Spending on IT security outpaces what officials spend on policing by a factor of 10 to 1 in the United Kingdom, but the potential return on investment from law enforcement could be much greater, a new study said.
Actual losses from online crime, as estimated in the study, are dwarfed by spending on antivirus and other security tools, according to the research, which was led by Cambridge University.
“The straightforward conclusion to draw … is that we should perhaps spend less in anticipation of computer crime (on antivirus, firewalls, etc.), but we should certainly spend an awful lot more on catching and punishing the perpetrators,” according to a report entitled “Measuring the Cost of Cybercrime,” written by an international team of scientists led by Cambridge University.
The study, requested by the UK Ministry of Defense, comes as the result of concerns that previous reports overhyped the problem. A British government report in 2011 estimated the cost of cyber crime in the United Kingdom at £27 billion, or 1.8 percent of GDP. Corporate theft of intellectual property and espionage alone was valued at £21 billion.
Cambridge scientists worked with colleagues in Germany, the Netherlands and the United States to gather information on various categories of cyber crime, using best estimates and extrapolations where necessary to come up with global figures for the costs of these crimes.
Although law enforcement activity and international cooperation against cyber criminals have increased in the past two years, the study’s conclusion runs counter to traditional thinking on cyber security, which has focused on deploying tools for prevention, detection and response.
“This is a helpful study because it poses a key question: Is the money we are spending on security worth the cost?” said Alan Paller, director of research at the SANS Institute. He pointed out that some analysts have already questioned the value of products such as antivirus programs.
Paller questioned the ability to accurately quantify losses to cyber crime, however.
“What is the value of the data stolen from the Commerce Department on our technologies that are too sensitive to export?” he asked. “What is the value of the plans for command and control of drone networks? And of radar systems? And what is the value of the playbook for GE in negotiating with the Chinese on technology transfer?”
The authors of the report acknowledged the challenges of putting a value on losses.
“The subject is difficult because definitions are hard; much fraud that used to be conducted on paper or face-to-face (such as tax and welfare fraud) is now online, and these traditional frauds are much larger in volume and value terms than the new purely computer frauds,” the authors wrote. “Also, there is a significant amount of fraud in between the traditional and the new, such as payment card fraud,” which now is moving online.
The authors did their best to come up with real or reasonable figures for all the categories of online crime they identified, but they avoided publishing total figures because of the risk of their being taken out of context. “Our work has its limitations,” they wrote. But they called it “a principled start to being able to measure the cost of cyber crime.”
They estimated traditional forms of fraud now conducted online cost each citizen a few hundred pounds, dollars or Euros each year. The “transitional” frauds cost each person a few pounds, dollars or Euros each year, and pure cyber crime costs only a few cents each year.
Companies and individual users typically spend more than that each year for security, and spending on security products probably outpaces what cyber criminals are taking in, they said. “As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around $2.7 million, while worldwide expenditures on spam prevention probably exceeded a billion dollars.”
The authors estimated global spending on cyber law enforcement at $400 million, with the United States accounting for about half of that. Because of the persistence and international nature of much online crime, police forces view it as too large and diffuse a problem to tackle. But the authors said a small number of gangs lie behind many crimes, and that “a police response against them could be far more effective than telling the public to fit anti-phishing toolbars or purchase antivirus software.”
“Our figures suggest that we should spend less in anticipation of cyber crime (on antivirus, firewalls, etc.) and more in response — that is, on the prosaic business of hunting down cyber criminals and throwing them in jail,” they said.