The $1 Trillion Cybercrime Myth 94
wiredmikey sends this excerpt from SecurityWeek:
"A recent article on ProPublica dissected two commonly quoted figures about cybersecurity: $1 trillion in losses due to cybercrime itself and $388 million in IP losses for American companies. Both figures have been scrutinized and challenged by many, and viewed as typical security vendor FUD. ... The $1 trillion figure is attributed to anti-virus vendor McAfee, while the $388 million in IP losses number belongs to Symantec's Norton division. According to ProPublica, 'The report was not actually researched by Norton employees; it was outsourced to a market research firm, StrategyOne, which is owned by the public relations giant Edelman.' The problem with both of these figures — $1 trillion and $388 million — is, as Microsoft researchers pointed out earlier this year in a report fittingly titled 'Sex, Lies, and Cybercrime,' they are studded with outliers. In one example they cite that a single individual who claims $50,000 losses, in an N = 1000 person survey, is enough to extrapolate a $10 billion loss over the population. In another, one unverified claim of $7,500 in phishing losses translates into $1.5 billion over the population. The Microsoft researchers concluded: 'Are we really producing cyber-crime estimates where 75% of the estimate comes from the unverified self-reported answers of one or two people? Unfortunately, it appears so. Can any faith whatever be placed in the surveys we have? No, it appears not.'"
Re: (Score:3)
Wow, you aren't very smart are you?
Some jerk will... (Score:1)
Hah, won't get it with your logged in account now will you!
http://xkcd.com/605/ [xkcd.com]
Re: (Score:1)
Clinton, Dubya and Obama have all been drug users
these things... they happen (Score:3, Funny)
i once lost 1.21 jiggawatts in a time travel scam...
Of course it's made up (Score:5, Insightful)
Obviously, the $1 trillion figure is made up. The real figure is more likely in the tens of millions, maybe a little higher, but probably even less than that. The thing is, and the reason people can get away with citing a number that ridiculous, is because it is so large. People simply have no concept of scale that large. You can't hold a number that large in your head, not insofar as it applies to something real. As a pure number, sure, but not as a number of something. The human brain can comprehend tens, even thousands: but trillions are simply too large for the mind to hold, which means that as a talking point, a couple billion is about the same as a trillion for your average human: it basically just ends up meaning "a really really really lot."
If you approach rebuking the number as "well what should the number really be", you aren't countering the key point behind those figures, which is simply to express a massive quantity. If you respond by saying the number should really be in the millions, people will usually scoff at you ("no way McAfee could have been that wrong") or at best simply take the average of the two numbers, which still yields a massive number in their head. The point of such studies isn't to be scientific: it's to be rhetorical. So ultimately, to the people citing that number, it doesn't matter in the slightest if it is true, or how it was a arrived at. All it matters is they have a really big number to cite that they can say is "scientific" or "proof that we need to take action."
Re:Of course it's made up (Score:5, Insightful)
I get suspicious when the number reaches a significant fraction of our discretionary spending on national security/military. I think that's about $750,000,000,000 for 2012.
$1 Trillion USD is just beyond absurd. That's the same as stealing about 88% of all income tax collected from every person and company in the entire US for an entire year.
Re: (Score:3, Insightful)
Re: (Score:1)
Million Seconds: 11.0000 Days
Billion Seconds: 31.6879 Years
Trillion Seconds: 3168.8088 Centuries
I love how simple this is in C
Re: (Score:2)
1.2 quadrillion seconds: 38,026 Millenia
BTW Google says 1 trillion seconds is 316.888 Centuries [google.com]
Re: (Score:2)
If the losses are really only in the millions, how is there a market for zero-day exploits of ~$50k each? To engage in your average criminal activity, you need at least a 10:1 payout for something low-risk logically. If the packaged exploit is half the cost of executing the scam, your average zero-day should gross $1MM. Isn't it easier to skim $100k from a brokerage account than mine bit coins?
Of course, your average criminal isn't too good at math, but it hardly seems that difficult to cast a big enough
Re:Of course it's made up (Score:5, Interesting)
Wait a minute now. The derivatives market by itself, is close to $800Trillion. That's "trillion" with a "T" and represents a sum that equals many times more than the GDP of the entire world.
The manipulation of Libor and stealing by simply timing the rate changes could easily have represented $1Trillion in crime.
