A statistical analysis of cybercrime damage studies by two economists found that every single report was subject to upward bias.
A cybercrime taking place. Oh, whoops! Nevermind. This is just money photoshopped onto a computer monitor. Image: Alexis Madrigal/Digital manipulation of Reuters.
Estimates of cybercrime tend to be huge. Really, really huge. A recent study pegged the losses from cybercrime to companies at one trillion dollars. By comparison, the entire illegal global drug trade may total out a few hundred billion dollars, according to the UN. So, what cybercrime studies are saying is that the cybercrime market is several times larger than all the cocaine, heroin, meth, and pot sold across the entire globe.
These estimates strain credulity. Could cybercrime really be such a big deal? But put the word cyber before anything and everything goes haywire: Cyberwar! Cybersecurity! Cyberblinders! We all know the Internet is a big deal, so therefore crime on the Internet must be a big deal, right?
Well, finally, two economists, Dinei Florencio and Cormac Herley, came along to think about these supposed cybercrime harm estimates. What did they find? I'll let them tell you, via their editorial in the New York Times:
It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable. Most cybercrime estimates are based on surveys of consumers and companies. They borrow credibility from election polls, which we have learned to trust. However, when extrapolating from a surveyed group to the overall population, there is an enormous difference between preference questions (which are used in election polls) and numerical questions (as in cybercrime surveys).
In one case, a single person's $25,000 loss from a cybercrime could add $1 billion to a national estimate of cybercrime. In another case, two individuals' estimates added $37 billion to the overall calculation. And every single survey the economists looked at displayed structural flaws that gave them an upward bias.
That cybercrime would not be a horrible global scourge of triple the magnitude of the drug war makes "otherwise puzzling" facts make sense. "Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren't any," they explain. "Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply."
That these studies would be bunk stands to reason, Florencio and Herley argue, because economically, if there was such a boom going on, more people would rush in to push down average returns and deter people from that particular kind of activity. "Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing," they write. "Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward."
How'd so many estimates keep getting cybersecurity wrong? Anyone who cared about cybersecurity -- particularly those whose livelihoods depend on it -- had no reason to take down the inflated numbers. I'd also guess that many analysts weren't interested in being too far away from the mean of the estimates that came before them. Besides, cybercrime is a real problem for many companies and individuals, so the anecdotes could stand in for what the statistics could not actually support.
It's not the first time that cybersomething hype has come under attack. A recent Wired Opinion column called out the bipartisan cybersecurity hype. Cato's Jim Harper voiced similar concerns. Foreign Policy's recently put out a cyberwar takedown and similar concerns are circulating in some academic quarters as well. But I can't recall this kind of statistical takedown of the topline numbers -- and logic -- of the people who are hyping cyberthreats.
More From The Atlantic