Once Bitten,Twice Shy? Understanding Repeat and Multiple Victimization in Business Cybercrime

Abstract

This study examines repeat victimization (RV) and multiple victimization (MV) in business cybercrime using data from the 2024 UK Cyber Security Breaches Survey (CSBS). Drawing on Routine Activity Theory, particularly its VIVA framework (value, inertia, visibility, accessibility) and capable guardianship, it investigates how organizational characteristics, routine activities, and cybersecurity practices influence victimization risks. The study applies multinomial logit, bivariate probit, and hurdle negative binomial models. Results show that RV and MV risk is not evenly distributed among victimized businesses, and that the predictors associated with initial or single victimization differ from those predicting RV and MV. The findings highlight the limitations of one-size-fits-all prevention strategies and call for more tailored, stage-specific prevention responses.

Keywords

organizational victimization polyvictimization cyber-victimization fraud digital security

Introduction

Cybercrime is a critical concern for businesses of all sizes and sectors. It involves both cyber-dependent crimes (e.g., hacking, malware), which require digital technologies for execution, and cyber-enabled crimes (e.g., online fraud, identity theft), which use digital tools to expand traditional offenses (McGuire & Dowling, 2013). As organizations increasingly rely on digital systems, their potential exposure to cyber-attacks grows. According to the Cyber Security Breaches Survey 2025, 43% of randomly sampled UK businesses reported experiencing at least one cyber-attack in the past year, such as phishing, hacking, and malware (DSIT, 2025). Despite growing awareness and investment in cybersecurity, many organizations, particularly charities and small and medium-sized enterprises (SMEs), often lack resources and expertise to adopt protective practices (Chaudhary et al., 2023). As a result, the effectiveness of these measures in preventing repeat victimization (RV) and multiple victimization (MV) remains underexplored.

RV refers to victims experiencing repeated incidents of the same type, while MV refers to victims experiencing different types of crime within a specific timeframe (Tseloni & Pease, 2003). These concepts have been central to criminological research since the 1990s, particularly in violent and property crimes (Farrell, 1992; Farrell et al., 2005). Although analytically distinct, prior research has shown that RV and MV often co-occur, with repeat victims for one crime type also facing higher risks to other types of victimization (Gottfredson, 1984; Hope et al., 2001). However, there is a notable gap in understanding their dynamics and patterns in business cybercrime (Pease et al., 2018). The 2024 Cyber Security Breaches Survey found that 59% of victimized businesses reported three or more cyber-attacks, highlighting a small group of companies suffering a high number of cyber-attacks (DSIT, 2024). The intensive study of cybercrime through a repeat victimization lens is overdue (Pease et al., 2018).

Criminological research has historically focused on individual victimization, while studies on business cybercrime are still scarce, largely due to the lack of reliable and accessible data (Buil-Gil et al., 2024). Drawing on Routine Activity Theory (RAT) (Cohen & Felson, 1979), specifically the VIVA framework (value, inertia, visibility, accessibility) and the concept of capable guardianship, this paper examines how businesses’ online routines and cybersecurity measures affect their likelihood of suffering RV and MV in cybercrime. To the best of our knowledge, this study is the first to explore the prevalence, patterns, and predictors of RV and MV in business cybercrime.

A Routine Activity Theory Perspective on Business Cybercrime

RAT posits that crime is likely (although not guaranteed) to occur when three elements converge in space and time: (1) a potential offender, (2) a suitable target, and (3) the absence of capable guardianship (Cohen & Felson, 1979). RAT has been applied to examine victimization patterns at both individual and community levels and offers practical insights for prevention strategies, as seen in situational crime prevention drawing on RAT (Felson, 2017; Leukfeldt & Yar, 2016).

Applying RAT to cybercrime, Miró-Llinares and Johnson (2017, p. 889) argue “cybercrime can only happen when, through IT, an offender – or the outcome of their actions (e.g., when malware is opened) – converges at a certain place in cyberspace at a given moment with a suitable target in the absence of a guardian capable of preventing the event.” Although RAT is applicable in cyberspace, some elements, particularly the notion of guardianship, are complicated by the volatility and lack of fixed and ordered routines in cyberspace, its 24/7 connectivity, and the ease with which offenders move across digital spaces (Yar, 2005). In cyberspace, the temporal convergence does not always occur simultaneously. For example, pre-planted malware may trigger later, enabling asynchronous victimization and expanding crime opportunities. The convergence in RAT remains possible in cyberspace and may even be more probable than in offline environments (Miró-Llinares & Moneva, 2020; Reyns et al., 2011).

VIVA

While RAT comprises three core elements, the potential offender component is often not directly observable in empirical survey-based research and is therefore treated often as an unmeasured, constant background condition. Accordingly, RAT-based cybercrime research has focused primarily on two elements: capable guardianship and target suitability. Cohen and Felson (1979) conceptualized target suitability through four characteristics captured in the acronym VIVA: value, inertia, visibility, and accessibility, which together shape targets’ attractiveness and vulnerability to offenders.

Value

Target value reflects its material or symbolic desirability to offenders (Cohen & Felson, 1979). Yar (2005, p. 419) discussed how “most cybercrime targets are informational in nature, given that all entities that exist and move in cyberspace are forms of digital code.” Unlike traditional theft, cyber offenses in business contexts typically target informational assets that can be exploited for financial gain through acts such as data ransom or the misuse of confidential information (Buil-Gil et al., 2021). High-revenue UK firms with incomes exceeding £5 million are more likely to be targeted by cyber-attacks than those with smaller incomes (Buil-Gil et al., 2021). Similarly, firms storing confidential data face greater risk of cyber insider business cybercrime victimization (Williams et al., 2019).

Inertia

The original concept of “inertia” refers to physical traits of a target, such as weight or size, that affect how easily it can be removed (Cohen & Felson, 1979). As targets in cyberspace are “weightless,” this concept shifts. Yar (2005) proposed an inverse relationship between inertia and target suitability, which remains applicable to the nature of informational goods online. Factors such as technological specifications of systems, cybersecurity protocols, and encryption can be understood as forms of inertia within businesses, increasing the resistance of digital assets to attack and requiring more advanced skills to breach these defenses.

Visibility

Visibility is a key component of target suitability: a target must first be recognized to be victimized, and greater visibility increases victimization risk. In cyberspace, the absence of physical constraints amplifies visibility, exposing targets to a broader pool of offenders (Yar, 2005). For cybercrime, visibility refers to the extent to which individuals’ or businesses’ online activities make them apparent to potential offenders. Individuals with frequent and varied online activities, such as sharing personal information or using SNS, face higher victimization risks (Leukfeldt & Yar, 2016; Näsi et al., 2023). Similarly, businesses engaging in various digital operations, such as having websites and social media, a guest wireless network, or using externally hosted websites, are more likely to be attacked (Buil-Gil et al., 2021).

Accessibility

Accessibility refers to the ability of an offender to approach a target and escape undetected. In cyberspace, it depends on vulnerabilities in browsers and operating systems that offenders can exploit, and on security measures that either enable or restrict unauthorized access. Many web servers use open-source operating systems, which, due to their publicly accessible code, may be more vulnerable to cybercriminals (Leukfeldt & Yar, 2016). Restricting access to specific users or files reduces the accessibility of valuable information (Miró-Llinares & Johnson, 2017). Meanwhile, accessibility may extend beyond direct user permissions and emerge through other pathways, such as the reuse of vulnerable open-source code and insecure supply chains.

