Just a Standard Blog
By: Douglas S. Thomas
The cyber world is relatively new, and unlike other types of assets, cyber assets are potentially accessible to criminals in far-off locations. This distance provides the criminal with significant protections from getting caught; thus, the risks are low, and with cyber assets and activities being in the trillions of dollars, the payoff is high.
When we talk about cybercrime, we often focus on the loss of privacy and security. But cybercrime also results in significant economic losses. Yet the data and research on this aspect of cybercrime are unfortunately limited. Data collection often relies on small sample sizes or has other challenges that bring accuracy into question.
In a recent NIST report, I looked at losses in the U.S. manufacturing industry due to cybercrime by examining an underutilized dataset from the Bureau of Justice Statistics, which is the most statistically reliable data that I can find. I also extended this work to look at the losses in all U.S. industries. The data isfrom a 2005 survey of 36,000 businesses with 8,079 responses, which is also by far the largest sample that I could identify for examining aggregated U.S. cybercrime losses. Using this data, combined with methods for examining uncertainty in data, I extrapolated upper and lower bounds, putting 2016 U.S. manufacturing losses to be between 0.4% and 1.7% of manufacturing value-added or between $8.3 billion and $36.3 billion. The losses for all industries are between 0.9% and 4.1% of total U.S. gross domestic product (GDP), or between $167.9 billion and $770.0 billion. The lower bound is 40% higher than the widely cited, but largely unconfirmed, estimates from McAfee.
What makes the estimates startling is that, despite being higher than commonly cited values, the assumptions I used to calculate losses pushed the lower bound estimate down significantly, meaning the true loss may be much higher. I calculated the low value assuming that those who did not respond to the Bureau of Justice Statistics survey did not experience any losses. This amounted to 77% of the 36,000 businesses surveyed being presumed as having no loss; thus, the true loss is most likely higher than the low estimate.
Additionally, the 2005 data from the Bureau of Justice Statistics comes from a time when cybercrime was considered to be less of a problem and the digital economy was smaller. If the Bureau of Justice Statistics data is representative, that is, if the average losses of the respondents’ companies equals the actual average U.S. losses per company, then the losses approach the high estimate of $36.3 billion for manufacturing and $770 billion for all industries. This would make total cybercrime losses greater than the GDP of many U.S. industries, including construction, mining and agriculture. If the losses per company have increased faster than inflation, which is likely, then the losses would be even higher.
Most other estimates, including widely cited values, tend not to present technical details of data collection and analysis. Also, some estimates assume that the ceiling of cybercrime losses doesn’t exceed the cost of car crashes or petty theft in a given year. However, cybercrime is not comparable to other types of property crime or losses. Typical property losses require physical presence, which limits the loss or damage. For instance, a burglar must be physically present to steal an object from a home or business. Cyber assets, however, are potentially accessible to any would-be criminals on the planet without them needing to leave their homes.
The removal of this obstacle (the need for physical presence) is a game-changing factor for criminal activity, making cybercrime more prevalent. For example, my personal information (e.g., Social Security number) has been stolen countless times and my credit card information has been stolen and used on numerous occasions, but my house has never been burglarized and my car has only been broken into once. If I wanted to engage with a cybercriminal, I would only need to look in my email inbox, but I have no idea where I could find a burglar.
My report describes methods in detail, uses public data, and doesn’t assume the losses are similar to other types of crime. Since the data I used from the Bureau of Justice Statistics is from 2005, these estimates are likely low. The digital economy, measured in real dollars, grew 129% between 2005 and 2016, and I did not adjust for this increase. Additionally, the number of businesses, which is used for estimation, was lower in 2016, according to the Census Bureau’s Annual Survey of Entrepreneurs. This pushes my low estimate for losses down even further.
