Measuring the Cost of Cybercrime

This chapter documents what we believe to be the first systematic study of the costs of cybercrime. The initial workshop paper was prepared in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem. For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs – both to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now “cyber” because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly. As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/euros/dollars a year; transitional frauds cost a few pounds/euros/dollars; while the new computer crimes cost in the tens of pence/cents. However, the indirect costs and defence costs are much higher for transitional and new crimes. For the former they may be roughly comparable to what the criminals earn, while for the latter they may be an order of magnitude more. As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around $2.7 million, while worldwide expenditures on spam prevention probably exceeded a billion dollars. We are extremely inefficient at fighting cybercrime; or to put it another way, cyber-crooks are like terrorists or metal thieves in that their activities impose disproportionate costs on society. 
Some of the reasons for this are well-known: cybercrimes are global and have strong externalities, while traditional crimes such as burglary and car theft are local, and the associated equilibria have emerged after many years of optimisation. As for the more direct question of what should be done, our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response – that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail.
