Cybercrime protection costs exceed threat, says research

The cost of protecting ourselves against cybercrime can far exceed the cost of the threat itself, according to new research.

In a study carried out for the Ministry of Defence, scientists from Cambridge University found that more resources should be spent on catching cybercriminals than preparing for the crimes.

The researchers found that cybercriminals make on average a few tens of pounds from every citizen per year, but the indirect costs to those citizens, either in protective measures such as antivirus or in cleaning up infected PCs, are at least ten times as much.

‘Some police forces believe the problem is too large to tackle,’ said the study’s lead author Prof Ross Anderson in a statement. ‘In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software.

‘Cybercrooks impose disproportionate costs on society and we have to become more efficient at fighting cybercrime.’

The study found that fraud associated with online banking costs each citizen on average a few tens of pounds a year but fear of fraud is leading some to avoid online transactions, imposing an indirect cost on the economy that is several times higher.

Internet scams cost each citizen a few tens of pence a year, but the indirect costs, such as the money spent on antivirus software, can be a hundred times that.

The UK spends $1bn (£639bn) annually on efforts to protect against or clean up after a threat, including $170m (£109m) on antivirus. By contrast, just $15m (£10m) is spent on law enforcement.

The researchers say the report provides the first systematic estimate of the direct costs, indirect costs and defence costs of different types of cybercrime for the UK and the world.

Co-author Dr Richard Clayton said: ‘Take credit card fraud. Direct loss is clearly the monetary loss suffered by the victim.

‘However, the victim might then lose trust in online banking and make fewer electronic transactions, pushing up the indirect costs for the bank because it now needs to maintain cheque clearing facilities, and this cost is passed on to society.

‘Meanwhile, defence costs are incurred through recuperation efforts and the increased security services purchased by the victim. The cost to society is the sum of all of these.’

However, the researchers specifically avoided attaching a figure to the overall cost of cybercrime, arguing that the total depends critically on what is counted and that many existing sources had under- or overestimated the risk.