Estimates of annual losses related to cyber crime and espionage vary widely due to a number of reasons, according to in interim report by a Washington, D.C.-based think tank and the network security firm McAfee, which attempts to establish an economic model for identifying cyber-related losses.

“As cybercrime increases and evolves over time, it’s hard to know precisely the impact it has on people’s wallets and the nation’s coffers,” said Tom Gann, vice president of Government Relations at McAfee in a blog post in advance of the release of the interim study yesterday. He said that McAfee has been looking at developing a “scientific way” to accurately measure losses associated with cyber theft.

The report breaks down malicious cyber activity into six components, beginning with the lost of intellectual property, and includes cyber crime, the loss of sensitive business information, opportunity costs, the costs of securing networks, and reputational damage, which manifests itself in terms of lower market valuations and or a blow to the brand name. The report said that intellectual property theft is the “most important area for loss,” but estimating these losses is difficult, it adds.

CSIS Logo

The range of cost estimates globally from cyber crime and espionage varied from a low of $6 billion and a high of $1 trillion, James Lewis, an expert on cyber security at the Center for Strategic and International Studies, said yesterday in a panel discussion to discuss the new study that he co-authored. “From an economist’s point of view you want a narrower range,” he said, adding that the goal of the effort is to be “more precise.”

The model being developed includes “tolerated costs,” which the study estimates at less than 1 percent of Gross Domestic Product as a ceiling. It bases this estimate using analogies from costs associated with other crimes and losses, such as car crashes, piracy, pilferage, and crime and drugs.

“Companies accept rates of ‘pilferage’ or ‘inventory shrinkage’ as part of the cost of doing business,” said the interim report, The Economic Impact of Cybercrime and Cyber Espionage.

Using the nearly 1 percent of GDP for estimated losses, that means in the United States the annual costs of cyber crime and espionage are about $100 billion on the high end, the study said. Lewis, in his introductory remarks, put the upper range in the United States at between $70 billion and $120 billion. But quantifying these costs is another matters, the report said.

“This question of the effect and consequences of the loss is more important than any actual number,” the report said. For example, if a company spends $1 billion in research on a product that fails in the market and the plans for the product were stolen, the loss is “zero,” it said.

“For some advanced technologies, there may be a lag of five to 10 years between the theft of the IP and when it appears as a competing product,” the report said. “This lag in the use of pilfered intellectual property complicates the estimation of loss from malicious cyber activity.” It added that how quickly stolen IP appears in competing products varies from sector to sector.

Quantifying the costs of the cyber theft of military technology also has its difficulties, the report said. Such theft may make a country less secure while also hurting export potential, it said.

“We cannot accurately assess the dollar value of the loss in military technology but we can say that cyber espionage shifts the terms of engagement in favor of foreign competitors,” the study said.

Job losses related to cyber theft can be “significant,” Lewis said, although the report said that understanding the impact on jobs needs more work. Citing Commerce Department estimates of jobs associated with exports–$1 billion in exports is nearly 5,100 jobs—the report said that that means $100 billion in losses due to cyber espionage equals more than 500,000 lost jobs.

However, the report noted that this number is likely not fully accurate as some workers would find other jobs. More important is if these workers have to settle for lower paying jobs or unemployment, it said.

Right now it is “open season for the bad guys,” Phyllis Schneck, vice president and chief technology officer for McAfee’s Global Public Sector, said during the panel discussion.

McAfee is a unit of Intel Corp. [INTC]. The final report will take a closer look at estimating the actual impacts of malicious cyber activity on trade, technology and competitiveness.