Getting to Zero
Every so often, I see a post asking “How can we make [ransomware] [phishing] [cybercrime generally] (delete as appropriate) a thing of the past?”
I very much doubt that you can. There are at least two reasons:
- At a theoretical level, there’s no accepted definition of cybercrime. That was set out very clearly in a Home Office report dating from about 2018. And if you can’t define it, you can’t measure it.
- At a practical level, depending on your beliefs, crime has been around since Cain slew Abel. My guess is that it will be around for a bit yet.
So, Point One: there will always be cybercrime. There, I said it.
Management
Before asking “How can we… ?”, it might be worth asking “Should we… ?”. Because, to quote Sales:
“The optimal level of cyber-intrusions is not zero, and the optimal level of cyber-security expenditures is not infinity. From an economic perspective, the goal is to achieve an efficient level of attacks, not to prevent all attacks.”
Cormac Herley, in particular, points out that trying to defend against all attacks leads to “absurdities”. One for the EU lawmakers there, I think. Because making every system in Europe completely resilient against Advanced Persistent Threats (i.e. well equipped, capable actors funded by a hostile nation state) would be quite expensive. I haven’t done the sums, but I’m guessing that doing so would inflict about the same order of economic damage as the attackers are looking for. Except the absurd option, purely as a side effect, would make the cyber industry more profitable. Just saying.
So if we can’t stop all attacks, and if it might not make sense to do so anyway, what are we left with? I’d say three things. Setting an acceptable level of attacks. Yeah, heresy, right? Also managing the nature of the attacks. And I’m afraid, managing the target of the attacks.
Point Two: if you accept that the optimal number of cyber-intrusions is not zero, it follows that there will always be a victim. The reality of the situation therefore involves making a decision on who that should be.
Returns
The Ransomware Task Force report from 2021 makes fifty recommendations in their plan to eliminate ransomware. You know. Like achieving zero COVID. Worth taking a look at the latest figures on COVID, where there is now an accepted and acceptable baseline level of infections.
The RTF report’s recommendations centre on the creation of a global network of linked ransomware response centres, presumably including China and Russia, which (probably just my age) reminds me of another attempt to defend the world against a shadowy power, from a secret island base… although that one, as I recall, was a mixture of fantasy and special effects.
I’ve looked through the RTF report a number of times, and I’d be pleased if someone could correct me on a couple of things. First, there seems to be no statement that says “if you implement these recommendations, the cost will be $x million (trillion?)”. There also seems to be no statement anywhere that says “if you implement these recommendations, the benefit will be $y million (trillion?)”. And there seems to be no statement that says “and the likelihood of success is z%”. That is, there’s not even the basis of a business case. Instead, the argument seems to be “it’s cyber, just give us the money”.
By the by, a 2019 Microsoft Global Cyber Risk Perception survey concluded that:
“Organizations may be frustrated or confused when their increasing investment in cyber risk mitigation does not directly correlate to improved outcomes, as is usually the case with other areas of business investment and performance improvement.”
So, Point Three: cyber, at least according to the cyber industry, seems to be an investment that doesn’t need a supporting business case. Odd. Why not?
Return on Investment
Greater minds than mine have spent a lot of time trying to figure out how to calculate the Return On Investment for cyber. Intellects very much weaker than mine have concluded that the use of an Annualised Loss Expectancy is the way to go. In fact, as referenced elsewhere on this web site, ALE involves some baseless assumptions, and is generally considered to be unreliable at best, facile at worst.
So how do you calculate cyber ROI? I’ve spent some time looking at this, and I don’t think you can. Although in that respect, I may be in good company. Two years after the implementation of the EU Network and Information Security Directive, the UK Government’s Post-Implementation Review concluded that:
“… given the nature of cyber breaches and the complex factors involved, it will not be possible to attribute incidents as having been prevented by measures taken under the Regulations.”
“It is also not possible to quantify whether there has been a reduced impact of incidents where appropriate incident response plans have been put in place.”
“Quantifying the benefits of avoided losses through better security and risk management approaches is an extremely difficult task …”
“These difficulties pose barriers to undertaking a robust cost benefit analysis …”
Sitrep
Cybercrime will always be with us. Talk of elimination is optimistic at best. The better option is to manage it, which in part will involve directing the impact.
