Abstract
This chapter documents what we believe to be the first systematic study of the costs of cybercrime. The initial workshop paper was prepared in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem. For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs – both to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now “cyber” because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly. As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/euros/dollars a year; transitional frauds cost a few pounds/euros/dollars; while the new computer crimes cost in the tens of pence/cents. However, the indirect costs and defence costs are much higher for transitional and new crimes. For the former they may be roughly comparable to what the criminals earn, while for the latter they may be an order of magnitude more. As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around $2.7 million, while worldwide expenditures on spam prevention probably exceeded a billion dollars. We are extremely inefficient at fighting cybercrime; or to put it another way, cyber-crooks are like terrorists or metal thieves in that their activities impose disproportionate costs on society. Some of the reasons for this are well-known: cybercrimes are global and have strong externalities, while traditional crimes such as burglary and car theft are local, and the associated equilibria have emerged after many years of optimisation. As for the more direct question of what should be done, our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response – that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The UK Proceeds of Crime Act does not allow an offender’s costs to be deducted from the amount he is deemed to owe the state.
- 2.
Banks may like to describe impersonation as “identity theft” as it carries with it an implied liability shift – that it wasn’t the bank’s money that was stolen but the customer’s identity. This is controversial; as well as dumping liability it increases the fear of crime. Victimisation studies, such as the BCS and GetSafeOnline, show considerable public anxiety about card fraud and impersonation.
- 3.
The US Identity Theft Resource Center studies the time taken by victims to repair damage caused by identity theft. In 2004, it was more than 300 h; in 2008, 76 h; and in 2009, 68 h [16]. This survey, although interesting, is rather limited in that there were just 203 victims reporting their experiences and they were all assisted by the ITRC, and so might have been reasonably efficient at dealing with their problems.
- 4.
Money mule is a term for people hired by criminals to cash out stolen assets or engage in money laundering, often without knowing that their activity is illegal.
- 5.
Source: Office for National Statistics, 2011, total excluding automotive fuel
- 6.
This number is now considered extremely suspect. Florêncio and Herley have shown that this type of estimate has been regularly over-estimated by using small sample sizes and failing to deal appropriately with outliers [15].
- 7.
- 8.
- 9.
Note, this revenue is split among a number of actors. Roughly 35–40 % is typically paid to advertisers (driving investments in botnets and other cybercrime support infrastructure), 20 % goes to suppliers and shipping, and 10–15 % goes to bank discount and agent fees for payment card processing. After a range of indirect costs, net revenue for operators is typically 10–20 % of gross [41].
- 10.
In a VAT fraud goods such as mobile phones are imported into the UK. They are sold on within the UK, VAT paid on this sale (15 to 20 % at various times) which should be paid to the taxman is pocketed by criminals who shut down the company and disappear. The recipient can now re-export the phones and claim back the VAT (doubling the criminal’s take) – and the same batch of goods can then be cycled round again and again, hence the carousel term.
- 11.
Many estimates of the total number of machines that are affected have relied on counting the number of unique IP addresses that show up in botnet activity. We now know that this overestimates the size of the problem, often by an order of magnitude. Dynamic IP address allocation can cause the same infected machine to show up under many different IP addresses. When the Dutch police took down Bredolab, it was claimed that the botnet had infected 30 million machines in about 2 years. In reality, the evidence suggests that it was around three million machines.
- 12.
Some of these costs are directly related, and proportional, to the infection of machines. ISPs also bear indirect losses and more general defence costs, which do not vary with the outbreak of botnet infections.
- 13.
The precise choice of currency isn’t important given the accuracy of the figures available to us; we can be reasonably sure we have got the orders of magnitude right, and often the binary order of magnitude, but not much beyond that.
