Bridging Information Security and Environmental Criminology Research to Better Mitigate Cybercrime

Cybercrime is a complex phenomenon that spans both technical and human aspects. As such, two disjoint areas have been studying the problem from separate angles: the information security community and the environmental criminology one. Despite the large body of work produced by these communities in the past years, the two research efforts have largely remained disjoint, with researchers on one side not benefitting from the advancements proposed by the other. In this paper, we argue that it would be beneficial for the information security community to look at the theories and systematic frameworks developed in environmental criminology to develop better mitigations against cybercrime. To this end, we provide an overview of the research from environmental criminology and how it has been applied to cybercrime. We then survey some of the research proposed in the information security domain, drawing explicit parallels between the proposed mitigations and environmental criminology theories, and presenting some examples of new mitigations against cybercrime. Finally, we discuss the concept of cyberplaces and propose a framework in order to define them. We discuss this as a potential research direction, taking into account both fields of research, in the hope of broadening interdisciplinary efforts in cybercrime research.

💡 Research Summary

**
The paper “Bridging Information Security and Environmental Criminology Research to Better Mitigate Cybercrime” argues that the information‑security community and the environmental‑criminology community have been working on cybercrime from largely separate perspectives, and that a systematic integration of the two can yield more effective prevention strategies.

First, the authors review the evolution of environmental criminology (EC), highlighting its focus on “place” and “time” as the primary determinants of crime. They trace the field from early crime‑mapping work (Guerry, Quetelet) through the development of core theories such as Crime Prevention Through Environmental Design (CPTED), Routine Activity Theory, Situational Crime Prevention, Crime Pattern Theory, and Rational Choice Theory. EC treats crime as a function of immediate environmental conditions rather than offender traits, emphasizing the manipulation of those conditions to reduce opportunity.

Next, the paper maps these EC concepts onto the cyber domain. “Guardians” become firewalls, authentication mechanisms, intrusion‑detection systems, and continuous monitoring; “targets” are high‑value data, accounts, or services; “motivated offenders” are represented by threat actors; and “suitable places” correspond to vulnerable servers, poorly configured APIs, or popular platforms. The authors argue that this mapping allows EC’s systematic toolbox—particularly the 3R framework of Situational Crime Prevention (Removal, Reduction, and Replacement)—to be applied to malware distribution, botnet command‑and‑control, and phishing campaigns. They propose a concrete framework that (1) identifies critical nodes in an attack infrastructure, (2) removes or hardens those nodes, (3) reduces the attractiveness of remaining nodes, and (4) replaces vulnerable pathways with secure alternatives.

A central contribution is the introduction of the “cyberplace” concept. The authors define a cyberplace as a tuple of location (IP address, domain, cloud region), state (security posture, known vulnerabilities, patch level), and function (service type, user interaction model). This three‑dimensional model enables risk profiling of digital assets, analogous to hotspot analysis in physical crime. By classifying cyberplaces according to these dimensions, defenders can prioritize high‑risk locations for EC‑inspired interventions such as “digital CPTED” (e.g., reducing visibility of sensitive endpoints, enforcing single‑point entry controls, increasing “natural surveillance” through logging and analytics).

The paper also addresses common criticisms of EC—namely, the risk of crime displacement and the claim that EC ignores root causes. The authors cite empirical studies showing that displacement is not inevitable and that overall crime reductions are typical. They further argue that the immediate environmental factors EC targets are themselves root causes of many cyber incidents, thus reframing EC as a complementary, not a replacement, to broader social‑policy approaches.

Finally, the authors outline a research agenda for interdisciplinary collaboration: (1) develop shared ontologies and data repositories for cyberplace attributes; (2) create joint simulation environments (e.g., agent‑based models) to test EC‑derived interventions in cyberspace; (3) establish metrics for evaluating displacement, diffusion, and overall crime reduction; and (4) foster collaborative funding streams that bring together security engineers, criminologists, urban planners, and policy makers.

In summary, the paper makes four key contributions: (1) a comprehensive review of EC theory and its prior applications to cybercrime; (2) a systematic mapping of EC mitigation techniques onto information‑security practice, including novel situational‑crime‑prevention frameworks; (3) the formal definition of “cyberplace” as a three‑dimensional construct for risk assessment; and (4) a concrete interdisciplinary roadmap to integrate EC’s systematic, place‑based thinking into the technical arsenal of cyber‑defense. By doing so, it promises to move cybercrime prevention beyond purely technical fixes toward a more holistic, environment‑aware paradigm.