by the negative relationship between the computer literacy latent variable and computer problems latent variable. Although, computer literacy latent variable has significant positive relationships with both spyware and adware, it has a negative relationship with the computer problems latent variable. It can be argued that individuals who have better knowledge about the terms related to cyber threats, Internet and computer are more likely to detect the spyware and adware surreptitiously installed on their computers and eliminate the problems related those malicious software.

Actually, the way that the questions related to spyware and adware were asked to respondents may also explain why virus protection and computer knowledge have positive effects on spyware and adware victimization. Respondents were asked “As far as you know, have you ever had one of these ‘spyware’ programs on your home computer?” and “As far as you know, have you ever had one of these ‘adware’ programs on your home computer?” So, the ability of respondents to answer these questions depends on their ability to detect and know about the existence of malicious software.

Individuals who do not use anti-virus or firewall programs may fail to detect silent and sneaky spyware and adware that do not cause any detectable computer problems. As Wall (2007) points out, computer users tend to fail to show efforts to protect their computers from malicious software as long as their computer works without any apparent problems. So, when the computer works without any problem, users may think there is no malicious software installed on their computer. Hence, the individuals

154

who have better knowledge and use anti-virus or anti-spyware may be aware of the malicious software on their computer, and they can take necessary actions to remove the malicious software and prevent possible problems.

The results for the digital guardianships and computer literacy do not provide clear understanding of their relationship with the risk of cybercrime victimization. So, in order to understand the effect of the digital guardianships and computer literacy of individuals requires further evaluations.

The second aim of this study is to examine the factors that affect the risk perception of individuals. According to Ferraro (1995), individuals calculate their own victimization risk by looking at the cues from the social environment, their own lifestyles and previous victimization. In a similar way, it is expected that individuals calculate their own cybercrime victimization risk based on own online lifestyles, security tools that are used for protection and previous cybercrime victimization.

According to SEM results, adware victimization does not affect individuals risk perception, whereas spyware victimization negatively affects the risk perception, which indicates that individuals who reported being victim of spyware feel more confident about keeping their computers safe from malicious software. Moreover, contrary to expectations, leisure online activities have negative effects on the risk perception, which suggests that individuals who engage in leisure online activities do not feel themselves at risk.

On the other hand, the computer problems latent variable has a significant positive effect on the risk perception. In other words, individuals who experienced

155

computer problems feel less confident about keeping malicious software away from their computers, which suggests that they perceive themselves at more risk. Given that leisure online activities increase the likelihood of spyware and adware infection which in turn cause having computer problems, this may suggest that individuals who engage in leisure online activities and have reported spyware infection do not feel themselves at risk unless they experience computer problems. Moreover, this may also suggest that individuals who engage in leisure online activities may ignore the threats that are posed by spyware unless they cause problems; the pleasure that is given by those activities outweighs the minor annoyances caused by spyware unless they turn into bigger computer problems.

Similarly, in his study, Melde (2009) found that youths who have delinquent lifestyles do not consider themselves at higher risk of victimization, and he argues that delinquent youths do not perceive victimization risk unless they personally experience victimization.

The digital guardianships in the form of firewall protection and virus protection have negative effects on individuals’ risk perception, which suggests that individuals who use firewall and anti-virus feel more confident about keeping the malicious software away from their computers. Similarly, individuals who have better knowledge about cyber threats, Internet and computer related terms perceive less victimization risk. These findings suggest that individuals who use antivirus and firewall as digital guardianship and who have better computer knowledge feel more confident in keeping their computers free from malicious software, which in turn reduce their risk perception. So, as in the physical world, individuals calculate their own victimization risks based on cues from their experiences and environments.

156

Finally, the effect of previous victimization and risk perception on the individuals’ constrained behavior is examined. It is expected that individuals who have higher risk perception and previous victimization experience change their online behavior accordingly to avoid being victims of cybercrime. SEM findings suggest that individuals who reported being victims of adware and having computer problems are more likely to change their online behavior in order to avoid victimization, whereas individuals who reported being victims of spyware are less likely to change their behavior. As in the case of risk perception, spyware victimization may not affect individuals’ online lifestyle unless they cause computer problems. Individuals may accept annoyances caused by spyware as long as they do not cause any computer problems. Moreover, SEM analysis results indicate that individuals, who feel more confident about keeping their computer safe from malicious software, are more likely to change their online behavior.

Policy Implications

The Internet has become an integrated part of daily life. Individuals, institutions, business and national governments, especially in developed countries, are highly dependent on the Internet, computers and network technologies. Thus securing cyberspace and preventing cyber threats are important public policy issues (Dunn

Cavelty, 2007). Although attempts to create a safer online environment have been too slow to keep pace with the increasing online threats and their deterrent effects have been very limited, various policies and legislation have been developed and implemented to deal with cyber threats. Current cyber security policies are mostly shaped by concerns related to threats against critical national infrastructures and the economy (Dunn Cavelty,

157

2007). These security policies also address the role of individuals in maintaining the online security of those national assets. For instance, one of the priorities of President

Bush’s the National Strategy to Secure Cyberspace in 2003 was to increase the awareness of the individuals (Bush, 2003). Moreover, President Obama’s Cyberspace Policy

Review in 2009 (Obama, 2009) emphasizes the importance of the increasing awareness of the public to secure cyberspace.

As discussed above, the human factor plays a crucial role in preventing cyber threats, since most of cybercrimes exploit the trust and routine activities of individuals or the failure of the users to take necessary precautions that may prevent threats, such as visiting unknown web sites where malicious software can be installed on computer surreptitiously or not using any digital guardians. Hallam-Baker(2008, p. xix) assert that;

“Internet crime is about people. Money is the means; technology is merely an end. Some Internet criminals are world-class technology experts, but rather fewer than you might expect. Most Internet criminals are expert in manipulating and exploiting the behavior of people rather than machines.”

Moreover, the online security of individuals not only affects them, but also affects other people, institutions, and governments. A piece of malicious software installed on a person’s computer may not necessarily be a threat for that person or it may give little or no harm, but at the aggregate level, it may pose a greater threat to the security of a nation.