References
Alvarez, L.: With personal data in hand, thieves file early and often. The New York Times. http://www.nytimes.com/2012/05/27/us/id-thieves-loot-tax-checks-filing-early-and-often.html (2012)
Anderson, R., Böhme, R., Clayton, R., Moore, T.: Security economics and the internal market. http://www.enisa.europa.eu/act/sr/reports/econ-sec/economics-sec (2008)
Brynjolfsson, E., Saunders, A.: Wired for Innovation: How Information Technology Is Reshaping the Economy. MIT, Cambridge (2009)
Bushnell, T.: How Google developers use Ubuntu. http://www.ubuntuvibes.com/2012/05/how-google-developers-use-ubuntu.html (2012)
Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring pay-per-install: the commoditisation of malware distribution. In: Proceedings of the 20th USENIX Conference on Security, SEC’11, Berkeley. USENIX Association (2011)
Canalys Inc.: Enterprise security market to exceed $22 billion in 2012. http://www.canalys.com/static/press_release/2011/canalys-press-release-201211-enterprise-security-market-exceed-22-billion-2012.pdf (2011)
Communications Fraud Control Association: 2011 Global fraud loss survey. http://www.cfca.org/fraudlosssurvey/ (2011)
Consumers Union: State of the ‘net’ survey ’07. Consum. Rep. 9, 28–34 (2007)
Detica and Office of Cyber Security and Information Assurance: The cost of cyber crime. http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime (2011)
Eliot, C.: Kim Dotcom – pirate or enabler? http://www.nzherald.co.nz/auckland-region/news/article.cfm?l_id=117&objectid=10784190 (2012)
European Commission: Towards a general policy on the fight against cyber crime. COM(2007) 267 final. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2007:0267:FIN:EN:PDF (2007)
Fallows, J.: Hacked! The Atlantic. http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/ (2011)
Federal Bureau of Investigation: International cooperation disrupts multi-country cyber theft ring. Press release. http://www.fbi.gov/news/pressrel/press-releases/international-cooperation-disrupts-multi-country-cyber-theft-ring (2010)
Florêncio, D., Herley, C.: Evaluating a trial deployment of password re-use for phishing prevention. In: Cranor, L.F. (ed.) Proceedings of the Anti-phishing Working Groups 2nd Annual eCrime Researchers Summit, Pittsburgh, vol. 269, pp. 26–36, 4–5 Oct 2007. ACM (2007)
Florêncio, D., Herley, C.: Sex, lies and cyber-crime surveys. In: 10th Workshop on the Economics of Information Security, Fairfax (2011)
Foley, L., Barney, K., Foley, J., Leeii, J., Fergerson, J., Sarrel, M., Nelson, C., Frank, M.: Identity theft: the aftermath 2009. http://www.idtheftcenter.org/artman2/uploads/1/Aftermath_2009_20100520.pdf (2010)
Forrester Data: Consumer attitudes toward spam in six countries. http://www.bsacybersafety.com/files/Forrester_Consumer_Spam.pdf (2004)
Frost and Sullivan: Increasing security needs of enterprises to fuel growth in the world content filtering market. Press release. http://www.frost.com/prod/servlet/press-release.pag?Src=RSS&docid=84071018 (2006)
Gözenoglu, M., Morawe, R.: The German Anti-Botnet Advisory Center. Presentation at ‘Internet Security Days’, 13–15 Sept 2011, Brühl. http://www.internet-security-days.com/templates/downloads/session-2011/110913_Goezenoglu_Morawe_ABBZ.pdf (2011)
Herley, C., Florêncio, D.: Nobody sells gold for the price of silver: dishonesty, uncertainty and the underground economy. In: Proceedings (online) of the Workshop on Economics of Information Security. http://research.microsoft.com/pubs/80034/nobodysellsgoldforthepriceofsilver.pdf (2009)
Home Office: The economic and social costs of crime against individuals and households 2003–2004. http://webarchive.nationalarchives.gov.uk/20110218135832/http://rds.homeoffice.gov.uk/rds/ecom_soc_cost.html (2005)
