Feeds

Cybercrime figures 'as true as sexual-conquest scores'

I've slept with many ladies, and caught lots of viruses

Protecting against web application threats using SSL

Microsoft researchers have rubbished figures from cyber-crime surveys, deeming them subject to the types of distortions that have long bedevilled sex surveys.

It's well enough established that men claim to have more female sexual partners in sex surveys than women claim male partners, a discrepancy that can't be explained by sampling error alone. All it takes is for a few self-styled Don Juans to hopelessly distort the figures.

Similarly, refusal rate and small sample sizes in cybercrime surveys mean that cybercrime surveys tend to get dominated by a minority of responses, normally those who have or think they have lost a great deal as a result of hacking or malware attack, and are vocal about it.

Unverified self-reported numbers that come from such people are used as the basis for calculating losses that are based on, at best, guesstimates.

"Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population," Miscosoft researchers Dinei Florencio and Cormac Herley argue in the paper Sex, Lies and Cybercrime Surveys.

"Cyber-crime, like sexual behavior, defies large-scale direct observa- tion and the estimates we have of it are derived almost exclusively from surveys," they add.

It's only human nature to want to get a handle on the size of any economic or social problem, hence the understandable hunger for figures on cybercrime losses. While you can go some way towards gauging the spread of a virus or the volume of fraudulent phishing emails, it's fraught with difficulties to try on map such raw figures to actual losses.

This idea is seldom challenged but often overlooked by security industry firms who commission surveys of questionable methodology to talk up cybercrime losses in the hope of hoping to sell more kit, essentially by putting the frighteners up potential customers. Some customers at least are wise to such ploys, and disregard it as simply part of the rough and tumble of the security marketing game.

The problem with cybercrime figures comes when they are presented as methodically researched before being used to lobby either senior corporate executives or politicians for extra security spending and the like. Using these estimates to drive policy decisions, when they are unreliable in the first place, is almost certainly going to to steer decisions towards a misguided outcome.

Florencio and Herley note that the sketchy practices that persist in security surveys are among those security-conscious coders are taught to avoid. "'You should never trust user input' says one standard text on writing secure code," they write.

"It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy."

The paper (pdf), prepared for the Workshop on the Economics of Information Security, alleges that cyber-crime loss estimates are more often than not largely derived from the unverified self-reported answers of one or two people.

The researchers (correctly) state that others have reached the same dim view of cybercrime guesstimates before starkly concluding: "Cyber-crime surveys… are so compromised and biased that no faith whatever can be placed in their findings". ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.