The (real) cost of cyber crime in the UK

The Cabinet Office & Detica have put forward a report evaluating the cost of cyber crime in the UK at 27 billion a year [1]. It is more than the socio-economic cost of drugs, estimated at 15.4 billion a year in the UK [2]. Before this figure becomes widely spread, it is important to be well aware that it is an estimation of the cost of cyber crime. It does not tell us what is known of cyber crime, which would be far more informative. The current level of cost of cyber crime can be easily assessed from the law enforcement authority standpoint. Cyber crime is a violation of norms, and the police keep record of the cases they deal with. In Germany for instance, out of the cases dealt by the police, the cost of cyber crime was mentioned to be of 61.5 million in 2010 [3]. The UK, unfortunately, does not publish this kind of clear statistic. Cyber crime can be split into two categories: the crime that are facilitated by the modern use of information technologies, and the crime that target information technology [4]. The UK estimations fall a-priori within the first category, since they include intellectual property theft and fiscal fraud. However, child pornography and cyber stalking are strangely left out. It can seem farfetched to include the socio-economic cost of these two areas of cyber crime, but not as much as evaluating/extrapolating how much intellectual property theft or espionage cost to the industry. The evaluation of the costs of intellectual property theft and espionage is largely based on two factors: 1) the investment in R&D by sector 2) the turnover of the sector. However, even if someone has access to the utmost recent research of a company, it does not mean that the stolen company loses all its investments in the research. The thief needs to be able to re-sell the stolen material, and even if a competing industry implement the stolen research, the benefits for the initial company are not cancelled out. A first question that can be answered is how many cases have been processed by law enforcement agencies that relate to the wider interpretation of cyber crime. The table at the end of this article summarizes the figures in each of the category identifies by the Cabinet Office & Detica report. It is not possible to know how many of these cases really involved the use of computer and how much the court assessed the damage to be in each case. However, law enforcement agencies have the capacity to make this assessment. In any case, it can be perceived as more informative to see that there are more cases concerning blackmailing than intellectual property theft or that customer data loss is almost irrelevant (2 cases). Moreover, from a legal standpoint, espionage can be merged with intellectual property theft, as can be online theft from businesses with online fraud. It goes without saying that having a relevant taxonomy that ease data gathering by law enforcement agencies is important.

Bearing in mind that for cyber crime in its wider interpretation is incomplete and only extrapolations of figures can be provided, how much of the cost of cyber crime in its narrow interpretation can be assessed? This includes the following area: online fraud (and identity theft and online theft from businesses), scareware and customer data loss. According to Financial Fraud UK, and summing up online banking fraud (46.6 million), phone banking fraud (12.7 million) and e-commerce fraud (135.1 million), this makes a total of 194.4 million [5]. Scareware are fake program that trick the user into believing he has been infected by a virus and he needs as a consequence to buy an (fake) anti-virus solution. No legal complaints have concerned them and no other figures are available apart from those in the Cabinet Office & Detica report. The figure of 30 million damage is to be contrasted by the worldwide market of scareware estimated at 114 million. In other word, either UK would represent 26% of the share of this market for an online population representing only less than 2% of the global online population, or there is an inadequacy in the estimate [6]. Finally, concerning consumer data loss, out of the 3 cases in 2010 trialled under the Computer Misuse Act 1990, all of them concerned a breach of confidentiality and no data were deleted. In the UK therefore, the cost reported to police is null. The cost of cyber crime comes this way closer to the estimations from Germany with a total of 194.4 million. The 2.1 million invested for the Police eCrime Unit to tackle cyber crime appears all of a sudden a wiser and more understandable approach from the government [1].

Online fraud Cost ( bn) Legal Act 1.4 Fraud Act 2006

Scareware 0.03 Malicious Communications Act 1988 (false information given) Disclosure, obstruction, false or misleading statements: 151 (101)

Identity theft 1.7 Data Protection Act Fraud Act 2006 174

IP theft 9.61 Copyright, Designs & Patents Act 1988 456 (320)

Espionage 7.6 See IP theft

Customer data loss 0.96 Computer Misuse Act 1990 3 (2)

Online theft from business 1.3 See online fraud

Extortion 2.2 Theft Act 1968 (art. 21) Blackmail 368 (347)

Fiscal fraud 2.2 Fraud Act 2006

Number of cases in 2010 (convictions)

Theft from ATM: 497 (371) Other fraud: 21,932 (13,288)

See IP theft

See online fraud

Revenue Law Offence: 21 (10) Social security offence: 5,536 (4,796) 467,761

Average cost per case if correct assumptions

197,671

297.029

9.7 million

53.7 million

See IP theft

480 million

See online fraud

6.3 million

Source: [7]

Bibliography 1. 2. 3. 4. 5. 6. 7. Cabinet Office, Detica. (Cabinet Office, London, 2011), pp. 32. P. Reuter, A. Stevens. (UK Drug Policy Commission, London, 2007). Bundeskriminalamt, BKA, Ed. (Wiesbaden, 2010). A. Alkaabi, G. M. Mohay, A. J. McCullagh, A. N. Chantler, in 2nd International ICST Conference on Digital Forensics & Cyber Crime. (QUT Digital Repository, Abu Dhabi, 46 October 2010). Financial Fraud Action UK, Fraud - The Facts 2011 (FFA, London, 2011). F. Paget, Running Scared: Fake Security Software Rakes in Money Around the World (Santa Clara, CA, 2010). Criminal Justice Statistics in England and Wales. (2008-2010), vol. Volume 1, Magistrate Court Part 3.