Sunday, April 15, 2012

The low financial returns to cybercrime

Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved; annual loss estimates range from billions to nearly $1 trillion. ...

We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. ...

Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing. Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward. Just as unregulated fish stocks are driven to exhaustion, there is never enough “easy money” to go around. ...

How do we reconcile this view with stories that cybercrime rivals the global drug trade in size? One recent estimate placed annual direct consumer losses at $114 billion worldwide. It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable. ...

A cybercrime where profits are slim and competition is ruthless also offers simple explanations of facts that are otherwise puzzling. Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.
--Dinei Florêncio and Cormac Herley, Microsoft Research, on cybercrime not paying