Say $6 Trillion Again ... I DARE you: Examining the roots of a total BS Marketing Number
CyberCrime & Doing Time 2023-01-03
Disclaimer: The principle of Academic Freedom has been the same for 80 years or so. I do not speak officially for my employer. That isn't how Academic Freedom works. This blog post represents my own thoughts and opinions.
How often have you heard the quote that the Cost of Cybercrime is $6 Trillion?
As I was doing some reading on Ransomware I came across this bolded quote yesterday: "Ransomware is set to cause $6 trillion in damages by 2021."
Wow. Makes you want to run right out and buy cybersecurity products, doesn't it? Fear, Uncertainty, and Doubt, the marketing department's dream formula! You really can't fault the marketing folks who wrote that though ... every cybersecurity marketing department is jumping on the bandwagon. And when dozens of journalists share the number blindly with no examination of the facts, how can they be blamed?
Every time you see the preposterous number "$6 Trillion Dollars" with regards to cybercrime costs, even when mis-used, as above, the source will be traced to a Cybersecurity Ventures report. I did an analysis of that report back in October 2017 and wanted to walk you through it here, gentle reader, so that you would have a place to point people who quote the Six Trillion Dollar Charlatan. Here is where things started for me, when I saw this report:
Whether I'm grading a student paper, or reviewing a journal article submission, my approach to facts is the same. Check the source. I'm hardly the only academic that has pointed out the shoddiness of many of the claims such as this one. For another example, see the Journal of National Security Law & Policy article, "Advancing Accurate and Objective Cybercrime Metrics" by Stephen Cobb. I love this quote from his peer-reviewed article:
"There is no shortage of data pointing to a dire state of affairs in cyberspace, published under headlines like “Global Breach Costs Set to Top $5 Trillion By 2024,” or "Global Breach Costs Set to Top $5 Trillion By 2024," and “Mobile Cyberattacks on the rise.” The manner in which such numbers and claims are quoted – and requoted – may lead the casual observer to believe they are based on official cybercrime metrics, yet few if any of these reports are the product of a comprehensive effort to consistently and objectively catalogue cybercriminal activity over time." (emphasis mine)
(Full disclosure, Stephen quotes my blog in his article - specifically my 30SEP2018 article "FBI's Crime Data Explorer: What the Numbers Say about Cybercrime.")
A reasonable approach to estimating the impact of Cybercrime might be to create various categories, suggest a reasonable maximum for each of them, and add them all together to create your estimate. That is the approach taken by some of my greatest cybersecurity heroes, in their excellent paper, "Measuring the Changing Cost of Cybercrime," presented at the 18th Annual Workshop on the Economics of Information Security. Is that the approach taken by Cybersecurity Ventures? No. Not even close.The $6 Trillion number that seems to be the point of the entire report seems to hinge on a single blog post from Microsoft, entitled, "The Emerging Era of Cyber Defense and Cybercrime" published 27JAN2016. The Cybersecurity Ventures article has a footnote listing this as their source for their $3 trillion base. Their Editor-in-Chief, Steve Morgan, by the way, continues to reference this number and use it in his fresh forecast. In his 13NOV2020 prognostication, he now claims "Cybercrime to Cost the World $10.5 Trillion Annually by 2025" and STILL references the Microsoft blog in the highlighted link "$3 Trillion USD in 2015."
https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ One would presume that the blog post linked by Steve to the words "$3 trillion USD in 2015" would make a claim that the cost of cybercrime in 2015 was $3 trillion. But that isn't what the Microsoft article says at all! What the Microsoft blog post by Pete Boden, General Manager of Cloud and Enterprise Security, actually says is that "The World Economic Forum estimates the economic cost of cybercrime to be $3 trillion worldwide."But even that is a mis-statement. The World Economic Forum certainly doesn't believe that the cost of cybercrime is two orders of magnitude higher than any reasonable estimate. What did they actually say?
The report is "Risk and responsibility in a Hyperconnected World" published by the World Economic Forum, in collaboration with McKinsey & Company.
"Current trends could result in a backlash against digitization, with huge economic impact. Major technology trends like massive analytics, cloud computing, and big data could create between US $9.6 trillion and US $21.6 trillion in value for the global economy. If attacker sophistication outpaces defender capabilities -- resulting in more destructive attacks -- a wave of new regulations and corporate policies could slow innovation, with an aggregate economic impact of around US $3 trillion." - p.3
Three things to note:
1) the loss they are forecasting is A REDUCTION IN FUTURE ECONOMIC VALUE of certain technologies (analytics, cloud computing, big data) DUE TO A SLOW DOWN IN INNOVATION.
2) that loss would only come about IF THERE ARE NEW REGULATIONS IMPOSED that would stifle creativity in these areas.
3) The CUMULATIVE EFFECT between the time of the report (2014) and SIX YEARS LATER (2020) was said to have a potential of reaching $3 Trillion.
So how on earth did Cybersecurity Ventures reach their number?
First, they clearly never read the World Economic Forum / McKinsey report, or they would certainly have been unable to say that the impact of Cybercrime had been $3 trillion in 2015. Again, the $3 trillion was OVER THE COURSE OF SIX YEARS (or $500 Billion per year on the average) and ONLY IF REGULATORY CONDITIONS CHANGED DRAMATICALLY causing "unrealized potential economic value" to the tech industry.
But how did they get from $6 Trillion to $3 Trillion, even if they wrongly believed that the $3 Trillion was an annual number? Simple. In their report, they say there were 2 billion Internet users in 2015, they predict there will be 6 billion Internet users by 2022. They then say "Like street crime, which historically grew in relation to population growth, we are witnessing a similar evolution of cybercrime. It's not just about more sophisticated weaponry; it's as much about the growing number of human and digital targets." (See: "2019 Official Annual Cybercrime Report," p.4). In other words, since there are so many more people, the false $3 Trillion is now $6 Trillion, right? No. That isn't how crime works, and it isn't how cybercrime works either.
According to the Cybersecurity Ventures report, the $6 Trillion in damages would consist of:
- Damage and destruction of data
- Stolen money
- Lost productivity
- Theft of intellectual property
- Theft of personal and financial data
- Embezzlement
- Fraud
- Post-attack disruption
- Forensic investigation
- Restoration and deletion of hacked data
- Reputation harm
How Much Is $6 Trillion?
Ransomware Math
A Little Help?