via The New York Times...
In less than 15 years, cybercrime has moved from obscurity to the spotlight of consumer, corporate and national security concerns. Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved; annual loss estimates range from billions to nearly $1 trillion...
Yet in terms of economics, there’s something very wrong with this picture...
...in numeric surveys, errors are almost always upward: since the amounts
of estimated losses must be positive, there’s no limit on the upside,
but zero is a hard limit on the downside. As a consequence, respondent
errors — or outright lies — cannot be canceled out. Even worse, errors
get amplified when researchers scale between the survey group and the
overall population...
The cybercrime surveys we have examined exhibit exactly this pattern of
enormous, unverified outliers dominating the data. In some, 90 percent
of the estimate appears to come from the answers of one or two
individuals. In a 2006 survey of identity theft by the Federal Trade
Commission, two respondents gave answers that would have added $37
billion to the estimate, dwarfing that of all other respondents
combined...
Among dozens of surveys, from security vendors, industry analysts and government agencies, we have not found one that appears free of this upward bias. As a result, we have very little idea of the size of cybercrime losses. (more)
Thus proving once again, fear-mongering is profitable.
• Keep a cool head.
• View the risk holistically.
Your valuable information was/is available elsewhere, before it is ever entered into a computer.
• Balance your security budgets appropriately.
Information risk management isn't solely an IT issue... no matter what the IT security vendors and other vested interests tell you. ~Kevin
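The scaling effect described in the quoted passage can be worked through with numbers. This is an added example, not part of the article or this post; the population, sample size and every response value are constructed for illustration and come from no real survey.

```python
# Constructed survey data: all figures are illustrative assumptions.
POPULATION = 200_000_000  # assumed population the survey is scaled up to
SAMPLE_SIZE = 5_000       # assumed number of respondents


def build_sample():
    """4,900 respondents report no loss, 98 report $500,
    and 2 give very large, unverified answers."""
    return [0] * 4_900 + [500] * 98 + [250_000, 750_000]


def weight(sample_size, population):
    """How many people each respondent 'stands for' after scaling."""
    return population / sample_size


def extrapolate(losses, population):
    """Population-wide loss estimate: sample mean times population."""
    return sum(losses) * population / len(losses)


def top_k_share(losses, k):
    """Fraction of the reported total that comes from the k largest answers."""
    total = sum(losses)
    if total == 0:
        return 0.0
    return sum(sorted(losses, reverse=True)[:k]) / total


def estimate_without_top_k(losses, population, k):
    """Same extrapolation with the k largest answers set aside.
    The respondents still count in the denominator; only their
    claimed amounts are dropped."""
    kept = sorted(losses)[: len(losses) - k]
    return sum(kept) * population / len(losses)


if __name__ == "__main__":
    sample = build_sample()
    assert len(sample) == SAMPLE_SIZE
    print(f"each respondent stands for {weight(SAMPLE_SIZE, POPULATION):,.0f} people")
    print(f"headline estimate:        ${extrapolate(sample, POPULATION):,.0f}")
    print(f"share from top 2 answers: {top_k_share(sample, 2):.1%}")
    print(f"estimate without them:    ${estimate_without_top_k(sample, POPULATION, 2):,.0f}")
```

Because losses cannot be negative, no respondent can report a value that offsets the two large answers, so the headline figure moves only upward with each such error.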