For instance, one of the serious security threats in cyberspace is the botnet, which is derived from “robot networks” and refers to networks of compromised and controlled computers by cybercriminals without owners’ knowledge and consent. Botnets are used to launch automated attacks such as distributed denial of service (DDOS) to business and government websites and networks (Dunham & Melnick, 2009). One infected computer

158

may not be enough to launch an attack to a well-guarded institution or government network, but thousand or even millions of infected computers that are controlled by cyber criminals may pose serious threats to national security. One of the most prominent and recent example of this type of threats is the denial of service attack that was launched against the Estonian government’s and financial institutions’ web sites, including web sites of the President, Parliament, news media, and larger banks (Hansen & Nissenbaum,

2009). The attack against the Estonian government and institutions caused the disruption of email systems and online banking services (P. Finn, 2007). Although the Estonian government blamed Russia for the attack, the original source of attack could not be identified (Hansen & Nissenbaum, 2009) since the cyber criminals used a botnet to launch the attack which included thousands of infected computers from nearly 50 different countries including the United States (Hansen & Nissenbaum, 2009).

This is a very good example of how an individual’s infected computer can be a serious threat to national security and individuals at the aggregate level. For that reason, understanding the factors that affect victimization in cyberspace is an essential step in creating effective prevention measurements. In that sense, findings of this study provide support for the current policy strategies and show that increasing the awareness and knowledge of individuals about cyber threats and protection methods prevents damage caused by those threats. SEM results indicate individuals who have better knowledge of computer and Internet related terms are less likely to experience computer problems.

Moreover, although it requires further examination, when the positive relationships of the digital guardians (firewall and anti-virus protection) and computer knowledge with

159

spyware and adware victimization are attributed to detection provided by the digital guardians and to individuals who have better computer knowledge, it becomes more evident how important digital guardianship and knowledge of individuals are for detecting possible threats and for preventing problems and harm associated with these threats.

The Internet creates a great deal of opportunities for criminals to commit crime by allowing criminals to conceal their identities, making it easier to commit crime and making investigation and prosecution of the crime harder and more complex (Moitra,

2005; Speer, 2000). But Internet users are not totally defenseless against cybercrime.

There are certain ways to avoid victimization, for instance to prevent possible virus infections people might use anti-virus programs, or to prevent unauthorized access to their computers people can use firewalls(Hallam-Baker, 2008). Moreover, people may engage in safer online activities by avoiding risky activities such as visiting unknown websites, downloading programs and games from unknown sources (Choi, 2008).

People, however, may prefer to engage in risky online activities with or without knowing the threats posed by those risky activities. They also may not be aware of all tools that can be used against cyber threats, or even when they know about and have those tools, they may not be able to use those tools properly. In that sense, it becomes necessary to increase the awareness and knowledge of Internet users about cyber threats and protection means (Grabosky & Smith, 2001; Hallam-Baker, 2008; Q. Hu & Dinev,

2005; Thompson, 2005).

160

Increasing the awareness of the users, however, is not sufficient for prevention; it is also necessary to inform individuals how to protect themselves from various threats

(Hallam-Baker, 2008, p. 12). The current attempts to increase public awareness, unfortunately, are limited to informing the public about possible threats and encouraging them to take more precautions, but they do not provide a systematic way to increase individuals’ knowledge about how to keep their computers safe. Moreover, current curriculum for K-12 education does not expose students to enough knowledge about the computer technologies (National Research Council, 2009) which also hinder the attempts to increase the awareness about the cyber threats and capabilities of individuals dealing with those threats.

For that reason, while increasing the awareness of individuals, it is important to provide information about the basic ways of keeping the computer secure and avoiding online activities that put individuals at greater victimization risk. Today, most of the security tools do not require advanced computer knowledge, and ordinary computer users can easily use them. But this requires the initiative of users, and individuals may take that initiative only when they are aware of the possible threats and how to use protective means to avoid these threats. Thus, it becomes very important to educate individuals beginning at an early age. One way of achieving this is to expose students to knowledge of computer security and how to avoid cyber threats through safer online activities by developing curriculums that address those issues.

On the other hand, increasing the awareness and educating all Internet users requires continuous effort and it may only be effective in the long term since it would not

161

be possible to reach all Internet users in a short period of time. Moreover, Geer(2007, p.

29) argues that “Adam Smith’s ‘invisible guiding hand’ will not push the Internet toward order and security, because the players are in a classic prisoners dilemma: the self interest of each player leads to a result that is bad for the common good.” Moreover, as Wall

(2007) and Bradley (2010) point out, individuals may fail to take necessary precautions and to use digital security tools thinking that they have nothing valuable stored on their computer, but the computer itself is valuable for the cybercriminals. Cybercriminals do not use their own computers for committing cybercrime. Rather, they use compromised computers to send spam or launch attacks on other individuals or institutions (Bradley,

2010; Hallam-Baker, 2008). So, the ignorance of individuals may not directly affect the individuals’ themselves, but it affects the overall security of cyberspace. For that reason, regulating Internet use by either forcing the users to use some basic security tools such as anti-virus, anti-spyware and firewall or forcing the market to supply computers with pre- installed security tools may provide improved overall online security in the short term.

Although regulating the Internet is a controversial issue and may receive a lot of objections from cyber liberty groups, requiring the Internet users to use basic security tools does not directly invade the privacy and liberty of individuals, and it can be seen as essential basic prevention of cyber threats for both individuals and society. It also may not put a financial burden on individuals since there are a number of free security tools that can be used for protection. For instance, Microsoft provides free virus and malware protection programs that can be used with Windows operating systems and most of the commercial personal firewalls’ basic versions can be used for free.

162

On the other hand, the presence of electronic guardians is not enough to keep computers and networks secure from cyber threats. As discussed in chapter three, protection provided by electronic guardians are limited to known cyber threats and attacks and their effectiveness depends on keeping those guardians routinely up to date and employed correctly (Cox, et al., 2009). Moreover, digital guardians do not provide protection for cyber threats that exploit the trust of individuals such as phishing or online frauds (Bradley, 2010). So, it is still very important to increase the awareness and knowledge of Internet users in order to achieve better protection.

Finally It should also be noted that regulating the Internet should not sacrifice the privacy of individuals and should not undermine the values (innovation, trust, openness and equity) associated with the Internet (Margetts, 2009). By understanding the concerns about the privacy, in his May 29th, 2009 speech on securing the cyber infrastructure,

President Obama emphasize that

“Our pursuit of cyber security will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans. Indeed, I remain firmly committed to net neutrality so we can keep the Internet as it should be -- open and free.”12

Contribution of the Study

This study contributes to the limited empirical studies that examine cybercrime

victimization. Based on the results of two different analyses, this study also provides partial support to the applicability of the assumptions of routine activity and lifestyle exposure theories to cybercrime. Study results show that as in the real world, different

12 http://www.whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure

163

lifestyles in the cyberspace are associated with higher victimization risk. By using a more general indicator of online lifestyle, the analysis of computers virus and online harassment victimization shows that personal use of the computer exposes individuals to more computer virus and online harassment victimization risk.

