I think we should just admit that there's a "cyber-" inflation factor. That is, for anything in which someone puts a prefix of "cyber-" before a word, we can assume that reports of the "impact" are going to be massively inflated. Cyberwar? Totally overhyped. Cyberbullying? Not nearly as crazy as you hear. And now we've got a new report saying that reports of "losses" from "cybercrime" appears to be greatly overestimated
First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N = 1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion
And yet, of course, such claims of massive losses will still be regularly repeated in the press and by politicians. I've always said that it would be great if we could force feed politicians and journalists economics lessons, but I'd like to propose adding statistics to the required curriculum as well.