Capable Guardianship and Self-protection

Capable guardianship refers to individuals or objects that directly or indirectly prevent crime (Cohen et al., 1980). While formal guardianship by police is acknowledged, RAT emphasizes informal social guardians and controls (Cohen & Felson, 1979). Holt and Bossler (2013) classify three types of digital guardians: social guardianship (the protective influence of others), physical guardianship (technical or environmental prevention measures), and personal guardianship (self-protective behaviors). However, some scholars distinguish guardianship from self-protection, considering the latter as individual target-hardening efforts (Reynald et al., 2018). The current study applies the following forms of self-protection and guardianship.

Technical Self-Protection

Technical self-protection refers to the use of technological tools, such as firewalls and anti-virus software, to prevent business cybercrime. Prior research shows mixed effects: while Choi (2008) found that security software reduced virus victimization, Holt and Bossler (2013) found a positive association with malware infection, and Leukfeldt and Yar (2016) found no significant effects on individual cybercrime victimization. Miró-Llinares and Moneva (2020) emphasized the need to look beyond technical measures.

Personal Self-Protection

Personal self-protection refers to employees’ behaviors and awareness practices that rely on individual decisions rather than solely on technology to prevent cyber-attacks. Individual personal self-protection measures involve using strong passwords, developing computer skills, and maintaining online risk awareness (Holt & Bossler, 2013). Businesses also adopt personal self-protection measures, including offering CS trainings or awareness sessions and conducting mock phishing tests (DSIT, 2024). Personal self-protection serves as a fundamental form of defense in crime prevention, as it requires the awareness of potential risks and consequences of cybercrime and application of basic preventive measures (Bossler & Holt, 2009).

Internal Guardianship

In individual contexts, social guardianship refers to the protective presence or proactive intervention of others (Felson, 1995). Unlike individuals, who can rely on peers or families for social guardianship when socializing online, businesses operate within structured digital environments governed by organizational frameworks. Social guardianship in business contexts can be classified as internal or external guardianship (Buil-Gil et al., 2021). Internal guardianship involves formal CS policies which leverage internal resources, particularly including the presence of personnel assigned specific CS responsibilities (Buil-Gil et al., 2021). Policies may involve regular CS risk assessments, vulnerability audits, or compliance with industry CS standards (DSIT, 2024). While both internal guardianship and personal self-protection operate within businesses, they represent analytically distinct prevention layers: internal guardianship involves the organizational, formal, and role-based measures, while personal self-protection includes the individual-level practices exercised by employees.

External Guardianship

External guardianship in business refers to the use of third-party expertise and resources to manage and mitigate cyber risks. This may involve outsourcing providers or experts to oversee CS operations and conduct vulnerability audits and risk assessments (DSIT, 2024). Buil-Gil et al. (2021) showed that while outsourcing cybersecurity is associated with a higher likelihood of experiencing at least one cyber-attack, it is also associated with a 48% reduction in the overall number of cyber-attacks. This study applies RAT as theoretical framework to explore how VIVA elements and guardianship and self-protection shape patterns of RV and MV.

Business Online Activities, Cybersecurity Measures, and Victimization Risk

Given the lack of research on RV and MV in business cybercrime, it is important to examine how organizational characteristics, digital activities, and CS measures influence victimization risks. Paoli et al. (2018) found that 66% of sampled Belgian businesses suffered cyber-attack at least once within a year. A U.S. study of 50 representative, large firms reported that almost every sampled firm suffered malware and virus attacks (Das & Nayak, 2013). Wanamaker (2019) found that while over 20% sampled Canadian businesses experienced cyber-attacks, only 10% reported them, mainly due to low confidence in the police response.

The prevalence and economic impacts of cybercrime vary across business sizes and sectors. For example, Paoli et al. (2018) found that medium and large Belgium businesses are more frequently targeted by cyber-attacks compared to smaller ones. Das and Nayak (2013) showed that energy and utilities, and financial sectors tend to suffer higher financial losses than businesses in retail, hospitality, and consumer products. Furthermore, small enterprises often face disproportionately severe impacts due to limited resources, sometimes leading to business failure, underscoring the need for targeted national CS support (Das & Nayak, 2013).

Prior research has examined how different CS measures and online activities affect business victimization. Rantala (2008) noted that businesses outsourcing CS to external expertise report detecting more cyber-attacks than those using internal cybersecurity measures. Notably, developing in-house cybersecurity teams is the most promising way to reduce both cyber-attacks and negative impacts (Buil-Gil et al., 2021). Williams et al. (2019) analyzed the Cardiff University UK Business Cybercrime Victimization survey and found that businesses with a security manager are associated with a higher likelihood of detecting insider attacks. Common technical measures, including anti-virus software and firewalls, are insufficient to prevent cyber-attacks (Leukfeldt & Yar, 2016). Furthermore, firms that store confidential data are more likely to suffer cyber-attacks compared to others (Buil-Gil et al., 2021; Williams et al., 2019).

From Offline to Online: Evolving Patterns of Repeat and Multiple Victimization

Early research on RV and MV shows that victimization does not occur by chance or at random and that a small proportion of victims tend to suffer a disproportionately large share of total crimes (Farrell et al., 2005; Farrell & Pease, 1993). Furthermore, Hope et al. (2001) showed that prior victimization increases the likelihood of subsequent victimization both within and across crime types, therefore RV and MV are often interdependent phenomena. Both RV and MV are commonly conceptualized as specific types of recurrent victimization, a broader victimization term referring to the experiences of more than one victimization within a given time (Krushas et al., 2025). Farrell (1992), analyzing the British Crime Survey (now known as the Crime Survey for England and Wales), found that 14% of the population accounted for 70% of recorded incidents. Similar patterns have been observed across violent and property crime (Farrell & Pease, 2007; Hope & Trickett, 2008). Moreover, the severity of crime experienced by repeat victims is disproportionately high, with the most “harmed” 10% of the population accounting for 45% of total crime-related impacts (Ignatans & Pease, 2015).

While RV has been extensively studied, MV, also often termed poly-victimization, remains less developed (Tompson et al., 2026). MV research remains concentrated primarily on offline, interpersonal crimes targeting children and young adults, such as emotional abuse, sexual harassment, and family violence (Le et al., 2015, 2018; Snyder et al., 2021). Hamby et al. (2018), analyzing a sample of adolescents and adults, found that the cumulative burden of suffering MV is more strongly associated with negative psychological outcomes than any single type. Snyder et al. (2021), using survey data from US female college students, found that MV is not randomly distributed, and that those who experienced poly-victimization showed distinct lifestyle characteristics and routine activities relating to alcohol consumption and sexual relationships compared to those with single or no victimization.

In the cybercrime context, research on RV and MV remains limited but is growing. Correia (2020) found that 4% of victims accounted for 8% of fraud and computer misuse incidents, suggesting that RV is less concentrated than offline crime, but targeted prevention remains beneficial. Moneva (2022) showed that in case of website defacement, offenders often exploit common technical vulnerabilities across sites rather than re-attacking the same target, implying that technical weaknesses, not specific entities, drive target selection. Näsi et al. (2023), using the 2018 Finnish National Crime Survey and applying RAT, found that higher internet use and computer skills increase MV risk, while strong user protections (e.g., strong passwords) reduce it. Moreover, given the lack of geographic constraints in cyberspace, offenders can target many potential victims simultaneously (Pease et al., 2018). Meanwhile, businesses may “self-select” into higher-risk profiles through organizational behaviors.

To date, while RV and MV patterns are well-established in offline crimes, and increasingly in individual cybercrime, no study has systematically examined them in business contexts. This study addresses this gap by analyzing their prevalence and patterns in business cybercrime.

