EXAMINING IDENTITY THEFT VICTIMIZATION USING ROUTINE ACTIVITIES THEORY By Andrew Osentoski                  A THESIS  Submitted to Michigan State University in partial fulfillment of the requirements for the degree of  Criminal Justice  Master of Science 2016   ABSTRACT EXAMINING IDENTITY THEFT VICTIMIZATION USING ROUTINE ACTIVITIES THEORY  By Andrew Osentoski According the Federal Trade Commission's Consumer Sentinel Network, complaints of identity theft has increased from 86,250 in 2001 to 332,646 in 2014 (Consumer Sentinel Network Data Book for January - December 2014, 2015). Monetary losses due to identity theft totaled around $24.7 billion in 2012, though this dipped to $15.4 billion in 2014 (Harrell & Langton, 2013; Harrell, 2015). This emerging problem in criminal justice should be studied. However, studying identity theft poses substantive and methodological challenges.  Substantively, studies of identity theft have been largely exploratory and have used a variety of definitions to characterize the crime.  Due to a lack of information on offenders, low clearance rates and the multitude of ways in which identity theft can be committed both online and offline, a framework that can depict patterns of offending and victimization is lacking. Methodologically, victimizations are hard to track since it is not a crime that is routinely recorded in the Uniform Crime Reports.  This study uses data from the 2014 National Crime Victimization Survey: Identity Theft Supplement to examine identity theft victimization. The theory of routine activities is used as a framework to assess potential patterns and precursors of victimization.   iii           Dedicated to my incredibly supportive family and friends, and to those no longer with us who helped shape me into who I am today.       iv  ACKNOWLEDGMENTS  My thanks to:  Dr. Sheila Maxwell for serving as my thesis chair and guide through this entire process, spending countless hours poring over my work and molding it into a respectable finished product.  Dr. Thomas Holt not only for serving on my committee, but also for sharing his research and giving me the opportunity to take part in it.  Dr. Mahesh Nalla for providing great constructive feedback on my work.  James and Amanda, for brightening up days of hard work in the dark side of the office and for acknowledging me in their theses.  My aforementioned friends and family whose unwavering support in the face of a number of challenges was instrumental in the completion this work, I couldn't have done it without you.        TABLE OF CONTENTS  LIST OF TABLES                  vi  LIST OF FIGURES                 vii  Chapter 1 Introduction                   1 1.1 Identity Theft                   2  Chapter 2 Routine Activities Theory                  5 2.1 Routine Activities Theory and the Internet               7  Chapter 3 Online Routine Activities                12 3.1 Target Suitability                 12 3.2 Capable Guardianship                15 3.3 Motivated Offenders                18  Chapter 4 Methods                   20 4.1 Data                  20 4.2 Measures                  22 4.3 Suitable Targets                 22 4.4 Capable Guardianship                23 4.5 Motivated Offenders                24 4.6 Current Model                 24 4.7 Analytic Strategy                 25  Chapter 5 Results                  27 5.1Bivariate Results                 30 5.2 Multivariate Results                32  CHAPTER 6 Discussion                 36  APPENDIX                   41  REFERENCES                  43          LIST OF TABLES  Table 1:  Scales and Descriptive Statistics               29 Table 2:  Bivariate Analysis                 32 Table 3: Binary Logistic Regression Model of Identity Theft Victimization Model          35                      LIST OF FIGURES  Figure 1: Concept Diagram                 42     1  Chapter 1 Introduction Identity theft is costly, prevalent, and it appears to be on the rise (Harrell, 2015).  The Federal Trade Commission (FTC) reports that it received over 332,000 complaints of identity theft in 2014, up from just 86,250 in the year 2001 (Consumer Sentinel Network Data Book for January - December 2014, 2015).  (NCVS) Identity Theft Supplement (ITS) for 2014 reports that a full 7% of U.S. residents aged 16 or older were victims of identity theft, equaling about 17.6 million Americans (Harrell, 2015).  The financial ramifications are just as compelling, with the monetary loss due to identity theft in 2012 being an estimated $24.7 billion (Harrell & Langton, 2013).  The large rise in identity theft complaints since 2001 coupled with the financial ramifications of this type of crime position identity theft as an emerging threat to the financial well-being of many Americans and the economy as more and more businesses expand into e-commerce.  Whether it is this shift towards more e-commerce or another factor increasing the amount of identity theft complaints, the financial ramifications of the crime necessitates more research on the topic.  However, studying identity theft poses substantive and methodological challenges.  Chief among these challenges is the ambiguity of definitions of identity theft (Reyns, 2013), the breadth of offenses that can be classified under the identity theft umbrella (Consumer Sentinel Network Data Book for January - December 2014, 2015; Lane & Sui, 2010), the lack of information on offenders (Allison, Schuck, & Lersch, 2005; Copes & Vieraitis, 2009), and the lack of theoretical framework that can guide research endeavors in this area.     2  1.1 Identity Theft The Department of Justice has defined identity theft as any crime in which one person (Department of Justice, 2015).  This definition is intentionally broad to account for the breadth of offenses that can be classified as identity theft. The Identity Theft and Assumption Deterrence Act of 1998 defined seven general categories of identity theft: credit card identity theft, phone or utilities fraud, bank fraud, employment-related identity theft, government documents or benefits fraud, loan fraud, and an all-encompassing (Lane & Sui, 2010). Under most of these categories are subcategories which further break identity theft down to specific crimes like creating new credit card accounts or fraudulently obtaining tax returns (Lane & Sui, 2010).  This breadth of crimes makes identity theft difficult to study in depth. Not only are there many ways to commit identity theft, but there are many ways in which offenders are able to obtain information necessary to commit the crime (Copes & Vieraitis, 2009; Reyns, 2013).  Identity theft was conceptualized as a white collar crime committed by technically skilled criminals until relatively recently.  This is not necessarily the case (Allison et al., 2005; Copes & Vieraitis, 2009; Reyns, 2013).  Using interviews of 59 prisoners convicted of identity theft, Copes and Vieraitis (2009) found that offenders come from a variety of social classes, occupations, and educational attainment.  The authors also found that most of the information used to commit identity theft in these cases was not obtained online, but bought from employees of businesses with access to personal information (Copes & Vieraitis, 2009).  Others rummaged through personal or business mailboxes and trash cans for documents containing personal information (Copes & Vieraitis, 2009).  This is not to say that identity theft is not also being committed through high tech means.   3  Although there are not many studies on high tech identity theft offenders, anecdotal evidence in the form of large scale identity theft cases confirm the existence of these types of offenders.  A recent press release from the Department of Justice outlined an identity theft case computers and sold almost $2 million worth of identities in his online store which were later used to file $65 million in fraudulent income tax returns 2015).  Another case involved a number of high tech techniques for stealing identities which targeted consumers in Massachusetts and New York.  The offenders in this case gained access to unsecured networks of local businesses to install programs which gathered customer payment information and sold this information online.  According to court documents, the identity thief was able to steal in excess of 40 million credit and debit card numbers eader of Hacking Ring 2010).  While it is possible that the offenders interviewed by Copes and Vieraitis (2009) are more representative of failed identity thieves rather than identity thieves in general, the point  clearance rates for the crime pose a number of challenges in the study of identity theft (Allison et al., 2005).  First, the low clearance rates means that virtually nothing is known about who commits the crime (Allison et al., 2005) or exactly how particular victims are targeted.  The low clearance rate itself may be a function of the relative anonymity of the crime, where the majority of victims themselves have no idea how offenders obtained their information in the first place, let alone a description of who stole their information (Harrell, 2015).  4  study of offenders is unique at this point in time, but the offenders selected by the authors may be representative of only low technology based identity theft.  Further, the fact that these offenders were caught may mean that they are representative of only the least skilled in this category of offenders (Copes & Vieraitis, 2009).  Second, the variation in the methods employed to obtain information used to commit identity theft also implies that this crime may be more diffused and intractable.  It appears that both online and offline methods are used in committing the crime, but the extent by which online or offline techniques are used cannot be assessed without measures that represent both online and offline exposure.    This research examines identity theft victimizations using routine activities theory.  The towards understanding contexts of victimizations.  Given the lack of information about identity theft offenders, routine victimization.  This theoretical framework is also robust enough to explain both low- and high-tech identity theft.   