The cost of protecting ourselves against cybercrime can far exceed the cost of the threat itself. This is according to a recent report ‘Measuring the cost of cybercrime’ by international scientists led by the University of Cambridge. On the basis of the findings – which estimate the direct costs, indirect costs and defence costs of different types of cybercrime for the UK and the world – the authors conclude that we should spend less in anticipation of cybercrime, and more on catching the perpetrators.
The lead author Ross Anderson, Professor of Security Engineering at the University of Cambridge’s Computer Laboratory, said: “Advances in information technology are moving many social and economic interactions, such as fraud or forgery, from the physical worlds to cyberspace. As countries scramble to invest in security to minimise cyber-risks, governments want to know how large that investment should be and where the money should be spent.”
However, many of the existing sources of data have either under- or over-inflated estimates of the scale of this risk explain the researchers. For instance, a report released in February 2011 by the BAE subsidiary Detica with the Cabinet Office’s Office of Cybersecurity and Information Assurance suggested that the overall cost to the UK economy from cyber-crime is £27 billion annually, a figure that some in the IT security industry experts have questioned as too high and lacking in methodology.
In the new study, the initial impetus for which was a request by the UK Ministry of Defence, the team of researchers has specifically avoided giving a single figure for the cost of cybercrime because the total depends critically on what is counted. They suggest that fraud within the welfare and tax systems – increasingly performed in the ‘cyber’ world – cost each citizen a few hundred pounds a year on average. Fraud associated with payment cards and online banking costs just a few tens of pounds a year; however, the fear of fraud by businesses and consumers is leading some to avoid online transactions, imposing an indirect cost on the economy that is several times higher.
By contrast, true ‘cybercrime’ – the new scams that completely depend on the internet – are only costing citizens an average of a few tens of pence per year directly. However the indirect costs, such as the money spent on anti-virus software, can be a hundred times that.
The report finds that each year the UK spends US$1 billion on efforts to protect against or clean-up after a threat, including $170 million on antivirus. By contrast, just $15 million is spent on law enforcement.
Overall, the study concludes that cyber-criminals – often only a small number of gangs – are pulling in a few tens of pounds from every citizen per year, but the indirect costs to those citizens, either in protective measures such as antivirus or in cleaning up infected PCs, is at least ten times as much.
The Cambridge scientists, working with colleagues in Germany, the Netherlands, the USA and UK, considered all the main types of cybercrime – online payment and banking fraud, fake antivirus, patent-infringing pharmaceuticals, ‘stranded traveller’ scams, and botnets (whereby vast numbers of computers are taken over by a ‘botnet-herder’ who then rents them out to others to commit crimes).
For each crime, the researchers not only collected figures for direct and indirect costs, but for the cost of defending against it, as co-author Dr Richard Clayton, who works on the econometrics of cybercrime in Cambridge’s Computer Laboratory, said: “Take credit card fraud. Direct loss is clearly the monetary loss suffered by the victim. However, the victim might then lose trust in online banking and make fewer electronic transactions, pushing up the indirect costs for the bank because it now needs to maintain cheque clearing facilities, and this cost is passed on to society. Meanwhile, defence costs are incurred through recuperation efforts and the increased security services purchased by the victim. The cost to society is the sum of all of these.”
Acknowledging that the study provides a static view of what is a highly changeable category of crime, the researchers nevertheless believe that their data provides “a proper start on the problem”, one which they will continue to update as increasingly accurate data comes available. Clayton added: “The study provides a first attempt to pull all available data together. Previous studies have made rough assumptions and not fully explained the methodology they used.”
The conclusion to draw from their study, say the researchers, is that we should spend less on defence and more on policing, as Anderson added: “Some police forces believe the problem is too large to tackle. In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software. Cybercrooks impose disproportionate costs on society and we have to become more efficient at fighting cybercrime.”
The report will be presented on June 25, at the Workshop on the Economics of Information Security in Berlin.
