Last week at Virus Bulletin in 2012, Tyler Moore of Southern Methodist University (SMU) gave a talk entitled "Measuring the cost of cyber crime." It was a study done in collaboration with multiple individuals in multiple countries.
The study sought to answer this question — How much does cyber crime cost? Up until this point, nobody really knew. The answers given were way out of line with a reasonable estimate. For example:
How accurate is this?
The costs of cybercrime don't consider the profits by the spammers (and others involved in the underground economy) vs. the losses incurred by legitimate businesses trying to fight it.
Furthermore, there are some types of cybercrime that are extremely difficult to measure. IP theft and corporate espionage are the biggest types by far but they can't be measured with any degree of confidence. All you can do is assign targets and guess, and then multiply through. For example, if Microsoft lost a secret design that "cost" them $50 million, and Microsoft represents 1% of the US's GDP (which it doesn't), then that means that theft, on average, is 50 million x 100 = $5 billion!
Obviously, this is inaccurate because (1) Microsoft's losses are not representative to the economy as a whole, and (2) the secret design cost of $50 million is a guess. 2/3 of all losses are guesses.
Because of all of these widely varying estimates, we are now seeing pushback against these big numbers. Accuracy matters because of legislation that is currently being lobbied for at the upper echelons of government power. If people want more laws, it had better be based on accurate data.
So how do we get better?
SMU's study tried to define a framework for measuring cybercrime's cost. First, there is often conflation of costs among categories. SMU broke it down into multiple sub-types (these numbers are for the UK whose government commissioned them to come up with a better model):
Most data available does not decompose by type. To simplify things, SMU only considered losses over $10 million, and only used reliable data.
So what are the costs?
How much does this translate into a cost per citizen?
Thus, for the industry that we are in, the cost of what people spend to protect against cybercrime is much, much more than what people actually lose from it. It's like spending $50,000 to insure your $10,000 car. The greatest gains per dollar spent would be investment in law enforcement.
That should cause us in the industry to make us think twice about our relative value.
After the presentation, a couple of thoughts came to mind:
All in all, this was a much more reasonable study of the cost of cybercrime. It's a problem and it is growing as traditional fraud moves online, but it is not the behemoth that headlines make it out to be.
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines