Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Stats Microsoft Security News

The $1 Trillion Cybercrime Myth 94

wiredmikey sends this excerpt from SecurityWeek: "A recent article on ProPublica dissected two commonly quoted figures about cybersecurity: $1 trillion in losses due to cybercrime itself and $388 million in IP losses for American companies. Both figures have been scrutinized and challenged by many, and viewed as typical security vendor FUD. ... The $1 trillion figure is attributed to anti-virus vendor McAfee, while the $388 million in IP losses number belongs to Symantec's Norton division. According to ProPublica, 'The report was not actually researched by Norton employees; it was outsourced to a market research firm, StrategyOne, which is owned by the public relations giant Edelman.' The problem with both of these figures — $1 trillion and $388 million — is, as Microsoft researchers pointed out earlier this year in a report fittingly titled 'Sex, Lies, and Cybercrime,' they are studded with outliers. In one example they cite that a single individual who claims $50,000 losses, in an N = 1000 person survey, is enough to extrapolate a $10 billion loss over the population. In another, one unverified claim of $7,500 in phishing losses translates into $1.5 billion over the population. The Microsoft researchers concluded: 'Are we really producing cyber-crime estimates where 75% of the estimate comes from the unverified self-reported answers of one or two people? Unfortunately, it appears so. Can any faith whatever be placed in the surveys we have? No, it appears not.'"
This discussion has been archived. No new comments can be posted.

The $1 Trillion Cybercrime Myth

Comments Filter:
  • by Anonymous Coward

    Hah, won't get it with your logged in account now will you!

    http://xkcd.com/605/ [xkcd.com]

  • by zlives ( 2009072 ) on Friday August 03, 2012 @02:29PM (#40871035)

    i once lost 1.21 jiggawatts in a time travel scam...

  • by Baloroth ( 2370816 ) on Friday August 03, 2012 @02:32PM (#40871075)

    Obviously, the $1 trillion figure is made up. The real figure is more likely in the tens of millions, maybe a little higher, but probably even less than that. The thing is, and the reason people can get away with citing a number that ridiculous, is because it is so large. People simply have no concept of scale that large. You can't hold a number that large in your head, not insofar as it applies to something real. As a pure number, sure, but not as a number of something. The human brain can comprehend tens, even thousands: but trillions are simply too large for the mind to hold, which means that as a talking point, a couple billion is about the same as a trillion for your average human: it basically just ends up meaning "a really really really lot."

    If you approach rebuking the number as "well what should the number really be", you aren't countering the key point behind those figures, which is simply to express a massive quantity. If you respond by saying the number should really be in the millions, people will usually scoff at you ("no way McAfee could have been that wrong") or at best simply take the average of the two numbers, which still yields a massive number in their head. The point of such studies isn't to be scientific: it's to be rhetorical. So ultimately, to the people citing that number, it doesn't matter in the slightest if it is true, or how it was a arrived at. All it matters is they have a really big number to cite that they can say is "scientific" or "proof that we need to take action."

    • by Anonymous Coward on Friday August 03, 2012 @03:02PM (#40871429)

      I get suspicious when the number reaches a significant fraction of our discretionary spending on national security/military. I think that's about $750,000,000,000 for 2012.

      $1 Trillion USD is just beyond absurd. That's the same as stealing about 88% of all income tax collected from every person and company in the entire US for an entire year.

    • Re: (Score:3, Insightful)

      by TuomasK ( 631731 )
      Exactly! Lets think it in seconds: 1 million seconds was 12 days ago. 1 billion seconds ago it was the 1980's. 1 trillion seconds ago neanderthal's walked on earth.
      • by Anonymous Coward

        Million Seconds: 11.0000 Days
        Billion Seconds: 31.6879 Years
        Trillion Seconds: 3168.8088 Centuries

        I love how simple this is in C

    • If the losses are really only in the millions, how is there a market for zero-day exploits of ~$50k each? To engage in your average criminal activity, you need at least a 10:1 payout for something low-risk logically. If the packaged exploit is half the cost of executing the scam, your average zero-day should gross $1MM. Isn't it easier to skim $100k from a brokerage account than mine bit coins?

      Of course, your average criminal isn't too good at math, but it hardly seems that difficult to cast a big enough

    • by PopeRatzo ( 965947 ) on Friday August 03, 2012 @03:36PM (#40871793) Journal

      Obviously, the $1 trillion figure is made up. The real figure is more likely in the tens of millions, maybe a little higher, but probably even less than that.

