What's it all cost, really?
 
A reporter from the Wall Street Journal emailed me today, asking for some help. Her question: “Do you know where I could find the latest stats about hacking, say dollars lost per year, number of incidents, etc.? I know companies are having incidents all the time, but I’m not sure if there’s a researcher or an industry tracker that releases statistics on this sort of thing. [...]”
This particular reporter has really impressed me, so I was happy to oblige. As usual, I figured I’d only have to take a few moments to think about it. As usual, I was wrong, but no matter how I pondered it, this was the only answer I could give her (aside from “There you go asking the *hard* questions again.”):
My short answer is, honestly: Nowhere I personally trust or care about, mostly because I don't believe anyone has a clue within an order or two of magnitude. For comparison: to my mind, that question and the question of the global financial impact of human-driven climate change are of the same class. "It's really bad, getting worse, and could turn out to be truly horrible," is about all I am willing to corroborate professionally. We're all likely to disagree about the finer details. But I think we're all in total agreement on that level.
My longer answer is this:
There are lots of folks who are interested in that question, of course (which is why you are too). And so there are a whole lot of people trying to figure out a way to know the answer---or at least to convince others that they have figured it out. (The former, for reasons ranging from curiosity to desperation, and the latter for the oldest reasons in the history of civilization.)
One problem in accumulating and compiling an accurate answer is that every actor in the equation typically finds it in their own best interest to do their part to foil the effort. The victims, large and small, have little incentive to tell anyone, for reasons ranging from embarrassment and endangered job security to responsibility for protecting the shareholders' stock price. The attackers have little incentive to tell the truth about the successes of their activities (the good ones tell no one, and the bad ones brag and inflate).
Another, perhaps greater, problem is that most victims are unaware that they are victims (or at least unaware of the extent to which they've been compromised). There are myriad sprawling botnets made up of both LAN-connected corporate systems and DSL-connected home PCs whose owners are equally oblivious, and yet these are fueling the raging firestorm of identity theft and fraud. What is the annual cost of that problem? Can we ascertain it from the Payment Card Industry's (PCI) SEC filings? And what portion of *that* is due to hacking as opposed to corrupt waitresses and retail staff swiping numbers on the fly? Who can know?
For that matter, how many businesses---from startups to the Fortune 50---can really adequately detect compromises of any sort? How long was TJX compromised before they figured it out, and what was the "total cost of ownership" of that disaster? Is it sufficient to calculate the damage based on their short-term stock price sag, or will it cost more than that in more-or-less tangible ways, over a longer period? We'll have to wait for all the lawsuits to be settled to even begin to speculate. And so what businesses are bleeding internally even today without detection? Shall we use a cash- or accrual-basis for the accounting of these undetected, possibly catastrophic, losses? ;-)
So where does all that leave us? With my short answer, I think. Though I think it's sufficiently compelling for industry experts to say, in unison, "It's really bad, getting worse, and could turn out to be truly horrible." That should be enough for us as a society to try to become aware, and act. To mobilize as if it matters. And without hyperbole, I have to admit that I'm not sure which of the two problems worries me most with respect to my daughter's future.
/jonathan
Weblog Entry
Thursday, April 26, 2007
 
Entry Notes
Category: Hounded by the Press
Event: An excuse to procrastinate.
Weather: Sunny and 58 in Missoula
Other Details:
Her reply:
“Hmm… My first response was "There goes Jonathan ducking the *hard* questions again."”
See, this reporter is cool. She’s totally improved my opinion of the WSJ tech staff.