As discussed above, identity theft can be committed through both high-tech (online) and low-tech (offline) methods.  This duality in methods of gaining the information necessary to commit identity theft requires consideration of both high and low tech exposures.  Important aspects of routine activities theory such as target suitability and capable guardianship will be operationalized using measures of both online and offline exposures and guardianship.  By including explorations of both high and low tech measures in this study, a more holistic portrait of identity theft and how it may occur is expected.  Data from the 2014 N (NCVS) Identity Theft Supplement (ITS) are used.  The data provides a large sample of identity theft victims throughout the United States and is therefore useful in assessing factors that can help explain identity theft victimization. 5  Chapter 2 Routine Activities Theory Routine activities theory was conceptualized as a way to explain the uptick in crime following World War II (Cohen & Felson, 1979).  Social variables such as income and unemployment which other theories use to explain high crime rates were actually improving while the crime rate rose (Cohen & Felson, 1979).  In order to explain this phenomenon, Cohen and Felson (1979) proposed that the crime spike was not a function of differences in offender behavior, but rather a difference in victim behavior.  Cohen and Felson (1979) were able to distill this thought down to a simple concept: crime occurs as an interaction of (1) motivated offenders, (2) suitable targets, and (3) a lack of capable guardianship.  Simply put: where offenders, targets with resources that offenders desire, and a lack of oversight meet, crime is more likely to occur (Cohen & Felson, 1979).  Thus routine activities theory was born. Cohen and Felson (1979) tested their newly proposed theory using a few measures to determine whether shifts in victim behavior actually occurred, and what these were.  A few major shifts in the routine activities of Americans that Cohen and Felson (1979) identified were increases in female college students, households unattended during business hours, out of town travel, vacations, and vacation time given to employees (Cohen & Felson, 1979).  Coinciding with these behavioral changes was an increase in the number of households and therefore household consumer goods such as televisions and other electronics (Cohen & Felson, 1979). These consumer products were also becoming increasingly lightweight and portable as the technology behind them improved, increasing the ease with which a burglar could walk out the door with a new television (Cohen & Felson, 1979).  Cohen and Felson (1979) asserted that these shifts made people more vulnerable to offenders outside the home because of increased exposure 6  while simultaneously making homes more vulnerable to burglary during the day (Cohen & Felson, 1979). The basic test of whether the changes in routine activities had an effect on crime trends in the way Cohen and Felson (1979) expected lies in differential rates of change within crime categories.  For example, given that people are out of the safety of their homes more often, an increase in the rate of victimization at the hands of strangers, not people known to the victim, should be expected (Cohen & Felson, 1979).  Similarly the rates of daytime burglary should increase at a rate higher than that of night time burglary given the change in the amount of households unoccupied during the day.  Indeed, this is exactly what Cohen and Felson (1979) observed.  Lifestyle changes which decreased capable guardianship and increased target suitability appears to have led to very real change in crime trends (Cohen & Felson, 1979). Since the inception of routine activities theory, it had been used to study crimes which occur when targets and offenders meet in a physical space.  At the time that Cohen and Felson (1979) created routine activities, the overwhelming majority of crime occurred with perpetrators and victims in the same physical space, or at least the perpetrator taking physical property.  Studies have generally supported the applicability of routine activities to larceny and other property crimes (Franklin, Franklin, Nobles, & Kercher, 2012; Johnson, Yalda, & Kierkus, 2010; Mustaine & Tewksbury, 1998) with others supporting the application of the theory to more serious property crimes including motor vehicle theft (Lee & Alshalan, 2005).  However, since the emergence of the internet and its rapid popularization in the late 1990s, crime in which victims and perpetrators never come into physical contact have become more viable (Janus & Davis, 2005).  7  2.1 Routine Activities Theory and the Internet As previously mentioned, there are both online and offline methods for obtaining the information needed to commit identity theft.  The applicability of routine activities theory to offline methods is easy to see.  In order to commit identity theft through offline means a potential al information.  This process typically burglary or other types of theft (Copes & Vieraitis, 2009; Newman, 2004).  Theft of purses or wallets is not uncommon (Newman, 2004), and interviews with individuals convicted of identity theft offenses by Copes and Vieraitis (2009) revealed that other offenders searched through garbage cans or mailboxes for mail or other documents containing personal information. Methods of attaining personal information which rely on physical access to documents or government issued identification can be viewed through routine activities theory which stresses a lack of capable guardianship and suitable targets - in some cases easily accessible garbage cans and mailboxes. Cases which involve breaking into either homes or cars to steal personal information are very similar to the types of property crimes Cohen and Felson (1979) originally endeavored to explain with routine activities theory (Copes & Vieraitis, 2009).  That being said this comparison is not perfect. An extra step of converting identities into financial gain is necessary to commit identity theft.  The connection between online routine activities and identity theft is less clear.  The current study aims to apply core concepts of offline routine activities to online activities to explore whether online activities can explain identity theft victimization. The internet has changed the lifestyle of the average person significantly and in a manner that is not dissimilar to the way American lifestyles changed post-WWII (Reyns, 2013).  The 2003 United States Census data revealed that 62% of American households owned a computer 8  with 54.7% reporting internet use (Janus & Davis, 2005).  The same survey found 18% of adults used the internet for banking, and about 32% had purchased a product online (Janus & Davis, 2005).  Ten years later, the 2013 United States Census found major shifts in how Americans were using computers and the internet with 83.3% of households reporting computer ownership and 74.4% reporting internet use (File & Ryan, 2014).  Not only did the number of Americans using computers and internet change, but so too did the ways in which these technologies are used. A 2013 Pew Research Center survey found that 51% of U.S. adults now use the internet for banking (Fox, 2013).  Other uses for the internet including communication and data storage are on the rise as well 2014; Leavitt, 2005).  As our reliance on technology steadily increases, it is likely that more activities that were once conducted in person will shift to cyber space (Fletcher, 2007; Reyns, Henson, & Fisher, 2011; Reyns, 2013).  For example, the most recent report on e-commerce sales in the United States show that online sales account for just under seven percent of total retail sales for the country in 2015, an increase from just under three percent in 2006 (DeNale, Liu, & Weidenhamer, 2015).  By the same token Gartner, an information research company, predicts that at least 50% of all Global 1000 companies will have sensitive customer data stored in a public cloud by 2016 (Pettey & van der Meulen, 2011).  Similar to the way the average American was more exposed to potential crime based on patterns of behavior post-WWII, the rise of online activities seems to have increased the exposure of the average American to victimization through the internet (Fletcher, 2007; Reyns et al., 2011; Reyns, 2013). This shift in routine activities has led criminologists to expand routine activities theory to include offenses which occur without direct physical contact between offenders and targets 9  (Choi, 2008; Eck & Clarke, 2003; Holt & Bossler, 2009; Pratt, Holtfreter, & Reisig, 2010; Reyns et al., 2011; Reyns, 2013; Ricketts, Higgins, & Marcum, 2010).  Eck and Clarke (2003) make this expansion by including disparate networks as places of convergence between offenders, suitable targets, and a lack of capable guardianship.  In this formulation of the theory, offenders and targets are connected through some type of network, such as the postal service or the internet (Eck & Clarke, 2003).  The network can be a substitute for physical locations where offenders and targets meet and in which crime occurs.  Eck and Clarke (2003) propose this conceptual expansion to explain crimes like mail bombing, telemarketing fraud, and online identity theft.  In this formulation of the theory, offenders and targets are connected through some type of network, such as the postal service or the internet (Eck & Clarke, 2003).  This extension of routine activities theory has been used in a number of studies since the boom in the popularity of the internet (Choi, 2008; Eck & Clarke, 2003; Holt & Bossler, 2009; Pratt et al., 2010; Reyns et al., 2011; Reyns, 2013, 2015; Ricketts et al., 2010). This is not to say that this formulation of routine activities theory is without its problems. Yar (2005) outlines a number of issues with using the theory in online contexts. Chief among between offenders and targets - the internet is fundamentally different from the physical world in the sense that on the internet it is very easy to get from one site to another.  