Economic growth in recent years for the U.S. has been between 2% and 3%, at least prior to the COVID-19 pandemic. While this is considered a healthy growth rate, my estimates show that the economy could be growing even faster if not for cybercrime. With the U.S. being a wealthy country and having a commonly spoken language that increases the number of potential offenders (it’s difficult to send phishing emails in an unfamiliar language), it’s a prime target for cybercrime. If businesses and governmentunderestimate the risk, they might underinvest in strategies for mitigating it. For instance, they might hire fewer IT security experts, take unnecessary risks with data/information, or disregard a recommended security measure. The result is unnecessary losses that may be quite substantial. If these losses are in the area of intellectual property, they can also reduce incentives for investing in research and development, limiting economic growth even more. For these reasons, it’s critical to gain a better understanding of cybercrime loss.
The implication from my report is that widely accepted estimates of cybercrime loss may severely underestimate the true value of losses. One of the first steps in addressing a problem such as cybercrime is to understand the magnitude of the loss, what types of losses occur, and the circumstances under which they occur. Without further data collection, we are in the dark as to how much we are losing. But the evidence suggests it’s more than we thought.
Cybersecurity, Information Technology and Manufacturing
About the author
Douglas S. Thomas is an economist in the Applied Economics Office at the National Institute of Standards and Technology. His work focuses on manufacturing industry costs, risksand economic decision...
As the power of AI grows, businesses, governments and the public will have to manage AI’s impact on society.
What would we do if the world ran out of room in the radio-frequency spectrum? It’s something NIST and our partners are working to prevent through spectrum
NIST and its partners in government and industry are working toward replicating the vital aspects of human driving and building a supporting infrastructure.
Question about the graph: how can the digital economy be more than the *total* economy? Isn't the digital economy a subset of the total?
It's plotted on the right axis, far less than the total GDP.
Ransomware is often crime
I have the same question regarding the grah. Why the orange line is above the blue line ? Is there part of the digital economy that would not be included in the global economy ? If this is the case, what are we talking about ?
Wow, really informative Douglas. Indeed, there are 3 or 4 methodologies that you point out where the numbers are being estimated far too low. And, while more qualified than most, those are the ones you can think of! Love this article will get the report. Thank you.
Given Dan Steven's question, it occurs to me that plot cybercrime as a % of GDP might be a little more eye-opening. I have enough numerical literacy to where I can more or less do that in my head, but most people cannot. Also, plotting % of GDP automatically adjusts for inflation.
HIre less security experts/ developers??? No way. I need a job.
China, Russia and the DNC. NSA, blockchain, cryptocurrency, quantum computers. The Federal Reserve creates digital trillion$ every month. What's real anymore? One big Carrington Event and .....
Doug, great article first off. Is there an initiative in the works to perform a more comprehensive and current report?
There has been some discussion of additional work, but nothing is scheduled at this time.
Nice article, but the data presented are too old, if this article presented and discussed with the latest data, then this article will be much more interesting.
Another big money impact: waste in US healthcare spending is also about the same as cybercrime $750B. Two huge opportunities for US voters.
A nice blog; the whole digital supply chain, needs attention from the cyber security perspective; as opposed to mere end -users.
Is this post tagged correctly? It is not showing up in the Cybersecurity topic feed, and I think it should.
Thank you for bringing that to our attention! We have fixed it!
All govts should have passed cyber crimes prevention laws with universal applicable provisions along with trans-border access of criminals.
Add new comment
Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked device. Most cybercrime is committed by cybercriminals or hackers who want to make money.What are the worst cyber crimes? ›
- The Melissa Virus. ...
- NASA Cyber Attack. ...
- The 2007 Estonia Cyber Attack. ...
- A Cyber Attack on Sony's PlayStation Network. ...
- Adobe Cyber Attack. ...
- The 2014 Cyber Attack on Yahoo. ...
- Ukraine's Power Grid Attack.
It is being committed every day right now. Thieves commit cyber crimes to steal people's money and their identity. With your identity, the thief can take out loans, incur credit, accumulate debt and, then flee without a trace. It can take years to rehabilitate your identity.Why is cybercrime so difficult to stop? ›
The world of cyber crime is more complicated. There are too many cybersecurity incidents and too little law enforcement resources available to keep up with the crime. To add more complexity to the issue, there are jurisdictional boundaries that prevent criminals from being prosecuted.What can we do to stop cybercrime? ›
- Use a full-service internet security suite. ...
