The cost of protecting ourselves against cybercrime can far outweigh the cost of the threat itself, according to a new study led by computer scientists at The University of Cambridge.
At the behest of the UK Ministry of Defence, the research team compiled the first estimate of direct, indirect and defence costs of different types of cybercrime.
The report’s authors, which included experts from Cambridge University, working with colleagues in Germany, the Netherlands, the USA and UK, concluded that Governments should spend less trying to anticipate online crime, and more trying to actively pursue and prosecute its perpetrators.
“Advances in information technology are moving many social and economic interactions, such as fraud or forgery, from the physical worlds to cyberspace,” said lead author Ross Anderson, Professor of Security Engineering at the University of Cambridge’s Computer Laboratory.
“As countries scramble to invest in security to minimise cyber-risks, governments want to know how large that investment should be and where the money should be spent.”
Currently, the UK alone spends $1bn on efforts to defend against online threats or deal with their consequences, including $170m on antivirus activity. However, only $15m is spent on online law enforcement.
The study concluded that the cybercriminal community consist of only a small number of gangs, each costing every citizen a few pounds every year, though the indirect cost can be up to ten times as much.
Some police forces simply believe the problem is too large and diffuse to be handled effectively, the report found, with the number of phishing websites, distinct attackers and types of malware persistently over-reported.
“In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software,” added Anderson. “Cybercrooks impose disproportionate costs on society and we have to become more efficient at fighting cybercrime.”
The team examined a number of types of different offence; online payment and banking fraud, fake antivirus, patent-infringing pharmaceuticals, ‘stranded traveller’ scams, and botnets (whereby vast numbers of computers are taken over by a ‘botnet-herder’ who then rents them out to others to commit crimes).
The study measured the cost of online crime across four distinct categories:
Direct costs: The monetary equivalent of losses, damage, or other suffering felt by the victim as a consequence of a cybercrime.
Indirect costs: The monetary equivalent of the losses and opportunity costs imposed on society by the fact that a certain cybercrime is carried out, no matter whether successful or not and independent of a specific instance of that cybercrime. Indirect costs generally cannot be attributed to individual victims.
Defence costs: The monetary equivalent of prevention efforts. They include direct defence costs, i.e., the cost of development, deployment, and maintenance of prevention measures, as well as indirect defence costs, such as inconvenience and opportunity costs caused by the prevention measures.
Cost to society: The sum of direct losses, indirect losses, and defence costs.