Lack of verification and dubious extrapolation mean loss estimates "are generated using absurdly bad statistical methods."
So says Dinei Florencio and Cormac Herly of Microsoft Research in their new report "Sex, Lies and Cyber-crime Surveys." The New York Times gave them op-ed space for this report. Two years ago, the GAO (Government Accountability Office) heaped the same type of scorn on piracy loss estimates, saying it is "difficult, if not impossible, to quantify the economy-wide impacts."
How do bogus loss numbers become "official" over time? Cybercrime victims, such as banks, are loathe to admit losses. Surveys used to estimate losses have to multiply real losses by some number to come up with the size of the total loss. Result? "One unverified claim of $7,500 in phishing losses translates into $1.5 billion." Beware the multipliers.
My information being used to open fraudulent accounts didn't cost me real money, but it sure took a lot of time to resolve.aficianado on arstechnica.com
every single "cost of cybercrime" calculation I found - even from government agencies - was based on the same original, unsourced estimate from MarkMonitor, which sells various brand protection services to IP holders.jaylevitt on news.ycombinator.com
If at the end of the day, the horror stories read online push users and admins to educate themselves, even if out of fear of overly estimated loses, I see no harm.CLORO on news.ycombinator.com
Lies, damn lies, and statistics
I groaned as soon as I read they used a survey. In my stats classes we make fun of studies that use surveys.dagonoth on arstechnica.com
This is why I wish the Bureau of Justice Statistics, Uniform Crime Report, and State Governments do a better job of reporting pure cyber-crime statistics. That information would be extremely valuable versus doing surveys.Jerry Dixon on threatpost.com
I find both sides of the argument to be both ignorant and full of hyperbole in whichever manner they are submitting their "evidence".Discoceris on arstechnica.com
I suppose you have a better method to gather info about thousands/millions of individuals?.roken on arstechnica.com
Kudos to the researchers for bringing some cautious sanity and objectivity to the issue, instead of just running away in the other direction.kjin on news.ycombinator.com
The time aspect really does, as you say, muddy the water in terms of the real cost which is analogous to how difficult it is to assess the real cost of piracy. The time lost to me was real, but I can't quantify how much money it cost.aficionado on arstechnica.com
Luckily, Rob Reid explains "Copyright Math" to us in "The $8 billion iPod."
Now read this: