The $1 Trillion Cybercrime Myth 94
wiredmikey sends this excerpt from SecurityWeek:
"A recent article on ProPublica dissected two commonly quoted figures about cybersecurity: $1 trillion in losses due to cybercrime itself and $388 million in IP losses for American companies. Both figures have been scrutinized and challenged by many, and viewed as typical security vendor FUD. ... The $1 trillion figure is attributed to anti-virus vendor McAfee, while the $388 million in IP losses number belongs to Symantec's Norton division. According to ProPublica, 'The report was not actually researched by Norton employees; it was outsourced to a market research firm, StrategyOne, which is owned by the public relations giant Edelman.' The problem with both of these figures — $1 trillion and $388 million — is, as Microsoft researchers pointed out earlier this year in a report fittingly titled 'Sex, Lies, and Cybercrime,' they are studded with outliers. In one example they cite that a single individual who claims $50,000 losses, in an N = 1000 person survey, is enough to extrapolate a $10 billion loss over the population. In another, one unverified claim of $7,500 in phishing losses translates into $1.5 billion over the population. The Microsoft researchers concluded: 'Are we really producing cyber-crime estimates where 75% of the estimate comes from the unverified self-reported answers of one or two people? Unfortunately, it appears so. Can any faith whatever be placed in the surveys we have? No, it appears not.'"
Of course it's made up (Score:5, Insightful)
Obviously, the $1 trillion figure is made up. The real figure is more likely in the tens of millions, maybe a little higher, but probably even less than that. The thing is, and the reason people can get away with citing a number that ridiculous, is because it is so large. People simply have no concept of scale that large. You can't hold a number that large in your head, not insofar as it applies to something real. As a pure number, sure, but not as a number of something. The human brain can comprehend tens, even thousands: but trillions are simply too large for the mind to hold, which means that as a talking point, a couple billion is about the same as a trillion for your average human: it basically just ends up meaning "a really really really lot."
If you approach rebuking the number as "well what should the number really be", you aren't countering the key point behind those figures, which is simply to express a massive quantity. If you respond by saying the number should really be in the millions, people will usually scoff at you ("no way McAfee could have been that wrong") or at best simply take the average of the two numbers, which still yields a massive number in their head. The point of such studies isn't to be scientific: it's to be rhetorical. So ultimately, to the people citing that number, it doesn't matter in the slightest if it is true, or how it was a arrived at. All it matters is they have a really big number to cite that they can say is "scientific" or "proof that we need to take action."
Re:one in a thousand (Score:4, Insightful)
Whoever did the statistical analysis should be fired.
Why should they be fired? Their job is public relations, not honesty.
Re:We trust Microsoft now? (Score:4, Insightful)
Re:Of course it's made up (Score:5, Insightful)
I get suspicious when the number reaches a significant fraction of our discretionary spending on national security/military. I think that's about $750,000,000,000 for 2012.
$1 Trillion USD is just beyond absurd. That's the same as stealing about 88% of all income tax collected from every person and company in the entire US for an entire year.
Re:Of course it's made up (Score:3, Insightful)