Vendor cybercrime report in the hot seat again

One expert called the loss figure in the Norton report 'preposterous,' noting the number might be 50 times too high

Symantec's Norton group released a new cybercrime study this week that found the average cost of online crime per victim declined during the past year. Even after that decline, however, at $110 billion a year cybercrime remains a very big global business.

The credibility of studies commissioned by security vendors has been strained of late. While nobody disputes that the cost of cybercrime is well into the billions, a number of critics have charged that such surveys inflate the numbers to scare more people into buying security software.

McAfee has recently estimated the annual cost of cybercrime worldwide at $1 trillion; Symantec has estimated the annual cost of intellectual property theft in the U.S. at $250 billion.

Computer scientists Dinei Florencio and Cormac Herley, of Microsoft Research, authors of a recent paper titled "Sex, Lies and Cyber-crime Surveys," wrote: "Our assessment of the quality of cybercrime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings."

Norton based its latest report (PDF file) on an online survey of more than 13,000 adults aged 18-65 in 24 countries. It found the average cost per victim of cybercrime was $197. In the U.S., however, it was $290.

"In the past twelve months, an estimated 556 million adults globally experienced cybercrime, more than the entire population of the European Union. This figure represents 46% of online adults who have been victims of cybercrime in the past twelve months, on par with the findings from 2011 (45%)," Symantec said in a press release. Norton extrapolated 71 million cybercrime victims in the U.S., with damages of $21 billion.

Norton, which has hired the market research firm StrategyOne for the past three years to conduct the study, is seeking to preempt any skepticism.

The company acknowledged in a statement that consumer surveys are not subject to peer review, but said that in addition to review by StrategyOne and Norton's own internal experts, it also turned the report over to Jonah Berger, Assistant Professor of Marketing at the University of Pennsylvania's Wharton School, who said, "The standards and best practices for market research were followed and meet the established guidelines of market research."

Andrew Jaquith, CTO of Perimeter E-Security, is not convinced. He called the U.S. loss figures "preposterous." Last year the Federal Trade Commission (FTC) aggregated "more than 1.8m complaints about identity theft, fraud and other types of complaints from a wide variety of law enforcement -- 15% of these were identity theft complaints, and 55% were fraud related. The fraud costs to consumers were reported to be about $1.5 billion. That's less than one-tenth of Norton's $20 billion figure," he said.


Jaquith also said that the FTC found 280,000 cases of bona fide identity theft. "Even if you assume that every one of these were 'cybercrime related,' that's also just 2% of the 71 million victims figure that Norton cited," he said, "which suggests the number might be as much as 50 times too high."

Norton says that self-reporting is more accurate than police reports or fraud statistics, because only about a third of cybercrime victims report it to the police.

"We stand behind the report and its methodology," Norton said. "Self-reported data is a standard research method and the data is normalized by sampling across a large number of adult consumers, nationally representative in each of the 24 countries where the survey took place."

The types of crimes reported ranged from computer viruses and other malware to phishing, including forged, spoofed or fake email or websites. It also included online bullying or harassment, hacked email accounts, hacked social networking profiles, online scams, online credit card fraud, identity theft, smishing (unsolicited SMS text messages), and mobile malware.

Jody Westby, CEO of Global Cyber Risk, faulted the report for what she said was, "not enough depth ... to tell people what was considered, what information was gathered, and how the statistics were calculated."

But Westby said she believes such reports have value because "they raise awareness and they help people understand the extent of the problem, although since the statistics are so grey, it is hard to compare."

Andrew Jaquith said he believes surveys are useful in the aggregate. "I tend to take the different vendor surveys to gain a composite view of the market and to validate trends," he said. "I don't place any weight on any particular surveys."

Norton, of course, offers software security products to tackle the cybercrime menace. But the report also notes that consumers can protect themselves by following advice that has now been around for decades: to be wary of unsolicited emails or texts, to use complex passwords and to change them regularly.

Neal Creighton, CEO of CounterTack, adds that consumers should "only submit personal information on a secure site where the padlock tells them they are secure. For more assurance, look for the green bar in the address window and the padlock -- that tells you that you are on a highly authenticated site."

The study found that consumers' security IQs are improving, in that large majorities don't open links or attachments in unsolicited emails and do use a basic antivirus solution. But 40% don't use rigorous password security, and, as has been reported in the past, many don't upgrade regularly, partly because they suspect automatic prompts to upgrade may be malware, or because they don't like the additional "crapware" packaged with an update.

Some experts argue that manufacturers should build security into their products. And Gary McGraw, CTO of Cigital, regularly says that security could be vastly improved if product manufacturers would "build things that aren't broken."

Creighton says some of that is happening. "For example, the major browsers have built extended validation SSL into their products, which gives consumers more protection through higher authentication levels on sites," he said. "If you see a green bar in the URL address bar and a padlock, you can be very certain you are on a legitimate site and not a phishing/fraud site."

Copyright © 2012 IDG Communications, Inc.