Skip Links

Vendor cybercrime report in the hot seat again

One expert called the loss figure in Norton report 'preposterous,' noting the number might 50 times too high

By Taylor Armerding, CSO
September 07, 2012 08:10 AM ET

CSO - Symantec's Norton group released a new cybercrime study this week that found the average cost of online crime per victim declined during the past year. However, while down, at $110 billion a year that's still a very big global business.

Oft-cited cybercrime cost estimates hosed down

The credibility of studies commissioned by security vendors has been strained of late. While nobody disputes that the cost of cybercrime is well into the billions, a number of critics have charged that such surveys inflate the numbers to scare more people into buying security software.

McAfee has recently estimated the annual cost of cybercrime worldwide at $1 trillion; Symantec has estimated the annual cost of intellectual property theft in the U.S. at $250 billion.

Computer scientists Dinei Florencio and Cormac Herley, of Microsoft Research, authors of a recent paper titled "Sex, Lies and Cyber-crime Surveys," wrote: "Our assessment of the quality of cybercrime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings."

Norton based its latest report (PDF file) on an online survey of more than 13,000 adults aged 18-65 in 24 countries. It found the average cost per victim of cybercrime was $197. In the U.S., however, it was $290.

"In the past twelve months, an estimated 556 million adults globally experienced cybercrime, more than the entire population of the European Union. This figure represents 46% of online adults who have been victims of cybercrime in the past twelve months, on par with the findings from 2011 (45%)," Symantec said in a press release. Norton extrapolated 71 million cybercrime victims in the U.S., with damages of $21 billion.

Norton, which has hired the market research firm StrategyOne for the past three years to conduct the study, is seeking to preempt any skepticism.

The company acknowledged in a statement that consumer surveys are not subject to peer review, but said that in addition to review by StrategyOne and Norton's own internal experts, it also turned the report over to Jonah Berger, Assistant Professor of Marketing at the University of Pennsylvania's Wharton School, who said, "The standards and best practices for market research were followed and meet the established guidelines of market research."

Andrew Jaquith, CTO of Perimeter E-Security, is not convinced. He called the U.S. loss figures "preposterous." Last year the Federal Trade Commission (FTC) aggregated "more than 1.8m complaints about identify theft, fraud and other types of complaints from a wide variety of law enforcement -- 15% of these were identity theft complaints, and 55% were fraud related. The fraud costs to consumers were reported to be about $1.5 billion. That's less than one-tenth of Norton's $20 billion figure," he said.

[In depth: A few good information security metrics]

Jaquith also said that the FTC found 280,000 cases of bona fide identify theft. "Even if you assume that every one of these were 'cybercrime related,' that's also just 2% of the 71 million victims figure that Norton cited," he said, "which suggests the number might be as much as 50 times too high."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News