In the spyware and adware victimization analysis, better measurements are used for distinguishing basic and leisure online activities that expose individuals to different victimization risks. SEM results indicate that leisure online activities increase the likelihood of spyware and adware victimization and of having computer problems.

Although findings in this study do not directly provide support for the effect of digital guardianship in terms of cybercrime prevention, the results may indicate that digital guardianship increases the detection of malicious software, which in turn may indirectly prevent the future problem associated with malicious software. Findings related to digital guardianship need further examination.

Rather than employing separate analyses for each dependent variable, this study provides a comprehensive analysis of the factors that affect cybercrime victimization, risk perception and constrained behavior by establishing a structural equation model among variables in which structural relationships between variables are examined. Thus, by using the SEM analysis, this study is able to test the assumptions of routine activity and lifestyle exposure theories as proposed by Hindelang et al. (1998) and Cohen and Felson

(1979). For instance, similar studies use the demographic variables either as the indicator of the lifestyles of individuals or as control variables along with other variables that measure lifestyles and routine activities (Miethe & Meier, 1994). In this study,

164

demographic variables are used as the factors that affect online lifestyle, which in turn expose the individuals to victimization risk as suggested by Hindelang et al (1998).

Limitations of the Study

The NCVS survey which is used for the analysis of the computer virus and online harassment provides very limited information for operationalizing the assumptions of the routine activity and lifestyle exposure theories. For that reason, rather than directly measuring the risk exposure through online lifestyle of respondents, three proxy variables are used as indicators of risk exposure and online lifestyles of respondents. So, the results provided by the analysis are limited and need further examination by using proper data that contain direct measurements of related variables.

Although, May-June 2005 Spyware Survey used in the fifth chapter provides information for direct measurement of online lifestyle and digital guardianship, there could be a better set of variables that give detailed information about online activities and digital guardianship. For instance, variables used for measuring basic and leisure online activities give only basic information about whether respondents engage in those activities. However, it would be more accurate to have more information for each online activity. For example, rather than only asking whether individuals download programs, games, music or video files, it would be more useful to ask a series of questions about the source of downloading those files, such as whether they used legitimate means to download those files or whether they download pirated programs, games, music or video files.

165

Moreover, it should also be noted as a limitation that both datasets used in this analysis utilize self report surveys with the inherent problems that respondents may prefer to conceal the information that are asked about, or they may give incorrect information for various reasons. For instance, individuals may not want to report that they access adult web sites or download adult content from those web sites.

Future Research Suggestions

Studying cybercrime victimization is a challenging issue since there is not enough data that covers or reveal every aspect of cybercrime victimization. As Moitra (2005) and

Wall (2007) point out, there are limited data about cybercrime and cybercrime victimization. Despite its limitations, the NCVS is the only ongoing nationwide data source on cybercrime victimization. However, questions related to cybercrime victimization were removed from the survey beginning in the third quarter of 2004. It would be helpful to keep the cybercrime related questions in the survey by including additional questions related to Internet use and digital guardianship. On the other hand, it might be more useful to have a separate survey that solely focuses on the cybercrime victimization. Thus, it could be more flexible and could easily be adjusted according to changing cyber threat trends.

The analysis of spyware and adware victimization showed that the relationship between digital guardianship and cybercrime victimization might not be captured with cross-sectional data. Using longitudinal data may provide a better understanding of the relationship between the digital guardianship and cybercrime victimization.

166

Moreover, technical aspect of cybercrime may create challenges since it may not be captured through survey questions. While collecting data on cybercrime victimization, especially about malicious software, relying on the respondents’ answers may not provide accurate information since their ability to answer the question correctly depends on the ability of the respondents to detect these problems. In order to overcome this shortcoming, better data collection methods should be used by researchers. For instance, along with employing the survey, respondents’ computers could be scanned by IT security professionals in order to identify the problems that cannot be detected by respondents. Thus, the data can be obtained about the users’ ability to detect the problem and the real scope of the problem.

References

Acock, A. C. (2005). Working With Missing Values. Journal of Marriage and Family, 67, 1012–1028.

Akers, R. L. (1985). Deviant behavior : a social learning approach (3rd ed.). Belmont, Calif.: Wadsworth Pub. Co.

Alshalan, A. (2006). Cyber-Crime Fear and Victimization: An Analysis of a National Survey. Mississippi State University, Mississippi.

Anthony, S., & Huang, W. (2009). Nature and Distribution of Phishing. In F. Schmalleger & M. Pittaro (Eds.), Crimes of the Internet (pp. 191-205). Upper Saddle River, N.J.: Prentice Hall.

Arnold, R., Keane, C., & Baron, S. (2005). Assessing Risk of Victimization through Epidemiological Concepts: An Alternative Analytic Strategy Applied to Routine Activities Theory. Canadian Review of Sociology & Anthropology, 42, 345-364.

Balkin, J. M., & Kozlovski, N. (2007). Cybercrime : Digital Cops in a Networked Environment. In J. M. Balkin, J. Grimmelman, E. Katz, N. Kozlovski, S. Wagman & T. Zarky (Eds.), Cybercrime : Digital Cops in a Networked Environment (pp. 107-134). New York: New York University Press.

Baskin, B., & Piltzecker, T. (2006). Combating spyware in the enterprise. Rockland, MA: Syngress.

Bocij, P. (2006). The Dark Side of the Internet: Protecting Yourself and Your Family from Online Criminals. Westport, CT: Praeger Publishers.

Bradley, T. (2010). How to Stop 11 hidden security threats and how to stop them. PCWorld. Retrieved from http://www.pcworld.com/article/187199/how_to_stop_11_hidden_security_threat s.html

Brenner, S. W. (2001). Defining Cybercrime: A Review of State and Federal Law. In R. D. Clifford (Ed.), Cybercrime: The Investigation, Prosecution and Defense of a Computer-Related Crime (pp. 11-69). Durham: Carolina Academic Press.

167

168

Brenner, S. W. (2004a). Toward a Criminal Law for Cyberspace: A New Model for Law Enforcement? Rutgers Computer and Technology Law Journal, 30(1).

Brenner, S. W. (2004b). Toward a Criminal Law for Cyberspace: Distributed Security. Boston University Journal of Science & Technology Law, 10(2).

Brenner, S. W., & Clarke, L. L. (2005). Distributed Security: Preventing Cybercrime. The John Marshall Journal of Computer & Information Law, 4.

