Report: Cyber crime may cost US up to $100 billion a year

"This is a very broad range and we hope that our future work can narrow it," the report says. "A starting point for a better estimate would be to reduce the reliance on anecdotes and surveys, and begin to compile and compare existing estimates, develop better data on value, and refine assumptions about loss."

Tom Gann, vice president of government relations at McAfee said CSIS researchers "settled on the range of $100 billion" because "that's the consensus number they felt the most comfortable with."
The report says it's difficult to come up with an estimate for the total amount the country loses each year to cyber theft. That's because intellectual property is tough to value, and companies either hide their losses or don't know the full scope of a security breach on its networks, according to CSIS.

In addition to this, the report argues that previous estimates have been based on surveys that yield "imprecise" results.

For example, the report says surveys that collect responses from a sample of companies about cyber theft are using a "dangerous methodology." Companies that have "concealed large losses" will likely not participate in the survey.

"Given the data collection problems, loss estimates are based on assumptions about scale and effect—change the assumption and you get very different results," the report reads. "These problems leave many estimates open to question."

McAfee had previously released a study that employed this survey methodology, which estimated that cyber crime and espionage had cost businesses $1 trillion globally. The report was based on research conducted by Purdue University, according to Gann.

"It was an honest effort to drive a valid number. I think what's important about this [CSIS] study is it really replaces that [earlier] study," Gann said. "We feel that this new approach has a heck of a lot more validity than that prior study."

For its methodology, CSIS used research on piracy, car crashes, the global drug trade and other analogies to get an idea of the scope of the problem of cyber crime.

"We use several analogies where costs have already been quantified to provide an idea of the scope of the problem, allowing us to set rough bounds—a ceiling and a floor—for the cost of malicious cyber activity, by comparing it to other kinds of crime and loss," the report says.