Study: Spend less on antivirus, more on catching cyber crooks
When it comes to preventing cyber crime, the medicine might be worse than the disease, according to a new study led by Cambridge University.
Spending on IT security outpaces what is spent on policing by a factor of 10 to 1 in the United Kingdom, but the potential return on investment from law enforcement could be much greater. Actual losses suffered from online crime, as estimated for the study, are dwarfed by spending on antivirus and other security tools.
“The straightforward conclusion to draw...is that we should perhaps spend less in anticipation of computer crime (on antivirus, firewalls, etc.), but we should certainly spend an awful lot more on catching and punishing the perpetrators,” the authors wrote.
The report, “Measuring the Cost of Cybercrime,” was written by an international team of scientists led by Cambridge University. It will be presented June 25 at the Workshop on the Economics of Information Security in Berlin.
The study was requested by the U.K. Ministry of Defence because of concerns that previous studies had overhyped the problem. A British government report in 2011 estimated the cost of cyber crime in the United Kingdom at 27 billion pounds, or 1.8 percent of GDP. Corporate theft of intellectual property and espionage alone was valued at 21 billion pounds.
Cambridge scientists worked with colleagues in Germany, the Netherlands and the United States to gather information on various categories of cyber crime, using best estimates and extrapolations where necessary to come up with global figures for the costs of these crimes.
Although law enforcement activity and international cooperation against cyber criminals have increased in the past two years, the study’s conclusion runs counter to traditional thinking on cybersecurity, which has focused on deploying tools for prevention, detection and response.
“This is a helpful study because it poses a key question: Is the money we are spending on security worth the cost?” said Alan Paller, director of research at the SANS Institute. He points out that some analysts already have questioned the value of products such as antivirus programs.
Paller questioned the ability to accurately quantify losses to cyber crime, however. “What is the value of the data stolen from the Commerce Department on our technologies that are too sensitive to export?” he asked. “What is the value of the plans for command and control of drone networks? And of radar systems? And what is the value of the playbook for GE in negotiating with the Chinese on technology transfer?”
The authors of the report acknowledged the challenges of putting a value on losses.
“The subject is difficult because definitions are hard; much fraud that used to be conducted on paper or face-to-face (such as tax and welfare fraud) is now ‘online,’ and these traditional frauds are much larger in volume and value terms than the new purely ‘computer’ frauds,” they wrote. “Also, there is a significant amount of fraud ‘in between’ the traditional and the new, such as payment card fraud” which now is moving online. “We've called this ‘transitional’ fraud for want of a better name.”
The authors did their best to come up with real or reasonable figures for all the categories of online crime they identified, but they avoided publishing total figures because of the risk of their being taken out of context. “Our work has its limitations,” they wrote. But they called it “a principled start to being able to measure the cost of cyber crime.”
They estimated that traditional forms of fraud that now are being conducted online cost each citizen a few hundred pounds, dollars or Euros each year. The “transitional” frauds cost each person a few pounds, dollars or Euros each year, and pure cyber crime costs only a few cents each year.
Companies and individual users typically spend more than that each year for security, and spending on security products probably outpaces what cyber criminals are taking in, they said. “As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around $2.7 million, while worldwide expenditures on spam prevention probably exceeded a billion dollars.”
The authors estimated global spending on cyber law enforcement at about $400 million, with the United States accounting for about half of that. Because of the persistence and international nature of much online crime, many police forces view it as too large and diffuse a problem to tackle. But the authors said that a small number of gangs lie behind many crimes, and that “a police response against them could be far more effective than telling the public to fit anti-phishing toolbars or purchase antivirus software.”
“Our figures suggest that we should spend less in anticipation of cyber crime (on antivirus, firewalls, etc.) and more in response — that is, on the prosaic business of hunting down cyber criminals and throwing them in jail,” they said.