[Infowarrior] - Fwd: The Cybercrime Wave That Wasn’t

Richard Forno rforno at infowarrior.org
Sun Apr 15 18:02:43 CDT 2012



Begin forwarded message:

> From: Simon 
> 
> The Cybercrime Wave That Wasn’t
> By DINEI FLORÊNCIO and CORMAC HERLEY
> Published: April 14, 2012
> 
> http://www.nytimes.com/2012/04/15/opinion/sunday/the-cybercrime-wave-that-wasnt.html
> 
> In less than 15 years, cybercrime has moved from obscurity to the
> spotlight of consumer, corporate and national security concerns.
> Popular accounts suggest that cybercrime is large, rapidly growing,
> profitable and highly evolved; annual loss estimates range from
> billions to nearly $1 trillion. While other industries stagger under
> the weight of recession, in cybercrime, business is apparently
> booming.
> 
> Yet in terms of economics, there’s something very wrong with this
> picture. Generally the demand for easy money outstrips supply. Is
> cybercrime an exception? If getting rich were as simple as downloading
> and running software, wouldn’t more people do it, and thus drive down
> returns?
> 
> We have examined cybercrime from an economics standpoint and found a
> story at odds with the conventional wisdom. A few criminals do well,
> but cybercrime is a relentless, low-profit struggle for the majority.
> Spamming, stealing passwords or pillaging bank accounts might appear a
> perfect business. Cybercriminals can be thousands of miles from the
> scene of the crime, they can download everything they need online, and
> there’s little training or capital outlay required. Almost anyone can
> do it.
> 
> Well, not really. Structurally, the economics of cybercrimes like spam
> and password-stealing are the same as those of fishing. Economics long
> ago established that common-access resources make for bad business
> opportunities. No matter how large the original opportunity, new
> entrants continue to arrive, driving the average return ever downward.
> Just as unregulated fish stocks are driven to exhaustion, there is
> never enough “easy money” to go around.
> 
> How do we reconcile this view with stories that cybercrime rivals the
> global drug trade in size? One recent estimate placed annual direct
> consumer losses at $114 billion worldwide. It turns out, however, that
> such widely circulated cybercrime estimates are generated using
> absurdly bad statistical methods, making them wholly unreliable.
> 
> Most cybercrime estimates are based on surveys of consumers and
> companies. They borrow credibility from election polls, which we have
> learned to trust. However, when extrapolating from a surveyed group to
> the overall population, there is an enormous difference between
> preference questions (which are used in election polls) and numerical
> questions (as in cybercrime surveys).
> 
> For one thing, in numeric surveys, errors are almost always upward:
> since the amounts of estimated losses must be positive, there’s no
> limit on the upside, but zero is a hard limit on the downside. As a
> consequence, respondent errors — or outright lies — cannot be canceled
> out. Even worse, errors get amplified when researchers scale between
> the survey group and the overall population.
> 
> Suppose we asked 5,000 people to report their cybercrime losses, which
> we will then extrapolate over a population of 200 million. Every
> dollar claimed gets multiplied by 40,000. A single individual who
> falsely claims $25,000 in losses adds a spurious $1 billion to the
> estimate. And since no one can claim negative losses, the error can’t
> be canceled.
> 
> THE cybercrime surveys we have examined exhibit exactly this pattern
> of enormous, unverified outliers dominating the data. In some, 90
> percent of the estimate appears to come from the answers of one or two
> individuals. In a 2006 survey of identity theft by the Federal Trade
> Commission, two respondents gave answers that would have added $37
> billion to the estimate, dwarfing that of all other respondents
> combined.
> 
> This is not simply a failure to achieve perfection or a matter of a
> few percentage points; it is the rule, rather than the exception.
> Among dozens of surveys, from security vendors, industry analysts and
> government agencies, we have not found one that appears free of this
> upward bias. As a result, we have very little idea of the size of
> cybercrime losses.
> 
> A cybercrime where profits are slim and competition is ruthless also
> offers simple explanations of facts that are otherwise puzzling.
> Credentials and stolen credit-card numbers are offered for sale at
> pennies on the dollar for the simple reason that they are hard to
> monetize. Cybercrime billionaires are hard to locate because there
> aren’t any. Few people know anyone who has lost substantial money
> because victims are far rarer than the exaggerated estimates would
> imply.
> 
> Of course, this is not a zero-sum game: the difficulty of getting rich
> for bad guys doesn’t imply that the consequences are small for good
> guys. Profit estimates may be enormously exaggerated, but it would be
> a mistake not to consider cybercrime a serious problem.
> 
> Those who’ve had their computers infected with malware or had their
> e-mail passwords stolen know that cleaning up the mess dwarfs any
> benefit received by hackers. Many measures that tax the overall
> population, from baroque password policies to pop-up warnings to
> “prove you are human” tests, wouldn’t be necessary if cybercriminals
> weren’t constantly abusing the system.
> 
> Still, that doesn’t mean exaggerated loss estimates should be
> acceptable. Rather, there needs to be a new focus on how consumers and
> policy makers assess the problem.
> 
> The harm experienced by users rather than the (much smaller) gain
> achieved by hackers is the true measure of the cybercrime problem.
> Surveys that perpetuate the myth that cybercrime makes for easy money
> are harmful because they encourage hopeful, if misinformed, new
> entrants, who generate more harm for users than profit for themselves.
> 
> Dinei Florêncio is a researcher and Cormac Herley is a principal
> researcher at Microsoft Research.
> 



---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.
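The extrapolation arithmetic in the forwarded op-ed (5,000 respondents scaled up to 200 million people, one false $25,000 claim adding $1 billion, and errors that cannot cancel because a loss cannot be negative) is worth seeing in code. The Python below is an added example, not part of the article or of Florêncio and Herley's own work; the survey sample it uses is constructed (4,991 zero-loss respondents, nine honest small losses, and one exaggerated claim), and the clamped-noise model in `clamped_reports` is an assumption used to illustrate the upward bias, not a method the authors describe.

```python
"""Constructed simulation of how sample-to-population extrapolation
amplifies a single exaggerated survey answer (added example)."""
import random
import statistics

SAMPLE_SIZE = 5_000          # respondents, as in the op-ed's illustration
POPULATION = 200_000_000     # population the sample is scaled up to


def scale_factor(sample_size=SAMPLE_SIZE, population=POPULATION):
    """Multiplier applied to every reported dollar: 200M / 5,000 = 40,000."""
    return population / sample_size


def extrapolated_total(reported_losses, population=POPULATION):
    """The naive survey estimate: sample mean times population size."""
    return statistics.fmean(reported_losses) * population


def added_by_single_claim(amount, sample_size=SAMPLE_SIZE, population=POPULATION):
    """Dollars that one respondent's answer contributes to the estimate."""
    return amount * scale_factor(sample_size, population)


def top_k_share(reported_losses, k=1):
    """Fraction of the estimate that comes from the k largest answers.
    Scaling is linear, so the fraction is the same as in the raw sample."""
    total = sum(reported_losses)
    if total == 0:
        return 0.0
    return sum(sorted(reported_losses, reverse=True)[:k]) / total


def clamped_reports(true_losses, noise_sd, seed=0):
    """Assumed error model: report = truth + symmetric noise, clamped at zero.
    The negative half of every error is cut off, so the mean drifts upward
    even when respondents are not lying."""
    rng = random.Random(seed)
    return [max(0.0, loss + rng.gauss(0.0, noise_sd)) for loss in true_losses]


def build_constructed_sample():
    """Constructed data: 5,000 respondents. 'honest' has nine small losses
    ($50 to $450) and zeros elsewhere; 'with_liar' swaps one zero for a
    false $25,000 claim."""
    small_losses = [50 * i for i in range(1, 10)]          # sums to $2,250
    honest = [0] * 4_991 + small_losses
    with_liar = [0] * 4_990 + small_losses + [25_000]
    return honest, with_liar


if __name__ == "__main__":
    honest, with_liar = build_constructed_sample()
    print(f"scale factor        : {scale_factor():,.0f}")
    print(f"estimate, honest    : ${extrapolated_total(honest):,.0f}")
    print(f"estimate, with liar : ${extrapolated_total(with_liar):,.0f}")
    print(f"added by $25,000    : ${added_by_single_claim(25_000):,.0f}")
    print(f"share from top one  : {top_k_share(with_liar):.1%}")
    reported = clamped_reports(honest, noise_sd=100.0)
    print(f"true mean ${statistics.fmean(honest):.2f} "
          f"vs reported mean ${statistics.fmean(reported):.2f}")
```

Running it shows the honest sample extrapolating to about $90 million, the same sample plus one false claim extrapolating to about $1.09 billion, with roughly 92 percent of that figure coming from a single respondent, which is the "one or two individuals" pattern the op-ed describes. The last line shows the second effect: with zero as a hard floor, even symmetric reporting noise pushes the sample mean well above the true mean, so errors accumulate instead of cancelling.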


