
Running the numbers: The fine art of calculating cybercrime costs
How much does cybercrime cost? What are the average costs associated with a single attack? And what is the cumulative annual cost of cybercrime?
You don’t have to do much reading up on cybercrime statistics to get a pretty wide range of answers to those questions. So, it’s natural to wonder how those numbers get calculated. And I’m sure it won’t surprise you to know that there really is not a standardized way of doing that.
What there is, however — and I hope I’m not exposing any industry secrets here — is an incentive for cybersecurity vendors to use the highest estimates they can find or generate in their communications. Saying “a ransomware attack could cost your company tens of thousands of dollars” doesn’t have quite the same sales oomph as “the average cost of a ransomware attack last year was five million dollars!”
So, it’s sensible to take these fast-growing estimates with a grain of salt and some critical thinking — especially when they come in the form of predictions about future costs.
What counts as cybercrime cost?
Clearly, it’s important to cast a wide net when estimating the costs of cybercrime. As reported in Cybercrime Magazine:
“Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, reputational harm, legal costs, and potentially, regulatory fines, plus other factors,” said Steve Morgan, founder of Cybersecurity Ventures.
That’s a pretty long list, and the fact that it ends with “plus other factors” leaves me, at least, a little skeptical of the numbers that emerge.
In the same May 2025 article, it is predicted that the global cost of cybercrime for that year will amount to $10.5 trillion — a dramatic rise from their 2020 estimate of $1 trillion. But looking ahead to 2031, the magazine predicts that number will rise to just $12.2 trillion, based on a steady increase of 2.5% per year. That assumption is based on the idea that the cybercrime economy is getting so big and so profitable that its growth rate, which in the past has increased steadily, will plateau soon if it hasn’t already.
Direct vs. indirect costs
ITPro reported in the same month of May 2025 on a study that found cybercrime costs in the UK amounted to “£64 billion a year in ransom payments, staff overtime, lost business, and other associated costs.”
The study distinguished between direct and indirect costs. Direct costs were identified as extra staff time spent dealing with attacks, along with “ransom payments, stolen or lost funds, legal and regulatory costs, disruption to operations, and the cost of bringing in third-party expertise along with higher cyber insurance premiums.” This amounted, in the study’s reckoning, to £37.3 billion.
Indirect costs, however, were found to be very significant as well, reaching £26.7 billion. And the largest category of indirect cost was reported to be increased cybersecurity budgets following attacks. “Other indirect costs included loss of clients, the cost of redirecting resources to incident response, and a loss of competitive advantage due to the theft of corporate intellectual property.”
Casting doubt
Yet another May 2025 report, this one produced by the Atlantic Council, is a very detailed attempt to explain, define and address two significant problems with cybersecurity metrics overall. According to the authors, these problems leave no way to usefully understand the effectiveness of government and other policies to address cybercrime.
“This report identifies two core problems holding back progress: first, the unknown state of the system, meaning policymakers cannot empirically describe how secure or insecure the digital landscape currently is; and second, unmeasured policy efficacy, which prevents policymakers from comparing which interventions are most effective at improving security and reducing harm. The result is a policymaking environment heavily reliant on intuition, anecdote, incomplete data, and proxy measures — all unsustainable for a domain with such systemic and escalating risks and so much security investment.”
“Counting the costs: A cybersecurity metrics framework for policy”, The Atlantic Council
This lengthy report makes a very strong case that the metrics currently in use are not up to the task, and it proposes significant high-level changes in the way that such metrics are conceptualized. The net effect for this reader is, again, to inspire considerable skepticism about cost estimates around cybersecurity.
What to make of it all
So, what’s the bottom line? First, regardless of the actual numbers, there is no doubt that cybercrime imposes massive costs on the world’s economy, and that those costs are rising.
For governments and intergovernmental organizations, that alone is not very helpful in developing policies and measuring their effectiveness. But for individual businesses, the conclusion is pretty simple: Making smart, targeted investments in cybersecurity and cyber insurance is critical to the extent that it actually reduces that organization’s exposure to the risk of costly attacks.
Do you need accurate numbers, whether for average individual costs or global costs, to make those investments properly? I don’t think you do. What you do need is an accurate assessment of your own vulnerabilities, based on trending attacks and expanding attack surfaces. And you need a cybersecurity partner that can help you make that assessment and deliver solutions and strategies that target your specific areas of greatest risk.
And that’s exactly what Barracuda does, every day, with organizations of all sizes, all around the world.
