Alán Alcoverro Jun 10, 2021 16 min read

Cybercrime and the Broken Windows Theory (Part 2)

Imagine a building, it's abandoned, but in good condition and newly built. A couple of teenagers walk past it and one of them can't think of anything other than throwing a rock and breaking a windowpane.

Soon after, another group of young people walk by and also decide to test their aim when they see that there is already a broken window. Within a few minutes, the glass of several windows is broken.

A few days later, some other young people are looking for a place to smoke weed and when they see the broken windows of that building, they think it's abandoned and decide to go in. Finding it to be a good place to hang out, they decide to decorate it with all kinds of graffiti on the facade of the building and to break the lights outside to have more privacy.

The following week, some weed sellers see the kids having a few beers in the building and come over to sell them drugs. As there is enough space in the building, they decide to set up their "store" with which, in a short period of time, it is full of people entering and leaving in search of drugs. Some take advantage of the influx of people to sell some stolen items in the building and thus finance their drug habit, turning it into a place for "dealing" stolen things as well.

A week later, the rival weed-selling gang decides to put an end to the competition and sends hitmen who shoot several of their rival vendors, killing two of them. Several people are also injured.

In just a few days, this building had gone from having a few broken windows to being a place where murders are committed. It had gone from being a well-kept building to a hot spot for crime.

This is precisely what the Broken Windows Theory by the psychologist Philips George Zimbardo from the University of California tells us. The neglect and lack of attention to a minor criminal problem produces an escalation and evolution in crime in such a way that minor crimes generate more crimes and these, in turn, lead to others that increase in intensity until serious crimes take place.

If we apply this theory to the internet and cybercrime, we will realize that it fits in perfectly with what is currently happening on the internet. There are a number of crimes that have been institutionalized on the internet and which little attention is paid to, either because they represent small "losses", because they are difficult to prosecute or because the authorities can only dedicate their time to fighting larger cybercrime.


How many programs, games or movies are downloaded per day on the internet in breach of copyrights?

How many times is a message or image with illegal content forwarded? How many times is the distribution of messages that promote hatred or discrimination allowed? It's clear that most of us don't consider ourselves cybercriminals, we don't steal bank accounts, we don't hack systems or sell personal information.

Just like in the opening story, we are simply the boy who throws a stone and breaks a window. It's not so bad, is it?

We may view phishing and stealing the bank credentials of an innocent user as something that's illegal and shouldn't be done. However, downloading a pirated book or a newly released movie to watch on the weekend seems like something that's not so terrible.

As Daniel Ariely says, we all have our "tolerance" point, that point where we can fool ourselves into think that we are more honest than we really are. I don't steal from the company, I only take pens and papers to use at home.

Others will think that stealing a computer or machine isn't very serious either, and some will say that inflating a couple invoices or sticking their hands in the cash register from time to time also doesn't matter. The level of tolerance that is accepted in a company, in a society or in a space such as the internet is a very important element that can give us an idea of where we are going and what we can expect in the future.

But, in addition, we have the evolutionary aspect of crime. As we discussed in the previous post, criminals are attracted to neglected places that seem abandoned, without anyone watching over them or anyone to protect them. This allows criminal activity to be carried out in more comfortable conditions and with less risk for the criminal.

That's why, as we saw in the initial story, the building's broken windows and graffiti generated an attractive space for drug dealers, who saw that no one cared about this place, so they were safe in it. In turn, that attracted more criminals and increased the dangerousness of the place. This evolution also occurs in cybercrime, small crimes attract others of greater importance and this in turn leads to the criminal evolution of that context.

The company MUSO that investigates internet piracy concluded that, in 2020, there was a 41% increase in illegal downloads compared to the previous year in the US, 43% in the United Kingdom and 45% in Canada, Italy and Spain, producing losses that are impossible to calculate objectively, but that are in the vicinity of billions of dollars annually.

In its latest survey, the European Union Intellectual Property Office (EUIPO) indicated that 10% of young people between 15 and 24 years old confessed to having downloaded illegal material. In another previous survey, 38% of young people did not think it was bad to access illegal content on the internet. What would the young man who threw the first stone into the window have thought? Would he be aware that it was the starting point that led to two murders being committed?

As Wilson and Kelling pointed out in their 1982 article, “Broken Windows and Neighborhood Safety”, social control is as important as formal regulations.


