Home / Blogs

Measuring the Cost of Cybercrime

Terry Zink

Last week at Virus Bulletin in 2012, Tyler Moore of Southern Methodist University (SMU) gave a talk entitled "Measuring the cost of cyber crime." It was a study done in collaboration with multiple individuals in multiple countries.

The study sought to answer this question — How much does cyber crime cost? Up until this point, nobody really knew. The answers given were way out of line with a reasonable estimate. For example:

  • According to a UK study, it cost the UK £27 billion annually which is 2% of British GDP. That is huge!
  • According to testimony given by someone from AT&T (the CEO?) to Congress, it is $1 trillion, or 1.6% of the world's GDP. Also huge!

How accurate is this?

The costs of cybercrime don't consider the profits by the spammers (and others involved in the underground economy) vs. the losses incurred by legitimate businesses trying to fight it.

Furthermore, there are some types of cybercrime that are extremely difficult to measure. IP theft and corporate espionage are the biggest types by far but they can't be measured with any degree of confidence. All you can do is assign targets and guess, and then multiply through. For example, if Microsoft lost a secret design that "cost" them $50 million, and Microsoft represents 1% of the US's GDP (which it doesn't), then that means that theft, on average, is 50 million x 100 = $5 billion!

Obviously, this is inaccurate because (1) Microsoft's losses are not representative to the economy as a whole, and (2) the secret design cost of $50 million is a guess. 2/3 of all losses are guesses.

Because of all of these widely varying estimates, we are now seeing pushback against these big numbers. Accuracy matters because of legislation that is currently being lobbied for at the upper echelons of government power. If people want more laws, it had better be based on accurate data.

So how do we get better?

SMU's study tried to define a framework for measuring cybercrime's cost. First, there is often conflation of costs among categories. SMU broke it down into multiple sub-types (these numbers are for the UK whose government commissioned them to come up with a better model):

  1. Criminal revenue – what the spammers make.
  2. Direct losses – how much a business loses because of it.
  3. Indirect losses – loss of confidence by consumers (e.g., users no longer use online banking).
  4. Defense costs – e.g., installing antivirus.

Most data available does not decompose by type. To simplify things, SMU only considered losses over $10 million, and only used reliable data.

So what are the costs?

  1. Credit card fraud – in the UK (for the past year?), credit card fraud costs £563 million. Online fraud was £210 million, offline fraud was £353.Credit card fraud is part of transitional fraud — it is fraud that has always existed but is moving online. Another example would be tax fraud. Just because you cheat on your online taxes, it doesn't make it cybercrime.
  2. Cost to merchants – Online merchants figure that customers forgo 10% of transactions because of distrust in the system. This leads to £1.6 billion in lost sales.
  3. Defense costs – £2.5 billion annually. The costs of software like antivirus and other protection was £1.2 billion, which is much, much greater than the revenue that criminals bring in. Thus, the defense costs are very asymmetrically skewed onto the defending company or user compared to what the spammers actually make.
  4. Espionage – The study did not collect any data on cyber theft.

How much does this translate into a cost per citizen?

  1. For traditional fraud, it is a few hundred dollars per year.
  2. For transitional fraud, it is a few tens of dollars per year.
  3. For cyber fraud, it is a few tens of dollars per year, mostly in defense.

Thus, for the industry that we are in, the cost of what people spend to protect against cybercrime is much, much more than what people actually lose from it. It's like spending $50,000 to insure your $10,000 car. The greatest gains per dollar spent would be investment in law enforcement.

That should cause us in the industry to make us think twice about our relative value.

After the presentation, a couple of thoughts came to mind:

  • In the Q&A, someone brought up the point that the cyber security industry is not a complete cost to society. It creates jobs; people like you and me are employed because of it, and businesses spend money on software. They pay us to write it, and we spend money in the general economy. So it's not all bad.

    I don't agree with this point of view. It's like saying that we should continue to have regular crime in order to keep the police in business. Or we shouldn't cure cancer in order to keep pharmaceutical companies in business with expensive treatments.
  • Even though businesses spend a lot to prevent what looks like small losses, what would the losses look like without any prevention?I spend a lot of money on dental hygiene — there's toothbrushes, toothpaste, dental floss, mouthwash and dental visits. How much extra would my dental visits be if I didn't invest in keeping my teeth clean? The $50/year I spend on home supplies results in me spending a few hundred a year at the dentist. If I didn't it would be several thousand per year.

    Similarly, we don't know what it would be like if we didn't spend money on cybercrime prevention.

All in all, this was a much more reasonable study of the cost of cybercrime. It's a problem and it is growing as traditional fraud moves online, but it is not the behemoth that headlines make it out to be.

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.

Related topics: Cybercrime, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum

Encrypting Inbound and Outbound Email Connections with PowerMTA

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

The Framework for Resilient Cybersecurity (Webinar)

2015 Trends: Multi-channel, Streaming Media and the Growth of Fraud

Data Volumes and Network Stress to Be Top IoT Concerns

DKIM for ESPs: The Struggle of Living Up to the Ideal

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

Verisign's Q2'15 DDoS Trends: DDoS for Bitcoin Increasingly Targets Financial Industry

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

Announcing Verisign IntelGraph: Unprecedented Context for Cybersecurity Intelligence

The Deep Web and the Darknet - The Nether Regions of the Internet

Introducing the Verisign DNS Firewall

Sponsored Topics



Sponsored by

DNS Security

Sponsored by
Afilias - Mobile & Web Services


Sponsored by
Afilias - Mobile & Web Services


Sponsored by