Wednesday, April 25, 2012

Re-Calibrating Cybercrime Costs and Responses


A few days ago the NYT published an article called "The Cybercrime Wave That Wasn't". What !?!

I read the title again, cleaned my glasses, counted to ten, took a deep cleansing breath, and looked at it again.

It still said the same thing. How disappointing. But maybe, I thought, it was just another piece of anti-sensationalist faux-journalism.

Here's a slice for you:
Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.
If you read the article, the authors unpack their analysis that shows the upward bias and roundup errors that appear "among dozens of surveys, from security vendors, industry analysts and government agencies" and they note that they "have not found one that appears free of this upward bias."

They don't go as far you'd think they would if they were true anti-sensationalists, because they remind the reader that despite the fact that it appears actual cybercrime losses are much lower than the many reports on the subject seem to indicate, there's still major cause for concern:
... this is not a zero-sum game: the difficulty of getting rich for bad guys doesn’t imply that the
consequences are small for good guys. Profit estimates may be enormously exaggerated, but it would be a mistake not to consider cybercrime a serious problem.
Sounds pretty fair and balanced to me. And so I was well prepared when Computerworld (and many others) reported yesterday that an analyst firm called Group-IB after reviewing the Russia cyber underworld's 10Q and 10K reports, audited by an unnamed Big 4 accounting firm, estimated that Russian cyber criminals bagged $4.5 billion last year.

Inclined now to be skeptical of large numbers in this area, I asked someone who should know, and he said the absence of a methodology section in the report made it hard to take the claims seriously.

Of course, since you already know I'm a card carrying member of AAAJOA - Anti-sensationalist, Anti-alarmist Amateur Journalists of America, it may be hard to take my post entirely seriously. But I like the fresh perspective the NYT authors, Dinei Florencio and Cormac Herley, brought to a topic which we've all been rather slow to question in the past. Kudos.

Image credit: Public Domain Photos on Flickr.com