Does cyber crime really cost £27 billion a year?

gallery

A number of security experts have questioned the £27 billion figure placed on the cost of cyber crime.

A Government report released today estimated in the “most likely scenario” cyber criminals cost the UK £27 billion a year.

Furthermore, the Detica-authored report said the actual cost of cyber crime is likely to be far greater than that figure.

A significant chunk of that cost is due to intellectual property theft, amounting to losses of £9.2 billion per annum, the report suggested.

Businesses take much of the hit, with £21 billion lost every year thanks to hackers' efforts, according to the estimates.

To determine the figure, Detica brought together data from sources including information from the public domain, cyber security professionals, as well as business, law enforcement agencies and economics experts.

The security firm drew up a causal model, relating different kinds of cyber crime to their impact on the UK economy.

“We used the model to may cyber crime types to a number of broad categories of economic impact, which are generally consistent with the types of parameters used in macro-economic models of the UK,” the report explained.

“We then calculated the magnitude of the cots of cyber crime using three-point estimates (worst-case, most-likely case and best-case scenarios), focusing in particular on IP theft and industrial espionage and its effect on the different industry sectors.”

Figures released by Symantec earlier this week suggested cyber crime would cost the UK economy £1.9 billion in 2011.

The varying figures on the financial impact of illegal online activity in the UK has brought into question the validity of making such estimates.

Many in the security industry believe the £27 billion suggestion to be somewhat excessive.

Mikko Hyponnen, chief research officer at F-Secure, said in a tweet he found the figure to be “very high.”

"In my view, there’s more to be gained by highlighting the potential risks and explaining how to minimise them than in alarming people with abstract numbers that may or may not reflect reality," said David Emm, senior security researcher at Kaspersky Lab UK.

Sophos, meanwhile, has called for a more efficient way of measuring the cost of cyber crime altogether.

The company’s senior technology consultant Graham Cluley called for a “proper mechanism for reporting cyber crime” before any figure is ascertained.

He suggested there was not enough detail on how Detica reached its estimates.

“An accurate measure of cyber crime is required in order to provide the proper support that computer users - in business and at home - need to defend against the threats,” Cluley said.

“Once we know the true scale of the problem, and can produce reports that aren't dealt with skepticism, we can fund the computer crime authorities appropriately, and we can begin to measure if the UK's attempts to fight the problem are really working or not.”

At the time of publication, Detica had not responded to a request for more information on how it came to the £27 billion figure.

Despite queries over the estimates, the report has been praised for spreading awareness of the threats facing UK businesses in particular.

Steve Durbin, global vice president of the Information Security Forum, said he could not comment on the figure but stressed where the report was correct was in noting the cost of cyber crime "is primarily borne by UK businesses."

"The cost of cyber crime is certainly significant and both private sector organisations and governments need to build a comprehensive picture of the threats to information security to be able to deal effectively with this growing trend," Durbin told IT PRO.

Email to a friend

Print this page