In other words, spatial divergence in the physical world acts as an important mediator to crime.  Targets and offenders must be on the same street or in the same building.  Online, many targets may be just a few clicks away from offenders even if the two are physically thousands of miles apart, making convergence much easier on the internet (Yar, 2005).   econd concern about extending routine activities theory to online crime 10  offenders, suitable targets and a lack of capable guardianship at a moment in time.  People are on the internet at many different times and in many different contexts. Therefore Yar (2005) argues email does not exist only at a particular moment.  An offender might send the email and get a response a week later.  In contrast, a physical theft occurs at a defined time when the offender gains access to a target. Finally, Yar (2005) calls into question whether the targets of online crime can be evaluated VIVA describes the dimensions outlined by Cohen and Felson (1979) to evaluate the suitability of physical targets.  These are: value, inertia, visibility, and accessibility (Cohen & Felson, 1979; Yar, 2005).  Value represents how much an item or multiple items are worth. The concept of inertia concerns how cumbersome a physical object might be to take.  Visibility refers to the ease with which an offender can physically observe the target  it is difficult to target something if one does not know it is there.  Accessibility refers to how easy it is to get to and from a target (Yar, 2005).  VIVA is largely easy to apply to physical objects, but it is not so simple to apply to online targets (Yar, 2005).  construct was to explain what might put an item or person at risk for crime in a physical space.  While there are few studies which have explicitly applied dimensions of VIVA to online targets (Choi, 2008; Holt & Bossler, 2009) there have been a number of studies which have applied similar elements (Copes, Kerley, Huff, & Kane, 2010; Holt & Turner, 2012; Pratt et al., 2010; Reyns et al., 2011; Reyns, 2013; Ricketts et al., 2010).  For example, while Copes et al. (2010) were not specifically testing 11  VIVA, their study of fraud and identity theft did include a measure of Internet use frequency which can be viewed as a measure of visibility for online crimes.  There are many challenges to overcome in explicitly expanding VIVA to online targets (Yar, 2005).  The discussion assesses how routine activities theory has been and may be applied to online routine activities.  While are reasonable, routine activities has been shown to be of use beyond only physical crime.   To date, research on identity theft has been largely exploratory in nature (Benson, 2009; Copes & Vieraitis, 2009; Higgins, Hughes, Ricketts, & Wolfe, 2008; Lane & Sui, 2010; Slosarik, 2002).  Recently, however, a small number of researchers have examined the applicability of lifestyles oriented theories in the study of fraud and identity theft victimization (Pratt, Holtfreter, & Reisig, 2010; Reyns, 2013) despite the concerns Yar (2005) raises in order to determine the utility of the theory in this area.  These studies are important in leading the shift from what are predominantly atheoretical and descriptive explorations of identity theft to one that includes a theoretical framework.  Routine activities theory has been used as the leading framework among these lifestyle oriented approaches towards better understanding identity theft victimization.         12  Chapter 3 Online Routine Activities  Given its original conception as a theory focused on physical crime it is important to consider the ways in which the elements of routine activities theory have been applied to online activities.  The discussion below assesses how the elements of routine activities theory specifically target suitability, capable guardianship, and motivated offenders have been used in studies of online crime. 3.1 Target Suitability  A number of studies regarding a variety of online crimes have been conducted and have operationalized target suitability in different ways (Choi, 2008; Copes et al., 2010; Holt & Bossler, 2009; Holt & Turner, 2012; Pratt et al., 2010; Reyns et al., 2011; Reyns, 2013, 2015; Ricketts et al., 2010).  Using the VIVA components of target suitability, we will first look into targets in online crime is heavily dependent on the type of offense being perpetrated (Copes et al., 2010; Pratt et al., 2010; Reyns et al., 2011).  For example, the targets of expressive crimes to create a scale of target attractiveness in their study of cyber stalking based on the amount and types of information available on potential targets such as a full name, an e-mail address, photos, videos, and sexual orientation, among other measures.  Value in other online crimes including identity theft would seem to be largely invariant across potential targets  that is, one identity would not be more valuable than the next.  However, the findings of Copes et al. (2010) and Reyns (2013) suggest that higher income individuals are more likely to experience identity theft.  The authors suggest this might be due to a difference in exposure, although the effects of income 13  en lifestyle factors were controlled (Copes et al., 2010; Reyns, 2013).  Still, most studies of identity theft do not include measures of value as it would be difficult for offenders to assess the relative value of any given identity over another.   Inertia is another portion of target suitability that is common to most potential targets in file size, with larger files being more difficult to copy on underpowered machines or across slow internet connections.  That being said Yar (2005) acknowledges that these limitations are not significant for most and a criminal may actually prefer the larger file if it includes more t be profile.  More information or certain types of information may be more attractive to potential offenders because they facilitate cyberstalking better than others (Reyns et al., 2011).  For example, a profile with information linking to other social media accounts and a full name may be akin to the lighter televisions of today in terms of inertia for physical crimes, while an account with only photos might represent a target more similar to a bulky older tube television (Cohen & Felson, 1979; Reyns et al., 2011).  Much like the relative physical ease of stealing a modern flat screen television versus a heavy older television, cyber stalking a victim with more publicly available information is much easier than cyber stalking someone without a wealth of information (Cohen & Felson, 1979; Reyns et al., 2011).   The concept of inertia has not been measured in studies of identity theft as it is not easily quantifiable.  It might be the case that inertia in the case of online identity theft would be related to whether it is easy to gather information from a large database or if the collection process is more tedious.  For offline variants of identity theft, inertia similarly does not seem like a large 14  hurdle.  Inertia does not seem to be a factor in stealing wallets, purses, or documents (Copes & Vieraitis, 2009).  As Yar (2005) argues, target visibility in online routine activities might be more difficult to assess.  The internet is by its very nature a very public network (Wall, 2008; Yar, 2005).  Ricketts et al. (2010) included a question about whether respondents marked their social t included an explicit measure of target visibility but did include items concerning what types of online behaviors the respondent performed or the time spent online (Choi, 2008; Holt & Bossler, 2009; Pratt et al., 2010; Reyns et al., 2011; Ricketts et al., 2010).  A complication to the applicability of target visibility to identity theft is that businesses themselves can also be targets for data leaks, not just individuals (2015 Cost of Data Breach Study: United States, 2015).  In the case of a large scale data breach the routine activities of an individual are not as important outside of the businesses they frequent.    Accessibility may be the most difficult element to assess in porting routine activities to online behaviors.  Computer based techniques for gathering personal information necessary to commit identity theft range from technically sophisticated "hacking" of websites or individuals to so called "social engineering" techniques (Bowles, 2012; Howard, 1997; Pratt et al., 2010; Wall, 2008).  For traditional hacking, accessibility might be best defined as having a public facing website that allows for user interaction (Bowles, 2012). Cross-site scripting and SQL injection are two common ways hackers are able to gain access to sensitive database information (Bowles, 2012).  Social engineering techniques rely more upon access to a potential target's means of communication (Bowles, 2012).  For example, a potential offender might craft a phishing email designed to look like an official communication from a target's bank asking for 15  account information (Bowles, 2012; Reyns, 2013).  Whichever way an identity is stolen, getting a proxy server to obfuscate identifying information and as difficult as editing log files to digitally cks (Kao & Wang, 2009; Yar, 2005).  Studies of identity theft have not specifically measured accessibility.  Instead, many touch on related topics including the ubiquity of internet access (Holtfreter, Reisig, & Pratt, 2008; Reyns, 2013), the existence of personal information online (Allison et al., 2005), or purchasing items online (Van Wilsem, 2013a).  The anonymity the internet provides, while not quite as absolute as many believe, also adds to accessibility (Kao & Wang, 2009; Yar, 2005).   As a whole, the four elements of target suitability have shown promise in studies of online crime, but still need to be more fully developed for online crimes (Choi, 2008; Copes et al., 2010; Holt & Bossler, 2009; Holt & Turner, 2012; Pratt et al., 2010; Reyns et al., 2011; Reyns, 2013; Ricketts et al., 2010).  