The UK economy spends far more on cyber crime precautions such as antivirus software than it loses to cyber crime, a new report from academics including Cambridge University’s Ross Anderson has found.
The report concludes that the UK’s money would be better spent on tackling the relatively small number of cyber criminals than on security precautions. "We should perhaps spend less in anticipation of computer crime (on antivirus, firewalls etc.) but we should certainly spend an awful lot more on catching and punishing the perpetrators".
In contrast to traditional forms of fraud, such as tax or welfare fraud, purely online scams such as fake antivirus software net criminals relatively little but costs the average UK citizen more to prevent.
Interesting Link: Measuring the Cost of Cybercrime – Ross Anderson et al
"The new cyber-frauds such as fake antivirus net their perpetrators relatively small sums, with common scams pulling in tens of pence per year per head of population," it found. "In total, cyber-crooks’ earnings might amount to a couple of dollars per citizen per year.
"But the indirect costs and defence costs are very substantial – at least ten times that. The clean-up costs faced by users (whether personal or corporate) are the largest single component; owners of infected PCs may have to spend hundreds of dollars, while the average cost to each of us as citizens runs in the low tens of dollars per year. The costs of antivirus (to both individuals and businesses) and the cost of patching (mostly to businesses) are also significant at a few dollars a year each."
The paper gives the example of spam emails, which earn criminals little but cost a lot of money to prevent. "The botnet behind a third of the spam sent in 2010 earned its owners around $2.7m, while worldwide expenditures on spam prevention probably exceeded a billion dollars."
The authors conclude that money would be better spent on policing cyber crime, despite the perception among some police forces that it would be too difficult.
"Some police forces believe the problem is too large to tackle," they wrote. "In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software.
"Cybercrooks impose disproportionate costs on society and we have to become more efficient at fighting cybercrime."
The report was conducted on request by the Ministry of Defence, in response to a report backed by BAE Detica estimating the total cost of cybercrime to the UK economy. The Detica report put the value at £29 billion, a figure that was met with much scepticism.
Much of Detica’s figure was based on the lost value of intellectual property stolen from UK businesses. The new report did not include this in its calculations "because there is no reliable evidence of the extent or cost of industrial cyber-espionage and extortion".
Interesting Link: Cost of cyber crime is not science fiction, says Detica
Instead, its estimates for the cost of the various kinds of "genuine" cyber crime total $170 million, but this figure is based on "extremely rough estimates".
The report will be presented on June 25th at the Workshop on the Economics of Information Security in Berlin, Germany.