It’s very difficult to calculate security ROI. Possibly that’s because, as Verendel said, security doesn’t lend itself to being represented as a number. In fact, the idea that risk (and therefore security) can’t be represented using numbers has been around for oooh… at least a decade. Still waiting to be adopted. Until now anyway. Maybe.
Social Security
Externalities are impacts that affect e.g. bystanders rather than the central party. When a company experiences a cyber attack for example, the company itself might feel some impacts, but like as not, others will feel impacts too, such as trading partners, customers, the general public. Consequently, all of those parties have a stake in the security of the company. There’s a wider picture to be had, involving more than just the one organisation.
Last time I looked, about £0.6Bn was being leaked into the criminal economy every year, from credit and debit card fraud. And yet, the common consensus is that it’s perfectly safe to use debit and credit cards online. Why?
If you take the multi-stakeholder view, as a first approximation, there might be three parties involved: cardholders; card issuers; and regulatory bodies. Cardholders are ok with the situation, because the majority of fraud is paid back. The banks/issuers are ok, because they’ve reached the point of diminishing marginal returns. And the regulators are ok, because the banks are being seen to address the problem.
A couple of things to point out. First, each party has a different view of what security looks like. On the other hand, each of those views has been met, so there’s a shared agreement that the situation is “secure” in some sense. Second, this position has been arrived at through discussion. The banks and the cardholders, for example, have come to an agreement on what would be an appropriate level of repayments. Security has come about through negotiation. Not via a spreadsheet.
And finally, because everyone’s comfortable, this is a stable situation.
Or at least, it was.
Enter Authorised Push Payment fraud, where money isn’t taken out illicitly; instead, the account holder is persuaded to move money to the fraudster through legitimate, authorised transfers. This is a change to the status quo, and therefore triggers a new cycle of discussion between the banks and the cardholders on what security should look like. For example…
A couple of years ago, an unfortunate individual fell victim to a romance scam, costing them up to £300k in savings, loans, overdraft, and borrowings from friends and family. When it became evident that the recipient wasn’t who they claimed to be, the victim turned to the banks, and asked for their money back. Not surprisingly, the banks demurred. At least at first. Until the individual turned to the regulator for support.
So there’s been another round of discussions, with both the cardholders and the banks trying to keep to their previous views on security, and the regulator saying that actually, it’s the banks that should bear the consequences. Then it seems, to judge from the debate going on in the media, MPs joined in, on the side of the cardholders, saying that the banks have to step up. That is, a new party entered into the negotiations.
While the banks might put up a spirited defence, something has to give. You can perhaps see who’s given way, when I tell you that the individual concerned had the money returned to them, by and large, by the banks. Although I suspect that the negotiations haven’t yet concluded. Occasionally, individuals will now take action against their bank, for refusing to allow them to transfer money to a suspected scammer. The argument seems to be “it’s my money, and I have a perfect right to decide what to do with it”. Not disagreeing, but if I took out all my savings and put them on Dodgy Wobbler in the 4:30 at Kempton Park, I might feel on dodgy ground myself, going back to the banks when it limped home twenty minutes behind the rest of the field.
Summary
This is a complicated situation. Although perhaps less complicated than this post.
Cybercrime will always be with us. Each of the parties involved in the discussion on what to do about it holds their own view on what constitutes an acceptable level of cybercrime, what the nature of cybercrime should be, and perhaps more importantly, who the victim should be.
This is a discussion, not a calculation. It’s entirely possible that you can’t calculate a sensible ROI, precisely because each stakeholder has a different view of the benefits they’re expecting. And to be perfectly up front about it, the idea that security is socially constructed isn’t exactly new.
If you’re looking to establish some form of ROI, you need to look at this problem from the other end of the telescope. Or “skeletope”, as my eldest grandson would say. You need to think “what do we think security looks like, and could we achieve the same position more cheaply than at present?”. That is, you need to adopt a demand driven model rather than a sales driven one. And you need to start by looking at “what do we want to get from this”.
This is not spreadsheet territory. It’s very much a social issue, with the interested parties having significantly different agendas.
Coda
As things stand, the discussion on cyber is dominated by one party that tells everyone else that cyber is about compliance. Mostly that’s compliance against technically based standards set, managed and owned by that party. So the imposed view on all engaged parties is that security is achieved through compliance. No need for a business case, compliance is all you need.
