Channel: CyberCrime & Doing Time

Say $6 Trillion Again ... I DARE you: Examining the roots of a total BS Marketing Number

Would you like to see someone's head explode? 

Observe what happens when I'm researching a topic and I see a headline like this AVG story which claims "Ransomware is set to cause $6 trillion in damages by 2021."  Wow.  Makes you want to run right out and buy cybersecurity products, doesn't it?  Fear, Uncertainty, and Doubt, the marketing department's dream formula!

AVG's Marketing Department can't help themselves

You really can't fault the marketing folks at AVG though ... every cybersecurity marketing department is jumping on the bandwagon.  And when places like CISO Magazine share the number blindly with no examination of the facts, how can they be blamed?

How much is $6 Trillion?  That would be the GDP of Brazil, Italy, and France lost to cybercrime each year.  That would be the entire GDP of Japan lost to cybercrime each year. 

The source? Every time you see this preposterous number, it can be traced to a Cybersecurity Ventures report that was designed to scare people into spending more money on cybersecurity defenses.  I did an analysis of that report back in October 2017 and wanted to walk you through it here, gentle reader, so that you would have a place to point people who quote the Six Trillion Dollar Charlatan.  Here is where things started for me, when I saw this report:

The original $6 Trillion Charlatan


A reasonable approach to estimating the impact of Cybercrime might be to create various categories, suggest a reasonable maximum for each of them, and add them all together to create your estimate.  Is that the approach taken by Cybersecurity Ventures?  No. 

The entire report seems to hinge on a single blog post from Microsoft, entitled, "The Emerging Era of Cyber Defense and Cybercrime" published 27JAN2016.  The Cybersecurity Ventures article has a footnote listing this as their source for their $3 trillion base.  Their Editor-in-Chief, Steve Morgan, by the way, continues to misunderstand this number and use it in his fresh forecast.  In his 13NOV2020 prognostication, he now claims "Cybercrime to Cost the World $10.5 Trillion Annually by 2025" and STILL references the Microsoft blog in the highlighted link "$3 Trillion USD in 2015." 

https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

Continuing to presume that no one is going to notice this monumental misrepresentation, apparently Steve believes that people will see the link goes to Microsoft and assume that Microsoft says the cost of Cybercrime was $3 Trillion USD in 2015.  But that isn't what his source says at all!

What the Microsoft blog post by Pete Boden, General Manager of Cloud and Enterprise Security,  actually says is that "The World Economic Forum estimates the economic cost of cybercrime to be $3 trillion worldwide." 

But even that is a misstatement.  The World Economic Forum certainly doesn't believe that the cost of cybercrime is two orders of magnitude higher than any reasonable estimate.  What did they actually say?

The report is "Risk and responsibility in a Hyperconnected World" published by the World Economic Forum, in collaboration with McKinsey & Company.  

World Economic Forum / McKinsey Report
from mckinsey.com 

Here's what they actually say ... 

"Current trends could result in a backlash against digitization, with huge economic impact.  Major technology trends like massive analytics, cloud computing, and big data could create between US $9.6 trillion and US $21.6 trillion in value for the global economy.  If attacker sophistication outpaces defender capabilities -- resulting in more destructive attacks -- a wave of new regulations and corporate policies could slow innovation, with an aggregate economic impact of around US $3 trillion." - p.3 

Three things to note: 

1) the loss they are forecasting is A REDUCTION IN FUTURE ECONOMIC VALUE of certain technologies (analytics, cloud computing, big data) DUE TO A SLOW DOWN IN INNOVATION.

2) that loss would only come about IF THERE ARE NEW REGULATIONS IMPOSED that would stifle creativity in these areas.

3) The CUMULATIVE EFFECT between the time of the report (2014) and SIX YEARS LATER (2020) was said to have a potential of reaching $3 Trillion. 

So how on earth did Cybersecurity Ventures reach their number?

First, they clearly never read the World Economic Forum / McKinsey report, or they would certainly have been unable to say that the impact of Cybercrime had been $3 trillion in 2015.  Again, the $3 trillion was OVER THE COURSE OF SIX YEARS (or $500 Billion per year on the average) and ONLY IF REGULATORY CONDITIONS CHANGED DRAMATICALLY causing "unrealized potential economic value" to the tech industry.

But how did they get from $3 Trillion to $6 Trillion, even if they wrongly believed that the $3 Trillion was an annual number?  Simple.  The number of people on the Internet was predicted to double from 2015 to 2021.  If there are twice as many people, then there must be twice as much impact of cybercrime.  Right?  Wrong.

According to their report, the $6 Trillion in damages would consist of: 

  • Damage and destruction of data
  • Stolen money
  • Lost productivity
  • Theft of intellectual property
  • Theft of personal and financial data
  • Embezzlement
  • Fraud
  • Post-attack disruption
  • Forensic investigation
  • Restoration and deletion of hacked data
  • Reputation harm

But is that what the World Economic Forum said? ABSOLUTELY NOT!!!

Just to keep beating the point home - the WEF said that the FUTURE GROWTH of certain tech industries may be slowed by $3 Trillion between 2014 and 2020 IF AN ADVERSE REGULATORY ENVIRONMENT is created.

Ransomware Math 

Here's a little exercise to show that Cybersecurity Ventures doesn't even believe their own math.  On 21OCT2019, Steve Morgan's Cybercrime Magazine post was titled "Global Ransomware Damage Costs Predicted to Reach $20 Billion USD By 2021." And we've already seen that they say Cybercrime costs will be $6 Trillion by 2021. 

Here's a helpful pie chart to help illustrate that: 


Now if RANSOMWARE is the number one source of cybercrime damages, and ransomware is 0.33% of the total cost of cybercrime, what are the other 99.7% of the costs made of?  That's right.  Thin Air.

Please do me a favor? If you see someone quote the $6 Trillion Cost of Cybercrime, please send them a link to this story.  

Have you seen a source quoting the $6 Trillion Cost of Cybercrime?  Please share it in the comments below!







