The Difficulties in Researching Cybercrime

Time delay:

One of the greatest problems is the time delay between research and developments. Cybercrime technologies advance at a startling rate and many papers (as well as laws, legal precedent and other judicial items on the subject) quickly become outdated. This is further compounded by later papers referencing papers/cases which are already outdated at the time of issue. Broad examples of this can be seen in anthropological papers on IRC chat rooms, which were very popular 5-10 years ago, but are now rarely used other than in niche communities. Smaller examples include the infamous online black market ‘Silk Road’, which has now been mostly shut down.


Highly technical details:

Cybercrime is, by its very nature, an extremely technical issue. Although it would be wrong to point fingers at specific examples, many Criminology/Social Science papers view cybercrimes as abstract crimes, with little understanding of how such crimes are actually committed or of their background. Whilst this approach may work for easy-to-understand crimes such as burglary or even car theft (in which the mechanics may not be widely understood, but most of the crime is), it does not work for cybercrime, as the technicalities are so integrally linked to the crimes themselves.

For instance, cybercrime activities require wildly different levels of technical skill and this often has a significant cultural impact. The disparaging term ‘script kiddies’ is used for cybercriminals who use premade scripts and tools to launch their attacks – they are seen as a sort of cybercriminal underclass, unworthy of high-level information or opportunities. Without understanding the technical aspects, a researcher may not understand the barrier, or what is required to move from being a ‘script kiddie’ to being an accepted member of the cybercrime community.


Commercial research:

By far the most problematic issue, however, is the use of commercial research papers and studies (by anti-virus/computer security companies) as the foundation and starting point of further research. Many academic papers take these papers and studies (again, without pointing fingers) as unbiased and pass over the often poor methodology and issues of validity. A great deal of the research contained in these commercial papers is speculation, and the methodology, sample sizes and controls are nearly always unpublished or very poor.

This is particularly worrisome as anti-virus and computer security companies are businesses (no matter how well intentioned and ethical) which run on consumer fear. Malware and security leaks are usually invisible to the user and the technical specifics are unknown to most of the intended anti-virus market. Simply put, companies with a motivation to sell a product are not going to publish research which shows a decreased need for their products.

However, this commercial research is unfortunately the main (and sometimes only) research available to academic researchers of cybercrime and, without wanting to sound too cynical, these papers often give the ‘facts’ and figures that researchers want in order to make persuasive arguments. More practically, the research is also difficult for academic or independent researchers to undertake, and requires both strong technical expertise and specialised equipment. This isn’t to say that commercial research should be completely ignored, just that more in-paper analysis should be done on the commercial research itself, acknowledging the potential biases and methodological pitfalls.


Overall, cybercrime is a rapidly expanding area of crime which deserves rigorous research and exploration. The explosion of new technologies like wearable devices (such as Google Glass) and e-wallets will pose new challenges to law enforcement and researchers, and the difficulties in research need to be more thoroughly addressed rather than being brushed under the carpet of technical complexity.

