Diversi sono gli studi che provano a quantificare i danni economici arrecati dal c.d. cyber-crime ma questo che vi segnalo, riguardante la Gran Bretagna, mi sembra essere più accurato dei precedenti e soprattutto giunge a conclusioni… per così dire… non convenzionali rispetto a quanto si legge (o si sente) in giro. Non volendo sbagliare lascio a voi l’onere di “fare le pulci” a questa ricerca: “Measuring the Cost of Cybercrime“.

The data we have collected indicates that, in terms of the measurable costs:
- Traditional frauds such as tax and welfare fraud cost each of us as citizens a few hundred pounds/euros/dollars a year.12 With such crimes, the costs of defences, and of subsequent enforcement, are much less than the amounts stolen.
- Transitional frauds such as payment card fraud cost each of us as citizens a few tens of pounds/euros/dollars a year. Online payment card fraud, for example, typically runs at 30 basis points, or 0.3% of the turnover of e-commerce rms. Defence costs are broadly comparable with actual losses, but the indirect costs of business foregone because of the fear of fraud, both by consumers and by merchants, are several times higher.
- The new cyber-frauds such as fake antivirus net their perpetrators relatively small sums, with common scams pulling in tens of cents/pence per year per head of population. In total, cyber-crooks’ earnings might amount to a couple of dollars per citizen per year. But the indirect costs and defence costs are very substantial { at least ten times that. The cleanup costs faced by users (whether personal or corporate) are the largest single component; owners of infected PCs may have to spend hundreds of dollars, while the average cost to each of us as citizens runs in the low tens of dollars per year. The costs of antivirus (to both individuals and businesses) and the cost of patching (mostly to businesses) are also signicant at a few dollars a year each.

This brings us to an interesting question. Traditional acquisitive crimes, such as burglary and car theft, tend to have two properties. The first is that the impact on the victim is greater in nancial terms than either the costs borne in anticipation of crime, or the response costs afterwards such as the police and the prisons.[…] Drilling down further into the victim costs, we nd that for nonviolent crimes the value of the property stolen or damaged is much greater than the cost of lost output, victim services or emotional impact. With the new cybercrimes, the pattern is much more like robbery, where (according to UK Home Oce 2005 gures) only $109 is stolen but the additional costs include $483 for health services, $1 011 for lost output, and a whopping $3 048 for distress.

It may be worth noting that the criminal justice system recognises the quite disproportionate social costs of robbery as opposed to burglary; the typical robbery incurs $2 601 of criminal justice system costs compared with a typical burglary, where a much larger amount ($846) is stolen and yet less than half as much ($1 137) is spent on justice. Yet while robbers get longer sentences than burglars do, cyber-crooks get shorter ones. This is probably because cyber-crimes, being impersonal, evoke less resentment and vindictiveness. Indeed, the crooks are simply being rational: while terrorists try to be annoying as possible, fraudsters are quite the opposite and try to minimise the probability that they will be the targets of eective enforcement action.
Why does cyber-crime carry such high indirect and defence costs? Many of the reasons have been explored in the security-economics literature: there are externalities, asymmetric information, and agency eects galore. Globalisation undermines the incentives facing local police forces, while banks, merchants and service providers engage in liability shell games. We are also starting to understand the behavioural aspects: terrorist crimes are hyper-salient because the perpetrators go out of their way to be as annoying as possible, while most online crooks go out of their way to be invisible. The possible policy remedies have also been discussed at length, from better statistics to better international cooperation. But what’s the priority?

The straightforward conclusion to draw on the basis of the comparative figures collected in this study is that we should perhaps spend less in anticipation of computer crime (on antivirus, rewalls etc.) but we should certainly spend an awful lot more on catching and punishing the perpetrators […].