- Use strong passwords. ...
- Keep your software updated. ...
- Manage your social media settings. ...
- Strengthen your home network. ...
- Talk to your children about the internet. ...
- Keep up to date on major security breaches.
- Easy Access System. It is often difficult or impossible to safeguard a system from data breaches that involve complex technologies. ...
- Storing Data in a Small Space. ...
- Complex Codings.
Cyber-crime is unfortunately getting worse every year. Over a six year period, the number of personal records and data breaches went from a mediocre but still damning 3.8 million cases, rising to an unprecedented 3.1 billion in 2016.What is the biggest cyber threat today? ›
Malware is the most common type of cyberattack, mostly because this term encompasses many subsets such as ransomware, trojans, spyware, viruses, worms, keyloggers, bots, cryptojacking, and any other type of malware attack that leverages software in a malicious way.Why cyber crime is serious? ›
Cybercrime – An overview
Some of the most commonly known cybercrimes include identity theft, ransomware, cyber extortion, phishing, data breach, online shopping scams, etc. The ill effects of cybercrimes often lead to extreme financial ruin and reputation loss to both businesses and individuals.
The psychological impact of cybercrime can also give birth to anxiety, secondary victimization, depressive symptoms, a sense of helplessness, fear and perceived risk, loss of trust, and loss of autonomy and control, which often is an outcome of a sense of violation.
In some ways, a cyber attack can feel like the digital equivalent of being robbed, with a corresponding wave of anxiety and dread. Anxiety, panic, fear, and frustration – even intense anger – are common emotional responses when experiencing a cyber attack.Is cyber crime getting worse? ›
6. The COVID-19 pandemic has only made this problem worse, with cybercrime rates increasing by 600%. During the COVID-19 pandemic, cybercrime has increased drastically by 600% affecting all types of businesses.Is cybercrime getting worse? ›
The cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025, according Cybersecurity Ventures' "2022 Official Cybercrime Report," sponsored by eSentire.Are cyber crimes solved? ›
A report from last month said that, of the 32,286 cybercrime cases registered by Karnataka police since 2019, only 7,835 cases or 24% have been solved so far.Can all cyber crime be prevented? ›
After all, cyber crime can't be stopped completely. But sometimes it can be prevented. It all starts with practicing good online safety habits. Here are seven things that you can start doing today to better protect against computer crime.How is cyber crime controlled? ›
Check security settings to prevent cybercrime: A cyber firewall checks your network settings to see if anyone has logged into your computer. Using antivirus software: Using antivirus software helps to recognize any threat or malware before it infects the computer system.Who do cybercrime happen to? ›
These attacks can be against governments, businesses or individuals and are not always necessarily large-scale or wide-ranging. A cyber attack can cripple a computer system, meaning a business loses money because its website is inaccessible or it can stop a government body from offering an essential service.Who is the common victim of cybercrime? ›
Those who use the Internet, email, social media and vulnerable computers will be the likely victims.Why cyber crime is increasing? ›
As technology advances and our use of it evolves, so does cybercrime and the way criminals capitalise on vulnerable security systems for their gain. Un-targeted cyber-attacks such as phishing and ransomware have seen rampant growth in the last 2 years as more opportunities present themselves to cybercriminals.What are the advantages of cyber crime? ›
With more cybercrime going on there becomes more of need for people to protect themselves. This makes businesses that deal with computer software to protect unwanted ads or sites to show up higher in demand. The companies are growing because of the use of cybercrimes. They are the winners out of cybercrime.
Social Security numbers, banking information, and personal data of nearly 1.5 million customers were stolen by threat actors. The healthcare industry is particularly vulnerable to cyber attacks due to the wealth of Personal Identifiable Information (PII) their systems store.What is the most common threat on the internet? ›
Computer viruses are the most common among internet security threats out there. Viruses enter your computers by attaching to a host file or a system. Once they enter your computer, they can create damage instantly or remain dormant.
