Microsoft Report Challenges Conventional Wisdom on Cybercrime Losses

It's a pretty technical read, but this recent Microsoft report, "Sex, Lies and Cyber-crime Surveys" by Dinei Florencio and Cormac Herley, argues an interesting hypothesis: cyber-crime surveys that suggest huge losses from hacking and phishing aren't reliable. Here's an excerpt of their reasoning:

First, [cyber-crime] losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N = 1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.
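As an added illustration (not code from the paper or this post), the survey arithmetic behind the excerpt: a mean-times-population extrapolation, plus two checks a careful reader of such a survey would want, the share of the total coming from the top responses and how far the estimate falls when the single largest claim is set aside. The 200-million population is an assumption implied by the paper's "$50,000 in an N = 1000 survey gives $10 billion" figure; the sample survey is constructed.

```python
# Added example (not from the Florencio/Herley paper or this post): the survey
# arithmetic behind the excerpt, showing how one self-reported outlier drives
# a population-wide loss estimate.
from typing import Sequence

# Assumption: the paper's "$50,000 in an N = 1000 survey -> $10 billion"
# implies scaling by a population of about 200 million adults.
POPULATION = 200_000_000


def extrapolate_loss(reported: Sequence[float], population: int = POPULATION) -> float:
    """Population estimate = survey mean * population (the method the excerpt criticises)."""
    if not reported:
        raise ValueError("empty survey")
    return sum(reported) / len(reported) * population


def top_k_share(reported: Sequence[float], k: int) -> float:
    """Fraction of all reported losses coming from the k largest responses."""
    total = sum(reported)
    if total == 0:
        return 0.0
    return sum(sorted(reported, reverse=True)[:k]) / total


def estimate_without_top(reported: Sequence[float], drop: int, population: int = POPULATION) -> float:
    """Re-run the extrapolation after setting aside the `drop` largest responses."""
    kept = sorted(reported)[: len(reported) - drop]
    return extrapolate_loss(kept, population)


def constructed_survey() -> list:
    """Constructed N = 1000 sample: 990 report $0, 9 report $100, one claims $50,000."""
    return [0.0] * 990 + [100.0] * 9 + [50_000.0]


if __name__ == "__main__":
    sample = constructed_survey()
    print(f"headline estimate : ${extrapolate_loss(sample):,.0f}")         # $10,180,000,000
    print(f"share from top 1  : {top_k_share(sample, 1):.1%}")             # 98.2%
    print(f"estimate w/o top 1: ${estimate_without_top(sample, 1):,.0f}")  # ~$180,180,180
```

Setting aside one respondent cuts the headline figure by about 98%, which is the sensitivity the excerpt describes.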

Is the Rejection of Security Advice by Users Really Rational? A Response to Cormac Herley

In the April 11, 2010, Boston Globe, there is an extended discussion of an article by Cormac Herley of Microsoft entitled, "So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users."  In his paper, Mr. Herley argues thoughtfully that compliance with even simple security measures, like changing your passwords, is so time-consuming that it is not worth the effort for most users.

This is an interesting argument and article (although it is a mite technical), and it deserves real consideration. There is no dispute that security measures decrease productivity to some extent. The questions that need to be asked are how much security actually impairs productivity, and whether the cost in lost productivity is less than the cost of an actual security breach.

As Mr. Herley suggests, the answers to this question are difficult, because of "externalities" -- economic costs that are visited on some people by the actions of others.   His solution is not simply to reject security measures, but to analyze them and determine what works and what does not, so that it is easier to determine what measures are worth users' time and what measures do not pay off.  In Mr. Herley's words, "security advice that has compelling cost-benefit trade-offs has a real chance of user adoption."  This trade-off analysis is a worthy exercise for any individual and for any organization.