
Research Redux: Examining the Cost of Cybercrime


Research Redux reviews academic articles to identify scientific findings, uncover new data sources, and reflect on how to measure and mitigate cyber risk.

I’ve been researching cyber insurance from an academic perspective since I started my PhD titled "The Economics of Cyber Risk Transfer" in 2015. Once you learn how to navigate academic publishing, I believe there’s a lot of valuable insight to be found. Rather than compete to publish the latest insights—which industry sources are better placed to do—academia excels at critically weighing evidence and identifying underlying trends. At its best, this provides new concepts and approaches to thinking about a problem.

Our first post looks at the seminal article on the cost of cybercrime, which has been cited over 700 times. This sets the stage for future posts that zoom in on particular cybercrimes or methodologies.

Measuring the (changing) cost of cybercrime

Workshop on the Economics of Information Security (2019) — Anderson, Ross, Chris Barton, Rainer Böhme, Richard Clayton, Carlos Ganán, Tom Grasso, Michael Levi, Tyler Moore, and Marie Vasek.

Key takeaways

  • Measuring cybercrime is messy. It is not clear which crimes should be included, let alone where to identify reliable data sources.

  • "The new computer crimes cost in the tens of cents" per citizen; this result held even when the study was repeated in 2019.

  • Online "payment frauds and similar offenses" are considerably more costly, in the tens of dollars per citizen, while tax fraud costs in the hundreds of dollars per citizen.

  • Data sources for the big loss drivers for insurers are lacking—things like business interruption, crisis response costs, breach litigation and so on.

There is no authoritative source for the cost of cybercrime. This means many actors publish estimates using a range of methodologies, data sources and definitions of what crimes should be included.

In 2011, a security consultancy estimated the annual cost of cybercrime to the UK at £27 billion (about 1.8% of GDP), which was greeted with skepticism. In response, the Chief Scientist at the UK Ministry of Defence asked a group of academics to conduct an independent study.

Anderson et al. conducted the first systematic study of the costs of cybercrime, pulling together evidence from across academic, industry and government sources. The original study was published in 2012 and was repeated in 2019. 

Findings

In the 2019 study, the authors quantify the cost of 22 different crimes and frauds, citing data sources for each, and focusing on scams and frauds impacting individuals rather than corporations.

[Table: Research Redux Cyber Crime Cost Table (US version). Data extracted from Anderson et al. Note the authors report a mixture of £ and $ estimates; the bracketed (US/UK) markers indicate that an estimate covers losses in that country only.]

The authors do not provide a single figure for the aggregate cost of cybercrime. This is partly because the line between cyber and conventional crime is blurry, and also because some costs are more uncertain than others. For example, the authors quote the FBI’s estimate that $7.1m was lost to anti-virus fraud in the US, whereas only an order of magnitude is reported for advance fee fraud (in the low hundreds of millions of dollars).

Despite the intellectual humility, actuaries involved in cyber insurance may raise an eyebrow at the ransomware losses, which were estimated at “well over $10 million” in the 2019 study. This low estimate is likely caused by reporting delays from secondary literature. 

The authors report on two data sources for ransomware losses:

  • “Research done by Liao et al. on CryptoLocker, a particular Bitcoin-based ransomware program, from a 5 month period 2013 through 2014 showed $300,000-$1,100,000 lost to this malware”

  • “Huang et al. found $16m in criminal revenue due to ransomware via cryptocurrencies over a period of 2 years from 2015-2017”

This means the data informing the ransomware loss estimate was collected at latest in 2017.

The authors suggest that, when combined with payments to criminals, the total direct ransomware losses "may be one to two orders of magnitude higher." This would be anywhere from $10m to $150m. With hindsight, we know that the ransomware epidemic was about to hit firms across the UK and US, causing spikes in loss ratios among cyber insurers and total claims in the billions of dollars.

It can be sobering to look beyond losses aggregated across the economy. For example, even $10 billion of ransomware losses sounds alarming, but this would be less than $1.30 per person globally or $30 per US citizen. Comparing cybercrime losses to other types of societal harm could be another useful exercise in helping us quantify and contextualize loss/cost.

Pulling the data sources together, the authors estimate that:

“tax and welfare fraud cost the typical citizen in the low hundreds of Euros/dollars a year; payment frauds and similar offenses … cost in the tens; while the new computer crimes cost in the tens of cents."

These provocative estimates depend on how crimes are grouped and which data sources are used. Is business email compromise a payment fraud or a new computer crime? Similarly, more up-to-date and accurate ransomware losses would lead to higher estimates of the new computer crime costs. Future Research Redux posts will cover more quantitative cybercrime studies to triangulate towards ground truth on these estimates.

The authors also quantify the cost of defending against cybercrime: common scams cost in the "tens of cents/pence per year per head of population," whereas the cost of securing systems is "in the tens of dollars a year." This leads the authors to suggest:

"it would be economically rational to spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more on response."

This recommendation was independently put into practice by cyber insurers. The cyber insurance industry has invested more resources into coordinating incident response teams to help policyholders than it has focused on subsidizing security solutions (e.g. antivirus or firewall).

Outlook

Understanding the existing and emerging academic literature can benefit not only academic communities but also security practitioners. Contextualizing research alongside practice helps us to understand cyber risk and the importance of our collective efforts to manage and mitigate that risk. In particular, the work of Anderson et al. helps us to map out the costs of cybercrime. However, it does not provide a definitive answer. 

The authors are pretty clear about the limitations in their data. The report uses crime reports published by law enforcement, such as the FBI’s Internet Crime Complaint Center, even though individuals inconsistently report cybercrime to authorities. This raises the possibility that these figures under-count the true cost of cybercrime to individuals, an issue Research Redux will return to.
