Everyone agrees cybercrime affects everyonegovernments, corporations, the publicbut to what extent? And while vast sums are spent on security to protect against the evildoers, why is it so difficult to determine the amount of the damage they have done?
According to its most recent study, security software manufacturer Symantec Corp. reports cybercrime is costing the world $110 billion every year. But, according to McAfee Inc.Symantec's closest competitorthe actual annual cost worldwide is almost 10 times that, approximately $1 trillion.
What's going on here?
Unfortunately, say security experts, there seem to be at least four hurdles to accurate reporting:
Consider, for example, a company doing advanced research has a break-in and proprietary information is copied out of its computers, says Eugene H. Spafford, a professor of computer science at Purdue University. "If the company discovers the intrusionand it might notan audit might determine the loss equals the cost cleanup and perhaps changing to new security software. But what if the company isn't aware of all that was taken or doesn't know how to evaluate it? And what if that same proprietary information shows up a year later in a competitor's product in another country? How then do you evaluate the loss? And what if the product has national defense associated with it? How do you put a value on a significant enough product? Millions of dollars? Billions?"
McAfee attributes a portion of the discrepancy between its reporting and Symantec's to the fact that its study focuses on the amount of money businesses lose worldwide due to both malicious and accidental data loss.
The company concedes, however, that coming up with an estimate is particularly difficult because there are so many facets that need to be considered.
"You need to add up losses due to corporate espionage, losses that can't be quantified, losses from damage to a brand's reputation, and so on," says a McAfee spokesperson. "But the hardest to estimate is the cost to the long-term competitiveness of the U.S. economy. What is the cost to the U.S. down the road when competitors to our best hardware, software, and bio-tech companies emerge in the future and take away market share and American jobs? Those costswhich could be hugeare the ones that are the most difficult to evaluate."
And, for consumers, it is not only about what is lost through fraud with online banking; it is also about their digital assets.
"What's the worth of that book draft they've been working on for a year?" asks the McAfee spokesperson. "And how much are their photographs worth? What about the worth of their online identity? Most victims spend a considerable amount of time trying to recover their identities and recreate information they've lost. What is that time worth?"
The true cost of cybercrime, he adds, involves looking at all these questions and adding them up "using a strong, clear, defensible methodology." Many companies and think tanks do not have the time or the money to do that kind of extensive research, he says.
Symantec chose not to comment or participate in this story.
Meanwhile, Cormac Herley, principal researcher at Microsoft Research, says he has "no faith whatsoever that either one of the numbersSymantec's or McAfee'sis anywhere close to the truth. You can call anything an estimate," he says, "but that doesn't mean it's a reasonable reflection of the underlying reality."
Herley and his co-researcher, Dinei Florencio, recently wrote a paper, "Sex, Lies and Cybercrime Surveys," after reading cybercrime estimates "that varied by orders of magnitude. I mean, many things have some wiggle room. But if physicists couldn't agree on the speed of light to within four orders of magnitude, they would just confess they didn't know."
Herley blames the methodologies in the cybercrime surveys that, he says, almost always exaggerate the numbers on the high side. He believes the actual numbers are far smaller.
The problem, he says, is that cybercrime surveys are not like voting surveys where everyone's answer counts equally.
"When you ask people what they lost from cybercrime, you have no ability to verify that they understood the question and that they answered truthfully," he explains. "And then, when even a single person gives you a number that is grossly incorrect, they have the ability to destroy the entire survey. It almost always results in a major upward bias in the numbers.
To illustrate how one person can make nonsense out of a survey, Herley suggests a study to determine how many people have pet unicorns. "If you ask 100 people (which substitutes for a population of 100 million people in the country), it means that whatever number you get you need to multiply by one million. Then you conduct the survey and everyone truthfully answers "zero," except for one person who misunderstands the question and says that, yes, they have one unicorn because their daughter has a stuffed one in her bedroom. Your estimate now shows there are one million unicorns in the U.S. It's completely incorrect and it's based on that one incorrect answer."
Cynics have charged that cybercrime stats are artificially inflated to scare more people into buying security software.
If that is the case, does it even make sense to try and determine the cost of cybercrime given the likelihood the results will be hugely inflated? Experts say "yes;" that if an organization uses the same consistent method repeatedly, trends emerge and that is valuable for those battling cyber losses.
In addition, from an awareness standpoint, experts say it is important to get the business world, private individuals, and government organizations to understand the magnitude of the problem. Otherwise, the usual attitude is "we've never had a problem so it's likely we won't have one in the future."
Cynics have charged that cybercrime stats are artificially inflated to scare more people into buying security software. And, they suggest, companies that profit by selling anti-malware software should not be the ones reporting on the size of the malware problem.
On the other hand, say observers, who else is going to conduct analyses of security other than the security companies who know the field, know whom to ask, and generally have respected names so people are likely to respond to them with good information.
