What, Really, Is Cybercrime?

We talk a lot about cybercrime but what, really, is it?

The rubric included above comes from a May 2025 report from the (US) National Academies of Sciences, Engineering, and Medicine. You can find the report here. 

You should care about this rubric for three main reasons. There is a bonus reason we will also discuss.

First, cybercriminal gangs, much like anyone or like position players on a sports team, have specialties and they get better at their specialties. For example, gangs specializing in identity theft are not the people who are engaging in acts against people such as cyberbullying. Reporting incidents to the authorities should be done along the lines of this rubric, and reporting incidents should also use this rubric, so that security specialists know how to prepare.

Second and related, you should care because you can organize your security processes and mitigation plans in terms of these types of risks: acts targeting machines or systems, acts targeting property, acts targeting people, and acts incidentally employing technology to create a physical trap for people who are then harmed by criminals. Different risks require different mitigation strategies.

Finally, note that cybercrime in this rubric follows a continuum of lesser to greater degrees of technology assistance. This parallels our discussions at Pythia about cyber risks not being isolated to (e.g.) ransomware, but instead including system risks more generally defined.

There is a bonus reason to care about this rubric. Exactly nowhere in this report is there a discussion of attacks via artificial intelligence (AI). The best thinking available on this topics at the National Academies, a well-respected and thoughtful organization of world-renowned experts, was not able to pin down the role of AI in cybercrime. Maybe it's more in one quadrant, maybe another. The lesson is that AI-based cyber risks is so emergent and ill-defined that it defies off-the-shelf solutions -- much as we at Pythia have been saying all along. Another way to put it is what worked for you in the past is not going to work for you in the future. You need a robust, verifiable, white box process that can defeat the AI cyberthreat.

Ask us how we can get you on the path to effective white box cybersecurity.