Home / Blogs

Measuring the Cost of Cybercrime

Terry Zink

Last week at Virus Bulletin in 2012, Tyler Moore of Southern Methodist University (SMU) gave a talk entitled "Measuring the cost of cyber crime." It was a study done in collaboration with multiple individuals in multiple countries.

The study sought to answer this question — How much does cyber crime cost? Up until this point, nobody really knew. The answers given were way out of line with a reasonable estimate. For example:

  • According to a UK study, it cost the UK £27 billion annually which is 2% of British GDP. That is huge!
  • According to testimony given by someone from AT&T (the CEO?) to Congress, it is $1 trillion, or 1.6% of the world's GDP. Also huge!

How accurate is this?

The costs of cybercrime don't consider the profits by the spammers (and others involved in the underground economy) vs. the losses incurred by legitimate businesses trying to fight it.

Furthermore, there are some types of cybercrime that are extremely difficult to measure. IP theft and corporate espionage are the biggest types by far but they can't be measured with any degree of confidence. All you can do is assign targets and guess, and then multiply through. For example, if Microsoft lost a secret design that "cost" them $50 million, and Microsoft represents 1% of the US's GDP (which it doesn't), then that means that theft, on average, is 50 million x 100 = $5 billion!

Obviously, this is inaccurate because (1) Microsoft's losses are not representative to the economy as a whole, and (2) the secret design cost of $50 million is a guess. 2/3 of all losses are guesses.

Because of all of these widely varying estimates, we are now seeing pushback against these big numbers. Accuracy matters because of legislation that is currently being lobbied for at the upper echelons of government power. If people want more laws, it had better be based on accurate data.

So how do we get better?

SMU's study tried to define a framework for measuring cybercrime's cost. First, there is often conflation of costs among categories. SMU broke it down into multiple sub-types (these numbers are for the UK whose government commissioned them to come up with a better model):

  1. Criminal revenue – what the spammers make.
  2. Direct losses – how much a business loses because of it.
  3. Indirect losses – loss of confidence by consumers (e.g., users no longer use online banking).
  4. Defense costs – e.g., installing antivirus.

Most data available does not decompose by type. To simplify things, SMU only considered losses over $10 million, and only used reliable data.

So what are the costs?

  1. Credit card fraud – in the UK (for the past year?), credit card fraud costs £563 million. Online fraud was £210 million, offline fraud was £353.Credit card fraud is part of transitional fraud — it is fraud that has always existed but is moving online. Another example would be tax fraud. Just because you cheat on your online taxes, it doesn't make it cybercrime.
  2. Cost to merchants – Online merchants figure that customers forgo 10% of transactions because of distrust in the system. This leads to £1.6 billion in lost sales.
  3. Defense costs – £2.5 billion annually. The costs of software like antivirus and other protection was £1.2 billion, which is much, much greater than the revenue that criminals bring in. Thus, the defense costs are very asymmetrically skewed onto the defending company or user compared to what the spammers actually make.
  4. Espionage – The study did not collect any data on cyber theft.

How much does this translate into a cost per citizen?

  1. For traditional fraud, it is a few hundred dollars per year.
  2. For transitional fraud, it is a few tens of dollars per year.
  3. For cyber fraud, it is a few tens of dollars per year, mostly in defense.

Thus, for the industry that we are in, the cost of what people spend to protect against cybercrime is much, much more than what people actually lose from it. It's like spending $50,000 to insure your $10,000 car. The greatest gains per dollar spent would be investment in law enforcement.

That should cause us in the industry to make us think twice about our relative value.

After the presentation, a couple of thoughts came to mind:

  • In the Q&A, someone brought up the point that the cyber security industry is not a complete cost to society. It creates jobs; people like you and me are employed because of it, and businesses spend money on software. They pay us to write it, and we spend money in the general economy. So it's not all bad.

    I don't agree with this point of view. It's like saying that we should continue to have regular crime in order to keep the police in business. Or we shouldn't cure cancer in order to keep pharmaceutical companies in business with expensive treatments.
  • Even though businesses spend a lot to prevent what looks like small losses, what would the losses look like without any prevention?I spend a lot of money on dental hygiene — there's toothbrushes, toothpaste, dental floss, mouthwash and dental visits. How much extra would my dental visits be if I didn't invest in keeping my teeth clean? The $50/year I spend on home supplies results in me spending a few hundred a year at the dentist. If I didn't it would be several thousand per year.

    Similarly, we don't know what it would be like if we didn't spend money on cybercrime prevention.

All in all, this was a much more reasonable study of the cost of cybercrime. It's a problem and it is growing as traditional fraud moves online, but it is not the behemoth that headlines make it out to be.

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.

Related topics: Cybercrime, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News


Industry Updates – Sponsored Posts

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

What's in Your Attack Surface?

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

3 Questions to Ask Your DNS Host About DDoS

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

Introducing the Verisign Quarterly DDoS Trends Report

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Sponsored Topics

Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines


Sponsored by


Sponsored by

DNS Security

Sponsored by