The true cost of cybercrime

software, can be a hundred times that.

The report finds that each year the United Kingdom spends $1 billion on efforts to protect against or clean up after a threat, including $170 million on antivirus. By contrast, just $15 million is spent on law enforcement.

Overall, the study concludes that cybercriminals — often only a small number of gangs — are pulling in a few tens of pounds from every citizen per year, but the indirect costs to those citizens, either in protective measures such as antivirus or in cleaning up infected PCs, are at least ten times as much.

The release notes that the Cambridge scientists, working with colleagues in Germany, the Netherlands, the United States, and the United Kingdom, considered all the main types of cybercrime — online payment and banking fraud, fake antivirus, patent-infringing pharmaceuticals, “stranded traveler” scams, and botnets (whereby vast numbers of computers are taken over by a “botnet-herder” who then rents them out to others to commit crimes).

For each crime, the researchers collected the best figures not only for direct and indirect costs but also for the cost of defending against it, as co-author Dr. Richard Clayton, expert in the econometrics of cybercrime in Cambridge’s Computer Laboratory, explained: “Take credit card fraud. Direct loss is clearly the monetary loss suffered by the victim. However, the victim might then lose trust in online banking and make fewer electronic transactions, pushing up the indirect costs for the bank because it now needs to maintain cheque clearing facilities, and this cost is passed on to society. Meanwhile, defense costs are incurred through recuperation efforts and the increased security services purchased by the victim. The cost to society is the sum of all of these.”

Acknowledging that the study provides a static view of what is a highly changeable category of crime, the researchers nevertheless believe that their data provides “a proper start on the problem”, one which they will continue to update as increasingly accurate data becomes available.

Clayton added: “The study provides a first attempt to pull all available data together. Previous studies have made rough assumptions and not fully explained the methodology they used.”

The straightforward conclusion to draw from their study, say the researchers, is that we should spend less on defense and more on policing, as Anderson explained: “Some police forces believe the problem is too large to tackle. In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software. Cybercrooks impose disproportionate costs on society and we have to become more efficient at fighting cybercrime.”

The report will be presented on 25 June at the Workshop on the Economics of Information Security in Berlin, Germany.