Cybercrime would be better tackled by boosting the puny amounts spent on global policing and criminal justice than throwing large sums at imperfect security technologies, a Cambridge University study has argued.
Anyone who works in the security industry and depends on selling products should look away now: according to Measuring the Cost of Cybercrime, from a respected group of academics including Ross Anderson and Richard Clayton, the world has over-invested in defence and clean-up at the expense of old-fashioned retribution.
The cost of cybercrime results from three calculations: the direct cost of the frauds themselves (relatively small), the money spent on defending against those frauds (much larger) and the cost of cleaning up the mess when defences fail (also relatively high).
Cybercriminals have spotted, and thrived on the back of, a host of weaknesses. Global policing remains fragmented and under-motivated, detection rates remain stubbornly low, and social resentment is far less significant than it would be for physical crimes such as robbery or burglary.
Consequently, organisations and individuals across the world invest heavily in defence, which includes money spent on patching, anti-spam, packet defences such as firewalls and, of course, security programs including antivirus.
Exactly how much this adds up to is a complex calculation, but the Cambridge authors estimate that the UK probably spends around £32 million ($50 million) per year on software patching alone, with consumers adding another £109 million ($170 million) in antivirus licenses.
Now add in the sums spent at ISP level filtering spam, plus the money devoted to managing and upgrading a wide range of ISP and corporate security systems, and the sums must balloon. Cleaning up after an attack - whether on a large company or single consumer - is also significant for those directly involved, perhaps as much as several hundred dollars per attack for an individual.
Comically then, even in the UK and the US - two countries noted for a robust response to cybercrime - policing budgets reach a pathetic £10 million ($15 million) per year in the UK and $100 million per year in the US, a pitiful $400 million across the whole world. This is despite the fact that policing works as a deterrent when wielded effectively.
"As for the more direct question of what should be done, our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response, that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail," the academics argue.
This paints a picture of computer security as a gigantic security blanket, a reassuring psychological prop; we fear cybercrime, partly because we find it hard to assess its risks, and use technology to over-compensate for that lack. It's not that security systems are a bad idea per se, more that they consume huge sums of money in a piecemeal way when cheaper, traditional policing involving nabbing criminals would have more effect.
"We are extremely inefficient at fighting cybercrime; or to put it another way, cybercrooks are like terrorists or metal thieves in that their activities impose disproportionate costs on society," said the report.
"Some police forces believe the problem is too large to tackle. In fact, a small number of gangs lie behind many incidents and locking them up would be far more effective than telling the public to fit an anti-phishing toolbar or purchase antivirus software," added Professor Ross Anderson, co-author.
The Cambridge team also debunks what it sees as inflated estimates of the cost of cybercrime used to encourage security investment, especially a controversial claim made in a 2011 Detica report commissioned for the UK Cabinet Office, which put the cost of cybercrime to the country at £27 billion per year.