Symantec is a global leader in information security
products, and its Norton series of products, such as Norton AntiVirus,
is well known in the market.
As a part of its continuing research activity in
studying the global malware scenario, Norton has been trying to develop
a financial estimate of the losses arising out of Cyber Crimes.
Corporate Managers have been obsessed with the
concept of "ROI" when it comes to the purchase of security products. In
the absence of a reliable estimate of the financial value of the Cyber
Crime Risk, there is an uncertainty which corporate managers find
difficult to resolve.
Naavi has also been advocating the introduction of
Cyber Crime Insurance as a product for Companies and individuals so that
the risks can be hedged against. But again the lack of data on Cyber
crimes has been an issue with the insurers.
In India, when it comes to statistics on Cyber Crimes,
there is very little published data. While NCRB does come out with data
on complaints filed in various police stations, this is neither up to date
nor reliable. For example, the latest information available is for the
year 2009 and it records a total of 420 complaints.
On the other hand, it is well known that in cities
like Bangalore or Coimbatore alone more than 1500 cyber crime complaints
are filed each year. The flow of e-mail/telephonic queries that Naavi
receives on various phishing and other frauds indicates that the actual
incidence of Cyber Crimes is far more than what NCRB reports.
In this context, the annual report on Cyber
Crimes released by Norton is interesting study material for all Cyber
Crime watchers.
According to the report, globally 19,636 persons were
interviewed for this report in 24 different countries including India.
The findings have been extrapolated to arrive at a conclusion that there
are about 1 million cyber crimes occurring every day across the globe.
The survey has tried to find out the percentage of affected persons and
the average loss suffered by them which has then been extrapolated to
the total population. As of now the detailed report is not available and
hence it is difficult to understand if the methodology is good enough
and sample size adequate.
The total number of victims was estimated at 431
million, of which 29.9 million were in India.
In India it is estimated that 80% of online adults
have been victims in the last year. (Estimated Netizen population is
therefore 37 million). The victimhood percentage is higher in India
than the global figure, which was 69%.
The direct financial cost is estimated at US$114
billion globally while it is US$4 billion in India (Rs 34,110 crores).
The survey also estimates an indirect cost in terms of time and effort
for recovery, which is placed at US$274 billion globally and US$3.6
billion in India.
It is interesting to note that in India the indirect
costs are less than the direct costs, whereas the global scenario is
different. This may be the result of victims not pursuing the recovery.
Out of the total number of crimes, viruses accounted
for 60% in India and 54% globally, online scams accounted for 20% in
India and 11% globally and Phishing accounted for 19% in India and 10%
globally.
As per this study the phishing loss estimate in
India in the year 2011 should therefore be 19% of Rs 34,110 crores or Rs
6500 crores.
It is now the turn of RBI to check if this tallies
with the frauds reported by Banks through the FMR reports.
The report also suggests that 17% of the crimes relate
to mobiles. This is quite alarming considering that the use of mobiles
for financial transactions is expected to grow exponentially in the
coming years and hence the losses on mobile crimes are also likely to
increase.
The findings of the report need to be further
corroborated and validated since this survey could be more inclined
towards malware based cyber crimes. If we define Cyber Crimes as
"Offences under ITA 2008", the number of crimes is likely to be even
higher. Many of the ITA 2008 crimes may be non financial but they do
affect the "indirect costs", which will be significantly higher than what
has been estimated in the report. In the details publicized it is not
clear if the report pertains only to individual crimes and does not
include losses that can be ascribed to corporate data losses. Since
there are some previous studies on the corporate sector, it may be possible
to combine the two surveys and arrive at a better estimate of the total
losses. This may however require both surveys to be done in a similar
period and overlaps to be eliminated, since some of the individual losses are
transferred to companies. The sample size in India is not known at
present but it cannot be higher than around 600.
Despite some of the reservations expressed above, the
effort of Norton to bring out a survey of this kind is highly
appreciated, since for the first time some financial cost estimates are
being tagged to the crime report. Hopefully this will set the benchmark
for other studies to be carried out in this area on a larger sample
size.
[More information has been sought from Norton on the
study and, if provided, will be made available
here. Naavi]
Naavi
Sept 10, 2011