The Economic Impact o Cybercrime and Cyber Espionage
3The wide range o existing estimates o the annual loss—rom a ew billion dollars to hundreds obillions—reects several difculties. Companies conceal their losses and some are not aware o what hasbeen taken. Intellectual property is hard to value. Some estimates relied on surveys, which provide veryimprecise results unless careully constructed. One common problem with cybersecurity surveys is thatthose who answer the questions “sel-select,” introducing a possible source o distortion into the results.Given the data collection problems, loss estimates are based on assumptions about scale and eect—change the assumption and you get very dierent results. These problems leave many estimates opento question.
The Components of Malicious Cyber Activity
In this initial report we start by asking what we should count in estimating losses rom cybercrimeand cyber espionage. We can break malicious cyber activity into six parts:
The loss o intellectual property and business confdential inormation
Cybercrime, which costs the world hundreds o millions o dollars every year
The loss o sensitive business inormation, including possible stock market manipulation
Opportunity costs, including service and employment disruptions, and reduced trust or online activities
The additional cost o securing networks, insurance, and recovery rom cyber attacks
Reputational damage to the hacked companyPut these together and the cost o cybercrime and cyber espionage to the global economy is probablymeasured in the hundreds o billions o dollars. To put this in perspective, the World Bank says thatglobal GDP was about $70 trillion in 2011. A $400 billion loss—the high end o the range o probablecosts—would be a raction o a percent o global income. But this begs several important questionsabout the ull beneft to the acquirers and the damage to the victims rom the cumulative eecto cybercrime and cyber espionage.
Using Analogy to Set the Bounds for the Cost of Malicious Cyber Activity
We use several analogies where costs have already been quantifed to provide an idea o the scopeo the problem, allowing us to set rough bounds—a ceiling and a oor—or the cost o malicious cyberactivity, by comparing it to other kinds o crime and loss.
Is cybercrime, cyber espionage, and other malicious cyber activitieswhat some call “the greatest transer o wealth in human history,”or is it what others say is a “rounding error in a ourteen trilliondollar economy?”