Bush, G. (2003). The National Strategy to Secure Cyberspace.

Byrne, B. M. (2001). Structural equation modeling with AMOS : basic concepts, applications, and programming. Mahwah, N.J.: Lawrence Erlbaum Associates.

Cangemi, D. (2004). Procedural Law Provisions of the Council of Europe Convention on Cybercrime. International Review of Law Computers, 18(2), 165–171.

Castells, M. (2002). The Internet galaxy : Reflections on the Internet, Business, and Society. Oxford ; New York: Oxford University Press.

Choi, K.-S. (2008). Computer Crime Victimization and Integrated Theory: An Empirical Assessment. International Journal of Cyber Criminology, 2(1), 308-333.

Clarke, R. V. (1995). Situational Crime Prevention: The University of Chicago Press.

Clarke, R. V., & Felson, M. (1993). Routine activity and rational choice. New Brunswick, NJ: Transaction Publishers.

Clifford, R. D. (2001). Cybercrime : the investigation, prosecution, and defense of a computer-related crime. Durham, N.C.: Carolina Academic Press.

Cohen, J. (1988). Statistical power analysis for the behavioral sciences (2nd ed.). Hillsdale, N.J.: L. Erlbaum Associates.

Cohen, L. E., & Felson, M. (1979). Social Change and Crime Rate Trends: A Routine Activity Approach. American Sociological Review, 44(4), 588-608.

Cohen, L. E., Kluegel, J. R., & Land, K. C. (1981). Social Inequality and Predatory Criminal Victimization: An Exposition and Test of a Formal Theory. American Sociological Review, 46(5), 505-524.

Cook, P. J. (1986). The Demand and Supply of Criminal Opportunities. Crime and Justice, 7, 1-27.

169

Cox, R. W., Johnson, T., & Richards, G. E. (2009). Routine Activity and Internet Crime. In F. Schmalleger & M. Pittaro (Eds.), Crimes of the Internet (pp. 302-316). Upper Saddle River, N.J: Prentice Hall.

Cunningham, J. B., & McCrum-Gardner, E. (2007). Power, effect and sample size using GPower: practical issues for researchers and members of research ethics committees. Royal College of Midwives-Evidence-Based Midwifery Retrieved from http://findarticles.com/p/articles/mi_6862/is_4_5/ai_n28470198/?tag=content;col 1

Dunham, K., & Melnick, J. (2009). Malicious bots : an inside look into the cyber- criminal underground of the internet. Boca Raton: CRC Press.

Dunn Cavelty, M. (2007). Cyber-security and threat politics : US efforts to secure the information age. Milton Park, Abingdon, Oxon ; New York: Routledge.

Ellison, L. (2001). Cyberstalking: Tackling harassment on the Internet. In D. S. Wall (Ed.), Crime and the Internet. London and New York: Routledge, Taylor and Francis Group.

Erbschloe, M. (2005). Trojans, worms, and spyware : a computer security professional's guide to malicious code. Amsterdam ; Boston: Elsevier Butterworth Heinemann.

Federal Trade Commission Staff Report (2005). Spyware Workshop: Monitoring Software On Your Pc: Spyware, Adware, And Other Software Available from http://www.ftc.gov/os/2005/03/050307spywarerpt.pdf

Feinstein, K. (2004). How to Do Everything to Fight Spam, Viruses, Pop-Ups & Spyware. New York: McGraw-Hill/Osborne.

Felson, M. (1998). Crime and everyday life (2nd ed.). Thousand Oaks, Calif.: Pine Forge Press.

Ferraro, K. F. (1995). Fear of crime : interpreting victimization risk. Albany, NY: State University of New York Press.

Finn, J. (2004). A Survey of Online Harassment at a University Campus. J Interpers Violence, 19(4), 468-483.

Finn, P. (2007, May 19). Cyber Assaults on Estonia Typify a New Battle Tactic. The Washington Post,

170

Fisher, B. S., Sloan, J. J., Cullen, F. T., & Chunmeng, L. (1998). Crime in the Ivory Tower: The Level and Sources of Student Victimization. Criminology, 36(3), 671-710.

Furnell, S. (2002). Cybercrime: Vandalizing the Information Society: Addison-Wesley: A Pearson Education book.

Garofalo, J. (1979). Victimization and the Fear of Crime. Journal of Research in Crime and Delinquency, 16(1), 80-97.

Garson, G. D. (2008). Correlation. Retrieved from http://faculty.chass.ncsu.edu/garson/PA765/correl.htm

Garson, G. D. (2009). Structural equation modeling. Retrieved from http://faculty.chass.ncsu.edu/garson/PA765/structur.htm

Geer, D. E. (2004). The Physics of Digital Law. Paper presented at the Plenary Speech at the Digital Cops in a Virtiual Enviroment Conference, Information Society Project.

Geer, D. E. (2007). The Physics of Digital Law: Searching for Counterintuitive Analogies. In J. M. Balkin, J. Grimmelman, E. Katz, N. Kozlovski, S. Wagman & T. Zarky (Eds.), Cybercrime : Digital Cops in a Networked Environment (pp. 107-134). New York: New York University Press.

Goodman, M. D. (1997). Why the Police Don't Care About Computer Crime. Harvard Journal of Law and Technology, 10, 465-494.

Goodman, M. D., & Brenner, S. W. (2002). The Emerging Consensus on Criminal Conduct in Cyberspace. International Journal of Law and Information Technology, 10(2), 139-223.

Grabosky, P. N. (2001). Virtual Criminality: Old Wine in New Bottles? Social & Legal Studies, 10(2), 243-249.

Grabosky, P. N., & Smith, R. (2001). Telecommunication fraud in the digital age: The convergence of technologies. In D. S. Wall (Ed.), Crime and the Internet (pp. 29- 43). London and New York: Routledge, Taylor and Francis Group.

Hallam-Baker, P. (2008). The dotCrime manifesto : how to stop Internet crime. Upper Saddle River, NJ: Addison-Wesley.

Hansen, L., & Nissenbaum, H. (2009). Digital Disaster, Cyber Security, and the Copenhagen School. International Studies Quarterly, 53(4), 1155-1175.

171

Hawley, A. H. (1950). Human ecology; a theory of community structure. New York,: Ronald Press Co.

Herrera, J. R. (2001). International Aspect of Cybercrime. In R. D. Clifford (Ed.), Cybercrime: The Investigation, Prosecution and Defense of a Computer-Related Crime (pp. 165-190). Durham: Carolina Academic Press.

Hill III, G. D. (2003). The trend toward non-real-time attacks. Computer Fraud & Security, 2003(11), 5-11.

