Estimating the Cost of Internet Insecurity

It's really hard to estimate the cost of an insecure Internet. Studies are all over the map. A methodical study by RAND is the best work I've seen at trying to put a number on this. The results are, well, all over the map:

"Estimating the Global Cost of Cyber Risk: Methodology and Examples":

Abstract: There is marked variability from study to study in the estimated direct and systemic costs of cyber incidents, which is further complicated by the considerable variation in cyber risk in different countries and industry sectors. This report shares a transparent and adaptable methodology for estimating present and future global costs of cyber risk that acknowledges the considerable uncertainty in the frequencies and costs of cyber incidents. Specifically, this methodology (1) identifies the value at risk by country and industry sector; (2) computes direct costs by considering multiple financial exposures for each industry sector and the fraction of each exposure that is potentially at risk to cyber incidents; and (3) computes the systemic costs of cyber risk between industry sectors using Organisation for Economic Co-operation and Development input, output, and value-added data across sectors in more than 60 countries. The report has a companion Excel-based modeling and simulation platform that allows users to alter assumptions and investigate a wide variety of research questions. The authors used a literature review and data to create multiple sample sets of parameters. They then ran a set of case studies to show the model's functionality and to compare the results against those in the existing literature. The resulting values are highly sensitive to input parameters; for instance, the global cost of cyber crime has direct gross domestic product (GDP) costs of $275 billion to $6.6 trillion and total GDP costs (direct plus systemic) of $799 billion to $22.5 trillion (1.1 to 32.4 percent of GDP).

Here's RAND's risk calculator, if you want to play with the parameters yourself.

Note: I was an advisor to the project.

Separately, Symantec has published a new cybercrime report with their own statistics.

Posted on January 29, 2018 at 6:18 AM • 16 Comments


me • January 29, 2018 6:53 AM

*maybe* if NSA doesn't spend all their time sabotaging things that work and stops inserting backdoors everywhere the security can increase

mike acker • January 29, 2018 7:52 AM

Hopefully they have made a good effort to include the cost of labor directed at security measures -- which the anecdotal evidence shows -- are less effective than what is needed.

Too, consumers are likely to balk at cost saving automation based on the anecdotal evidence which clearly shows various automation such as the "Internet of Things" are less secure than what they ought to be.

It is my impression that most of the trouble has its roots in 4 problem areas:
1. computer programs which have more capabilities than they need to have;
2. poor familiarization for digital authentication of network transactions;
3. lack of product liability;
4. insecure operating software in some systems;

mike acker • January 29, 2018 8:09 AM

the Rx for cybercrime continues to be mis-directed, generally addressing poor consumer habits

the real trouble lies in un-authorized programming

un-authorized programming makes its advantage from poor o/s security and a lack of proper authentication of program distributions.

writing your password on paper is a lot less risk than running your computer with a keyboard logger active.

keiner • January 29, 2018 8:14 AM

RAND corp? srsly? Have a look at the CEO. His qualification (according to Wikipedia) is his father?

herman • January 29, 2018 8:32 AM

$799 billion to $22.5 trillion:
So, the cost of cyber crime is whatever you want it to be.

HJohn • January 29, 2018 9:43 AM

@herman • January 29, 2018 8:32 AM

$799 billion to $22.5 trillion:
So, the cost of cyber crime is whatever you want it to be.

Part of the range disparity is that there is so much gray area as to what is a cybercrime cost.

Obviously prevention/detection, both systematic and personnel, are costs. One incident from years past comes to mind, and that is an authorized attack attempt against a financial website conducted without response staff knowledge. The IDS flagged it, and the staff decided to shut down the system... during the business day. This incident cost the entity a lot of money. Of course, they learned a valuable lesson... while their IDS was working, their intrusion response plan was inadequate.

The question? Would this be considered a cybercrime expense? Some would say yes, all the business losses from the entire incident are cybercrime prevention/detection/response and would count. Some would say no, it was self inflicted and not the result of a crime, and the business losses should not be included. Still others would say partially, that the cost of the assessment/tools/staff are, but that the business losses aren't. These would be three different ways to measure the cost, and the differences would be huge.

