Deb Shinder looks at several studies that have sought to quantify the cost of cybercrime. She presents the difficulties associated with it — and the challenges it poses for adequate law enforcement.
Market research company StrategyOne was commissioned by Symantec to study Internet users in fourteen different countries, and found that 65% of the 77,000 in the study had been personally victimized by cybercrime.
When you consider that viruses and malware are included, along with online scams, phishing attacks, hijacked accounts and intrusions, it's surprisingly that the percentage is that low. My guess is that many of the respondents have in fact had viruses or malware on their computers and didn't know it.
According to the survey, victims spent an average of 28 days and $334 repairing the damage done by cybercriminals. If you calculate that a victim's time is worth a modest $30 per hour, that's another $840, for a total average loss of well over $1000. Something the survey doesn't mention (and wouldn't be expected to, since it's sponsored by an anti-virus company) is the extra price we all pay for anti-virus, anti-malware, firewall and other security software and hardware as a result of cybercrime and our fear that we'll become victims if we don't implement those extra security measures. For many, that's another $50 or so plus $20-30 per year for the update subscription and although it can be lower (or nothing, if you use only free tools), it can also be a lot higher.
However, the true cost of cybercrime goes beyond the monetary loss.
The Symantec survey, unlike most, attempted to delve into some of the hidden costs by asking victims about emotional impact. Not surprisingly, they found that most of the emotional reactions to being a cybercrime victim are similar to those experienced by victims of other crimes such as burglary. Victims reported feeling angry, annoyed, and cheated, and had little hope that their attackers would be caught and punished. Experiencing cybercrime is, after all, very similar to being burglarized or vandalized. When someone else enters your space - whether it's your home or your computer - and takes or damages your property, you feel violated.
Most victims of personal crime also experience another emotion that the survey apparently didn't ask about: fear - sometimes bordering on paranoia - that it will happen again. Are cybercrime victims different in that respect? The survey showed that only a little over half said they would change their own behavior if they became victims of cybercrime. There are no details in this report as to exactly what behaviors they would change.
However, I've talked to some people - generally those who are less technically inclined - who have changed their online behaviors drastically after being victimized. Some have gone so far as to stop using the computer for any sort of financial transactions - online purchasing, banking, etc. This is especially true of those who have been victims of identity theft. That's true even though, according to a Forbes article earlier this year, the average cost of identity theft to individuals has declined because the financial institutions are picking up more of the tab.
Of course, it would be naïve to think that the consumers don't end up bearing at least some of this cost in the form of high fees and interest rates that those institutions charge to cover this cost of doing business - while those institutions write off the losses on their corporate taxes.
Suffering in silence
Perhaps one of the most interesting findings in the Symantec study was that less than half of those victimized by cybercriminals - only 44% - reported the crimes to law enforcement. We can only speculate about the reasons for that, but based on studies of other types of crime victims, I'd guess some or all of the following apply:
- They don't trust police and don't have any faith that anything will be done if they do report it.
- They don't want to spend even more of their time filling out forms and talking to law enforcement personnel and generally dealing with the "hassle factor" involved in reporting.
- They don't think the crime is serious enough or significant enough or their losses large enough to warrant taking up the time of law enforcement.
- They don't want to think of themselves as victims and are in denial.
- They don't want others to know they were victimized because they think it makes them look weak or stupid (or in the case of businesses, will cause them to lose clients because the clients won't trust them to be able to adequately protect client data).
- They blame themselves for not having bought that firewall or anti-malware program or for clicking on that link or visiting that web site or lowering their computer's security settings to make it easier for them to access what they wanted.
Burglary victims often hold the same belief that police won't or can't pursue the criminals who broke into their homes and will do nothing more than take and file a report. However, they are more likely to report the crime because they may need a police report on record to collect insurance, and because they do believe the police may step up patrols in the area and thus help prevent it from happening again.
Loss of data or damage to computer software caused by cybercriminals is usually not covered by insurance, and there's not much police can do to protect victims from further incidences. If victims do report the crime, and nothing comes of it, this tends to further reduce their faith in the criminal justice system and may deter them from reporting other, more serious crimes in the future. The "hassle factor" issue goes hand-in-hand with this; victims would be more willing to spend the time and deal with the bureaucracy if they believed it would result in the criminal being brought to justice.
