Economists: Cybercrime Estimates Are Wildly, Ridiculously Overblown

A statistical analysis of cybercrime damage studies by two economists found that every single report was subject to upward bias.

acyberattack_615.jpg

A cybercrime taking place. Oh, whoops! Nevermind. This is just money photoshopped onto a computer monitor. Image: Alexis Madrigal/Digital manipulation of Reuters.

Estimates of cybercrime tend to be huge. Really, really huge. A recent study pegged the losses from cybercrime to companies at one trillion dollars. By comparison, the entire illegal global drug trade may total out a few hundred billion dollars, according to the UN. So, what cybercrime studies are saying is that the cybercrime market is several times larger than all the cocaine, heroin, meth, and pot sold across the entire globe.

These estimates strain credulity. Could cybercrime really be such a big deal? But put the word cyber before anything and everything goes haywire: Cyberwar! Cybersecurity! Cyberblinders! We all know the Internet is a big deal, so therefore crime on the Internet must be a big deal, right? 

Well, finally, two economists, Dinei Florencio and Cormac Herley, came along to think about these supposed cybercrime harm estimates. What did they find? I'll let them tell you, via their editorial in the New York Times:

It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable. Most cybercrime estimates are based on surveys of consumers and companies. They borrow credibility from election polls, which we have learned to trust. However, when extrapolating from a surveyed group to the overall population, there is an enormous difference between preference questions (which are used in election polls) and numerical questions (as in cybercrime surveys).

In one case, a single person's $25,000 loss from a cybercrime could add $1 billion to a national estimate of cybercrime. In another case, two individuals' estimates added $37 billion to the overall calculation. And every single survey the economists looked at displayed structural flaws that gave them an upward bias.

That cybercrime would not be a horrible global scourge of triple the magnitude of the drug war makes "otherwise puzzling" facts make sense. "Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren't any," they explain. "Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply."

That these studies would be bunk stands to reason, Florencio and Herley argue, because economically, if there was such a boom going on, more people would rush in to push down average returns and deter people from that particular kind of activity. "Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing," they write. "Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward."

How'd so many estimates keep getting cybersecurity wrong? Anyone who cared about cybersecurity -- particularly those whose livelihoods depend on it -- had no reason to take down the inflated numbers. I'd also guess that many analysts weren't interested in being too far away from the mean of the estimates that came before them. Besides, cybercrime is a real problem for many companies and individuals, so the anecdotes could stand in for what the statistics could not actually support.

It's not the first time that cybersomething hype has come under attack. A recent Wired Opinion column called out the bipartisan cybersecurity hype. Cato's Jim Harper voiced similar concerns. Foreign Policy's recently put out a cyberwar takedown and similar concerns are circulating in some academic quarters as well. But I can't recall this kind of statistical takedown of the topline numbers -- and logic -- of the people who are hyping cyberthreats. 


Presented by

How to Cook Spaghetti Squash (and Why)

Cooking for yourself is one of the surest ways to eat well. Bestselling author Mark Bittman teaches James Hamblin the recipe that everyone is Googling.

Join the Discussion

After you comment, click Post. If you’re not already logged in you will be asked to log in or register.

blog comments powered by Disqus

Video

How to Cook Spaghetti Squash (and Why)

Cooking for yourself is one of the surest ways to eat well.

Video

Before Tinder, a Tree

Looking for your soulmate? Write a letter to the "Bridegroom's Oak" in Germany.

Video

The Health Benefits of Going Outside

People spend too much time indoors. One solution: ecotherapy.

Video

Where High Tech Meets the 1950s

Why did Green Bank, West Virginia, ban wireless signals? For science.

Video

Yes, Quidditch Is Real

How J.K. Rowling's magical sport spread from Hogwarts to college campuses

Video

Would You Live in a Treehouse?

A treehouse can be an ideal office space, vacation rental, and way of reconnecting with your youth.

More in Technology

Just In