Study: Spend less on antivirus, more on catching cyber crooks

When it comes to preventing cyber crime, the medicine might be worse than the diseases, according to a new study led by Cambridge University.

Spending on IT security outpaces what is spent on policing by a factor of 10 to 1 in the United Kingdom, but the potential return on investment from law enforcement could be much greater. Actual losses suffered from online crime, as estimated for the study, are dwarfed by spending on antivirus and other security tools.

“The straightforward conclusion to draw...is that we should perhaps spend less in anticipation of computer crime (on antivirus, firewalls, etc.), but we should certainly spend an awful lot more on catching and punishing the perpetrators,” the authors wrote.




The report, “Measuring the Cost of Cybercrime,” was written by an international team of scientists led by Cambridge University. It will be presented June 25 at the Workshop on the Economics of Information Security in Berlin.

The study was requested by the U.K. Ministry of Defence because of concerns that previous studies had overhyped the problem. A British government report in 2011 estimated the cost of cyber crime in the United Kingdom at 27 billion pounds, or 1.8 percent of GDP. Corporate theft of intellectual property and espionage alone was valued at 21 billion pounds.

Cambridge scientists worked with colleagues in Germany, the Netherlands and the United States to gather information on various categories of cyber crime, using best estimates and extrapolations where necessary to come up with global figures for the costs of these crimes.

Although law enforcement activity and international cooperation against cyber criminals have increased in the past two years, the study’s conclusion runs counter to traditional thinking on cybersecurity, which has been focused on deployment of tools for prevention, detection and response.

“This is a helpful study because it poses a key question: Is the money we are spending on security worth the cost?” said Alan Paller, director of research at the SANS Institute. He points out that some analysts already have questioned the value of products such as antivirus programs.

Paller questioned the ability to accurately quantify losses to cyber crime, however. “What is the value of the data stolen from the Commerce Department on our technologies that are too sensitive to export?” he asked. “What is the value of the plans for command and control of drone networks? And of radar systems? And what is the value of the playbook for GE in negotiating with the Chinese on technology transfer?”

The authors of the report acknowledged the challenges of putting a value on losses.

“The subject is difficult because definitions are hard; much fraud that used to be conducted on paper or face-to-face (such as tax and welfare fraud) is now ‘online,’ and these traditional frauds are much larger in volume and value terms than the new purely ‘computer’ frauds,” they wrote. “Also, there is a significant amount of fraud ‘in between’ the traditional and the new, such as payment card fraud” which now is moving online. “We've called this ‘transitional’ fraud for want of a better name.”

The authors did their best to come up with real or reasonable figures for all the categories of online crime they identified, but they avoided publishing total figures because of the risk of their being taken out of context. “Our work has its limitations,” they wrote. But they called it “a principled start to being able to measure the cost of cyber crime.”

They estimated that traditional forms of fraud that now are being conducted online cost each citizen a few hundred pounds, dollars or Euros each year. The “transitional” frauds cost each person a few pounds, dollars or Euros each year, and pure cyber crime costs only a few cents each year.

Companies and individual users typically spend more than that each year for security, and spending on security products probably outpaces what cyber criminals are taking in, they said. “As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around $2.7 million, while worldwide expenditures on spam prevention probably exceeded a billion dollars.”

The authors estimated global spending on cyber law enforcement at about $400 million, with the United States accounting for about half of that. Because of the persistence and international nature of much online crime, many police forces view it as too large and diffuse a problem to tackle. But the authors said that a small number of gangs lie behind many crimes, and that “a police response against them could be far more effective than telling the public to fit anti-phishing toolbars or purchase antivirus software.”

“Our figures suggest that we should spend less in anticipation of cyber crime (on antivirus, firewalls, etc.) and more in response — that is, on the prosaic business of hunting down cyber criminals and throwing them in jail,” they said.

 

Reader Comments

Tue, Jun 19, 2012 earth

Consider that it is in the best interest of anti-virus writers to have virus writers and you have a partial grasp of the problem. The second is that the individual must concentrate spending on detection and prevention because they have no capability to enforce the law, and response must be within the boundaries of their own system or it could be considered a cyber crime itself.

So DUH!!!

Thankfully, the anti-malware is as effective as it is. Consider how easy it would be to trigger the power distribution grid to destroy itself, bank accounts to be transferred somewhere else, etc. without it (would you like to play a game). Communication is as important as transportation to the functioning of a world scale community. All multi-cellular organisms have to have some form of communication system or be the equivalent of, and as prevalent as, sponges.

We need to move from honey pots to poison pots. For instance credit card numbers that can be embedded in databases and have only one use: the arrest and conviction of anyone who uses it.

Tue, Jun 19, 2012 Col. Panek Rome NY

The best defense is Linux, without anti-virus.

Tue, Jun 19, 2012 CH

Shouldn't need a study to reach this obvious conclusion; catch and severely punish the criminals and you stop the crime. And fix the system - we're paying the price for poorly designed systems dating back to the early days of credit cards that allowed an explosion in credit with weak security, and the idea that a percentage of fraud and theft was "acceptable". Now, the Internet allows mass exploitation of these weak systems with disparate law enforcement systems unable to respond effectively. The system is broken.

Tue, Jun 19, 2012 steve columbia, md

Of course, the measurements look at realized expenditures and losses. IF antivirus were not in place, IF antispam measures were not in place, how much higher would the returns be for spam and other criminal activities? Given that criminals generally do NOT report their ill-gotten gains on tax returns, the 'value' associated with the reported losses (or earnings, in the case of spambots), are not independently verifiable. And, as the study notes, much of what is being protected really falls into the Mastercard category of 'priceless' - the loss of national security information COULD result in the loss of the country, entirely. Who knows? We only get one chance to find out, and not many people are willing to risk that. Better tools, better mechanisms, better self enlightened economic policies, so many improvements in many areas would contribute to a better sense of balance here. The bottom line message of the report? If you make crime so difficult to commit successfully and so high risk, then you have achieved deterrence. Otherwise you need prevention.

Tue, Jun 19, 2012 MBA

The best defense is a good offense.
