Surveys of cyber crime and numbers of sexual partners have a lot in common, researchers have suggested.
Both are self-reporting, uncorroborated surveys that are subject to "catastrophic errors", according to analysis by a Microsoft research team.
Over-reporting by a small number of survey subjects can wildly skew final estimates.
As a result, they said, no faith should be placed in the evidence these surveys claim to have uncovered.
Body countThere were deep similarities between surveys that try to get a snapshot of hi-tech crime and those that peep into human sexual relations, said Dinei Florencio and Cormac Herley in a paper entitled Sex, Lies and Cyber Crime Surveys.
Typically these surveys build up their totals from self-reported estimates because both phenomena defy "large-scale direct observation".
In the case of sexual partner surveys, such self-reporting produces totals which suggest that men have had far more female sexual partners than women have had male sexual partners. This, according to the researchers, "is impossible".
The truth is that in these surveys men over-report partner numbers and women under-report. Plus, said the researchers, some men tell "whopping" lies about their sexual lives and, as a result, vastly inflate the final results.
The same is true of cyber crime surveys, in that respondents tend to over-report. Also some wildly overestimate the financial loss they suffered or the time it took to resolve problems caused by theft of login details, credit card numbers or other valuable data.
Mathematical analysis of the surveys shows that it only takes a few large overestimates to produce a total that bears little relation to the facts.
"Our assessment of the quality of cyber crime surveys is harsh," wrote the researchers. "They are so compromised and biased that no faith whatever can be placed in their findings."
David Emm, senior security researcher at Kaspersky Labs, said he was always "sceptical" about figures that tried to quantify cyber crime.
"It's by definition a covert economy," he said, "cyber criminals don't publish annual accounts."
But, he said, it was not necessary to produce a global market estimate to be sure it was a big problem.
"Look at the reports in online media of arrests of cyber criminals and the figures cited for what the criminals would have 'earned' had they been successful," he said.
"These are real figures," he added. "Given that this is just the tip of a much larger iceberg, it's clear that it's a lucrative business."
The Sex Lies and Cyber Crime surveys paper is due to be presented at the forthcoming Workshop on the Economics of Information Security.
0 comments:
Post a Comment