Add to that the investment banks using their position to do high-frequency trading, in effect "peeking" at their customer transactions to jump in front (yes, that's a crime) and all the rest of the straight up fraud and theft that is being perpetrated by the big banks thanks to their proximity to the Federal Reserve and we've left $1Trillion in cybercrime about five miles back.
You make the mistake of thinking that "cybercrime" can only be Balkan hackers or credit card scammers - small time fraudsters. The real cybercrime is being perpetrated by our financial elite on a scale that makes them absolutely untouchable - out of the reach of any government. Hell, the medicare fraud by the company owned by the governor of Florida, Rick Scott, caused them to pay a fine of a billion dollars, which means the amount they stole using their computer medicare billing system is well over that amount. That's certainly cyber-crime.
Then look at the $27trillion being held illegally off-shore by American citizens to evade taxes (also a crime and also made possible thanks to computers) and the figure of what could be called "cybercrime" adds up to more than the total GDP of the United States and Japan combined. To give you an idea of the impunity with which this illegal (as in crime) activity is engaged, one of the people who almost certainly took advantage of the 2009 amnesty by which these tax cheats could repatriate their money to the US without facing criminal prosecution is now running for president.
Re: (Score:2)
Re: (Score:2)
If you just take the cases of cybercrime that the biggest banks have already settled with the Justice Department, you get way over $1trillion.
It's silly to think that the $1 trillion figure is "made up". Just look at the deal that's being cut in regard to the massive amount of mortgage fraud. The amounts there are what, 700, 800 million dollars?
Of course, the lawyers tell their clients, when settling for pennies on the dollar, to "admit no wrongdoing" but to pay up anyway because they committed the crimes
Re: (Score:2)
I'm sorry, that should be "billion" with a "b".
These numbers get so big that I can barely keep them straight.
I can't even remember what comes after "trillion". Is it "quadrillion"? Well the derivatives market, that shadow market that is tied to absolutely nothing real - not equities, not bonds, stocks, nothing but money in the hands of a tiny number of people, nothing that adds a goddamn thing to society, and we're bumping right up against that quadrill
Re: (Score:2)
Sorry, as you can see in my correction (right below my post), I meant to say, "$700, 800 billion".
Number so big make me a little dizzy. Please excuse me.
Re:Of course it's made up (Score:4, Funny)
The real way to compute cybercrime numbers:
1) number of copies of Norton sold * price
2) number of copies of McAfee sold * price
3) number of copies of Windows sold * price
4) number of copies of MS Office sold * price
Adding up 1-4 will give a good estimate of cybercrime. We should probably add in an additional $10 million to also cover phishing scams.
Re: (Score:3)
If you work with very large and very small numbers on a regular basis, you can indeed hold a number that large in your head. Exponents are not that abstract.
Re: (Score:1)
You are quite wrong. The discrete quantities the human brain can quickly recognize are much smaller than that.
Think of people in a room; you enter a room and you see 3 people. You don't have to think for a second, you know it's 3 people, instantly. The same with 4. Perhaps 5. After 6 people, you might not realize, but, as you count them, you'll probably be counting in groups of 3 or 4. Everything above 6 or 7 you only estimate (e.g.: "there were *about* 15 people in that room"), unless you actually take tim
one in a thousand (Score:5, Interesting)
Throw that one guy out as a strange "outlier" and the number is zero. That is more believeable.
Lies, damn lies and statistics. Grarbage in garbage out.
If it was only one person out of a full one thousand sample then the sample size is way to small to be statistically significant. Whoever did the statistical analysis should be fired. With that low a report rate you don't know it is 1/1e6 or 1/1e9 and you just got unlucky in the sample.
Re:one in a thousand (Score:4, Insightful)
Whoever did the statistical analysis should be fired.
Why should they be fired? Their job is public relations, not honesty.
Re: (Score:2)
There's no reason for those 2 things to be exclusionary
Re: (Score:2)
You're part of the problem. Lies and fraud should not be tolerated, regardless of whether it's someone's "job". It's wrong, and causes damage to society by misleading people and ultimately tricking them into parting with their money.
Re: (Score:2)
Clearly nobody actually did a statistical analysis.
In fact, an outlier that large, in two different samples, suggests foul play. Perhaps the number was far too small so they had to slip in a ringer.
1 Trillion is over 6% of GDP (Score:2, Interesting)
It is not only cyber-crime estimates that are coming from one or two self-reported unverified people. All the economy related numbers are made up, reverse engineered, adjusted to fit the narrative of the political power.
