Sunday, April 15, 2012

The Cybercrime Wave That Wasn’t

via The New York Times...
In less than 15 years, cybercrime has moved from obscurity to the spotlight of consumer, corporate and national security concerns. Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved; annual loss estimates range from billions to nearly $1 trillion...

Yet in terms of economics, there’s something very wrong with this picture...

...in numeric surveys, errors are almost always upward: since the amounts of estimated losses must be positive, there’s no limit on the upside, but zero is a hard limit on the downside. As a consequence, respondent errors — or outright lies — cannot be canceled out. Even worse, errors get amplified when researchers scale between the survey group and the overall population...

The cybercrime surveys we have examined exhibit exactly this pattern of enormous, unverified outliers dominating the data. In some, 90 percent of the estimate appears to come from the answers of one or two individuals. In a 2006 survey of identity theft by the Federal Trade Commission, two respondents gave answers that would have added $37 billion to the estimate, dwarfing that of all other respondents combined...

Among dozens of surveys, from security vendors, industry analysts and government agencies, we have not found one that appears free of this upward bias. As a result, we have very little idea of the size of cybercrime losses. (more)

Thus proving once again, fear-mongering is profitable.

• Keep a cool head. 
• View the risk holistically. 

Your valuable information was/is available elsewhere, before it is ever entered into a computer.

• Balance your security budgets appropriately. 

Information risk management isn't solely an IT issue... no matter what the IT security vendors and other vested interests tell you. ~Kevin
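The quoted article's point about unverified outliers and scaling can be checked with a few lines of arithmetic. The following is an added example, not part of the original post or the article: the sample, the population size of 200 million and all function names are constructed for illustration and are not data from any real survey.

```python
"""Constructed illustration: how one or two unverified answers dominate a
survey-based loss estimate once it is scaled up to the whole population."""


def extrapolate(responses, population):
    """Scale the sample mean to the population (the usual survey method)."""
    return sum(responses) / len(responses) * population


def contribution(answer, sample_size, population):
    """Dollars a single respondent's answer adds to the scaled estimate."""
    return answer * population / sample_size


def top_k_share(responses, k):
    """Fraction of the estimate that comes from the k largest answers."""
    total = sum(responses)
    return sum(sorted(responses, reverse=True)[:k]) / total if total else 0.0


def leave_top_k_out(responses, population, k):
    """Sensitivity check: the estimate with the k largest answers set aside."""
    kept = sorted(responses)[: len(responses) - k]
    return sum(kept) / len(kept) * population


def build_sample():
    """Constructed sample of 1,000 respondents. Losses cannot be negative,
    so nothing on the low side can offset the two large answers."""
    return [0] * 950 + [200] * 40 + [5_000] * 8 + [750_000, 1_200_000]


if __name__ == "__main__":
    sample, population = build_sample(), 200_000_000  # assumed population
    print(f"headline estimate:      ${extrapolate(sample, population) / 1e9:,.1f}bn")
    print(f"share from top 2:       {top_k_share(sample, 2):.1%}")
    print(f"estimate without top 2: ${leave_top_k_out(sample, population, 2) / 1e9:,.1f}bn")
    print(f"added by one answer:    ${contribution(1_200_000, len(sample), population) / 1e9:,.1f}bn")
```

When reading a published loss figure, the same two checks apply: ask what share of the total comes from the largest handful of answers, and what the estimate becomes without them.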