Editor’s note: As part of our special editorial partnership, Channelnomics is publishing this recent article from CRN in the UK.
McAfee’s chief technology officer has expressed regret at the security vendor’s widely discredited move to put a value of $1 trillion on annual losses caused by global cybercrime.
The Intel Corp.-owned security vendor first cited the $1 trillion figure in a press release accompanying its 2009 report entitled Unsecured Economies: Protecting Vital Information (the report itself did not refer to it). Although widely panned by academics and the media, the figure — often mentioned in conjunction with it outstripping global losses from drug trafficking — has since been bandied about by prominent politicians and bureaucrats, including most notably President Barack Obama.
Last month, that figure was slashed by two-thirds in McAfee-backed research conducted by the Center for Strategic and International Studies (CSIS). The report stated that losses from cybercrime were probably “in the range” of $300 million, amounting to four tenths of one percent of global GDP and half the $600 billion figure pinned on global losses sustained from drug trafficking.
But talking to The Australian Financial Review, McAfee chief technology officer Mike Fey said he regretted McAfee’s attempts to quantify the market, admitting that even recent, more cautious, estimates were “hard for me to swallow.”
“I wish we had never put a dollar figure on it,” Fey was quoted as saying. “[It is] very scary to just latch onto the number.
“People take that half-a-trillion number, and say ‘that’s what it’s worth.’ What they forget is organizations are spending a very large amount of money to [deter] attacks today — so there’s an additive number that has to go on top of that. It would be like saying car crashes kill three people a year in this particular city, so how much should we invest in stop lights. It’s flawed.”
Fey said it was tough to put a dollar figure on cybercrime losses. Cumulative losses would ignore data breaches that firms failed to disclose to the public, for instance. Companies that try to quantify what a data breach could cost them may not own up for fear of having to pay out to those affected, he added.
The CSIS notes the estimates for annual losses from cybercrime range from a few billion to hundreds of billions of dollars, which it says reflects difficulties in measuring the market.
“Companies conceal their losses and some are not aware of what has been taken. Intellectual property is hard to value,” it said. “Some estimates relied on surveys, which provide very imprecise results unless carefully constructed. One common problem with cybersecurity surveys is those who answer the questions ‘self-select’, introducing a possible source of distortion into the results.
“Given the data collection problems, loss estimates are based on assumptions about scale and effect — change the assumption, and you get very different results. These problems leave many estimates open to question.”
For more UK channel coverage from CRN, visit www.channelweb.co.uk