Writing in the New York Times, Microsoft researchers Dinei Florêncio and Cormac Herley say estimates of cybercrime losses are mostly mythology. They write, “We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority.” They say that estimated annual direct consumer losses from cybercrime–$114 billion worldwide in one recent example–“are generated using absurdly bad statistical methods, making them wholly unreliable.”
The estimates typically are based on narrow surveys of consumers and businesses which are then extrapolated for the broader population, even though big losses by one or two respondents account for the majority of losses. They write, “It is the rule, rather than the exception. Among dozens of surveys, from security vendors, industry analysts and government agencies, we have not found one that appears free of this upward bias. As a result, we have very little idea of the size of cybercrime losses.” They conclude, “Surveys that perpetuate the myth that cybercrime makes for easy money are harmful because they encourage hopeful, if misinformed, new entrants, who generate more harm for users than profit for themselves.”