Trinidad and Tobago Guardian: January 22nd 2015
BUSINESS GUARDIAN • JANUARY 2015 • WEEK FOUR • www.guardian.co.tt
THE ECONOMIST
crime, companies would know better how to spend their
information-security budgets. It also would be easier to work
out what sort of insurance coverage to buy: American firms
spending on cyber-liability coverage jumped from US$1.3
billion in 2013 to roughly US$2 billion in 2014, said Andreas
Schlayer, a senior underwriter at Munich Re of Germany.
Most American states have laws requiring some sort of disclosure
of hacking attacks. Nevertheless, "a good portion" of
firms still do not announce them for fear of damage to their
brands, said Mark Greisiger of Netdiligence, a Pennsylvanian
European countries generally do not require disclosure, so
even fewer firms there bother, added Costin Raiu of Kaspersky
Lab, a Russian Internet-security firm.
Firms that do acknowledge losses struggle to quantify them.
In a survey last year of 4,881 security practitioners in 15 countries,
conducted by the Ponemon Institute in Michigan, 35 per
cent of organisations which had been subject to a successful
intrusion were unsure of exactly which records the thieves
Even if it is known what information has been taken, calculating
the cost still is hard. If a shipyard has details of a big
contract negotiation stolen at the behest of a rival, how can
it be sure it would not have lost the deal anyway? How will
Sony Pictures measure the damage from having executives'
emails, containing disparaging comments about its stars,
released on the Internet?
A comprehensive and robust methodology for estimating
such costs does not exist yet, said Roberto Baldoni, who heads
a cyber-intelligence center at La Sapienza University in Rome.
Dmitri Alperovitch, a founder of Crowdstrike, a Californian
security firm, said that cyber-attacks appear to be picking up
significantly, but that to attempt to estimate the damage is
futile. Most figures will be "wack," he said, "so we'd rather
not play that game."
Plenty of other groups do publish estimates, however. Consider
one from a 2014 study by the Center for Strategic and
International Studies, a think tank in Washington. Cyber-crime,
it concluded, bleeds between US$300 billion and US$1
trillion from businesses worldwide each year.
One of the study team said, however, that good data were
so scarce that they had joked about publishing the findings
along with an online random-number generator that readers
could click on until it produced an estimate to their liking.
"That was a little depressing," he said.
The study was sponsored by McAfee, a large American seller
of antivirus software. Its own 2009 calculation of the global
cost to businesses produced the figure of more than US$1
trillion. This was roundly derided as bloated, even by researchers
who had provided McAfee with data from which the estimate
One of them, computer scientist Eugene Spafford of Purdue
University in Lafayette, Ind., said that he was "really kind of
appalled" by the exaggeration.
McAfee republished the number in 2011, however, and it
The weakness of many estimates is partly due to bogus definitions,
said Ross Anderson, a security-engineering expert at
the University of Cambridge in Britain. Tax returns and claims
for insurance, welfare benefits and reimbursement for company
travel are increasingly filed online. This has emboldened many
to lump tax, insurance, benefit and expenses frauds together
with genuine cyber-crime, he said, and "hey, ching!," produce
Surveying 1,000 voters about their preferences often can
be a good predictor of an election outcome. Most cyber-crime
estimates are based on surveys, too, but there is a big difference:
Respondents are asked to provide speculative numbers, rather
than report preferences, and this often leads to huge errors.
Say that companies cumulatively producing a quarter of a
percent of GDP reply to a cyber-crime survey. A single firm's
exaggeration by US$1 million adds a bogus US$400 million
to the tally when scaled up to reflect the entire national econ-
Companies which have suffered a loss, or suspect that they
have, are likely to be more willing to fill out a cyber-crime
questionnaire than those with no such worries. Thus there is
bound to be an inherent bias toward overestimating losses. A
research paper from Microsoft, "Sex, Lies and Cyber-crime
Surveys," concludes that "no faith" should be placed in numerical
estimates derived by means of this multiplication trick.
Glimmers of hope for better estimates are on the horizon.
Like the Obama administration, the European Union is drafting
legislation to force firms to provide full and prompt information
about hacking attacks. The effort put into quantifying the
harm done will grow as insurance claims and lawsuits multiply.
Home Depot, for example, faces at least 21 suits over customer
data it lost last year.
The losses that hackers cause to businesses sometimes may
be exaggerated, but they are significant and, almost certainly,
©2015 The Economist Newspaper Ltd. Distributed by
the New York Times Syndicate