      Wait a minute now. The derivatives market by itself, is close to $800Trillion. That's "trillion" with a "T" and represents a sum that equals many times more than the GDP of the entire world.

      The manipulation of Libor and stealing by simply timing the rate changes could easily have represented $1Trillion in crime.

      Add to that the investment banks using their position to do high-frequency trading, in effect "peeking" at their customer transactions to jump in front (yes, that's a crime) and all the rest of the straight up fraud and theft that is being perpetrated by the big banks thanks to their proximity to the Federal Reserve and we've left $1Trillion in cybercrime about five miles back.

      You make the mistake of thinking that "cybercrime" can only be Balkan hackers or credit card scammers - small time fraudsters. The real cybercrime is being perpetrated by our financial elite on a scale that makes them absolutely untouchable - out of the reach of any government. Hell, the medicare fraud by the company owned by the governor of Florida, Rick Scott, caused them to pay a fine of a billion dollars, which means the amount they stole using their computer medicare billing system is well over that amount. That's certainly cyber-crime.

      Then look at the $27trillion being held illegally off-shore by American citizens to evade taxes (also a crime and also made possible thanks to computers) and the figure of what could be called "cybercrime" adds up to more than the total GDP of the United States and Japan combined. To give you an idea of the impunity with which this illegal (as in crime) activity is engaged, one of the people who almost certainly took advantage of the 2009 amnesty by which these tax cheats could repatriate their money to the US without facing criminal prosecution is now running for president.

      • Stock flow error.
      • If you just take the cases of cybercrime that the biggest banks have already settled with the Justice Department, you get way over $1trillion.

        It's silly to think that the $1 trillion figure is "made up". Just look at the deal that's being cut in regard to the massive amount of mortgage fraud. The amounts there are what, 700, 800 million dollars?

        Of course, the lawyers tell their clients, when settling for pennies on the dollar, to "admit no wrongdoing" but to pay up anyway because they committed the crimes

        • The amounts there are what, 700, 800 million dollars?

          I'm sorry, that should be "billion" with a "b".

          These numbers get so big that I can barely keep them straight.

          I can't even remember what comes after "trillion". Is it "quadrillion"? Well the derivatives market, that shadow market that is tied to absolutely nothing real - not equities, not bonds, stocks, nothing but money in the hands of a tiny number of people, nothing that adds a goddamn thing to society, and we're bumping right up against that quadrill

    • by johnnyb ( 4816 ) <jonathan@bartlettpublishing.com> on Friday August 03, 2012 @04:08PM (#40872201) Homepage

      The real way to compute cybercrime numbers:

      1) number of copies of Norton sold * price
      2) number of copies of McAfee sold * price
      3) number of copies of Windows sold * price
      4) number of copies of MS Office sold * price

      Adding up 1-4 will give a good estimate of cybercrime. We should probably add in an additional $10 million to also cover phishing scams.

    • by Hatta ( 162192 )

      If you work with very large and very small numbers on a regular basis, you can indeed hold a number that large in your head. Exponents are not that abstract.

    • by Anonymous Coward

      You are quite wrong. The discrete quantities the human brain can quickly recognize are much smaller than that.

      Think of people in a room; you enter a room and you see 3 people. You don't have to think for a second, you know it's 3 people, instantly. The same with 4. Perhaps 5. After 6 people, you might not realize, but, as you count them, you'll probably be counting in groups of 3 or 4. Everything above 6 or 7 you only estimate (e.g.: "there were *about* 15 people in that room"), unless you actually take tim

  • one in a thousand (Score:5, Interesting)

    by RichMan ( 8097 ) on Friday August 03, 2012 @02:33PM (#40871079)

    Throw that one guy out as a strange "outlier" and the number is zero. That is more believeable.

    Lies, damn lies and statistics. Grarbage in garbage out.

    If it was only one person out of a full one thousand sample then the sample size is way to small to be statistically significant. Whoever did the statistical analysis should be fired. With that low a report rate you don't know it is 1/1e6 or 1/1e9 and you just got unlucky in the sample.

    • by SJester ( 1676058 ) on Friday August 03, 2012 @02:36PM (#40871131) Journal

      Whoever did the statistical analysis should be fired.

      Why should they be fired? Their job is public relations, not honesty.

