Sex, Lies and Cyber-crime Surveys

We often hear extravagantly large numbers tossed around for cyber-crime losses. Mostly, we find in a new paper, these numbers are completely unreliable. They’re based on self-reported numbers, where a single lie or exaggeration from a single respondent is all it takes to generate a wildly inaccurate estimate. Errors don’t cancel, and errors to the high side are unbounded.

“You should never trust user input” says one standard text on writing secure code [19]. It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy.
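The sketch below is an added illustration, not code from the post or the paper. It shows how one unverified answer moves an extrapolated loss estimate, and why an overstatement has no ceiling while an understatement cannot go below zero. The population, sample size and dollar amounts are constructed assumptions.

```python
# Added illustration; every figure below is a constructed assumption, not survey data.

POPULATION = 200_000_000   # assumed population the survey is extrapolated to
SAMPLE_SIZE = 1_000        # assumed number of respondents

def extrapolate(responses, population=POPULATION):
    """Usual survey estimate: sample mean loss scaled up to the population."""
    return sum(responses) / len(responses) * population

def dollars_per_claimed_dollar(n_respondents, population=POPULATION):
    """How much one respondent's extra claimed dollar adds to the estimate."""
    return population / n_respondents

def shift_from_one_answer(responses, index, reported, population=POPULATION):
    """Change in the estimate when one respondent reports `reported` instead."""
    altered = list(responses)
    altered[index] = reported
    return extrapolate(altered, population) - extrapolate(responses, population)

def top_share(responses):
    """Fraction of the whole estimate that rests on the single largest answer."""
    total = sum(responses)
    return max(responses) / total if total else 0.0

def build_truthful_sample():
    """Constructed sample: 980 respondents lost nothing, 20 lost $500 each."""
    return [0] * 980 + [500] * 20

if __name__ == "__main__":
    truth = build_truthful_sample()
    victim = len(truth) - 1
    print(f"truthful estimate:           ${extrapolate(truth):,.0f}")
    # One respondent overstates a $500 loss as $50,000: no upper limit applies.
    up = shift_from_one_answer(truth, victim, 50_000)
    print(f"one answer inflated 100x:    {up:+,.0f}")
    # The same respondent understating can at most report zero.
    down = shift_from_one_answer(truth, victim, 0)
    print(f"same answer cut to zero:     {down:+,.0f}")
    inflated = truth[:-1] + [50_000]
    print(f"share resting on one answer: {top_share(inflated):.0%}")
```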

About cormac

Very, very occasional thoughts on security from Cormac Herley
