by Constantine von Hoffman

Cybercrime Statistics: Most of Them Are Pure Marketing Crap

Opinion

Aug 02, 2012 | 5 mins

Cybercrime, Security

Cybercrime costs the world $1 trillion? It costs American companies $250 billion a year? Who comes up with these numbers? Pro Publica proves that these frequently cited costs are indeed made up out of thin air.

Periodically I get emails from readers looking for reliable statistics about cybercrime. Because my own searches have always raised more questions than answers, I just respond: If you find some let me know. Now the investigative reporters at Pro Publica – which you really owe it to yourself to read and support – have yet more proof that these numbers are utter bovine feces.

Like me, they wondered about claims made by NSA boss Keith Alexander earlier this month that cybercrime costs the world $1 trillion. Putting a lot of faith in that number, Gen. Alexander said, “In my opinion, it’s the greatest transfer of wealth in history.”

As reporters Peter Maass and Megha Rajagopalan point out:

“He [Alexander] cited statistics from, among other sources, Symantec Corp. and McAfee Inc., which both sell software to protect computers from hackers. Crediting Symantec, he said the theft of intellectual property costs American companies $250 billion a year. He also mentioned a McAfee estimate that the global cost of cybercrime is $1 trillion. ‘That’s our future disappearing in front of us,’ he said, urging Congress to enact legislation to improve America’s cyberdefenses.”

That $1 trillion figure has been cited by a lot of people in government in claiming we need to spend more money on our cyber-bureaucracy.

Back in May, I pointed out the nonsense that lies behind these cybercrime claims. They are nonsense because they are usually based on numbers basically pulled out of someone’s random number generator. (I was going to use a single word in place of that last phrase. I’ll let you guess what it was.)

As researchers Dinei Florencio and Cormac Herley discovered, “It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable.”

While Florencio and Herley trashed most cybercrime stats en masse, the Pro Publica crew got specific and tried to find out where two of the most used numbers – $250 billion in annual losses from IP theft and the $1 trillion global cost of cybercrime – came from in the first place. Turns out not even the researchers whose work was cited as the basis for them know.

About the $250B:

“Although Symantec mentioned the $250 billion estimate in a 2011 report, “Behavioral Risk Indicators of IP Theft,” the estimate is not Symantec’s. The report mentions the figure in passing, sourcing it in a footnote to a legal paper, where, as it turns out, the $250 billion number is not mentioned at all. Eric Shaw, one of two forensic psychologists Symantec retained to research the “Behavioral Risk” report, told ProPublica the footnote was a mistake. Instead, it should have referred to a different paper that points to a 2003 speech by FBI Director Robert S. Mueller. The figure is also cited in old FBI news releases available via the Internet Archive. An agency spokeswoman said that although she believed FBI officials used a reliable source for the number, the FBI had neither developed the number nor claimed to have done so.”

Ouch.

Now for that $1 trillion figure:

“McAfee’s trillion-dollar estimate is questioned even by the three independent researchers from Purdue University which McAfee credits with analyzing the raw data from which the estimate was derived. “I was really kind of appalled when the number came out in news reports, the trillion dollars, because that was just way, way large,” said Eugene Spafford, a computer science professor at Purdue.”

Ross Anderson, another of the researchers, said:

“He did not know about the $1 trillion estimate before it was announced. “I would have objected at the time had I known about it,” he said. “The intellectual quality of this ($1 trillion number) is below abysmal.”

But wait … it gets dumber.

Sal Viveros, a McAfee public relations official who oversaw the 2009 report, said McAfee was never told by Purdue that the number could not be supported by the survey data. The company moved ahead with the news release and, Viveros noted, the trillion-dollar estimate “got a life of its own.”

It was just one of those things. Could happen to anyone.

Another great, damning quote:

“A StrategyOne spokesman, asked if the Symantec estimates could be called scientific, responded, ‘Yes, as much as any survey or poll that relies on consumers to estimate their losses based on recall.’”

And by yes, he means no.

To be clear: No one is saying that cybercrime isn’t a big problem, just that these figures are pure marketing crap.

Crime statistics – whether physical or cyber – are always problematic. At their best they only measure reported crimes. In the physical world we know crimes are under-reported because victims often don’t report them to the authorities. The victims don’t think it will do any good or, in crimes like rape, they think reporting them may be too traumatic.

Cybercrime statistics are even worse, because frequently the victims (people or companies) don’t even know they’ve been hacked, and even when they do, they don’t want anyone to know because of the possible impact on the bottom line.

Even if these figures were legit to begin with, no one ANYWHERE has come up with a way to calculate how much cybercrime actually costs companies. Want an accurate count? Go ask a unicorn.