Preventing Cybercrime: An unusual study

“The cost of protecting ourselves against cybercrime can far exceed the cost of the threat itself … [therefore] we should spend less in anticipation of cybercrime and more on catching the perpetrators.”

That is the controversial conclusion of a new University of Cambridge IT security research study called “Measuring the Cost of Cybercrime” being released today. The study, conducted at the request of the UK Ministry of Defense which was concerned that cybercrime was being over-hyped, is claimed in a press release to be “the first systematic estimate of the direct costs, indirect costs and defence costs of different types of cybercrime for the UK and the world.”

Of course, in studies like this, it is important to look at what the study authors defined as being a “true cybercrime” which is one “unique to electronic networks, e.g., attacks against information systems, denial of service and hacking.” As noted in the paper,

“We distinguish carefully between traditional crimes that are now ‘cyber’ because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly.”

“As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/Euros/dollars a year; transitional frauds cost a few pounds/Euros/dollars; while the new computer crimes cost [only] in the tens of pence/cents.”

However, the societal costs for protecting against new computer crimes are far out of proportion with what the new crimes net, the researchers argue, whereas the cost of protecting  against more traditional crimes is more in line with their direct costs imposed upon society. For example, the UK is said to be spending some $1 billion on efforts to protect against or clean-up after a threat, including $170 million on antivirus measures, but only $15 million is being spent on law enforcement to pursue cyber criminals. A better approach is to “perhaps spend less in anticipation of computer crime (on antivirus, firewalls etc.) but we should certainly spend an awful lot more on catching and punishing the perpetrators.”

The argument seems premised on the assumption that a small number of cybercriminals are responsible for the vast majority of the cybercrimes  and that business will make the requisite investment to keep their IT systems secure.

The researchers don’t give much in the way of advice on how much less we should spend on anti-virus software (or how individuals should decide to forego it), or how much more funding should be spent on law enforcement. Would quadrupling to $60 million the amount of money spent on UK cybercrime law enforcement make a serious dent on UK cybercrime, for instance? Would that amount allow UK citizens to pitch their anti-virus software? Or would that increase in spending be a wasted effort unless similar increases in law enforcement spending happened around the world as well?


About SCB Enterprises
System Solutions and Integration

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: