A recent study that greatly reduces an often-cited estimate of the
economic impact of cybercrime and cyberespionage should not give
companies a reason to spend less on security, experts say.
The McAfee-sponsored report,
released on Monday, found that Internet-based crime and spying cost the
U.S. economy as much as $100 billion a year, not the $1 trillion
originally estimated by the Intel-owned security vendor. The study was
done in conjunction with the nonprofit Center for Strategic and
The analytical approach used in the latest findings is closer to reality
than the previous methodology based on notoriously imprecise corporate
surveys. McAfee acknowledges that the earlier figure, included in
President Barack Obama’s 2009 cybersecurity speech, was inflated.
“There were some methodological challenges with the [original] study and
we felt that the right thing to do was to work with the top think tank
in the world focused on security and come up with a better study to set
the record straight,” Tom Gann, vice president of government relations
at McAfee, said on Tuesday.
But whether the macroeconomic figure is $100 billion, $1 trillion or
somewhere in between, it should not affect how much a company decides to
spend on security, experts say.
Avivah Litan, an analyst with Gartner, compared security spending to
preparing for a natural disaster, such as Hurricane Sandy, which
devastated parts of New Jersey and New York in 2012. Such events may
happen once in decades, but if you are not prepared, the losses could be
“When you build security defenses, you don’t know if you’re going to get
attacked, and if you’re going to wait until you get attacked, then it’s
too late,” Litan said.
Stewart Baker, a former assistant secretary for policy at the Department
of Homeland Security (DHS) and a co-author of the study, said companies
should not take comfort in the fact that $100 billion is less than 1%
of the U.S. gross domestic product (GDP).
“I’m skeptical about treating [cyberintrusions] as a manageable cost
unless a company has done an informed analysis of who wants their data
and what the long term consequences of letting them have it might be,”
Baker said. “If you’re not of interest to foreign governments or
state-owned competitors, or a target for criminals seeking money, then I
think you probably can treat it as a tolerated cost. But that’s a
In deciding how much to spend on cybersecurity, a company should first
determine how likely it is to be a target of cybercriminals, hacktivists
or cyberspies, Baker said. A company should then figure out the worst
that can happen if a network is compromised by one of these adversaries.
The study’s macroeconomic numbers are most valuable as a description of
the broad cybersecurity challenges companies face, which should be
helpful in conversations between chief security officers and chief
executives, Gann said.
“It creates a more thoughtful kind of dialogue,” he said.
In estimating losses, the study considered the cost of cybercrime and
service disruptions, the theft of IP and sensitive business information
and the damage to reputation. In addition, the report considered the
cost of securing networks, insurance and recovery from cyberattacks.
On a worldwide basis, the report found that cybercrime and espionage
cost as much as 1.4% of the global economy, or between $300 billion and $1
trillion a year.