Data and Methods

Cyber Security Breaches Survey 2024

Weisel (2005) demonstrated three primary sources showing the global prevalence of RV: victim surveys, offender interviews, and police records. Given the limitations of the latter two due to underreporting and low apprehension rates, the Cyber Security Breaches Survey (CSBS) offers a comprehensive and reliable alternative. This study draws on data from the 2024 edition of the CSBS, an annual survey conducted by UK’s Department for Science, Innovation and Technology (DSIT). The CSBS provides nationally representative data on cybercrime and cyber-facilitated frauds affecting UK businesses, charities, and educational institutions, along with the cybersecurity measures they adopt.

The 2024 CSBS used stratified random sampling, with proportionate stratification by region and disproportionate stratification by business size and sector to ensure sufficient representation of medium and large organizations. Sole traders, public-sector organizations, and offline businesses were excluded. Post-survey weights were applied using Random Iterative Method to correct for sampling and non-response biases, producing a nationally representative dataset of the UK business sector. As the CSBS does not include the stratum identifiers required for fully design-based variance estimation, reported standard errors are model-based. The sample included 2,000 businesses, 1,004 charities, and 430 educational institutions, but this study focuses solely on business data.

Dependent Variables

The CSBS 2024 adopts a hierarchical questionnaire design aligned with Home Office Counting Rules, ensuring each cyber-attack is counted once and classified by the principal crime, defined as the most serious offense when multiple crimes occur within a single incident or interlinked events (DSIT, 2024). This is particularly important in cybercrime, where attacks often unfold through stages (e.g., phishing leading to malware, then unauthorized access or fraud). Within this framework, RV captures the recurrence of the same principal cyber-attack type, while MV captures the exposure to different principal cyber-attack types within a given period. Specifically, MV reflects the breadth of victimization exposure experienced by businesses, which may result from separate attack events or from interrelated and sequential attack processes. This conceptualization is consistent with traditional RV and MV research, while extending these from offline, individual-level victimization to business cybercrime. To avoid overcounting, the CSBS follows a fixed order when recording cyber-attacks: starting with cyber-facilitated fraud that occurs because of cybercrime, ransomware, unauthorized access, account takeovers, denial-of-service (DoS) attacks, malware, and finally phishing. Only phishing or malware not linked to earlier stages are recorded separately.

We examine three dependent variables: (DV1) the likelihood of suffering at least one successful cyber-attack over the past 12 months, (DV2) the likelihood of suffering repeat successful cyber- attacks over the past 12 months, and (DV3) the number of distinct types of successful cyber-attacks over the past 12 months. DV1 identified victimized businesses, DV2 captures RV, and DV3 reflects MV. Of 2,000 businesses, 1,026 provided valid cyber-attack data. Among them, 299 reported at least one cyber-attack, while 727 reported none. Of the victimized firms, 187 businesses reported a single cyber-attack, and 112 suffered repeat cyber-attacks. The distribution of DV3 is highly skewed: 727 businesses reported zero types, 204 reported one type, 51 reported two, 24 reported three, and fewer than five reported six or seven distinct types. Given that phishing is the most common cyber-attack, we conduct a sensitivity analysis excluding it from all dependent variables; results are included in the Supplementary Material.

Predictor Variables

This study examines how businesses’ cybersecurity measures and organizational characteristics and online activities are associated with the likelihood of initial victimization, RV, and MV. Predictors are derived from VIVA elements or guardianship types (including self-protection), and most are coded as binary variables to indicate whether businesses adopt each measure or not. The business size and sector are coded as dummy variables.

To address model multicollinearity, we aggregated conceptually related variables into composite indicators representing broader organizational practices. These constructs are treated as formative indexes, defined by the presence of their component indicators. For example, a new variable “software protection” combines “regular software security updates,” “up-to-date malware protection,” and “firewall” (score 1 if all are present). “Restricting access rights” and “allowing access only via company-owned devices” are aggregated into a new variable “restricting access” (score 1 if both exist). A new variable “cloud and digital services policy” reflects the adoption of both cloud computing and digital services providers policies. “Remote and personal device policy” variable aggregates businesses’ policies for remote working and the use of personally-owned devices (score 1 if both present). A composite measure of self-protective cyber behaviors is constructed, combing four variables: “testing staff CS awareness,” “CS trainings or awareness sessions,” “guidance on strong passwords,” and “processes for reporting fraudulent emails or websites” (score 1 if three or more are present). “Security controls and monitoring” is coded as 1 when both “security controls on company-owned devices” and “monitoring of user activity” measures are in place. As a robustness check, we also re-estimated all models using additive indices in place of the binary composites, and the substantive conclusions remained effectively unchanged. The robustness check results are shown in the Supplementary Material.

We addressed missing data in two steps. First, predictors with NA resulting from survey skip patterns were recoded to 0, representing valid “no” responses due to conditional logic (i.e., follow-up question not asked if businesses responded “no” to a prior question). Then, as only two predictors had less than 2% missingness, a complete case analysis was applied.

Analytical Strategy

This study applies three models, specifically, multinomial logit (ML) model, bivariate probit (BP) model, and hurdle negative binomial (HNB) model. To explore predictors associated with different victimization outcomes, a three-category dependent variable is constructed from DV1 (victimization) and DV2 (repeat victimization): nonvictims, single victims, and repeat victims. The ML model is used as it is suitable to analyze nominal, unordered outcomes with more than two categories (Hosmer et al., 2013). The first two model (ML1 & 2) uses nonvictims as the reference group, estimating the odds of being a single or repeat victim relative to being a nonvictim. The third model (ML3) changes the reference group to single victims, examining the factors that distinguish single from repeat victims.

To address the methodological challenge that RV is only observed among victimized businesses, this study employs a BP model with sample selection to account for potential sample selection bias. The model jointly estimates two correlated binary outcomes: (1) a selection equation (BP1) predicting the likelihood that a business is victimized at least once in the past 12 months, and (2) an outcome equation (BP2) estimating the likelihood of RV among victimized businesses (Greene, 2012). The BP model accounts for potential correlation between unobserved factors influencing initial and repeat victimization. This interdependence is captured by the rho (ρ) coefficient (Greene, 2012), which quantifies the extent to which unmeasured factors affecting the likelihood of initial victimization also affect repeat victimization. Ignoring this interdependence may bias estimates, as repeat victimization (DV2) is only observed among the non-random subset of victimized businesses (DV1). In binary outcome selection models, such as the BP, identification is most straightforwardly achieved by a valid exclusion restriction (e.g., at least one predictor that affects selection but not the outcome) (Sartori, 2003). However, it might be challenging to justify and adopt such method in victimization research, as the same organizational characteristics, routines, and security measures may be expected to influence both initial and repeat victimization. In this context, forcing an exclusion restriction risks misspecification, while including identical predictors in both BP equations can lead to weak identification and unstable estimation, particularly in finite samples (Sartori, 2003).

Therefore, we followed the modeling approach (ML+BP) introduced by Osborn et al. (1996) in offline RV literature. The selection equation (BP1) includes predictors that are statistically significant in ML1, which compares single and repeat victims with non-victims. The outcome equation (BP2) includes predictors that are statistically significant in ML3 for the single versus repeat victim category only. The raw BP model coefficients are interpreted on a latent scale, representing underlying propensity for victimization rather than direct probability changes. To enhance interpretability, we calculate average marginal effects (AMEs) by calculating a marginal effect for every observation and then averaging these effects across the sample (Mize, 2019). AMEs represent the average change in predicted probability of the outcome associated with a one-unit change in each predictor, holding other variables constant (Mize, 2019).

