In a recent editorial in the New York Times, Dinei Florêncio and Cormac Herley point out that cybercrime probably isn't as lucrative as the security industry makes it out to be. Apparently the companies doing the surveys either don't know what they're doing or are deliberately trying to make the numbers sound bigger than they really are (probably both). The surveys used to estimate the cost of cybercrime have massive upward biases, and because the estimates are extrapolated from a small sample, even a few outlier responses can result in phantom billions of dollars in losses.
They're probably right.
But that doesn't mean companies are wasting their money on mitigations and countermeasures. The cost of cybercrime isn't just what's directly stolen, but also the cost of cleaning up the mess left behind: incident response, remediation, notifying customers, and brand damage that is hard to recover from and hard to quantify.
The bigger picture is that cybercrime is only one of the reasons to care about security. Security is not only about keeping the bad guys out. It's also about enabling trust for everyone else. If people don't trust a service to be secure, fewer of them will use it to conduct transactions or share private information. It's easy to take that trust for granted when everything is going well, but it's hard to regain once it's lost. That's the fundamental business value of security, and it's why poorly designed surveys on the cost of cybercrime are not only unnecessary but also ironic: an industry whose product is trust shouldn't be inflating its own numbers.