Editor’s Note: For more information, including the study abstract and a PDF of the complete paper, please see FISMA Focus here.

From: Bloomberg Business Week

How do you calculate the real cost to society of cyber crime? There are the financial losses to individuals and organizations (figures rarely made public), as well as the sizable expense of security software and personnel to protect against possible digital incursions. Then there is the damage to brand image should your company be the unfortunate victim of an online crime. In a paper presented on June 26 to the Workshop on the Economics of Information Security, a team of academics (recruited by the U.K. Ministry of Defence) attempts to estimate the financial toll of Internet crime. The authors observe that we are “extremely inefficient” at fighting cyber crime and offer a hard-line solution: “Our figures suggest that we should spend less in anticipation of cyber crime (on antivirus, firewalls, etc.) and more in response—that is, on the prosaic business of hunting down cyber criminals and throwing them in jail.” Below is a snapshot of their data illustrating the imbalance between what cyber criminals actually take and the money spent to protect against digital crime. Each entry gives the category, the authors’ global annual estimate, and a short description.

Cyber Crime (what criminals take)

Fake Antivirus ($97M)
Users get a message warning them that their computer has been infected with malware. When they click on a link to download antivirus software, their machine is infected. An analysis of financial records from three criminal gangs found that from 2008 to 2010 they collectively earned $97 million annually.

Stranded Traveler ($10M↑)
Hijacked e-mail accounts are used to ask friends for money, claiming the account owner is stranded while traveling abroad. According to an analysis of 2010 records from one e-mail provider, criminals received one or two payments a day, on average.

Fake Escrow ($200M↑)
In a financial transaction, the victim is told to use an “independent” escrow agent. Despite having a convincing website, the escrow company is a sham. There are about 100 active fake escrow websites at any given time, according to a study by the University of Cambridge.

Advance Fee ($1,000M↑)
Advance fee fraud, sometimes called 419 fraud after the relevant section of the Nigerian criminal code, is legendary for its variations on the same theme: the victim is asked for a small amount (an advance fee) to cover the costs of releasing a much larger fortune that never materializes.

Online Banking Fraud: Malware ($370M↑)
Cyber thieves target businesses and individuals using malware to capture passwords, account numbers, and other data to get into online banking accounts. As of September 2011, the FBI was investigating 400 cases of “corporate account takeover” where criminals stole $85 million.

Online Banking Fraud: Phishing ($320M≈)
Online banking fraud is sometimes carried out through a phishing attack, in which criminals impersonate a bank’s website to get unsuspecting users to provide their login credentials. University of Cambridge researchers estimated that in 2007, between 280,000 and 560,000 people were taken in by fake websites.

Cyber Defense (what is spent to protect against crime)

Bank Countermeasures ($1,000M≈)
Banks sometimes hire companies to take down websites used in phishing attacks. There are additional internal security costs, such as authentication programs and systems for generating one-time passwords.

Antivirus ($3,400M)
According to a 2010 survey by Eurostat, the European Union’s statistics agency, 88 percent of all households with a broadband subscription use some form of antivirus protection.

ISP Cleanup ($40M≈)
In 2010, German Internet service providers (ISPs) spent €2 million to establish a call center to help combat botnets—networks of machines that have been infected with malware. In its first year, 315,518 users were notified that they had a compromised machine, a fraction of the infected population.

Patching Vulnerabilities ($1,000M≈)
Software companies constantly patch their products against vulnerabilities that can be exploited by malware. Anecdotal evidence suggests that the development cost of a single patch for key enterprise software can run up to $1 million. Deploying that patch is equally costly.

User Cleanup ($10,000M≈)
When antivirus programs fail, or aren’t used, users may have to call in the Geek Squad to fix their PC or dump the infected hardware and buy a new machine. The authors calculate the repair cost from malware for U.K. users alone at roughly $500 million.

Business Security ($10,000M≈)
Companies use a variety of tools to fight cyber crime, including firewalls, intrusion detection systems, software maintenance and deployment, and user training.

Law Enforcement ($400M)
The authors estimate that the U.S. spends $200 million to fight cyber crime and accounts for half the law enforcement work worldwide.

Note: Global estimates include only crimes that result in costs of more than $10 million annually. ↑ marks a figure that is likely an underestimate; ≈ marks a figure with high uncertainty.

Source: “Measuring the Cost of Cybercrime,” by Ross Anderson, University of Cambridge; Chris Barton, Cloudmark; Rainer Böhme, University of Münster; Richard Clayton, University of Cambridge; Michel J.G. van Eeten, Delft University of Technology; Michael Levi, Cardiff University; Tyler Moore, Southern Methodist University; and Stefan Savage, University of California, San Diego

For more video and conversation on Fix This/Cyber Security, visit: http://www.businessweek.com/fix-this/cyber-security.html