House of Lords European Union Committee: Stopping the carousel: missing trader fraud in the EU. 20th Report of Session 2006–2007 (2007)
Huygen, A., Rutten, P., Huveneers, S., Limonard, S., Poort, J., Leenheer, J., Janssen, K., van Eijk, N., Helberger, N.: Ups and downs – economic and cultural effects of file sharing on music, film and games. TNO report 34782 http://www.ivir.nl/publicaties/vaneijk/Ups_And_Downs_authorised_translation.pdf (2009)
Innes, M.: Signal crimes and signal disorders: notes on deviance as communicative action. Br. J. Sociol. 55, 335–355 (2004)
Institute for the Prevention of Crime: Cost of the criminal justice system. http://www.socialsciences.uottawa.ca/ipc/eng/cost_of_the_criminal_justice_system.asp (2012)
Irish, H.: Machine learning to classify fraudulent websites. 3rd Year Project Report, Computer Laboratory, University of Cambridge (2012)
Kalapesi, C., Willersdorf, S., Zwillenberg, P.: The connected kingdom: how the Internet is transforming the U.K. economy. http://www.connectedkingdom.co.uk/the-report (2010)
Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G.M., Paxson, V., Savage, S.: Spamalytics: an empirical analysis of spam marketing conversion. In: Proceedings of the ACM Conference on Computer and Communications Security, Alexandria (2008)
Kanich, C., Weaver, N., McCoy, D., Halvorson, T., Kreibich, C., Levchenko, K., Paxson, V., Voelker, G.M., Savage, S.: Show me the money: characterizing spam-advertised revenue. In: Proceedings of the USENIX Security Symposium, San Francisco (2011)
Khan, A., Hunt, J.: UK online fraud report 2012. http://forms.cybersource.com/forms/FraudReport2012UKUKwebwww2012 (2012)
Krebs, B.: SpamIt, Glavmed pharmacy networks exposed. Krebs on security blog. http://krebsonsecurity.com/2011/02/spamit-glavmed-pharmacy-networks-exposed/ (2011)
Krebs, B.: Who’s behind the world’s largest spam botnet? Krebs on security blog. http://krebsonsecurity.com/2012/02/whos-behind-the-worlds-largest-spam-botnet/ (2012)
Kuksov, D.: Buyer search costs and endogenous product design. Mark. Sci. 23(4), 490–499 (2004)
Leontiadis, N., Moore, T., Christin, N.: Measuring and analyzing search-redirection attacks in the illicit online prescription drug trade. In: Proceedings of the USENIX Security, San Francisco (2011)
Levchenko, K., Chachra, N., Enright, B., Felegyhazi, M., Grier, C., Halvorson, T., Kanich, C., Kreibich, C., Liu, H., McCoy, D., Pitsillidis, A., Weaver, N., Paxson, V., Voelker, G.M., Savage, S.: Click trajectories: end-to-end analysis of the spam value chain. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland (2011)
Levi, M.: Social reactions to white-collar crimes and their relationship to economic crises. In: Deflem, M. (ed.) Economic Crisis and Crime, pp. 87–105. The JAI Press/Emerald, London/Bingley (2011)
Levi, M., Burrows, J.: Measuring the impact of fraud in the UK: a conceptual and empirical journey. Br. J. Criminol. 48, 293–318 (2008)
Leyden, J.: Russian bookmaker hackers jailed for eight years. http://www.theregister.co.uk/2006/10/04/russian_bookmaker_hackers_jailed/ (2006)
Lieber, E., Syverson, C.: Online vs. Offline Competition. In: Peitz, M., Waldfogel, J. (eds.) The Oxford Handbook of the Digital Economy. Oxford University Press, New York (2012)
M86 Security Labs: Canadian pharmacy no longer king. http://www.m86security.com/labs/traceitem.asp?article=1316 (2010)
McCoy, D., Pitsillidis, A., Jordan, G., Waver, N., Kreibich, C., Krebs, B., Voelker, G.M., Savage, S., Levchenko, K.: PharmaLeaks: understanding the business of online pharmaceutical affiliate programs. In: Proceedings of the USENIX Security Symposium, Bellevue (2012)
Microsoft Inc.: Microsoft security intelligence report, vol. 10 (2010). http://www.microsoft.com/security/sir/
