Reports of losses from cyber crimes gathered from surveys are greatly exaggerated and often based on unverified, self-reported numbers and skewed results, according to two Microsoft researchers.
In the “Sex, Lies and Cybercrime Surveys” report, Dinei Florencio and Cormac Herley say much of the information on cyber-crime losses comes from surveys, which often overlook the uneven distribution of cyber-crime victims among the populace, and rely on unverified self-reported numbers.
For example, a single individual who claims $50,000 in losses in an N = 1000 person survey is all it takes to generate a $10 billion loss over the population, the researchers said. Similarly, one unverified claim of $7,500 in phishing losses translates into $1.5 billion, the researchers noted.
Another problem is that cyber-crime value estimates are often inconsistent. As an example, the researchers cite the Federal Trade Commission, which estimated identity theft at $47 billion in 2004, $15.6 billion in 2006, and $54 billion in 2008.
“Either there was a precipitous drop in 2006, or all of the estimates are extremely noisy,” the researchers said.
When estimating cyber-crime losses from surveys, the researchers recommend using a representative sample without too great a concentration, sampling the upper tail adequately, and checking outliers for error or fabrication.
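The extrapolation described above and the recommended outlier check, as an added example that comes from neither the report nor this article. The population of 200 million is an assumption implied by the article's figures; the 10% review threshold, the 2% victim rate and the Pareto loss distribution are constructed for illustration.

```python
import random
import statistics

POPULATION = 200_000_000  # assumption: implied by the article ($50,000 / 1000 * POPULATION = $10 billion)
SURVEY_N = 1000           # survey size used in the article's example


def extrapolate(responses, population=POPULATION):
    """Scale the mean self-reported loss in the sample up to the population."""
    return sum(responses) / len(responses) * population


def flag_for_verification(responses, max_share=0.10):
    """Return (index, claimed loss, share of total) for every response that
    alone accounts for more than max_share of the survey total."""
    total = sum(responses)
    if total == 0:
        return []
    return [(i, r, r / total) for i, r in enumerate(responses) if r / total > max_share]


def simulate_estimates(runs=200, victim_rate=0.02, seed=7):
    """Repeat the survey on a constructed population in which few respondents
    are victims and losses are heavy-tailed; return each run's estimate."""
    rng = random.Random(seed)
    estimates = []
    for _ in range(runs):
        sample = [100 * rng.paretovariate(1.1) if rng.random() < victim_rate else 0.0
                  for _ in range(SURVEY_N)]
        estimates.append(extrapolate(sample))
    return estimates


if __name__ == "__main__":
    # Constructed survey: 999 respondents report nothing, one claims $50,000.
    survey = [0.0] * (SURVEY_N - 1) + [50_000.0]
    print(f"estimate with the claim:    ${extrapolate(survey):,.0f}")
    print(f"estimate without the claim: ${extrapolate(survey[:-1]):,.0f}")
    for idx, loss, share in flag_for_verification(survey):
        print(f"verify respondent {idx}: ${loss:,.0f} is {share:.0%} of the total")
    runs = simulate_estimates()
    print(f"repeated surveys: median ${statistics.median(runs):,.0f}, "
          f"min ${min(runs):,.0f}, max ${max(runs):,.0f}")
```

The spread between the minimum and maximum of the repeated surveys shows how far a single heavy-tailed response can move the population estimate from one survey to the next.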