Oft-cited cybercrime cost estimates called out as inflated

Report highlights security vendors' built-in conflict of interest in threat reports

President Barack Obama said it in a major speech on cybersecurity. U.S. senators said it while promoting their Cyber Security Act of 2012. Gen. Keith Alexander, director of the National Security Agency and head of the U.S. Cyber Command, said it while warning of "the greatest transfer of wealth in history" through the theft of intellectual property. "It" was that the costs of cybercrime are $250 billion each year according to Symantec and $1 trillion each year accoridng to McAfee.

But those estimated costs for cybercrime are inflated, a report from the public-interest watchdog group ProPublica says. (It also notes that the widely cited $1 trillion figure was not even in the actual McAfee report, but in the press releases about it.)

[ Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

ProPublica is not alone in exposing such inflated estimates from vendors that stand to profit from creating fears about cybercrime. Computer scientists Dinei Florencio and Cormac Herley of Microsoft Research, authors of the recent paper "Sex, Lies, and Cybercrime Surveys (PDF)" recently wrote, "Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings."

The ProPublica report saus the McAfee estimate is disputed by some of those who analyzed data for the 2009 report, which was based on information gathered from a survey of 1,000 IT professionals.

Eugene Spafford, one of three independent researchers from Purdue University, told them: "I was really kind of appalled when the number came out in news reports, the trillion dollars, because that was just way, way large."

Another researcher, Ross Anderson, a security engineering professor at University of Cambridge, told ProPublica he "would have objected at the time had I known about [the $1 trillion estimate]. The intellectual quality of this is below abysmal."

"[The Symantec estimate] was indeed mentioned in a Symantec report, but it is not a Symantec number and its source remains a mystery," the report said.

Sal Viveros, a McAfee public relations official who oversaw the 2009 report, had not responded to a request for comment by the deadline for this story. But he wrote in an email to ProPublica: "We work with think tanks and universities to make sure our reports are non-biased and as accurate as possible."

Other security experts and analysts tend to agree with ProPublica, saying not only that the estimates are inflated but that any estimate from a security vendor should be treated with skepticism, because there is a built-in conflict of interest -- the worse the security risks and costs are, the better it is for their business.

In addition, industry reports are not subject to the kind of peer review that is done for academic and professional journals.

But experts are also willing to cut the companies some slack, for a couple of reasons. First, it is very difficult to estimate such things. Sometimes, companies don't even know they have been attacked. Many times, when they find out, they don't want to talk about it, lest they damage their brand. And sometimes it is difficult to know how much actual damage has occurred.

"I don't beat them up for it," said Jason Healey of the Atlantic Council and a former White House and Goldman Sachs security official. "Experts have long had trouble agreeing on estimates that are within even two orders of magnitude of each other."

Healey said the damage estimates of the first large-scale cyber incident, the Morris worm of 1988, "ranged from $200 to more than $53,000 per installation, while the most widely cited estimate of the total damage ranged from $100,000 to $10 million: two full orders of magnitude. And that was 24 years ago."

Gary McGraw, CTO of Cigital, said he suspects McAfee "followed protocol [in its report] up to the end, where they did some crazy math -- I think control got turned over to the marketing guys."

But he admits, "I've cited that [$1 trillion] number in my own work. I was writing a piece about cyberwar for a think tank. I was trying to make a point about cybercrime being worse than cyberwar -- which the risks of cyberwar were exaggerated, and cybercrime was worse. How's that for irony?"

There are other reasons that estimates are difficult. In a recent paper called "Measuring the Cost of Cyber Crime," done for the U.K. Ministry of Defense, the authors listed a chart that suggested the annual cost of worldwide cybercrime was about $225 billion -- less than 25 percent of the McAfee estimate.

But the authors included a host of caveats, including: "There are over 100 sources of data on cybercrime, yet the available statistics are still insufficient and fragmented; they suffer from under- and over-reporting, depending on who collected them, and the errors may be both intentional (e.g., vendors and security agencies playing up threats) and unintentional (e.g., response effects or sampling bias)."

They also note that there are differences between direct and indirect costs. Indeed, the group even refuses to add up its own figures to report a total, noting that "many of these are extremely rough estimates -- we believe it is entirely misleading to provide totals lest they be quoted out of context, without all the caveats and cautions that we have provided."

In short, they are much more cautious than either McAfee or Symantec.

But the other reason some experts are willing to grant those companies some leeway is because, whatever the precise number is, it is a very big one. Indeed, there are daily stories about data breaches -- the recent hack of Dropbox that resulted in the theft of user names and passwords is just one of the more recent.

NetBenefit reported research by software vendor SecurityCoverage that found the number of pieces of information illegally sold during the first quarter of 2012 was up 67 percent from 2010 figures.

"It's not good to inflate estimates," Gary McGraw said. "But cybercrime is a huge problem. You can talk about cyberespionage and cyberwar, but cybercrime is worse than those."

The solution is to "build stuff right," he said. "If we did that, it would reduce the probability of war, cut down on espionage and take a bite out of crime."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

This story, "Oft-cited cybercrime cost estimates called out as inflated" was originally published by CSO.