Measuring the Cost of Stolen Data
Cybercrime and the ways to mitigate its effects are both topics that are too broad to cover adequately in a single blog post, so let’s limit what we look at here to a subset of them. In particular, let’s follow what one team of researchers did (the “EISP” paper, “Measuring the cost of cybercrime”) and limit ourselves to crimes that are generally considered cybercrimes. So this will include crimes like online banking fraud and online payment card fraud, where a criminal fraudulently uses someone else’s identity or bank account, but it will not include crimes like welfare fraud and tax fraud, in which a criminal might use their own identity to carry out a fraudulent transaction online.
From what we learned in ECON 101, we should expect businesses to be willing to spend roughly up to the amount of their losses to prevent those losses. It probably makes sense to spend $1 million to eliminate a $10 million loss, but if it costs $20 million to eliminate a $10 million loss, you’re better off accepting the loss than trying to eliminate it. The EISP paper suggests that this is actually happening: “defence costs are broadly comparable with actual losses.” But it also goes on to note that “the indirect costs of business forgone because of the fear of fraud, both by consumers and by merchants, are several times higher.”
The authors of the EISP paper caution about attributing too much precision to their numbers, but in this case, “several” means roughly “more than seven” for payment card fraud. So it seems like the indirect costs from lack of consumer and merchant confidence are probably the biggest costs from cybercrime.
In this particular case, the easiest way to restore the confidence of both consumers and merchants is to protect the sensitive information that they worry about falling into the hands of cybercriminals. This addresses the biggest cost of cybercrime, and it will also reduce the amount of direct fraud that both consumers and merchants worry about so much.
To protect the sensitive information that cybercriminals want, we can tokenize it or encrypt it. If we do that, the information becomes essentially valueless to them if they break into a data system, provided the token vault or the encryption keys are kept separate from the data they protect and are reachable only by the application paths that genuinely need the original value. Cybercrime is a for-profit business these days, so cybercriminals want to monetize any sensitive information that they acquire. A good discussion of how this works can be found in the HPE business white paper “The Business of Hacking.”
And because cybercriminals are motivated by profit, if hacking your business will not be profitable for them, they’re unlikely to do it. So if you protect any sensitive information that could be of value to them by tokenizing or encrypting it, you make your business an unprofitable target. If your database contains the credit card numbers of your customers, a successful cybercriminal might be able to sell the contents of that database for a tidy profit.
But if that database contains only tokens or encrypted credit card numbers, that same cybercriminal will be left looking for another source of income. They’ll probably spend their efforts targeting someone else who isn’t doing as good a job of protecting their sensitive information, and that’s a good thing. The net result is that by doing this we also address the biggest cost that cybercrime causes, and that might be an even better thing.
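The following is an added example, written for this edit and not code from the original post or from HPE/Voltage, showing the tokenization side of the argument above in working form. It builds a small vault that swaps each card number for a random, format-preserving token, stores a merchant order table both the risky way (raw PANs) and the protected way (tokens only), and then measures what a thief would get from a dump of each. The in-memory dict standing in for the vault, the order table layout, and the use of the public test card numbers 4111111111111111 and 5500000000000004 are all assumptions of the example.

```python
"""Tokenization vault for payment card numbers (constructed example).

Assumptions that are not part of the original post: an in-memory dict
stands in for a separately hosted, access-controlled vault, and the card
numbers used are the public test PANs 4111111111111111 and 5500000000000004,
not real customer data.
"""
import secrets


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check that real PANs satisfy."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps each PAN to a random, format-preserving token and back.

    The merchant database only ever stores tokens; the mapping lives here,
    in what would be a separate hardened system in production.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:  # same PAN -> same token, so orders
            return self._pan_to_token[pan]  # from one card can still be linked
        while True:
            # Keep the last four digits (receipts, support lookups) and draw
            # the rest from a CSPRNG; nothing about the PAN is derivable from it.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and any token that could pass as a real card.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path, which is authorized to reach the vault, calls this."""
        return self._token_to_pan[token]


def store_orders_naive(orders):
    """The risky design: the merchant table holds the PAN itself."""
    return [{"order_id": oid, "card": pan, "amount": amt} for oid, pan, amt in orders]


def store_orders_tokenized(vault: TokenVault, orders):
    """The protected design: the merchant table holds only the vault token."""
    return [{"order_id": oid, "card": vault.tokenize(pan), "amount": amt}
            for oid, pan, amt in orders]


def sellable_cards(stolen_rows):
    """What an attacker gets from a dump: the values that look like real PANs."""
    return [row["card"] for row in stolen_rows if luhn_valid(row["card"])]


if __name__ == "__main__":
    # Constructed sample orders; the third reuses the first card.
    orders = [("A1", "4111111111111111", 19.99),
              ("A2", "5500000000000004", 5.00),
              ("A3", "4111111111111111", 7.50)]
    vault = TokenVault()
    print("naive dump yields", len(sellable_cards(store_orders_naive(orders))), "cards")
    print("tokenized dump yields", len(sellable_cards(store_orders_tokenized(vault, orders))), "cards")
```

Two design points matter for the argument in the post. First, tokens are deliberately generated so that they fail the Luhn check, so a stolen table cannot even be mistaken for card data, while the preserved last four digits keep receipts and customer support working without any vault access. Second, the dump is worthless only because the vault (or, in the encryption variant, the key) does not sit in the same database; if the mapping is stored alongside the tokens, the attacker simply takes both.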
About the Author
Luther Martin, HPE Distinguished Technologist, is a frequent contributor to articles and blogs. Recent articles include A software engineer’s guide to encryption: How not to fail and Relax! Good encryption practices won’t affect app performance in TechBeacon Magazine, as well as Entertainment Makes Encryption Look Easy on the Voltage.com blog.