From news articles to discussions at industry events, numerous examples demonstrate the far-reaching effects of cybercrime on businesses, infrastructure, and national security. Malicious actors continue to advance their tactics, with attacks becoming more complex and targeted. It comes as no surprise that professionals worldwide are growing increasingly concerned. According to the Global Cybersecurity Outlook 2023 report published by the World Economic Forum, 91% of business executives and cybersecurity leaders believe that a far-reaching, catastrophic cyber event is at least somewhat likely to occur in the next two years.

Although many statistics and estimates related to cybercrime and cybersecurity exist, isolated figures only provide us with one piece of the puzzle when it comes to understanding cybercrime's broad impact on society. To stay ahead of threat actors and disrupt criminal operations, we need a better understanding of the overall situation, and specifically tied to quantifying cybercrime.

The Value in Quantifying Cybercrime

We all want deeper insights into the business of the criminal operations that private and public cyber defenders are fighting. An initial challenge is that there needs to be a baseline to measure our progress and the impact of activities we're pursuing to combat the problem. For example, we should be able to answer questions like, "Are cybersecurity vendors and solutions effective?" and "Are cybercriminal profits declining?" Data can help us better understand what efforts are and aren't working.

Another challenge in quantifying cybercrime is that not everyone needs the same data. Every organization uses the information gathered in different ways. For example, data on the average ransom amount being paid is helpful to insurance companies. Yet law enforcement groups are more interested in data about the recovery of funds, freezing of assets, infrastructure, and operational growth related to ransomware.

The State of Cybercrime Measurement Today

Although no single source will quantify every aspect of cybercrime, collecting unique and robust data from reliable sources is a significant step toward understanding the big picture. Stakeholders across the cybersecurity community need to establish common definitions and a standard way of reporting statistics. With key performance indicators (KPIs) and a common language regarding the standardization and normalization of data, it's possible to gain more insight into what's happening among cybercrime operations and how we can curb that activity.

A single, repeatable collection of statistics is vital to quantifying cybercrime. But is it practical? While it is possible, we need to be realistic about the challenges as an industry. What would it take to create a common language to discuss quantifying the value of steps taken to prevent cybercrime? How can we improve the reliability and accuracy of existing reports and statistics and ensure they're consistent with new taxonomies or metrics?

Several resources exist today that can serve as a starting point for this endeavor. Consider the following:

• Fortinet Global Threat Landscape Report is a twice-yearly view of significant cyber outbreaks with recommendations to help prepare and protect organizations from threats.
• IBM Cost of a Data Breach Report provides information on the financial and brand impacts of data breaches with information on the contributing factors to higher data breach costs, such as critical infrastructure vulnerabilities, security system complexity, and the cyber skills shortage.
• Verizon Data Breach Investigations Report showcases data and insights from confirmed breaches.
• FBI Internet Crime Complaint Center (IC3) Internet Crime Report offers insights based on cyber incidents submitted to the FBI.

Understanding How Cybercrime Operations Work Is a Crucial Next Step

While these reports undoubtedly offer valuable insights, the challenge with them is that they primarily focus on incidents that have already occurred. We have information about attacks and types of crimes, but measuring the direct business of cybercrime is significantly more complex.

The business of cybercrime includes, but is not limited to:

• Crime Services (CaaS) such as Ransomware-as-a-Service (RaaS), botnets for hire, and laundering services
• Revenue and profits, including the role of cryptocurrency in cybercrime
• Affiliate networks and commissions
• Overall business structures and extended business operations

Delving into the business operations of cybercriminals is a critical aspect of quantifying cybercrime. Everyone knows that RaaS exists, for example, but there are numerous active groups, many of which have sophisticated extended business structures with affiliate programs and commissions. We don't currently have sufficient tools available to quantify actual cybercrime versus risk, nor quantify the investment organizations must make to combat it.

Public-Private Collaboration Is Crucial

As we uncover more information about cybercriminal groups, we can get a picture of how their revenue streams work and how they profit. Aggregating the numbers and adding structure around measurement can offer more meaningful insights. Consolidating, validating, and aggregating statistics shows the operating costs, profits, and losses of various crime groups.

The Cybercrime Atlas is an excellent example of a group already working to offer that comprehensive, more extensive view of cybercrime operations. The initiative is working to map the global cybercrime ecosystem, illuminate differentiate groups, shared infrastructure, crypto addresses, and more in order to attribute, identify, and disrupt choke points in cybercriminal organizations.

Gaining the big picture of how cybercrime organizations work can also make disruption efforts far more effective. If we can create a playbook on what cybercriminals are doing, it becomes easier for public and private organizations to collaborate to halt cybercriminals' efforts effectively.

Next Steps Toward Quantifying Cybercrime

Quantifying cybercrime may seem daunting, but like any other significant project, it begins with groups rallying around an idea and breaking the process down into more manageable tasks. For example, the next steps could include cybersecurity stakeholders working together to create standardized methods for collecting and reporting data, followed by convening a small group of experts to narrow the project's scope and create an actionable plan.

Measuring cybercrime benefits everyone. Establishing a baseline allows us to understand the effectiveness of our collective efforts to fight cybercrime and adjust those initiatives to become even more impactful.