(must have spent it on insecure software...)
Dark Reading: Insecure Software Costs US $180B per Year, according to David Rice in his book, Geekonomics. [Me: I wonder how he came up with that?]
Here's the nut graph from the Dark Reading article:
He estimates that the actual cost of insecure software to the U.S. is at least $180 billion per year, although he acknowledges that such numbers are "soft." He based his estimates on other numbers -- including a recent General Accounting Office report that says the U.S. cybercrime market is around $117 billion -- as well as other reports, such as estimates of worldwide phishing operations of $350 billion per year.
Here's the pertinent part of his book (p. 37):
In the case of software, the National Institute of Standards and Technology (NIST) [estimated] the cost of inadequate software testing cost the United States roughly $60 billion, which is just under 1% of GDP. This cost does not account for other social costs associated with software usage such as cyber crime and related identity theft, however. A 2007 report by the Government Account [sic] Office (GAO) estimated cyber crime costs the U.S. economy approximately $117 billion a year.
Given that $117 billion plus $60 billion is $177 billion, which rounds to the $180 billion headline figure, I am going to assume these are the sources the DR article (and other parts of the book) reference:
- The NIST study from 2002 (NIST Planning Report 02-3), which was actually done under contract by RTI: The Economic Impacts of Inadequate Infrastructure for Software Testing.
- The $117 billion estimate, which actually comes from an article written about the GAO report in E-Commerce Times: Cybercrime Costs US Economy at Least $117B Each Year. The GAO report itself (GAO-07-705) is available as well: Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats.
Though I've been known to employ my own back-of-the-envelope estimates on occasion, I have a number of reservations about the approach employed by Geekonomics:
- The RTI study was based on surveys and interviews of software developers and users, and it counted the cost of all software faults, not just security-related ones. In addition, the study's own estimate was a range: from a "feasible" $22.2 billion (the portion it judged avoidable with better testing infrastructure) up to $59.5 billion, the figure the book rounds to $60 billion.
- The GAO report is all secondary research; it simply aggregates information from other studies. The $117 billion amount was derived by totaling 3 of the reports it identified. The largest single source of the $117 billion ($67.2 billion) was the 2005 FBI Computer Crime Survey. That survey includes, for example, losses associated with laptop/PDA theft that were not caused by "insecure" software. Summing three surveys with different scopes and respondent populations also risks counting the same losses more than once.
- The second-largest report cited by the GAO is an identity theft report that puts losses at $49.3 billion. Unfortunately, the full report costs $2,500, so I could only work with press accounts of it. In any case, attributing identity theft of all types to insecure software is a huge leap. In at least one account (the "consumer version"), only 2% of the incidents are Internet-related.
- By the way, I believe all of these numbers (certainly most of them) are for the U.S. only.
I don't know whether this number is too high or too low, but I do know that this estimate doesn't get us any closer to knowing the true cost of insecure software.