In many cases, the monetary loss due to cybercrime - such as the value of time spent reformatting a drive, reinstalling an operating system, and restoring data from backup - is difficult to determine. Even when there is a direct monetary loss, as in the case of identity theft, it may be delayed or it may be difficult to prove that the identity theft was linked to the Trojan or network intrusion; it seems likely, but might not be provable.
Some people deal with crime - even far more personal crimes such as assault and rape - by trying to put it out of their minds completely and pretending it never happened. Reporting it to the police makes it indisputably real. And even if they acknowledge to themselves that they've been victimized, they may not want anyone else to know about it because they believe it diminishes them in others' eyes. It's embarrassing, even humiliating, to admit that a cybercriminal got the best of you.
Self-blame is commonly seen in rape victims, but also in victims of burglary, robbery and theft. When it comes to cybercrime, all the warnings about what can happen and admonitions to protect yourself are well intended and useful, but also contribute to the tendency of victims to feel guilty or "stupid" for not having done enough to prevent it. People who feel guilty or think it's their own fault are less likely to report a crime. Thus if we want to encourage more reporting of cybercrime, it's important, when educating users about security, to word it in a way that doesn't denigrate them for failing to implement security measures that are strong enough.
Cost to business
The Symantec survey deals primarily with personal consequences of cybercrime. Although many individuals have valuable information on their computers, as well as personal data and financial data that can be exploited for identity theft, the exact value of that data is often difficult to quantify. It's easier in some ways to estimate the costs of cybercrime incidents to businesses.
InformationWeek Analytics' "Global Threat, Local Pain" report deals more with the effect of cybercrime on companies world-wide.
An interesting finding in that report (page 2) is that only a small percentage of time/staff resources is devoted to end user security awareness training (9% in 2009, 11% in 2010) and monitoring employee behavior (7% both years). Note that we're not sure about these numbers, though, since the total adds up to much more than 100%. In any event, this relatively small amount of time that focuses on users seems strange in light of the fact that (on page 6), authorized users/employees is seen as the second greatest threat, with 70%, after hackers (their term) at 77%.
The monetary cost of cybercrime to businesses varies widely, depending on which study you cite. In 2009, a McAfee study estimated the overall cost of cybercrime to be as much as $1 trillion on a global basis, based on a survey of CIOs in several countries.
A recent study conducted by Ponemon Institute for ArcSight and reported in Network World looked at forty-five organizations in the United States and found that average cost to an individual organization is $3.8 million per year. This number did not include the cost of preventative measures such as anti-virus and firewalls, but just direct costs of responding to, mitigating and cleaning up after an attack. Whereas the average time required was fourteen days, malicious insider attacks took up to forty-two days or more.
These direct costs are really only the tip of the iceberg, though. When a company falls victim to a security breach, especially if it involves exposure of customer/client data, the cost to future business due to a damaged reputation is impossible to measure. And it's also important to recognize that in many cases, companies don't even know themselves that they've experienced losses due to malware, intrusions and other criminal activities because the attacks are designed to be surreptitious. Unlike the theft of a physical object, theft of data may go unnoticed if the original is left in place. These unnoticed losses may never be detected or reported.
Bringing the cost down
The answer to reducing the cost of cybercrime to all of us is simple: catch the criminals. Actually doing that is not so simple. Jurisdictional issues, privacy issues and anonymity, budget constraints and many other factors combine to make cybercrime enforcement difficult for law enforcement agencies. Few other types of crime can be committed from half way around the globe, without ever setting foot in the same country where your victim and the object of the crime are located. Better tracking of criminal activities generally also means more tracking of all Internet activity, and invasion of the privacy of legitimate Internet users. To many, that's too high a price to pay. And the monetary cost of enforcing laws in cases that span many miles add to the challenge for agencies facing tight budgets in a continuing weak economic climate.
Many of the resources allocated for fighting cybercrime are channeled into efforts to detect and prevent the most serious of cybercrimes, cyberterrorism. Because the potential losses from a successful cyberterrorist attack are so great and include loss of lives and disruption of society, it makes sense to make it a top priority. However, that means crimes that "only" involve loss of money may not get as much attention as the victims of those crimes would like.
Until these issues can be resolved, we'll keep addressing cybercrime in reactionary - rather than proactive - mode. And that means the criminals will stay one step ahead. In future columns, we'll look in more detail at these issues and possible solutions or workarounds for each. In the meantime, the victims and potential victims of cybercrime face a tough question: Are we willing to pay the price (both monetary and non-monetary) that would be required to bring more cybercriminals to justice?