Wednesday May 22


Lies, Damned Lies & Cybercrime Statistics


Reports on some aspect or other of cybercrime are highlighted in the press and in dozens of blogs on a daily basis. Whether it is phishing, botnets, or ID theft, what is the truth behind the numbers? Where are the real figures?

You may be forgiven if you're confused over the plethora of conflicting reports and contrasting figures out there. In fact, if you are still interested enough to continue reading Internet-security-related articles in the press, you are doing well. To the cynically minded it could seem that some of the statistics produced are meant to be attention-grabbing, even though such tactics often prove to be counterproductive.

Even more worrying, however, is a sense that some statistics are leveled at lobbying for government funding, corporate gain, or media hype rather than having any base in reality.

So when we read that cyber attacks can result in company losses of $6 million a day, is it any wonder that skepticism sets in?

Skepticism isn't helped when the supplier of the figures, the well-respected security organization McAfee Inc. (NYSE: MFE), itself states that the figures are a "rough measure of executive opinion" and are "not designed to be a statistically valid opinion poll."

Hmmm, figures such as these are widely circulated, popularized, and finally accepted as "the figure" without, seemingly, any quantifiable basis. Perhaps this is best summarized by a highly respected editor I know, who said on this very topic: "The issue of security vendor-sponsored research has always bothered me, the sound of a commercial axe being ground almost always deafening."

So how many other figures out there are based upon nothing more than guesstimates? Well, from a personal perspective, the answer is far more than I realized.

Take the serious subject of identity fraud as one example: A well-known research organization, Javelin Strategy and Research, backed by more than one leading consumer group, surveyed a selected sample of 5,000 citizens to arrive at an estimated 11 million-plus victims. [Note: the full report will cost you $3,000!]

The Federal Trade Commission, on the other hand, received 278,078 actual complaints from victims of ID theft. Compare that to the FBI's IC3 report for 2009 (just out), which shows 336,655 complaint submissions.

Using the FBI's report, the loss per victim equates to $1,660. ID theft accounts for 14 percent of all reported Internet crime, so applying that share to the FBI's complaints gives a total of 47,132 victims.

So just to demonstrate the differences in data for ID theft for 2009: Javelin reports potential losses of $1.8 billion; the FTC estimates $461 million; and the FBI, $78 million.

Of course, a stark comparison here is hardly fair, as not all cases of ID theft will be reported to the FTC or FBI. But how can such a wide discrepancy be explained?

Credit card fraud, we are told, is a huge and specific problem, so accurate figures should be readily available. Well, not exactly. Once again, the FTC has received significantly fewer complaints -- 31,928, at a potential cost of $71.8 million. The Aite Group, which bills itself as the "leading industry expert" in banking, securities, and investments, quotes $8.6 billion as the annual US card fraud cost.

Not all comparisons fail quite so miserably, though. Statistics on phishing seem to be fairly consistent, at least for the second half of 2009. Both Cyveillance and the Anti-Phishing Working Group have encouragingly similar results, with 2009 incident figures of 219,360 and 208,011, respectively.

The problem of quantification is illustrated by Trusteer Ltd.'s valiant attempt, where 1 million banking customers were tracked, but the accumulated losses could only be expressed as being between $2.4 million and $9.4 million. Therefore, with an estimated 200 million users of online banking worldwide, the potential range could be anywhere between $480 million and $1.9 billion -- more than the usually acceptable statistical difference.

So what are the best places to get numbers? The simplest approach for data breaches and related exposed data can be found at the Identity Theft Resource Center, where a no-frills download with no corporate hype or lobbying gives a list of breaches and associated totals.

Here we see that for 2009, the number of data breaches equaled 498, and the number of records exposed equaled 222,477,043.

So in conclusion, it would appear the only accurate and consistent analysis we have available shows us how many of our records have been exposed. Unfortunately, the only other statistics are based on complaints, or limited-sample surveys rather than real data. What we still need is a reliable and independent data source(s) to bring these figures together, free from any hype.

Jart Armin