If you as a customer want to depart from that position, then you either have to introduce a new party to the discussion that holds a different viewpoint, or you need to change your position on what security looks like to you. Maybe ask for less compliance, and more effectiveness.
If you’re a Government body, you’re in a difficult position. A growing, healthy cyber industry is great. But at the same time, you want some degree of actual protection. That is a circle that you are going to have to square. Personally I would suggest that doing so is likely to involve aligning yourself slightly less strongly with the industry position. Just a thought.
Selected Sources
- HOSAC. Understanding the Costs of Cyber Crime. Available from: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/674046/understanding-costs-of-cyber-crime-horr96.pdf
- Sales, N.A., Regulating cyber-security. Nw. UL Rev., 2012. 107: p. 1503.
- Herley, C., Security, cybercrime, and scale. Communications of the ACM, 2014. 57(9): p. 64-71.
- Combating Ransomware: A Comprehensive Framework for Action. Available from: https://securityandtechnology.org/ransomwaretaskforce/
- Marsh. 2019 Global Cyber Risk Perception Survey. Available from: https://www.microsoft.com/security/blog/wp-content/uploads/2019/09/Marsh-Microsoft-2019-Global-Cyber-Risk-Perception-Survey.pdf
- Schneier, B. Schneier on Security: Security ROI. Available from: https://www.schneier.com/blog/archives/2008/09/security_roi_1.html
- HMG. Post-Implementation Review of the Network and Information Systems Regulations 2018. Available from: https://www.gov.uk/government/publications/review-of-the-network-and-information-systems-regulations
- Verendel, V. Quantified security is a weak hypothesis: a critical survey of results and assumptions. Proceedings of the 2009 workshop on New security paradigms workshop.
- Adams, J., Risk Management: It’s Not Rocket Science… It’s Much More Complicated. Risk Management, 2007. 54(5): p. 36.
- UKFinance. Fraud the Facts 2019: The Definitive Overview of Payment Industry Fraud. Available from: https://www.ukfinance.org.uk/system/files/Fraud%20The%20Facts%202019%20-%20FINAL%20ONLINE.pdf
- BBC. Romance fraud: ‘I wish I hadn’t given £300k to a man I met online’. Available from: https://www.bbc.co.uk/news/newsbeat-59135689
- BBC. Banks ‘too often blaming customers’ for fraud. Available from: https://www.bbc.co.uk/news/business-55286037
- Byers, D. Banks failing to protect people from scams, say regulators. Available from: https://www.thetimes.co.uk/article/banks-failing-to-protect-people-from-scams-say-regulators-bqjcwszp6
- Jones, R. MPs urge compulsory refunds for victims of bank transfer fraud. Available from: https://www.theguardian.com/business/2019/nov/01/mps-urge-compulsory-refunds-for-victims-of-bank-transfer
- Brennan, H. Banks forced to refund fraud victims. Available from: https://www.telegraph.co.uk/personal-banking/current-accounts/banks-forced-refund-fraud-victims/
- Penningtons. Philipp v Barclays Bank – Supreme Court judgment finds payment service providers are not liable to reimburse victims of ‘APP’ fraud. Available from: https://www.penningtonslaw.com/news-publications/latest-news/2023/philipp-v-barclays-bank-supreme-court-judgment-finds-payment-service-providers-are-not-liable-to-reimburse-victims-of-app-fraud
- Vanderpump. Authorised Push Payment Frauds – Bank Succeeds in Supreme Court Test. Available from: https://www.vanderpumpandsykes.co.uk/site/library/legalnews/authorised_push_payment_frauds_bank_succeeds_supreme_court.html
- Humphreys, L., Reframing social groups, closure, and stabilization in the social construction of technology. Social Epistemology, 2005. 19(2-3): p. 231-253.
- BBC. Banks to put four-day hold on suspicious payments. Available from: https://www.bbc.co.uk/news/articles/cn7yel28rx6o
- The Guardian. ‘He spent thousands’: how a bank team tries to rescue scam victims. Available from: https://www.theguardian.com/money/2025/feb/01/bank-team-scam-victims-fraud
First published 20th February 2025
Edited 24th February 2025