We often hear extravagantly large numbers tossed around for cyber-crime losses. Mostly, we find in a new paper, these numbers are completely unreliable. They are based on self-reported numbers, where a single lie or exaggeration from a single respondent is all it takes to generate a wildly inaccurate estimate. Errors don’t cancel, and errors to the high side are unbounded.
“You should never trust user input,” says one standard text on writing secure code. It is ironic, then, that our cyber-crime survey estimates rely almost exclusively on unverified user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy.
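As an added illustration (not part of the paper), the following script shows why a mean-based extrapolation from self-reported losses lets one exaggerated answer dominate the estimate, and why the error is unbounded upward but bounded downward. The population size, sample size and loss figures are constructed, and the estimator (scale the sample mean up to the population) is an assumption about how such surveys are typically extrapolated.

```python
"""Added example (not from the paper): how one exaggerated self-report
dominates a survey-based estimate of total cyber-crime losses.

Assumed estimator: scale the sample mean of reported losses up to the
population. All numbers below are constructed for illustration."""

N_POPULATION = 200_000_000  # constructed: people the survey is extrapolated to
SAMPLE_SIZE = 1_000         # constructed: respondents in the survey


def constructed_sample():
    """980 respondents report no loss, 20 report a $100 loss (constructed)."""
    return [0.0] * (SAMPLE_SIZE - 20) + [100.0] * 20


def population_estimate(losses):
    """Sample mean scaled to the whole population."""
    return sum(losses) / len(losses) * N_POPULATION


def respondent_share(losses, index):
    """Fraction of the total estimate attributable to a single respondent."""
    return losses[index] / sum(losses)


def with_claim(losses, index, claimed):
    """Copy of the sample in which respondent `index` reports `claimed` instead."""
    altered = list(losses)
    altered[index] = claimed
    return altered


def estimate_shift(losses, index, claimed):
    """Change in the population estimate when one answer changes.
    High side: unbounded, since `claimed` can be arbitrarily large.
    Low side: bounded, since a reported loss cannot fall below zero."""
    return population_estimate(with_claim(losses, index, claimed)) - population_estimate(losses)


if __name__ == "__main__":
    sample = constructed_sample()
    honest = population_estimate(sample)
    print(f"honest estimate: ${honest:,.0f}")
    for claim in (1e4, 1e6, 1e8):  # one respondent exaggerates
        inflated = with_claim(sample, 0, claim)
        print(f"claim ${claim:>13,.0f} -> estimate ${population_estimate(inflated):>20,.0f}, "
              f"share of total {respondent_share(inflated, 0):.1%}")
    # the most any single respondent can pull the estimate down
    print(f"largest downward shift one respondent can cause: "
          f"${estimate_shift(sample, SAMPLE_SIZE - 1, 0.0):,.0f}")
```

Each exaggerated dollar in the sample adds N_POPULATION / SAMPLE_SIZE dollars to the estimate, so a single respondent claiming $1,000,000 accounts for over 99% of the total.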