A new report on the cost of cybercrime commissioned by the MoD suggests that we should spend a lot less on prevention and a lot more on detection. Statistics in this area are notoriously unreliable, in part because of under-reporting by victims and over-estimation by security firms anxious to push their products.
So the researchers, from the UK, Germany, the Netherlands and the US, examined the available UK and global data to derive estimates for the direct and indirect costs of various forms of cybercrime compared with the income netted by criminals.
By a very large margin, the highest direct and indirect costs to us as citizens (several hundred pounds a year) come from traditional frauds, such as tax and benefit frauds. These are mostly white collar offences that have become cybercrime offences as a result of moving to online systems. But the costs of dealing with these crimes, like the costs of dealing with traditional crimes such as burglary and robbery, are much less than the amounts lost. At sentencing, such cybercriminals tend to get lower sentences than robbers or burglars.
Crimes based on fraudulent use of payment cards or online banking, fake antivirus, illicit pharmaceuticals, copyright infringement and other scams cost us as citizens a few pounds a year, and cost about as much to deal with as the criminals net in proceeds.
Phishing, or tricking users with a lookalike banking site that steals their credentials, gets little money: normally a fee from selling the credentials to another group who can use them. Illicit pharmaceuticals (either generic ones produced in a third world country or ones that a doctor has stopped prescribing to avoid dependence) make more money, as can fake auction sites where the goods never turn up. But copyright theft makes very little money. These crimes normally incur much higher indirect costs through, for example, lack of trust in the Internet and loss of business.
Crimes based on botnets or other breaches of computer security cost us as citizens a few pence a year. Botnets, or infections of multiple computers with a network of viruses, are used to automate and to hide criminal activities, and they net fairly small amounts for the criminals operating them compared with other forms of cybercrime. But we spend more than ten times as much on prevention as the police spend on catching such cybercriminals, and the amounts we and the industry spend on security measures can be more than ten times the losses suffered by victims. For example, a major botnet was estimated to have earned its owners $2.7 million, whereas billions of dollars had been spent trying to deal with it.
There are many reasons why police forces fail to take action against such forms of cybercrime, including lack of global cooperation and the fact that cybercriminals take a lot of trouble to avoid headlines, compared, for example, with terrorists. Yet the costs to the police of identifying and dismantling their operations are quite small, and the savings to us as citizens would be quite considerable.
The full report can be obtained from here.