Hindelang, M. J., Gottfredson, M. R., & Garofalo, J. (1978). Victims of Personal Crime: An Empirical Foundation for a Theory of Personal Victimization. Cambrdige, MA: Balliger Publishing Company.

Holt, T. J., & Bossler, A. M. (2009). Examining the Applicability of Lifestyle-Routine Activities Theory for Cybercrime Victimization. Deviant Behavior, 30, 1-25.

Holtfreter, K., Reisig, M. D., & Pratt, T. C. (2008). Low Self-Control, Routine Activities, and Fraud Victimization. Criminology, 46, 189-220.

Hooper, D., Coughlan, J., & Mullen, M. (2008). Structural Equation Modelling: Guidelines for Determining Model Fit The Electronic Journal of Business Research Methods 6(1), 53-60.

Hu, L.-T., & Bentler, P. M. (1999). Cutoff criteria for fit indexes in covariance structure analysis: Conventional criteria versus new alternatives. Structural Equation Modeling: A Multidisciplinary Journal, 6(1), 1 - 55.

Hu, Q., & Dinev, T. (2005). Is spyware an Internet nuisance or public menace? Commun. ACM, 48(8), 61-66.

Huey, L. (2002). Policing the abstract: Some observations on policing cyberspace. [Article]. Canadian Journal of Criminology, 44, 243-254.

Huey, L., & Rosenberg, R. S. (2004). Watching the Web: Thoughts on Expanding Police Surveillance Opportunities under the Cyber-Crime Convention. Canadian Journal of Criminology & Criminal Justice, 46(5), 597-606.

Hunter, L. E. (2005). Stopping spyware. [S.l.] :: Addison Wesley.

Joiner, R., Gavin, J., Duffield, J., Brosnan, M., Crook, C., Durndell, A., et al. (2005). Gender, Internet identification, and Internet anxiety: correlates of Internet use. Cyberpsychology & Behavior: The Impact Of The Internet, Multimedia And Virtual Reality On Behavior And Society, 8(4), 371-378.

172

Keane, C. (1998). Evaluating the Influence of Fear of Crime as an Environmental Mobility Restrictor on Women's Routine Activities. Environment and Behavior, 30(1), 60-74.

Kline, R. B. (2005). Principles and practice of structural equation modeling (2nd ed.). New York: Guilford Press.

Koksal, T. (2009). The effect of police organization on computer crime Kent State University, Kent, Ohio.

Kowalski, M. (2002). Cyber-Crime: Issues, Data Sources, and Feasibility of Collecting Police-Reported Statistics. In S. C. C. C. f. J. Statistics (Eds.)pp. 31). Available from http://dsp-psd.pwgsc.gc.ca/Collection/Statcan/85-558-X/85-558- XIE2002001.pdf

Kozlovski, N. (2007). Designing Accountable Online Policing. In J. M. Balkin, J. Grimmelman, E. Katz, N. Kozlovski, S. Wagman & T. Zarky (Eds.), Cybercrime : Digital Cops in a Networked Environment (pp. 107-134). New York: New York University Press.

Lauritsen, J. L. (2001). The Social Ecology of Violent Victimization: Individual and Contextual Effects in the NCVS. Journal of Quantitative Criminology, 17, 3.

Lauritsen, J. L. (2005). Social and Scientific Influences on the Measurement of Criminal Victimization. Journal of Quantitative Criminology, 21, 245-266.

Levi, M. (2001). "Between the risk and the reality falls the shadow:" Evidence and urban legends in computer fraud (with appologies to T.S. Eliot). In D. S. Wall (Ed.), Crime and the Internet (pp. 44-58). London and New York: Routledge, Taylor & Francis Group.

Liska, A. E., Sanchirico, A., & Reed, M. D. (1988). Fear of Crime and Constrained Behavior Specifying and Estimating a Reciprocal Effects Model. Social Forces, 66(3), 827-837.

Liska, A. E., & Warner, B. D. (1991). Functions of Crime: A Paradoxical Process. The American Journal of Sociology, 96(6), 1441-1463.

Long, J. S. (1997). Regression Models for Categorical and Limited Dependent Variables (Vol. 7 of Advanced Quantitative Techniques in the Social Sciences Series). Thousand Oaks, CA: SAGE Publications.

Margetts, H. Z. (2009). The Internet and Public Policy. Policy&Internet, 1(1), 91-111.

173

McGraw, D. K. (1995). Sexual Harassment in Cyberspace: The Problem of Unwelcome E-mail. Rutgers Computer and Technology Law Journal, 491.

Melde, C. (2009). Lifestyle, Rational Choice, and Adolescent Fear: A Test of a Risk- Assessment Framework. Criminology, 47, 781-812.

Mendez, F. (2005). The European Union and cybercrime: insights from comparative federalism. Journal of European Public Policy, 12(3), 509 - 527.

Messner, S. F., & Blau, J. R. (1987). Routine Leisure Activities and Rates of Crime: A Macro-Level Analysis. Social Forces, 65(4), 1035-1052.

Messner, S. F., Zhou, L., Lening, Z., & Jianhong, L. (2007). Risks of Criminal Victimization in Contemporary Urban China: An Application of Lifestyle/Routine Activities Theory. JQ: Justice Quarterly, 24, 496-522.

Miethe, T. D., & Meier, R. F. (1990). Opportunity, Choice, and Criminal Victimization: A Test of a Theoretical Model. Journal of Research in Crime & Delinquency, 27, 243-266.

Miethe, T. D., & Meier, R. F. (1994). Crime and its social context : toward an integrated theory of offenders, victims, and situations. Albany: State University of New York Press.

Miethe, T. D., Stafford, M. C., & Long, J. S. (1987). Social Differentiation in Criminal Victimization: A Test of Routine Activities/Lifestyle Theories. American Sociological Review, 52(2), 184-194.

Miethe, T. D., Stafford, M. C., & Sloane, D. (1990). Lifestyle changes and risks of criminal victimization. Journal of Quantitative Criminology, 6(4), 357 - 376.

Ming-Wei, W., Yi-Min, W., Sy-Yen, K., & Yennun, H. (2007). Self-Healing Spyware: Detection, and Remediation. IEEE Transactions on Reliability, 56, 588-596.

Moitra, S. D. (2005). Developing Policies for Cybercrime: Some Empirical Issues. European Journal of Crime, Criminal Law and Criminal Justice, 13(3), 435-464.

Montana, J. C. (2000). Viruses and the Law: Why the Law is Ineffective. Information Management Journal, 34(4), 57.

