Cyber economics v2 -Measuring the true cost of Cybercrime

CyberonomicsMeasuring the true cost of Cybercrime

Shahar Geiger Maor

htt

ps:

//tw

itte

r.co

m/O

p_I

srael/st

atu

s/32

095719

030954

3938

4.2B$

(daily)

Why Measuring Cyber Security?

Cliché

alert!321in :

You Can't Manage What You Don't Measure

“…Cybercrime Cost is estimated $1 Trillion worldwide”

http://www.whitehouse.gov/video/President-Obama-on-Cybersecurity#transcripthttp://www.forbes.com/sites/andygreenberg/2012/08/03/mcafee-explains-the-dubious-math-behind-its-unscientific-1-trillion-data-loss-claim/

Global Risk Landscape (2013)

http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2013.pdf

1.8% Of

GDP

UK = 27B₤

IL = 4.5B

$

The Cost Of Cybercrime in Israel (#1)

:// . . / / / - - - - - - - -https www gov uk government publications the cost of cyber crime joint government and-industry report

The Cost Of Cybercrime in Israel (#1)

4.5B$

http://www.slideshare.net/jimmyschwarzkopf/stki-summit-2012-israeli-it-market

4.5B$ ~66% of 6.7B$

Why Measuring Cyber Security Is So Problematic?

Too many sources of dataThe problems of under-recording and under/over-reportingCybercrime surveys (lack of methodology)Conflicts of interestTerminology and rhetoricsWhat to measure? (impact, loss)

http://www.law.leeds.ac.uk/assets/files/staff/FD18.pdf

The Costs Of Cybercrime To Society

Defense costs

Indirect losses

Direct losses

Cybercrime Supporting Infra.

Criminal revenue

Cost to society

http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf +customizations

Terrorist’s gain

Vendor revenue

0.19% Of GDP

UK = 4.5B₤IL = 460M$

http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf

The Cost Of Cybercrime in Israel (#2)

460M$

http://mops.gov.il/Documents/Publications/CrimeDamage/CrimeDamageReports/CrimeDamageReport2011.pdf

Total cost of crime in Israel

(2012):4B$ Sex Crimes:

170M$

Murder: 100M$

Fraud+ Property: 1,960M$

x2.7

x4.2

23%

Some Insights From An Israeli Security Survey

This survey refers to 2009-2011 (included)Market Average: 2 incidents in 3 years Per organizationMarket score: ~400 incidents in 2011An average security incident looks like this: • Inside factor or known vulnerability/threat• ~50 working hours per incident• ~50K$ per incident (~~~~~~~~~~~)

http://www.slideshare.net/shaharmaor/information-security-stki-summit-2012shahar-geiger-maor-12059675

The Cost Of Cybercrime in Israel (#3)

20M$

http://hackingdefined.org/opisrael/rss.xml

A Brave New Economic Model

Scope Target Impact Timing Reputation

Economic gains

Government’s Role In Cyber Economic MeasurementQuantitative risk assessment may improve cyber security controls and mitigation.

So:

Regulators should encourage the use of cyber economic measurement toolsOne methodologyOne focal pointDiscreet reporting

Thank You!