
Cybercrime loss estimates about as reliable as piracy estimates - curthopkins
http://arstechnica.com/tech-policy/news/2012/04/study-shows-cybercrime-estimates-to-be-overblown.ars
======
jaylevitt
When I worked on a cybercrime startup idea in 2008-9, every single "cost of
cybercrime" calculation I found - even from government agencies - was based on
the same original, unsourced estimate from MarkMonitor, which sells various
brand protection services to IP holders (e.g. they'll watch eBay for
counterfeit auctions of Rolex watches). After a few years, MM was able to cite
the more "official" sources with a circular reference.

There's no financial incentive for anyone to say "nah, it's not that bad".

------
CLORO
While I concur that objectivity is important, I would not completely discredit
that there are severe economic concerns with cyber crime. I've seen first hand
vast amounts of intellectual property being obtained illegally through
coercion and manipulation of private and federal systems. Working in a
position to detect and prevent, you'll often find that the victims are not
aware of their losses nor of the secondary conditionals that drive associated
costs. Most cyber crime isn't as clearly defined as, say, a list of credit cards
stolen from a service provider. These are the models you can somewhat
quantify a worst-case estimate for. All that's required is that you tally up
the limits on all the cards and say the potential was for x amount of monetary
loss. Is the number a realistic answer or projection? Not really, often it's
way out of touch with reality; the question then becomes how do you define
realistic losses?

It's true that there aren't models that can clearly and appropriately estimate
losses for an entity. This is due in part to the large costs that aren't
known in that exposure of credit card numbers. Addressables such as client
confidence, the manpower and time to disseminate information to the victims,
the time spent eradicating all flaws being levied by the actors which alone
are not inclusive of your overall downtime and even public shame, all items
hard to quantify a numerical value for. We can argue about models, but the
truth is there is never a model for every scenario. You can only go by
speculation and assumption. So it's with that understanding that I somewhat
allow an inflated estimate of real damage. If at the end of the day, the
horror stories read online push users and admins to educate themselves, even
if out of fear of overly estimated losses, I see no harm.

Personally, I feel the more appropriate response is to give clear guidance as
to how these incidents were born. It's only through proper education of users
and admins alike that we'll be able to stymie those attempting harm.

In concurrence with your comment, there is no doubt that there is
sensationalization on the part of everyone at play. Antivirus and malware
removal manufacturers want to project an image of fear. It's this sense of
fear that drives their market. However inappropriate it may be, it at least
drives discussion. It's only with proper education that users see the
difference between realistic threats and the Hollywood movie projections.

------
kijin
Interesting that this came out of Microsoft Research. Perhaps Microsoft was
getting really annoyed with overblown estimates of losses from compromised
Microsoft products.

There are political and economic forces that benefit from fanning alarmism
about cybercrime, just as there are companies like MS that incur losses from
such alarmism. When there's so much uncertainty about what reality looks like,
either side can cite figures that support their own agenda. Kudos to the
researchers for bringing some cautious sanity and objectivity to the issue,
instead of just running away in the other direction.

