I would note that one of the many things that annoyed me about the take-down companies (you know who you are, b@stards!) was that they would count a site / URI as down (and to be paid for) as soon as they couldn’t access it (often because of connectivity issues as it was swamped by the duped – in the days before botnet hosting) and then count it again and again as it popped in and out of reach.

Money lost, money moved, money at risk were all also measured and were important for understanding the actual risk the bank faced. But the bank’s metrics, important as they are for taking security decisions shouldn’t be the same as society’s metrics (crimes, in this case), which reflect a necessarily different view of what is important.

On the point in your conclusion – it is “2 + multiple” crimes – 1 x TWOC and (1 + multiple) criminal damage. But don’t worry, he’ll get a conditional discharge or a community service order. Which, unfortunately, is more than the phishing fraud gang are likely to receive

On crimes – I’d make that between 112 and 150 (I would count each fraudulent credit card payment and each unauthorised transfer as 1 x theft), but we never considered or relied on any numerical correlation (never mind equality) between “security incident” and actual criminality.

BTW – can I take issue with your “now with impeccable grammar“? For anecdote, as opposed to evidence, may I submit the most recent phish from my spam bin?:

Abbey National has changed the Online System Security in the last two days and your account was deactivated for security reasons. We suggest you check your balance
as soon possible, Just in case your savings was affected
please contact us:

Mind you, I think there probably is one, I’m just hoping for more evidence than intuition

And, totally agree on why this is an issue, and why tracking consumer confidence is critically important.

If the measurement increases then you should be looking for more policing, better security mechanisms, more investment in back-office control systems.

If the measurement decreases then you may be over-investing in preventative measures and looking for ways to make things simpler for customers, with less hoop-jumping when they want to do something unusual with their money.

If phishing measurements decrease but bank losses continue to grow, then you have a key logging problem! and work is needed on countermeasures for that.

It [..] doesn’t really tell us anything about how much we should spend stopping it, what the total economic damage it, etc.

The real danger for the banks is that people will lose confidence in online banking. That’s potentiall disastrous — they’d need to repurchase all the trendy wine bars and refill them with all the staff they’ve been downsizing. Serious money, whereas phishing losses are still down in the noise.

What is that number useful for, and what does it help you drive? It tells us a little about the total volume of these scams reaching end-users, but doesn’t really tell us anything about how much we should spend stopping it, what the total economic damage it, etc.