“The cost of protecting ourselves against cybercrime can far exceed the cost of the threat itself … [therefore] we should spend less in anticipation of cybercrime and more on catching the perpetrators.”
That is the controversial conclusion of a new University of Cambridge IT security research study called “Measuring the Cost of Cybercrime” (pdf) being released today. The study, conducted at the request of the UK Ministry of Defense which was concerned that cybercrime was being over-hyped, is claimed in a press release to be “the first systematic estimate of the direct costs, indirect costs and defence costs of different types of cybercrime for the UK and the world.”
Of course, in studies like this, it is important to look at what the study authors defined as being a “true cybercrime” which is one “unique to electronic networks, e.g., attacks against information systems, denial of service and hacking.” As noted in the paper,
“We distinguish carefully between traditional crimes that are now ‘cyber’ because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly.”
“As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/Euros/dollars a year; transitional frauds cost a few pounds/Euros/dollars; while the new computer crimes cost [only] in the tens of pence/cents.”
However, the societal costs for protecting against new computer crimes are far out of proportion with what the new crimes net, the researchers argue, whereas the cost of protecting against more traditional crimes is more in line with the direct costs they impose on society. For example, the UK is said to be spending some $1 billion on efforts to protect against or clean up after a threat, including $170 million on antivirus measures, but only $15 million is being spent on law enforcement to pursue cyber criminals. A better approach, the authors suggest, is to “perhaps spend less in anticipation of computer crime (on antivirus, firewalls etc.) but we should certainly spend an awful lot more on catching and punishing the perpetrators.”
The argument seems premised on the assumption that a small number of cybercriminals are responsible for the vast majority of the cybercrimes and that business will make the requisite investment to keep their IT systems secure.
The researchers don’t give much in the way of advice on how much less we should spend on anti-virus software (or how individuals should decide to forego it), or how much more funding should be spent on law enforcement. Would quadrupling the amount of money spent on UK cybercrime law enforcement to $60 million make a serious dent in UK cybercrime, for instance? Would that amount allow UK citizens to pitch their anti-virus software? Or would that increase in spending be a wasted effort unless similar increases in law enforcement spending happened around the world as well?
The Cambridge University study, which is to be presented next week at the Workshop on the Economics of Information Security in Berlin, Germany, is just another study that adds to the confusion about the significance of the threat cybercrime poses and what to do about it, as I noted last month. In fact, contrast the Cambridge study with an editorial in the New York Times about two weeks ago written by Preet Bharara, the United States attorney for the Southern District of New York, in which he wrote that:
"The alarm bells sound regularly: cybergeddon; the next Pearl Harbor; one of the greatest existential threats facing the United States. With increasing frequency, these are the grave terms officials invoke about the menace of cybercrime — and they’re not understating the threat."
So is the cybercrime threat exaggerated or not?
At least for myself, I plan to keep my IT security guard up for a little while longer, especially given the two stories, one by Reuters and the other in the New York Times, that discuss the increasing cyber threat to business (and personal) bank accounts. And even if an IT security all-clear is given, I don't think I will be an early adopter of dropping my anti-virus software.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.