Many studies, however do not specifically delineate each element of VIVA. Instead, measures are housed under the general category that include items which measure one or more factors of VIVA. For example, measures of time spent online are included in many studies as a general target visibility or suitability measure (Pratt et al., 2010; Reyns, 2013).  3.2 Capable Guardianship  While typically there are no visible guardians in online spaces which mirror the presence of police or bystanders on the street, there are other actors that approximate the same effects. Online moderators, system administrators, and other users in online communities seem to play similar roles to that of third parties in the physical world (Howard, 1997; Wall, 2008; Yar, 2005). Computer and online guardianship may also be operationalized through measures of antivirus or 16  security software use, private profiles and profile trackers (Bowles, 2012; Choi, 2008; Holt & Bossler, 2009; Howard, 1997; Reyns et al., 2011; Wall, 2008).  Keeping systems up to date, the use of good passwords, and increasing computer skills have also been prescribed to increase online guardianship (Bowles, 2012; Reyns, 2013; Wall, 2008).   Holt & Bossler (2009) also included a measure of friends who practice online deviance as a measure of lack of capable guardianship, reasoning that people with more deviant friends would have less friends to turn to if they became a victim.  In this way both computer based measures of guardianship and more traditional social guardianship measures have been used to represent capable guardianship in computer based victimization. Research that included guardianship measures has generally shown that higher levels of capable guardianship reduces online victimization (Choi, 2008; Holt & Bossler, 2009; Reyns et al., 2011; Ricketts et al., 2010).  However, other studies have found that higher levels of capable guardianship actually increases online victimization (Ngo & Paternoster, 2011; Reyns et al., 2011; Reyns, 2015; Van Wilsem, 2013b).  These studies operationalized guardianship as the use of online profile trackers (Reyns et al., 2011), use of anti-virus software (Ngo & Paternoster, 2011; Reyns, 2015), or computer crime education and knowledge (Ngo & Paternoster, 2011; Van Wilsem, 2013b).  Interestingly, the reduction in online victimization due to guardianship that were observed by Holt & Bossler (2009) and Ricketts et al. (2010) measured guardianship as social guardianship, that is, computer deviance of peers and social locations where respondents used their computers, respectively.  These findings suggest that in regard to online victimization, capable guardianship may not be a strictly computer-centric matter. Offline routine activities may also play a large part in online victimization and perhaps in online and offline identity theft.  An interesting conceptualization of capable guardianship has been used in which general 17  guardianship is divided into two categories: physical and personal (Holt & Bossler, 2009; Holt & Turner, 2012; Ngo & Paternoster, 2011; Reyns et al., 2011; Van Wilsem, 2013b).  Physical guardianship typically refers to the respondents' use of security related software such as antivirus programs and firewalls (Holt & Bossler, 2009; Holt & Turner, 2012; Ngo & Paternoster, 2011; Reyns et al., 2011; Van Wilsem, 2013b).  Personal guardianship focuses on the respondents' self-reported skill level with computers (Holt & Bossler, 2009; Holt & Turner, 2012; Ngo & Paternoster, 2011; Reyns et al., 2011; Van Wilsem, 2013b).  This method of differentiation makes intuitive sense. Antivirus software and firewalls seem to provide a different type of  The results of research using this conceptualization of guardianship is mixed. In fact, a number of studies have found that higher levels of physical or personal online guardianship actually increase online victimization (Ngo & Paternoster, 2011; Reyns et al., 2011; Reyns, 2015; Van Wilsem, 2013b) or have no effect on victimization (Holt & Bossler, 2009). It is not entirely clear why the counterintuitive result has been found.  Ngo & Paternoster (2011) hypothesize that either their measures were somehow flawed or that the guardianship measures including running anti-virus or other protective software may embolden users to perform more risky behaviors online (Ngo & Paternoster, 2011; Reyns, 2015).  Another explanation is that respondents only began using profile tracker as a reaction to previous cyber stalking incidents (Reyns et al., 2011; Reyns, 2015).  Van Wilselm (2013) offered an alternative explanation that those with lower levels of computer knowledge were less likely to report being hacked because they did not recognize the signs of being victimized given their lack of knowledge.    In regards to the utility of this personal and physical guardianship in the study of identity theft, results are similarly mixed.  Holt & Turner (2012) do not specifically test routine activities 18  theory, but did study online identity theft's relationship with three different protective factors: use of protective software, use of a firewall, and personal computer knowledge.  The first two protective items align with physical guardianship concepts, while the last aligns with personal guardianship.  The authors found the use of protective software increased resiliency against identity theft, while the others had no effect (Holt & Turner, 2012).   3.3 Motivated Offenders  Similar to tests of traditional routine activities theory, motivated offenders have been taken as a given in studies of online crime with authors focusing instead on exposure to potential offenders (Ngo & Paternoster, 2011; Pratt et al., 2010; Reyns, 2013, 2015).  Cohen & Felson (1979) themselves did not attempt to quantify motivated offenders, instead they focused on factors which lead to specific crime incidents.  Studies that used routine activities theory to explain offline crimes have attempted to quantify the number of potential offenders in an area with success by asking victims questions about neighborhood crime or similar questions about exposure (Clodfelter, Turner, Hartman, & Kuhns, 2010; Franklin et al., 2012; Massey, Krohn, & Bonati, 1989; Moriarty & Williams, 1996; Mustaine & Tewksbury, 1998).   Similarly studies of online victimization tend not to broach the topic of motivated offenders, instead focusing on the exposure of a potential victim to more offenders (Holt & Bossler, 2009; Ngo & Paternoster, 2011; Reyns et al., 2011; Reyns, 2013, 2015; Ricketts et al., 2010).  For example, Holt & Bossler (2009) included measures of computer ownership and internet connection speed as proxies for exposure to motivated offenders.  Similarly Reyns et al. (2011) included measures of time spent online, number of social network accounts and number of photos among other measures to capture exposure to would be cyber stalkers. The encouraging results of this body of literature seems to bolster the legitimacy of 19  online lifestyles as a factor in online crime.  However, studies in the area have lacked precision in their measures of dimensions of routine activities theory.  The present study aims to add to this literature by testing the impact of specific components of the theory with measures of online and offline routine activities that are derived from the National Crime Survey, which is a representative survey of the United States population.  The current study will assess measures of visibility and to some extent accessibility and value in identity theft victimization. Inertia does not play heavily into this model.                 20  Chapter 4 Methods 4.1 Data The NCVS data is gathered by the United  Census Bureau on behalf of the Bureau of Justice Statistics.  The NCVS was started in 1973 largely to complement other crime data collection tools - National Crime Victimization Survey ).  The Uniform Crime Report (UCR) includes data on crimes reported to police, but the NCVS is a survey of a random sample of households in the United States, and thus, is able to shine a light on crimes that are not reported to the police.  Thus the NCVS is able to provide a more complete picture of just how much crime is actually occurring, and also how much goes unreported to the police ) - National Crime Victimization ). The NCVS is a nationally representative sample of about 90,000 households and is given as a survey to all people residing within each household over the age of 12.  Each household remains a part of the sample for a period of 3 years with a total of 7 interviews either conducted in person or by phone - National Crime Victimization Survey ).  The NCVS specifically focuses on personal crimes (excluding homicide) and property crimes, while also recording the demographic information of respondents Justice Statistics (BJS) - National Crime ). The NCVS occasionally includes supplemental questionnaires that focuses on a specific type of crime.  Topics which have been the focus of past NCVS supplements have include intimate partner violence, identity theft, stalking, and school crime.  The NCVS has included the Identity Theft Supplement (ITS) in three previous surveys: 2008, 2012, and most recently in 21  2014 - National Crime ).   This study will make use of the most recent NCVS: Identity Theft Supplement which specifically asks about the details of identity theft victimization. The NCVS: ITS first started in 2008 presumably due to a generally growing concern about the crime in the law enforcement community - National Crime ).  The ITS aimed to specifically address a number of unstudied details surrounding identity theft including the number of people affected, the financial loss incurred by the victims, and victim reporting behavior, among other things.  The ITS is a valuable tool for gaining insight into what the average identity theft victim looks like, what makes someone more likely to become a victim of identity theft, and what protective factors may shield people from identity theft. The 2014 edition of the NCVS: ITS  (N = 84,823) contains survey items regarding the number of incidents of identity theft victimization, the types of accounts maintained by the respondent, the type of account misused, whether the theft misused an existing account or created a new one, how the respondent discovered the theft incident, and actions taken following the discovery.  