Assessing the cost of cybercrime is extremely hard, not just because of the nature of the crime and the differing definitions and actors involved, but also because of the hype cycle surrounding the area and the inflated numbers thrown out. Kings of War takes to task the cost estimate of £27 billion provided by the UK Cabinet Office and Detica.
While I completely agree with the view that the £27 billion figure looks inflated, some of the counterpoints stated in the post are also weak.
The figure of £30 million damage is to be contrasted by the worldwide market of scareware estimated at £114 million. The UK would therefore represent 26% of the share of this market for an online population representing only less than 2% of the global online population. Why the discrepancy?
“2%” of the global online population does not say much. It might seem like a small number when compared to the “26%” market share, but other factors need to be considered. For example, China and India account for a good percentage of the global online population, but that population may not really care when a scary message prompts them to buy (fake) anti-virus software. Even if they care, their default mode of operation could be different from clicking on a link and spending money online to buy the anti-virus. I have no concrete numbers to provide nor any specific study to quote; however, given first-hand experience, I would be surprised if I am too far off the mark. A little knowledge is dangerous, and that applies to cybersecurity as well.
And regarding consumer data loss: all the 3 legal cases in 2010 where the Computer Misuse Act 1990 was invoked concerned a breach of confidentiality, and no data were deleted. Thus the cost of consumer data loss reported to the police would be zero.
Consumer data may not have been deleted, but given that confidentiality has been breached, it is naive to think that the cost of the data loss would be zero. For example, if my credit card details were compromised (but not deleted), I would have to go through the motions of reporting it, getting it revoked, replacing it, etc. Of course, this would mean costs imposed on the credit card company too. These can add up very quickly.
All these discussions go to show that guesstimating the (real) cost of cybercrime is not an easy task, and therein lies a big problem – if one cannot estimate such a number, then one cannot set aside an appropriate budget for fighting the crime. After all, security is a lot about economics.