To explore the predictors of MV, HNB model measures the number of distinct types of cyber-attacks suffered by businesses. The model is designed for over-dispersed count data with excess zeros and estimates a two-part process: (1) a binary hurdle component models the probability of any positive count (zero vs. non-zero cyber-attacks) and (2) a count component models the number of events among positive cases (the number of cyber-attack types among victimized businesses) (Hilbe, 2011). This model is well-suited for crime data, where many businesses report no attacks, while those victimized suffer varying types of attacks. The odds ratios for the hurdle part and incidence rate ratios for the count part are reported. All models are estimated using survey weights to ensure representativeness of the UK private-sector business population.

The data used in this study are publicly available via the UK Data Service (http://doi.org/10.5255/UKDA-SN-9285-1), and the analytic code in R software has been made available on GitHub (https://github.com/yijiehe01/business-cybercrime-victimization).

Results

Predicting the Odds of Single and Repeat Cybercrime Victimization

Table 1 presents the results of three ML models comparing business cybercrime victimization status: Model 1 compares single victims (SV) with non-victims (NV); Model 2 compares repeat victims (RV) with NV; and Model 3 distinguishes RV from SV. The models assess how business characteristics and cybersecurity practices relate to different forms of victimization. Considering the cross-sectional design of the CSBS, no causal or temporal ordering between cybersecurity measures and victimization outcomes can be inferred.

Table 1.

Multinomial Logit Models Predicting the Likelihood of Suffering Successful Single and Repeat Cybercrime Victimization Among UK Private-sector Businesses in Last 12 months.

Predictors	ML Model1		ML Model2		ML Model3
	NV vs. SV		NV vs. RV		SV vs. RV
	OR	95% CI	OR	95% CI	OR	95% CI
(Intercept)	0.22***	[0.13, 0.38]	0.09***	[0.04, 0.21]	0.42⁺	[0.16, 1.07]
Value
Business sectors (ref: retail or wholesale)
Administration or real estate	0.62	[0.31, 1.23]	0.28*	[0.09, 0.92]	0.46	[0.13, 1.64]
Construction, hospitality and agriculture	1.24	[0.70, 2.20]	0.44	[0.16, 1.18]	0.36⁺	[0.12, 1.04]
Education, entertainment and health	0.51	[0.23, 1.16]	0.62	[0.21, 1.78]	1.21	[0.35, 4.16]
Finance and professional	0.39*	[0.19, 0.82]	0.18**	[0.05, 0.65]	0.45	[0.11, 1.87]
Info or communication	0.49	[0.19, 1.25]	0.54	[0.16, 1.84]	1.11	[0.26, 4.62]
Transport and utilities	0.60	[0.29, 1.24]	0.49	[0.17, 1.39]	0.82	[0.25, 2.66]
Business sizes (ref: Micro)
Small	1.64*	[1.02, 2.65]	1.87	[0.86, 4.03]	1.14	[0.49, 2.66]
Medium and large	2.55*	[1.04, 6.29]	4.88**	[1.69, 14.06]	1.91	[0.57, 6.36]
Inertia (ref: no)
Storing personal data securely	1.03	[0.65, 1.63]	1.03	[0.49, 2.16]	1.00	[0.44, 2.27]
Removable device storage policy	0.82	[0.46, 1.48]	0.49	[0.20, 1.24]	0.60	[0.22, 1.66]
Visibility (ref: no)
Separate staff-visitor Wi-Fi	0.54**	[0.34, 0.84]	0.97	[0.48, 1.97]	1.81	[0.83, 3.97]
Cloud and digital services policy	1.59	[0.88, 2.87]	0.79	[0.33, 1.90]	0.50	[0.19, 1.32]
Accessibility (ref: no)
Restricting access	0.58**	[0.39, 0.87]	0.40**	[0.21, 0.78]	0.69	[0.33, 1.43]
Remote and personal device policy	0.84	[0.44, 1.61]	1.97	[0.78, 5.00]	2.34	[0.82, 6.66]
VPN for remote working	1.03	[0.66, 1.62]	1.58	[0.75, 3.32]	1.53	[0.67, 3.48]
Two-factor authentication	1.07	[0.69, 1.65]	0.99	[0.47, 2.06]	0.93	[0.41, 2.08]
Technical self-protection (ref: no)
Tools for security monitoring	0.91	[0.58, 1.42]	1.18	[0.57, 2.44]	1.29	[0.58, 2.89]
Software protection	1.60*	[1.03, 2.49]	0.68	[0.32, 1.44]	0.42*	[0.19, 0.97]
Personal self-protection (ref: no)
Self-protective cyber behaviors	1.43	[0.88, 2.33]	1.13	[0.52, 2.44]	0.79	[0.34, 1.85]
Internal guardianship (ref: no)
Board members on cybersecurity	1.19	[0.77, 1.85]	1.70	[0.84, 3.43]	1.42	[0.65, 3.11]
Internal audit	0.60	[0.32, 1.14]	0.56	[0.22, 1.45]	0.93	[0.32, 2.68]
Roles assigned after cyber attacks	1.53⁺	[0.99, 2.38]	1.81	[0.89, 3.68]	1.18	[0.53, 2.59]
Security controls and monitoring	1.00	[0.61, 1.62]	1.35	[0.63, 2.88]	1.35	[0.58, 3.14]
External guardianship (ref: no)
External audit	1.54	[0.88, 2.71]	3.03**	[1.34, 6.87]	1.97	[0.79, 4.90]
Outsourced provider that manages CS McFadden’s R² LRT χ²(50) = 114.42, p < .001	1.02 0.10	[0.68, 1.53]	0.67	[0.34, 1.33]	0.66	[0.31, 1.39]

Note. Weighted estimates. n = 1,008.

significant at 10% level, *sig. 5%, **sig. 1%, ***sig. 0.1%.

Business sector and size play significant roles. Compared to the retail or wholesale sector, firms in the finance and professional services sector are 64% less likely to suffer single victimization and 82% less likely to suffer RV. Firms in the administration or real estate sector are 72% less likely to report suffering repeat victimization than the retail or wholesale sector. Those in construction, hospitality, and agriculture are 64% less likely to experience repeat cyber-attacks rather than single attacks compared to the retail or wholesale sector. Compared with micro firms (2–10 employees), small firms (11–50 employees) are 64% more likely to suffer single cyber-attack, and medium (51–250 employees) and large firms (over 250 employees) show substantially higher odds of experiencing both single and repeat victimization.

Businesses with less online visibility are statistically less likely to report cyber-attacks. For instance, companies with a separate staff-visitor Wi-Fi network are associated with 46% lower odds of reporting single victimization than businesses without. Regarding accessibility, restricting access rights to employees or company-owned devices is associated with lower adds of reported victimization: these businesses are 42% less likely to report single victimization and 60% less likely to experience repeat victimization. For technical self-protection, businesses with software protection are associated with 60% higher odds of reporting a single cyber-attack compared to businesses without software protection. Among those victimized, software protection is associated with 58% lower odds of RV. In contrast, no personal self-protection measures are significantly associated with victimization in any model. Turning to guardianship measures, businesses having roles or responsibilities assigned to specific individuals during or after cyber-attacks are 53% more likely to report single attacks than companies without such incident plans. Similarly, businesses conducting external audits have three times higher odds of reporting repeat cyber-attacks compared to those without external audits.

Table 2 presents the BP model results estimating the likelihood of initial (BP1) and repeat (BP2) victimization. To improve readability, Table 2 reports only predictors retained in the BP model. Variables not selected into the BP equations following the ML models are not shown. First, restricting access rights to employees or devices is associated with 8.6 percentage point decrease in the predicted probability of initial victimization. Firms conducting external cybersecurity audits are 12.4 percentage points more likely to report suffering initial victimization. Second, companies with roles assigned to specific individuals post-incident are 7.6 percentage points more likely to report initial victimization. Meanwhile, business size matters: small businesses are 5.7 percentage points more likely, and medium or large businesses are 21.7 percentage points more likely to be initially victimized. Businesses in finance and professional services are 8.5 points less likely to be victimized. For repeat victimization (BP2), among businesses that have already suffered an initial cyber-attack, businesses in construction, hospitality and agriculture are 11.5 percentage points less likely to experience RV. The rho (ρ) coefficient is negative and significant (ρ = −0.51), indicating that unobserved factors increasing the likelihood of initial victimization are associated with lower likelihood of repeat victimization, and vice versa.

