Quantifying cybercrime: Why we must measure impact to fight it effectively 

Although no one lens will quantify every aspect of cybercrime, good data can go a long way to understanding the big picture when it comes to measuring cybercrime.

Leaders and stakeholders in the cybersecurity community need to find common ground and establish common definitions and a standard way of reporting statistics. With key performance indicators (KPIs) and a common language with standardization and data normalization, it’s possible to gain more insight into what is happening.

The question is, although a single repeatable base of statistics to quantify cybercrime is necessary, is such a thing practical? What are some of the challenges?

How can we create a common language to quantify the value of steps taken to prevent cybercrime? How can we improve the reliability and accuracy of existing reports and statistics and ensure they are consistent with any new taxonomies or metrics?

Here’s a breakdown of some of the information that exists now:

The limitation of existing reports and information is that it they primarily focus on the results of what happened. We have information about attacks and types of crimes, but measuring the direct business of cybercrime is significantly more challenging.

Better measurement of cybercrime also requires a strong understanding the range of those crimes. As a starting list, the business of cybercrime includes, but is not limited to:

Delving into the business operations of cybercriminals is a critical aspect of quantifying cybercrime. Many know that Ransomware As A Service exists, but currently there are not sufficient tools to quantify this cybercrime risk, and therefore the investment into cybersecurity that is required to combat it.

In the United States, it’s possible to look at court indictments from the Department of Justice to get figures on a particular group. Even one ransomware group can make hundreds of millions or billions of dollars. And they often have complex extended business structures with affiliate programmes and commissions. However, examining court and investigation documents is highly time-consuming. Just poring through these documents does not help leaders better understand how to balance the risk their firm could face.

The Cybercrime Atlas initiative brings together global leaders to fight cyber threats and map the cybercrime landscape, covering criminal operations, structures and networks. Currently, the organization is working to map the cybercrime ecosystem and differentiate cybersecurity groups, methods, and crypto addresses globally.

With more information about cybercriminal groups, it’s possible to get a picture of how their revenue streams work and how they profit. Aggregating the numbers and adding structure around measurement can offer more meaningful insights. Consolidating, validating and aggregating statistics provides a view into the business of cybercrime, quantifying their operating costs, profits and losses.

Gaining the big picture of how cybercrime organizations work also can make disruption efforts far more effective. With a detailed playbook on what cybercriminals are doing, finding ways to thwart their efforts is easier.

Another challenge quantifying cybercrime is that not everyone needs or cares about the same data. Because so many organizations have a vested interest in combatting cybercrime, the data they need isn’t going to be the same.

Every organization has different uses for the information being gathered. For example, data on the average ransom amount being paid is helpful to insurance companies. But the KPIs that interest law enforcement groups relate to the recovery of funds, freezing of assets, infrastructure and operational growth.

From a law enforcement perspective, when it comes to reporting, there is a dearth of clear and publicized evidence about what works and what doesn’t. The law enforcement community is interested in more data and statistics showcasing success stories which send a clear message to cyber criminals.

A data-based perspective regarding the commonalities of cybercrime within organizations that show successful outcomes would be valuable, but it doesn’t exist clearly today.

Security vendors and law enforcement agencies need to work together to do research, such as following criminal groups, the dark web and forums. Threat hunters posing as cybercriminals can infiltrate organizations, and when law enforcement is involved, information from hard drives can be included in court documents.

Quantifying cybercrime seems like an overwhelming task, but like any other large project, it starts with groups rallying around an idea and breaking the process down into smaller tasks.

All of the cybersecurity stakeholders including vendors, law enforcement, and other experts need to work together to create standardized uniform methods for collecting and reporting data.

Next steps could include:

Quantifying cybercrime benefits everyone. By establishing a baseline, we can then see how effective our efforts to fight cybercrime really are and how we can tune them to increase the friction and improve the success rate.