Respondents were also questioned about the financial and emotional damage incurred by the incident and their feelings on police responses to their complaint if one was filed.  Survey items regarding actions taken to avoid identity theft prior to or in response to identity theft were asked.  For example, respondents were asked whether they changed account passwords or shredded documents containing sensitive information to protect themselves from identity theft.  Finally, the NCVS as a whole includes information on each respondendemographic background  sex, race, level of education, income, and other items.    22  4.2 Measures The current study takes a slightly different approach in the measures used from past studies of identity theft that used routine activities theory.  Reyns (2011) focused heavily on the effects of online routine activities with measures including whether or not respondents used the internet for banking and shopping, but also for chatting, working, and social networking, among other things.  Pratt et al. (2010) used hours spent online and whether or not a respondent purchased something online as measures of online routine activities.  While previous studies in the area have included measures of home occupancy during the day as a proxy for capable guardianship against offline identity theft, this study aims to measure offline guardianship by incorporating the measure of physical document shredding (Reyns, 2013).  Measures of the core elements of routine activities theory are outlined below. Both online and offline measures are included and will be assessed in the final analysis. 4.3 Suitable Targets Target suitability will include measures of the visibility and desirability (value) of a potential target.  First, an item regarding online purchases will be used to measure online visibility .  This is consistent with previous studies interested in identity theft and fraud victimization  and has been found to be significantly related to victimization (Pratt et al., 2010; Reyns, 2013; Van Wilsem, 2013a).   Second, an item concerning already existing bank accounts will be included as a representation of target desirability/value.  Those that do not have accounts are not assumed to be highly valued targets financial institution).  Besides visibility and desirability, target suitability will also include 23  demographic variables.  These measures will include sex, race, marital status, income, and employment status, which have been used in previous studies of identity theft victimization (Pratt et al., 2010; Reyns, 2013).   The NCVS: ITS did not include items necessary to measure the other aspects of the VIVA construct, inertia and accessibility.  The inertia of any offline or online form of identity theft is largely negligible, but accessibility may hold value in the explanation of identity theft victimization.  Given that access to information is an essential part of identity theft, future studies may do well to operationalize the concept when possible. 4.4 Capable Guardianship Capable guardianship is more difficult to measure in the context of identity theft.  The internet seems to be an inherently unguarded network, and offline identity theft typically occurs due to anothe(Copes & Vieraitis, 2009; Reyns, 2013; Wall, 2008; Yar, 2005).  original measures of capable guardianship which focused more upon people being away from their homes.  That being said, the NCVS: ITS includes a number of items measuring the types of protection respondents have sought out to avoid identity theft.  This study will use three of these items to represent the concept of physical guardianship in the manner it has been conceptualized in other studies of online victimization ftware program on your theft protection from a company tha.  Other studies have used similar items as physical guardianship measures given the similarities of security software use 24  and more traditional types of physical guardianship (Holt & Bossler, 2009; Holt & Turner, 2012; Ngo & Paternoster, 2011; Reyns et al., 2011; Van Wilsem, 2013b). Checking credit reports, changing passwords, checking statements, and shredding documents will be included as measures of personal guardianship bank).  These survey items follow the lead of other studies that have used items concerning the extent to which a potential victim can protect themselves from victimization (Holt & Bossler, 2009; Holt & Turner, 2012; Ngo & Paternoster, 2011; Reyns et al., 2011; Van Wilsem, 2013b).  4.5 Motivated Offenders  In most research using routine activities theory as a framework, motivated offenders are more or less take as a given (Bossler & Holt, 2009; Cohen & Felson, 1979; Pratt et al., 2010; Reyns et al., 2011; Reyns, 2011).  Traditionally measuring target suitability and lack of capable guardianship take precedence over attempting to measure motivated offenders in testing routine activities theory.   4.6 Current Model The current model is illustrated in Figure 1 of the appendix and includes the core concepts of routine activities theory discussed above, namely suitable targets and capable guardianship.  This model will test the following hypotheses:  (1) Target suitability is related to the prevalence of identity theft victimization. 25  (2) Lack of capable guardianship is related to the prevalence of identity theft victimization. Target suitability is measured using two elements: existing bank accounts and online purchases. The former is a representation of both on and offline target visibility while the latter is a representation of only online visibility.  Guardianship measures will be split into two groups: personal guardianship and physical guardianship.  Personal guardianship measures include whether respondents check credit reports, shred documents, or check financial statements.  Physical guardianship is captured by asking respondents whether they had purchased identity theft protection, security software, or credit monitoring services. 4.7 Analytic Strategy  Bivariate and multivariate analyses are used to assess if the measures of target suitability and capable guardianship affect identity theft victimization. For the bivariate models, contingency tables are produced with phi-coefficients given the binary nature of most variables. Phi-coefficients are similar to Pearson correlation coefficients in how they are interpreted, with values falling between -1, perfect negative correlation, and +1, perfect positive correlation. For the multivariate models, binary logistic regression is used due to the dichotomous nature of the dependent variable.  A description of all the variables used across the models are shown in Table 1 and will be discussed in the next chapter.  The impact of identity theft is large, but the fact remains that it is a relatively rare occurrence. It should be noted, however, that of the total number of respondents in the NCVS Just 2.7% of respondents in the 2014 NCVS: ITS reported identity theft victimization. This represents 2,291 cases.  Victimization included incidents in which information was used without their permission for a variety of reasons including to get cash or 26  buy items.  The NCVS recorded up to 6 reports of victimization within the past 12 months from each member of households within the NCVS panel.  Due to this rarity of identity theft victimization, a sub sample of the NCVS: ITS respondents was. This subsample includes all respondents who reported victimization (N=2291) and a randomly selected subset of cases who reported no victimization (N=2509) for a total of 4800 cases.  The highly skewed nature of the dependent variable (3% victimizations) presents potential problems in statistical modeling, particularly using Logistic Regression in multivariate analysis.  This is discussed more in Chapter 4.  Statisticians have dealt with this in a number of ways including using corrections in modeling (P. D. Allison, 2012; Vittinghoff & McCulloch, 2007), particularly when the events (victimizations) are not highly disproportional to the non-events, but primarily when there are very few cases (n<10) in the events of interest.  Statisticians argue that a highly skewed distribution that still has a large number of cases among the events of interest (n>10,000) is viable and multivariate logistic regression may still be used (P. D. Allison, 2012).  However, also recommended is simply a random sampling of non-events, for more effective modeling (P. D. Allison, 2012).  In line with this recommendation, a random subsample of non-events (about 5% of the total number of non-events) was done.  These cases were then combined with all respondents who reported victimization (N=2291) for a total subsample of 4800.       27  Chapter 5 Results An outline of all the variables used in this study can be found in Table 1, both for the entire NCVS: ITS respondents and the subsample.  For identity theft victimization, the NCVS- collected up to six incidents per respondent that happened within a 12-month period from the time they were interviewed last.  As discussed above, victimization was defined as any thout permission for financial gain or other reasons (ITS).  In this study, identity theft victimization was dichotomized given the low frequency of victimizations.  As shown in Table 1, victimization for the entire NCVS-ITS sample is about 3% (n=2291), While the sample is relatively evenly split in terms of sex (48% male, 52% female) and marital status (46% not married, 54% married).  It is largely white (82% white, 18% non-white SD = .39), employed (43%, SD = .50), and has a household income of under $75,000 (34%, SD = .48).  Education was recoded into 9 categories (0 = no education, 1 = elementary, 2 = some high school, 3 = high school, 4 = some college, 5 = Associate degree, 6 = Professional school degree, 7 = Bachelor degree, 8 = Master degree, 9 = Doctorate).  In the full sample, the average education level was some college (M = 4.33, SD = 2.08). The sociodemographics of the subsample largely mirror the sample.  The average age for the sample is 44 (SD = 17.94) and the average level of education is some college (M = 4.33, SD = 2.03).  