wiredmikey sends this excerpt from SecurityWeek:
"A recent article on ProPublica dissected two commonly quoted figures about cybersecurity: $1 trillion in losses due to cybercrime itself and $388 million in IP losses for American companies. Both figures have been scrutinized and challenged by many, and viewed as typical security vendor FUD. ... The $1 trillion figure is attributed to anti-virus vendor McAfee, while the $388 million in IP losses number belongs to Symantec's Norton division. According to ProPublica, 'The report was not actually researched by Norton employees; it was outsourced to a market research firm, StrategyOne, which is owned by the public relations giant Edelman.' The problem with both of these figures — $1 trillion and $388 million — is, as Microsoft researchers pointed out earlier this year in a report fittingly titled 'Sex, Lies, and Cybercrime,' they are studded with outliers. In one example they cite that a single individual who claims $50,000 losses, in an N = 1000 person survey, is enough to extrapolate a $10 billion loss over the population. In another, one unverified claim of $7,500 in phishing losses translates into $1.5 billion over the population. The Microsoft researchers concluded: 'Are we really producing cyber-crime estimates where 75% of the estimate comes from the unverified self-reported answers of one or two people? Unfortunately, it appears so. Can any faith whatever be placed in the surveys we have? No, it appears not.'"