Skip to main content
Springer Nature Link
Log in

Sex, Lies and Cyber-Crime Surveys

  • Conference paper
  • First Online:
Economics of Information Security and Privacy III

Abstract

Much of the information we have on cyber-crime losses is derived from surveys. We examine some of the difficulties of forming an accurate estimate by survey. First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N = 1, 000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Anderson R, Boehme R, Clayton R, Moore T (2007) Security economics and the internal market. Report for European network and information security agency, 2007

    Google Scholar 

  2. Andreas P, Greenhill K (2010) Sex, drugs, and body counts: the politics of numbers in global crime and conflict. Cornell University Press, New York

    Google Scholar 

  3. Assael H, Keon J (1982) Nonsampling vs. sampling errors in survey research

    Google Scholar 

  4. Avery R, Elliehausen G, Kennickell A (1988) Measuring wealth with survey data: an evaluation of the 1983 survey of consumer finances. Rev Income Wealth 34(4):339–369

    Article  Google Scholar 

  5. Bureau of Justice Statistics. Victims of Identity Theft. http://bjs.ojp.usdoj.gov/content/pub/pdf/vit08.pdf

  6. Federal Trade Commission (2003) Identity theft survey report. http://www.ftc.gov/os/2003/09/synovatereport.pdf

  7. Federal Trade Commission (2007) Identity theft survey report. www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf

  8. Federal Reserve Board. Survey of Consumer Finances. http://www.federalreserve.gov/pubs/oss/oss2/scfindex.html

  9. FlorĂȘncio D, Herley C (2010) Where do security policies come from? In: SOUPS 2010, Redmond

    Google Scholar 

  10. Gartner (2007) Phishing survey. http://www.gartner.com/it/page.jsp?id=565125

  11. Herley C, FlorĂȘncio D (2008) A profitless endeavor: phishing as tragedy of the commons. In: NSPW 2008, Lake Tahoe, CA

    Google Scholar 

  12. Herley C, FlorĂȘncio D (2009) Nobody sells gold for the price of silver: dishonesty, uncertainty and the underground economy. In: WEIS 2009, London

    Google Scholar 

  13. Howard M, LeBlanc D, and Books I (2003) 24x7. Writing secure code, vol 2. Microsoft press, Washington

    Google Scholar 

  14. Internet Crime Complaint Center Annual Crime Report. http://www.ic3.gov/media/annualreports.aspx

  15. Javelin (2003) Identity theft survey report. http://www.javelinstrategy.com/uploads/505.RF_Phishing.pdf

  16. Javelin (2009) Identity theft survey report. http://www.javelinstrategy.com/uploads/505.RF_Phishing.pdf

  17. Kennickell A (1998) Multiple imputation in the Survey of Consumer Finances. In: Proceedings of the section on business and economic statistics, 1998 annual meetings of the American statistical association, Dallas, Texas. Citeseer, 1998

    Google Scholar 

  18. Kennickell A (2009) Getting to the top: reaching wealthy respondents in the SCF. Washington, DC: Federal reserve board of governors, 2009

    Google Scholar 

  19. Lichtman S, Pisarska K, Berman E, Pestone M, Dowling H, Offenbacher E, Weisel H, Heshka S, Matthews D, Heymsfield S (1992) Discrepancy between self-reported and actual caloric intake and exercise in obese subjects. New Engl J Med 327(27):1893–1898

    Article  Google Scholar 

  20. Lorenz J, Rauhut H, Schweitzer F, Helbing D (2011) How social influence can undermine the wisdom of crowd effect. Proc Natl Acad Sci 108(22):9020

    Article  Google Scholar 

  21. Measuring the Effectiveness of In-the-Wild Phishing Attacks. (2009) http://www.trusteer.com/sites/default/files/Phishing-Statistics-Dec-2009-FIN.pdf

  22. Moitra SD. Cyber security violations against businesses: a re-assessment of survey data. http://www.iimcal.ac.in/res/upd\%5CWPS\%20571.pdf

  23. Moore T, Clayton R (2007) Examining the impact of website take-down on phishing. In: Proceedings of APWG eCrime summit, 2007

    Google Scholar 

  24. Morris M (1993) Telling tails explain the discrepancy in sexual partner reports. Nature

    Google Scholar 

  25. National Strategy for Trusted Identities in Cyberspace. Why we need it. http://www.nist.gov/nstic/NSTIC-Why-We-Need-It.pdf

  26. New Scientist (2008) Cybercrime toll threatens new financial crisis. Nov. 20, 2008. http://www.newscientist.com/article/dn16092-cybercrime-toll-threatens-new-financial-crisis.html

  27. Newman M (2005) Power laws, Pareto distributions and Zipf’s law. Contemp Phys 46(5):323–351

    Article  Google Scholar 

  28. Paterson P (2010) The Morphing IT Security Landscape. Nov. 18, 2010 https://vishnu.fhcrc.org/security-seminar/IT-Security-Landscape-Morphs.pdf

  29. Ryan J, Jefferson TI (2003) The use, misuse, and abuse of statistics in information security research. In: Proceedings 23rd ASEM national conference, 2003

    Google Scholar 

  30. Shostack A, Stewart A (2008) The new school of information security research

    Google Scholar 

  31. Systems Solutions Group: Cyber Crime http://www.ssg-inc.net/cyber_crime/cyber_crime.html

  32. TaoSecurity Blog: Brief Thoughts on WEIS (2010) http://taosecurity.blogspot.com/2010/07/brief-thoughts-on-weis-2010.html. July 14, 2010

  33. Tukey J (1960) A survey of sampling from contaminated distributions. I. Olkin, 1960

    Google Scholar 

  34. Wiederman M (1997) The truth must be in here somewhere: examining the gender discrepancy in self-reported lifetime number of sex partners. J Sex Res 34(4):375–386

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Microsoft Research, Redmond, WA, USA

    Dinei FlorĂȘncio & Cormac Herley

Authors
  1. Dinei FlorĂȘncio
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Cormac Herley
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Dinei FlorĂȘncio .

Editor information

Editors and Affiliations

  1. Minneapolis, Minnesota, USA

    Bruce Schneier

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer Science+Business Media New York

About this paper

Cite this paper

FlorĂȘncio, D., Herley, C. (2013). Sex, Lies and Cyber-Crime Surveys. In: Schneier, B. (eds) Economics of Information Security and Privacy III. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-1981-5_3

Download citation

  • DOI: https://doi.org/10.1007/978-1-4614-1981-5_3

  • Published:

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-1980-8

  • Online ISBN: 978-1-4614-1981-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics