Statistics and the ‘Cyber Crime Epidemic’
By what percentage has cyber crime increased in the last 12 months? How many internet users worldwide? How can this affect everyone from large companies to individuals?
Source: www.ewi.info
According to the recently released Norton Cyber Crime Report for 2011, 431 million adults worldwide were victims of cyber crime last year. The total cost of those crimes amounts to some $114 billion. This precise statement, however, hides an important problem: we actually lack comprehensive data for assessing the true scale and scope of cyber crime. This is because we primarily rely on businesses to voluntarily self-report incidents of attacks and intrusions, without any means to verify their statements. To turn the tide in the fight against cyber crime, we first need to know its true impact on the world economy.
William W. Watt once remarked, “Do not put your faith in what statistics say until you have carefully considered what they do not say.” In examining the statistical outpouring of data on cyber crime, one should pay special attention to what those statistics do not say. The recently published report, Second Annual Cost of Cyber Crime Study, by the Ponemon Institute, a U.S.-based information security policy research center, is another good case in point. The report states that “over the past year, the median cost of cyber crime increased by 56 percent and now costs companies an average of $6 million per year.” This statistic was compiled using a self-report survey of 50 U.S.-based businesses.
The reason businesses routinely under-report incidents of cyber crime is that most information on cyber crime losses is derived from surveys; that is, statisticians merely send questionnaires to companies and hope they are answered in good faith. Businesses have a vested interest in under-reporting incidents, since they do not want to lose consumer confidence or be held accountable by shareholders or boards. Consequently, the data we collect from such surveys has very low predictive power and cannot serve as a basis for informed policy formulation.
What most people do not realize is that cyber criminals do not have to be very sophisticated to inflict major damage. Cheap malware that can be purchased online often suffices. The real danger to a country’s economy arises from advanced persistent threats (APTs) — highly sophisticated and long-planned intrusions often executed with state sponsorship. Jeffrey Carr, a U.S.-based cyber security expert, recently stated that the biggest threat is the theft of intellectual property in high-value technology and energy assets. Here, too, under-reporting is endemic.
One report claims that U.S. intellectual property theft — an APT — much of which is conducted via cyber space, costs 750,000 jobs annually. The validity of this number, however, is questionable, since many APT attacks either are not detected or are kept secret for many years. Most companies do not even know that they are under attack, and if they do know, they are not willing to share data because we lack a trusted entity to collect it.
There are dozens of public- and private-led cyber security data distribution forums in existence already, but their number, scope, and diversity make for a complex environment where sharing information is very difficult. What is needed is the equivalent of the U.S. Centers for Disease Control and Prevention: an umbrella organization that coordinates the different activities of these forums and could conduct broad analysis into cyber space. In the United States, the National Security Telecommunications Advisory Committee provides a good model for sharing and normalizing threat data that could be generalized to various initiatives from defense, finance, or information-based industries.