The IT security sector is running the risk of harming its reputation with sensationalist claims, says one industry insider, after US vendor McAfee was forced to admit the $1 trillion figure it slapped on the cost of cybercrime was significantly overstated.
In 2009, McAfee released a report attempting to calculate the financial impact of cyber-attacks globally, taking into account the loss of intellectual property among businesses and the money spent on repairing damages, among other factors.
But in a recent interview with the Australian Financial Review, McAfee’s global CTO Mike Fey said he regretted the gargantuan $1 trillion (£640 billion) estimate the firm attached to the report, and admitted that even the more conservative calculations offered by his company since were “hard for me to swallow”.
Security experts and economists have criticised McAfee and its peers for reporting exaggerated figures based on flawed maths, in order to grab people’s attention in discussions around cybercrime, and Fey confessed, “I wish we had never put a dollar figure on it.” He went on to add that it’s “very difficult” to accurately attach a specific cost to cyber-damage.
George Anderson, Enterprise Product Marketing Manager at fellow security firm Webroot, says estimates of this kind have a detrimental effect on his sector as a whole, and calls for an end to alarmist reports.
“The security industry has often been accused of using FUD (Fear, Uncertainty & Doubt) to scaremonger and that has to stop – we need to cut the FUD, the fear and the frenzied reaction it instigates,” he said.
“Cybercrime is a significant abuse that impacts us all, but the truth is we very rarely know how much it truly costs. This [the McAfee report] is another case in point of how an estimation that is wildly off the mark can create consumer distrust and further confusion in the market.”
Anderson adds that the industry’s battle against online crime relies on pooling intelligence and formulating combat strategies based on statistics, making it vital that security companies are honest with their research.
“In order to beat cyber-crime, we need to clearly understand its inner workings, objectives and impact. And that information must be accurate. The security industry needs to be especially trustworthy – being even remotely dishonest undermines our role in helping users protect themselves against criminals.
“The information we provide also needs to be transparent, provide context to its use of statistics, and be rigorous in defining the implications of those statistics. Only then will we ensure the security of consumers and businesses alike,” he said.