About 48% of respondents in the subsample reported they had experienced identity theft victimization (SD = .50).  Again, respondents were generally evenly split in terms of gender (48% male, 52% female) and marital status (47% not married, 53% married).  The racial makeup of the subsample mirrored that of the sample as well (81% white, 19% non-white). Employment status differed a bit in the subsample, with 59% of the subsample being employed (SD = .49). 28  Finally, household income closely matched the overall sample, >$70,000 USD (30%) and <$70,000 USD (70%) (SD = .46).  The average educational attainment was some college (M = 4.33, SD = 2.03).                     29    Table 1: Scales and Descriptive Statistics.      Subsample Sample Variable Scale Range M (SD) M(SD) Dependent Variable     Victim of Identity Theft (0 = No, 1 = Yes) 0-1 .48 (.50) .03 (.17)      Target Visibility     Bank Account Existing (0 = No, 1 = Yes) 0-1 .86 (.35) .87 (.33) Made Online Purchase (0 = No, 1 = Yes) 0-1 .43 (.50) .37 (.48) Physical Guardianship     Credit Monitoring Service (0 = No, 1 = Yes) 0-1 .05 (.21) .04 (.20) Security Software (0 = No, 1 = Yes) 0-1 .14 (.34) .13 (.34) Identity Theft Protection (0 = No, 1 = Yes) 0-1 .03 (.18) .03 (.17) Personal Guardianship     Check Credit Report (0 = No, 1 = Yes) 0-1 .40 (.49) .38 (.49) Change Passwords  (0 = No, 1 = Yes) 0-1 .33 (.47) .30 (.46) Check Statements (0 = No, 1 = Yes) 0-1 .75 (.43) .77 (.42) Shred Documents (0 = No, 1 = Yes) 0-1 .69 (.46) .70 (.46) Sociodemographics     Sex: Female (0 = Male, 1 = Female) 0-1 .52 (.50) .52 (.50) Race: Non-white (0 = White, 1 = Non-white) 0-1 .19 (.39) .18 (.39) Married: Non-married (0 = Married, 1 = Non-married) 0-1 .47 (.50) .54 (.50) Employed: Unemployed (0 = Employed, 1 = unemployed) 0-1 .41 (.49) .43 (.50) Income:  > $75,000 (0 = < $75000, 1 = >$75000) 0-1 .30 (.46) .34 (.48) Age Continuous  44.95 (17.94) 47.43 (18.68) Education (0 = No education - 9 = PhD) 0-9  4.33 (2.03) 4.33 (2.08)  (4 = some college)         30  5.1 Bivariate Results To assess the initial effects of each of the independent measures on identity theft victimization, several bivariate tests were done.  Results are outlined in Table 2.  The bivariate analyses reveal that a number of the routine activities measures were significantly related to identity theft victimization.  Table 2 shows that both exposure measures (existence of a bank account and using the internet to purchase items) are statistically significantly related to identity theft victimization (p < .001).  However, having a bank account actually had a negative effect on identity theft victimization while purchasing items online had a positive effect.  The latter is in the hypothesized direction (more online exposure, more victimization), but the former, surprisingly, has the opposite effect.  It is possible that those with bank accounts are protected by their bank's security services.  It may also be the case that those with bank accounts might differ from those without bank accounts in security practices, that is people with bank accounts are more likely to be cautious in financial matters. The phi-binary measures) show that internet purchase has a stronger effect on identity theft victimization (.13 compared to -.05).  When guardianship measures are assessed, statistically significant but relationships are found between victimization and two measures of guardianship: checking credit reports and changing passwords (p < .01).  The effects were unexpectedly in a positive direction, with positive Phi statistics indicating that both checking credit reports and changing passwords increase identity theft victimization . Bivariate analysis of shredding documents and checking statements did not yield any statistically significant results (see Table 2). 31   Physical guardianship measures were not found to have significant relationships with identity theft victimization in bivariate analyses.  Purchasing credit monitoring services, security software or identity theft protection did not appear to have any effect on identity theft victimization (see Table 2).  With regards demographic measures, race, marital status, employment status, and education show statistically significant relationships with identity theft victimization.  Nonwhite respondents were more likely to be victimized than white respondents.  This relationship was significant at the .05 level.  Marital status and employment status were each statistically significant with married and employed individuals less victimized than non-married and unemployed individuals (p < .001).  Sex did not have a statistically significant effect on identity theft victimization, which means there are no differences in victimizations between men and women. Bivariate logistic regression was used to explore the relationships of both education and age with identity theft victimization given their ordinal and continuous nature, respectively (see Table 2).  Education was not found to have a significant effect on identity theft.  Age was found to be significant, with each additional year of age corresponding to just over a 1% decrease in odds of being victimized (ExpB=0.987, p < .001).        32  Table 2: Bivariate Analysis   Victim of Identity Theft  Chi - Square Phi Exposure     Bank Account 11.712 *** -.054 *** Internet Purchase 84.593 *** .133 ***      Personal Guardianship     Check Credit Report 7.243 ** .043 ** Change Password 6.953 ** .042 ** Shred Documents .528  -.012  Checked Statements 1.892  -.022       Physical Guardianship     Credit Monitoring .468  .011  Security Software 1.848  .022  ID Theft Protection .096  -.005       Sociodemographics     Sex: Female 2.705  .024  Race: Non-white 4.021 * .029 * Income: >$75,000 27.642 *** -.089 ** Marital Status: Non-married 71.615 *** -.123 *** Employment Status: Unemployed 17.421 *** -.063 *** Education - - - - Age[1] - - - -  [1]Age logistic regression: Exp(B)=0.987*** A correlation matrix was not run due to the dichotomous nature of the dependent variable.  5.2Multivariate Results Following the bivariate analyses, logistic regression models were run to test the effects of all independent variables when others are controlled (held constant) (see Table 3). The model included four steps: the first step includes only the variables that represented visibility/value, then measures representing personal guardianship were added in the second step (Model 2), then 33  measures representing physical guardianship were added in step three (Model 3), and finally step four (Model 4) add all the socio-demographic measures.   Table 3 shows that both measures of exposure are statistically significant across the four models.  The direction of the effects are consistent with the bivariate models shown in Table 2.  In model 4, the final model with all the variables already included,  respondents who reported online purchases in the past year had about 25% higher odds of experiencing identity theft than those who did not purchase goods online, everything else being held constant (ExpB=1.25).  Having a bank account had the opposite effect.  Those who had a bank account had about a 33% reduction in their odds of identity theft victimization compared to those who had no bank accounts, when the other variables are controlled (ExpB=.674).  Previous steps in the model showed stronger effects for these variables which were then diminished after the inclusion of demographic variables.  This was especially true for the measure of online purchases.  This suggests that online purchases are perhaps mediated by at least one of the demographic variables.   In terms of personal guardianship as it relates to identity theft victimization, only one of the three measures representing this category was statistically significant: changing passwords (p < .001).  Consistent with the bivariate model, the relationship observed in Table 3 is opposite of what one would expect to see.  In the final model when all variables were controlled, changing passwords increased the odds of identity theft victimization by about 27% (ExpB: 1.268).  One can see across the models that this effect was strengthened significantly in the final model when all the demographic variables were controlled.    While this seemingly counterintuitive result is unexpected, it does echo the results of other studies which suggest that either a false sense of security or a recognition of one's own risky behavior is to blame for this effect (see for example: Reyns et al., 2011; Reyns, 2013; van Wilselm, 2013; Ngo & Paternoster, 2011).  Checking credit 34  card statements and shredding documents did not have any statistically significant effect on identity theft victimization.   In regard to physical guardianship, each of the measures representing this concept were found to be unrelated to identity theft victimization.  Purchasing credit monitoring services, identity theft protection, or purchasing security software does not appear to be protective against identity theft.   Finally, of the demographic variables age, income and marital status are significantly related to identity theft victimization (p < 0.001).  For age, the odds of identity theft victimization decreases per unit increase in age by about 2% (ExpB: .98); meaning older individuals have lesser odds of victimizationwhich is congruent with the hypothesized direction.  In terms of household income (binary measure),  households with an income of over $75,000 experiencing about a 27% reduction in odds of victimization compared to those with a household income of less than $75,000 (ExpB=.725).  This result is in direct opposition to the findings of Reyns (2013), who found that individuals with higher incomes were more likely to be victimized, holding other factors constant.  Finally, those who are married had about 22% lower odds than unmarried respondents (ExpB=.781) to experience identity theft. 