The cost of cybercrime must be taken with a grain of salt but certainly not ignored. In 2009, McAfee stated that they estimated the total global cost of cybercrime to be $1 trillion. This number is now used by public officials in citing the monetary impact of global cybercrime. The Center for Strategic and International Studies (CSIS) released information this month stating that this number could be half or three times as high (CSIS, The Economic Impact of Cybercrime and Cyber Espionage, July 2013). McAfee responded by stating that they are releasing a new study that will add more rigor to their numbers (Joseph Menn, Obama's trillion-dollar hacking costs claim exaggerated, McAfee-funded study says, July 22, 2013).
CSIS did not attempt to find the exact value of cybercrime, but rather to examine the process by which the value is quantified. Maybe someday CSIS will apply sample tests to determine a quantifiable value, but the purpose of the paper was simply to examine the methodology of cybercrime cost valuation.
Anyone who attempts to produce a quantifiable value as difficult to determine as the total cost of global cybercrime is obliged to thoroughly outline the analysis process. The report by CSIS scrutinizes the qualitative process used by other companies in publicizing a definitive value. While CSIS' conclusions are riddled with the word "probably," the exercise in qualitative scrutiny is essential to achieving more accuracy in the number. The perspective outlined by CSIS prompts (at least in my opinion) fresh thinking about the methods by which experts quantify cybercrime.
Is this a worthwhile quest? Absolutely. By attempting to get to a quantifiable value, we take on an obligation to scrutinize the qualitative analysis process. The CSIS paper leverages analogies to demonstrate its point, and to the embedded cybercrime fighter this seems quite tongue-in-cheek. However, to the brilliant analytic minds that will undoubtedly find new ways of getting to a more accurate number, the analogies help explain the problem.
Speaking from my own experience working on cybercrime cases, I often tell listeners to my presentations and training courses that I have worked five of the top-10 cyber intrusion cases of the last decade. I never list the clients with whom I have worked and if one of my listeners attempted to verify my assertion, they would not be able to use any publication to validate my statement. This is because two of the five largest cases are not published. Additionally, I can attest that the leaders of at least two of the five largest cases in the past 10 years have never responded to a survey or reported the total cost of an intrusion into their networks. They have never even reported the direct cost of their intrusion such as insurance cost, cost of security appliances or cost of investigators brought onboard to respond to the specific incident.
A great article published in Barron's by Reshma Kapadia (Reshma Kapadia, Breaking Into Cybersecurity, July 20, 2013) states that "hackers are pilfering $250 billion a year in intellectual property: weapon designs and source code."
Just in that statement, the bar is already set at the $250 billion level. How high does the bar go?
The direct costs are more easily quantified because they can be counted in a spreadsheet. Indirect costs are the sticking point because, as CSIS points out, they are not easily identified, let alone quantified. I do like how CSIS broke down the categories of quantifiable cybercrime cost:
- Loss of intellectual property
- Direct financial loss
- Loss of sensitive business information
- Service, employment, and revenue disruptions
- Security costs
- Reputation damage
Arriving at a good quantifiable value seems insurmountable in my opinion, but we are obligated as businesspeople in the global marketplace to ask and attempt to answer the question. Keep asking. Keep trying to answer.
As I visit with corporate leaders and discuss current, prior or impending compromise of their network or data, I will leverage the information in this CSIS report. Within the past 12 months, one change has become critical to my incident response plan. I work at General Dynamics Fidelis Cybersecurity Solutions, where we leverage an incident response plan that has worked for 10 years with great success in helping our clients. We figure out what happened, when it happened, where it happened, who did it and how they did it. However, over the past several years we have been met with the question "why are they doing this?" In answering this question we have made a change to our incident response plan and created a new workstream box at the end of the flowchart. This workstream is called "Damage Assessment." The sole purpose of damage assessment is to ascertain the reasons for the intrusion and the risk to indirect areas of the business. It attempts to address damage to reputation, targeted attacks against personnel, theft of business information or theft of intellectual property. Performing damage assessment is not cheap, but business leaders now understand that in a cybercrime event within their network, assessing the extent of the damage helps them mitigate the business risk in the long term.