Table 2.

Bivariate Probit Model Results Predicting the Likelihood of Reporting Suffering Successful Initial and Repeat Cybercrime Victimization Among UK Businesses in Last 12 Months.

Predictors	Initial victimization equation BP1		Repeat victimization equation BP2
Predictors	Estimates	SE	Estimates	SE
(Intercept)	−0.79***	0.09	0.67***	0.13
Value
Business sectors (ref: retail or wholesale)
Administration or real estate	−0.037	0.031	n/a	n/a
Construction, hospitality and agriculture	n/a	n/a	−0.115*	0.051
Finance and professional	−0.085**	0.028	n/a	n/a
Business sizes (ref: Micro)
Small	0.057*	0.026	n/a	n/a
Medium and large	0.217***	0.045	n/a	n/a
Visibility (ref: no)
Separate staff-visitor Wi-Fi	−0.050	0.034	n/a	n/a
Accessibility (ref: no)
Restricting access	−0.086**	0.031	n/a	n/a
Technical self-protection (ref: no)
Software protection	0.037	0.037	−0.082	0.068
Internal guardianship (ref: no)
Roles assigned after cyber incidents	0.076*	0.034	n/a	n/a
External guardianship (ref: no)
External audit	0.124*	0.051	n/a	n/a
Rho LRT χ²(1) = 64.77, p < .001	−0.51***

Note. Weighted estimates. n = 1,008.

*significant at 5% level, **sig. 1%, ***sig. 0.1%.

Predicting the Number of Distinct Types of Cybersecurity Attacks

Table 3 presents the results from the HNB model examining predictors of MV in business cybercrime. The model comprises two components: (1) a binary part estimating the likelihood of experiencing at least one type of cyber-attack, and (2) a count part predicting the number of distinct attack types among victimized businesses.

Table 3.

Hurdle Negative Binomial Regression Model to Predict the Number of Distinct Types of Successful Cybercrime Victimization Among UK Businesses in the Last 12 Months.

Predictors	Binary		Count
Predictors	OR	95% CI	IRR	95% CI
(Intercept)	0.32***	[0.20, 0.52]	1.71	[0.87, 3.36]
Value
Business sectors (ref: retail or wholesale)
Administration or real estate	0.51*	[0.27, 0.94]	0.39⁺	[0.15, 1.03]
Construction, hospitality and agriculture	0.99	[0.59, 1.67]	0.71	[0.39, 1.30]
Education, entertainment and health	0.57	[0.29, 1.13]	0.30*	[0.10, 0.89]
Finance and professional	0.32***	[0.17, 0.33]	0.06*	[0.01, 0.57]
Info or communication	0.54	[0.25, 1.17]	1.21	[0.44, 3.31]
Transport and utilities	0.56⁺	[0.30, 1.07]	0.80	[0.38, 1.67]
Business sizes (ref: Micro)
Small	1.68*	[1.09, 2.57]	1.20	[0.65, 2.23]
Medium and large	3.32**	[1.56, 7.05]	1.25	[0.45, 3.53]
Inertia (ref: no)
Storing personal data securely	1.03	[0.69, 1.55]	0.96	[0.52, 1.79]
Removable device storage policy	0.72	[0.43, 1.22]	0.96	[0.49, 1.87]
Visibility (ref: no)
Separate staff-visitor Wi-Fi	0.63*	[0.42, 0.93]	0.78	[0.42, 1.45]
Cloud and digital services policy	1.29	[0.77, 2.17]	1.03	[0.49, 2.90]
Accessibility (ref: no)
Restricting access	0.54***	[0.37, 0.77]	0.66	[0.38, 1.14]
Remote and personal device policy	1.08	[0.61, 1.90]	2.03⁺	[0.91, 4.54]
VPN for remote working	1.16	[0.77, 1.73]	0.84	[0.48, 1.49]
Two-factor authentication	1.04	[0.70, 1.54]	1.21	[0.73, 1.90]
Technical self-protection (ref: no)
Tools for security monitoring	0.99	[0.66, 1.47]	0.69	[0.42, 1.13]
Software protection	1.30	[0.87, 1.94]	0.86	[0.49, 1.49]
Personal self-protection (ref: no)
Self-protective cyber behaviors	1.34	[0.87, 2.07]	0.92	[0.47, 1.80]
Internal guardianship (ref: no)
Board members on cybersecurity	1.31	[0.88, 1.94]	0.90	[0.50, 1.63]
Internal audit	0.59⁺	[0.34, 1.04]	1.09	[0.52, 2.29]
Roles assigned after cyber incidents	1.60*	[1.08, 2.36]	0.67	[0.41, 1.10]
Security controls and monitoring	1.08	[0.70, 1.66]	1.33	[0.70, 2.54]
External guardianship (ref: no)
External audit	1.86*	[1.13, 3.04]	0.96	[0.52, 1.78]
Outsourced provider that manages CS McFadden’s R² LRT χ²(50) = 120.07, p < .001	0.94 0.09	[0.65, 1.35]	1.05	[0.64, 1.73]

Note. Weighted estimates. n = 1,008.

significant at 10% level, *sig. 5%, **sig. 1%, ***sig. 0.1%.

In the binary component, businesses restricting access to employees or company-owned devices are 46% less likely to report any cyber-attack. Second, businesses offering separate staff-visitor Wi-Fi are 37% less likely to suffer any victimization. Businesses that reporting assigning cybersecurity roles to specific individuals after cyber-attacks are associated with a 60% increase in likelihood of reporting victimization. Firms conducting internal audits are 41% less likely to report cyber-attacks, while those undergoing external audits are 86% more likely to report at least one cyber-attack. Sectoral differences remain pronounced. Businesses in finance and professional services are 68% less likely, those in administration or real Estate are 49% less likely, and those in transport and utilities sector are 44% less likely to experience any type of cyber-attack compared to retail and wholesale sector. In terms of size, small firms are 68% more likely to suffer any cyber-attack, and medium or large firms are 3.3 times more likely to be attacked than micro firms.

Turning to the count component, three sectoral predictors are statistically significant. Businesses in education, entertainment and health, administration or real estate, and finance and professional services sector are all less likely to report multiple victimization compared with those in retail and wholesale sectors. Notably, no significant predictors in the binary stage remain significant in the count stage. However, businesses with remote working or personally-owned device policies are associated with nearly twice the number of distinct cyber-attack types compared to those without.

Model Diagnostics

Diagnostics checks were conducted to ensure model validity. For ML models, multicollinearity was assessed using Variance Inflation Factors (VIFs). All VIF values were below the conventional threshold of 5, with the highest VIF being 4.71 for the variable “storing personal data securely,” indicating no serious multicollinearity. For the BP model, its significant correlation coefficient (ρ = −0.51, p < .001) confirmed the presence of selection bias and validates the use of a joint estimation framework. For the HNB model, its estimated dispersion parameter theta (θ = 2.49) confirms overdispersion, supporting the use of the negative binomial distribution over the Poisson. While the Hurdle Poisson (HP) model showed a slightly lower BIC (1598.29 vs. 1601.38), the HNB model showed better fit according to AIC (1340.85 vs. 1342.67) and log-likelihood (–617.42 vs. –619.34), supporting the choice of the HNB model.

