
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Posted on February 12th, 2013 by Nicole Kobie

How much does cybercrime cost the UK? Not £27bn

Judging the success of the UK’s online security strategy is difficult, a government agency has reported – and it’s no surprise given it’s using debunked statistics.
The cybercrime strategy report from the National Audit Office (NAO) looks to measure the success of the government’s efforts, looking at non-financial as well as financial measures.
“The NAO recognises, in particular, that there are some challenges in establishing the value for money of the cybersecurity strategy,” the agency said. “There is the conceptual problem that, if cyber-attacks do not occur, it will be difficult to establish the extent to which that was down to the success of the strategy.”
Those challenges are worsened by the NAO’s own use of bad data, and the misquoting of reports within its own analysis.
The NAO cites the cost of cybercrime as between £18bn and £27bn – two figures that are respectively inaccurate and thoroughly debunked.
The £27bn figure is from a 2011 Detica report commissioned by the Cabinet Office, which has been widely dismissed as “scaremongering” (Light Blue Touchpaper: http://www.lightbluetouchpaper.org/2012/06/18/debunking-cybercrime-myths/) and a “sales exercise” (ZDNet: http://www.zdnet.com/cybercrime-cost-estimate-is-sales-exercise-say-experts-3040091866/).
The second figure, of £18bn, comes from a University of Cambridge report (http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf) commissioned by the government entirely to debunk the Detica report, a fact that is clear to anyone reading as far as five paragraphs in. However, that figure is also inaccurate and misleading.
First, the Cambridge report shows the figures in dollars, so at the very least it should be $18bn, not £18bn.
Second, the report authors specifically advise against adding up all of the numbers it provides, saying it would be “entirely misleading to provide totals lest they be quoted out of context, without all the caveats and caution that we have provided”.
And that, of course, is exactly what has happened. The $18bn figure is made up of four parts: transactional crime, such as card fraud and “loss of consumer confidence”, makes up more than $3bn; the cost of infrastructure and protections such as antivirus accounts for $1.2bn; more traditional crime, such as tax and benefit fraud, shifting to the internet adds more than $14bn; and “genuine” cybercrime, such as online banking fraud and botnets, costs the UK an estimated $164m a year – less than consumers spend on antivirus.
The NAO report provided two solid figures for cybercrime in the UK. The Serious Organised Crime Agency prevented a “potential economic loss” of £500m last year, while individuals reported £292m of attempted online fraud to Action Fraud. Those numbers don’t include all the costs of cybercrime, which are hard to collect, as companies aren’t required to report data breaches.
Getting the numbers straight is key, as the government has laid out £650m in funding to 2015 to secure networks and educate the public – as well as to help UK businesses grab a slice of the “growing market in cybersecurity”.


The National Audit Office (NAO) has today released a report examining the government’s £650m cybersecurity strategy, looking to judge whether or not it’s working and offers good value for money.

That is a tough task, as there’s no easy way to calculate the cost of cybercrime — a fact the agency admits. “The NAO recognises, in particular, that there are some challenges in establishing the value for money of the cybersecurity strategy,” the agency said. “There is the conceptual problem that, if cyber-attacks do not occur, it will be difficult to establish the extent to which that was down to the success of the strategy.”


The NAO repeatedly cites the cost of cybercrime as between £18bn and £27bn — two figures that are respectively inaccurate and thoroughly debunked.

The £27bn figure is from a 2011 Detica report commissioned by the Cabinet Office, which has been widely dismissed as “scaremongering” and a “sales exercise” — Detica is owned by BAE Systems, a security and defence firm.


The second figure, of £18bn, comes from a University of Cambridge report that was commissioned by the government purely to verify the accuracy of the Detica report. That figure is also inaccurate and misleading for two reasons. First, the Cambridge report shows the figures in dollars, so at the very least it should be $18bn, not £18bn. Second, the report’s authors specifically advise against adding up all of the numbers it provides, saying it would be “entirely misleading to provide totals lest they be quoted out of context, without all the caveats and caution that we have provided”.

And that, of course, is exactly what has happened.

The $18bn figure is made up of four parts: transactional crime, such as card fraud and “loss of consumer confidence”, makes up more than $3bn; the cost of infrastructure and protections such as antivirus accounts for $1.2bn; more traditional crime, such as tax and benefit fraud, shifting to the internet adds more than $14bn; and “genuine” cybercrime, such as online banking fraud and botnets, only costs the UK an estimated $164m a year – less than consumers spend on antivirus software.

Getting the numbers straight is key, so we and the government don’t end up spending more on security protection than it actually costs us. For the current strategy, the government has laid out £650m in funding to 2015 to secure networks, as well as to educate the public and help UK businesses grab a slice of the “growing market in cybersecurity”.

Reports such as these that keep using artificially inflated numbers — from security firms — don’t help the education remit, but they certainly might help the latter.


Posted in: Newsdesk


3 Responses to “ How much does cybercrime cost the UK? Not £27bn ”

  1. Davidbb Says:
    February 13th, 2013 at 8:10 am

    As always the devil is in the detail.

     
  2. Santa Says:
    February 14th, 2013 at 8:44 am

    When I ran a warehouse in the 80s we estimated that we were ‘losing’ £15,000 to £20,000 of stock every year. We did not know how much was accounting (dispatched but not invoiced) or theft.

    The auditors wanted me to employ security at an estimated cost of £25,000 to stop it.

     
  3. invalidscreenname Says:
    February 14th, 2013 at 4:04 pm

    Santa–The Auditors clearly can’t do their job then, look at the numbers.
    Some discreet recording equipment, and checking of invoices would be cheaper and just as effective

     
