Statistics and the 'Cyber Crime Epidemic'

Commentary | September 22, 2011

According to the recently released Norton Cyber Crime Report for 2011, 431 million adults worldwide were victims of cyber crime last year. The total cost of those crimes amounts to some $114 billion. This precise statement, however, hides an important problem: We actually lack comprehensive data in assessing the true scale and scope of cyber crime. This is because we primarily rely on businesses to voluntarily self-report incidences of attacks and intrusions without any means to verify their statements. To turn the tide in the fight against cyber crime, we first need to know its true impact on the world economy.

William W. Watt once remarked, "Do not put your faith in what statistics say until you have carefully considered what they do not say." In examining the statistical outpouring of data on cyber crime, one should pay special attention to what those statistics do not say. The recently published report, Second Annual Cost of Cyber Crime Study, by the Poneman Institute, a U.S. based information security policy research center, is another good case in point. The report states that "over the past year, the median cost of cyber crime increased by 56 percent and now costs companies an average of $6 million per year." This statistic was compiled using a self-report survey of 50 U.S. based businesses.

The reason businesses routinely under-report incidents of cyber crime is that most information on cyber crime losses are derived from surveys; that is, statisticians merely send questionnaires to companies and hope they are answered in good faith. Businesses have vested self-interests in under-reporting incidents since they either do not want to lose consumer confidence or be held accountable by shareholders or boards. Consequently, the data we collect from such surveys has very low predictive power and cannot serve as a basis for informed policy formulation.

What most people do not realize is that cyber criminals do not have to be too sophisticated to inflict major damage. Cheap malware that can be purchased online often suffices. The real danger to a country's economy arises from advanced persistent threats (APTs) -- highly sophisticated and long-planned intrusions often executed with state sponsorship. Jeffrey Carr, a U.S. based cyber security expert, recently stated that the biggest threat is the theft of intellectual property in high-value technology and energy assets. Here too under-reporting is endemic.

One report claims that U.S. intellectual property theft -- an APT -- costs 750,000 jobs annually, much of which is conducted via cyber space. The validity of this number, however, is questionable since many APT attacks either are not detected or are kept secret for many years. Most companies do not even know that they are under attack, and if they do know, companies are not willing to share data because we lack a trusted identity to collect it.

There are dozens of public- and private-led cyber security data distribution forums in existence already, but the number, scope, and diversity makes for a complex environment where sharing information is very difficult. What is needed is the equivalent to the U.S. Center for Disease Control and Prevention, an umbrella organization coordinating the different activities of forums and which could conduct broad analysis into cyber space. In the United States the National Security Telecommunication Advisory Committee provides a good model for sharing and normalizing threat data that could be generalized to various initiatives from defense, finance, or information-based industries.

Such a new umbrella organization could induce private sector companies to voluntarily provide at least a modicum of raw statistical data about their performance. For example, the data breach reports should be "anonymized," which will, from a business perspective, facilitate sharing. With this minimal data, rudimentary statistics could be compiled and common responses developed. The main focus here should be on data treatment and distribution. Data must be usable and accurate enough to enable action and suppress vulnerabilities in companies.

The significant disconnect within many corporations, where internal security experts are unable to justify increased security methods or spending due to a lack of measured information, presents a grave danger to the well-being of our global economy. Having trusted measures and performance benchmarks will significantly reduce this information gap between security and executive leadership in organizations. It will help formulate more cost effective defense strategies against cyber crime. Better detection rates of attacks, faster responses to incidents, and sounder policy formulations will make companies more secure and consequently more competitive in the global market. As Gordon Gekko stated in Wall Street: "The most valuable commodity I know of is information." This has never been truer than in the age of cyber space.

Click here to read Gady's piece on the Huffington Post