"You're not likely to see a survey in this area conducted by Hostess Snack Foods," said one. "As for the government doing it, many organizations simply don't want to report to the government that they've had losses be cause they don't trust how that information will be used."
But Microsoft's Herley says he believes "with very high confidence and without much fear of contradiction the methodologies the companies use produce bogus answers. As far as their motivations go, I just don't know and I don't want to speculate. Mistakes happen all the time even when there's no intent to deceive."
However, Ross Anderson suspects that most cybercrime statistics"like the ridiculous $1 trillion number which means cybercrime is 2% of the world's GDP"have been unreliable "because people compiling them (like policemen or security software vendors) have had some axe to grind." Anderson is professor of security engineering at the University of Cambridge's Computer Laboratory.
His 2008 study, "Security Economics And The Single Market," reports that has been the case for years. And in his more recent paper, "Measuring The Cost of Cybercrime," he suggests society ought to spend less money on antivirus software and more on policing the Internet.
"Many cybercrimes are committed by a small number of people," he says. "For example, in 2010, a third of all the spam in the world was sent by one botnet. So it would be a lot more efficient to just arrest the bad guys and put them in jail than to expect several hundred million users worldwide to run anti-virus and anti-spam software. Of course the anti-virus and anti-spam companies don't agree."
A large part of the true cost of cybercrime is the money the world spends on anti-virus software, he maintains, adding "in fact, the anti-virus companies make much more money out of spam than the bad guys do."
"Many organizations simply don't want to report to the government that they have had losses because they don't trust how that information will be used."
If, in fact, measuring the true cost of cybercrime is viewed as important, experts have recommendations.
Purdue's Spafford suggests that a reasonable set of metricsand a reasonable set of questions to obtain those metricsneeds to be devised by an organization familiar with creating surveys and calculating costs.
He recommends a coalition of software or hardware vendors, perhaps one that already exists, perhaps an organization like the National Institute of Standards and Technology (NIST).
"Whoever it is," he says, "it needs to be someone who has everyone's trust. And that's not going to be easy, nor is it going to be cheap."
Cambridge's Anderson suggests taking a different route: "Stop wasting money on measuring cybercrime and stop wasting money on cyberwar," he says. "Spend it on the police instead."
Measuring the cost of cybercrime, http://www.cam.ac.uk/research/news/how-much-does-cybercrime-cost/, June 8, 2012.
Florencia, D. and Herley, C.
Sex, lies and cyber-crime surveys, Workshop on Economics of Information Security, http://research.microsoft.com/apps/pubs/default.aspx?id=149886, June 2011.
Unsecured economies: Protecting vital information, http://www.cerias.purdue.edu/assets/pdf/mfe_unsec_econ_pr_rpt_fnl_online_012109.pdf, Jan. 21, 2009.
2012 Norton Cybercrime Report, http://now-static.norton.com/now/en/pu/images/Promotions/2012/cybercrimeReport/2012_norton_Cybercrime_Report_Master_FINAL_050912.pdf, May 9, 2012.
Verizon RISK Team
2012 Data Breach Investigations Report, http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf, 2012.
©2013 ACM 0001-0782/13/03
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from email@example.com or fax (212) 869-0481.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2013 ACM, Inc.
The following letter was published in the Letters to the Editor in the May 2013 CACM (http://cacm.acm.org/magazines/2013/5/163765).
Paul Hyman's complaint about the lack of adequate reporting of cybercrime statistics was well justified in his news story "Cybercrime: It's Serious, But Exactly How Serious?" (Mar. 2013). All we have, he acknowledged, are lower-bound data, writing, "This much but how much more is there?" Information security is open-ended, with real but unreported losses, vulnerabilities, and threats.
Trade and professional journals tell us how to achieve security solutions, but such advice is not supported by experience because experience itself must be kept confidential. The confidentiality needed to achieve security of security greatly inhibits valid research and adequate preparation. I have for 40 years advised victim enterprises to carefully evaluate the pros and cons of publicly reporting specifics of their security experience, as revealing them would be a violation of the very concept of security; they could lose more from reporting than from keeping the information confidential. Yet they have a moral, social, and possibly legal obligation to publicly report it. An SEC advisory letter to public corporations (SEC Disclosure Guidance: Topic No. 2, Oct. 13, 2011, http://www.sec.gov/divisions/corp-fin/guidance/cfguidance-topic2.htm) requires publicly reporting cybersecurity risks to shareholders but also advised not to reveal information helpful to potential adversaries. How can they carry out such a contradictory dual mandate?
Security-information-sharing organizations (such as Infraguard, http://www.infraguard.net) in cooperation with the FBI and the inter-industry Information Sharing and Analysis Centers (http://www.isaccouncil.org) are helpful to a point. I suggest also using what I call the "old boys network" of informally sharing the most sensitive security information by developing mutual trust with fellow security practitioners in other enterprises, as has been the practice for a long time in industrial security.
Donn B. Parker
Los Altos, CA
Displaying 1 comment