Discussion

This study addresses a notable gap in criminological research by investigating repeat and multiple victimization in the context of business cybercrime, using the 2024 CSBS data. While prior research has primarily focused on individual-level offline or online RV and MV, this study applies RAT, incorporating the VIVA framework and capable guardianship, to explore how organizational routines and cybersecurity measures shape the risks of single, repeat, and multiple cyber-attacks in UK private-sector businesses.

Following Osborn et al. (1996), we used a two-stage approach to analyze RV: a ML model identified predictors of non-, single, and repeat victimization; then a BP model estimated the likelihood of single and repeat victimization, accounting for their unobserved correlation. The significant and negative rho coefficient confirms the statistical dependence between initial and repeat victimization, justifying the use of the BP model. Osborn et al. (1996) interpreted a significant negative rho as evidence that unexpectedly victimized households may become more cautious, thus reducing their risk of further victimization. Our finding extends this to business cybercrime, suggesting that businesses may similarly change their online activities and adopt protective measures after an initial attack. Tura et al. (2026) further support the use of the BP model for analyzing RV. Finally, while the two-stage modeling approach improves parsimony and finite-sample stability, the predictor selection for the BP model based on the ML results may introduce some post-selection bias. Future research using longitudinal or purpose-designed data may be better positioned to identify defensible exclusion restrictions.

To examine MV, we applied a HNB model to account for over-dispersed count data. While relatively understudied in criminological research, hurdle models are well-suited for modeling zero-inflated victimization count data as they separately estimate the factors associated with the likelihood of experiencing any victimization and the frequency of cyber-attacks among victims (Hope & Trickett, 2008). Tura et al. (2026) suggest that negative binomial regression is one of the most appropriate approaches for count-based victimization outcomes. Methodologically, this study advances business cybercrime research by jointly modeling RV as a state-dependent process and MV as a count-based outcome, demonstrating how RV and MV capture analytically distinct but complementary dimensions of victimization risk.

Prior research has shown that business size and sector are significant predictors of cybercrime victimization (Williams et al., 2019). Our analysis extends this by showing that these organizational characteristics also shape the risk of repeat and multiple victimization. In the BP model, firms in the finance and professional services sectors are less likely to experience initial victimization, indicating lower baseline risk. The HNB model reinforces this pattern, showing that the administration or real estate and finance and professional services sectors have lower odds of any attack and report fewer distinct types of cyber-attacks compared to the retail or wholesale sector. While this may seem counter-intuitive given their high informational and financial value, these sectors typically engage in less visible online activities and adopt stronger protective strategies (Buil-Gil et al., 2021). For instance, 52.6% of firms in administration or real estate report adopting self-protective cyber behaviors, compared to 44.4% of the sample overall, and 57.7% of finance and professional services firms have board members responsible for cybersecurity, compared to 45.3% overall.

Other sectors also show differences across stages of victimization. In the BP model, firms in construction, hospitality, and agriculture are significantly less likely to suffer RV once initially attacked, suggesting that victimization risk is not static across sectors but can shift between stages. In the HNB model, firms in education, entertainment, and health are less likely to experience MV once targeted, despite not having a reduced likelihood of initial attacks. This suggests that while initial exposure or baseline risks are not reduced, these sectors may be less susceptible to diverse forms of cyber-attacks, possibly due to the lower target value or sector-specific online routines that constrain attack diversity. In contrast, the retail or wholesale sector, used as the reference group, emerges as consistently high-risk for both RV and MV, possibly reflecting their greater visibility and accessibility through frequent online transactions, customer data storage, and public-facing systems.

In terms of business size, both the BP and HNB models show that small, medium, and large firms face significantly higher risks of initial victimization than micro firms. This mirrors the 2025 CSBS (DSIT, 2025), where 52% of large firms reported cyber-attacks compared to 18% of micro firms. However, business size does not significantly predict the number of distinct types of cyber-attacks once victimized, suggesting that while larger firms are more often targeted initially, likely due to higher perceived value and visibility, they are not necessarily more susceptible to varied attack types once victimized.

The presence of separate staff-visitor Wi-Fi networks, a visibility-reducing measure, shows consistent patterns across models. In the ML and HNB models, this practice is associated with a lower likelihood of single or initial victimization, suggesting that businesses with such measure may effectively lower their exposure or accessibility to cyber offenders. Accessibility-related measures, such as access restriction, also show consistent effects across models. In ML, BP, and HNB models, restricting access is linked to lower odds of initial, single, and repeat cyber victimization. These findings are consistent with RAT, indicating that reduced accessibility is associated with lower cyber-attack risks. Additionally, while having remote or mobile working policies and policies on the use of personally-owned devices are not significantly associated with initial victimization, they are positively linked to a higher number of distinct cyber-attack types among victimized businesses. This may reflect increased vulnerabilities introduced by bring-your-own-device (BYOD) and remote environments, which, once breached, can expose businesses to a broader range of attack types. While such policies support operational flexibility, the higher risk of diverse attacks observed suggests a trade-off between convenience and cybersecurity resilience.

The use of software protection, as a technical self-protection measure, reveals a stage-dependent relationship with cybercrime victimization. In the ML model, businesses with software protections are more likely to report a single cyber-attack than those without, which may reflect greater cybersecurity awareness or enhanced detection capability. However, among businesses that have already experienced one cyber-attack, those with software protection are less likely to be re-victimized. One hypothesis consistent with this pattern is that software protection is more prevalent among businesses already exposed to cyber risks and may reduce subsequent RV, which requires examination using longitudinal designs.

In terms of internal guardianship, businesses assigning specific roles to individuals following cyber-attacks are associated with a higher likelihood of reporting single or initial cyber-attacks in ML and BP models. This indicates that such role assignments may be more prevalent among victimized businesses and thus correlated with heightened cyber risk awareness. As the cross-sectional design does not allow examining the temporal ordering of cyber-attacks, the findings highlight the importance of distinguishing between proactive (pre-incident) measures and reactive (post-incident) measures in the future as their timing and purpose can produce divergent effects on victimization risk. Additionally, businesses conducting internal audits are less likely to experience any type of cyber-attack in HNB model, which may suggest stronger capacity to detect and address internal vulnerabilities.

Meanwhile, the presence of external audits is consistently associated with higher odds of cybercrime victimization across models. One plausible hypothesis is that the use of external audits is adopted reactively following cyber incidents to assess damage or restore compliance, or by businesses operating in high-value or highly regulated sectors. Alternatively, businesses that proactively conduct external audits might have greater capacity to detect, document, and report cyber-attacks, which could inflate reported victimization rates without reflecting true underlying higher risk. However, the timing of adoption relative to victimization cannot be established in a cross-sectional study. Therefore, future longitudinal research is needed to disentangle the causal relationships between cybersecurity measures and victimization risk.

Conclusion

In summary, this research is the first to study RV and MV in the context of business cybercrime. Drawing on RAT, the analysis was guided by the theory-driven expectations that businesses’ risks to cyber-attacks would vary with target suitability and capable guardianship. The results indicate that several RAT-derived indicators are associated with the likelihood of experiencing an initial or single cyber-attack, but their explanatory power largely disappears when modeling RV and MV among victimized businesses. The consistent null effects observed for certain RAT elements, such as inertia and personal self-protection measures, are theoretically informative for understanding the scope of RAT in business cybercrime. One explanation is that RAT is comparatively better suited to explaining baseline opportunity and initial exposure than post-victimization dynamics; once a cyber-attack has occurred, subsequent risk may be shaped by state-dependent processes (e.g., organizational recovery practices, changes in routines) that are not captured by standard RAT constructs, particularly in measurement of cross-sectional survey. A complementary explanation is that as the CSBS was not designed to operationalize criminological theory, available indicators may only partially reflect key organizational-level constructs. Taken together, the findings suggest that RAT remains a valuable framework for identifying conditions associated with initial exposure in business cybercrime, but explaining RV and MV likely requires theoretical extensions that explicitly incorporate temporal ordering and post-incident changes across victimization stages.