The permissiveness of certain "uncivil" or "deviant" behaviors lead to the collapse of community controls, turning a community into an area that's vulnerable to "criminal invasion".

Or, in other words, if we allow certain behaviors to be committed that we view as insignificant from a criminal point of view, it's very likely that sooner or later these behaviors will become routine, which will lead to the creation of dangerous spaces.


What if someone had fixed the broken windowpanes in the opening story? It didn't seem too important, but the broken windows were left as is. What if at least someone had tried to kick out the young people and had cleaned up the graffiti? Yes, these are behaviors that can't be considered significantly dangerous or relevant so as to be addressed by the police or the community. They can't dedicate all of their resources to that, right?

The problem is that if we don't tackle this low-intensity crime, it is very likely that we will find ourselves in a more dangerous situation as time goes by.

This phenomenon is already known in criminal policy, where they speak of “Zero Tolerance” with a crime. They know that it is necessary to prosecute smaller crimes so that they don't lead to more important crimes.

If we pursue petty theft and minor offenses, we create a sense of security and control that prevents other types of crime from taking place. In addition, it is much more convenient and profitable to allocate resources to this type of crime before having to deal with more serious crimes, just as it would have been cheaper to replace some broken glass than to have to deal with two murdered people and several who were injured.

Zero Tolerance

The expression "Zero Tolerance" isn't an authoritarian and repressive solution, it is based on the prevention and promotion of social conditions of security. It's not about lynching the offender, it's not zero tolerance for the person who commits the crime, but zero tolerance for the crime itself. It's about creating civic, orderly communities that respect the law and the basic codes of human social coexistence, based on honesty and for the benefit of all.

Currently, cybercrime has already undergone major developments in terms of its severity, meaning that the police or administrators of justice can no longer spend time prosecuting each uncivil or fraudulent behavior within their jurisdiction.

It's clear that when we talk about investing resources, the police forces are allocating them to large cyber scams, the trafficking of child pornography via the internet, the theft of relevant business information, or very intense crimes. But criminology teaches us that this isn't enough, that security policies must be applied at the lowest levels of cybercrime, that a Zero Tolerance approach to cybercrime is necessary, applied to any type of cybercrime.

To do so, it's clear that the police alone are not enough. In fact, the Broken Windows Theory puts a lot of responsibility on society, on the community, and its citizens as part of that "natural vigilance" that's required to eradicate crime off the streets and, where applicable, off the internet.

It's not that users are to become vigilantes, simply they should be civic and share responsibility for what goes on in our society. As this theory indicates, keeping the streets well maintained and clean, preventing uncivil behavior and rejecting those who misbehave can be extremely useful tools for keeping crime from installing itself in a certain place.

Similarly, being an internet user with a sense of shared responsibility for internet security doesn't mean being an ethical hacker or a hacktivist of good, it simply consists of doing, participating and collaborating in making the internet a clean, caring and civic place.

As the European Union Intellectual Property Office itself indicates, improving user behavior on the internet is possible. Raising awareness and explaining to young people what intellectual property consists of and how illegal downloads affect authors is something that reduces said illegal downloads.

There is growing awareness among young Europeans about the potential security risks that come with hacking, such as possible data theft or the infection of devices with viruses. They also highlight respect for the law as an important factor. Undoubtedly, teaching people about everything that happens on the internet is still a pending issue. But until when?

Increasingly, the police of various countries are offering users the ability to report crimes they become aware of on the internet. Certain platforms also allow for the blocking or reporting of certain users who behave illegally or of fraudulent websites.

Zero Tolerance must be established on the internet at the cybersecurity level, it is crucial for us to be aware of it and to not allow cybercrime to take place in any of its intensities. We must learn from what criminology tells us and apply our knowledge of it to the virtual world once and for all.


Alán Alcoverro

Alán is a Solutions Architect at Revelock. With over 12 years of professional experience acting as a Solutions Engineer / PreSales in companies such as IBM, SCC, Allot Communications and Riverbed, he owns a transversal and integrated view of the IT world and all the digital challenges this implies for any company size, being Cybersecurity his main focus along the way. He is the main contact person for all technical items related with our Revelock online fraud prevention solution, for both current and future customers, generating at the same time new business opportunities within the EMEA region whilst offering highly efficient solutions for all challenges we face every single day related with cybercrime.