So ranges can offer huge disparity between the clear and the maybe. In reality, I think they'd be less deceptive than picking one or the other.


Impossibly Stupid • January 29, 2018 9:58 AM

Is there anyone out there serious about paying these costs? I get a ton of abuse directed at my servers, but there doesn't seem to be a single source network that is willing to compensate me for the effort of dealing with their insecure systems. Hell, most abuse contacts seem to go out of their way to discard any reports that might force them to cut off a paying customer. So long as there are perverse incentives like that, the true cost of abuse is going to be inherently difficult to nail down. The Internet has become a tragedy of the commons.

22519 • January 29, 2018 11:18 AM

RAND churns out pseudo-rigorous tripe much too often.

I was once intimately involved in the subject matter of a RAND study, and their approach to answering the question at hand was naive at best. I found that they did not want to upset the organization that was sponsoring the study and buttering their bread. Instead of telling the ugly truth, which would have benefited a lot of folks, they told comfortable falsehoods--after that my respect for RAND went to zero. They told falsehoods because their assumptions were pathetic and naive. They did not take into consideration the human factors--the mire, the contradictions, the tangled alliances of contradictory motives--that characterized the subject of the study I am referring to. But that did not hinder them from getting paid.

RAND sometimes tries to quantify stuff that cannot be measured. The question here is too broad and too complex to answer with any degree of certainty. To my mind, the salient topic is not about overall costs, but the identity of the overall winner, and that is China.

echo • January 29, 2018 2:06 PM

Calculating the economic cost of failure is a good idea. I don't have a link to hand but in the UK there has been some movement within government and healthcare/social care to recognise that mistakes or inadequacy or cost cutting for the sake of cost cutting can create an avalanche of knock on effects costing many multiple times more than doing things properly the first time. This is now slowly being turned into policy although how fast and how effective remains to be seen.

I forgot what site carries the article and did have a search but couldn't find it. A dot chart was published this week with impact versus likelihood axis of various threats from climate change to terrorism to economic collapse and cyberthreats.

Drone • January 30, 2018 2:14 AM

1. Nobody really has a CLUE what the true cost of cyber insecurity is. Estimates and research methods are all over the map and remain essentially unverifiable.

2. Currently nobody CARES what the true cost of cyber insecurity is because it isn't big enough to really matter (yet). Businesses keep silent and simply pass the costs on to the consumer base as a whole thereby diluting the impact. Because of the secrecy surrounding the whole subject, both consumers (victims actually) and regulators really have no CLUE what is really happening.

3. The only consolation is that in-general cyber insecurity is (so-far) NOT causing a big enough problem for society as a whole to demand comprehensive and transparent action. But the proverbial Ticking Time-Bomb is real in this case, and there is little (if anything) that can be done to disarm it.

Larry • January 30, 2018 4:43 AM

@ mike acker
What do you mean by "un-authorized programming"?
What programming & who should authorize it?

AJ Finch • January 30, 2018 11:09 AM

This paper discusses the cost of an insecure internet compared with a secure internet.

I wonder what is the cost of an insecure internet compared with no internet?
(I suspect it's a profit, not a cost).

Chris • January 30, 2018 7:10 PM

could be retitled "Estimating the Cost of Putting Data on the Internet". spoiler alert: the internet will always have security vulnerabilities.

chris • January 31, 2018 4:18 PM

Years ago (like in 2006), The Register ran an article which started out evaluating the cost of Internet security breaches. It then turned to things like the cost of "lost productivity" due to March Madness brackets, smoking, drinking and other middle class pleasures. The estimated total of all this loss soon added up to more money than actually existed. So, yeah, whenever I see a cost put to some Internet happening (especially if it's from a security vendor -- no offence intended, Bruce) I get skeptical.

Anura • January 31, 2018 4:46 PM

It doesn't really mean anything that it adds up to more than the economy. If we could be twice as productive, then there would be twice as much money - thus, lost productivity would be costing us half our potential (i.e. cost of lost productivity = GDP). However, in the case of things like recreational activity leading to less productivity, it might be worth the cost as work isn't the object of life.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.