Practically, these findings highlight the need to differentiate between victimization stages when developing cybersecurity policy and guidance. Current UK national cybersecurity frameworks, such as the Cyber Essentials Scheme and the 10 Steps to Cyber Security, aim to reduce baseline cyber risk across all businesses, regardless of prior victimization experience (Kemp, 2023). However, our results indicate that cyber risk is not evenly distributed, even among those already victimized. Businesses that suffer RV and MV may face distinct, post-incident vulnerabilities that are not adequately addressed by one-size-fits-all strategies, and this underscores the need for more tailored and targeted prevention measures. For example, for first-time victimized firms, post-incident guidance could prioritize rapid incident recording, recovery, and adoptions of baseline CS practices. For repeat victimized firms, guidance may shift the focus from general CS practices to offense-specific hardening. For instance, repeat phishing victims may benefit most from role-based training for high-risk employees (e.g., finance, HR, or customer support) with strengthened email authentication and filtering; while repeat malware or unauthorized access victims may require technical hardening, including stricter privileged access controls and enhanced monitoring. By contrast, multiple victims across cyber-attack types could signal broader and cross-domain weaknesses in overall cybersecurity profiles and capability, suggesting the need for a targeted post-incident CS risk assessment. Future empirical longitudinal research is therefore needed to further examine and illuminate which specific cybersecurity strategies or organizational characteristics most effectively reduce or increase the risk of RV and MV in business cybercrime.

Supplemental Material

sj-docx-1-cad-10.1177_00111287261440151 – Supplemental material for Once Bitten, Twice Shy? Understanding Repeat and Multiple Victimization in Business Cybercrime

Supplemental material, sj-docx-1-cad-10.1177_00111287261440151 for Once Bitten, Twice Shy? Understanding Repeat and Multiple Victimization in Business Cybercrime by Yijie He, David Buil-Gil, Jon Davies and Emma Barrett in Crime & Delinquency

Footnotes

Acknowledgements

The authors would like to thank Nico Trajtenberg for his valuable comments that greatly improved the manuscript.

ORCID iDs

Yijie He

Jon Davies

Ethical Considerations

Following University of Manchester guidelines, ethical approval was not required for this study, as it involved secondary analysis of publicly available, anonymized survey data.

Informed Consent

Informed consent was not required because the study used publicly available, anonymized data.

Funding

The authors received no financial support for the research, authorship, and/or publication of this article.

Declaration of Conflicting Interests

The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Data Availability Statement

The data used in this study are publicly available via the UK Data Service ().

Supplemental Material

Supplemental material for this article is available online.

Author Biographies

Yijie He is a PhD student in Criminology at the School of Social Sciences at the University of Manchester. Her research focuses on cybercrime victimization in business contexts, with particular attention to how organizations experience, respond to, and mitigate digital threats.

David Buil-Gil is a Senior Lecturer in Quantitative Criminology and Research Director in the Department of Criminology at the University of Manchester. He is also Director of CrimRxiv, the global open access hub for criminology. His research focuses on the study of communities and crime, comparative criminology, and quantitative research methods.

Jon Davies is a Senior Lecturer in Criminology in the Department of Criminology at the University of Manchester. His research focuses on white-collar, corporate, and organisational crime, with particular interest in labor exploitation and modern slavery, fraud, regulation, and governance.

Emma Barrett is a Professor of Psychology, Security and Trust in the Department of Criminology at the University of Manchester. Between 2019 and 2023, she was Director of the Security, Privacy, Identity and Trust NetworkPlus (SPRITE+) funded by EPSRC. Her research interests include the harmful use of new and emerging technologies, betrayal, deception, and investigative sense-making and decision-making.

References

Bossler

A. M.

Holt

T. J.

(2009). On-line activities, guardianship, and malware infection: An Examination of routine activities theory. International Journal of Cyber Criminology, 3(1), 400–420.

Buil-Gil

Lord

Barrett

(2021). The dynamics of business, cybersecurity and cyber-victimization: Foregrounding the internal Guardian in prevention. Victims & Offenders, 16(3), 286–315. https://doi.org/10.1080/15564886.2020.1814468

Buil-Gil

Trajtenberg

Aebi

., (2024). Measuring Cybercrime and Cyberdeviance in Surveys. In Graham

R. S.

Humer

S. G.

Lee

C. S.

Nagy

(Eds.), The Routledge International Handbook of Online Deviance (pp. 44-72). Routledge. https://doi.org/10.4324/9781003277675-4

Chaudhary

Gkioulos

Katsikas

(2023). A quest for research and knowledge gaps in cybersecurity awareness for small and medium-sized enterprises. Computer Science Review, 50, Article 100592. https://doi.org/10.1016/j.cosrev.2023.100592

Choi

K.-S.

(2008). Computer crime victimization and integrated theory: An empirical assessment. International Journal of Cyber Criminology, 2(1), 308–333.

Cohen

L. E.

Felson

(1979). Social change and crime rate trends: A routine activity approach. American Sociological Review, 44(4), 588–608. https://doi.org/10.2307/2094589

Cohen

L. E.

Felson

Land

K. C.

(1980). Property crime rates in the United States: A Macrodynamic Analysis, 1947–1977; With EX Ante Forecasts for the Mid-1980s. American Journal of Sociology, 86(1), 90–118.

Correia

S. G.

(2020, November 16–19). Patterns of online repeat victimisation and implications for crime prevention [Conference session]. 2020 APWG Symposium on Electronic Crime Research (eCrime), Boston, United States (pp. 1–11). IEEE. https://doi.org/10.1109/eCrime51433.2020.9493258

Das

Nayak

(2013). Impact of cyber crime: Issues and challenges. International Journal of Engineering Sciences & Emerging Technologies, 6(2), 142–153.

10.

Department for Science, Innovation and Technology. (2024). Cyber security breaches survey 2024. GOV.UK.

11.

Department for Science, Innovation and Technology. (2025). Cyber security breaches survey 2025. GOV.UK.

12.

Farrell

(1992). Multiple victimisation: Its extent and significance. International Review of Victimology, 2(2), 85–102. https://doi.org/10.1177/026975809200200201

13.

Farrell

Pease

(1993). Once bitten, twice bitten: Repeat victimisation and its implications for crime prevention (Crime Prevention Unit Series Paper No. 46). Home Office Police Research Group.

14.

Farrell

Pease

(2007). The sting in the tail of the British Crime Survey: Multiple victimisations. In Hough

Maxfield

(Eds.), Surveying crime in the 21st century (Vol. 22, pp. 33–54). Criminal Justice Press.

15.

Farrell

Tseloni

Mailley

Tilley

(2005). Repeat victimization in the ICVS and the NCVS. Crime Prevention and Community Safety, 7, 7–18. https://doi.org/10.1057/palgrave.cpcs.8140221

16.

Felson

(1995). Those who discourage crime. Crime and Place, 4(3), 53-66.

17.

Felson

(2017). The routine activity approach. In Wortley

Townsley

(Eds.), Environmental criminology and crime analysis (2nd ed., pp. 87–98). Routledge.

18.

Gottfredson

M. R.

(1984). Victims of crime: The dimensions of risk (Home Office Research Study No. 81). Home Office.

19.