The operation has been launched in coordination with state police, Interpol and agencies of other countries, they said. The CBI said 16 persons were arrested by Karnataka Police, seven by Delhi Police, two by Punjab Police and one by Andaman and Nicobar Police.Is cybersecurity good or bad? ›
Cybersecurity is crucial because it safeguards all types of data against theft and loss. Sensitive data, protected health information (PHI), personally identifiable information (PII), intellectual property, personal information, data, and government and business information systems are all included.How social media affects cybercrime? ›
Cybercrime has breached social media networks, thanks to both increased users and increased use. Hackers look for opportunities to gain access to people's accounts, personal or financial information, typically through suspicious links or downloads.When did cybercrime become a problem? ›
1962. The modern history of cybercrime began when Allen Scherr launched a cyber attack against the MIT computer networks, stealing passwords from their database via punch card.What is cyber crime in detail? ›
Cybercrime may be defined as “Any unlawful act where computer or communication device or computer network is used to commit or facilitate the commission of a crime”.What is cyber crime essay? ›
Cybercrime is a type of crime in which illegal activities are carried out online or using computers. Cybercrime comes in a variety of forms which involves harassing online users. Cybercrime is the most serious and rapidly expanding type of crime in this day and age.Which are cyber crimes? ›
There are several types of cybercrimes; the most common ones are email frauds, social media frauds, banking frauds, ransomware attacks, cyber espionage, identity theft, clickjacking, spyware, etc.What are 5 cyber crimes? ›
- Phishing Scams.
- Website Spoofing.
- IOT Hacking.
It reveals that the people most vulnerable to cybercrime tend to be adults over 75 and younger adults. The report analyzes all cybercrime activity from July 2020 to December 2020, and reveals the unprecedented growth in criminal activity across the world.Are cyber attacks illegal? ›
Cybercrime. Yes. The federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, is the primary statutory mechanism for prosecuting cybercrime, including hacking, and also applies to some related extortionate crimes such as in the context of ransomware.How cyber crime affects society? ›
The ill effects of cybercrimes often lead to extreme financial ruin and reputation loss to both businesses and individuals. Moreover, the repercussions of cybercrimes can affect society in numerous ways. Cybercrime can take numerous forms, be it online scams for petty thefts or serious threats like terrorism.Why is it important to prevent cybercrime? ›
One single security breach can lead to exposing the personal information of millions of people. These breaches have a strong financial impact on the companies and also loss of the trust of customers. Hence, cyber security is very essential to protect businesses and individuals from spammers and cyber criminals.Why is cyber crime awareness important? ›
It can instill good cybersecurity hygiene—habits that will make it easier for them to avoid falling victim to security threats in the future—and facilitate an organizational culture built around threat prevention and mitigation.What is the most popular cyber crime? ›
These include thefts, scams, and harassment, which have existed for centuries, way before computer science started to develop. Since these are the most common cybercrimes we will be focusing on these ones for this article.Why do people commit crimes? ›
These included biological, psychological, social, and economic factors. Usually a combination of these factors is behind a person who commits a crime. Reasons for committing a crime include greed, anger, jealously, revenge, or pride.Why are cyber attacks increasing? ›
The escalation of cyberattacks is attributed to more agile hackers and ransomware gangs who focused on exploiting collaboration tools used by remote workers and schools and educational institutions that shifted to e-learning during the pandemic, as well as a significant increase in attacks on healthcare organizations.What is the latest cyber crime? ›
- Delhi Man Arrested For Creating Fake Instagram Account Of Ex-Girlfriend. ...
- 40 Bank Customers Lose Lakhs In 3 Days. ...
- Male Nurse Rapes Kerala Doctor, Sharers Her Nude Photos Online. ...
- Ghaziabad Man Arrested For Posting Delhi Woman's Morphed Pics On Instagram.
Those who use the Internet, email, social media and vulnerable computers will be the likely victims.
If you are charged with federal hacking crimes under 18 U.S.C. § 1030, you could face up to a year in federal prison for lesser offenses, between 10-20 years for more serious offenses, and even life in prison if the hacking resulted in someone's death.