Activity: Identifying and Evaluating the Impact of Cybercrime

The purpose of this activity is to identify and evaluate the impacts of cybercrime within a specific context, such as a country, industry sector, or another area of interest. The objective is to understand the reported impacts or losses caused by a cybercrime incident, analyze how these impacts were estimated, and critically assess the methodologies used for these estimations.

Step-by-Step Breakdown

1. Select a Cybercrime Incident

• Criteria: Choose a cybercrime that has occurred within your country, within an industry sector, or within another area of interest. For instance, if your focus is on your home country, you might look at a major cybercrime incident that had a significant impact on your country’s economy or societal structure.
• Example: Suppose you are from India. One notable cybercrime incident is the 2016 Union Bank of India cyber heist, where hackers attempted to fraudulently transfer $171 million from the bank.

2. Investigate the Incident

• Research: Gather comprehensive details about the incident. This includes how the cybercrime was executed, the entities involved, and the immediate and long-term consequences.
• Example: In the Union Bank of India case, hackers gained unauthorized access to the bank’s SWIFT systems and attempted to initiate fraudulent transfers to accounts in other countries. The bank was able to recover most of the funds, but not without significant reputational damage.

3. Identify the Impacts

• Monetary Impacts: Calculate the financial losses resulting from the cybercrime. This might include direct financial loss, costs of remediation, legal fees, and lost revenue.
  • Example: The initial amount involved in the Union Bank heist was $171 million. Although most of it was recovered, the bank still faced losses due to operational disruption and costs associated with investigation and legal actions.
• Societal Impacts: Assess the broader societal consequences, such as loss of public trust, changes in consumer behavior, or impacts on national security.
  • Example: The societal impact in this case included a loss of trust in the banking system, leading to increased scrutiny and stricter regulatory measures on financial institutions in India.
• Operational Impacts: Consider the impact on business operations, including downtime, loss of productivity, and long-term damage to the organization’s reputation.
  • Example: The Union Bank of India had to enhance its cybersecurity infrastructure, which may have led to operational disruptions and additional costs.

4. Estimate the Impacts

• Estimation Methods: Investigate how the financial and societal impacts were calculated. Look at whether the calculations were based on direct costs (e.g., stolen funds, fines) or if they also included indirect costs (e.g., reputational damage, increased future security costs).
• Example: In the Union Bank case, the financial impact was initially estimated based on the amount stolen ($171 million), with additional calculations for recovery costs, legal fees, and system upgrades. The reputational impact was harder to quantify but could be inferred from the bank’s stock performance and changes in customer behavior.

5. Critical Analysis

• Points of Consideration:
  • Accuracy of Estimates: Were all potential costs considered, or might some have been overlooked? For instance, was there an attempt to quantify the long-term loss of customer trust or the cost of enhanced cybersecurity measures?
  • Biases: Could there be any biases in the reported impacts? For example, organizations might underreport losses to protect their reputation.
  • Methodology: Was the methodology for estimating the impacts transparent and based on sound principles? Consider whether the estimations were done by independent third parties or by the affected organization itself.
• Skepticism: It is important to remain skeptical about the reported figures. The estimates could be inflated to justify higher security budgets or downplayed to minimize reputational damage.

6. Document Your Findings

• Study Journal Entry:
  • Title: Cybercrime Impact Evaluation: The 2016 Union Bank of India Heist
  • Details:
    • Incident Overview: Summary of the cybercrime incident, including how it was carried out and its immediate effects.
    • Impacts Identified: Breakdown of the monetary, societal, and operational impacts.
    • Estimation Methodologies: Analysis of how the impacts were estimated, including any potential flaws or biases in these methodologies.
    • Critical Reflections: Your thoughts on the accuracy and reliability of the reported impacts, including any skepticism about the figures presented.

Book Reference:

For further reading on the methodologies and theories behind estimating the impacts of cybercrime, consider the following book:

• Title: Cybersecurity and Cyberwar: What Everyone Needs to Know
• Author: P.W. Singer and Allan Friedman
• Publisher: Oxford University Press
• Publication Year: 2014
• ISBN: 978-0199918096

This book provides an accessible overview of key concepts in cybersecurity, including how the impacts of cyber incidents are measured and assessed. It offers a broader context that will be useful for understanding the complexities involved in evaluating the true cost of cybercrime.