Tuesday, August 04, 2015

The cost of cybercrime: short version

The cost of cybercrime = $66.66.

That rather beastly number is a rough and very modest approximation of the cost of 18 minutes of my time, which is how long it just took me to make an online tuition payment to my school in England. Allow me to explain.

1. The tuition for my MSc in the Criminology Department at the University of Leicester is paid in multiple chunks of about $2,800 per chunk.

2. The university has a very convenient online payment system.

3. I am fortunate right now to have a credit card that can handle $2,800.

4. But I cannot charge $2,800 to the card via a website that is outside the US unless I spend 18 minutes on the phone with the bank to let them know this charge is okay (believe me, I've spent longer, and I've tried doing the transaction without the call enough times to know that this is typical, across multiple cards/banks).

5. That phone call is required because there is so much payment card fraud being perpetrated around the world today, most of which can be classified as cybercrime.

6. I work in cybersecurity. The hourly rate for an appropriately certified independent consultant in this field is likely to be at least $200. So 18 minutes of wasted time at that rate = $66.66.

Now multiply that by all the transactions that match the "must call us" category. Like when you're trying to surprise your wife with an upgrade as you're flying out of Heathrow (despite the fact that you told the credit card company you would be in England, still they required a call). At that rate the cost of cybercrime, just in terms of lost productivity, quickly adds up.

As for the rate calculation, I think I'm being reasonable. Back in the 1990s, our IT security consulting firm billed clients $2,500 per person per day, which was a combination of overhead and direct labor costs. The going rate today for specialists in this field, like the people brought in to respond to a big corporate data breach, can be as high as $900 per person per hour. I'm not saying my time is worth more than another person's; I'm just trying to put a number on the surcharge that cybercrime imposes on an otherwise efficient payment processing system. Time is money and spending 18 extra minutes to complete an online transaction is costly, whoever you are and however you look at it.

And this is nothing to do with my university. I have the same problem buying tickets for international air travel. And in some ways I'm glad I have the problem because it means my bank is protecting my account. But I'm also sad that the darker side of human nature has imposed these limits on our enjoyment of technology's many potential benefits (like studying at a university in another country).

Speaking of time, I've spent quite a bit of it studying the size and cost of cybercrime in my work as well as at school. I will be talking about this topic later this year at the Virus Bulletin Conference in Prague, as well as at this month's ISSA meeting in San Diego. Measuring the cost of cybercrime is not easy; indeed, it might be impossible. But I do think you can argue that the cost of cybercrime could get too high: if we reach a point where the cost of cybercrime deters the adoption of otherwise helpful technology, then we will have a much bigger problem than me getting grumpy on the phone with my otherwise very helpful bank.