Vendor cybercrime report in the hot seat again

Symantec's Norton group released a new cybercrime study this week that found the average cost of online crime per victim declined during the past year. Even so, at an estimated $110 billion a year worldwide, cybercrime remains a very big global business.

The credibility of studies commissioned by security vendors has been strained of late. While nobody disputes that the cost of cybercrime is well into the billions, a number of critics have charged that such surveys inflate the numbers to scare more people into buying security software.

McAfee has recently estimated the annual cost of cybercrime worldwide at $1 trillion; Symantec has estimated the annual cost of intellectual property theft in the U.S. at $250 billion.

Computer scientists Dinei Florencio and Cormac Herley, of Microsoft Research, authors of a recent paper titled "Sex, Lies and Cyber-crime Surveys," wrote: "Our assessment of the quality of cybercrime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings."

Norton based its latest report on an online survey of more than 13,000 adults aged 18-65 in 24 countries. It found the average cost per victim of cybercrime was $197. In the U.S., however, it was $290.

"In the past twelve months, an estimated 556 million adults globally experienced cybercrime, more than the entire population of the European Union. This figure represents 46% of online adults who have been victims of cybercrime in the past twelve months, on par with the findings from 2011 (45%)," Symantec said in a press release. Norton extrapolated 71 million cybercrime victims in the U.S., with damages of $21 billion.

Norton, which has hired the market research firm StrategyOne for the past three years to conduct the study, is seeking to preempt any skepticism.

The company acknowledged in a statement that consumer surveys are not subject to peer review, but said that in addition to review by StrategyOne and Norton's own internal experts, it also turned the report over to Jonah Berger, Assistant Professor of Marketing at the University of Pennsylvania's Wharton School, who said, "The standards and best practices for market research were followed and meet the established guidelines of market research."

Andrew Jaquith, CTO of Perimeter E-Security, is not convinced. He called the U.S. loss figures "preposterous." Last year the Federal Trade Commission (FTC) aggregated "more than 1.8m complaints about identity theft, fraud and other types of complaints from a wide variety of law enforcement -- 15% of these were identity theft complaints, and 55% were fraud related. The fraud costs to consumers were reported to be about $1.5 billion. That's less than one-tenth of Norton's $20 billion figure," he said.


Jaquith also said that the FTC found 280,000 cases of bona fide identity theft. "Even if you assume that every one of these were 'cybercrime related,' that's also just 2% of the 71 million victims figure that Norton cited," he said, "which suggests the number might be as much as 50 times too high."

Norton says that self-reporting is more accurate than police reports or fraud statistics, because only about a third of cybercrime victims report it to the police.

"We stand behind the report and its methodology," Norton said. "Self-reported data is a standard research method and the data is normalized by sampling across a large number of adult consumers, nationally representative in each of the 24 countries where the survey took place."

The types of crimes reported ranged from computer viruses and other malware to phishing, including forged, spoofed or fake email or websites. It also included online bullying or harassment, hacked email accounts, hacked social networking profiles, online scams, online credit card fraud, identity theft, smishing (phishing via unsolicited SMS text messages), and mobile malware.

Jody Westby, CEO of Global Cyber Risk, faulted the report for what she said was, "not enough depth ... to tell people what was considered, what information was gathered, and how the statistics were calculated."

But Westby said she believes such reports have value because "they raise awareness and they help people understand the extent of the problem, although since the statistics are so grey, it is hard to compare."

Andrew Jaquith said he believes surveys are useful in the aggregate. "I tend to take the different vendor surveys to gain a composite view of the market and to validate trends," he said. "I don't place any weight on any particular surveys."

Norton, of course, offers software security products to tackle the cybercrime menace. But the report also notes that consumers can protect themselves by following advice that has now been around for decades: to be wary of unsolicited emails or texts, to use complex passwords and to change them regularly.

Neal Creighton, CEO of CounterTack, adds that consumers should "only submit personal information on a secure site where the padlock tells them they are secure. For more assurance, look for the green bar in the address window and the padlock -- that tells you that you are on a highly authenticated site."

The study found that consumers' security IQs are improving, in that large majorities don't open links or attachments in unsolicited emails and do use a basic antivirus solution. But 40% don't use rigorous password security, and, as has been reported in the past, many don't update their software regularly, partly because they suspect automatic update prompts may be malware, or because they don't like the additional "crapware" packaged with an update.

Some experts argue that manufacturers should build security into their products. And Gary McGraw, CTO of Cigital, regularly says that security could be vastly improved if product manufacturers would "build things that aren't broken."

Creighton says some of that is happening. "For example, the major browsers have built in extended validation SSL into their products, which gives consumers more protection through higher authentication levels on sites," he said. "If you see a green bar in the URL address bar and a padlock, you can be very certain you are on a legitimate site and not a phishing/ fraud site."

Stories by Taylor Armerding