35  Table 3: Binary Logistic Regression Model of Identity Theft Victimization Model  Model 1 Model 2 Model 3 Model 4  B S.E. Exp(B) B S.E. Exp(B) B S.E. Exp(B) B S.E. Exp(B) Exposure                Bank Account -.529 ** .115 .589 -.569 *** .119 .566 -.569 *** .119 .566 -.395 ** .125 .674 Online Purchases .332 ** .078 1.393 .260 ** .083 1.297 .253 ** .084 1.288 .226 * .091 1.253                 Personal Guardianship                Check Credit Report - - - .141  .081 1.152 .144  .082 1.154 .152  .084 1.164 Change Password - - - .201 * .088 1.223 .200 * .089 1.221 .238 ** .092 1.268 Shred Documents - - - -.114  .086 .892 -.118  .087 .174 -.018  .089 .982                 Physical Guardianship                Purchase Credit Monitoring - - - -  - - -.073  .196 .709 -.066  .199 .936 Purchase Security Software - - - -  - - .089  .113 .432 .144  .115 1.155 Purchase ID Theft Protection - - - -  - - -.073  .230 .751 -.019  .233 .981                  Sociodemographics                Sex: Female - - - -  - - -  - - .073  .077 1.076 Race: Non-white - - - -  - - -  - - .127  .100 1.135 Age - - - -  - - -  - - -.010 *** .002 0.990 Income: > $75,000 - - - -  - - -  - - -.322 *** .093 .725 Married: Non-married - - - -  - - -  - - -.247 ** .081 .781 Employed: Unemployed - - - -  - - -  - - -.120  .086 .887 Education - - - -  - - -  - - -.019  .022 .981 2 = 30.736***; Model 2: X2 = 11.003*; Model 3: X2 = 0.860; Model 4: X2 = 71.453*** 36  Chapter 6 Discussion Given its position as a crime that can be perpetrated both online and offline, identity theft can be difficult to study.  In this thesis, the general goal was to test the applicability of routine activities theory in explaining identity theft victimization.  The main elements of routine activities that were tested included measures of target suitability and guardianship.  These included online and offline activities that either puts a person at risk of, or protects them from identity theft victimization. These activities included exposure (via online activities and offline banking), physical guardianship (such as shredding documents), and personal guardianship (such as buying online identity theft protection).   The hypotheses were that increased exposure in the form of transmitting personal information online or simply having a bank account should increase identity theft victimization while increased personal or physical guardianship in the form of shredding documents or buying identity theft protection should decrease identity theft victimization.  The results from this study are mixed: few of the measures of routine activities theory are related to identity theft victimization and of the few that do show statistically significant effects, do so in the opposite direction than what routine activities theory would suggest.    The results showed that seemingly responsible actions such as checking credit reports and shredding documents showed no effects on the odds of being victimized, while changing passwords actually increased the odds of being victimized.  The latter is obviously counterintuitive and goes against the assumptions of guardianship that were outlined earlier in the literature review.  Some explanations for this counterintuitive result will be offered here,  however, it should be noted that there are currently very few studies on identity theft 37  victimization and a framework or theory that can adequately explain correlates and dimensions of identity theft victimization still needs to be explored, developed and tested.  Using findings from previous research it is possible to infer that those who change passwords are truly at higher risk for victimization and have reason to believe that they need to take extra precautions given this knowledge (Ngo & Paternoster, 2011; Reyns, 2013).  This current analysis did control for whether or not individuals performed each physical and personal guardianship activity due to past victimization (these cases were selected out of the analysis to avoid model misspecification), yet it is still possible that individuals who do take the time to guard themselves are part of a subgroup who are more likely to be victimized.  Perhaps there were people in their family who experienced an incident of identity theft recently, or that they judge their actions online as risky.  study did find that respondents who judged themselves to be more at risk for identity theft were truly victimized more often than those who did not judge themselves to be at risk.  Likewise, while not specifically about identity theft, Ngo and Paternoster (2011) also found that added layers of protection in the form of using antivirus, spyware, and firewalls increased the odds of both getting a computer virus and being harassed online.    A possible explanation for seemingly protective factors increasing the odds of  made users more careless in their activities (Ngo & Paternoster, 2011).  The feeling of security afforded to respondents who believe they are safe due to frequent password changes might cause them to act more recklessly and therefore be victimized more often.  It is also possible that there is social desirability bias attached to each of these measures.  Admitting one does not practice good personal information security may be difficult, especially after disclosing an incident of identity theft. 38   The finding regarding exposure, that is, more online activities increases the odds of victimization is consistent with past research  Reyns (2013) found that banking, shopping, downloading media, and emailing significantly increased the odds of identity theft victimization.  Similarly, Pratt et al. (2010) found that online shopping increased the odds of online fraud victimization.  However, the negative effect (less victimization) of having bank accounts, another measure of exposure, is counterintuitive.  While it may seem that the existence of a bank account would expose an individual to identity theft, the opposite appears to be true from the results in this study.  An explanation may be that without a bank account, making financial transactions such as cashing checks becomes more risky.  People who have bank accounts often opt for direct deposits, negating the need to make a trip to a physical location to translate the check into a usable form of currency.  Those without bank accounts do not have this ability and instead must take paper checks to a business that will cash checks.  Holding, carrying, and cashing checks may account for the increase in the odds of victimization for those without bank accounts. This characteristic is perhaps also likely co-mingled with economic status and possibly also a host of other characteristics that may be related to social disadvantage.  As mentioned earlier, this underscores the need to more adequately study dimensions of identity theft victimization, perhaps including not only individual-level measures but also group and neighborhood characteristics particularly economic disadvantage, and how these relate to identity theft.   The finding that a number of demographic variables such as age and marital status were significantly related to victimization suggests that perhaps offline routine activities are just as important, if not more important in explaining identity theft victimization than online activities.  The NCVS does not include fine grained lifestyle details, but it is not difficult to imagine that 39  younger and unmarried individuals (both groups that have lower odds of identity theft victimization) lead different offline lifestyles.  It is possible that younger, unmarried people spend more time outside the home at places which might expose them to more risk of identity theft.  The fact that these demographic variables remained significant even with the online activities held constant may indicate that while the internet may be a factor in identity theft, the crime is still a largely offline crime.    The combination of factors found in this study to be related to identity theft victimization may reveal an interesting insight into lifestyles which might increase the odds of victimization.  The finding that unmarried, younger, and lower income individuals experienced higher odds of identity theft victimization suggests that perhaps there is something different about these individuals.  For instance, individuals in these situations may live in apartment buildings with roommates.  An apartment building with many tenants may prove to be a fertile ground for would be offenders to gain access to privileged information through mail or discarded items.  Similarly, young, unmarried, and lower income individuals may live in housing conditions where outsiders, relatives or roommates can gain access to personal documents easily through shared mailboxes and common areas. The findings of this study offer a degree of insight into the factors that may predispose individuals into identity theft victimization.  It was found that both online and offline activities and characteristics do impact identity theft victimization.  Activities such as purchasing items online increased the risk of identity theft victimization, but so also did offline characteristics like marital status, income, and age.  These findings seem to weakly support routine activities theory, particularly given the non-significance of some of the main elements of routine activities such as guardianship, and also the counterintuitive findings outlined above.  Routine activities theory 40  was able to account for the increased victimization of those who purchased items online but a number of counterintuitive findings warrant further explanation.  The finding that individuals with bank accounts had lower odds of being victimized raises questions regarding the lifestyles of these individuals.  Similarly, the fact that a number of sociodemographic factors had a significant impact on the odds of identity theft victimization highlights the potential existence of additional lifestyle factors which were not included in this study.  Future studies of identity theft using routine activities theory should include more measures of offline routines along with economic and social disadvantage, which appear to be very important in explaining victimization.           