Economists: Cybercrime Estimates Are Wildly, Ridiculously Overblown

More

A statistical analysis of cybercrime damage studies by two economists found that every single report was subject to upward bias.

acyberattack_615.jpg

A cybercrime taking place. Oh, whoops! Nevermind. This is just money photoshopped onto a computer monitor. Image: Alexis Madrigal/Digital manipulation of Reuters.

Estimates of cybercrime tend to be huge. Really, really huge. A recent study pegged the losses from cybercrime to companies at one trillion dollars. By comparison, the entire illegal global drug trade may total out a few hundred billion dollars, according to the UN. So, what cybercrime studies are saying is that the cybercrime market is several times larger than all the cocaine, heroin, meth, and pot sold across the entire globe.

These estimates strain credulity. Could cybercrime really be such a big deal? But put the word cyber before anything and everything goes haywire: Cyberwar! Cybersecurity! Cyberblinders! We all know the Internet is a big deal, so therefore crime on the Internet must be a big deal, right? 

Well, finally, two economists, Dinei Florencio and Cormac Herley, came along to think about these supposed cybercrime harm estimates. What did they find? I'll let them tell you, via their editorial in the New York Times:

It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable. Most cybercrime estimates are based on surveys of consumers and companies. They borrow credibility from election polls, which we have learned to trust. However, when extrapolating from a surveyed group to the overall population, there is an enormous difference between preference questions (which are used in election polls) and numerical questions (as in cybercrime surveys).

In one case, a single person's $25,000 loss from a cybercrime could add $1 billion to a national estimate of cybercrime. In another case, two individuals' estimates added $37 billion to the overall calculation. And every single survey the economists looked at displayed structural flaws that gave them an upward bias.

That cybercrime would not be a horrible global scourge of triple the magnitude of the drug war makes "otherwise puzzling" facts make sense. "Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren't any," they explain. "Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply."

That these studies would be bunk stands to reason, Florencio and Herley argue, because economically, if there was such a boom going on, more people would rush in to push down average returns and deter people from that particular kind of activity. "Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing," they write. "Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward."

How'd so many estimates keep getting cybersecurity wrong? Anyone who cared about cybersecurity -- particularly those whose livelihoods depend on it -- had no reason to take down the inflated numbers. I'd also guess that many analysts weren't interested in being too far away from the mean of the estimates that came before them. Besides, cybercrime is a real problem for many companies and individuals, so the anecdotes could stand in for what the statistics could not actually support.

It's not the first time that cybersomething hype has come under attack. A recent Wired Opinion column called out the bipartisan cybersecurity hype. Cato's Jim Harper voiced similar concerns. Foreign Policy's recently put out a cyberwar takedown and similar concerns are circulating in some academic quarters as well. But I can't recall this kind of statistical takedown of the topline numbers -- and logic -- of the people who are hyping cyberthreats. 


Jump to comments
Presented by

Alexis C. Madrigal

Alexis Madrigal is the deputy editor of TheAtlantic.com. He's the author of Powering the Dream: The History and Promise of Green Technology. More

The New York Observer has called Madrigal "for all intents and purposes, the perfect modern reporter." He co-founded Longshot magazine, a high-speed media experiment that garnered attention from The New York Times, The Wall Street Journal, and the BBC. While at Wired.com, he built Wired Science into one of the most popular blogs in the world. The site was nominated for best magazine blog by the MPA and best science Web site in the 2009 Webby Awards. He also co-founded Haiti ReWired, a groundbreaking community dedicated to the discussion of technology, infrastructure, and the future of Haiti.

He's spoken at Stanford, CalTech, Berkeley, SXSW, E3, and the National Renewable Energy Laboratory, and his writing was anthologized in Best Technology Writing 2010 (Yale University Press).

Madrigal is a visiting scholar at the University of California at Berkeley's Office for the History of Science and Technology. Born in Mexico City, he grew up in the exurbs north of Portland, Oregon, and now lives in Oakland.

Get Today's Top Stories in Your Inbox (preview)

Juice Cleanses: The Worst Diet

A doctor tries the ever-popular Master Cleanse. Sort of.


Elsewhere on the web

Join the Discussion

After you comment, click Post. If you’re not already logged in you will be asked to log in or register. blog comments powered by Disqus

Video

Juice Cleanses: The Worst Diet

A doctor tries the ever-popular Master Cleanse. Sort of.

Video

Why Did I Study Physics?

Using hand-drawn cartoons to explain an academic passion

Video

What If Emoji Lived Among Us?

A whimsical ad imagines what life would be like if emoji were real.

Video

Living Alone on a Sailboat

"If you think I'm a dirtbag, then you don't understand the lifestyle."

Feature

The Future of Iced Coffee

Are artisan businesses like Blue Bottle doomed to fail when they go mainstream?

Writers

Up
Down

More in Technology

Just In