A few days ago, this article in the Figaro about attempts to evaluate the total cost of cyberattacks caught my eye. The author’s confusion is evident – having found diverse information sources, he had trouble making sense of it all. He’s onto something, however, when he cites a study conducted by McAfee in 2008. This study estimates the total cost of cyberattacks at about $1,000 billion to the world’s economy, which would be 1,64% (to be precise) of the world’s GDP.
A figure like this, so fantastically round as it is large (as
himself would avow) arouses suspicion. It’s completely inconsistent with the other estimates given in the article. If cyberattacks cost the U.S. $560 million in 2009, how is it possible that the world reached the astronomical total of $1,000 billion in 2008?
Not so long ago, I showed that the so-called worldwide cost of forgery was absurdly estimated, with a final figure that was absolutely false yet surfaced at every turn, with so-and-so citing the figure in reference to what’s-his-name, who asserts the figure came from what’s-his-face, who got it from that other really smart guy. This $1,000 billion figure is following the same track. What’s worse, the statistic was cited at the United Nations forum on cyber-security, which referenced Europol data, which itself referenced… the McAfee study. This is how such a number becomes the “authority” figure, as the author puts it. Yet this still doesn’t tell us how such a statistic is determined.

A totally invented total
I took a look at that infamous study conducted by McAfee on the cost of cybercrime in 2008. You can also check it out right here [PDF]. Surprisingly, the $1,000 billion statistic is nowhere to be found. The number was, in fact, cited for the first time by the president of McAfee, at the Davos forum. His exact statement was that the report “Shows that the cost of cybercrime is 1,000 billion dollars per year, or more.” Yet the study itself never even mentions this figure!
What was seemingly more surprising than not knowing where the statistic came from was that a contributor actually asked for the source. One way of explaining the figure could be the following: the study was based on interviews with 1,000 company executives (about 500 different companies were interviewed), and it estimates an average loss of 4,6 million dollars worth of intellectual property in 2008. We can then guess that the $1,000 billion statistic was established by treating this sample as representative of the entire population (which is absolutely absurd), and applying it to the world’s economy. It is impossible to be certain how the figure was reached, especially when no mention of methodology appears anywhere in the document. This statistic was completely invented, and legitimized itself by citing a study that never even alludes to such numbers.
Yet this doesn’t stop it from being cited as an “authority” figure, recycled by all kinds of organizations. Others – who without a doubt want to sound impressive – affirm that “The real number must of course be even higher” because the study took place in 2008… They’re just chomping at the bit for the figures that will triumphantly show the $1,000 billion in 2008 has in fact doubled to a grand sum of $2,000 billion! Don’t laugh, it will happen.
Now, you must be asking yourself, how could such a bogus statistic be cited everywhere and become the “authority?” The main reason is well known – citing numbers makes you look authoritative and smart. The sentence “Crime has increased since last year” has a lot less punch than “Crime has increased 4.5% since last year.” I just made up that number, but the second sentence already seems more credible. It gives the impression that I know what I’m talking about, that something has been effectively measured, even though my figure has no significance.

A global problem
We could conduct the same sort of analysis on L. Wauquiez’s claim that “One Internet user out of 30 has lost money due to piracy in Europe over the last 12 months.” As is always the case, the figure was recycled and cited, without the slightest effort to check the sources (the article cites even more figures about the costs of cyberattacks which are just as unverifiable). This is proof that the “war on cybercrime” is almost entirely composed of unrelated correlations which are used to stir up trouble and make bigger scandals.
My goal isn’t to assert that cyberattacks aren’t important, that they don’t cost anyone anything, or that we shouldn’t pay attention to them. What I want to remind everyone is that the costs are extremely difficult to determine. Those who multiply the figures are doing so for their own interests. Exhibit A: McAfee to bolster their commercial niche. Exhibit B: Legitimizing the decision to create a Security Theatre (just like the politicians and administrations that use the same kinds of citations to “show” that their government is “working”).
Collective, widespread hysteria
The exaggeration of threats – with the assistance of meaningless figures – has serious consequences. If $100 are stolen from me, the real social cost of this act isn’t the $100 which was just transferred from one person to another. The true cost surfaces because I change my behavior. I’ll spend more of my personal resources on protecting my assets, resources that I would normally have spent on more useful purchases. If a pirate obtains my debit card information, it’s frustrating and annoying, but it isn’t the end of the world (sometimes it’s only necessary to block the fraudulent charges). If a hacker reveals the characteristics of the new iPad and its release date, this will lead to numerous vendors holding out for the new model instead of buying the current model. This harms Apple, but it is also an advantage for consumers. If hackers really succeeded in obtaining the Bercy documents, they would have observed and shared their lack of value. The cost of September 11 for the United States wasn’t a direct cost (death, destruction of property) but the entirety of the actions taken in response to that day’s events (two wars, airport security, deaths caused by automobile accidents due to certain people refusing to take airplanes, etc.).
The principal cost of crime tends to occur when it’s given too much importance, when social resilience is ignored, and when too much money is spent on reducing it which would be better spent elsewhere. Multiplying these fantastical and alarmist “costs” of cyberattacks replaces the reasonable question “What resources – that could be used elsewhere – should be devoted to this problem?” This form of widespread hysteria cannot be easily calmed because absolute security is impossible. This hysteria would become exponentially more intense, to the detriment of the whole.
—
This article was initially published on Econoclaste
Photo credits: Flickr CC kmichiels, Curtis Gregory Perry, bartb_pt