Greene

W. H.

(2012). Econometric analysis (7th ed.). Pearson Education.

20.

Hamby

Blount

Smith

Jones

Mitchell

Taylor

(2018). Digital poly-victimization: The increasing importance of online crime and harassment to the burden of victimization. Journal of Trauma & Dissociation, 19(3), 382–398. https://doi.org/10.1080/15299732.2018.1441357

21.

Hilbe

J. M.

(2011). Negative binomial regression (2nd ed.). Cambridge University Press.

22.

Holt

T. J.

Bossler

A. M.

(2013). Examining the relationship between routine activities and malware infection indicators. Journal of Contemporary Criminal Justice, 29(4), 420–436. https://doi.org/10.1177/1043986213507401

23.

Hope

Bryan

Trickett

Osborn

D. R.

(2001). The phenomena of multiple victimization: The relationship between personal and property crime risk. British Journal of Criminology, 41(4), 595–617. https://doi.org/10.1093/bjc/41.4.595

24.

Hope

Trickett

(2008). The distribution of crime victimisation in the population. International Review of Victimology, 15(1), 37–58. https://doi.org/10.1177/026975800801500103

25.

Hosmer

D. W.

Jr. Lemeshow

Sturdivant

R. X

. (2013). Applied logistic regression (3rd ed.). Wiley.

26.

Ignatans

Pease

(2015). On whom does the burden of crime fall now? Changes over time in counts and concentration. International Review of Victimology, 22(1), 55–63. https://doi.org/10.1177/0269758015610854

27.

Kemp

(2023). Exploring public cybercrime prevention campaigns and victimization of businesses: A Bayesian model averaging approach. Computers & Security, 127, Article 103089. https://doi.org/10.1016/j.cose.2022.103089

28.

Krushas

A. E.

Kulig

T. C.

Goslar

(2025). A review of personal recurrent victimization. Springer Nature.

29.

M. T. H.

Holton

Romero

Fisher

(2015). Poly-victimisation among Vietnamese high school students: Prevalence and demographic correlates. PLoS ONE, 10(5), e0125189. https://doi.org/10.1371/journal.pone.0125189

30.

M. T. H.

Holton

Romero

Fisher

(2018). Polyvictimization among children and adolescents in low- and lower-middle-income countries: A systematic review and meta-analysis. Trauma, Violence & Abuse, 19(3), 323–342. https://doi.org/10.1177/1524838016659489

31.

Leukfeldt

E. R.

Yar

(2016). Applying routine activity theory to cybercrime: A theoretical and empirical analysis. Deviant Behavior, 37(3), 263–280. https://doi.org/10.1080/01639625.2015.1012409

32.

McGuire

Dowling

(2013). Cyber crime: A review of the evidence (Research Report No. 75). Home Office.

33.

Miró Llinares

Johnson

S. D

. (2017). Cybercrime and place: Applying environmental criminology to crimes in cyberspace. In Bruinsma

G. J. N.

Johnson

S. D.

(Eds.), The Oxford handbook of environmental criminology (pp. 883–906). Oxford University Press. https://doi.org/10.1093/oxfordhb/9780190279707.013.39

34.

Miró-Llinares

Moneva

(2020). Environmental criminology and cybercrime: Shifting focus from the wine to the bottles. In Holt

Bossler

(Eds.), The Palgrave handbook of international cybercrime and cyberdeviance (pp. 491–511). Palgrave Macmillan. https://doi.org/10.1007/978-3-319-90307-1_30-1

35.

Mize

T. D.

(2019). Best practices for estimating, interpreting, and presenting nonlinear interaction effects. Sociological Science, 6, 81–117. https://doi.org/10.15195/v6.a4

36.

Moneva

Leukfeldt

E. R.

Van De Weijer

S. G. A.

Miró-Llinares

(2022). Repeat victimization by website defacement: An empirical test of premises from an environmental criminology perspective. Computers in Human Behavior, 126, Article 106984. https://doi.org/10.1016/j.chb.2021.106984

37.

Näsi

Danielsson

Kaakinen

(2023). Cybercrime victimisation and polyvictimisation in Finland—Prevalence and risk factors. European Journal on Criminal Policy and Research, 29, 283–301. https:/doi.org/10.1007/s10610-021-09497-0

38.

Osborn

D. R.

Ellingworth

Hope

Trickett

(1996). Are repeatedly victimized households different? Journal of Quantitative Criminology, 12(2), 223–245. https://doi.org/10.1007/BF02354416

39.

Paoli

Visschers

Verstraete

(2018). The impact of cybercrime on businesses: A novel conceptual framework and its application to Belgium. Crime, Law and Social Change, 70, 397–420. https://doi.org/10.1007/s10611-018-9774-y

40.

Pease

Ignatans

Batty

(2018). Whatever happened to repeat victimisation? Crime Prevention and Community Safety, 20, 256–267. https://doi.org/10.1057/s41300-018-0051-x

41.

Rantala

R. R.

(2008). Cybercrime against businesses, 2005 (Special Report). Bureau of Justice Statistics.

42.

Reynald

D. M.

Moir

Cook

Bracy

N. L.

(2018). Changing perspectives on guardianship against crime: An examination of the importance of micro-level factors. Crime Prevention and Community Safety, 20, 268–283. https://doi.org/10.1057/s41300-018-0049-4

43.

Reyns

B. W.

Henson

Fisher

B. S.

(2011). Being pursued online: Applying cyberlifestyle–routine activities theory to cyberstalking victimization. Criminal Justice and Behavior, 38(11), 1149–1169. https://doi.org/10.1177/0093854811421448

44.

Sartori

A. E.

(2003). An estimator for some binary-outcome selection models without exclusion restrictions. Political Analysis, 11(2), 111–138. https://doi.org/10.1093/pan/mpg001

45.

Snyder

J. A.

Scherer

H. L.

Fisher

B. S.

(2021). Poly-victimization among female college students: Are the risk factors the same as those who experience one type of victimization? Violence Against Women, 27(10), 1716–1735. https://doi.org/10.1177/1077801220952176

46.

Tompson

Jolliffe Simpson

Wortley

(2026). Understanding poly-victimisation through an intersectional lens. Journal of Criminology, 24(2), 227–241. https://doi.org/10.1177/26338076251409419

47.

Tseloni

Pease

(2003). Repeat personal victimization: “Boosts” or “flags”? The British Journal of Criminology, 43(1), 196–212. https://doi.org/10.1093/bjc/43.1.196

48.

Tura

Buil-Gil

Adeniyi

(2026). Measuring recurrent victimization: Evaluating operationalization strategies and predictors using the Crime Survey for England and Wales. Evidence Base. Advance online publication. https://doi.org/10.1080/30679125.2025.2605330

49.

Wanamaker

K. A.

(2019). Profile of Canadian businesses who report cybercrime to police: The 2017 Canadian survey of cyber security and cybercrime (Report No. 2019–R006). Public Safety Canada.

50.

Weisel

D. L.

(2005). Analyzing repeat victimization (Problem-Solving Tools Series No. 4). Office of Community Oriented Policing Services, U.S. Department of Justice.

51.

Williams

M. L.

Levi

Burnap

Gundur

R. V.

(2019). Under the corporate radar: Examining insider business cybercrime victimization through an application of routine activities theory. Deviant Behavior, 40(9), 1119–1131. https://doi.org/10.1080/01639625.2018.1461786

52.

Yar

(2005). The novelty of ‘cybercrime’: An assessment in light of routine activity theory. European Journal of Criminology, 2(4), 407–427. https://doi.org/10.1177/147737080556056

Supplementary Material

Please find the following supplemental material available below.

For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.

For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.

0.00 MB

0.06 MB