by Constantine von Hoffman

Norton ’12 Cybercrime Report Magically Makes $278B in Damages Disappear

Sep 06, 2012 | 4 mins
Cybercrime

Security blogger Constantine von Hoffman says Norton's 2012 cybercrime report commits a huge sin of omission and just plain doesn't make sense.

Norton released its annual cybercrime report on Wednesday, and the company put the “direct costs associated with global consumer cybercrime at US $110 billion over the past twelve months.”

Last year’s report put the total “at an annual price of $388 billion globally based on financial losses and time lost.” That’s more than the estimated value of the global black market in marijuana, cocaine and heroin combined ($288 billion), the report said.

But Norton makes no mention of the vast difference between the 2011 and 2012 numbers. Perhaps that’s because last year’s number was entirely fictitious. It was derived from one of the most amusing mathematical formulas you will ever encounter. From Norton:

“The value of time lost due to cybercrime experiences in the last year ($274 billion) is calculated as follows: Victims over past 12 months (per country) x average time cost of cybercrime (per country in US currency). Figure shown is the sum of all countries total cost.”

In other words, average time cost of cybercrime = unicorn.

As investigative reporters like ProPublica’s Peter Maass and Megha Rajagopalan have shown, there is no way to calculate that number. I asked Norton about the numbers, and I got the following response:

“Last year’s number ($388 billion) also included estimated time spent trying to resolve instances of cybercrime. This year’s report focuses solely on direct, self-reported cash amount lost over the past year due to well-defined cybercrime events.”

I have two problems with that answer: 1) It isn’t an answer; and 2) It is nowhere near as entertaining as the answer given to Maass and Rajagopalan a few months ago. When asked if Symantec’s estimates could be called scientific, a spokesman for StrategyOne (the company that did the survey) responded, “Yes, as much as any survey or poll that relies on consumers to estimate their losses based on recall.”

Now there’s a problem here even if we set aside the clearly imaginary numbers in last year’s report and just stick to the pre-magic-act figures. This year’s cost is $4 billion less than last year’s despite the fact that there are more victims. More from Norton:

“In the past twelve months, an estimated 556 million adults across the world experienced cybercrime, more than the entire population of the European Union. This figure represents 46 percent of online adults who have been victims of cybercrime in the past twelve months, on par with the findings from 2011 (45 percent).”

So the total costs decreased, even as the number of alleged victims increased? Hmmmmm.

Here’s what Norton had to say as an explanation of this phenomenon:

“The average cost of cybercrime per victim in the last 12 months has actually dropped 20 percent across 20 tracking markets but that has been offset almost entirely by the number of online adult users rising by 20 percent across PC and mobile Internet platforms.”

I read this to say:

  1. The same percentage of the population in both years was victimized.
  2. The second year’s population was 20 percent larger than the first year’s.
  3. The higher number of victims diluted the average cost per crime.

But the same percentage of a larger pool of people should result in a higher total take for the year. Instead, the total per year is $4 billion less. That means either the crooks were substantially less efficient or the victims were substantially poorer and/or better at protecting themselves.

Here’s what StrategyOne said in response:

“The assumption that the cost per victim is lower primarily because there are more people online is not necessarily true. The growing number of online users around the world is largely independent of the types of cybercrime and cyber-costs that consumers experience. The incidence of cybercrime (46 percent) in the past 12 months is virtually unchanged. What has changed is the nature of cybercrime – yes, consumers are getting better at protecting themselves on the more traditional traps of cybercrime, such as suspicious emails and attachments – but, the move to mobile and social platforms, along with consumers sharing valuable information across platforms and emails, has meant that consumers are still leaving themselves open to some basic rip-offs.”

That, unlike what was published, makes sense.

Hopefully, Norton’s security products are generally better than its reports.