In 2012 we presented the first systematic study of the costs of cybercrime. We have now repeated our study, to work out what’s changed in the seven years since then.
Measuring the Changing Cost of Cybercrime will appear on Monday at WEIS. The period has seen huge changes, with the smartphone replacing the PC and laptop as the consumer terminal of choice, with Android replacing Windows as the most popular operating system, and many services moving to the cloud. Yet the overall pattern of cybercrime is much the same.
We know a lot more than we did then. Back in 2012, we guessed that cybercrime was about half of all crime, by volume and value; we now know from surveys in several countries that this is the case. Payment fraud has doubled, but fallen slightly as a proportion of payment value; the payment system has got larger, and slightly more efficient.
So what’s changed? New cybercrimes include ransomware and other offences related to cryptocurrencies; travel fraud has also grown. Business email compromise and its cousin, authorised push payment fraud, are also growth areas. We’ve also seen serious collateral damage from cyber-weapons such as the NotPetya worm. The good news is that crimes that infringe intellectual property – from patent-infringing pharmaceuticals to copyright-infringing software, music and video – are down.
Our conclusions are much the same as in 2012. Most cyber-criminals operate with impunity, and we have to fix this. We need to put a lot more effort into catching and punishing the perpetrators.
Our new paper is here. For comparison the 2012 paper is here, while a separate study on the emotional cost of cybercrime is here.
With a few cyber models, we’ve seen a common operating model adjust its most-likelies from physical payment card stripe fraud to extortion to CNP/account fraud over the last decade. Everything converges in the various threat communities, whether criminal, espionage, or cyber physical systems. Keep up the great research!
Our paper was picked up in a Guardian editorial on June 4th, which points out that the systematic under-reporting of cybercrime in the UK from 2005-15 helped Theresa May become Prime Minister. Despite cutting police numbers by 20,000 she was able to claim she’d cut crime; the truth was that it was just going online, like everything else, and the online stuff wasn’t being counted.
Also picked up by John Naughton.