A comprehensive report on the costs of cybercrime concludes we should be spending more on policing and less on defenses such as firewalls and anti-virus.
Ross Anderson, a professor of security engineering at the University of Cambridge, and six other researchers from Germany, the Netherlands, the UK, and the US studied the worldwide costs of computer crime at the request of the UK Ministry of Defence. Their research (PDF) will be presented on June 26 at the 11th Annual Workshop on the Economics of Information Security in Berlin, according to Network World.
The researchers analyzed the costs to society of cybercrime through a framework of direct losses, indirect losses, and costs associated with defending against the crimes. The defense costs include buying security hardware and software such as firewalls and anti-virus programs; developing and deploying systems to detect fraud; supplying fraud-prevention services; and mounting criminal investigations.
They found that for certain types of pure cybercrime -- hacking, phishing, spam, denial-of service attacks, "stranded-traveler" scams, etc. -- the cost of defending against them far outweighed the direct losses incurred. This was not true for more traditional crimes like welfare fraud and tax fraud, which increasingly involve the use of computers in their commission. The traditional crimes cost society a few hundred dollars per capita per year, and the costs of defending against them are a fraction of that amount. Pure cybercrime costs us a few dollars each per year, and it costs at least 10 times that amount to attempt to fend it off.
A telling example of cybercrime's asymmetric cost structure is provided by the botnet that was the infrastructure behind one-third of all spam sent worldwide in 2010. That botnet earned its owners around $2.7 million, while expenditures worldwide aimed at preventing spam ran north of $1 billion, according to the researchers.
The reasons for this asymmetry are many, the researchers state, including "externalities, asymmetric information, and agency effects galore"; but the figures they collected lead them to conclude that "we should perhaps spend less in anticipation of computer crime (on anti-virus, firewalls etc.) but we should certainly spend an awful lot more on catching and punishing the perpetrators."
Network World got more background in an interview with Anderson, the Cambridge professor. The existence of cybercriminals in states with weak cybercrime laws or enforcement need not be discouraging to those urging more vigorous policing, Anderson said. "The problem at the moment is that there seems to be a very low priority for police cooperation. If the governments of Britain, Germany, France, the US and so on, were to make it a higher priority, then the government of Russia would start to crack down on these gangs."
The lesson for the company trying to stay agile while remaining secure? We can't stint on cyber-defenses for the present, but the need for them could be reduced over time if governments spent more on police work, and put more pressure on states that act as cybercrime havens to crack down on the bad guys.