Cyber crime and espionage racks up between $300bn and $1tn in annual global losses, a study has revealed.
Security firm McAfee sponsored the study by the Center for Strategic and International Studies (CSIS) to quantify the economic impact of cyber crime after years of guesswork.
The CSIS enlisted the help of economists, intellectual property experts and security researchers to build an economic model and methodology, which revealed the global losses are lower than previously thought.
For some time the loss has been pegged at $1tn, but the study report revealed that this is really the upper limit.
The report also puts the cost in context of global GDP, pointing out that it represents only 0.4% to 1.4%, compared with $600bn in losses due to drug trafficking, which represents 5% of global GDP.
The report’s authors noted the difficulty of relying on methods such as surveys because companies that reveal their cyber losses often cannot estimate what has been taken, intellectual property losses are difficult to quantify and the self-selection process of surveys can distort the results.
Read more on the cost of cyber crime
- Cyber crime costing SMEs £785m
- 2012 Cost of Cyber Crime Study: UK
- Government launches cyber awareness campaign
- Infosec 2013: Cost of cyber breaches rises three-fold, research shows
- Number and cost of data breaches linked to cyber skills shortage
- Cyber attacks on trust could cost top firms $398m, says Ponemon
- Small firms lose up to £800m to cyber crime, says FSB
For the purposes of the research, CSIS classified malicious cyber activity into six areas:
- The loss of intellectual property;
- Cyber crime;
- The loss of sensitive business information, including possible stock market manipulation;
- Opportunity costs, including service disruptions and reduced trust for online activities;
- The additional cost of securing networks, insurance and recovery from cyber attacks;
- Reputational damage to the hacked company.
Measuring the losses associated with cyber attacks
“We believe the CSIS report is the first to use actual economic modeling to build out the figures for the losses attributable to malicious cyber activity,” said Mike Fey, executive vice-president and chief technology officer at McAfee.
“Other estimates have been bandied about for years, but no one has put any rigor behind the effort. As policy-makers, business leaders and others struggle to get their arms around why cyber security matters, they need solid information on which to base their actions,” he said.
The new study recognises that the cost of malicious cyber activity involves more than the loss of financial assets or intellectual property, and takes into account damage to brand and reputation, consumer losses from fraud, the opportunity costs of service disruptions “cleaning up” after cyber incidents and the cost of increased spending on cyber security.
“This report is also the first to connect malicious cyber activity with job losses,” said James Lewis, director and senior fellow, technology and public policy program at CSIS, and a co-author of the report.
Some 508,000 US jobs alone are potentially lost each year from cyber espionage
The authors estimate that 508,000 US jobs alone are potentially lost each year from cyber espionage.
“As with other estimates in the report, however, the raw numbers might tell just part of the story. If a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effects could be more wide ranging,” said Lewis.
Cyber crime damage reaches beyond financial cost
While this first CSIS report builds a model to scope the direct losses from cyber crime and cyber espionage, a second report will look at the ramifications of cyber security losses on the pace of innovation, the flow of trade and the social costs associated with crime and job losses.
The report's authors said that putting a number on the cost of cyber crime and cyber espionage is the headline, but the heart of the matter is the effect on trade, technology and competitiveness.
“Answering these questions will help us put the problem in its strategic context,” they wrote.
While the cost of cyber crime and cyber espionage to the global economy is likely billions of dollars every year, the dollar amount may not fully reflect damage to the global economy, the report said.
Cyber espionage and crime may slow the pace of innovation, distort trade and create social costs from job losses, and this larger effect may be more important than any actual number and it will be the focus of the second CSIS report.