April 18, 2012, 11:26 AM
Lack of verification and dubious extrapolation mean loss estimates "are generated using absurdly bad statistical methods."
So say Dinei Florencio and Cormac Herley of Microsoft Research in their new report "Sex, Lies and Cyber-crime Surveys." The New York Times gave them op-ed space for this report. Two years ago, the GAO (Government Accountability Office) heaped the same type of scorn on piracy loss estimates, saying it is "difficult, if not impossible, to quantify the economy-wide impacts."
How do bogus loss numbers become "official" over time? Cybercrime victims, such as banks, are loath to admit losses. Surveys used to estimate losses have to multiply the real losses reported by respondents by some number to come up with the size of the total loss. Result? "One unverified claim of $7,500 in phishing losses translates into $1.5 billion." Beware the multipliers.
My information being used to open fraudulent accounts didn't cost me real money, but it sure took a lot of time to resolve.
aficianado on arstechnica.com
every single "cost of cybercrime" calculation I found - even from government agencies - was based on the same original, unsourced estimate from MarkMonitor, which sells various brand protection services to IP holders.
jaylevitt on news.ycombinator.com
Lies, damn lies, and statistics
I groaned as soon as I read they used a survey. In my stats classes we make fun of studies that use surveys.
dagonoth on arstechnica.com
This is why I wish the Bureau of Justice Statistics, Uniform Crime Report, and State Governments would do a better job of reporting pure cyber-crime statistics.