The cost of protection against cyber crime can far exceed the cost of the threat itself, a Cambridge University-led international study has concluded.
The first systematic study of the cost of cyber crime recommends that less should be spent on anti-virus software and more on policing the internet and catching cyber criminals.
“Advances in information technology are moving many social and economic interactions, such as fraud or forgery, from the physical worlds to cyberspace,” said lead author of the study report Ross Anderson, professor of security engineering at the University of Cambridge’s computer laboratory.
“As countries scramble to invest in security to minimise cyber risks, governments want to know how large that investment should be and where the money should be spent," Ross Anderson said.
However, the study found many existing sources of data either under- or over-inflated estimates of the scale of the risk.
For example, a report released in February 2011 by the BAE subsidiary Detica, in partnership with the Cabinet Office’s Office of Cybersecurity and Information Assurance, suggested the overall cost to the UK economy from cyber crime is £27bn a year.
But many industry experts have questioned the £27bn figure as being too high and lacking in methodology.
The Cambridge study was carried out at the request of the UK Ministry of Defence. The researchers avoided giving a single figure for the cost of cyber crime, because the total depends on what is counted.
Instead, they suggested that fraud in welfare and tax systems – increasingly performed in the cyber world – costed each citizen a few hundred pounds a year on average.
Fraud associated with payment cards and online banking costs just a few tens of pounds a year. But the fear of fraud by businesses and consumers is leading some to avoid online transactions, imposing an indirect cost on the economy that is several times higher.
By contrast, true cyber crime – scams that completely depend on the internet – are only costing citizens an average of a few tens of pence a year directly, while the indirect costs – such as the money spent on anti-virus software – can be a hundred times that.
The report found that, each year, the UK spends $1bn on efforts to protect against or clean up after a threat, including $170 million on anti-virus. By contrast, just $15m is spent on law enforcement.
The study concludes that cyber criminals – often only a small number of gangs – are pulling in a few tens of pounds from every citizen a year. But the indirect costs to those citizens – either in protective measures such as anti-virus or in cleaning up infected PCs – is at least ten times as much.
The Cambridge scientists, working with colleagues in Germany, the Netherlands, the USA and elsewhere in the UK, considered all the main types of cyber crime. They collected figures for direct and indirect costs for each, including the cost of defending against it.
“Some police forces believe the problem is too large to tackle," said Anderson.
"In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase anti-virus software.
"Cyber crooks impose disproportionate costs on society and we have to become more efficient at fighting cyber crime."
The report is to be presented on 25 June, at the Workshop on the Economics of Information Security in Berlin, Germany.