Errors, Outliers Obscure Cybercrime Losses

2012-04-17T18:33:53
ID THREATPOST:17AC167B3F04D3043199819655CB5EB8
Type threatpost
Reporter Chris Brook
Modified 2013-04-17T16:32:26

Description

Estimates of the extent of cyber crime are hopelessly overblown, two computer security researchers argue in an editorial from Sunday’s New York Times.

Arguing against the prevailing view that online crime is a modern-day Yukon Gold Rush for entrepreneurial hackers, the two Microsoft researchers say the evidence suggests that only a sliver of the world’s cyber crooks get rich from their illegal activity, while most struggle to make it.

“If getting rich were as simple as downloading and running software, wouldn’t more people do it?” researchers Dinei Florêncio and Cormac Herley ask in their Times editorial, “The Cybercrime Wave That Wasn’t.”

The editorial synthesizes the findings of a raft of research from Herley and his colleagues that casts doubt on estimates of the size of the cyber underground – many of which were funded by private security firms with an interest in making cyber crime appear to be a large and pressing problem.

The two studied surveys of cyber crime affecting consumers and companies. They conclude that estimates of cyber crime losses make a number of common errors when extrapolating the extent of global cyber criminal activity. Surveys, for example, mistakenly ratchet up the numbers when they scale small survey groups to the overall population. The two also single out the adverse effect that ‘unverified outliers’ can have on the data: in their analysis, 90 percent of the estimates were skewed by the input of one or two individuals. “Upward bias” – a tendency to overstate a general phenomenon on the basis of statistical evidence – permeated all of the surveys the two looked at, according to the piece.
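As an added illustration (not part of the original article or the researchers’ paper), the following Python sketch uses constructed survey numbers to show how a single unverified outlier response, scaled up to the whole population, can supply nearly the entire loss estimate:

```python
# Added illustration of the survey-extrapolation flaw described above.
# All survey figures and the population size are constructed for the example.
from statistics import mean


def extrapolate_total(sample_losses, population_size):
    """Naive scaling used by many surveys: mean loss per respondent x population."""
    return mean(sample_losses) * population_size


def top_k_share(sample_losses, k=2):
    """Fraction of the sample's reported losses that come from its k largest responses."""
    ranked = sorted(sample_losses, reverse=True)
    total = sum(sample_losses)
    return sum(ranked[:k]) / total if total else 0.0


def trimmed_total(sample_losses, population_size, drop_top=1):
    """Same scaling after discarding the drop_top largest (unverified) responses."""
    ranked = sorted(sample_losses, reverse=True)
    return extrapolate_total(ranked[drop_top:], population_size)


def dominated_by_few(sample_losses, k=2, threshold=0.9):
    """True when k respondents account for at least `threshold` of the sample's losses."""
    return top_k_share(sample_losses, k) >= threshold


# Constructed survey: 1,000 respondents, 990 report no loss, 9 report $100,
# and one reports $50,000 that nobody verified. Population: 200 million.
SAMPLE = [0] * 990 + [100] * 9 + [50_000]
POPULATION = 200_000_000

if __name__ == "__main__":
    naive = extrapolate_total(SAMPLE, POPULATION)
    trimmed = trimmed_total(SAMPLE, POPULATION, drop_top=1)
    print(f"naive estimate:     ${naive:,.0f}")    # about $10.2 billion
    print(f"without 1 outlier:  ${trimmed:,.0f}")  # about $180 million
    print(f"share from top 2:   {top_k_share(SAMPLE):.1%}")
    print(f"dominated by few:   {dominated_by_few(SAMPLE)}")
```

Dropping one respondent moves the headline figure by nearly two orders of magnitude, which is the sensitivity the editorial is describing.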

The editorial draws from a paper by Herley and Florêncio, “Sex, Lies and Cyber-crime Surveys,” in which the two researchers reasoned that cyber crime surveys are “so compromised and biased that no faith whatever can be placed in their findings.” When the research was published, the duo called their assessment harsh but insisted that, when it comes to security research, unreliable data is simply masquerading as reliable data.

The argument echoes views that Herley, a principal researcher at Microsoft, has expressed before. In 2009, Herley challenged the notion that the size and vitality of the underground cyber crime community are forces to be reckoned with.

In a June 2009 podcast with Threatpost editor Dennis Fisher, still relevant today, Herley argued that it’s hard to get an accurate reading on some security metrics and that the value of the underground economy was being oversold.

In a recent article for IEEE Security and Privacy magazine, Herley took a similarly contrarian stance against popular coverage of banking fraud, noting that money mules, not account holders, were the primary victims of online bank heists.