FBI Says Computer Crime Costs Billions Every Year

JamesAlfaro wrote to mention a C|Net article putting a pricetag on computer crime. From the article: "The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period. The average cost per company was more than $24,000, with the total cost reaching $32 million for those surveyed. Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent. "

Mod parent insightful!

[Spy+der+Mann]

Considering most of the vulnerabilities exploited in "computer crime" are Windows flaws, we could say that by switching to (insert your distro here) we could save the licensing costs, PLUS the computer crime related costs.

(Disclaimer: Yeah yeah, i know this is slashdot and I'm probably not the first in mentioning it yadda yadda)

Re:Some Guy says computer crime creates jobs

[dada21]

Our promise to our customers is to fix it and it won't happen again.

If it happens again, we fix it without charging them. How is that untrustworthy?

Or, you can ask the cops to sit in front of your house and make sure you don't get robbed. I'd rather pay a private security firm to handle my security, thank you very much.

Prevention is better than trying to get someone busted for a previous crime because you didn't take the steps necessary to protect your assets.

*insert squealing breaks sound*

[voice_of_all_reason]

suffered a financial loss from computer security incidents

Whoa, whoa. Back the truck up here, pal. Define "loss." I'm betting the overwhelming majority of the reported un-cash is probably:

1) "Lost" sales -- which is money the company didn't have in the first place
2) Money paid to try and prevent computer crime (which was their choice, and obviously didn't work
3) Money paid to chase criminals after the fact (which, though necessary, shouldn't be lumped together with what a robber stole)

That leaves a very small percentage of money that was actually substracted from a bank account somewhere.

security vs defects, what to fix?

[DeveloperAdvantage]

I am curious how this would compare to the costs incurred due to defects in software. Back in 2002, NIST reported "Software bugs, or errors, are so prevalent and so detrimental that they cost the U.S. economy an estimated $59.5 billion annually":

http://www.nist.gov/public_affairs/releases/n02-10 .htm

Has anyone seen an update to this report?

With limited resources, organizations need to choose between fixing security problems or fixing others types of defects in their software.

"Should have already spent"

[gnovos]

Most, nearly all, of the "cost" of computer crime comes from running a full security audit of your systems and locking down the security procedures and controls you will use to keep it from happenng again. If these companies had a competent computer security policy in the first place, they would find thier "costs" much less.

It's like a thief crashing through your dry-rot, termite-infested walls and then blaming HIM that you have to rebuild your whole house now. This money is almost always money that *should* have been spent, but wasn't in the name of cost-cutting or just general laziness.

Re:FBI questions Bill

[Hymer]

• if I forget to lock the door it is my fault
• if thief picks my lock it is not my fault and it is theft
• if the lock i faulty by design then it is the manufacturers fault

...why is the software business not treated that way ?
Microsoft had two or three possibilities for fixing the security problems in Windows and we are still seeing security issues that are 10 years old...
...and the reason for allmost all of these security issues can be isolated to a simple "it would cost to much to fix"...
--
This sig suck...

Re:Who knows what else the FBI says...

[TubeSteak]

Not necessarily, though since most people are ignorant about computers, you're probably right.

There are diminishing returns when it comes to trying to solve any problem. Which is better:

1. $67 billion lost to computer crime
2. $100 billion spent to reduce #1

Fight Club:
A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.

In other news:

[vertinox]

Accountants enjoy new freedom of book keeping with "theoretical losses" of arbitrary fitgures they pulled off the top of their head:

Accountant: So how much did you think we lost because of computer crime?

IT Guy: I dunno... Our server web server went down for a while and I joked that it was because some guy was hitting F5 in China.

Accountant: Ah! Excellent... *writes something down* So how much do you think it cost us.

IT Guy: Oh I dunno... Whats the cost of me getting up out of my seat to make a phone call to the guy down in the server room to boot it... Oh $0.35 cents?

Accountant: Hrm... *scratches chin* No good. But if I multiply it by inflation and theoretical estimates and carry the zero. By golly! I think we've lost over $2,000,000.35 to computer crime! Thats one hell of a tax break. Daddies going to be rolling in the bonus this year!

IT Guy: But... I... Oh never mind...