Feeds

Cybercrime figures 'as true as sexual-conquest scores'

I've slept with many ladies, and caught lots of viruses

Beginner's guide to SSL certificates

Microsoft researchers have rubbished figures from cyber-crime surveys, deeming them subject to the types of distortions that have long bedevilled sex surveys.

It's well enough established that men claim to have more female sexual partners in sex surveys than women claim male partners, a discrepancy that can't be explained by sampling error alone. All it takes is for a few self-styled Don Juans to hopelessly distort the figures.

Similarly, refusal rate and small sample sizes in cybercrime surveys mean that cybercrime surveys tend to get dominated by a minority of responses, normally those who have or think they have lost a great deal as a result of hacking or malware attack, and are vocal about it.

Unverified self-reported numbers that come from such people are used as the basis for calculating losses that are based on, at best, guesstimates.

"Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population," Miscosoft researchers Dinei Florencio and Cormac Herley argue in the paper Sex, Lies and Cybercrime Surveys.

"Cyber-crime, like sexual behavior, defies large-scale direct observa- tion and the estimates we have of it are derived almost exclusively from surveys," they add.

It's only human nature to want to get a handle on the size of any economic or social problem, hence the understandable hunger for figures on cybercrime losses. While you can go some way towards gauging the spread of a virus or the volume of fraudulent phishing emails, it's fraught with difficulties to try on map such raw figures to actual losses.

This idea is seldom challenged but often overlooked by security industry firms who commission surveys of questionable methodology to talk up cybercrime losses in the hope of hoping to sell more kit, essentially by putting the frighteners up potential customers. Some customers at least are wise to such ploys, and disregard it as simply part of the rough and tumble of the security marketing game.

The problem with cybercrime figures comes when they are presented as methodically researched before being used to lobby either senior corporate executives or politicians for extra security spending and the like. Using these estimates to drive policy decisions, when they are unreliable in the first place, is almost certainly going to to steer decisions towards a misguided outcome.

Florencio and Herley note that the sketchy practices that persist in security surveys are among those security-conscious coders are taught to avoid. "'You should never trust user input' says one standard text on writing secure code," they write.

"It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy."

The paper (pdf), prepared for the Workshop on the Economics of Information Security, alleges that cyber-crime loss estimates are more often than not largely derived from the unverified self-reported answers of one or two people.

The researchers (correctly) state that others have reached the same dim view of cybercrime guesstimates before starkly concluding: "Cyber-crime surveys… are so compromised and biased that no faith whatever can be placed in their findings". ®

Remote control for virtualized desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.