1 Trillion USD losses to cyber-crime? So taking the 15 Trillion GDP figure at face value (which you must not make mistake of doing), it means that over 6% of the GDP is lost due to all this 'cyber-crime'. 6%. The entire USA agriculture sector is 4% of the reported GDP.
the same type of math the RIAA and MPAA use... (Score:5, Informative)
The RIAA and MPAA both use similar voodoo-comic book math techniques to justify their "losses" to cybercrime (illegal downloads).
Re:the same type of math the RIAA and MPAA use... (Score:4, Informative)
A speaker at TED demonstrated this was due to rampant ringtone piracy.
Stop the presses (Score:1)
Security software vendors exaggerate business' losses due to cybercrime! Who would've thought....?
Re:We trust Microsoft now? (Score:4, Insightful)
Re: (Score:1)
Well, in this case, it is basically Microsoft defending itself against the FUD from Norton, because the only reason you should need Norton is if Microsoft Windows sucks. So Microsoft will attempt to minimize the reported cybercrime numbers because it reflects poorly on them.
I'm not saying Microsoft is wrong in their analysis here, in fact I think they are correct, but you cannot say that Microsoft is "helping" anybody but themselves by exposing the FUD. I highly doubt that they would help expose any FUD a
Re:We trust Microsoft now? (Score:5, Funny)
Well, in this case, it is basically Microsoft defending itself against the FUD from Norton, because the only reason you should need Norton is if Microsoft Windows sucks.
Which is ironic, because Norton sucks like a black hole with daddy issues.
Re: (Score:2)
Norton sucks like a black hole with daddy issues
Of all the days to not have mod points.
Symatec source citations (Score:5, Funny)
"Up to $1 Trillion in losses[1] and "$388 million in IP losses[2]"
[1] - someguysblog.com
[2] - foxnews.com
Re: (Score:2)
You better watch out (Score:2)
Your summary of " $388 million in IP losses for American companies" was actually $388 Billion, and it was in total cybercrime losses in the USA (including time lost due to outages/delays)
"Symantec [placed] cybercrime’s [US] total cost, factoring in time lost, at $388 billion".
You keep making errors like that and ProPublica is going to come after YOU next.
Department of Conjecture (Score:1)
That's why we need confidence intervals (Score:1)
The Costs May Be Justified If You Consider........ (Score:1)
If they are including spyware/virus in their "cybercrime" definition, the numbers make sense.
Consider this:
I've got a customer who had two of their machines taken out by viruses. At a billable rate of $180/hour, it took approximately 10-12 hours to try the cleaning solutions (which of course did not work) and then reformat and reinstall Windows and the five-million updates to updates to updates. So that's just two occurrences in one week costing the client $4,000.00 for actions due in large part to whoever
$4000 for two machines??? (Score:2)
... sheesh, they could have found a guy on Craigslist that would have immediately jumped to the "gotta reinstall windows" solution for $40 a pop.
"Just the annual cost for this one company alone could justify extrapolating the seemingly over-inflated costs of cybercrime."
No, your overinflated $180/hr billing rate is as much to blame for this one as does milking the client for money. Seriously, as someone that does AV cleanup as part of my security duties for a large global company I gotta call bullshit on yo
Re: (Score:1)
First, my hourly rate is cheap when compared with the rest of the industry averaging $250/hour. But never mind that, how exactly do you expect to run virus scans (60-120 minutes), apply supposed fixes (60 minutes), re-run scans to see if fixes worked (60-120), backup user data and email (30-60 minutes), reformat and reinstall windows (60-120 minutes depending on the speed of the machine), download updates (60-120 minutes), install SP3 (60 minutes), download more updates (60-120 minutes), reinstall antiviru
your explanation was enough... (Score:2)
... enough to show me just how bad you are at your job. Your industry average of $250/hr is complete bs; a number pulled out of your ass to justify raping this company due to their own ignorance. I understand, it's your cash cow and you will do anything to protect your interests, but right now you look like a used car salesman from the 80's; lying to the customer just to make a buck.
Re: (Score:1)
I've been in this business for 30 years. How long have you been operating your own consulting firm? How many competitors do you have to be price competitive with?
Grow up and join the real world.
The only place you can get consultants for less than $150 per hour are from India and that is for remote support only.
Re: (Score:1)
raping a company for 20 years is still rape (Score:3)
... no matter what you say, or how you try to justify it, you're still giving it to them with no Vaseline or even so much as a reach around or peck on the cheek. The only reason you're still in business is because you found a sucker of a company and are milking them to make your BMW payments.
