The US Goverment Accountability Office has published a report on the cost of crime, and how those are computed. I looked at that report as measure of how we are reporting the costs of cybercrime, which the FBI says costs hundreds of millions of dollars a year - numbers which are reported differently by different news agencies. Forbes says that number will be $2 Trillion by 2019. CNET says the FBI reports costs of $67B for computer crime. There are several other estimates that are higher and lower than these numbers. The Press is all over the map because, as the GAO shows for crime in general, the numbers are computed differently.
The GAO does not help this very much by their proposal to include as direct costs such things as incarceration of criminals, defense attorneys for criminals, costs of police investigations, recidivism, costs of potential bias (or in this case understanding of the nature of the crime), and last, but not least, the uncertainty of cost estimates. These are assumed to already include the cost of buying security devices and software to improve oversight of security functions. To me, these are costs of prevention of crime, and not the cost of crime per se.
Next GAO is looking at the unreported crime as part of the cost of crime. This is something nobody can measure since unreported crime is not documented anywhere. Any guess as to the amount, like the number of people who don’t report being scammed by “the IRS wants you to call” routine is just a guess. Second, much of cybercrime is committed in places where prosecution is not possible, or very difficult- like Russia. Identity theft is an international crime now with brokers of numbers, buyers and sellers of identities, and sophisticated banking operations to siphon big money from those schemes.
GAO needs to re-examine this whole area for a more accurate separation of crime prevention and crime cost. Crime costs should come from the failure of crime prevention. They should be computed as the value of goods and services lost as a result of the crime committed. Tell me Experian is not having costs associated with the loss of data, their customers will not have losses due to identity theft, or law enforcement will not have costs running down the people who stole the data. Nobody is putting those numbers together to get a total cost of a cyber event like this one. No wonder the cost estimates are all over the map. GAO needs to do better than this report to help anyone make decisions about how to compute costs of a crime.
No comments:
Post a Comment