
The Cost of Cyber Crime Full Report - The Cabinet Office


THE COST OF CYBER CRIME.
A DETICA REPORT IN PARTNERSHIP WITH THE OFFICE OF CYBER SECURITY AND INFORMATION ASSURANCE IN THE CABINET OFFICE.
Executive summary
Chapter 1: Introduction
Why estimate the cost of cyber crime?
Chapter 2: What is cyber crime?
What types of cyber crime have we considered?
Who are the cyber criminals?
What do cyber criminals target?
What is the impact of cyber crime?
Chapter 3: Study methodology
Constraints and assumptions
Sources of data on IP theft
Our methodology for assessing the impact of IP theft
Our methodology for assessing the impact of industrial espionage
Chapter 4: Results and analysis
Cost to citizens
Cost to the Government
Cost to businesses
Other findings
Chapter 5: Conclusions and recommendations
The cost of cyber crime is significant and growing
The impact of cyber crime is felt most by UK business
The UK needs to build a comprehensive picture of cyber crime
Annex A: Organisations consulted
Annex B: Business sector background
About Detica

EXECUTIVE SUMMARY

WHY ESTIMATE THE COST OF CYBER CRIME?
Our society has become almost entirely dependent on the continued availability, accuracy and confidentiality of its Information and Communications Technology (ICT). As well as significant benefits, the technology has enabled old crimes to be committed in new and more subtle ways. In its National Security Strategy, cyber threats are recognised by the Government as one of four ‘Tier One’ risks to the UK’s security.

But estimates of the cost of cyber crime have until now failed to address the breadth of the problem and have not been able to provide a justifiable estimate of economic impact. Therefore, the Office of Cyber Security and Information Assurance (OCSIA) worked in partnership with Detica to look more closely at the cost of cyber crime in the UK and, in particular, to gain a better appreciation of the costs to the UK economy of Intellectual Property (IP) theft and industrial espionage. Further developments of cyber crime policy, strategies and detailed plans thus benefit from greater insight.

WHAT IS CYBER CRIME?
For the purposes of this study, we are using the term ‘cyber crime’ to mean the illegal activities undertaken by criminals for financial gain. Such activities exploit vulnerabilities in the use of the internet and other electronic systems to illicitly access or attack information and services used by citizens, business and the Government. We have not included crimes that lack an over-riding financial motive, or attacks of cyber ‘terrorism’ or cyber ‘warfare’. In our study, we have focused on:
– identity theft and online scams affecting UK citizens;
– IP theft, espionage and extortion targeted at UK businesses; and
– fiscal fraud committed against the Government.

We recognise that the full economic impact of cyber crime goes beyond the direct costs we have been able to estimate in our study, but given the lack of available data and what we believe to be a significant under-reporting of cyber crime, we have had to be pragmatic in our approach.


STUDY METHODOLOGY
To address the complexity of less understood cyber crime, which is the focus of this study, we develop a causal model, relating different cyber crime types to their impact on the UK economy. The model provides a simple framework to assess each type of cyber crime for its various impacts on citizens, businesses and the Government. We use the causal model to map cyber crime types to a number of broad categories of economic impact, which are generally consistent with the types of parameters used in macro-economic models of the UK. We then calculate the magnitude of the costs of cyber crime using three-point estimates (worst-case, most-likely case and best-case scenarios), focusing in particular on IP theft and industrial espionage and its effect on the different industry sectors.

Our assessments are, necessarily, based on estimates and assumptions rather than specific examples of cyber crime, or from data of a classified or commercially-sensitive origin. We have drawn instead on information in the public domain, supplemented by the tremendous knowledge of numerous cyber security, business, law enforcement and economics experts from a range of public and private-sector organisations. We are indebted to all those individuals and organisations who contributed their time and expertise to this study.

RESULTS AND ANALYSIS
In our most-likely scenario, we estimate the cost of cyber crime to the UK to be £27bn per annum. A significant proportion of this cost comes from the theft of IP from UK businesses, which we estimate at £9.2bn per annum. In all probability, and in line with our worst-case scenarios, the real impact of cyber crime is likely to be much greater.

Although our study shows that cyber crime has a considerable impact on citizens and the Government, the main loser – at a total estimated cost of £21bn – is UK business, which suffers from high levels of intellectual property theft and espionage. Businesses bearing the brunt of cyber crime are providers of software and computer services, financial services, the pharmaceutical and biotech industry, and electronic and electrical equipment suppliers.

[Figure: Cost of different types of cyber crime to the UK economy (all types of cyber crime). Categories: online fraud, scareware, identity theft, IP theft, espionage, customer data loss, online theft from business, extortion, fiscal fraud; one category label carries the qualifier "(reported)". Vertical axis: £0M to £10,000M.]

CONCLUSIONS AND RECOMMENDATIONS
Cyber crime is a national scale issue. The cost to the economy, estimated at £27bn, is significant and likely to be growing. The ease of access to and relative anonymity provided by ICT lowers the risk of being caught while making crimes straightforward to conduct.

The impact of cyber crime does not fall equally across industry sectors. The results also challenge the conventional wisdom that cyber crime is solely a matter of concern for the Government and the Critical National Infrastructure (CNI), indicating that much larger swathes of industry are at risk. The results of this study suggest that businesses need to look again at their defences to determine whether their information is indeed well protected. Without urgent measures to prevent the haemorrhaging of valuable intellectual property, we believe that the cost of cyber crime is likely to rise even further in the future as UK businesses increase their reliance on ICT.

However, encouraging companies in all sectors to make investments in improved cyber security, based on improved risk assessments, is likely to considerably reduce the economic impact of cyber crime on the UK.

Although the existence of cyber crime in the UK economy appears endemic, efforts to tackle it seem to be more tactical than strategic. The problem is compounded by the lack of a clear reporting mechanism and the perception that, even if crimes were reported, little can be done. Additional efforts by the Government and businesses to build awareness, share insights and measure cyber crime would allow responses to be targeted more effectively.

£27BN: ESTIMATED COST OF CYBER CRIME IN THE UK.
[Figure: Cost of different types of cyber crime to UK industry sectors. Series: Espionage, IP theft, Online theft from business. Vertical axis: £0M to £3,000M. The industry-sector axis labels are not recoverable.]


CHAPTER 1
INTRODUCTION

WHY ESTIMATE THE COST OF CYBER CRIME?
Few areas of our lives remain untouched by the digital revolution. Across the world, there are now nearly two billion internet users and over five billion mobile phone connections; every day, we send 294 billion emails and five billion SMS messages; every minute, we post 35 hours of video to YouTube, 3,000 photos to Flickr and nearly 35,000 ‘tweets’[1,2]. Over 91 per cent of UK businesses and 73 per cent of UK households have internet access and £47.2 billion was spent online in the UK alone in 2009[3]. Our society is now almost entirely dependent on the continued availability, accuracy and confidentiality of its Information and Communications Technology (ICT). We need it for our economic health, for the domestic machinery of government, for national defence and for our day-to-day social and cultural existence.

Despite the technology’s obvious benefits, the seeds of criminality planted by the first computer hackers 20 years ago have allowed old crimes to be committed in new and more subtle ways. The information generated by the technology is also a target of considerable interest for individuals, groups, organisations and nation states with more malign intent. And the level of concern expressed by some commentators suggests that cyber crime is a problem of considerable magnitude[4]. In its National Security Strategy[5], for instance, the UK Government recognised cyber threats as one of four ‘Tier One’ risks to the UK’s security, and subsequently announced a £650m investment in a National Cyber Security Programme.

But, although the fears seem to be well founded, estimates of the impact of cyber crime have until now been no more than ‘best guesses’. For example, there is no mandatory reporting regime for citizens, companies or public-sector organisations, which forces them to declare having been the victim of cyber crime and what it has cost them. And the consequential effects of cyber crime may themselves take many weeks, months or even years to play out.

Therefore, the Office of Cyber Security and Information Assurance (OCSIA) worked in partnership with Detica to look more closely at the cost of cyber crime in the UK and, in particular, to gain a better appreciation of the costs to the UK economy of Intellectual Property (IP) theft and industrial espionage. In this study, we were also interested to understand which types of cyber crime have the largest economic impact and the relative risk faced by different industry sectors. Further developments of cyber crime policy, strategies and detailed plans will thus benefit from greater insight.

To address the complexity of less understood cyber crime, which is the focus of this study, we develop a causal model, relating different cyber crime types to their impact on the UK economy. The model provides a simple framework to assess each type of cyber crime for its various impacts on citizens, businesses and the Government. We use the causal model to map cyber crime types to a number of broad categories of economic impact, which are generally consistent with the types of parameters used in macro-economic models of the UK. We then calculate the magnitude of the costs of cyber crime, focusing in particular on IP theft and industrial espionage and its effect on the different industry sectors.

Footnotes
1 Email and internet statistics from the Pingdom Blog, January 2011 (http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers/)
2 Mobile statistics from Wireless Intelligence, July 2010 (http://www.wirelessintelligence.com/analysis/2010/07/global-mobile-connections-surpass-5-billion-milestone/) and DSLReports.com (http://www.dslreports.com/shownews/Wireless-Users-Send-5-Billion-SMS-A-Day-107515), 2010
3 “Cyber Security – A new national programme”, Emma Downing, House of Commons Library Standard Note SN/SC/5832, 19 January 2011
4 For example, see “Industrial espionage: Data out of the door” published in the Financial Times, 1 February 2011
5 “A strong Britain in an age of uncertainty”, National Security Strategy, October 2010
6 “Unsecured Economies: Protecting Vital Information”, McAfee, 2009

We have drawn on information in the public domain, supplemented by the tremendous knowledge of numerous cyber security, business, law enforcement and economics experts from a range of public and private-sector organisations. We are indebted to all those individuals and organisations who contributed their time and expertise to this study.

Modelling cybercrime is a complex and difficult exercise. Our assessments are, necessarily, based on assumptions and informed judgements rather than specific examples of cyber crime, or from data of a classified or commercially-sensitive origin. And the implications of cyber crime mean that it is likely to be seriously under-reported. Our results, therefore, should be used as a credible, illustrative guide to the nature of the impacts of cyber crime rather than as accurate and robust estimates of the impacts of cyber crime.

Finally, although Detica has an interest in and capability to defend organisations against many forms of cyber attack, our intent in this study has been solely to examine the cost of cyber crime to the UK economy; it has not been to investigate either the attack methods used by cyber criminals or the origins of such attacks.

BOX 1:
FACT NOT FICTION – RECENT EXAMPLES OF CYBER THREATS

Stuxnet worm (July 2010)
The Stuxnet worm (a complex computer code) was used in the first cyber attack specifically targeting industrial control systems. This attack seemed to be directed at Iran, and its nuclear programme. Stuxnet is unprecedented in its design to allow hackers to manipulate real-world equipment without operators knowing.[1] The worm targeted Siemens’ systems, used in the energy sector to control nuclear and gas infrastructure and also in manufacturing and automotive industries.[2] Experts estimate that it took five to ten people to work on the Stuxnet worm for six months. The complexity and access to systems involved indicated a highly organised and well-funded project.[3] The European Network and Information Security Agency (ENISA) has called it a “paradigm shift” in threat.[4]

‘Operation Aurora’ (December 2009)
Google detected a highly sophisticated and targeted attack on its corporate infrastructure originating from China. The attack was found to have installed malware via email on computers in another 30 companies and Government Agencies.

Large scale fraud (2009/10)
An Essex-based gang, linked to Eastern Europe, was prosecuted for an on-line fraud making £2 million a month by stealing log-in details from 600 UK bank accounts and tricking users into providing additional information. The Police e-Crime Unit, working with the banking sector, detected the fraud which targeted weak security on individuals’ computers using Zeus Trojan malware (i.e. a malicious computer programme disguised as something else such as an email attachment). The fraud was co-ordinated from a single laptop with sophisticated software available on the internet.[5]

Conficker (2008)
A botnet[6] on an unprecedented scale has been operating since November 2008 affecting millions of computers worldwide using the Windows operating system.[7]

Distributed Denial of Service Attacks (DDoS)
Estonia (2007) and Myanmar (2010) suffered high profile DDoS attacks thought to be politically motivated. In both cases, numerous computers overwhelmed the same target simultaneously. Myanmar was cut off from the Internet after more than 10 days of DDoS attacks which culminated in a massive data flood that overwhelmed the country’s infrastructure ahead of the country’s general elections.(10) Estonia’s financial operations were severely compromised and Government communications networks were reduced to radio for a limited period.[8]

Footnotes
1 Symantec briefing, The Stuxnet Worm [on 19 January 2011]
2 Stephen Trilling, Senior Vice President, Symantec, Heading off targeted attacks, Symantec CIO Digest, October 2010
3 Symantec briefing, The Stuxnet Worm [on 19 January 2011]
4 ENISA Press Release, European Agency analysis of ‘Stuxnet’ malware – a paradigm shift in threats and Critical Infrastructure Protection, 21 October 2010
5 Metropolitan Police News Bulletin 1527 Gang sentenced for ‘trojan’ bank theft scam, 16 November 2010 and High tech crime police quiz 19 people over internet bank scam that netted hackers up to £20m from British accounts, Mail Online, 29 September 2010 (as linked to from Metropolitan Police website).
6 A botnet is a group of computers compromised and co-opted by an ‘intruder’. A single compromised computer is known as a ‘bot’.
7 SEC(2010) 1122 final, Council of the European Union, 14436/10 ADD 1, Commission staff working document Impact Assessment: Accompanying document to the Proposal for a Directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA, 4 October 2010
9 DDoS attacks take out Asian nation: Myanmar fades to black, The Register, 3 November 2010
(9) House of Lords European Union Committee (Sub-Committee F Home Affairs), Fifth Report, Protecting Europe against large scale cyber attacks, Session 2009-10, para 12

Parliamentary material is reproduced with the permission of the Controller of HMSO on behalf of Parliament.


CHAPTER 2
WHAT IS CYBER CRIME?

For the purposes of this study only, we are using the term ‘cyber crime’ to mean:

The illegal activities undertaken by criminals for financial gain, which exploit vulnerabilities in the use of the Internet and other electronic systems to illicitly access or attack information and services used by citizens, business and government.

We appreciate that our definition is narrower than that used elsewhere, but we wanted to focus our work on the less understood areas of cyber security that have quantifiable economic consequences. Although we acknowledge the importance of addressing all types of cyber crime in government policy, for the purposes of this study we have excluded:
– cyber bullying;
– distributing indecent material;
– selling counterfeit goods;
– the financial effects of peer-to-peer file-sharing;
– using the profits of cyber crime to fund more conventional crime; and
– other non-financially oriented criminal activity conducted online, such as internet grooming.

We have also made a clear distinction in this study between financially-motivated cyber crime and cyber terrorism or cyber warfare. Of course, all three of these forms of cyber ‘attack’ can use the same or similar attack methods. However, although both cyber terrorism and cyber warfare can lead to significant direct and indirect economic shocks, the principal difference between them is in the attacker’s intent (see below).

Differences between cyber crime and cyber terrorism/cyber warfare

| Cyber crime | Cyber terrorism and cyber warfare |
| --- | --- |
| Often re-occurring and common events | Usually highly isolated and unique incidents |
| Often a mix between individual and organised criminals with potentially some state involvement | Often solely instigated by state-sponsorship |
| Usually the scale of attack is not planned to be critically damaging to the UK economic infrastructure | The potential scale of attack is often designed to cause maximum damage to the UK infrastructure |
| Primary motive is financial | Primary intent is to threaten the UK socio/political infrastructure |

WHAT TYPES OF CYBER CRIME HAVE WE CONSIDERED?
There are several distinct ‘flavours’ of cyber crime, which can impact citizens, businesses, and the UK Government in different ways. All of the following types have cumulative or knock-on effects on the UK’s economy as a whole:

– Identity theft – cyber criminals obtain personal data from individuals (such as address, date of birth or bank account details) and exploit this online by opening bogus accounts (for example, bank accounts and mortgage applications). In many cases, the victims of identity theft are not even aware of a problem until the impacts become severe.

– Online scams – cyber criminals obtain financial or other valuable information by fraudulent means, usually by tricking individuals through scams such as purchase frauds (such as making people pay for goods they do not intend to despatch), ‘phishing’ (for example, sending bogus money-transfer requests from foreign countries to thousands of e-mail accounts), ‘spear phishing’ (highly personalised bogus e-mails targeted at a single individual), ‘spoofing’ (fooling people into entering details into a counterfeit website) and ‘pharming’ (redirecting website traffic from a legitimate website to a fraudulent website).

Footnotes
10 Get Safe Online, ‘Organised gangs deceive web users into downloading malicious anti-virus software’, 15th November 2010
11 ‘Man arrested for £1m online tax fraud’, The Register, 4 September 2009.
12 ‘Google probing possible inside help on attack’, Reuters January 18 2010.
13 ‘Online Casinos Will Experience Cyber-Extortion During SuperBowl Betting’, Internet Business Law Services Kelly O'Connell, IBLS Editor, Monday, January 28, 2008.
14 For example, US retailer TJX revealed that their customers’ personal and financial data had been stolen and could be used to conduct fraudulent transactions.
15 For example, see ‘Chinese Whispers’, Marion Wilkinson, Australian Broadcasting Corporation, April 2010.
16 For example, see ‘Putting a price on Cyberspying’, Forbes, January 2009.
17 For example, see ‘Money laundering in cyberspace’ BBC, February 2001.
– Scareware – cyber criminals mislead individuals into downloading software onto their computers[10] (for example, fake anti-virus software) by using fear tactics or other unethical marketing practices. The software downloaded is often ineffective or may appear to deal with certain types of virus before infecting the computer with its own viruses. Individuals may then have to pay the cyber criminals to remove the viruses and their impacts.

– Fiscal fraud – cyber criminals can withhold taxes due or make fraudulent claims for benefits by attacking official online channels (such as online self assessment forms)[11]. The loss of tax revenue directly affects public-sector spending and the Government’s ability to invest in UK infrastructure.

– Theft from business – cyber criminals steal revenue online directly from businesses, which usually involves fraudulently obtaining access and looting company accounts and monetary reserves. In some instances, this cyber criminal activity is greatly assisted by an ‘insider’[12].

– Extortion – cyber criminals hold a company to ransom often through deliberate denial of service[13] (for example, by using malware to flood a company server with erroneous internet traffic) or by manipulating company website links, which can lead to extensive brand damage (for example, by redirecting links for a retailer website to an online pornography website).

– Customer data loss – cyber criminals steal sensitive customer data from a company[14] (such as customer financial, medical or criminal record details) with the purpose of selling the data on to other criminal networks or using it themselves for blackmail attempts. For our study, we have not included accidental data loss but only losses from deliberate and technological means.

– Industrial espionage – this takes many forms, such as a rival organisation (or associated third party) illegally accessing confidential information to gain competitive or strategic advantage[15] (for example, by finding out a rival’s bid price) or to gain insider knowledge for financial gain (for example, by becoming aware at an early stage of a possible M&A deal). Cyber criminals could use the ‘insider’ information they glean to acquire or sell shares, or, in rare cases, by betting on currency fluctuations.

– IP theft – cyber criminals, often sponsored by rival organisations or nation states, steal ideas, designs, product specifications, trade secrets, process information or methodologies[16], which can greatly erode competitive advantage or even the operational or technological advantage prized by nation states over potential adversaries.

– Money laundering – cyber criminals use online means to launder the proceeds of criminal acts[17] (for example, through complex, internet-enabled transfers between global or offshore bank accounts). This type of activity is usually associated with organised criminal networks that have a wide or international reach.

We have developed a ‘causal model’ – shown below – to illustrate the interactions between different types of cyber crime, their effect on different stakeholder groups, and the economic impacts they cause.

[Figure: Causal model showing the different types of cyber crime we have considered in our study. The diagram links the cyber crime types (IP theft, industrial espionage, customer data loss, online theft, extortion, online fraud, identity theft, scareware, fiscal fraud) through their effects on Business, Citizen and Government to UK economic impacts.]


All of these crimes differ significantly in risk, cost and complexity. And criminals are likely to trade off the risks against the value they perceive the crime can generate. However, compared with other criminal activities, such as drug trafficking or conventional theft, cyber crime in general offers a much more attractive financial proposition, because the rewards are higher, the chances of detection or attribution are lower, there are far fewer barriers to entry and there are no (or few) physical assets or third parties to manage[18] (see below). For these reasons, it is likely that we will see criminal interest in cyber activity continue to flourish[19].

[Figure: The cyber criminal triangle, with corners Opportunity, Means and Motive, drawn for cyber crime and for conventional crime.]

WHO ARE THE CYBER CRIMINALS?
At the highest level, foreign intelligence services may have a substantial impact on the UK economy by sponsoring or engaging directly in widespread industrial espionage. This type of cyber criminal tends to be highly organised, with sophisticated techniques and extensive resources[20]. Particular focus may be given to the theft of IP because this would enable the swift accumulation of knowledge, advancing foreign industries and economies at a fraction of the cost normally needed to develop it. Other priorities for this group could include stealing company-sensitive information to ensure high-value, internationally-competed contracts are won by their preferred bidder.

At the next level, large organised crime networks are focusing more of their attention on cyber crime because it offers attractive rewards for minimal investment and low risk[21]. It seems likely that less-sophisticated gangs will focus on online theft from businesses and large-scale online scams. For the more sophisticated networks, with global contacts, industrial espionage can be lucrative, for example, if they combine stolen ‘insider’ information, such as M&A details, with targeted stock market deals[22].

As global competition increases, there is likely to be an increasing risk that disreputable but legitimate organisations may engage in cyber crimes such as IP theft or industrial espionage to obtain a rival company’s sensitive information. Although it is unlikely that the vast majority of organisations will engage in this type of criminal activity due to the risk it holds for their reputation, some large or under-pressure organisations may believe that the ends justify the means, especially if they are assisted by foreign intelligence services. Alternatively, in an attempt to distance themselves from the crime, disreputable organisations may hire a third party to undertake the cyber crime on their behalf – at a premium price, of course.

At the lower levels, individuals or small groups of opportunistic cyber criminals will tend to target UK citizens and vulnerable organisations[23]. This group is likely to focus on obtaining revenue through identity fraud, customer-data theft, small-scale online scams, scareware, fiscal fraud and extortion. The level of sophistication shown by cyber criminals in this group depends on their skill and resources, but it is likely that their numbers and influence will grow as cyber crime becomes more lucrative[24].

In all cases, however, the UK’s continued emphasis on IP development – to sustain our ‘knowledge-based’ economy[25] – means that being able to prevent thefts of IP by cyber criminals is vital.

Footnotes
18 ‘Cyber Crime has Surpassed Illegal Drug Trafficking as a Criminal Moneymaker’, Symantec 2009
19 ‘Cybercrime's financial and geographic growth shows no slowdown during the global economic crisis’, Marc Fossi, Tech Republic May 2010.
20 For example, see ‘Canada's Cyber Security Strategy’, Vic Toews, Canadian Minister for Public Safety, 2009.
21 For example, see ‘The Cybercrime Arms Race’, Eugene Kaspersky, Securelist, 2008.
22 For example, see ‘How cyber-crime became a multi-billion-pound industry’, The Spectator, June 2007
23 For example, see ‘Hackers Invade iTunes: Cybercriminals are opportunistic’, Peter Chubb, August 2010.
24 For example, see ‘Cyber crime is a lucrative trade and it's growing’, SC Magazine September 3, 2010.
25 ‘The knowledge-based economy: what can the UK do to avoid losing out to the Far East?’ BCS Thought Leadership Debate, 16 January 2006
WHAT DO CYBER CRIMINALS TARGET?
Unlike conventional crimes of theft, in which the owner actually loses their physical property, the theft of information by cyber criminals may not result in the loss of anything physical at all. Moreover, the ‘theft’ can often leave the original data exactly where it was to begin with.

With the exception of the well-understood and documented copyright theft issue, information stolen by cyber criminals often falls into the following categories:

– Bulk business data – this often needs to be online to enable efficient transactions to take place, and is usually customer-sensitive (for example, customer addresses or financial details). Any associated data breaches can carry large regulatory penalties as well as substantial reputational damage. Most organisations employ conventional information assurance methods (such as firewalls) to protect this data, and we believe it is targeted mainly by opportunist individual cyber criminals, or small cyber criminal networks. Some types of digital data, once they are stolen, tend to have great longevity – for instance, data containing names, dates of birth, and National Insurance numbers have lifetime durations and cannot be 'reset'. This data will potentially be just as valuable to cyber criminals in the long term as it is now. This is quite distinct from transient data (such as login passwords), which can readily be reset, and are frequently changed on a regular cycle.

– High-value IP – different business sectors have different approaches to developing, investing in and exploiting their IP. IP does not necessarily need to be stored online, and usually contains information that has long-term high value to an organisation. While much exists in a tangible form, many other types of IP are intangible – in the form of tacit knowledge and the skills of employees, for example. The types of IP most likely to be stolen by cyber criminals are ideas, designs, methodologies and trade secrets, which exist mostly in tangible form and add considerable value to a competitor. Examples include R&D outputs; product prototypes; documents describing unique business process methodologies or corporate strategies and business decision-making; staff details, including personal information, skill sets and remuneration levels; and descriptions of company capabilities and weaknesses. Any associated data breaches can result in significant damage or compromise to long-term strategy or corporate finances26. Protection for this type of information is often provided by storage on a standalone IT system, complemented by additional physical and personnel security. High-value IP is targeted mainly by foreign intelligence services27, but can also be of interest to high-level organised criminal networks, who can sell the information on to interested third parties28.

– Tactical corporate information – frequently this is communicated using online technology but is not necessarily stored online, is low in volume and contains short-term sensitive information (for example, contract bid prices, or share-price sensitive material). Protection for this information typically involves procedural and messaging security implemented at an organisation’s senior-management level. It has a high financial impact if it is breached (especially by cyber criminals who operate in the stock market) and is eminently exploitable by cyber criminals if they know how to manipulate or sell this information at the right moment. We believe that this information is targeted mainly by well organised and sophisticated cyber criminal networks, but can also be used by foreign intelligence services to weaken the UK economy29.

When it comes to stealing IP from organisations, there are four ways cyber criminals can obtain what they want. They can:

– buy it (in the case of a product), and then reverse-engineer or copy it;
– carry out a cyber attack, to obtain the information electronically while remaining outside the organisation’s network;
– carry out an ‘insider’ attack, so that the data is stolen by someone authorised to access it from within an organisation;
– steal it, by physically breaking-in to office premises or by stealing from employees.

For the purposes of this study, we have defined insider attacks as security breaches associated with employees while cyber attacks are security breaches associated with company technology. Therefore, although we acknowledge that insider attacks can be performed using cyber means, to simplify our model, we have focused our study on external cyber attacks, which tend to go unnoticed and unreported30.

Footnotes
26 For example, see ‘The Consumer's Report Card on Data Breach Notification’, Ponemon Institute, 2008.
27 GCHQ Press Release, Director GCHQ, Iain Lobban, makes Cyber speech at the IISS, 12 October 2010
28 For example, see ‘Businesses under Cybercrime attack: how to protect your corporate network and data against its impact’, Yuval Ben-Itzhak CXO
29 For example, see http://www.us-cert.gov/control_systems/csthreats.html
30 ‘E-crime detectives as vital as bobbies on beat’, Sir Paul Stephenson, Metropolitan Police Commissioner, Daily Telegraph, October 2010.



HOW EASY IS IT TO EXPLOIT STOLEN IP?
Once they have acquired the IP, cyber criminals will assess its value and how they might be able to exploit it (see below).

The degree to which the IP can be exploited is likely to depend on the original motives for the theft and a number of other situational factors, such as:

– the importance of time-to-market for the product, organisation, or industry;
– the level of innovation involved and the subsequent value this adds;
– the level of competition and value within an organisation’s industry sector;
– the ability to ‘sell’ stolen IP to third parties via the underground economy;
– the level of interest that the IP has for cyber criminal stakeholders, such as foreign intelligence services.

Once the IP has been acquired by interested cyber criminals or other third parties, it can be exploited in a number of ways, including:

– producing a direct replica, which is likely if the IP is not legally protected;
– producing a similar product using the same concept more quickly, which is highly dependent on the complexity of the IP;
– incorporating elements of the IP into an alternative design, which is highly dependent on how closely the original IP fits the alternative design;
– becoming inspired to generate new IP, which is highly situational, and doesn’t guarantee the new IP being successful;
– selling the IP to a third party, which is likely if the IP can be commercially exploited by an opportunistic stakeholder;
– blackmailing the IP-owner by threatening its disclosure, which is highly dependent on the value of the IP to the organisation.

Ultimately, the overall economic impact of the theft will depend on the market size for the stolen IP and other market forces, which will drive the IP price. Given this wide range of possible mechanisms, the degree to which stolen IP can be exploited depends on the nature and inherent complexity of the industry sector.

[Figure: IP theft analysis. Stages: Acquire IP, Assimilate, Exploit. Questions considered: What have we got? What is its value? How could it be exploited? What risks would we be running? How will we exploit it? Do we need more information? (Retask collection asset.)]

WHAT OTHER MEASURES CAN BE USED TO PROTECT IP?
As well as measures to improve cyber security, organisations can also protect their information, to some extent, by legal means such as patents, trademarks and non-disclosure agreements. While these measures provide some assurance for UK organisations that their information will not be unfairly and unlawfully exploited, some of the legal protections may be limited in their effectiveness. For example, certain types of IP, such as computer software or unique business processes, cannot always be patented in the UK yet they remain highly valued and coveted by organisations worldwide31. Even when the IP can be patented or registered, the investment required to maintain the protections may be prohibitive32 and the protections themselves may force unwanted disclosure. For example, patent applications, which are available in the public-domain, can reveal not only elements of the IP that the company would have preferred to keep secret but also their market intentions33. Furthermore, the patent application process can be lengthy, particularly where there may be existing applications or patents for similar products34.

Once a patent has been approved, subsequent enforcement activities may be ineffectual, especially in international markets. In some cases, and usually with considerable investment in marketing, organisations may benefit from their IP becoming an industry standard (such as VHS, DVD-Video or Blu-ray), but this is by no means guaranteed.

The challenges associated with some of these legal protections have led to many companies resorting to secrecy, with non-disclosure agreements or similar provisions in their contracts of employment. The danger with this approach is that cyber attacks become particularly threatening, especially when the IP is accessible from online computer systems.

WHAT IS THE IMPACT OF CYBER CRIME?
We have adapted the methodology used by the Home Office in their 2001 report on the economic impact of crime in the UK35 to define the following types of cost associated with cyber crime:

– costs in anticipation of cyber crime, which include individual and organisational security measures (such as installing physical and virtual protection such as antiviral software), insurance costs and costs associated with gaining compliance to required IT standards (for example the Payment Card Industry Data Security Standard, PCI DSS);
– costs as a consequence of cyber crime, which take into account direct losses to individuals and companies (including business continuity and disaster recovery response costs), and indirect losses arising from reduced commercial exploitation of IP and opportunity costs through weakened competitiveness;
– costs in response to cyber crime, such as compensation payments to victims of identity theft, regulatory fines from industry bodies and indirect costs associated with legal or forensic issues;
– indirect costs associated with cyber crime, which include such factors as reputational damage to organisations, loss of confidence in cyber transactions by individuals and businesses, reduced public sector revenues and the expansion of the underground economy.

We have used these definitions to examine more closely the impact of cyber crime on the principal stakeholder groups – citizens, businesses and the Government – as well as exploring the macro-economic impacts.

IMPACT ON CITIZENS
Citizens can help themselves reduce the impact of cyber crime by ensuring that they take a number of sensible precautions to stay safe online, such as installing a firewall, regularly patching or updating software applications and using legitimate anti-virus software. They can also take out specialist insurance to protect against the impact of identity theft. These costs, in anticipation of cyber crime, have not been included in our study.

No defences are foolproof, though, and even well-prepared citizens are likely to suffer a range of costs as a consequence of and in responding to cyber crime: victims of identity theft can be left to pick up the tab for loans taken out under their name by cyber criminals; victims of online scams can find their credit card details are used by cyber criminals to purchase goods or services; victims of phishing scams can be tricked into revealing passwords, PIN numbers and other sensitive financial information that cyber criminals can subsequently sell or exploit. Alternatively, citizens may be compelled into purchasing defective software as a result of receiving or inadvertently downloading scareware.

The wide-ranging and large-scale nature of many of these individual cyber crimes means that their aggregate effect can be detrimental to the UK economy.

Furthermore, indirect macroeconomic effects could occur as a result of cyber crimes committed on UK citizens, for example, from a loss of confidence in services such as online banking (although anecdotal evidence seems to suggest this isn’t the case36), or because they subsequently spend less, which has a knock-on effect on the retail industry.

Footnotes
31 UK Intellectual Property Office
32 For example, see http://www.ip-holdings.com/patent-enforcement
33 For example, see ‘Using Patents in Competitive Intelligence’, Gregory J. Kirsch and Charley F. Brown, SCIP
34 For example, see ‘The Patent Application Process in the UK’, By Waheedan Jariwalla
35 Home Office methodology described in ‘The economic and social costs of crime’, Home Office Research Study 217, 2001
36 ‘Closing In on Bank Customer Churn’, CRM Magazine, May 2007



IMPACT ON BUSINESSES
In anticipation of coming under attack by cyber criminals, many UK businesses are investing in stronger physical security, such as ‘air-gapped’ networks, advanced intruder detection hardware, or training initiatives to increase their employees’ awareness of cyber crime. These initiatives are particularly important for IP-rich business sectors, such as the pharmaceutical and biotechnology sectors, which invest heavily in R&D and rely on it to create market advantage in a fiercely competitive global industry. As before, though, these costs have not been assessed as part of our study because they are ‘business-as-usual’ costs that would have been incurred anyway.

Businesses are likely to incur significant direct costs as a consequence of cyber crime, however. The most obvious of these is from online theft. Extortion may lead to less direct costs, such as the loss of business incurred as a result of denial of service attacks or by manipulation of corporate websites. The theft of sensitive information or IP can significantly erode competitive advantage in the marketplace if it is subsequently exploited by another party. These costs could potentially impact any of the six functions in the business value chain37:

– R&D, because companies are less likely to invest;
– design of products, services, or processes, because companies are less willing to turn new ideas into products;
– production, because companies want to reduce costs;
– marketing and sales, because companies want to cut expenditure to reduce their attractiveness to the underground economy;
– distribution, because companies are affected by reduced demand for exports;
– customer service, because companies have less money to spend on their customers.

Costs associated with cyber crime for organisations include implementing their business continuity and disaster recovery plans, which can divert personnel and resources away from business-as-usual activities, good will and compensation payments to customers affected by online scams and identity theft, regulatory penalties for customer data breaches, and ‘clean-up’ consultancy costs associated with legal and forensic issues.

Indirect costs could arise from share-price manipulation, enabled by sophisticated industrial espionage, as well as the attrition of UK industry influence overseas as a result of IP theft.

Although there is no legal obligation under the Data Protection Act (1998) on data controllers to report breaches of security that result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches – whether by accidental loss or from cyber criminal activity – should be brought to the attention of his Office38. However, companies can only declare the losses if they are aware of them in the first place – and cyber criminals are increasingly adept at covering their tracks. Moreover, in light of the substantial financial penalties that could be levied and the potential damage to their reputations, some organisations may also attempt to conceal the loss from their customers and the regulator. We have assumed, therefore, that losses of customer data by UK organisations are running significantly higher than the current statistics would suggest.

IP theft and customer-data loss can also increase the cost to businesses even if the data is not actually exploited by cyber criminals. However, costs incurred as a result of reputational damage, for example, are particularly hard to measure and will affect different organisations in different ways. Some cyber crimes may not significantly affect a company’s reputation at all, for instance, particularly if customers have a limited choice of alternative suppliers.

The knock-on effects of IP theft or industrial espionage on UK companies include:

– reduced turnover through direct loss of business;
– reduced profitability by losing first-to-market advantage and increasing price-competition;
– reputational damage caused by disclosure of the theft and arrival on the market of counterfeit goods;
– reduction in share price, which may be particularly acute if the company also happens to be an acquisition target;
– loss of competitive advantage, which may be more apparent in overseas markets;
– additional costs incurred through attempts to protect future IP;
– opportunity costs, as the company becomes less willing to invest;
– redundancies as R&D facilities and product lines decrease in capacity or are closed;
– company failures, particularly if the theft has occurred from Small-to-Medium Enterprise (SME) reliant upon IP-enabled trade sales;
– reduction in investment from overseas.

As before, while the costs to individual businesses are by no means insignificant, the aggregate cost of cyber crime on UK businesses overall is likely to be of considerable economic impact.

IMPACT ON GOVERNMENT
The Government and public-sector bodies spend significant sums of money on security to reduce the impact of crime in the UK. These costs, which include the annual expenditure of the Police Central E-crime Unit39, for example, already factor in an increasing focus on cyber crime. They are not included in our study, though, because these resources also provide benefits in combating many other types of crime and insecurity. However, direct costs in responding specifically to cyber crime include lost corporation and personal taxation revenue as a result of fiscal fraud, as well as the cost of fines levied for personal data breaches.

Finally, there are significant indirect costs for the UK Government, particularly because increasing levels of cyber crime could limit the scale of efficiency savings made by moving more government services online. Furthermore, with cyber crime affecting tax revenues and diminishing the confidence of overseas investors, the UK’s continued economic growth may suffer.

Footnotes
37 Value Reference Model (VRM) developed by the trade consortia Value Chain Group.
38 ‘Notification of Data Security Breaches to the Information Commissioner’s Office’, ICO
39 The current PCeU budget is £2.3M per year, revealed in a Computing.co.uk interview with the Head of the PCeU on 11 November 2010.
40 Symantec Report on the Underground Economy July 07–June 08.
41 ‘Cybercrime Growth Accelerating’ by Keith Ferrell, Information Week, August 2010

MACROECONOMIC EFFECTS
Our model shows that different stakeholder
groups are affected by different economic
impacts. The impacts of cyber crime are also
interdependent. For example, if citizens have
less money in their pockets, they may spend
less, therefore exacerbating revenue losses
from business. For the UK Government,
widespread cyber crime may lead to stronger
international competition from overseas
businesses, significantly reduced revenues from
taxes and VAT receipts, and limited scope for
spending to improve the UK’s infrastructure.
Perhaps one of the biggest significant long term
threats is the rise of the so-called ‘underground
economy’40 (for example, see below), which
provides a viable economic growth model in
itself, and can lead to talented individuals being
drawn away from the legal economy if they are
unemployed or if it is viewed as a more attractive
alternative. As technology enables individual
criminality to morph into something less
opportunistic, more organised and ultimately
more successful, criminal gangs from further
afield, financed by global networks or by hostile
foreign states, may be attracted to the UK.
As the criminality increases in sophistication
and profitability, it is likely to have an ever higher
cumulative impact41, which may cause the
legitimate mainstream UK economy to decline in
revenue and influence.

[Figure: Causal model showing the cyber criminal ‘underground economy’. Main elements: individual criminals; organised crime networks; cyber crimes (industrial espionage, customer data theft, online theft, identity theft, extortion, service denial); business costs; economic impacts; underground economy.]



CHAPTER 3
STUDY METHODOLOGY

To address the complexity of cyber crime, our study developed a causal model, relating different cyber crime types to their impact on the UK economy. The model provided a simple framework to assess each type of cyber crime for its various impacts on citizens, businesses and the Government. We used the causal model to map cyber crime types to a number of broad categories of economic impact, which are generally consistent with the types of parameters used in macro-economic models of the UK. We then calculated the magnitude of the costs of cyber crime, focusing in particular on IP theft and industrial espionage and its effect on the different industry sectors.

CONSTRAINTS AND ASSUMPTIONS
Our study has focused on the costs as a consequence of cyber crime, and has included some additional costs in response to cyber crime where these can be realistically estimated. However, because the situation is inherently complex, we have had to apply a number of constraints to our estimating methodology. These are:

– The impact has been measured as a ‘snapshot’, using the economic situation of 2010 as a baseline. We have not attempted to predict economic impacts for 2011 or beyond because market conditions still remain fluid and a very large number of variables can affect our estimates.
– Because economic data for UK industry sectors and citizens varies considerably depending on its source and context, we have based our estimates wherever possible on economic data provided by official government bodies, such as the Department for Business, Innovation and Skills and the ‘Blue Book 2010’42. Although we have used the most up-to-date information, unfortunately it has not always been possible to obtain 2010 data; therefore our estimates have been based on the most contemporary data available and applied as if they were 2010 data.
– Although certain indirect economic impacts can be attributed to cyber criminal activity, we have not included those which exhibit a high degree of situational complexity. For example, we have excluded the short-term fluctuations in a company’s share price caused by theft of customer data. Our attempts to measure this sort of impact would be made challenging because such fluctuations would depend on the prevailing market conditions at the time of the theft and a number of other factors specific to the individual company affected.
– We have excluded costs in anticipation of cyber crime, such as insurance costs and the costs of purchasing anti-virus software, because these are likely to be factored into normal day-to-day expenditure for the Government, businesses and individuals.

In general, our approach to estimating economic impacts is conservative where there is a high degree of uncertainty – as there is in many cases – caused by a lack of data, particular sensitivities or where we know cyber crime is going under-reported43. For most of these areas, we have used three-point estimates – worst case, best case and most likely case – to allow for sensitivity and scenario analysis44. Accordingly, we cannot provide definitive estimates of economic impacts for cyber crime in every case and for every industry. Rather, one of our primary aims was to provide a framework for future estimates, which can be updated as more accurate information is obtained through further study and analysis.

SOURCES OF DATA ON IP THEFT
Our study has identified two methods for calculating the costs to the UK economy of IP theft through cyber crime.

The first method used the total R&D expenditure for each UK industry sector as a starting point45. The expected return on investment as a percentage for this R&D spend was estimated, which created an overall market value for the IP. This value recognises that IP theft does not just lead to short-term losses from R&D spend, but also to future losses from the value that industry sectors would wish to recoup from their initial expenditure.

The second method started with the total cash flow for each UK industry sector, and then estimated the fraction that was attributable to IP within the industry. This calculated the subsequent economic value.

Footnotes
42 UK National Accounts Blue Book 2010, Office for Government Statistics
43 ‘Law of Electronic Commerce’ by Jane Winn and Benjamin Wright.
44 ‘Three point estimates and quantitative risk analysis’, MOD 2007
45 Department for Business, Innovation and Skills, 2010. R&D Scoreboard and Office of National Statistics, 2008. Expenditure on R&D performed in UK businesses.
46 For example, see ‘The Business of Cybercrime - A Complex Business Model’, A Trend Micro White Paper, January 2010
47 UK National Accounts Blue Book 2010, Office for Government Statistics

Once the economic value of the IP had been derived from both methods, estimates were made of the probability of cyber theft for each industry sector using three point estimates, with the subsequent IP exploitability and revenue impact also calculated as a percentage. This enabled us to assess the economic impact of IP theft on both the basis of R&D spend and the overall economic value of IP.

OUR METHODOLOGY FOR ASSESSING THE IMPACT OF IP THEFT
In developing our methodology for measuring the impact of IP theft, we have made assumptions about:

– the total amount of R&D spend in each UK business sector (using up-to-date and credible data where it is available);
– the average estimated return on investment that each UK business sector would expect from its R&D spend (to estimate the true value of the IP and not just the current market worth);
– the average estimated level of IP ‘exploitability’ for cyber criminals (recognising that not all IP can be easily exploited);
– the level of economic impact that IP exploitation would have on the UK economy (recognising that, even though it may be exploited, stolen IP does not necessarily lose all of its residual value).

In the absence of robust estimates for actual levels of IP theft, our methodology assumes that the ‘business model’ cyber criminals adhere to for IP theft follows the same principles of any other type of business46: the desire to maximise financial gain and minimise business risk.

For IP theft by cyber criminals, our methodology attempts to determine the means, motive and opportunities presented to potential attackers. It recognises that the nature of IP generated in different business sectors is different and has different levels of exploitability and economic impact if it is stolen.

Therefore, the method used by our study to calculate the costs to the UK economy of IP theft through cyber crime started with the value added to the UK economy by each industry sector as given in the Blue Book47. We then estimated the fraction that was attributable to IP within the industry. This calculated the subsequent economic value.

Once the economic value of the IP had been derived, estimates were made of the probability of cyber theft for each industry sector using three point estimates, with the subsequent IP exploitability and revenue impact also estimated as a percentage.

The results give an estimate of the value lost to the economy due to IP theft across the different industry sectors.

[Figure: IP theft methodology. Steps: Segment the UK into business sectors; Determine the economic value of IP created in the UK per year by each business sector; Estimate the proportion of IP that is stolen by cybercrime; Estimate the exploitability of the IP assuming that it has been stolen; Estimate the impact on the revenue of the IP owner assuming it has been exploited; Economic impact. Side inputs: Develop potential scenarios, best case, worst case and most probable; Correlation.]

The methodology is illustrated above:

Given the number of variables and lack of ‘official’ data, our methodology uses a scenario-based approach, which establishes three-point estimates to determine the range of uncertainty. Using this approach, we have identified:

– The best-case scenario: IP thefts by cyber attack are not widely reported because, although they may be technically possible, they are not widespread. Therefore a very small amount of IP is actually stolen.
– The worst-case scenario: The sophistication of and resources available to cyber criminals, coupled with the vulnerability many businesses have to cyber attack, means that most IP worth stealing is actually stolen. The logic of this position is that if cyber criminals have the means, motive and opportunity they will use it for financial gain. In this scenario, the economic impact is limited by the ability of the cyber criminal to exploit the IP effectively rather than to acquire it.
– The most likely scenario: Theft of IP by cyber criminals can occur but it needs to guarantee a big return. The level of IP theft within a business sector is therefore determined by the level of motivation of the criminal to attack specific targets, which means that some business sectors are significantly more attractive than others.
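
The estimation chain described in this section can be written out as a short Python model; this is an added example, not the report's own model or data. The sector names and every figure are constructed, and two points are assumptions made here: that the steps combine by multiplication, and that the R&D-based IP value is the spend plus its expected return.

```python
"""Scenario-based IP theft loss estimate (illustrative; all figures constructed)."""
from dataclasses import dataclass

SCENARIOS = ("best", "likely", "worst")


@dataclass(frozen=True)
class ThreePoint:
    """Three-point estimate of the fraction of a sector's IP stolen by cyber attack."""
    best: float    # very little IP is actually stolen
    likely: float  # theft driven by attacker motivation
    worst: float   # most IP worth stealing is stolen

    def __post_init__(self):
        values = (self.best, self.likely, self.worst)
        if not all(0.0 <= v <= 1.0 for v in values):
            raise ValueError(f"fractions must lie in [0, 1]: {values}")
        if not self.best <= self.likely <= self.worst:
            raise ValueError(f"expected best <= likely <= worst: {values}")


@dataclass(frozen=True)
class Sector:
    name: str
    rd_spend: float        # annual R&D expenditure (GBP millions)
    rd_return: float       # expected return on that spend, 0.5 means 50%
    value_added: float     # sector value added (GBP millions)
    ip_fraction: float     # share of value added attributable to IP
    p_theft: ThreePoint
    exploitability: float  # fraction of stolen IP that can be exploited
    revenue_impact: float  # fraction of exploited IP value lost by the owner

    def __post_init__(self):
        for field in ("ip_fraction", "exploitability", "revenue_impact"):
            value = getattr(self, field)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {field} must lie in [0, 1], got {value}")


def ip_value_from_rd(sector):
    """Method 1: R&D spend plus the return the sector expects to recoup (assumed form)."""
    return sector.rd_spend * (1.0 + sector.rd_return)


def ip_value_from_value_added(sector):
    """Method 2: the fraction of the sector's value added that is attributable to IP."""
    return sector.value_added * sector.ip_fraction


def sector_losses(sector, valuation):
    """Loss per scenario: IP value x P(theft) x exploitability x revenue impact."""
    ip_value = valuation(sector)
    return {
        sc: ip_value * getattr(sector.p_theft, sc)
            * sector.exploitability * sector.revenue_impact
        for sc in SCENARIOS
    }


def estimate(sectors, valuation):
    """Return (per-sector losses, economy-wide totals) for one valuation method."""
    per_sector = {s.name: sector_losses(s, valuation) for s in sectors}
    totals = {sc: sum(row[sc] for row in per_sector.values()) for sc in SCENARIOS}
    return per_sector, totals


def exploitation_ceiling(sector, valuation):
    """Loss if all IP were stolen: in the worst case exploitation, not theft, is the cap."""
    return valuation(sector) * sector.exploitability * sector.revenue_impact


# Constructed sample sectors; none of these numbers come from the report.
SECTORS = [
    Sector("Sector A (R&D-heavy)", 1000.0, 0.5, 20000.0, 0.10,
           ThreePoint(0.01, 0.10, 0.50), exploitability=0.4, revenue_impact=0.5),
    Sector("Sector B (service-led)", 200.0, 0.25, 50000.0, 0.02,
           ThreePoint(0.0, 0.05, 0.20), exploitability=0.1, revenue_impact=0.8),
]

if __name__ == "__main__":
    for label, method in (("R&D spend", ip_value_from_rd),
                          ("value added", ip_value_from_value_added)):
        per_sector, totals = estimate(SECTORS, method)
        print(f"Valuation by {label} (GBP millions)")
        for name, row in per_sector.items():
            print(f"  {name:24s} " + "  ".join(f"{sc}={row[sc]:8.2f}" for sc in SCENARIOS))
        print(f"  {'TOTAL':24s} " + "  ".join(f"{sc}={totals[sc]:8.2f}" for sc in SCENARIOS))
```

Comparing the two valuation methods side by side shows how much of the spread in the final figure comes from the choice of IP valuation rather than from the theft probability.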



This report assumes that there are two possible models of IP theft used by cyber criminals. The first model would see cyber criminals targeting selected companies to acquire specific information that they know can be exploited effectively. In this model, the IP is targeted explicitly, possibly ‘to-order’ if the attacker is working on behalf of an otherwise legitimate business. The second model would see cyber criminals attempting to obtain IP in bulk from as many companies as possible and then assessing it to determine whether to exploit it, if at all. We believe it is likely that both models are occurring in parallel.

However, the proportion of IP actually stolen cannot at present be measured with any degree of confidence. Our methodology makes the assumption that the level of IP theft is proportional to the level of motivation that cyber criminals have in acquiring it. We have further assumed that their level of motivation is affected by the following factors:

– Their ability to obtain the IP using alternative means, for example by reverse-engineering a legitimately-acquired sample, which would reduce or indeed remove their motivation for a cyber-attack.
– The importance they place on time-to-market in the sector, which increases the motivation for a cyber attack if time is more of the essence.
– The level of innovation typically present in the IP within the sector. A high level of innovation would make the IP intrinsically more valuable to cybercriminals, hence a higher degree of motivation.
– The size of the market that exploitation of the IP will allow them to address.
– The level of security awareness within the sector and the deployment of security countermeasures by targeted companies. Although this may be a factor in reducing the success rate of IP thefts, we do not think that increased levels of security will necessarily reduce the level of motivation for an attack where the returns are sizeable. Instead, it may motivate the cyber criminal to use even more sophisticated means.

OUR METHODOLOGY FOR ASSESSING THE IMPACT OF INDUSTRIAL ESPIONAGE
It is very hard to determine what proportion of industrial espionage is due to cyber crime. For example, is company-sensitive information stolen through hacking into a company’s systems or by the physical theft of printed documents? Is unauthorised access to company sensitive information granted by leaked documents e-mailed from an insider or by a deliberate cyber attack originating from outside the company? In many cases, we believe that companies may be completely unaware that they are the victims of industrial espionage. Like IP theft, this is likely to lead to crimes being under-reported and underestimated.

In developing the methodology for estimating the impact of industrial espionage, we have made assumptions about:

– the value added to the UK economy by each UK business sector using up-to-date and credible data where available48;
– the average proportion of open tender contracts placed in each UK business sector, the likelihood of UK organisations winning at least one of these contracts, and the level of exploitability for rival organisations should they gain access to sensitive contract documents;
– the total value of M&A activity for each UK business sector using up-to-date and credible data where available49;
– the expected rate of return on investment in shares for targets of M&A activity, short selling and currency-price fluctuations, and the level of exploitability of commercially-sensitive information (to assess impacts from illegal investment in shares for target organisations, the impact from illegal investment in short selling and the impact of market fluctuations respectively).

In line with IP theft by cyber criminals, our methodology has attempted to determine the means, motive and opportunities presented to potential attackers. It recognises that the nature of industrial espionage in different business sectors is different and has different levels of exploitability and economic impact if it is stolen. It is our belief that it is more likely that cyber criminals will target organisations for espionage based on size and perceived revenue rather than the business sector that they operate in (as illustrated opposite).

Footnotes
48 UK National Accounts Blue Book 2010, Office for Government Statistics
49 PKF, 2010. Deal Drivers UK

[Figure: Industrial espionage considerations. Axes: Business; Size of company. Labels shown: IP theft, High value IP, Counterfeit, Customer data theft, Extortion, Industrial espionage; Defence and aerospace, Hi tech R&D companies, Pharm, Component manufacturers, Multinational manufacturers, Design led companies, Financial services, Utility companies, Retail.]



CHAPTER 4
RESULTS AND ANALYSIS

The results of our study provide one of the first detailed assessments of the cost of cyber crime to the UK economy, which, in our most-likely scenario, we estimate to be £27bn per annum. A significant proportion of this cost comes from the theft of IP from UK businesses, which we estimate at £9.2bn per annum. Our results challenge the conventional wisdom that cyber crime is solely a matter of concern for the Government and Critical National Infrastructure (CNI), indicating that much larger swathes of industry are at risk.

This section describes in more detail the results of our study for different stakeholders and how the cost of each type of cyber crime was calculated.

COST TO CITIZENS
We considered three types of cyber crime that impact on individual citizens:
– identity theft;
– online scams;
– scareware.

The impact of identity theft was estimated in two ways, based on information published by CIFAS50, in particular:
– the number of reported incidents was multiplied by the average cost of an incident and a further estimate made for the level of under-reporting (we estimated that only one in 15 incidents are reported);
– the number of UK citizens with internet access was multiplied by the probability that they became a victim of identity theft, modified by an estimate of the proportion of these crimes being conducted online (which we conservatively estimated at 25 per cent).

Both methods of calculation provided similar answers, with an average of £1.7bn per annum, which compares well with the results of other studies by CIFAS, which also made an estimate of £1.7bn per annum51, and the IFSC, which reported a figure of £1.2bn52 per annum.

We used a similar approach to estimate the cost of online scams, in which we took the total number of UK citizens who have shopped online53 and multiplied this by the estimated percentage who may have experienced fraud54 and the average cost of the fraud55. This gave an estimate of the total cost of online scams of £1.4bn.

Finally, the costs of scareware and fake anti-virus were calculated from information published by Symantec56 on the probability of such an attack and its average cost. The resulting figure of £30m was by far the lowest for any type of cyber crime, but it has been identified as an area of growth57.

The table below presents a summary of the results of the cost of cyber crimes to individual citizens.

Cyber crime               Economic impact
Identity theft            £1.7bn
Online fraud              £1.4bn
Scareware and fake AV     £30m

Cost of cyber crime to UK citizens

Therefore, our overall estimate for the economic cost of cyber crime to UK citizens is £3.1bn per annum.

Footnotes
50 CIFAS, 2006. Identity Fraud – What About The Victim?
51 Ibid
52 ‘New Estimate of Cost of Identity Fraud to the UK Economy’, Identity Fraud Steering Group (IFSC), 2008.
53 Source: Get Safe Online.
54 Ibid
55 Ibid
56 Symantec, 2009. Report on Rogue Security Software
57 ‘Growth of 'scareware' is frightening’, by Ced Kurtz, Pittsburgh Post-Gazette, July 11, 2010.

COST TO THE GOVERNMENT
We used two approaches to assess the cost of fiscal fraud by cyber criminals to the Government.

The first approach took information from the NFA Annual Fraud Indicator58, which estimates the total cost of:
– tax fraud;
– benefits fraud;
– local-government fraud;
– central-government fraud;
– NHS fraud;
– pension fraud.

The total cost was combined with an estimate from NFA59 on the proportion of fraud that is attributable to ‘criminal attacks’. For the purposes of our study, we assumed that all of these ‘attacks’ were cyber attacks60.

This gave an overall figure for fiscal fraud by cyber criminals of £2.2bn. However, although we have used the most up-to-date information available, we believe it may be underestimating the total level of cyber crime against government systems and, therefore, further work in this specific area may be of value.

COST TO BUSINESSES
Our study looked at the cost to business of the following types of cyber crime:
– IP theft;
– industrial espionage;
– customer data-loss (reported);
– online theft;
– extortion.

The results for each of these types of cyber crime are provided in the following sub-sections.

IP THEFT
In Chapter 2 of this report, we describe the issue of IP theft in some detail, including the impact on different business sectors. Because we believe the level of IP theft will vary by sector, individual assumptions were made for:
– the probability of IP theft in the sector;
– the level of exploitability of the IP in the sector;
– the revenue impact on the company if a rival is able to exploit the IP.

Our approach produced three-point estimates for the economic value of IP by taking published figures for the cash flow per year in each sector and estimating the fraction attributable to IP. The results are provided below:

Our results for the most-likely scenarios show that the following business sectors are most likely to be impacted by IP theft61:
– aerospace and defence – £0.4bn per annum – which is likely to be due to the high likelihood of companies in this sector being subject to a cyber attack and the relative exploitability of their IP;
– chemicals – £1.3bn per annum – which is likely to be due to the high volumes of IP generated in this sector and the relative ease with which it can be exploited;
– electronic and electrical equipment – £1.7bn per annum – which is likely to be due to the relative ease with which the IP generated by companies in this sector can be exploited;
– software and computer services – £1.6bn per annum – which is likely to be due to the relative ease with which the IP generated by companies in this sector can be exploited;
– healthcare, pharmaceutical and biotechnology – £1.8bn per annum – which is likely to be due to the high volumes of IP generated by companies in this sector.

We note that, although none of the other business sectors are likely to be entirely immune from IP theft, the impact of cyber attacks here is likely to be much smaller due to the relatively low volumes of IP generated in these sectors.

[Figure: Annual costs by business sector of IP theft by cyber criminals. Bar chart titled "IP theft – most likely economic impact by business sector"; vertical axis from £0M to £2,000M; horizontal axis lists the business sectors.]

Footnotes
58 National Fraud Authority, 2010. Annual Fraud Indicator
59 Ibid
60 This assumption was made due to the high volume of financial transactions made using online means.
61 Assumptions are based on anecdotal evidence and information from BIS innovation.gov.uk



INDUSTRIAL ESPIONAGE
A more detailed discussion of the impact of espionage has been given in Chapter 2. During our study, we made three-point estimates of the costs to the UK of:
– The loss of competition-sensitive information – we estimated the proportion of a sector’s annual value-added to the UK economy that is dependent on large-scale tendering competitions, and multiplied this by estimates for the probability that any of these would be subject to cyber attacks and the resultant exploitability of the stolen information.
– Information on mergers and acquisitions – we estimated costs by taking the total value of mergers and acquisitions for each business sector in the last year and multiplying these by estimates for the probability that any of these would have been subject to cyber attack, the exploitability of the information and the maximum illegal return that could be generated without the exploitation being detected. Separate calculations were made for cybercriminals being able to manipulate the share price of the organisation through ‘short selling’ or, in the case of exceptionally large mergers, benefiting from exchange rate fluctuations.

Our total estimate for industrial espionage is £7.6bn. The results for different business sectors are shown below:

We believe that this type of cyber crime is heavily influenced by prevailing market conditions. However, in the current market climate of this study, three business sectors were assessed to be significantly impacted by espionage:
– aerospace and defence – £1.2bn per annum – which is due to the large proportion of revenue that companies in this sector derive from large tendering competitions62;
– financial services – £2.0bn per annum – which is due to extremely high transaction volumes and recent share price fluctuations in this sector;
– mining – £1.6bn per annum – which is due to both the increasing market value of raw minerals and the high level of mergers in this sector at present63.

CUSTOMER DATA LOSS
The costs to businesses of customer data loss arising from cyber attacks have been determined using information from the Department for Business, Innovation and Skills (BIS)64 combined with additional information from the Ponemon Institute65.

For this type of cyber crime, these references indicate that the business sector is less important than the overall size of the company. Therefore, our approach considered the following sizes of company66:
– small companies, defined as having less than 50 employees;
– medium-sized companies, with between 250 and 500 employees;
– large companies, with more than 500 employees.

The cost of customer data loss in each of these three categories was estimated as follows:
– We took the number of reported incidents of data loss and multiplied these by estimates of the average number of records lost in each incident and the handling cost per record. We took account of a number of other factors, including estimates from BIS of business disruption costs, direct financial losses and average costs for reputational damage.
– We carried out a sensitivity analysis to determine what the effect would be of larger costs associated with reputational damage and direct financial losses, because we believe they are underestimated in some sources of data67.

The overall impact from data loss is estimated to be between £0.96bn and £1.44bn per annum. The level of uncertainty in our results is principally driven by the variability in our estimate for costs associated with reputational damage.

The results are shown below:

Business size     Best case     Worst case
Small             £3.9m         £4.3m
Medium            £12m          £14m
Large             £940m         £1420m
Total             £0.96bn       £1.44bn

Annual costs to business of customer data loss through cyber crime

[Figure: Estimates by UK business sector of the annual cost of industrial espionage by cyber criminals. Bar chart titled "Espionage impact by business sector"; vertical axis from £0M to £2,500M; horizontal axis lists the business sectors.]

ONLINE THEFT FROM BUSINESS
As there are no reliable published estimates for direct online theft from business, our study attempted to estimate the likely impact by looking at the cash-flow per year across the different business sectors and making some assumptions about the level of cyber crime.

Our approach estimated a maximum percentage of annual cash-flow that a business sector could potentially tolerate being lost. This was multiplied by an estimate we made of the probability that businesses in this sector were subject to successful cyber attacks. Due to the sensitivity of the results to this estimate, we calculated three-point estimates of the worst case, best case and most likely costs.

The figure below shows the results across the business sectors for the most likely costs:

Overall, we estimate the most likely impact is £1.3bn per annum, with the best and worst case estimates £1.0bn and £2.7bn respectively. Our results show that support services, the construction and materials industry and the not-for-profits sector are most likely to be targeted.

We acknowledge that our approach to estimate the level of theft is based on a set of broad assumptions, but in the absence of data being available on actual levels of online theft, we consider them to be reasonable. In particular, the profile of online theft we have estimated for the business sector is driven by the amount of capital potentially at risk, and, one would therefore assume, the level of attractiveness the sector holds for cyber criminals.

[Figure: Annual costs of online theft by cyber criminals by UK business sector. Bar chart titled "Online theft by business sector"; vertical axis from £0M to £250M; horizontal axis lists the business sectors.]

Footnotes
62 For example, see the MOD Contracts Bulletin
63 PKF Deal Drivers
64 Department of Trade and Industry, 2004. Information Security Breaches Survey 2004 Technical Report
65 ‘Cost of UK data breaches 2010’, Ponemon Institute, July 2010.
66 The definitions of company sizes are consistent with those used in the BERR 2008 Information Breach Survey.
67 Source: BIS



EXTORTION
This is one area in which we believe underreporting is prevalent68. A successful extortion attempt is unlikely to be reported as this may cause further reputational damage with a low probability of recovering any of the money lost69. We have therefore assumed that there are no reliable estimates of the true extent of cyber-extortion.

Our approach considered the combined turnover of businesses of small, medium and large size, and multiplied these by an estimate we made of the proportion of companies that would be vulnerable to extortion, the probability of an extortion attempt being made and the probability that it would be successful. The table below outlines the three-point estimates we calculated using this approach.

Business size     Best case     Most likely     Worst case
Small             £12m          £20m            £24m
Medium            £13m          £27m            £34m
Large             £532m         £2,130m         £2,660m
Total             £0.56bn       £2.2bn          £2.7bn

Annual cost of extortion to UK businesses through cyber crime

The overall impact on medium-sized business is lower because the number of companies that fall within this category is lower. The large variation in the three-point estimates is indicative of the uncertainty that remains in the true scale of extortion.

OTHER FINDINGS
This section presents an analysis of some of the key features of the results.

The impact of cyber crime extends far beyond the CNI
Our study has shown that the vast majority of business sectors assessed to be at greatest risk of cyber crime are not part of the Critical National Infrastructure (CNI)70. Finance is the only sector that is both part of the CNI and assessed as being most at risk of cyber crime. This is illustrated below.

[Figure: Comparison of CNI sectors with industry sectors exposed to highest risk of cyber crime. Two groups: "Sectors in the critical national infrastructure" and "Sectors significantly vulnerable to economically motivated cyber crime". Sector labels shown: Defence, Food, Energy, Communications, Electronics, Pharmaceuticals, Finance, Emergency services, Water, Software, Technology hardware, Transport, Health, Chemicals.]

We believe that these results are because:
– companies within the CNI are established providers of core services that do not have a high level of IP;
– companies within the CNI tend to be stable, with limited M&A activity;
– companies within the CNI tend to provide services directly to the public, and very little of their turnover is generated through a commercial tendering process;
– companies within the CNI do not rely heavily on the use of the Internet to sell their products or services.

This is not to say that other types of cyber attacks are of no concern to the CNI. The CNI is a key target for cyber terrorism and cyber warfare, where the motive is to cause disruption and fear rather than to obtain financial revenue.

The Centre for the Protection of National Infrastructure (CPNI) currently provides advice and support to companies in the CNI on how they can improve their levels of protection against cyber attacks. We recognise that the CNI is exposed to other types of cyber risk, which are not instigated by financially-motivated criminals, but nevertheless recommend that at least the same emphasis should be given by the CPNI to the business sectors we have shown to be at the greatest risk of cyber crime.

Footnotes
68 For example, see Cyber-Extortion: ‘The Elephant in the Server Room’, Adam J. Sulkowski and Timothy Shea, May 2007
69 Ibid
70 For a definition of the CNI see the Centre for the Protection of the National Infrastructure web site, www.cpni.gov.uk

The costs of cyber crime vary considerably across business sectors
We found that there are large variations in the profile of cyber crime across different business sectors. We believe that this is due to a number of factors, which may include:
– The sectors most affected are outside the CNI, and so have not necessarily had the levels of regulation or investment in infrastructure or resources to tackle cyber crime in the same way as those sectors that do fall under CPNI’s principal remit. The only exception to this is the financial sector.
– Each sector has a very different cyber risk profile, and this can be due to several variables, such as the online presence of companies in the sector typically, the amount of liquidity they hold, the current market activity they engage in and the investment in IP and security they make.
– The scale of IP theft across sectors differs depending on its value, because companies in some sectors invest more heavily in IP than others, or consider IP generation more critical to their strategic growth.
– The loss to business is much larger than the loss to citizens, because, it seems, cyber criminals can make more money from successful attacks on businesses through IP theft, online theft, espionage and customer data loss.
– We believe that there are significant under-reporting issues in some cyber crime areas, which may arise from lack of awareness or reputational considerations on the one hand, but also because of uncertainty of where to report, whether it will make a difference and confusion about when a cyber criminal attack is actually taking place on the other.
– Some types of cyber crime may be much larger or smaller in scale than we estimate, especially in areas which are typically undetected, under-reported or not investigated. For example, online extortion is very difficult to estimate as no information on its scale is publicly available.
– There are high knock-on indirect economic effects of cyber crime which compound the estimates made in this study. Examples include the growth and increasing influence of highly organised criminal organisations and activity, and the potential re-investment of cyber criminal proceeds into other criminal activities, such as drug dealing and human trafficking.
– Some economically-motivated cybercrimes on businesses and the Government can cause other harm to individual citizens, which magnifies the impact of the original crime. For instance, businesses that are severely impacted by cyber crime may have to reduce staff levels accordingly to maintain their profit margins. This can lead to job losses and less consumer spending, which, in turn, reduces the cash flow to organisations and creates a vicious circle.



CHAPTER 5
CONCLUSIONS AND
RECOMMENDATIONS

The cost of cyber crime is significant and growing
Cyber crime costs the UK economy an estimated £27bn per annum. For the cyber criminals – who may be individuals, organised criminal groups or even nation states – it is highly lucrative and the barriers to entry are low. The ease of access to and relative anonymity provided by ICT lowers the risk of being caught while making crimes straightforward to conduct.

Additional work is needed to understand the cyber criminal’s ‘business model’, however, which could draw upon knowledge being rapidly assimilated by law enforcement organisations and through research being conducted by ‘think tanks’ and academia. Through this model, more holistic approaches for countering cyber crime can be developed, seeking to exploit weaknesses in their end-to-end process, including striking at the dependencies that cyber criminals have on legitimate ICT infrastructure and service providers.

The impact of cyber crime is felt most by UK business
Although our study shows that cyber crime has a considerable impact on citizens and the Government, the main loser – at a total estimated cost of £21bn – is UK business, which suffers from high levels of intellectual property theft and espionage.

The impact of cyber crime does not fall equally across industry sectors. The most seriously affected businesses are from sectors not traditionally viewed as targets of cyber attacks. And, although the Government continues to focus on protecting the Critical National Infrastructure, providers of software and computer services, financial services, pharmaceutical and biotech and electronic and electrical equipment are at a particular risk from cyber crime. Without urgent measures to prevent the haemorrhaging of valuable intellectual property, the cost of cyber crime is likely to rise even further in the future as UK businesses increase their reliance on ICT.

The results of the current economic study suggest that businesses need to look again at their defences to determine whether their information is indeed well protected. Encouraging companies in all sectors to make investments in improved cyber security, based on improved risk assessments, is likely to considerably reduce the economic impact of cyber crime on the UK.

The UK needs to build a comprehensive picture of cyber crime
Although the existence of cyber crime in the UK economy appears endemic, efforts to tackle it seem to be more tactical than strategic. We believe that the potential for reputational damage is inhibiting the reporting of cyber crime. The problem is compounded by the lack of a clear reporting mechanism and the perception that, even if crimes were reported, little can be done. Additional efforts by the Government and businesses to measure and improve their understanding of the level of cyber crime would allow responses to be targeted more effectively.

Therefore, we recommend that selected companies from within the most affected business sectors are approached in confidence to help the Government build a more accurate assessment of IP theft and espionage. This would not only increase the awareness of the issues by individual companies, helping them to conduct detailed investigations into their losses from different types of cyber crime, but also contribute to a more accurate and comprehensive picture of cyber crime across the UK.

At the same time, we believe UK businesses should be provided with a Government-sponsored, authoritative, online and interactive service to promote more widespread awareness and the adoption of best practice in protection from cyber crime. Such a service could also provide a central reporting mechanism to allow businesses to report cyber crime, anonymously if necessary.

Footnote
70 “Business and the cyber threat: unknowingly under siege?”, Detica security monitor, December 2010

ANNEXES

ANNEX A: ORGANISATIONS CONSULTED
Representatives from the following government departments were consulted during the study:
– Serious Organised Crime Agency (SOCA)
– Intellectual Property Office (IPO)
– Police Central E-crime Unit (PCeU)
– Centre for the Protection of the National Infrastructure (CPNI)
– The Department for Business Innovation and Skills (BIS)

In addition, several discussions were held with senior security staff within some of the most high profile organisations across industry sectors. For the purposes of this report, these businesses have remained anonymous.

ANNEX B: BUSINESS SECTOR BACKGROUND
This appendix provides background information on the key business sectors that are potentially at greatest threat from cyber crime. The information was used to inform the development of the cyber crime impact model.

It must be noted that, whilst every effort was made in this study to obtain the most authoritative, reliable and up to date information on each industry sector, this data has not always been available. Although changing market conditions and new research may, therefore, alter the assessments below, we hope that the framework provided in this study will help in future studies and evaluations of the total cost of cyber crime to the UK.

Aerospace and defence
The UK aerospace industry is the world’s largest outside the USA with a 17 per cent share of the global market. It has an annual turnover of around £139bn per annum according to the UK National Accounts Blue Book 2010. It directly employs 101,000 workers, and supports a total of 230,000 jobs across the UK economy. It also contains a highly skilled workforce, with 36 per cent of all employees having a university degree or equivalent. The UK defence industry provides high-value employment, technology, innovation and exports and is a core element of the UK manufacturing industry.

The UK aerospace and defence sectors continue to represent significant long-term growth opportunities for the UK economy, with international companies attracted by the UK’s open market, competitive supply base and strong government support for R&D. The aerospace and defence sectors spent around £2bn on R&D in total and were the second largest contributor to R&D in the UK1000 and the seventh largest in the G1000 in 2008. In 2008, the three giants of the UK aerospace sector – Airbus, BAE Systems and Rolls-Royce – collectively spent almost £1.2bn on R&D.

Due to the high levels of revenue generated by this market, combined with fierce international competitiveness and substantial investment in R&D, this sector is likely to be affected by cyber crime through industrial espionage (through international corporations), IP theft and share price manipulation (through state sponsored activity).

Automobiles and parts
The turnover of the UK automotive sector is £24bn, contributing approximately 1.5 per cent of GDP and generating some £10.2bn value added. The industry employs some 715,000 people, both directly in vehicle manufacturing and in the supply and distribution chain. About half of added value comes from manufacturing and assembly, which represents about 15 per cent of total UK manufacturing value added.

The UK sector’s particular strengths include design engineering, especially advanced technology in motorsport. It is also increasingly becoming a centre for engine production and in ‘premium’ cars.

The automobiles and parts sector was the fifth largest contributor to R&D in the UK1000 and the second largest in the G1000 in 2008. Overall the industry is currently investing over £1bn annually in new plant and technology, equivalent to 13 per cent of gross value-added. The UK is also a centre for design engineering where around 7,500 people are employed, generating a turnover of some £650m, with around 65 per cent exported. Automotive R&D accounted for six per cent of total UK R&D and the innovation generated can support other United Kingdom industries.

Due to the high levels of revenue generated by this market, combined with fierce international competitiveness and substantial investment in R&D, this sector is likely to be affected by cyber crime through industrial espionage (through international corporations), IP theft and share price manipulation (through state sponsored activity).

Chemicals
The chemical industry is one of the largest manufacturing industries in the UK, with a turnover of £55bn and predicted continued good growth despite the economic downturn. With an 8.2 per cent share of the world market, the UK chemical industry provides direct employment for 214,000 people and supports several hundred thousand additional jobs throughout the economy. The industry spends in excess of £2 billion per year on new capital investment.

The chemical industry is very efficient, delivering a value added per employee of nearly twice that of the UK manufacturing average. Today, the UK chemical industry focuses 60 per cent of its production on the specialist sector. The result is an innovative industry, strongly assisted by major research and development centres and funding initiatives which are enabling UK-based businesses to capitalise on new materials and products to secure competitive advantage.

The R&D expenditure by the UK chemicals industry is £3.8bn per annum, and amounts to more than 10 per cent of industry sales. Furthermore, the UK government offers tax credits to UK-based business engaged in R&D. As a result, the UK has developed dynamic, innovative clusters in a wide range of technologies and many overseas companies have established R&D centres in the UK to capitalise on this open innovation ‘ecosystem’. Around 45 per cent of all business R&D undertaken in the UK is funded by overseas-owned companies.

Due to the high levels of revenue generated by this market, combined with fierce international competitiveness and substantial investment in R&D, this sector is likely to be affected by cyber crime through industrial espionage (through international corporations) and IP theft (through state sponsored activity).

Electronic and electrical equipment services
The UK electronics industry is worth £55bn a year and is the fifth largest in the world. It employs over 250,000 people in the UK in more than 11,000 workplaces and represents ten per cent of the UK manufacturing industry. Electronics is pervasive and underpins virtually every other sector of economic activity. It is a key enabling technology in every other sector providing labour saving devices, driving the development of high-speed communications and information processing, and transforming entertainment and business. Of the UK EPES manufacturing businesses, more than 98 per cent are below the 250 employee threshold that defines them as small or medium sized enterprises, and around two thirds are ‘Micro’ enterprises with less than 10 employees. These small or medium sized enterprises account for around half the work force and turnover.

The R&D expenditure by the electronics sector is £5.7bn per annum and accounts for 7.2 per cent of the UK R&D investment total. The UK hosts nearly a third of Europe’s silicon design companies.

Due to the high levels of revenue generated by this market, combined with significant investment in R&D and the high levels of medium and smaller companies, this sector is likely to be affected by cyber crime through industrial espionage, share price manipulation (through international corporations), IP theft (through state sponsored activity) and service denial (as there is a high level of online reliance by smaller companies).

Financial services
The UK Financial Services industry (including banks) has an annual turnover of around £812bn according to the 2010 Blue Book. It directly employed just over one million people in 2009 and despite the recent financial crisis, its net exports grew to £50bn in 2008. Over the last year, the UK financial services sector remained the largest in Europe, while London retained its mantle as the world’s international centre of choice for more financial institutions and investors than any other city globally. The impact of financial services, however, goes well beyond the sector’s direct contribution to the UK economy. Since finance underpins everything in an economy and society, its availability and stability are necessary to support societal needs. The industry provides a critical underpinning for the generation, accumulation and transfer of wealth and provides essential capital for business growth. Innovations in financial services also help governments, businesses and individuals to invest and take risks in a measured, more considered manner.

The banking sector was the fourth largest contributor to R&D in the UK1000 and fifteenth in the G1000 in 2008. Three banks were among the top 25 UK investors in the UK1000: RBS, HSBC and Barclays continue to dominate R&D investment in the UK banking sector. Together they accounted for 88 per cent of the sector total and over five per cent of the UK1000 spend in 2008. According to the BIS 2009 R&D scorecard, the financial sector (including banks) invested around £1.8bn in R&D activity.

Due to the high levels of revenue generated by this market, combined with substantial investment in R&D and a high online presence and reliance on technology, this sector is likely to be affected by cyber crime through industrial espionage (through international corporations), share price manipulation (through state sponsored activity), online theft and online fraud (as there is a high level of concentrated financial liquidity).

Food and beverages
The UK Food and Beverage manufacturing industry is the single largest manufacturing sector in the UK, with a turnover of £72.8bn and a gross value added of £21.6bn, accounting for 15 per cent of the total manufacturing sector. Employing more than 500,000 people, it makes a huge contribution to the economy and positions the UK as the fifth largest exporter of value-added food and drink. All this economic activity is carried out by just over 7,000 food and drink enterprises – many of which are small companies employing less than 10 people.

The food and beverage sector accounts for over four per cent of the total R&D spend reported in the UK. Due to the highly competitive nature of the industry, there are over 1,500 new products introduced each quarter. The mix of product and process innovation is a core strength of the sector. Due to its size, direct links to health outcomes and its impact on emissions from production and logistics, the food and drink sector should have a strategic focus in the UK.

Due to the high levels of revenue generated by this market, this sector is likely to be affected by cyber crime through online theft and online fraud (as there is a high level of concentrated financial liquidity).

Healthcare, pharmaceutical and biotech
The pharmaceuticals and biotechnology industries contributed around 4 per cent of total UK value added in 2008, while the healthcare equipment and services sector contributed 0.5 per cent. The total annual turnover for all UK healthcare, pharmaceuticals and biotech industries was around £29bn.

The UK-based healthcare technology industry plays a significant role in contributing to patient care, public healthcare and the national economy with values of £5.6bn annual sales in 2007 and £5.4bn in exports in 2008.

The UK is one of the world's largest exporters of pharmaceuticals by value. Industry exports in 2005 were £12.2bn and created a trade surplus of £3.4bn. The UK domestic market accounts for four per cent of world consumption.

The UK's medical biotechnology sector is the most mature in Europe and contains approximately 450 biotechnology businesses in the UK employing 21,830 with revenues around £2.63bn.

The pharmaceutical industry invests around 30 per cent of its sales in research. This amounts to nearly £4bn, or more than £10m a day. The pharmaceuticals and biotechnology sector was the largest contributor to R&D in both the UK1000 and the G1000 in 2008.

Due to the high levels of revenue generated by this market, combined with high investment in R&D and the high levels of medium and smaller companies, this sector is likely to be affected by cyber crime through industrial espionage (through international corporations), IP theft (through state sponsored activity), and service denial (as there is a high level of online reliance by smaller companies).

Industrial engineering
In 2007 the UK’s total exports in the engineering sector exceeded £109bn, with manufacturing accounting for 14 per cent of the UK’s GDP and 55 per cent of its exports. There are some 2.9m people employed in UK manufacturing. Examples of industrial engineering include nanotechnology, ceramics, plastics processing, printing and publishing, processing and packaging equipment, automation, and solids and materials handling.

The UK is the world’s sixth-largest engineering and manufacturing base and engineering and manufacturing industries spent £10.8bn on R&D in 2006.

Due to the high levels of revenue generated by this market, combined with high investment in R&D and the high levels of medium and smaller companies, this sector is likely to be affected by cyber crime through industrial espionage (through international corporations), IP theft (through state sponsored activity), and service denial (as there is a high level of online reliance by smaller companies).

Mobile telecommunications
The contribution of the mobile telephone industry to UK GDP was £40.6bn in 2009. This was 2.2 per cent of the UK’s total economic output and the industry contributes £15bn a year to government finances. The sector is responsible for nearly 200,000 jobs. The UK (mobile) market is considered to be one of the most competitive in the world with well established 2G GSM (Global Systems for Mobile Communications) and 3G UMTS (Universal Mobile Telecommunications Systems) operators. Since the privatisation of the incumbent operator BT in 1984, competition has developed strongly. There are now approximately 170 fixed telecommunications providers, five mobile providers, 59 mobile service providers and 700 Internet service providers.

The mobile telecommunications sectors were the sixteenth largest contributor to R&D in the UK1000 in 2008. Both BT and Vodafone dominated R&D spending in the UK telecommunications sectors, as together they spent 93 per cent of the sector total, and five per cent of the overall UK1000 spend. R&D decreased in the UK telecommunications sectors in 2008, while sales grew. Of the biggest investors, only Vodafone grew its R&D investment (by 20 per cent) more quickly than its sales.

Due to the high levels of revenue generated by this market, combined with significant investment in R&D and the high levels of customer data, this sector is likely to be affected by cyber crime through industrial espionage (through international corporations), IP theft (through state sponsored activity), and online theft, customer data theft and online fraud (as there is a high level of customers, transactions and profits).

Not-for-profits
The UK Not for Profits sector generates a total of £111bn revenue and comprises both charities (with £52bn generated and 188,000 organizations) and higher educational institutions (with £59bn generated). Some charities are large in both income and staffing, but more than half of registered charities have an annual income of less than £10,000. For higher educational institutions, there is a substantial employment effect with around 670,000 jobs being created throughout the economy in 2007/08. Of these some 372,000 people were directly employed by universities and colleges. There is further evidence of the importance of international students to the sector and the wider economy. One significant impact is the volume of personal off-campus expenditure of these students, which amounted to £2.3bn in 2008.

Charitable funding of UK R&D has been rising in real terms since 2004 and reached around £950m in 2008-09. Most research charities do not consider the funding of university infrastructure their responsibility, although many contribute to it. Higher education institutions' income is around £3.7bn through research grants and contracts, through around 2,000 UK public sources and around 1,000 private sources.

Due to the high levels of revenue generated by this market, combined with substantial investment in R&D, this sector is likely to be affected by cyber crime through IP theft (through state sponsored activities), customer data theft (through large databases containing personal information in charities) and industrial espionage (through international corporations).

Oil and gas
The oil and gas industry is one of the largest UK economic contributors in terms of added value (measured as the value of sales minus production costs), accounting for £22bn in 2006. This amounted to 13 per cent of the production and manufacturing industry total in the UK. In 2007, the upstream oil and gas industry invested £4.9bn in capital and £1.3bn in exploration and spent £6.2bn in operations, making a total expenditure for the year of £12.4bn. The industry now provides employment for 450,000 people and delivers around £21bn in taxes every year, both from direct taxation of production and the wider economic activities of the UK supply chain. In 2009, the UK's balance of trade in goods and services was boosted by oil and gas production by up to £27bn.

In 2009, the sector was the largest industrial investor, spending £5.7bn on R&D activities. Shell was the largest investor in research and development among the major oil firms spending nearly £800m on the research and development of technologies to produce more energy, and more efficient fuels and products.

Due to the high levels of revenue generated by this market, combined with significant investment in R&D and the high dependency level of other sectors on the energy produced by oil and gas, this sector is likely to be affected by cyber crime through industrial espionage, share price manipulation (through international corporations) and IP theft (through state sponsored activity).

Software and computer services
The UK is one of the largest ICT markets in Europe, worth almost £120bn in 2009 and employing over one million people. The software and computer services industry is central to the UK economy and a key source of competitiveness for all sectors, opening up new markets, increasing performance and driving productivity. The UK’s IT industry produces an annual GVA of £30.6bn, three per cent of the total UK economy. Continued IT adoption and exploitation has the capacity to generate an additional £35bn of GVA to the UK economy over the next five to seven years.

In the UK 1.2m people are employed in the IT workforce (597,000 in the IT industry itself and 650,000 IT professionals working in other industries). These are the people upon which the 22m employees who use IT in their daily work rely for the creation, implementation and operation of systems, services and communications, forming the backbone of companies across the UK. There are 154 software and computer services companies in the UK1000, more than in any other sector.

In 2008, the software and computer services sector was the third largest contributor to R&D in both the UK1000 and the G1000. R&D spending by companies in the UK software and computer services sector remained more fragmented than in other sectors: the six largest companies in terms of R&D spent 47 per cent of the sector total.

Due to the high levels of revenue generated by this market, combined with significant investment in R&D and the high online presence and dependency level of other sectors on the capabilities produced by software and computers, this sector is likely to be affected by cyber crime through industrial espionage, share price manipulation (through international corporations), IP theft (through state sponsored activity) and extortion and online fraud (by cyber criminal organizations).

Technology and hardware services
The UK technology and hardware services generate £86bn a year and are growing in significance. The sector also makes a positive contribution to UK trade, with export in services in particular bringing in an estimated £1.4bn for April-June 2009 alone. The UK’s technology sector will continue to grow in size and importance over the next decade. Next generation technologies are using semantic approaches to catalogue information and compile more accurate and personalised responses to information queries, essential given the increasing volume of data on the internet.

The R&D expenditure by the electronics sector is around £1bn per annum and has included initiatives such as the £30m Centre for Secure Information Technologies at Queen’s University, Belfast, which will become the UK’s principal centre for the development of technology to counter malicious cyber attacks.

Due to the high levels of revenue generated by this market, combined with significant investment in R&D and the high levels of medium and smaller companies, this sector is likely to be affected by cyber crime through industrial espionage, share price manipulation (through international corporations), IP theft (through state sponsored activity) and service denial (as there is a high level of online reliance by smaller companies).

About Detica
Detica delivers information intelligence solutions to government
and commercial customers. We help them collect, exploit and
manage data so they can deliver critical business services
more effectively and economically. We also develop solutions to
strengthen national security and resilience.
We integrate and deliver world-class solutions to our customers’
most complex operational problems – often applying our own
unique intellectual property. Our services include cyber security,
managing risk and compliance, data analytics, systems integration
and managed services, strategy and business change and the
development of innovative software and hardware technologies.
Detica is part of BAE Systems, a global defence and security
company with over 100,000 employees worldwide. BAE Systems
delivers a full range of products and services for air, land and naval
forces, as well as advanced electronics, security, information
technology solutions and customer support services.

For more information contact:


Detica Limited
Surrey Research Park
Guildford
Surrey, GU2 7YP
United Kingdom
+44 (0) 1483 816000
E: info@detica.com
www.detica.com

© 2011 Detica Limited. ALL RIGHTS RESERVED. Detica, the Detica logo and/or names of Detica products referenced herein are trademarks of Detica Limited and/or its affiliated companies and may be registered in certain jurisdictions. Detica Limited is registered in England (No.1337451) with its registered office at Surrey Research Park, Guildford, England, GU2 7YP.

02.11.DET.CCR.001
