
Measuring the Cost of Cybercrime

Terry Zink

Last week at Virus Bulletin in 2012, Tyler Moore of Southern Methodist University (SMU) gave a talk entitled "Measuring the cost of cyber crime." It was a study done in collaboration with multiple individuals in multiple countries.

The study sought to answer this question — How much does cyber crime cost? Up until this point, nobody really knew. The answers given were way out of line with a reasonable estimate. For example:

  • According to a UK study, it cost the UK £27 billion annually which is 2% of British GDP. That is huge!
  • According to testimony given by someone from AT&T (the CEO?) to Congress, it is $1 trillion, or 1.6% of the world's GDP. Also huge!

How accurate is this?

Estimates of the cost of cybercrime don't distinguish the profits made by the spammers (and others involved in the underground economy) from the losses incurred by legitimate businesses trying to fight it.

Furthermore, there are some types of cybercrime that are extremely difficult to measure. IP theft and corporate espionage are the biggest types by far, but they can't be measured with any degree of confidence. All you can do is pick a few targets, guess at their losses, and then multiply through. For example, if Microsoft lost a secret design that "cost" them $50 million, and Microsoft represents 1% of the US's GDP (which it doesn't), then the economy-wide loss from that kind of theft comes out to 50 million x 100 = $5 billion!

Obviously, this is inaccurate because (1) Microsoft's losses are not representative of the economy as a whole, and (2) the $50 million cost of the secret design is itself a guess. 2/3 of all loss figures are guesses.

Because of all of these widely varying estimates, we are now seeing pushback against these big numbers. Accuracy matters because legislation is currently being lobbied for at the upper echelons of government power. If people want more laws, those laws had better be based on accurate data.

So how do we get better?

SMU's study tried to define a framework for measuring cybercrime's cost. First, there is often conflation of costs among categories. SMU broke it down into multiple sub-types (these numbers are for the UK whose government commissioned them to come up with a better model):

  1. Criminal revenue – what the spammers make.
  2. Direct losses – how much a business loses because of it.
  3. Indirect losses – loss of confidence by consumers (e.g., users no longer use online banking).
  4. Defense costs – e.g., installing antivirus.

Most data available does not decompose by type. To simplify things, SMU only considered losses over $10 million, and only used reliable data.

So what are the costs?

  1. Credit card fraud – in the UK (for the past year?), credit card fraud costs £563 million. Online fraud was £210 million, offline fraud was £353 million. Credit card fraud is part of transitional fraud — fraud that has always existed but is moving online. Another example would be tax fraud. Just because you cheat on your taxes online, it doesn't make it cybercrime.
  2. Cost to merchants – Online merchants figure that customers forgo 10% of transactions because of distrust in the system. This leads to £1.6 billion in lost sales.
  3. Defense costs – £2.5 billion annually. The cost of software like antivirus and other protection alone was £1.2 billion, which is much, much greater than the revenue that criminals bring in. Thus, the defense costs are very asymmetrically skewed onto the defending company or user compared to what the spammers actually make.
  4. Espionage – The study did not collect any data on cyber theft.

How much does this translate into a cost per citizen?

  1. For traditional fraud, it is a few hundred dollars per year.
  2. For transitional fraud, it is a few tens of dollars per year.
  3. For cyber fraud, it is a few tens of dollars per year, mostly in defense.

Thus, for the industry that we are in, the cost of what people spend to protect against cybercrime is much, much more than what people actually lose from it. It's like spending $50,000 to insure your $10,000 car. The greatest gains per dollar spent would be investment in law enforcement.

That should make those of us in the industry think twice about our relative value.

After the presentation, a couple of thoughts came to mind:

  • In the Q&A, someone brought up the point that the cyber security industry is not a complete cost to society. It creates jobs; people like you and me are employed because of it, and businesses spend money on software. They pay us to write it, and we spend money in the general economy. So it's not all bad.

    I don't agree with this point of view. It's like saying that we should continue to have regular crime in order to keep the police in business. Or we shouldn't cure cancer in order to keep pharmaceutical companies in business with expensive treatments.
  • Even though businesses spend a lot to prevent what looks like small losses, what would the losses look like without any prevention? I spend a lot of money on dental hygiene — there's toothbrushes, toothpaste, dental floss, mouthwash and dental visits. How much more would my dental visits cost if I didn't invest in keeping my teeth clean? The $50/year I spend on home supplies results in me spending a few hundred a year at the dentist. If I didn't, it would be several thousand per year.

    Similarly, we don't know what it would be like if we didn't spend money on cybercrime prevention.

All in all, this was a much more reasonable study of the cost of cybercrime. It's a problem and it is growing as traditional fraud moves online, but it is not the behemoth that headlines make it out to be.

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.
