A new cybercrime survey by Australian outfit Essential Research has begun to unravel the threads that vendors tend to tangle. Their initial results suggest things might not be nearly as bad as we're told.
When it comes to inflated online crime statistics, the information security industry has got form. Last year I called out Symantec and McAfee, the global top two, for potentially inflated claims. Of course they're not alone, but bigger budgets fuel a faster flow of flaky factoids.
Symantec's Norton Cybercrime Report 2012, released in September, used significantly better methodology. Credit to them. But it still lumped together all manner of Bad Things That Happen On The Internet to keep those victim numbers looking nice and high. Others vendors use the same trick.
When Symantec claims that there's 556 million victims of online crime every year, for example, that may cover a wide range:
- "Computer viruses or malicious software appeared on my computer." Sure, but were they detected and disarmed?
- "I responded to online scams." But did you actually get sucked in and lose money?
- "Someone has hacked into my social networking profile and pretended to be me." But one-third of those surveyed said they don't log out at the end of a session.
- "I was approached online by someone in an unwanted sexual way." But did you block them, and that was the end of it? Or did it continue into harassment?
Plus other equally ambiguous possibilities, including "another type of cybercrime". Whatever that might cover.
Extrapolating from the losses reported by the victims, Symantec estimates that the direct cost of cybercrime in Australia is $1.65 billion a year. That's down from last year's estimate of $1.8 billion but, given the survey's margin of error, it's not statistically significant.
The Essential Research, commissioned by Crikey's Canberra correspondent and fellow cybercrime skeptic Bernard Keane, makes two significant improvements. It asks separate questions about each category of crime. And it provided breakdowns of the victims' actual financial losses, if any.
"Based on the Essential results, 44 per cent of Australians, or around 10 million of us, have experienced various types of cybercrime at an average cost of $310," Keane writes.
"Assuming some victims have suffered multiple instances of cybercrime, let's revise the cost upward by a generous 50 per cent to $465. That gives us a total lifetime cost of $4.65 billion for Australians -- far short of even the $1.8 billion pa direct cost estimate from Norton."
Keane derides attorney-general Nicola Roxon's claim that identity fraud is one of Australia's fastest growing crimes and that one in four Australians "had been a victim or had known someone who had been a victim of identity theft" -- a calculus which is really one of perception and fear.
"According to Essential, just 1 per cent of Australians report ever being the victim of identity theft. If identity theft is 'Australia's fastest growing crime' as Nicola Roxon, the AFP [Australian Federal Police] and many media reports insists, then it must have been coming off a positively microscopic base," he writes.
Well, it was.
The term 'identity theft' was coined in 1964, but Google Books' Ngram Viewer shows that it really only came into currency in the last decade or so. Identity theft would have previously been called something like "impersonation with intent to commit fraud". As identity theft, it's a new crime.
This highlights a key weakness in most cybercrime research: it relies on the people being surveyed to understand what's being asked of them.
Do most people really know what "identity theft" means? Are they really in a position to say, with any certainly, that their computer was actually hacked or suffered a virus? Amongst the non-technical, "virus" is just shorthand for "my computer did something weird that I don't understand". As support staff well know, it's often a cover for human error.
Another common weakness is that people are being asked if they've "ever" been a victim, as Essential Research does. But it's now a decade since worms routinely brought Windows to its knees. Defences have improved.
Could this supposed cybercrime wave have actually peaked years ago?
The short answer is that we simply don't know.
These unofficial surveys are relatively small. We don't have any official statistics because, at least here in Australia, the police don't record whether a crime like fraud did or didn't involve the internet. Fraud is fraud.
Indeed, the "cyber" tag tends to cloud what's going on. Fraud, after all, is nothing new. And neither are harassment, theft, romance scams and the rest.
Symantec's improved methodologies and Essential Research's disinterested polling are welcome moves, and there have been others recently. But we still have a long way to go before we really understand the scope of online crime.