A statistical analysis of cybercrime damage studies by two economists found that every single report was subject to upward bias.
Estimates of cybercrime tend to be huge. Really, really huge. A recent study pegged the losses from cybercrime to companies at one trillion dollars. By comparison, the entire illegal global drug trade may total a few hundred billion dollars, according to the UN. So, what cybercrime studies are saying is that the cybercrime market is several times larger than all the cocaine, heroin, meth, and pot sold across the entire globe.
These estimates strain credulity. Could cybercrime really be such a big deal? But put the word cyber before anything and everything goes haywire: Cyberwar! Cybersecurity! Cyberblinders! We all know the Internet is a big deal, so therefore crime on the Internet must be a big deal, right?
Well, finally, two economists, Dinei Florencio and Cormac Herley, came along to think about these supposed cybercrime harm estimates. What did they find? I'll let them tell you, via their editorial in the New York Times:
It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable. Most cybercrime estimates are based on surveys of consumers and companies. They borrow credibility from election polls, which we have learned to trust. However, when extrapolating from a surveyed group to the overall population, there is an enormous difference between preference questions (which are used in election polls) and numerical questions (as in cybercrime surveys).
In one case, a single person's $25,000 loss from a cybercrime could add $1 billion to a national estimate of cybercrime. In another case, two individuals' estimates added $37 billion to the overall calculation. And every single survey the economists looked at displayed structural flaws that gave them an upward bias.
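The contrast the economists draw between preference questions and numerical questions can be worked through in a few lines. This is an added example, not code or data from the article or the economists' study: the population, sample size and every answer are constructed, chosen so that each respondent stands for 40,000 people, the weight at which a $25,000 report becomes $1 billion.

```python
"""Why one answer can dominate a numerical survey but not an opinion poll."""

# Assumed figures (not from the article): 5,000 respondents stand in for
# 200 million adults, so every answer is multiplied by 40,000. That is the
# weight at which a single $25,000 report becomes $1 billion.
POPULATION = 200_000_000
SAMPLE_SIZE = 5_000

# Constructed loss answers in dollars: most report nothing, nine report $200,
# one reports $25,000.
LOSSES = [0] * 4_990 + [200] * 9 + [25_000]
# Constructed preference answers: 1 = "yes", 0 = "no".
POLL = [1] * 2_600 + [0] * 2_400


def weight(population, sample_size):
    """Number of people each respondent is taken to represent."""
    return population // sample_size


def extrapolate(answers, population):
    """Scale the sample sum up to the whole population."""
    return sum(answers) * weight(population, len(answers))


def largest_contribution(answers, population):
    """Amount of the extrapolated figure that comes from the largest answer."""
    return max(answers) * weight(population, len(answers))


def largest_share(answers):
    """Fraction of the estimate that rests on the single largest answer."""
    return max(answers) / sum(answers)


if __name__ == "__main__":
    w = weight(POPULATION, SAMPLE_SIZE)
    print(f"each respondent stands for {w:,} people")
    print(f"national loss estimate: ${extrapolate(LOSSES, POPULATION):,}")
    print(f"  from one respondent:  ${largest_contribution(LOSSES, POPULATION):,}"
          f" ({largest_share(LOSSES):.1%})")
    print(f"poll 'yes' estimate:    {extrapolate(POLL, POPULATION):,} people")
    print(f"  from one respondent:  {largest_contribution(POLL, POPULATION):,}"
          f" ({largest_share(POLL):.3%})")
```

In the poll, no single answer can move the result by more than one respondent's weight; in the loss survey, the size of the answer is unbounded, so one report (accurate or not) can account for nearly the whole national figure.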