If you follow computer security and have a good memory, you might remember a story from early 2009 that claimed cyber crime costs businesses as much as $1 trillion in just one year -- that's "trillion" with a "t." The version I saw was by Cnet writer Elinor Mills, whom I've always considered quite reliable. Somehow, her reporter's BS detector didn't go off, and she regurgitated that wild assertion by McAfee, a company that makes a living selling security products and services.
I had forgotten about that story until I came across a study by two Microsoft researchers who took the trouble to look hard at the facts behind the cyber crime scare stories, which persist to this day. Their paper, with the appealingly sensational title of "Sex, Lies and Cybercrime Surveys," is a rigorous debunking of the wildly inflated claims spread by security companies, law enforcement, and credulous journalists.
I don't mean to pick on McAfee or Mills, but as I've written more than once, neither IT nor the public benefits from security scare stories. Indeed, the more security companies cry wolf, the less likely it is that well-founded warnings will be heeded.
Consider how much money we're talking about when McAfee claims that cyber crime costs $1 trillion a year. The requested federal defense budget for the United States for fiscal year 2013 is just (!) $525.4 billion. The total profits derived from the global trade in illegal drugs were pegged at $600 billion by the International Monetary Fund in 2010.
Is cyber crime really a bigger source of revenue than the drug trade? Hard to believe.
Enter Dinei Florencio and Cormac Herley, the authors of the Microsoft study, who say, "One recent estimate placed annual direct consumer losses [from cyber crime] at $114 billion worldwide. It turns out, however, that such widely circulated cyber crime estimates are generated using absurdly bad statistical methods, making them wholly unreliable."
You'll notice that the figure they call wholly unreliable is just one-tenth the size of the McAfee assertion.







