Cybercrime budgets should be spent on policing not tech, argues study

Over-reliance on security tech, say Cambridge researchers

Cybercrime would be better tackled by boosting the puny amounts spent on global policing and criminal justice than throwing large sums at imperfect security technologies, a Cambridge University study has argued.

Anyone who works in the security industry and depends on selling products, look away now: according to Measuring the Cost of Cybercrime, from a respected group of academics including Ross Anderson and Richard Clayton, the world has over-invested in defence and clean-up at the expense of old-fashioned retribution.

The cost of cybercrime results from three calculations: the direct cost of the frauds themselves (relatively small), the money spent on defending against those frauds (much larger) and the cost of cleaning up the mess when defences fail (also relatively high).

Cybercriminals have spotted and thrived on the back of a host of weaknesses. Global policing remains fragmented and under-motivated, detection rates remain stubbornly low, while social resentment is far less significant than it would be for physical crimes such as robbery or burglary.

Consequently, organisations and individuals across the world invest heavily in defence, which includes money spent on patching, anti-spam, packet defences such as firewalls and, of course, security programs including antivirus.

Exactly how much this adds up to is a complex calculation, but the Cambridge authors estimate that the UK probably spends around £32 million ($50 million) per year on software patching alone, with consumers adding another £109 million ($170 million) in antivirus licenses.

Now add in the sums spent at ISP level filtering spam, plus the money devoted to managing and upgrading a wide range of ISP and corporate security systems, and the sums must balloon. Cleaning up after an attack - whether on a large company or single consumer - is also significant for those directly involved, perhaps as much as several hundred dollars per attack for an individual.

Comically then, even in the UK and the US - two countries noted for a robust response to cybercrime - policing budgets will reach a pathetic £10 million ($15 million) per year in the UK and $100 million per year in the US, a pitiful $400 million across the whole world. This is despite the fact that policing works as a deterrent when wielded effectively.

"As for the more direct question of what should be done, our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response, that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail," the academics argue.

This paints a picture of computer security as a gigantic security blanket, a reassuring psychological prop; we fear cybercrime, partly because we find it hard to assess its risks, and use technology to over-compensate for that lack. It's not that security systems are a bad idea per se, more that they consume huge sums of money in a piecemeal way when cheaper, traditional policing involving nabbing criminals would have more effect.

"We are extremely inefficient at fighting cybercrime; or to put it another way, cybercrooks are like terrorists or metal thieves in that their activities impose disproportionate costs on society," said the report.

"Some police forces believe the problem is too large to tackle. In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software," added Professor Ross Anderson, co-author.

The Cambridge team also debunks what it sees as inflated estimates of the cost of cybercrime used to encourage security investment, especially a controversial claim made in a 2011 Detica report commissioned for the UK Cabinet Office, which claimed cybercrime was costing the country £27 billion per year.
