Cybercrime is a fear for just about everyone, from individuals fearing identity theft to large corporations guarding sensitive data. The question is, how valid is this fear? It is a question that was raised recently in an Economist article, and the article makes it clear that politicians are not the only ones who misuse and abuse numbers.
Claims have been made that cybercrime is bigger than the drug trade and that it costs a trillion dollars annually. Most of these figures come from firms that specialize in preventing cybercrime...in other words the same folks who will benefit if people feel the need to protect themselves from cybercrime. These figures are generally not questioned, either out of numerical ignorance or the belief (probably correct) that big numbers scare people and help to sell newspapers (or, in today's world, web hits).
A couple of recent studies question these figures and the methods used to generate them (though in many cases the folks pushing the scary numbers don't explain their methodology). The biggest mistakes are made by poorly extrapolating the data. This can happen by overestimating the cost of individual attacks (overestimating a single devastating crime by $50,000 would add $10 billion to a national figure) or by using particularly devastating attacks as their base rather than recognizing that most attacks have relatively little financial impact.
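The extrapolation arithmetic behind the $50,000 to $10 billion claim, as an added example that is not from the original post or the studies it mentions. It assumes a survey of 1,000 respondents scaled to a population of 200 million (a ratio chosen to match the post's figures), and every loss value in it is constructed.

```python
# Added illustration; every figure below is constructed, not survey data.
POPULATION = 200_000_000   # assumed population the survey is scaled up to
SAMPLE_SIZE = 1_000        # assumed number of survey respondents


def build_sample(top_loss):
    """Constructed heavy-tailed sample: most respondents lose nothing."""
    losses = [0] * 950 + [100] * 45 + [2_000] * 4 + [top_loss]
    assert len(losses) == SAMPLE_SIZE
    return losses


def national_estimate(losses, population=POPULATION):
    """Mean-based extrapolation: average reported loss times population."""
    return sum(losses) * population / len(losses)


def top_share(losses):
    """Fraction of the whole estimate resting on the largest single answer."""
    return max(losses) / sum(losses)


def trimmed_estimate(losses, population=POPULATION):
    """Same extrapolation with the single largest answer set aside."""
    kept = sorted(losses)[:-1]
    return sum(kept) * population / len(kept)


accurate = build_sample(top_loss=50_000)    # worst-hit victim reports the true loss
inflated = build_sample(top_loss=100_000)   # same victim overstates it by $50,000

if __name__ == "__main__":
    for label, sample in (("accurate", accurate), ("inflated", inflated)):
        print(f"{label}: ${national_estimate(sample):,.0f} national, "
              f"{top_share(sample):.0%} from one respondent, "
              f"${trimmed_estimate(sample):,.0f} without that respondent")
    gap = national_estimate(inflated) - national_estimate(accurate)
    print(f"one $50,000 overstatement adds ${gap:,.0f}")
```

Each answer is multiplied by population divided by sample size (200,000 here), so the headline number is only as reliable as the handful of largest responses.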
Work by Chris Kanich of the University of California, San Diego and Brett Stone-Gross of the University of California, Santa Barbara greatly reduces the estimated total cost of these crimes: probably still in the billions, but not trillions.
So clearly the misuse of numbers goes beyond politicians, and the media are willing accomplices. As someone who sees numbers as a way to discern the truth, this disturbs me. I'm not sure that abusing numbers to scare people really drives more people to take the threat seriously. It is also possible that scaring them causes them to see things as hopeless or, worse still, not to trust numbers at all.
The shame of it is that cybercrime is a big problem. Whether it is trillions, billions or thousands doesn't matter to the victim of identity theft...they only know how much their lives have been impacted. The open question is whether misleading or outright wrong numbers help or hurt.
For the sake of our many clients in healthcare and financial services, I should mention that as a research company, we don't need to be scared to recognize the need for security. We are SAS-70 certified and take our responsibility to protect confidential data very seriously. We'll keep that commitment regardless of how big cybercrime is...
Rich brings a passion for quantitative data and the use of choice to understand consumer behavior to his blog entries. His unique perspective has allowed him to muse on subjects as far afield as dinosaurs and advanced technology with insight into what each can teach us about doing better research.