41          APPENDIX         42  Figure 1: Concept Diagram43           REFERENCES        44  REFERENCES 2015 Cost of Data Breach Study: United States. (2015). Retrieved from http://public.dhe.ibm.com/common/ssi/ecm/se/en/sew03055usen/SEW03055USEN.PDF\nhttp://www-03.ibm.com/security/data-breach/ Allison, P. D. (2012). Logistic Regression Using SAS: Theory and Application, Second Edition (Vol. 2nd). Cary, N.C: SAS Institute.  Allison, S. F. H., Schuck, A. M., & Lersch, K. M. (2005). Exploring the crime of identity theft: Prevalence, clearance rates, and victim/offender characteristics. Journal of Criminal Justice, 33(1), 1929. doi:10.1016/j.jcrimjus.2004.10.007 Benson, M. L. (2009). Offenders or opportunities: Approaches to controlling identity theft. Criminology & Public Policy, 8(2), 231236. doi:10.1111/j.1745-9133.2009.00565.x Bowles, M. (2012). The business of hacking and birth of an industry. Bell Labs Technical Journal. Hoboken: IEEE. doi:10.1002/bltj.21555 Bureau of Justice Statistics (BJS) - National Crime Victimization Survey (NCVS). (n.d.). Retrieved from http://www.bjs.gov/index.cfm?ty=dcdetail&iid=245 Choi, K. (2008). Computer Crime Victimization and Integrated Theory: An Empirical Assessment. International Journal of Cyber Criminology U6 - ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info:sid/summon.serialssolutions.com&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Computer+Crime+Victimization+and+Integra. Thirunelveli: International Journal of Cyber Criminology.  Cisco Global Cloud Index: Forecast and Methodology, 20132018. (2014). Cisco Press, 20142019. Retrieved from http://www.cisco.com/c/en/us/solutions/collateral/service-provider/global-cloud-index-gci/Cloud_Index_White_Paper.pdf Clodfelter, T. A., Turner, M. G., Hartman, J. L., & Kuhns, J. B. (2010). Sexual Harassment Victimization During Emerging Adulthood: A Test of Routine Activities Theory and a General Theory of Crime. Crime & Delinquency. Sage CA: Los Angeles, CA: SAGE Publications. doi:10.1177/0011128708324665 Cohen, L. E., & Felson, M. (1979). Social Change and Crime Rate Trends: A Routine Activities Approach. American Sociological Review, 44(4), 588. Consumer Sentinel Network Data Book for January - December 2014. (2015). Copes, H., Kerley, K. R., Huff, R., & Kane, J. (2010). Differentiating identity theft: An exploratory study of victims using a national victimization survey. Journal of Criminal Justice, 38(5), 10451052. doi:10.1016/j.jcrimjus.2010.07.007 Copes, H., & Vieraitis, L. M. (2009a). Understanding Identity. Criminal Justice Review, 34(3), 329349. Retrieved from 45  http://www.us.oup.com/us/catalog/general/subject/Psychology/Social/?view=usa&ci=9780340808504 Their Lives and Crimes. Criminal Justice Review. Sage CA: Los Angeles, CA: SAGE Publications. doi:10.1177/0734016808330589 Their Lives and Crimes. Criminal Justice Review, 34(3), 329349. Retrieved from http://www.us.oup.com/us/catalog/general/subject/Psychology/Social/?view=usa&ci=9780340808504 DeNale, R., Liu, X., & Weidenhamer, D. (2015). Quarterly Retail E-Commerce Sales: 3rd Quarter 2015. Retail Trade. Washington, D.C. Retrieved from https://www.census.gov/retail/mrts/www/data/pdf/ec_current.pdf Department of Justice. (2015). Identity Theft. Retrieved from http://www.justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud Eck, J. E., & Clarke, R. V. (2003). Classifying Common Police Problems: A Routine Activity Theory Approach. In Theory and Practice in Situational Crime Prevention. Crime Prevention Studies, vol. 16 (pp. 739). File, T., & Ryan, C. (2014). Computer and Internet Use in the United States: 2013. Washington, DC. Retrieved from http://www.census.gov/content/dam/Census/library/publications/2014/acs/acs-28.pdf Fletcher, N. (2007). Challenges for regulating financial fraud in cyberspace. Journal of Financial Crime. London: Emerald Group Publishing Limited. doi:10.1108/13590790710742672 Fox, S. (2013). 51 % of U . S . Adults Bank Online. Washington, DC. Franklin, C. A., Franklin, T. W., Nobles, M. R., & Kercher, G. A. (2012). Assessing the Effect of Routine Activity Theory and Self-Control on Property, Personal, and Sexual Assault Victimization. Criminal Justice and Behavior. Sage CA: Los Angeles, CA: SAGE Publications. doi:10.1177/0093854812453673 Harrell, E. (2015). Victims of Identity Theft, 2014. Washington DC. Harrell, E., & Langton, L. (2013). Victims of Identity Theft, 2012. U.S. Department of Justice, (December), 27. Retrieved from http://www.bjs.gov/content/pub/pdf/vit12.pdf  Hughes, T., Ricketts, M. L., & Wolfe, S. E. (2008). Identity theft complaints: exploring the statelevel correlates. Journal of Financial Crime, 15(3), 295307. doi:10.1108/13590790810882883 Holt, T., & Bossler, A. (2009). Examining the Applicability of Lifestyle-Routine Activities Theory for Cybercrime Victimization. Deviant Behavior. Taylor & Francis Group. doi:10.1080/01639620701876577 46  Holt, T. J., & Turner, M. G. (2012). Examining Risks and Protective Factors of On-Line Identity Theft. Deviant Behavior. Abingdon: Taylor & Francis Group. doi:10.1080/01639625.2011.584050 Holtfreter, K., Reisig, M. D., & Pratt, T. C. (2008). Low Self-Control, Routine Activities, and Fraud Victimization. Criminology. Oxford, UK: Blackwell Publishing Ltd. doi:10.1111/j.1745-9125.2008.00101.x Howard, J. D. (1997). An analysis of security incidents on the Internet 1989-1995. ProQuest Dissertations Publishing.  Janus, A., & Davis, J. (2005). . Washington, DC. Retrieved from https://www.census.gov/prod/2005pubs/p23-208.pdf Airport: An Examination of the Routine Activities Approach. Journal of Applied Security Research, 5(1), 42. doi:10.1080/19361610903407814 Kao, D.-Y., & Wang, S.-J. (2009). The IP address and time in cyber-crime investigation. Policing: An International Journal of Police Strategies & Management, 32(2), 194208. doi:10.1108/13639510910958136 Lane, G. W., & Sui, D. Z. (2010). Geographies of identity theft in the U.S.: Understanding spatial and demographic patterns, 2002-2006. GeoJournal, 75(1), 4355. doi:10.1007/s10708-010-9342-1 Leader of Hacking Ring Sentenced for Massive Identity Thefts From Payment Processor and U.S. Retail Networks . (2010). Biotech Business Week . Leavitt, N. (2005). Instant messaging: a new target for hackers. Computer. New York: IEEE Computer Society. doi:10.1109/MC.2005.234 Lee, M., & Alshalan, A. (2005). GEOGRAPHIC VARIATION IN PROPERTY CRIME RATES: A TEST OF OPPORTUNITY THEORY. Journal of Crime and Justice. Abingdon: Taylor & Francis Group. doi:10.1080/0735648X.2005.9721640 Massey, J. L., Krohn, M. D., & Bonati, L. M. (1989). Property Crime and the Routine Activities of Individuals. Journal of Research in Crime and Delinquency, 26(4), 378400. doi:10.1177/0022427889026004004 Moriarty, L. J., & Williams, J. E. (1996). Examining the relationship between routine activities theory and social disorganization: An analysis of property crime victimization. American Journal of Criminal Justice. Louisville: Springer Science & Business Media. doi:10.1007/BF02887429 Mustaine, E. E., & Tewksbury, R. (1998). Predicting risks of larceny theft victimization: A routine activity analysis using refined lifestyle measures. Criminology, 36(4), 829858. doi:10.1111/j.1745-9125.1998.tb01267.x Newman, G. R. (2004). Identity theft. Washington, D.C: U.S. Dept. of Justice, Office of 47  Community Oriented Policing Services.  Ngo, F. T., & Paternoster, R. (2011). Cybercrime Victimization: An examination of Individual and Situational level factors. International Journal of Cyber Criminology U6 - ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info:sid/summon.serialssolutions.com&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Cybercrime+Victimization%3A+An+examinati. Thirunelveli: International Journal of Cyber Criminology.  Pettey, C., & van der Meulen, R. (2011). Gartner Reveals Top Predictions for IT Organizations and Users for 2012 and Beyond. Retrieved November 23, 2015, from http://www.gartner.com/newsroom/id/1862714 Pratt, T. C., Holtfreter, K., & Reisig, M. D. (2010). Routine Online Activity and Internet Fraud Targeting: Extending the Generality of Routine Activity Theory. Journal of Research in Crime and Delinquency. Sage CA: Los Angeles, CA: SAGE Publications. doi:10.1177/0022427810365903 Reyns, B. W. (2013). Online Routines and Identity Theft Victimization: Further Expanding Routine Activity Theory beyond Direct-Contact Offenses. Journal of Research in Crime and Delinquency. Sage CA: Los Angeles, CA: SAGE Publications. doi:10.1177/0022427811425539 Reyns, B. W. (2015). A routine activity perspective on online victimisation. Journal of Financial Crime. doi:10.1108/JFC-06-2014-0030 Reyns, B. W., Henson, B., & Fisher, B. S. (2011). Being Pursued Online: Applying CyberlifestyleRoutine Activities Theory to Cyberstalking Victimization. Criminal Justice and Behavior. Sage CA: Los Angeles, CA: SAGE Publications.  Ricketts, M., Higgins, G., & Marcum, C. (2010). Potential Factors of Online Victimization of Youth: An Examination of Adolescent Online Behaviors Utilizing Routine Activity Theory. Deviant Behavior. Abingdon: Taylor & Francis Group. doi:10.1080/01639620903004903 Slosarik, K. (2002). Identity theft: An overview of the problem. The Justice Professional, 15(4), 329343. Consumer Fraud Victimization. European Sociological Review. OXFORD: OXFORD UNIV PRESS. doi:10.1093/esr/jcr053 Van Wilsem, J. (2013b). Hacking and HarassmentDo They Have Something in Common? Comparing Risk Factors for Online Victimization. Journal of Contemporary Criminal Justice. Sage CA: Los Angeles, CA: SAGE Publications. doi:10.1177/1043986213507402 Vietnamese National Sentenced to 13 Years in Prison for Operating a Massive International Hacking and Identity Theft Scheme: 1. (2015). Department of Justice (DOJ). Lanham: Federal Information & News Dispatch, Inc. Vittinghoff, E., & McCulloch, C. E. (2007). Relaxing the Rule of Ten Events per Variable in 48  Logistic and Cox Regression. American Journal of Epidemiology. United States: Oxford University Press. doi:10.1093/aje/kwk052 Wall, D. S. (2008). Cybercrime, media and insecurity: The shaping of public perceptions of cybercrime. International Review of Law, Computers & Technology, 22(1-2), 4563. doi:10.1080/13600860801924907 Theory. European Journal of Criminology, 2(4), 407427. doi:10.1177/147737080556056