One way of grabbing attention as a journalist is to take a story and adopt an unpredictable and contrary position. This seems to be what a pair of Microsoft researchers did earlier this month, when they announced in the New York Times that the cybercrime wave is a "wave that wasn't."
It would be easy to pass over this story as an aberration, were it not for the fact that it's still getting traction with some usually smart analysts like Bruce Schneier, and still being tweeted about. Since it's still with us, let's take a look at some of the authors' flawed reasoning.
According to Dinei Florêncio and Cormac Herley:
The harm experienced by users rather than the (much smaller) gain achieved by hackers is the true measure of the cybercrime problem.
That sounds reasonable, but I'd disagree. The true measure of the cybercrime problem is the threat to users, and the collateral damage it causes. (More on that momentarily.)
The authors' argument isn't the easiest to follow, but here it is in a nutshell: Estimates of the damages caused by cybercrime are derived from polling. Errors, they claim, are almost always upward, because people can exaggerate their losses to any degree they wish.
What's more, individual errors (or deliberate misstatements) are blown up when extrapolating from the poll sample to the population at large. An individual who misreports the loss of a few thousand dollars contributes millions or more to the estimated national losses, once his error is multiplied by the 200 million people in the population.
One thing that's missing from this reasoning, of course, is any estimate of the rate of misreporting. Secondly, the multiplicative effect really doesn't matter: Valid reports of loss are multiplied by the same factor. Thirdly, the assumption that errors are almost always upward is unfounded. While no one can report losses smaller than zero, any amount of losses might be going unreported, or even unnoticed.
The authors don't know what percentage of the estimated losses due to cybercrime can be attributed to misreporting. If it's 20 percent, say, then sure -- the cybercrime wave is indeed much smaller than generally supposed. But if misreporting happens at the rate of only 1 percent or 2 percent -- and if the estimate can be pushed down as well as up -- it doesn't really matter.
What's also missing is any sensitivity to the tangible corporate damage that results from cybercrime, whether or not any individuals' losses are reported at all. How many Sony customers reported instances of credit card fraud following the series of major breaches of Sony PlayStation and Entertainment network databases? I don't know, but I do know that Sony estimated the damage to be in the region of $170 million, before taking into account any actual credit card fraud as a result of the breach.
What has been the effect on Zappos's business of having 24 million customer accounts compromised? What damage have other compromised enterprises suffered? To what extent is the ever-present threat of identity theft and credit card fraud having a depressing effect on e-commerce in general?
These are questions the Microsoft researchers don't even attempt to address. While nobody has an easy solution to the cybercrime menace, juggling ineptly with the figures is not going to make it go away.
— Kim Davis, Community Editor, Internet Evolution