Let's Build a Responsible Cyber Society




Norton Cyber Crime Report 2011

Symantec is a global leader in information security products and its Norton series of products such as the Norton-Anti Virus are well known in the market.

As a part of its continuing research activity in studying the global malware scenario, Norton has been trying to develop a financial estimate of the losses arising out of Cyber Crimes.

Corporate Managers have been obsessed with the concept of "ROI" when it comes to purchase of security products and in the absence of a reliable estimate of the financial value of the Cyber Crime Risk, there is an uncertainty which corporate managers find it difficult to resolve.

Naavi has also been advocating the introduction of Cyber Crime Insurance as a product for Companies and individuals so that the risks can be hedged against. But again the lack of data on Cyber crimes has been an issue with the insurers.

In India when it comes to statistics on Cyber Crimes, there is very little published data. While NCRB does come out with data in complaints filed in various police stations this is neither uptodate nor reliable. For example, the latest information available is for the year 2009 and it records a total of 420 complaints.

On the other hand it is well known that in cities like Bangalore or Coimbatore alone more than 1500 cyber crime complaints are filed each year. The flow of e-mail/telephonic queries that Naavi receives on various phishing and other frauds indicate that the actual incidence of Cyber Crimes is far more than what NCRB reports.

In this context, the  annual report on Cyber Crimes released by Norton is an interesting study material for all Cyber Crime watchers.

According to the report, globally 19,636 persons were interviewed for this report in 24 different countries including India. The findings have been extrapolated to arrive at a conclusion that there are about 1 million cyber crimes occurring every day across the globe. The survey has tried to find out the percentage of affected persons and the average loss suffered by them which has then been extrapolated to the total population. As of now the detailed report is not available and hence it is difficult to understand if the methodology is good enough and sample size adequate.

The total number of victims were estimated at 431 million of which 29.9 million were in India.

In India it is estimated that 80% of online adults have been victims in the last year. (Estimated Netizen population is therefore 37 million). The victim hood percentage is higher in India than the global figure which was 69%.

The direct financial cost is estimated at US $114 billion globally while it is US $ 4 billion in India. (Rs 34110 crores) The survey also estimates an indirect cost in terms of time and efforts for recovery which is placed at US$274 billion globally and US $ 3.6 billion in India.

It is interesting to note that in India the indirect costs are less than the direct costs where as the global scenario is different. This may be the result of victims not pursuing the recovery.

Out of the total number of crimes, viruses accounted for 60% in India and 54% globally, online scams accounted for 20% in India and 11% globally and Phishing accounted for 19% in India and 10% globally.

As per this study the phishing loss estimate in India in the year 2011 should therefore be 19% of Rs 34,110 crores or Rs 6500 crores.

It is now the turn of RBI to check if this tallies with the frauds reported by Banks through the FMR reports.

The report also suggests that 17% of the Crime relate to mobiles. This is quite alarming considering that the use of Mobiles for financial transactions is expected to grow exponentially in the coming years and hence the losses on mobile crimes are also likely to increase.

The findings of the report need to be further corroborated and validated since this survey could be more inclined towards malware based cyber crimes. If we define Cyber Crimes as "Offences under ITA 2008", the number of crimes are likely to be even higher. Many of the ITA 2008 crimes may be non financial but they do affect the "indirect costs" which will be significantly higher than what has been estimated in the report. In the details publicized it is not clear if the report pertains only to individual crimes and does not include losses that can be ascribed to corporate data losses. Since there are some previous studies on corporate sector it may be possible to combine the two surveys and arrive at a better estimate of the total losses. This may however require both surveys to be done in a similar period and eliminate overlapping since some of the individual losses are transferred to companies. The sample size in India is not known at present but it cannot be higher than around 600.

Despite some of the reservations expressed above, the efforts of Norton to bring out a survey of this kind is highly appreciated since for the first time some financial cost estimates are being tagged to the crime report. Hopefully this will set the benchmark for other studies to be carried out in this area on a higher sample size.

[More information has been sought from Norton on the study and if made available more information will be made available here.. Naavi]



Sept 10, 2011

 Comments are Welcome at naavi@vsnl.com