Empirical Analyses of Effects and Perceptions of Cybercrime

This work investigates three related topics involving some of the consequences or perceptions of cybercrime. These consequences and perceptions have important policy

implications, ranging from potentially billions of dollars in societal costs that depend on credit card reissue decisions to the perceived fairness of sentences imposed on people convicted of cybercrimes. I analyze these consequences and perceptions using a combination of legal, empirical economic, and criminological analyses. First, this work analyzes at the economics of credit card reissue after a data breach. Using a parameterized estimation model based on publicly-available information, it compares the cost of

reissuing cards to the total expected cost of fraud if cards are not reissued. The model suggests that automatically reissuing cards may have lower social costs than the costs of waiting until fraud is attempted, although the range of results is considerably broad. The results also show how a

lack of quality public information about data breach and identity theft can make informed public policy decisions more difficult. Second, it explores a potential misalignment between the factors that contribute to cybercrime sentences and the importance of those factors in public perceptions. It presents the results of two empirical studies that measure public perceptions of different factual attributes of

cybercrime. The studies show that Computer Fraud and Abuse Act (CFAA) sentences are indeed out of alignment with the public’s views and provide empirical support for arguments that CFAA sentencing is miscategorized in the federal sentencing guidelines. Third, it addresses the question of whether CFAA subsection (a)(2), covering

unauthorized access to a computer to obtain information, should be considered a trespass, burglary, or fraud statute. It does this through an analysis of case records and sentencing data from 1,095 real-world CFAA sentences, and an experimental study of perceptions of 499 participants on Amazon Mechanical Turk. The results of both studies suggest that (a)(2) is not like trespass or fraud, at least in terms of current punishments or perceptions, and lend support to arguments that CFAA sentencing should be covered under its own section of the sentencing guidelines.