One can get an H1B Indian consultant to stand up an SAP BobJ instance on SUSE 10 for around $160/hr right now and he/she will sit in your office to do the job, you can get them for that much to do a wide range of things
Re: (Score:1)
Painful truths are still painful (Score:2)
Calling me a troll does nothing to change the fact that you're robbing this poor company blind.
Re: (Score:2)
I do agree, that his rate seems to be a bit inflated, especially if he has an ongoing relationship with his client.
But "Robert Half"? What is that? Some kind of Temp agency? Do their Temps come with their own CD/DVDs? USB backup drives? Will they come with their own rescue/toolkit USB sticks? Or will the Temp have to Google his way out of your predicament? And will the Temp have to rely on you for finding your installation CDs/DVDs?
And every time you call this Robert Half agency, will the same exact person
Re: (Score:2)
Re: (Score:1)
Up until last year, they had their own inside IT person who was from the mainframe world and was a bit out of her element. They have 50 people and 49 different workstations. Not my choice. Not my sale. They have been buying onesy/twosy machines since slooooooowly transitioning from Wyse serial terminals into the PC world.
Most of the people who commented on this portion of the main post should really sit down and watch Glengarry, Glenn Ross: "Never open your mouth when you don't know the shot". Jesus Ch
Re: (Score:1)
I'll put that in my morning memo: "Please Note: An anonymous coward on the internet will be glad to replace my 20 years of working with your company and 30 years of experience with setups exactly as yours with his own home spun bargain basement virus repair. I'll gladly repair them when he is finished".
You should be fired! (Score:1)
Re: (Score:1)
Why should the fire me?
Rather than be a smart aleck, what would you do if: you warned the customer's about the specific viruses they're getting hit with, your warned them of the insufficiency of their current antivirus, you repeatedly told them that we have to upgrade from Outlook Express to a real email program, you warn that they need a much more reliable and secure email server with modern filtering capabilities, and they refuse to acquiesce to any of those recommendations?
Would you take it upon yoursel
FOSS could have been the solution (Score:2)
A lot of what you have described could be mitigated with open-source software. A good consultant would have made those recommendations.
Re: (Score:1)
We see the actual money thefts (Score:1)
I work for a company that analyzes transactions and detects account takeovers and thefts at banks. Banks call us when they suffer a loss or series of losses. When they call us these losses are typically over $300,000 and the largest attack we've seen is for about $1.5M. We do NOT deal with the biggest banks, mostly regional and local banks. In case you didn't know, there are about 15,000 banks and credit unions in the U.S., so there are a lot of targets for criminals. Not all these banks have assets worth s
Re: (Score:2)
you know, even one billion dollars is pretty far from one trillion dollars.
by the way this cybercrime doesn't include apparently wire fraud, which certainly existed before "cyber" as well.
this one trillion dollars isn't mainly even based on real dollars the companies held in their hands, but on IMAGINARY POTENTIAL PROPERTY value. they estimate that their new widget is worth 23 millions and that they lost that due to breach and that would have been included in the study, never mind that there weren't enough
Pffft 1 Trillion? That's nothing! (Score:3)
RIAA have this science down pat. I mean they sued Limewire for 51$ Trillion dollars! (insert pinky)
All these companies come up with BS numbers to push their own agenda. Oh and you can bet every study done by the MPAA and RIAA, were all done by "independent" sources... I mean I recall a number used for piracy being used in Canadian lobby, that was so self refreential it was neigh impossible to figure out where it came from. When they finally did, it was an unsourced, no details presentation, done by RIAA themselves, pass on from them to others, to studies, etc...
Just like the Academy of Tobacco Studies, the Moderation Council, and SAFTY were all unassoicated with their terrible industry overlords...
Re: (Score:2)
Ironic (Score:2)
Microsoft is calling others out on inflated numbers? Talk about the pot calling the kettle black. In 2009 people viewed BSA's $53 Billion Lost to Piracy [ecommercetimes.com] claim with a healthy dose of skepticism. So which companies are in BSA? Oh look! Microsoft, Symantec and McAffee [bsa.org] (among others).
Maybe McAfee, which TFA credits with the Trillion Dollar figure, is just applying what they've learned from their dealings with Microsoft and BSA.
Debunking of this is months old (Score:2)
I remember that woman, formerly with World Bank . (Score:2)