Mossberger, K., Tolbert, C. J., & Stansbury, M. (2003). Virtual Inequality: Beyond the Digital Divide. Washington, D.C.: Georgetown University Press.

174

Mustaine, E. E., & Tewksbury, R. (1998). Predicting Risks of Larceny Theft Victimization: A Routine Activity Analysis Using Refined Lifestyle Measures. Criminology, 36, 829-857.

Muthén, L. K., & Muthén, B. O. (2007). Mplus User's Guide: Statistical Analysis with Latent Variable. Los Angeles, CA: Muthén & Muthén.

Myers, L. J., & Myers, L. B. (2002). Preparing for high technology crime: An educational assessment of criminal justice and criminology academic programs. Journal of Criminal Justice Education, 13(2), 251 - 271.

Nasheri, H. (2005). Economic espionage and industrial spying. Cambridge, UK ; New York: Cambridge University Press.

National Research Council (2009). Assesing the Impacts of Changes in the Information Technology R&D Ecosytems. Washington, DC: The National Academies Press.

National White Collar Crime Center, & Federal Bureau of Investigation (2001). IC3 2003 Internet Fraud Report: January 1, 2001 - December 31, 2001 Available from http://www.ic3.gov/media/annualreport/2001_IFCCReport.pdf

National White Collar Crime Center, & Federal Bureau of Investigation (2009). 2009 Internet Crime Report Available from http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf

Newman, G. R., & Clarke, R. V. G. (2003). Superhighway robbery : preventing e- commerce crime. Cullompton: Willan.

Newman, G. R., Clarke, R. V. G., & Shoham, S. G. (1997). Rational Choice and Situational Crime Prevention : Theoretical Foundations. Brookfield, USA: Dartmouth ; Ashgate.

Obama, B. H. (2009). Cyberspace Policy Review.

Pease, K. (2001). Crime futures and foresight: Challenging criminal behavior in the information age. In D. S. Wall (Ed.), Crime and the Internet (pp. 18-28). London and New York: Routledge, Taylor & Francis Group.

Pfleeger, C. P., & Pfleeger, S. L. (2003). Security in Computing (3 ed.). Upper Saddle River: Prentice Hall PTR.

Rader, N. E. (2004). The Threat of Victimization: A Theoretical Reconceptualization of Fear of Crime. Sociological Spectrum, 24, 689-704.

175

Rader, N. E., May, D. C., & Goodrum, S. (2007). An Empirical Assessment Of the "Threat of Victimization:" Considering Fear Of Crime, Perceived Risk, Avoidance, And Defensive Behaviors. Sociological Spectrum, 27, 475-505.

Rontree, P. W. (1998). A Reexamination of the Crime-Fear Linkage. Journal of Research in Crime and Delinquency, 35(3), 341-372.

Rountree, P. W., & Land, K. C. (1996). Perceived Risk versus Fear of Crime: Empirical Evidence of Conceptually Distinct Reactions in Survey Data. Social Forces, 74(4), 1353-1376.

Sampson, R. J., & Wooldredge, J. D. (1987). Linking the micro- and macro-level dimensions of lifestyle-routine activity and opportunity models of predatory victimization. Journal of Quantitative Criminology, 3(4), 371 - 393.

Schumacker, R. E., & Lomax, R. G. (2004). A beginner's guide to structural equation modeling (2nd ed.). Mahwah, N.J.: Lawrence Erlbaum Associates.

Shaw, C. R., & McKay, H. D. (1942). Juvenile Delinquency and Urban Areas. In F. T. Cullen & R. Agnew (Eds.), Criminological Theory: Past to Present (2 ed., pp. 104-110). Los Angeles: Roxbury Publishing Company.

Shukla, S., & Nah, F. F.-H. (2005). Web browsing and spyware intrusion. Commun. ACM, 48(8), 85-90.

Skinner, W. F., & Fream, A. M. (1997). A Social Learning Theory Analysis of Computer Crime Among College Students. Journal of Research in Crime & Delinquency, 34(4), 495-518.

Skoudis, E., & Zeltser, L. (2004). Malware : fighting malicious code. Upper Saddle River, NJ: Prentice Hall PTR.

Speer, D. L. (2000). Redefining borders: The challenges of cybercrime. Crime, Law and Social Change, 34(3), 259-273.

Stalder, F. (1998). The Logic of Networks:Social Landscapes vis-a-vis the Space of Flows. Retrieved from http://www.ctheory.net/articles.aspx?id=263

Sun, L. (2007). Who Can Fix the Spyware Problem? Berkeley Technology Law Journal, 22, 554-575.

Thompson, R. (2005). Why spyware poses multiple threats to security. Commun. ACM, 48(8), 41-43.

176

Walden, I. (2004). Harmonising Computer Crime Laws in Europe. [Article]. European Journal of Crime, Criminal Law & Criminal Justice, 12, 321-336.

Walker, A. (2006). Absolute beginner's guide to security, spam, spyware and viruses. Indianapolis, Ind.: Que.

Wall, D. S. (2001). Cybercrimes and the Internet. In D. S. Wall (Ed.), Crime and the Internet (pp. 1-17). London and New York: Routledge, Taylor & Francis Group.

Wall, D. S. (2007a). Cybercrime: The Transformation of Crime in the Information Age. Cambridge, UK; Malden, MA USA: Polity Press.

Wall, D. S. (2007b). Policing Cybercrimes: Situating the Public Police in Networks of Security Within Cyberspace. Police Practice and Research, Vol. 8, No. 2, pp. 183-205, 2007.

Wan, T. T. H. (2002). Evidence-based health care management : multivariate modeling approaches. Boston: Kluwer Academic Publishers.

Warr, M., & Stafford, M. (1983). Fear of Victimization - a Look at the Proximate Causes. Social Forces, 61(4), 1033-1043.

Willison, R. A. (2002). Opportunities for Computer Abuse: Assessing a Crime Specific Approach in the Case of Barings Bank. Unpublished Dissertation, London School of Economics and Political Science, London.

Yar, M. (2005). The Novelty of 'Cybercrime:' An Assessment in Light of Routine Activity Theory. European Journal of Criminology, 2(4), 407-427.

Yar, M. (2006). Cybercrime and Society. London, Thousand Oaks and New Delhi: SAGE Publications.