      • by haruchai ( 17472 )

        There's no reason for those 2 things to be exclusionary

      • Why should they be fired? Their job is public relations, not honesty.

        You're part of the problem. Lies and fraud should not be tolerated, regardless of whether it's someone's "job". It's wrong, and causes damage to society by misleading people and ultimately tricking them into parting with their money.

    • by ceoyoyo ( 59147 )

      Clearly nobody actually did a statistical analysis.

      In fact, an outlier that large, in two different samples, suggests foul play. Perhaps the number was far too small so they had to slip in a ringer.

  • It is not only cyber-crime estimates that are coming from one or two self-reported unverified people. All the economy related numbers are made up, reverse engineered, adjusted to fit the narrative of the political power.

    1 Trillion USD losses to cyber-crime? So taking the 15 Trillion GDP figure at face value (which you must not make mistake of doing), it means that over 6% of the GDP is lost due to all this 'cyber-crime'. 6%. The entire USA agriculture sector is 4% of the reported GDP.

  • by logicassasin ( 318009 ) on Friday August 03, 2012 @02:36PM (#40871125)

    The RIAA and MPAA both use similar voodoo-comic book math techniques to justify their "losses" to cybercrime (illegal downloads).

  • by Anonymous Coward

    Security software vendors exaggerate business' losses due to cybercrime! Who would've thought....?

  • by sl4shd0rk ( 755837 ) on Friday August 03, 2012 @02:44PM (#40871213)

    "Up to $1 Trillion in losses[1] and "$388 million in IP losses[2]"

    [1] - someguysblog.com
    [2] - foxnews.com

  • Your summary of " $388 million in IP losses for American companies" was actually $388 Billion, and it was in total cybercrime losses in the USA (including time lost due to outages/delays)

    "Symantec [placed] cybercrime’s [US] total cost, factoring in time lost, at $388 billion".

    You keep making errors like that and ProPublica is going to come after YOU next.

  • Gee, why don't we just outsource calculations like these directly to Wall Street, or Phillip Morris, or R.J Reynolds?
  • Something like, $1 trillion with a 90% confidence interval of [$1000, $2 trillion] would have been completely honest :-) (this is the kind of confidence interval you would get using the bootstrap method on the kind of data they describe, i.e. data with one huge outlier).
  • If they are including spyware/virus in their "cybercrime" definition, the numbers make sense.

    Consider this:

    I've got a customer who had two of their machines taken out by viruses. At a billable rate of $180/hour, it took approximately 10-12 hours to try the cleaning solutions (which of course did not work) and then reformat and reinstall Windows and the five-million updates to updates to updates. So that's just two occurrences in one week costing the client $4,000.00 for actions due in large part to whoever

    • ... sheesh, they could have found a guy on Craigslist that would have immediately jumped to the "gotta reinstall windows" solution for $40 a pop.

      "Just the annual cost for this one company alone could justify extrapolating the seemingly over-inflated costs of cybercrime."

      No, your overinflated $180/hr billing rate is as much to blame for this one as does milking the client for money. Seriously, as someone that does AV cleanup as part of my security duties for a large global company I gotta call bullshit on yo

      • First, my hourly rate is cheap when compared with the rest of the industry averaging $250/hour. But never mind that, how exactly do you expect to run virus scans (60-120 minutes), apply supposed fixes (60 minutes), re-run scans to see if fixes worked (60-120), backup user data and email (30-60 minutes), reformat and reinstall windows (60-120 minutes depending on the speed of the machine), download updates (60-120 minutes), install SP3 (60 minutes), download more updates (60-120 minutes), reinstall antiviru

        • ... enough to show me just how bad you are at your job. Your industry average of $250/hr is complete bs; a number pulled out of your ass to justify raping this company due to their own ignorance. I understand, it's your cash cow and you will do anything to protect your interests, but right now you look like a used car salesman from the 80's; lying to the customer just to make a buck.

          • I've been in this business for 30 years. How long have you been operating your own consulting firm? How many competitors do you have to be price competitive with?

            Grow up and join the real world.

            The only place you can get consultants for less than $150 per hour are from India and that is for remote support only.

            • ............or Craigslist.....LOL.
            • ... no matter what you say, or how you try to justify it, you're still giving it to them with no Vaseline or even so much as a reach around or peck on the cheek. The only reason you're still in business is because you found a sucker of a company and are milking them to make your BMW payments.

