Examining the Roots of Total Marketing BS


Disclaimer: The principle of academic freedom has been the same for about 80 years. I do not officially speak on behalf of my employer. This is not how academic freedom works. This blog post represents my own thoughts and opinions.

How many times have you heard that the cost of cybercrime is $6 trillion?

While I was reading about ransomware, I came across this bold quote yesterday: “Ransomware expected to cause $6 trillion in damage by 2021”.

Wow. Makes you want to run out and buy cybersecurity products, right? Fear, Uncertainty and Doubt, the marketing department’s dream formula! However, you really can’t blame the marketing executives who wrote this…all cybersecurity marketing departments are jumping on the bandwagon. And when dozens of journalists blindly share this figure, without examining the facts, how can we blame them?

Every time you see the absurd “$6 trillion” figure regarding the costs of cybercrime, even when misused like above, the source will be attributed to a Cybersecurity Ventures report. I did an analysis of this report in October 2017 and wanted to explain it to you here, dear reader, so that you have somewhere to point the people who cite the six trillion dollar charlatan. Here’s where things started for me, when I saw this report:

The original $6 trillion charlatan

Whether I’m evaluating a student paper or reviewing a journal article, my approach to the facts is the same. Check the source. I am not the only academic who has pointed out the poor quality of many claims like this. For another example, see the Journal of National Security Law and Policy article, “Advancing accurate and objective measures of cybercrime” by Stephen Cobb. I love this quote from his peer-reviewed article:

“There is no shortage of data pointing to a dire situation in cyberspace, published under headlines such as “Global breach costs expected to exceed $5 trillion by 2024” or “Global breach costs expected to exceed $5 trillion by 2024” and “Mobile cyberattacks are on the rise.” The way these figures and claims are cited – and retold – may lead the casual observer to believe that they are based on official cybercrime measurements, yet few, if any, of these reports are the product of a comprehensive effort to consistently and objectively catalog cybercriminal activity over time.” (emphasis mine)

(Full disclosure, Stephen cites my blog in his article – specifically my September 30, 2018 post “FBI Crime Data Explorer: What the numbers say about cybercrime.”)

A reasonable approach to estimating the impact of cybercrime might be to create various categories, suggest a reasonable maximum for each, and add them up to create your estimate. This is the approach taken by some of my biggest cybersecurity heroes, in their excellent article: “Measuring the evolution of the cost of cybercrime”, presented at the 18th Annual Workshop on the Economics of Information Security. Is this the approach taken by Cybersecurity Ventures? No. Not even close.

The $6 trillion figure that appears to be the focus of the entire report appears to be based on a single Microsoft blog post, titled “The emerging era of cyber defense and cybercrime” published on January 27, 2016. The Cybersecurity Ventures article contains a footnote indicating this as the source of their $3 trillion base. Their editor, Steve Morgan, incidentally continues to reference this figure and to use it in his new forecasts. In his forecast of 13NOV2020, he now states “Cybercrime will cost the world $10.5 trillion per year by 2025” and STILL references the Microsoft blog in the highlighted link “US$3 trillion in 2015”.


One would assume that the blog post Steve linked to the words “$3 trillion in 2015” would claim that the cost of cybercrime in 2015 was $3 trillion. But that’s not at all what the Microsoft article says! What the Microsoft blog post from Pete Boden, general manager of cloud and enterprise security, actually says is that “the World Economic Forum estimates the economic cost of cybercrime at $3 trillion in the world”.

But even that is a false statement. The World Economic Forum certainly does not believe that the cost of cybercrime exceeds any reasonable estimate by two orders of magnitude. What did they actually say?

The report is titled “Risk and Liability in a Hyperconnected World” published by the World Economic Forum, in collaboration with McKinsey & Company.