APPENDIX 1: Correlation Table for the Variables used in Chapter 4

Comp. Online Personal Business Number Virus Harass. Use Use of Comp. Educ. Race Gender Marriage Age Computer 1.0000 VirusOnlineHaras .3749 1.0000 s. Personal Use .2368 .2108 1.0000 Business Use .0970 .1204 .1181 1.0000 Number of Comp. .1379 .1670 .4725 .0541 1.0000 Education .2449 .1579 .1759 .1205 .0845 1.0000 Race .0945 .0761 -.0436 .0503 -.1338 .0635 1.0000 Gender .1863 .0548 .0657 -.0293 .0801 -.0115 .0046 1.0000 Marriage .1412 .1344 -.0411 .1209 -.0363 .3661 .1410 .0059 1.0000 Age .0920 .0774 -.1690 .0821 -.2111 .3608 .2106 -.0769 .4486 1.0000

177

APPENDIX 2: Missing Variables for May-June 2005 Spyware Survey

Variables Missing Total Missing/Total Spyware 98 1204 .081395 Adware 74 1204 .061462 Computer Problems Computer Slowing Down 10 1204 .008306 Computer Freezing or Crashing 13 1204 .010797 Home Page Changed 28 1204 .023256 A new program appeared 32 1204 .026578 Risk Perception 21 1204 .017442 Constrained Behavior Stop Downloading Music and 6 1204 .004983 Video Stop Downloading Programs 12 1204 .009967 Stopped opening email 7 1204 .005814 attachments Stopped visiting particular 14 1204 .011628 websites Started reading user agreements 8 1204 .006645 Started using a different internet 22 1204 .018272 web browser Basic Online Activities E-mail 0 1204 0 Online Shopping 1 1204 .000831 Creating Web Blog 5 1204 .004153 Reading Web Blog 13 1204 .010797 Leisure Online Activities Playing online games 1 1204 .000831 Sharing files 1 1204 .000831 Downloading video files 1 1204 .000831 Downloading music files 1 1204 .000831 Downloading programs 3 1204 .002492 Downloading screensavers 5 1204 .004153

178

179

Downloading games 2 1204 .001661 Visiting adult websites 3 1204 .002492

Downloading or sharing adult 4 1204 .003322 content

Computer Literacy Firewall Term 1 1204 .000831 Internet Cookies Term 0 1204 0 Spyware Term 1 1204 .000831 Adware Term 0 1204 0 Phishing Term 3 1204 .002492

Spam Term 3 1204 .002492

Podcasting Term 1 1204 .000831 RSS Feed Term 2 1204 .001661 Firewall Protection 1 1204 .000831 Virus Protection 0 1204 0 Age 30 1204 .024917 Gender 0 1204 0 Race 0 1204 0 Education 19 1204 .015781

APPENDIX 3: Correlation Table for the Variables used in Chapter 5

180

181

Freq. Risk Internet Firewall Cookies Spyware Adware Phishing Spam Podcast. Rssfeed Online Spyware Adware Percept. use Term Term Term Term Term Term Term Term Email Shopping Spyware 1.0000 Adware .5120 1.0000 Risk perception .0010 .0199 1.0000 Freq.Internet use .1687 .1575 -.2140 1.0000 Firewall Term .1725 .1644 -.1823 .2457 1.0000 Cookies Term .2373 .2269 -.2002 .2142 .4659 1.0000 Spyware Term .2755 .2071 -.1834 .1872 .5360 .5079 1.0000 Adware Term .3080 .3623 -.1584 .2432 .3778 .4589 .4356 1.0000 Phishing Term .0930 .0990 -.1329 .1129 .1649 .2306 .1689 .2654 1.0000 Spam Term .1285 .1110 -.1111 .1201 .3854 .2958 .4008 .2448 .1249 1.0000 Podcasting Term .0663 .0657 -.0604 .1037 .1529 .1612 .1184 .2561 .3349 .0844 1.0000 Rssfeed Term .0237 .0589 -.0697 .1114 .0982 .1191 .0974 .2249 .3591 .0201 .5120 1.0000 Email .1091 .0433 -.1109 .1272 .1754 .1956 .1639 .0911 .0668 .1220 .0337 -.0011 1.0000 Online Shopping .1177 .1307 -.0570 .2335 .3187 .3026 .2090 .1903 .0675 .2033 .0186 -.0202 .1838 1.0000 Playing Game .1108 .1103 -.0047 .0588 .0301 .0311 .0048 .0290 .0219 - .0196 .0395 .0161 -.0236 -.0540 Sharing Files .0701 .1028 -.0727 .1143 .1196 .1042 .0967 .0941 .0374 .0427 .0093 .0296 .0881 .1060 Dwnld.Video Files .1371 .1946 -.0896 .1262 .1118 .1063 .1000 .1495 .1091 .0377 .1314 .0534 .0462 .1029 Dwnld.Music Files .1996 .1777 -.0846 .1416 .1448 .1161 .1302 .1679 .0928 .0528 .0781 .0629 .0410 .1503 Dwnld.Programs .1719 .2107 -.1336 .2727 .2339 .1969 .1971 .2171 .1115 .0716 .1045 .0965 .0470 .2076 Dwnld.Screensaver .0470 .0848 .0224 .0073 -.0001 .0287 .0363 -.0018 -.0374 -.0163 -.0253 -.0648 .0077 .0412 Dwnld.Game .1398 .1361 -.0964 .1269 .321 .0482 .0410 .0795 .0368 -.0319 .0474 .0342 -.0045 .0106 Creating Blog .0472 .0885 -.0808 .1338 .0504 .0748 .0326 .0723 .0732 -.0005 .0672 .0666 .0377 .0696 Reading Blog .0725 .0815 -.0700 .1851 .1302 .1517 .0725 .1385 .1180 .0540 .0859 .0213 .1024 .1465 Visit.Adult. Web. .1586 .1390 -.0659 0553 .0884 .1174 .0942 .1254 .0387 .0355 .0458 .0879 .0356 .0019 Dwnld.Adult.Cont. .0476 .0954 -.0572 .1057 .0696 .0685 .0788 .0940 .0387 .0160 .0552 .0555 .0439 .0869 Comp.Slow.Down .2490 .2337 .2120 -.0340 -.0213 -.0368 .0115 .0329 -.0460 .0385 -.0449 -.0325 .0156 .0534 Comp Crashing .1830 .1647 .2309 -.0295 - .0314 -.0556 .0186 -.0052 -.0573 .0256 -.0386 -.0383 -.0379 .0574 Homepage Chang. .2293 .2835 .1198 .0309 .0855 .0534 .0863 .1050 .0001 .0377 .0242 -.0164 .0600 .0966 New prog.inst. .3217 .2712 .1826 .0270 .0150 .0529 .0742 .1212 .0212 .0682 .0489 -.0046 .0523 .0687 Firewall Protect .1766 .1848 -.1868 .2452 .3377 .2209 .2513 .2541 .1193 .1580 .0375 .0504 .0910 .1442 Virus Protect. .1822 .1817 -.1764 .2323 .1801 .1969 .2037 .2144 .1096 .1750 .0146 .0470 .0645 .0732 Age -.2129 -.1533 .0410 .0002 -.0993 -.1113 -.1423 -.1374 .0116 -.0110 -.0263 -.0640 -.0163 -.0892 Education .0181 .0526 -.0481 .1359 .1591 .1275 .1373 .0761 .1255 .0720 .0694 -.0040 .1304 .2008 Race -.0122 -.0488 -.0916 .0904 .1043 .0811 .1161 .0539 .0153 .0966 -.0243 -.0592 .0243 .1216 Gender .1037 .0602 -.1033 .0661 .0854 .1200 .0831 .1342 .1511 .0372 .0736 .0981 -.0357 .0138