Microsoft Inc.: Microsoft security intelligence report, vol. 9 (2010). http://www.microsoft.com/security/sir/
Moore, T., Clayton, R.: Examining the impact of website take-down on phishing. In: Cranor, L.F. (ed.) Proceedings of the Anti-Phishing Working Groups 2nd Annual eCrime Researchers Summit, Pittsburgh, vol. 269, pp. 1–13, 4–5 Oct 2007. ACM (2007)
Moore, T., Clayton, R., Anderson, R.: The economics of online crime. J. Econ. Perspect. 23(3), 3–20 (2009)
National Commission on Terrorist Attacks Upon the United States: The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks upon the United States. W.W. Norton, New York (2004)
Oberholzer-Gee, F., Strumpf, K.: File-sharing and copyright. Harvard Business School Working Paper 09–132. http://www.hbs.edu/research/pdf/09-132.pdf (2009)
Peel, M.: Nigeria-Related Financial Crime and its links with Britain. Chatham House Report, London (2006)
Samosseiko, D.: The Partnerka – What is it, and why should you care? In: Proceedings of the Virus Bulletin Conference, Geneva (2009)
Snow, G.: Cyber security: threats to the financial sector. Testimony before the House Financial Services Committee. http://financialservices.house.gov/UploadedFiles/091411snow.pdf (2011)
Stiglitz, J.E., Bilmes, L.J.: The Three Trillion Dollar War: The True Cost of the Iraq Conflict. W.W. Norton, New York (2008)
Stone-Gross, B., Abman, R., Kemmerer, R.A., Kruegel, C., Steigerwald, D.G., Vigna, G.: The underground economy of fake antivirus software. In: 10th Workshop on the Economics of Information Security, Fairfax (2011)
Symantec: MessageLabs Intelligence Report. http://www.symanteccloud.com/mlireport/MLI_2010_06_June_FINAL.pdf (2010)
Taylor, J.: Overseas cyber-crimewave taking £600 million a year from the taxman. The Independent (2011). http://www.independent.co.uk/news/uk/crime/overseas-cybercrimewave-taking-600m-a-year-from-thetaxman-6271552.html
Van Eeten, M., Bauer, J.M.: Economics of malware: Security decisions, incentives and externalities. Tech. Rep. OECD STI Working Paper 2008/1, OECD, Paris. http://www.oecd.org/dataoecd/53/17/40722462.pdf (2008)
Van Eeten, M., Bauer, J.M., Asghari, H., Tabatabaie, S.: The role of Internet service providers in Botnet mitigation: an empirical analysis based on spam data. Tech. Rep. s0 STI Working Paper 2010/5, OECD, Paris. http://www.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=DSTI/DOC(2010)5&docLanguage=En (2010)
Van Eeten, M., Asghari, H., Bauer, J.M., Tabatabaie, S.: Internet service providers and Botnet Mitigation: a fact-finding study on the Dutch market. The Hague: Ministry of Economic Affairs. http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/01/13/internet-service-providers-and-botnet-mitigation.html (2011)
Vancouver Sun: Online drugs can prove deadly: Coroner. http://www.canada.com/vancouversun/news/story.html?id=ddadbf8a-bdac-45c4-a566-36acd8ffd72b (2007)
Wondracek, G., Holz, T., Platzer, C., Kirda, E., Kruegel, C.: Is the Internet for porn? An insight into the online adult industry. In: Proceedings (online) of the 9th Workshop on Economics of Information Security, Cambridge http://weis2010.econinfosec.org/papers/session2/weis2010_wondracek.pdf (2010)
Zittrain, J.: The Future of the Internet: And How to Stop It. Allen Lane, London (2008)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Anderson, R. et al. (2013). Measuring the Cost of Cybercrime. In: Böhme, R. (eds) The Economics of Information Security and Privacy. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39498-0_12
Download citation
DOI: https://doi.org/10.1007/978-3-642-39498-0_12
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39497-3
Online ISBN: 978-3-642-39498-0
eBook Packages: Computer ScienceComputer Science (R0)