Cyber crime wave: tsunami or ripple?

Just 1 per cent of Australians have experienced identity theft, independent polling shows.

A new cybercrime survey by Australian outfit Essential Research has begun to unravel the threads that vendors tend to tangle. Their initial results suggest things might not be nearly as bad as we're told.

When it comes to inflated online crime statistics, the information security industry has got form. Last year I called out Symantec and McAfee, the global top two, for potentially inflated claims. Of course they're not alone, but bigger budgets fuel a faster flow of flaky factoids.

Symantec's Norton Cybercrime Report 2012, released in September, used significantly better methodology. Credit to them. But it still lumped together all manner of Bad Things That Happen On The Internet to keep those victim numbers looking nice and high. Other vendors use the same trick.

When Symantec claims that there are 556 million victims of online crime every year, for example, that may cover a wide range:

  • "Computer viruses or malicious software appeared on my computer." Sure, but were they detected and disarmed?

  • "I responded to online scams." But did you actually get sucked in and lose money?

  • "Someone has hacked into my social networking profile and pretended to be me." But one-third of those surveyed said they don't log out at the end of a session.

  • "I was approached online by someone in an unwanted sexual way." But did you block them, and that was the end of it? Or did it continue into harassment?

Plus other equally ambiguous possibilities, including "another type of cybercrime". Whatever that might cover.

Extrapolating from the losses reported by the victims, Symantec estimates that the direct cost of cybercrime in Australia is $1.65 billion a year. That's down from last year's estimate of $1.8 billion but, given the survey's margin of error, it's not statistically significant.

The Essential Research survey, commissioned by Crikey's Canberra correspondent and fellow cybercrime skeptic Bernard Keane, makes two significant improvements. It asks separate questions about each category of crime. And it provides breakdowns of the victims' actual financial losses, if any.

"Based on the Essential results, 44 per cent of Australians, or around 10 million of us, have experienced various types of cybercrime at an average cost of $310," Keane writes.

"Assuming some victims have suffered multiple instances of cybercrime, let's revise the cost upward by a generous 50 per cent to $465. That gives us a total lifetime cost of $4.65 billion for Australians -- far short of even the $1.8 billion pa direct cost estimate from Norton."

Keane derides attorney-general Nicola Roxon's claim that identity fraud is one of Australia's fastest growing crimes and that one in four Australians "had been a victim or had known someone who had been a victim of identity theft" -- a calculus which is really one of perception and fear.

"According to Essential, just 1 per cent of Australians report ever being the victim of identity theft. If identity theft is 'Australia's fastest growing crime' as Nicola Roxon, the AFP [Australian Federal Police] and many media reports insists, then it must have been coming off a positively microscopic base," he writes.

Well, it was.

The term 'identity theft' was coined in 1964, but Google Books' Ngram Viewer shows that it really only came into currency in the last decade or so. Identity theft would have previously been called something like "impersonation with intent to commit fraud". As identity theft, it's a new crime.

This highlights a key weakness in most cybercrime research: it relies on the people being surveyed to understand what's being asked of them.

Do most people really know what "identity theft" means? Are they really in a position to say, with any certainty, that their computer was actually hacked or suffered a virus? Amongst the non-technical, "virus" is just shorthand for "my computer did something weird that I don't understand". As support staff well know, it's often a cover for human error.

Another common weakness is that people are being asked if they've "ever" been a victim, as Essential Research does. But it's now a decade since worms routinely brought Windows to its knees. Defences have improved.

Could this supposed cybercrime wave have actually peaked years ago?

The short answer is that we simply don't know.

These unofficial surveys are relatively small. We don't have any official statistics because, at least here in Australia, the police don't record whether a crime like fraud did or didn't involve the internet. Fraud is fraud.

Indeed, the "cyber" tag tends to cloud what's going on. Fraud, after all, is nothing new. And neither are harassment, theft, romance scams and the rest.

Symantec's improved methodologies and Essential Research's disinterested polling are welcome moves, and there have been others recently. But we still have a long way to go before we really understand the scope of online crime.

Stilgherrian also writes for Crikey. Follow him on Twitter at @stilgherrian