181

182

Dwnld. Dwnld. Visit. Dwnld. Comp. Playing Sharing Video Music Dwnld. Dwnld. Dwnld. Creating Reading Adult. Adult. Slow. Comp Homepage Game Files Files Files Program Scrsvr. Game Blog Blog Web Site Content Down Crashing Chang. Playing Game 1.0000 Sharing Files .1033 1.0000 Dwnld.Video Files .1903 .2304 1.0000 Dwnld.Music Files .1958 .2381 .4091 1.0000

Dwnld.Programs .1163 .0796 .2284 .2374 1.0000 Dwnld.Screensaver .2024 .1132 .1229 .1227 .1576 1.0000 Dwnld.Game .4527 .1192 .2649 .2103 .2629 .2509 1.0000 Creating Blog .0640 .1675 .1134 .1019 .0885 .0262 .0744 1.0000 Reading Blog .0667 .1129 .1538 .1019 .2167 .0762 .0759 .3319 1.0000 Visit.Adult. Web. .1300 .0834 .1837 .1694 .1433 .0390 .1575 .1219 .1768 1.0000 Dwnld.Adult.Cont. .1292 .1277 .1749 .1699 .1449 .1052 .1616 .1830 .1361 .3311 1.0000 Comp.Slow.Down .0728 .0725 .0230 .0738 .0174 .0741 .0463 .0451 .0285 .0623 .0452 1.0000 Comp Crashing .0482 .0657 .0130 .0736 .0570 .0614 .0303 .0246 .0560 .0301 -.0221 .4917 1.0000 Homepage Chang. .0735 .0555 .0886 .1578 .0861 .0106 .0456 .0692 .0297 .0499 .0746 .2602 .2728 1.0000 New prog.inst. .1070 .0925 .1024 .0978 .0204 .0439 .0434 .0349 .0559 .0680 .0952 .3343 .2738 .3867 Firewall Protect .0101 .0677 .1075 .1338 .1605 .0071 .0282 .0659 .0843 .0449 .0266 -.0339 -.0630 .0560 Virus Protect. .0178 .0720 .0208 .0386 .1616 .0332 .0321 .0417 .0995 .0455 .0535 .0005 .0219 .0388 Age -.1685 -.1651 -.2180 -.2949 -.1058 -.0390 -.1078 -.0871 -.0544 -.1520 -.0801 -.0734 -.0636 -.0994 Education -.1674 -.0086 -.0178 -.0267 .1291 -.0556 -.1446 .0359 .1084 .0101 -.0195 -.0440 -.0196 -.0273 Race -.1184 -.0363 -.0493 -.0099 .0297 -.0850 -.0627 -.0570 -.0232 -.0265 -.0477 -.0769 -.1107 -.0493 Gender -.0257 -.0401 .1449 .1420 .1845 -.0188 .0511 .0699 .0478 .2531 .0526 -.0500 -.0424 -.0023

New Firewall Virus prog.inst. Protect Protect. Age Education Race Gender New prog.inst. 1.0000 Firewall Protect .0386 1.0000 Virus Protect. .0623 .2782 1.0000 Age -.1055 -.0442 -.0171 1.0000 Education -.0150 .0610 .0401 .0960 1.0000 Race -.0874 .0108 .0489 .1355 .0300 1.0000 Gender .0117 .1348 .0678 -.0015 -.0069 .0100 1.0000 182

182

APPENDIX4: SEM Analysis Results for the Indicators of Measurement Models

Indicator SRE URE P Slowing Down Computer .676 1.000 Problems (.000) Freezing or Computer .609 .838 .00* Crashing Problems (.105) Home Page Computer .768 1.306 .00* Changed Problems (.227) A new .784 1.378 .00* program Computer (.237) appeared Problems ↔Freezing .495 0.495 .00* Slowing Down or Crashing (.056) Stop Down.  Constrained .810 1.000 Mus. & Vid. Behavior (.000) Stop Down.  Constrained .796 .952 .00* Programs Behavior (.207) Stop opening  Constrained .543 .468 .00* attachments Behavior (.133) Stop visiting  Constrained .609 .556 .00* websites Behavior (.157) Reading  Constrained .326 .250 .00* agreements Behavior (.080) Stop Down. ↔ Stop Down .106 0.106 0.522 Mus. & Vid Programs (.206) Email  Basic .353 1.000 Activities (.000) Online  Basic .443 1.310 .001* Shopping Activities (.378) Creating Web  Basic .395 1.140 .005* Blog Activities (.403) Reading Web  Basic .396 1.144 .00* Blog Activities (.347)

183

184

Playing Online  Leisure .428 1.000 Games Activities (.000) Sharing Files  Leisure .457 1.085 .00* Activities (.214) Downloading  Leisure .770 2.552 .00* Video Files Activities (.474) Downloading  Leisure .766 2.514 .00* Music Files Activities (.465) Downloading  Leisure .593 1.555 .00* Programs Activities (.287) Downloading  Leisure .560 1.427 .00* Games Activities (.226) Visiting Adult  Leisure .497 1.208 .00* Websites Activities (.262) Downloading ↔ Playing .623 .623 .00* Games Online Games (.048) Firewall Term  Computer .739 1.000 Literacy (.000) Internet  Computer .764 1.079 .00* Cookies Term Literacy (.134) Spyware Term  Computer .888 1.761 .00* Literacy (.304) Adware Term  Computer .764 1.081 .00* Literacy (.136) Phishing Term  Computer .666 .337 .00* Literacy (.061) Spam Term  Computer .347 .814 .00* Literacy (.125)