The need for a comprehensive methodology for profiling cyber-criminals


By Hemamali Tennakoon


“The infectiousness of crime is like that of the plague.” - Napoleon Bonaparte



Crimes in the Physical World vs. the Digital World


Society, crime, and punishment are some of the universal concepts in human history dating back to the middle ages and even further. From then until now, the meaning of crime and criminal behaviour has changed dramatically. Theories defining criminal behaviour are abundant. For instance, ‘Conflict Theory’ sees criminal behaviour as the result of a clash between social classes or conflicts arising due to power distance. According to the concept of deterrence, behavioural deviance is the result of fear of punishment, risk and uncertainty. Interestingly, the theory of Social Control suggests that nonconformity to social ethics and legal standards is an indication of lack of social control. Regardless of what the theorist say, it is apparent that we, as a global society have failed in a number of ways when it comes to controlling certain aspects of crime. Thanks to the mass media, these days we are bombarded with tidings of crimes committed in the physical world. However, the growth of ICT, information systems, interconnectivity and the Internet has revealed a new world of crime, those that are committed in the digital world. Various techniques are used to combat physical world crime and criminal profiling is one such tool. However, the applicability of such criminological techniques to deal with e-crimes is a challenge, not only because of the environment in which they occur but also because of other factors such as anonymity on the Web, geographic and legal barriers. Yet, this article is an attempt to penetrate through those barriers to discuss the possibility of applying criminal profiling techniques to the digital world.


The challenges in profiling cyber criminals

In dealing with crimes in the physical world, forensic psychologist use inductive or deductive profiling to make an educated guess of the characteristics of criminals. Inductive criminal profiles are developed by studying statistical data involving known behavioural patterns and demographic characteristics shared by criminals. Deductive profiling uses a range of data including forensic evidence, crime scene evidence, victimology, offender characteristics etc, using such techniques seems possible in the physical world. However, in the cyber-world, their applicability might be questionable. This may explain why profiling cyber-criminals has been given little attention by practitioners as well as academics where some call it “a promising but immature science” (Bednarz, 2004). Unlike in the physical world, one might require not only the knowledge about psychology, criminology and law but also understand the technological aspects associated with the ‘scene of crime’ when developing cyber-criminal profiles. It is evident that an interdisciplinary approach should be taken when dealing with such an issue. Unfortunately, the nature of cyber-crimes is such that most often than not, many cyber-crimes go either unreported, or unnoticed. Moreover, the afore-mentioned issues of anonymity, tractability, law and geography makes it difficult to gather any information about cyber-crimes and criminals, resulting in crimes that go unpunished. Still, certain parallels can be drawn between cyber- crimes and non-cyber-crimes. Based on these, one might attempt to develop a profile that might be of some use to the law enforcement.


Application of existing tools to profile cyber criminals


Out of inductive and deductive profiling methods mentioned before, let us take the latter first. Based on the application of current deductive profiling techniques, the author suggests a four-step process to developing a cyber-criminal profile. The first stage involves the victim. Today, both individuals and organizations are victimised by cyber-crimes for various purposes. Understanding what aspect of the individual or the organisation attracted the criminals to them is a useful first step, a process also known as ‘victimology’. This stage is closely associated with and leads to the next step, identification of a motive. The victimology may help understand the motive behind the crime. In terms of cyber-crimes, they may include the following:


1. Crimes committed for monitory purposes (e.g. hacking a company data base to steal information that can be sold to third parties)


2. Crimes committed due to emotional reasons (e.g. cyber-stalking)


3. Crimes driven by sexual impulses (e.g. paedophiles)


4. Politically motivated crimes (e.g. cyber-terrorists)


5. Crimes those are less dangerous in nature such as sharing copyrighted movies, software by individuals (Source: Shinder, 2010)


The victimology and motives brings us to the third stage, the identification of characteristics of the offender. Several cyber-crime researchers have introduced topologies and ways of classifying cyber criminals [see Rogers, 2006; Johnson, 2005; Jahankhani & Al-Nemrat, n.d) based on their motives. However, as the technological environment changes, so does the criminal behaviour, requiring reclassifications and modifications of the existing schemes. Further, research indicates that crime is an addiction where in the cyber world; the addiction is to computers and the Internet (Nykodym et al., 2008). It is further argued that such addictions, aided by opportunity i.e. the availability, access to computers, the Internet and fuelled by motives, could lead to the making of a cyber-offender. Such understanding may be useful in analysing “the course of events that lead to the crime scene, the modus operandi (MO)” (Preuß et al., 2007) of cyber-criminals, another aspect reflective of their character. For example, one criminal may choose to attack a server by hacking into a computer system to steal information while another may use a virus attached to an e-mail to destroy information. This indicates that the level of technical expertise is also important in understanding the cyber-criminal behaviour. One may need a higher level of technical efficacy to penetrate a highly secure network while a ‘script kiddie’ might simply use a program developed by others to attack a system. Nevertheless, one should not be misled by the complexity of the technical aspects alone. The human element is often disregarded in computer crimes and according to the former hacker Kevin D. Mitnick, one should never under-estimate the social engineering skills of some of the professional cyber-criminals. Even a criminal with average technical skills may commit a crime by simply employing techniques of friendly persuasion and subtle psychological manipulations. It is evident that a number of factors determine the MO of a cyber-offender including motive, technical and social skills.


