Quantifying cybercrime: Why we must measure impact to fight it effectively 


This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Derek Manky, Chief Security Strategist & VP Global Threat Intelligence at Fortinet’s FortiGuard Labs, Fortinet Inc.


  • It is vital to have a comprehensive understanding of cybercrime to measure progress and the impact of activities used to combat the problem.
  • Quantifying cybercrime benefits everyone by setting a baseline to see how effective efforts to fight cybercrime are and improve success rates.
  • Creating that baseline is difficult, given the range of crimes, the data different firms may value and the ease of accessing that data.

Although no one lens will quantify every aspect of cybercrime, good data can go a long way to understanding the big picture when it comes to measuring cybercrime.

Leaders and stakeholders in the cybersecurity community need to find common ground and establish common definitions and a standard way of reporting statistics. With key performance indicators (KPIs) and a common language with standardization and data normalization, it’s possible to gain more insight into what is happening.

The question is, although a single repeatable base of statistics to quantify cybercrime is necessary, is such a thing practical? What are some of the challenges? How can we create a common language to quantify the value of steps taken to prevent cybercrime? How can we improve the reliability and accuracy of existing reports and statistics and ensure they are consistent with any new taxonomies or metrics?


What is the World Economic Forum doing on cybersecurity?

The World Economic Forum Centre for Cybersecurity drives global action to address systemic cybersecurity challenges. It is an independent and impartial platform fostering collaboration on cybersecurity in the public and private sectors. Here are some examples of the impact delivered by the centre:

  • Cybersecurity training: Salesforce, Fortinet, and the Global Cyber Alliance, in collaboration with the Forum, provide free and accessible training to the next generation of cybersecurity experts worldwide.
  • Cyber resilience: Working with its partners, the Centre is playing a pivotal role in enhancing cyber resilience across multiple industries: Oil and Gas, Electricity, Manufacturing and Aviation.
  • IoT security: The Council on the Connected World, led by the Forum, has established IoT security requirements for consumer-facing devices, safeguarding them against cyber threats. This initiative calls upon major manufacturers and vendors globally to prioritize better IoT security measures.
  • Paris Call for Trust and Security in Cyberspace: The Forum is proud to be a signatory of the Paris Call, which aims to ensure global digital peace and security, emphasizing the importance of trust and collaboration in cyberspace.


Damages from cybercrime

Here’s a breakdown of some of the information that exists now:

  • Fortinet Global Threat Landscape Report. This report is published twice a year with a view of significant outbreaks and recommendations to help prepare and protect organizations from threats.
  • IBM Cost of a Data Breach Report provides information on the financial and brand impacts of data breaches with information on the contributing factors to higher data breach costs, such as critical infrastructure vulnerabilities, security system complexity, and skills shortage.
  • Verizon Data Breach Investigations Report includes data and insights from confirmed breaches.
  • FBI Internet Crime Complaint Center (IC3) Internet Crime Report is based on cyber incidents submitted to the FBI.

The limitation of existing reports and information is that they primarily focus on the results of what happened. We have information about attacks and types of crimes, but measuring the direct business of cybercrime is significantly more challenging.

Examining the business of cybercrime

Better measurement of cybercrime also requires a strong understanding of the range of those crimes. As a starting list, the business of cybercrime includes, but is not limited to:

  • Crime services (CaaS) such as:
      – Ransomware As A Service (RaaS)
      – Pay per install / pay per purchase models on commission
      – Botnets for hire
      – Laundering services
  • Revenue and profits, including the role of cryptocurrency in cybercrime
  • Affiliate networks and commissions
  • Overall business structures and extended business operations

Delving into the business operations of cybercriminals is a critical aspect of quantifying cybercrime. Many know that Ransomware As A Service exists, but currently there are not sufficient tools to quantify this cybercrime risk, and therefore the investment into cybersecurity that is required to combat it.

In the United States, it’s possible to look at court indictments from the Department of Justice to get figures on a particular group. Even one ransomware group can make hundreds of millions or billions of dollars. And they often have complex extended business structures with affiliate programmes and commissions. However, examining court and investigation documents is highly time-consuming. Just poring through these documents does not help leaders better understand how to balance the risk their firm could face.

The Cybercrime Atlas initiative brings together global leaders to fight cyber threats and map the cybercrime landscape, covering criminal operations, structures and networks. Currently, the organization is working to map the cybercrime ecosystem and differentiate cybersecurity groups, methods, and crypto addresses globally. With more information about cybercriminal groups, it’s possible to get a picture of how their revenue streams work and how they profit. Aggregating the numbers and adding structure around measurement can offer more meaningful insights. Consolidating, validating and aggregating statistics provides a view into the business of cybercrime, quantifying their operating costs, profits and losses. Gaining the big picture of how cybercrime organizations work also can make disruption efforts far more effective. With a detailed playbook on what cybercriminals are doing, finding ways to thwart their efforts is easier.

Different organizations need different data

Another challenge in quantifying cybercrime is that not everyone needs or cares about the same data. Because so many organizations have a vested interest in combatting cybercrime, the data they need isn’t going to be the same. Every organization has different uses for the information being gathered. For example, data on the average ransom amount being paid is helpful to insurance companies. But the KPIs that interest law enforcement groups relate to the recovery of funds, freezing of assets, infrastructure and operational growth. From a law enforcement perspective, when it comes to reporting, there is a dearth of clear and publicized evidence about what works and what doesn’t. The law enforcement community is interested in more data and statistics showcasing success stories which send a clear message to cyber criminals. A data-based perspective regarding the commonalities of cybercrime within organizations that show successful outcomes would be valuable, but it doesn’t exist clearly today.

Security vendors and law enforcement agencies need to work together to do research, such as following criminal groups, the dark web and forums. Threat hunters posing as cybercriminals can infiltrate organizations, and when law enforcement is involved, information from hard drives can be included in court documents.

Taking a unified approach on cybercrime

Quantifying cybercrime seems like an overwhelming task, but like any other large project, it starts with groups rallying around an idea and breaking the process down into smaller tasks. All of the cybersecurity stakeholders including vendors, law enforcement, and other experts need to work together to create standardized uniform methods for collecting and reporting data. Next steps could include:

  • Convene a small working group of experts from the Partnership Against Cybercrime (PAC), who can work to narrow the scope of this discussion to an actionable and reasonable plan specific to the PAC’s unique strengths.
  • Discuss the data sharing and consolidation efforts of certain PAC members’ data-based contributions.
  • Determine the standards for measurement and definitions and what a unified approach to quantifying cybercrime would look like.

Quantifying cybercrime benefits everyone. By establishing a baseline, we can then see how effective our efforts to fight cybercrime really are and how we can tune them to increase the friction and improve the success rate.