              One can get an H1B Indian consultant to stand up an SAP BobJ instance on SUSE 10 for around $160/hr right now and he/she will sit in your office to do the job, you can get them for that much to do a wide range of things

              • Sorry! No more food here Mr. Troll!
              • I do agree, that his rate seems to be a bit inflated, especially if he has an ongoing relationship with his client.

                But "Robert Half"? What is that? Some kind of Temp agency? Do their Temps come with their own CD/DVDs? USB backup drives? Will they come with their own rescue/toolkit USB sticks? Or will the Temp have to Google his way out of your predicament? And will the Temp have to rely on you for finding your installation CDs/DVDs?

                And every time you call this Robert Half agency, will the same exact person

        • by kcitren ( 72383 )
          You've supported this company for years and still haven't made a standard system image? I guess if they don't know any better it's a nice way to milk your customers. Good job, you make us all look great. And what company over 5 people buys machines with bloatware? They going into Bestbuy?
          • Up until last year, they had their own inside IT person who was from the mainframe world and was a bit out of her element. They have 50 people and 49 different workstations. Not my choice. Not my sale. They have been buying onesy/twosy machines since slooooooowly transitioning from Wyse serial terminals into the PC world.

            Most of the people who commented on this portion of the main post should really sit down and watch Glengarry, Glenn Ross: "Never open your mouth when you don't know the shot". Jesus Ch

    • 50 people and they have 3-4 incidents a month? Sounds like they need to fire you and hire a real IT person - somebody that knows what they are doing and charges a decent rate.
      • Why should the fire me?

        Rather than be a smart aleck, what would you do if: you warned the customer's about the specific viruses they're getting hit with, your warned them of the insufficiency of their current antivirus, you repeatedly told them that we have to upgrade from Outlook Express to a real email program, you warn that they need a much more reliable and secure email server with modern filtering capabilities, and they refuse to acquiesce to any of those recommendations?

        Would you take it upon yoursel

  • I work for a company that analyzes transactions and detects account takeovers and thefts at banks. Banks call us when they suffer a loss or series of losses. When they call us these losses are typically over $300,000 and the largest attack we've seen is for about $1.5M. We do NOT deal with the biggest banks, mostly regional and local banks. In case you didn't know, there are about 15,000 banks and credit unions in the U.S., so there are a lot of targets for criminals. Not all these banks have assets worth s

    • by gl4ss ( 559668 )

      you know, even one billion dollars is pretty far from one trillion dollars.
      by the way this cybercrime doesn't include apparently wire fraud, which certainly existed before "cyber" as well.

      this one trillion dollars isn't mainly even based on real dollars the companies held in their hands, but on IMAGINARY POTENTIAL PROPERTY value. they estimate that their new widget is worth 23 millions and that they lost that due to breach and that would have been included in the study, never mind that there weren't enough

  • by DarthVain ( 724186 ) on Friday August 03, 2012 @03:38PM (#40871807)

    RIAA have this science down pat. I mean they sued Limewire for 51$ Trillion dollars! (insert pinky)

    All these companies come up with BS numbers to push their own agenda. Oh and you can bet every study done by the MPAA and RIAA, were all done by "independent" sources... I mean I recall a number used for piracy being used in Canadian lobby, that was so self refreential it was neigh impossible to figure out where it came from. When they finally did, it was an unsourced, no details presentation, done by RIAA themselves, pass on from them to others, to studies, etc...

    Just like the Academy of Tobacco Studies, the Moderation Council, and SAFTY were all unassoicated with their terrible industry overlords...

  • Microsoft is calling others out on inflated numbers? Talk about the pot calling the kettle black. In 2009 people viewed BSA's $53 Billion Lost to Piracy [ecommercetimes.com] claim with a healthy dose of skepticism. So which companies are in BSA? Oh look! Microsoft, Symantec and McAffee [bsa.org] (among others).

    Maybe McAfee, which TFA credits with the Trillion Dollar figure, is just applying what they've learned from their dealings with Microsoft and BSA.

  • . . .a UK citizen, last I heard she was with the state gov't of Colorado, who pulled a hundreds of billions of dollars figure out of her butt while she was at some talk in Saudi Arabia --- pure BS as she was and probably still isn't -- at her age -- any type of computer science industry expert, etc. Frequently repeated, with no validation nor verification whatsoever --- typical of the Amerikan non-media.

"I prefer the blunted cudgels of the followers of the Serpent God." -- Sean Doran the Younger