Ross Anderson et al. released a new paper today titled “Measuring the Cost of Cybercrime,” to be presented at the 2012 Workshop on the Economics of Information Security.
If you have not followed the WEIS body of work, I encourage you to do so. The macroeconomics perspective will make you think differently about our field. Anderson and Moore’s 2011 survey paper is a good place to start.
Most of my perspective is enterprise-focused, while Anderson et al.’s perspective is heavily consumer-focused with a bent toward social/political/global impacts. Their paper was developed in response to a query from the UK government, and thus the spin is more public policy guidance than actionable data for Information Security Officers. However, there are still a few worthwhile observations for enterprise information security.
First, be sure to read the section on terminology. They describe explicit costs as “direct costs” (both direct cash outlays and time spent by existing staff) and use “indirect costs” to refer to both implicit costs and opportunity costs.
Second, recognize all the figures are incredibly gross estimates. I’m not even going to quote any of their figures here, because taking those figures out of context lends them a credibility they don’t deserve. If you’re interested in more detail and estimates, refer to their paper and consider the sources and caveats.
Reputation damages: Anderson et al. do include costs to merchants due to loss of reputation following a breach. The primary source data is a Eurostat survey that estimates 16% of all individuals in the UK do not use online banking due to security concerns, combined with an estimate that each online customer saves a bank $70. Damages due to reputation loss are only considered in the context of banking and payment card breaches.
I’m confused by the data sources referenced here. There are a number of studies that use public companies’ stock prices as a proxy for reputation (example); these are more tangible results than the per-industry approach used. Perhaps because the existing studies are US-centric and they were searching for UK references?
Intellectual property losses: The report also considered the cost of intellectual property losses, but concluded there is “no reliable evidence of the extent or cost of industrial cyber-espionage” and thus does not include any IP loss figures. The language is a tad snobbish and denigrates the existing attempts to bracket potential costs due to IP losses.
I’m disappointed with this conclusion. I don’t disagree with the assessment that there is little tangible data, but no reasonable person can agree the cost of intellectual property loss is zero.
Conclusions: The primary conclusion is a table of cost estimates, which is largely irrelevant for enterprises. One secondary conclusion is that “we should spend less [on protection] and spend more on [detection and response]” due to the difference between the cost of a data breach to the victim and the value of the data breach to an intruder.
Those of you who have heard me speak may have seen me refer to the cost vs. value of a data breach, and its impact on probability in risk assessments. (For blog readers, I’ll get a post up one day outlining the chain of logic.) I’m pleased to see that detail, at least.
All in all, I’m pleased to see Anderson et al. weigh in on the discussion of costs. I have long respected Anderson’s clear thinking and wisdom on structural problems in information security. I am disappointed with their data sources and estimation methods (“So we’ll hazard a figure of $10B, bearing in mind that only the order of magnitude is probably right”), since the selection of any figure implies a rigor and accuracy that is impossible. However, policy-makers must still make policy, and lack of data does not absolve them of the responsibility to do so. I recognize the need to present something, even if the uncertainty is high.