But a recent research report calculates that the estimates of lost lucre are not just exaggerated, they are wildly, primordially, impossibly overhyped. To the extent that some projections suggest the sums being skimmed are greater in value than that of all the illegal drugs being sold anywhere in the world. Combined.
Yeah. Upon more sober reflection, didn't seem plausible to us, either.
Now, as the old saw goes, just because you're paranoid, it doesn't mean that they're not out to get you. And we know from universal experience with all manner of Nigerian email scams and virus-laden attachments that there is a 'they' and they are out there. But as the analysis points out, it is a really boring, time-consuming, low margin way to make a quick buck. Banking is so much easier. JL
Alex Madrigal reports in The Atlantic:
Estimates of cybercrime tend to be huge. Really, really huge. A recent study pegged the losses from cybercrime to companies at one trillion dollars. By comparison, the entire illegal global drug trade may total out a few hundred billion dollars, according to the UN. So, what cybercrime studies are saying is that the cybercrime market is several times larger than all the cocaine, heroin, meth, and pot sold across the entire globe.
These estimates strain credulity. Could cybercrime really be such a big deal? But put the word cyber before anything and everything goes haywire: Cyberwar! Cybersecurity! Cyberblinders! We all know the Internet is a big deal, so therefore crime on the Internet must be a big deal, right?
Well, finally, two economists, Dinei Florencio and Cormac Herley, came along to think about these supposed cybercrime harm estimates. What did they find? I'll let them tell you, via their editorial in the New York Times:
It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable. Most cybercrime estimates are based on surveys of consumers and companies. They borrow credibility from election polls, which we have learned to trust. However, when extrapolating from a surveyed group to the overall population, there is an enormous difference between preference questions (which are used in election polls) and numerical questions (as in cybercrime surveys).
In one case, a single person's $25,000 loss from a cybercrime could add $1 billion to a national estimate of cybercrime. In another case, two individuals' estimates added $37 billion to the overall calculation. And every single survey the economists looked at displayed structural flaws that gave them an upward bias.
That cybercrime would not be a horrible global scourge of triple the magnitude of the drug war makes "otherwise puzzling" facts make sense. "Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren't any," they explain. "Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply."
That these studies would be bunk stands to reason, Florencio and Herley argue, because economically, if there was such a boom going on, more people would rush in to push down average returns and deter people from that particular kind of activity. "Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing," they write. "Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward."
How'd so many estimates keep getting cybersecurity wrong? Anyone who cared about cybersecurity -- particularly those whose livelihoods depend on it -- had no reason to take down the inflated numbers. I'd also guess that many analysts weren't interested in being too far away from the mean of the estimates that came before them. Besides, cybercrime is a real problem for many companies and individuals, so the anecdotes could stand in for what the statistics could not actually support.
It's not the first time that cybersomething hype has come under attack. A recent Wired Opinion column called out the bipartisan cybersecurity hype. Cato's Jim Harper voiced similar concerns. Foreign Policy's recently put out a cyberwar takedown and similar concerns are circulating in some academic quarters as well. But I can't recall this kind of statistical takedown of the topline numbers -- and logic -- of the people who are hyping cyberthreats.
0 comments:
Post a Comment