Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Measuring the cost of cybercrime

Measuring the cost of cybercrime

Last week at Virus Bulletin in 2012, Tyler Moore of Southern Methodist University (SMU) gave a talk entitled "Measuring the cost of cyber crime.” It was a study done in collaboration with multiple individuals in multiple countries.

The study sought to answer this question – How much does cyber crime cost? Up until this point, nobody really knew. The answers given were way out of line with a reasonable estimate. For example:

• According to a UK study, it cost the UK £27 billion annually which is 2% of British GDP. That is huge!
• According to testimony given by someone from AT&T (the CEO?) to Congress, it is \$1 trillion, or 1.6% of the world’s GDP. Also huge!

How accurate is this?

The costs of cybercrime don’t consider the profits by the spammers (and others involved in the underground economy) vs. the losses incurred by legitimate businesses trying to fight it.

Furthermore, there are some types of cybercrime that are extremely difficult to measure. IP theft and corporate espionage are the biggest types by far but they can’t be measured with any degree of confidence. All you can do is assign targets and guess, and then multiply through. For example, if Microsoft lost a secret design that “cost” them \$50 million, and Microsoft represents 1% of the US’s GDP (which it doesn’t), then that means that theft, on average, is 50 million x 100 = \$5 billion!

Obviously, this is inaccurate because (1) Microsoft’s losses are not representative to the economy as a whole, and (2) the secret design cost of \$50 million is a guess. 2/3 of all losses are guesses.

Because of all of these widely varying estimates, we are now seeing pushback against these big numbers. Accuracy matters because of legislation that is currently being lobbied for at the upper echelons of government power. If people want more laws, it had better be based on accurate data.

So how do we get better?

SMU’s study tried to define a framework for measuring cybercrime’s cost. First, there is often conflation of costs among categories. SMU broke it down into multiple sub-types (these numbers are for the UK whose government commissioned them to come up with a better model):

1. Criminal revenue – what the spammers make.

2. Direct losses – how much a business loses because of it.

3. Indirect losses – loss of confidence by consumers (e.g., users no longer use online banking).

4. Defense costs – e.g., installing antivirus.

Most data available does not decompose by type. To simplify things, SMU only considered losses over \$10 million, and only used reliable data.

So what are the costs?

1. Credit card fraud – in the UK (for the past year?), credit card fraud costs £563 million. Online fraud was £210 million, offline fraud was £353.

Credit card fraud is part of transitional fraud – it is fraud that has always existed but is moving online. Another example would be tax fraud. Just because you cheat on your online taxes, it doesn’t make it cybercrime.

2. Cost to merchants  - Online merchants figure that customers forgo 10% of transactions because of distrust in the system. This leads to £1.6 billion in lost sales.

3. Defense costs - £2.5 billion annually. The costs of software like antivirus and other protection was £1.2 billion, which is much, much greater than the revenue that criminals bring in. Thus, the defense costs are very asymmetrically skewed onto the defending company or user compared to what the spammers actually make.

4. Espionage – The study did not collect any data on cyber theft.

How much does this translate into a cost per citizen?

1. For traditional fraud, it is a few hundred dollars per year.

2. For transitional fraud, it is a few tens of dollars per year.

3. For cyber fraud, it is a few tens of dollars per year, mostly in defense.

Thus, for the industry that we are in, the cost of what people spend to protect against cybercrime is much, much more than what people actually lose from it. It’s like spending \$50,000 to insure your \$10,000 car. The greatest gains per dollar spent would be investment in law enforcement.

That should cause us in the industry to make us think twice about our relative value.

After the presentation, a couple of thoughts came to mind:

• In the Q&A, someone brought up the point that the cyber security industry is not a complete cost to society. It creates jobs; people like you and me are employed because of it, and businesses spend money on software. They pay us to write it, and we spend money in the general economy. So it’s not all bad.

I don’t agree with this point of view. It’s like saying that we should continue to have regular crime in order to keep the police in business. Or we shouldn’t cure cancer in order to keep pharmaceutical companies in business with expensive treatments.

• Even though businesses spend a lot to prevent what looks like small losses, what would the losses look like without any prevention?

I spend a lot of money on dental hygiene – there’s toothbrushes, toothpaste, dental floss, mouthwash and dental visits. How much extra would my dental visits be if I didn’t invest in keeping my teeth clean? The \$50/year I spend on home supplies results in me spending a few hundred a year at the dentist. If I didn’t it would be several thousand per year.

Similarly, we don’t know what it would be like if we didn’t spend money on cybercrime prevention.

All in all, this was a much more reasonable study of the cost of cybercrime. It’s a problem and it is growing as traditional fraud moves online, but it is not the behemoth that headlines make it out to be.