By Matt Hannula; Marketing Associate
How can we truly gauge how large cybercrime has become? Is it in the millions? Billions? Maybe even in the trillions? There are statistics that claim each of these audacious numbers but what does it even mean? How do researchers find this data, who contributes, and how do they even define cybercrime?
Stephen Cobb, a CISSP for over 20 years who leads a research team for security giant ESET, explained the implications of cybercrime statistics and taught us to be wary about the “truth” of cybercrime at a recent SDISSA lunch and learn.
When Bird Rock Systems isn’t securing the networks of its loyal customers, the team attends technology events, acting as sponges soaking up the most relevant and up-to-date technology information.
This past week, the Bird Rock Systems sales team and engineers attended a San Diego Information Systems Security Association (SDISSA) event, which they attend once a month.
Stephen Cobb opened the session with a series of graphs showing all types of statistics for physical crime, such as theft, assault, and murder. He then pulled up statistics from CSI and PwC. These stats looked good until you saw that they surveyed only 500 individuals, who may or may not have been repeat respondents, and that the response rate was only 15%. Anyone versed in scientific studies knows that this is not very compelling data.
The next best study on cybercrime was from 2005 by NCSS. Their study consisted of 8000 individuals with a response rate of 23%. Sure, this was a step up in figuring out how much cybercrime companies are actually experiencing, but it still was not very compelling.
So why is this relevant? Why do we even care about these statistics? Mr. Cobb presented this as a problem with how we measure cybercrime. It is almost impossible to track cybercrime, for many reasons. How do people define cybercrime? How often do companies report the cybercrime that has happened to them? How much cybercrime is happening in residential environments compared to commercial ones?
The real reason we care about cybercrime statistics is that we as companies, trying to protect data while keeping our networks running with minimal downtime, attach a monetary value to cybercrime. How much does it cost my company every time a breach occurs or a user’s data is compromised? These numbers become very helpful when C-level executives are trying to justify large investments to secure their networks and data.
Cobb stated that the Ponemon Institute put the cost at $200 per compromised user, while Verizon, in its own study, said it costs about .59 cents per compromised user. These numbers are so far from each other that Cobb says we cannot trust either of them as a credible source for the cost of cybercrime. So, Cobb defined his own cost of a breach on a time-cost basis.
While in Europe, Cobb was attempting to get a check for about $10,000 approved. The first submission was denied. Cobb tried again and once again was denied. He then called his bank, and they said they would look out for the transaction. He submitted again and, sure enough, the check was denied. Cobb finally called his bank and stayed on the phone until the check went through. The time it cost Cobb to get his check approved, so the bank could make sure it was not a fraudulent transaction, is the cost Cobb puts on each security breach or compromised user: not the breach itself, but the cost of protecting oneself from a breach. And if you wanted to know his cost per breach, it is $66! Why? Taking into account the time he spent getting his check approved and his average hourly wage, $66 was the most logical number for Cobb to wrap his head around.
The moral of the story is that we cannot be naïve when it comes to cybercrime statistics, because there are so many factors and implications that we cannot control or track. What we can do is make critical investments in our networks, IT teams, and security initiatives to make sure we keep cybercrime at bay!