=–=-=
Transport for London (TfL) is calling for businesses and commuters to join in to learn more about how they can ‘Get Ahead of the Games’. TfL will be joined by staff from Unilever and Sagicor at Lloyd’s, who will answer questions to help Britain’s employers and commuters plan their transport ahead of the London 2012 Games.
Ben Plowden, Director of Planning at TfL Surface Transport; Jacobina Plummer, Global Change and Communications Manager, Agile Working for Unilever; and Paul Marden, Marketing, Communications and CSR officer at Sagicor at Lloyd’s (an insurance syndicate operating in Lloyd’s of London insurance market) will be available between 1pm and 2pm on Thursday, June 21 on Twitter. Unilever and Sagicor have already developed Games-time travel plans to suit their businesses. Their plans include offering flexible or home working options and encouraging employees to use alternative forms of transport, such as cycling or walking all or part of their commute.
The chat will be hosted by the official London 2012/TfL Get Ahead of the Games transport advice twitter feed @GAOTG, using the hashtag #GAOTG. Questions for the panel can be submitted to @GAOTG beforehand, using the hashtag #GAOTG.
Firms – and their employees – can ask questions to help them maximise the business benefits of the Games, and to plan ahead for a busy transport network. Potential topics for the live chat include:
How businesses are planning ahead to minimise the travel impact of the Games on operations
Ways to communicate plans to employees and stakeholders
Advice on alternative forms of transport, such as cycling or walking to work
Key hotspots that commuters will need to avoid
Tools and information needed about road events and how to plan journeys
Challenges experienced to date with travel planning and how to overcome them
How to test travel plans
Sending and receiving deliveries during Games-time
Legacy: How to continue with any travel plans put in place after the Games.
Ben Plowden, Director of Planning at TfL Surface Transport, said: ‘After the success of the first ever Olympic Twitter chat for businesses, we’re engaging with businesses once again, as well as tweeting directly to commuters. By teaming up with influential organisations already planning ahead for Games-time, this Twitter chat offers a direct channel for firms and London commuters to speak to other companies and workers as well as to TfL.
‘During the Games, London will be turned into a massive sporting and cultural venue. As a result central London, the ORN and areas around venues will be exceptionally busy. This is why we’re communicating with businesses to help them avoid delay and disruption and ensure they have all the advice and support they need to plan ahead.’
Jacobina Plummer, Global Change and Communications Manager, Agile Working for Unilever, said: ‘Like many companies, business continuity will be critical for Unilever during the Games. Our approach to planning for Games-time is to raise employee awareness around the impact on the transport network, and the range of solutions to overcome this. Key to Unilever’s Games-time plan is our approach to flexible working, which is ingrained in our business and available to all employees. As a result, 92 per cent of our London-based employees said they felt confident working away from the office during the Olympics. While it’s taken us years to foster that culture, via Twitter I can share our experiences and some tips with other companies looking for last minute quick wins to help get ready for the Games.’
Paul Marden, Marketing, Communications and CSR officer, Sagicor at Lloyd’s, said: ‘We are taking planning very seriously as we’re based in City of London, a key hotspot area. We have five staff managing different aspects of the planning from HR to IT and we’re communicating all plans to employees in ‘lunch and learn’ sessions. Non-essential employees are being encouraged to work from home, while essential staff, like those trading at Lloyd’s, are encouraged to walk or cycle into work. To make this as easy as possible, we’re allowing ‘dress down’ during Games-time and looking to install bike storage. We’ve been planning since October last year and I’ll draw on our experiences to answer questions during the live chat.’
Five hundred major businesses employing more than 600,000 people have signed up for specific travel advice and have drafted travel plans which they have shared with TfL, and 24,000 businesses across London and other affected areas of the UK have attended TfL arranged or supported workshops. Businesses are encouraged to use the support available at www.GetAheadoftheGames.com.
