There are (at least) two different meanings of “costing” in large-scale economic impact thinking. The narrow meaning is “actual amount spent on this topic”. The more common (because it’s a bigger number) meaning is “how much bigger would the economy be in the counterfactual world that doesn’t have this feature”.
The article linked from Wikipedia says:
> The damage cost estimation is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation-state sponsored and organized crime gang hacking activities, and a cyberattack surface which will be an order of magnitude greater in 2025 than it is today.
>
> Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, reputational harm, legal costs, and potentially, regulatory fines.
Which puts it in the second category—most of these costs are NOT direct expenses, but indirect and foregone value. That doesn’t make it wrong, exactly, just not comparable to “real” measures (which GDP and GPP aren’t either, but they’re more defensible).
It’s extremely unclear whether LLM adoption and increasing capabilities will shift the equilibrium between attack and defense on these fronts. Actually, it’s almost certain that it will shift it, but it’s uncertain how much and in what direction, on what timeframes.
It’s further unclear whether legislation can slow the attacks more than it hinders defense.
Mostly, it’s not a useful estimate or model for reasoning about decisions.