Moving onto the fourth stage of the deductive cyber-profiling, it could involve the analysis of digital forensic evidence. It is a comfort to know that today, the field of digital forensics is rapidly advancing, a sign of encouragement to the cyber-criminal profiler. The importance of digital forensics is apparent since it is the only means of tracing the perpetrator in the absence of physical evidence. According to Preuß et al. (2007) “not every criminal is traceable and three out of twelve manage to modify or remove the audit trail” wiping off their digital footprints. The suggested four stage approach is essentially an iterative process [see Figure 1] because new information about the victim, the motive, the offender combined with forensic evidence could come to the surface throughout the course of an investigation.


Referring back to the inductive profiling techniques, they can be combined with the deductive method described above to yield better results. For instance, statistical analysis data pertaining to cyber –security breaches could be used to identify trends in attacks such as the type of victims that are more likely to be targeted, most popular mode of attack or motive for attack etc,. This might help identify cases with similar MO or even identify serial offenders.


The future of cyber-criminal profiling

Nykodym et al. (2005) point out that “the idea that an individual committing crime in cyberspace can fit a certain outline (a profile) may seem farfetched, but evidence suggests that certain distinguishing characteristics do regularly exist in cyber criminals”. Therefore, the possibility of using the tools and techniques discussed here might be worth testing in a practical scenario. Considering the exponential increase in the cyber-crimes that has been taking place lately, collaboration between practitioners and academic is needed. Such endeavours may help the law enforcement to “collect legally valid evidences from cyber- crimes so that appropriate actions can be taken against cyber criminals (Kwan et al. 2008).





Bednarz, A. (2004) Profiling cybercriminals: A promising but immature science. [online] [accessed: 26/04/2011]


Jahankhani, H. and Al-Nemrat, A. (n.d.) 'Examination of Cyber-criminal Behaviour', International Journal of Information Science and Management. [online] [accessed: 26/04/2011]


Johnson, T. A., (2005). Forensic Crime Investigation. USA, CRC Press


Kwan, L., Ray, P. and Stephens, G. (2008) Towards a Methodology for Profiling Cyber Criminals. IEEE Computer Society. Proceedings of the 41st Hawaii International Conference on System Sciences


Nykodym, N., Ariss, S. and Kurtz, K. (2008) 'Computer addiction and cyber crime', Journal of Leadership, Accountability and Ethics, 35 pp. 55-59.


Nykodym, N., Taylor, R. and Vilela, J. (2005) 'Criminal profiling and insider cyber crime', Computer Law & Security Report, 21 (5), pp. 408-414.


Preuß, J., Furnell, S. M. and Papadaki, M. (2007) 'Considering the potential of criminal profiling to combat hacking', Journal in Computer Virology, 3 (2), pp. 135-141.

Rogers, M. K. (2006) 'A two-dimensional circumplex approach to the development of a hacker taxonomy', Digital Investigation, 3 (2), pp. 97-102.


Shinder, D. (2010) Profiling and categorizing cybercriminals. [online] [accessed: 26/04/2011]




please REGISTER to leave a comment.



Warning: Creating default object from empty value in /www/htdocs/w00bd6c3/modules/mod_archive/helper.php on line 47

Warning: Creating default object from empty value in /www/htdocs/w00bd6c3/modules/mod_archive/helper.php on line 47

Warning: Creating default object from empty value in /www/htdocs/w00bd6c3/modules/mod_archive/helper.php on line 47

Warning: Creating default object from empty value in /www/htdocs/w00bd6c3/modules/mod_archive/helper.php on line 47

Warning: Creating default object from empty value in /www/htdocs/w00bd6c3/modules/mod_archive/helper.php on line 47

Warning: Creating default object from empty value in /www/htdocs/w00bd6c3/modules/mod_archive/helper.php on line 47

Warning: Creating default object from empty value in /www/htdocs/w00bd6c3/modules/mod_archive/helper.php on line 47

Warning: Creating default object from empty value in /www/htdocs/w00bd6c3/modules/mod_archive/helper.php on line 47

Warning: Creating default object from empty value in /www/htdocs/w00bd6c3/modules/mod_archive/helper.php on line 47