E-security costs versus e-crime

"E-crime is the biggest emerging threat to the retail security as the rapid growth in e-commerce in the UK sees new ways of shopping being accompanied by new types of crime ... the British Retail Consortium ... estimates the total cost to retailers in 2011 - 12 was at least £205.4 million. That includes £77.3 million in losses from frauds themelves as well as prevention costs and legitimate business lost as a result of those measures ... " Look at the headlines from the first BRC e-crime study. But then read the press release and  download the report . "Estimated losses in revenue experienced as a result of legitimate business being rejected through on-line fraud prevention measures came to £111.6 million in 2011-12." That is more than half the total cost and puts some of the e-crime data, at long last, into perspective. Another finding was that e-crime cost double the percentage of on-line turnover (0.75% out of £28 billion) as it did of overall turnover (0.36% out of £303 billion). Given that on-line margins are commonly much tighter that is serious. But the doubling of cost appears to be mainly due to the effect of intrusive on-line security rejecting attempted sales. [I know the feeling ... I have walked away from at least as many sites as I have shopped at]. Computer Key BoardYesterday I submitted a submission to the Home Affairs Select Committee Enquiry into e-Crime. A key message was that we still have no better idea of what is "really" happening than we had at the start of Eurim-IPPR study.  All of the 50 or recommendations from that study had consensus support. Most appear somewhere in the action plans to implement the current UK strategies for Cybersecurity and "Fighting Fraud Together". But few have yet been prioritised and resourced, let alone implemented. In my submission I contrasted the claims of £27 billion of "losses" in the Detica "report" for Cabinet Office  with the demolition job by Ross Anderson and others. The latter compared criminal earnings in the $millions with security spend in the $billions. In the BRC report the biggest "cost" is, however, the abandoned transactions. You should also read the BRC recommendations, including those in their paper on Future Challenges and compare these with those in other reports. The BRC recommendations are a polite way of saying that we need to make sense of the dozens of competing initiatives being organised by those (in government and law enforcement as well as professional bodies, trade associations and clubs of vendors and consultants) who can spot potential bandwagon customers from the far side of a mix of jungle and swamp. Yesterday, before submitting my evidence to the Select Committee, I discussed ways forward with the new industry chairman of the Digital Policy Alliance (which is taking over the work I organised when I was Secretary General of EURIM). I have passed him my files and he is arranging for an intern to use these to expand a recent whiteboarding exercise (organised as part of the planning for the DPA programme) into a full "map" of the various initiatives. The idea is to arrange an "audit" to identify which are of interest to industry players who are serious about protecting themselves and their customers - as opposed to building regulatory, compliance or other empires or selling yet more security snake-oil. On 10th September there is due to be a joint meeting of PICTFOR and the DPA to receive a presentation of a recent survey of the views of the Information Assurance Community on what is currently happening. Hopefully things are now in train for a series of announcements, beginning on 17th September, covering industry-led exercises that will start the process of draining the swamp so that business gets much better value from its spend on security, whether that spend is direct or out of the taxpayers money being spend by lae enforcement and central government. I will blog on some of the initiatives over the next few days, after we have sent invitations to the EURIM/DPA members who will have priority at the launch events. As yet DPA membership remains that same as for EURIM, including the "try before you buy" routine for an individual membership  which can be credited against a corporate upgrade.