Is counting the cost of Cyber Crime adding up?

The latest CSIS report on the global cost of Cyber Crime has been released and it raises a number of interesting points. It attempts to look at the global issue of Cyber Crime and put a dollar figure on its total cost.


Counting the Cost of Cyber Risk: the problem with numbers

It’s clear that this has proven to be very challenging, as reliable data wasn’t readily available, and this points to a big challenge for governments and business. Unless more attention is focused on understanding what the real financial effect of Cyber Crime is, getting widespread buy-in and concerted action will continue to be difficult.


The report adds to this information with estimates provided across a wide range of ‘cost elements’ that can be indicative of the financial impact. Putting that aside though, CSIS end up with a figure estimating the impact at around half a trillion dollars.


This is a massive number, but it’s not that robust given the general absence of the hard data needed and the fact that the metrics are in themselves very variable and open to differing interpretations.


What is important in this report though is that the correlation is being made to national economies’ GDP and wider economic indicators. If I translate the CSIS average estimate of GDP effect to the UK, it would mean a Cyber Crime cost of around £7bn ($11bn); using the higher estimate suggested, this would be over £13bn ($20bn). This is by no means the highest estimate for impact.


The cost of Cyber Crime estimate produced by Detica indicated a figure of £27bn, which was whittled down to £12bn following a University of Cambridge report commissioned to test this estimate. So at least for the UK the numbers are certainly in a range that fits with current assessments. Perhaps this is to be expected for this type of meta-research, but let’s look behind the report, interesting though it is, and look at the fundamental problem with the numbers around Cyber Risk.


What is really desperately needed for informed decision making is better information on the threats and their impact in the context of the business or organisation. I feel that the absence of solid data is now causing serious issues that are directly affecting the development of better Cyber Risk Management.


Cyber Risk is a critical issue that needs much better management, and there is plenty that can be done to gain quick wins (Cyber Essentials); for those with bigger risks there are clear Good Practice models available that can transform Cyber Risk Management performance. To gain the benefits of progress though, we have to overcome some of the negative attitudes all too often encountered in business. Getting buy-in continues to be the top issue for many working in the Cyber Security arena, in my experience at least, and links to common themes of denial, apathy or confusion. This then directly limits action, with Cyber Risk Management being artificially limited in application and, consequently, in its effectiveness.


The current decision culture seems to be asking the question “what is the minimum we have to do?” and not “what can we really do to secure our systems (and our business)?”. Would we want to travel in cars or planes that only met the minimum standards for safety? I think not. When it comes to business responsibility for Cyber Risk though, it seems that different attitudes may be influencing the decision making, even though there is a widespread and increasing expectation that firms should be doing a lot more to control and mitigate Cyber Risk.


These attitudes result in many businesses taking some serious risks that are not only avoidable, but which dodge the responsibility they have to the firm, its staff and all its stakeholders.


There are plenty of studies from other fields of research that confirm that once people start engaging in “Risky Behaviour” they are far more likely to do it again and again, often without really thinking about it. If a company is playing Russian Roulette with its Cyber Risk it’s probably taking similar gambles elsewhere. Is this deliberate? Well, there will always be ‘bad’ companies, but actually I think it’s because most businesses have yet to really connect Risk Management with Business Performance in any meaningful way. Risk Management is often seen as the preserve of BIG companies or niche project areas, and even those that do have RM programmes don’t always use them that well, as the financial crisis has shown us.


Changing the culture around the connections between Business, Risk and Cyber requires organisations to get real information on how these interact within the organisation and connect with external stakeholders. Business and Government need better information on the risks businesses are actually facing, with the potential impact properly assessed; yet few actually do this, and even fewer then quantify these risks into potential financial effects in order to set priorities and steer their investment.


Arguing about the total cost of cyber crime is all well and good, but actually understanding what the cyber risk is for YOUR business is absolutely essential. The better we understand the risks at an organisational level, the better the data will be at a global level and, perhaps, finally we’ll have numbers we can actually use to build real performance.