Cited by 2 pages
| Page | Type | Quality |
|---|---|---|
| AI Cyber Damage: Bounding the Tail | Analysis | -- |
| AI Cyber Damage Estimates | Analysis | -- |
Cached Content Preview
HTTP 200 | Fetched Apr 25, 2026 | 98 KB
Measuring the Changing Cost of Cybercrime
Ross Anderson¹, Chris Barton², Rainer Böhme³, Richard Clayton⁴,
Carlos Gañán⁵, Tom Grasso⁶, Michael Levi⁷, Tyler Moore⁸, Marie Vasek⁹
Abstract
In 2012 we presented the first systematic study of the costs of cybercrime. In this paper,
we report what has changed in the seven years since. The period has seen major platform
evolution, with the mobile phone replacing the PC and laptop as the consumer terminal
of choice, with Android replacing Windows, and with many services moving to the cloud.
The use of social networks has become extremely widespread. The executive summary is
that about half of all property crime, by volume and by value, is now online. We hypothesised
in 2012 that this might be so; it is now established by multiple victimisation studies.
Many cybercrime patterns appear to be fairly stable, but there are some interesting changes.
Payment fraud, for example, has more than doubled in value but has fallen slightly as a
proportion of payment value; the payment system has simply become bigger, and slightly
more efficient. Several new cybercrimes are significant enough to mention, including business
email compromise and crimes involving cryptocurrencies. The move to the cloud means that
system misconfiguration may now be responsible for as many breaches as phishing. Some
companies have suffered large losses as a side-effect of denial-of-service worms released by
state actors, such as NotPetya; we have to take a view on whether they count as cybercrime.
The infrastructure supporting cybercrime, such as botnets, continues to evolve, and specific
crimes such as premium-rate phone scams have evolved some interesting variants. The overall
picture is the same as in 2012: traditional offences that are now technically ‘computer
crimes’ such as tax and welfare fraud cost the typical citizen in the low hundreds of Euros/dollars
a year; payment frauds and similar offences, where the modus operandi has been
completely changed by computers, cost in the tens; while the new computer crimes cost in
the tens of cents. Defending against the platforms used to support the latter two types of
crime costs citizens in the tens of dollars. Our conclusions remain broadly the same as in 2012:
it would be economically rational to spend less in anticipation of cybercrime (on antivirus,
firewalls, etc.) and more on response. We are particularly bad at prosecuting criminals who
operate infrastructure that other wrongdoers exploit. Given the growing realisation among
policymakers that crime hasn’t been falling over the past decade, merely moving online, we
might reasonably hope for better funded and coordinated law-enforcement action.
¹ Computer Laboratory, University of Cambridge, Cambridge, UK. ross.anderson@cl.cam.ac.uk
² chris@vnworks.net
³ Department of Computer Science, Universität Innsbruck, Innsbruck, Austria. rainer.boehme@uibk.ac.at
⁴ Computer Laboratory, University of Cambridge, Cambridge, UK. richard.clayton@cl
... (truncated, 98 KB total)
Resource ID: 8e8f6ccd300955d5 | Stable ID: sid_0oCDu66bVQ