World Economic Forum / McKinsey Report

from mckinsey.com

Here’s what they actually say…

“Current trends could lead to a backlash against digitalization, with considerable economic impact. Major technology trends such as massive analytics, cloud computing and big data could create between US$9.6 trillion and US$21.6 trillion in value for the global economy. If the sophistication of attackers exceeds the capabilities of defenders, resulting in more destructive attacks, a wave of new regulations and corporate policies could slow innovation, with an overall economic impact of around $3 trillion.” – p.3

Three things to note:

1) the loss they predict is A REDUCTION IN THE FUTURE ECONOMIC VALUE of certain technologies (analytics, cloud computing, big data) DUE TO A SLOWDOWN IN INNOVATION.

2) this loss would only occur IF NEW REGULATIONS ARE IMPOSED that would stifle creativity in these areas.

3) THE CUMULATIVE EFFECT between the date the report was written (2014) and SIX YEARS LATER (2020) would have the potential to reach $3 trillion.

So how on earth did Cybersecurity Ventures achieve their numbers?

First, they clearly never read the World Economic Forum/McKinsey report, otherwise they certainly wouldn’t have been able to say that the impact of cybercrime was $3 trillion in 2015. Again, that $3 trillion was OVER SIX YEARS (that’s $500 billion per year on average) and ONLY IF REGULATORY CONDITIONS changed dramatically, resulting in “potential unrealized economic value” for the technology industry.

But how did they go from $3 trillion to $6 trillion, even though they wrongly believed that $3 trillion was an annual figure? Simple. In their report they say there were 2 billion internet users in 2015, and they predict there will be 6 billion internet users by 2022. They then say “Like street crime, which has historically increased alongside population growth, we are seeing a similar evolution in cybercrime. It’s not just about more sophisticated weapons; it is as much about the growing number of human and digital targets.” (See: “Official Annual Report on Cybercrime 2019”, p. 4). In other words, since there are a lot more people, the fake $3 trillion is now $6 trillion, right? No. That’s not how crime works, and that’s not how cybercrime works either.

According to the Cybersecurity Ventures report, the $6 trillion in damages would consist of:

  • Data damage and destruction
  • Money stolen
  • Loss of productivity
  • Theft of intellectual property
  • Theft of personal and financial data
  • Embezzlement
  • Fraud
  • Post-attack disruption
  • Forensic investigation
  • Restoring and deleting hacked data
  • Damage to reputation

But is that what the World Economic Forum said? ABSOLUTELY NOT!!!

Just to keep driving the point home: the WEF has stated that FUTURE GROWTH of certain technology industries could be slowed by $3 trillion between 2014 and 2020 IF AN UNFAVORABLE REGULATORY ENVIRONMENT is created.

How much is $6 trillion?

According to Steve, the annual cost of cybercrime is $6 trillion (and growing!). Ask yourself this question:

If you agree with Steve’s number, you think the cost of cybercrime is greater than the TOTAL REVENUE of Citibank, JPMorgan Chase, Bank of America, and Wells Fargo.

You also believe that the cost of cybercrime is greater than the TOTAL REVENUE of Volkswagen, Toyota, Daimler/Chrysler, Mitsubishi, Honda, BMW and Nissan.

Add in Walmart, Amazon, and Google and you’re STILL not at $6 trillion.

It would take the total 2019 annual revenues of ALL thirty-three of these global companies to generate $6 trillion. Steve says that’s the cost of cybercrime this year, and it will reach $10.5 trillion by 2024! Do you believe it? No.

The total cost of cybercrime?

Ransomware math

Here is a useful pie chart to illustrate this:

Now, if RANSOMWARE is the number one source of cybercrime damage and ransomware represents 0.33% of the total cost of cybercrime, what does the remaining 99.7% of costs consist of? That’s right. Thin air.

Some help?

Please do me a favor. If you see someone citing the $6 trillion cost of cybercrime, send them a link to this story. The numbers simply don’t make sense!

Have you seen a source citing the cost of cybercrime at $6 trillion? Please share it in the comments below! And if you know the person who is spouting this nonsense, send them a link to this article!