Report rails against inflated costs of cybercrime protection
The report, entitled The True Cost of Cybercrime, states that companies and consumers are spending up to ten times as much on protective measures such as anti-virus software or on cleaning up infected computers than they are experiencing in direct losses.
Consequently, concludes the report, less should be spent on ‘the anticipation of cybercrime (on antivirus software and firewalls) and more should be spent on catching and punishing the criminals’.
The report’s authors believe they have compiled ‘the first systematic study of the costs of cybercrime’ and are critical of previous studies that have ‘made rough assumptions and not fully explained the methodology they used”.
hide
A UK Cabinet Office report in February 2011, which was conducted by information security firm Detica, estimated the annual overall cost to the UK economy from cybercrime to be £27bn. It was scepticism over this figure that led the UK’s Ministry of Defence to commission this subsequent study.
The report stops short of producing a single figure for the cost of cybercrime and instead highlights specific categories, showing the disparity between what the crimes directly cost consumers and companies and what is spent on indirect costs, including the cost of defence.
Whereas traditional offences such as tax evasion and welfare fraud cost the average citizen hundreds of pounds a year in direct costs, new computer-based crimes tend to cost around 10p per person.
However, the indirect and defence costs for cybercrime are far higher. For example, the botnet virus responsible for a third of the spam sent worldwide in 2010 earned its owners approximately $2.7m while worldwide expenditure on spam prevention software exceeded $1bn.
In addition to consumer-targeted fraud, the paper also examines the cost of commercial cybercrime, such as espionage, extortion and intellectual property theft, suggesting that the figures claimed in the Detica report, such as £9.6bn for IP theft, have ‘no obvious foundation’.
Similarly Detica’s claim that cyber extortion costs the UK economy more than £2.2m is refuted by the report that attributes the comment that this type of cybercrime goes largely unreported as ‘a very old and persistent claim made by security salesman’.
“The marketing efforts of governments and the anti-virus software vendors may be causing some firms to spend more than they should on defending against cybercrime,” said Ross Anderson, Professor of Security Engineering at University of Cambridge’s Computer Laboratory and lead author of the report.
Furthermore, “Anti-virus software tends not to work very well these days,” said Mr Anderson, given that most malicious software is produced commercially and tested against the anti-virus products prior to their release. “Companies should instead put more effort into keeping their system patches up to date, detecting intrusions and maintaining staff discipline over computing practices,” argued Mr Anderson. The fundamental problem, concludes the report, is that the globalised nature of cybercrime and the hype created by cyber security providers have diminished the efforts of law enforcement and led banks, merchants and other companies to engage in liability shell games. “We don’t put anything like enough effort into locking up the bad guys,” said Mr Anderson.
“Some police forces believe the problem is too large to tackle. In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase anti-virus software. Cyber crooks impose disproportionate costs on society and we have to become more efficient at fighting cybercrime,” he continued. The report’s authors acknowledge that the study provides a static view of what is a highly changeable category of crime—especially as regards the development of the dark market in carding data, crimeware, botnet rental and other illegal services made available to the highest bidders. But they nevertheless believe their data provides ‘a proper start on the problem’ and intend to update their findings as increasingly accurate data becomes available.