The Lack of Cybercrime Statistics: Why the Threat Is Bigger than We Think It Is
How great is the threat of cybercrime to you or your business?
You may think it’s possible to answer this question with a reasonable degree of confidence. It’s easy, after all, to assume that law enforcement and the IT security community have accurate and complete data at their disposal on the frequency of cyber attacks, the organizations they target, and the damage they cause.
The reality, however, couldn’t be more different. The way we measure cybercrime in the US today simply isn’t reliable enough to know this with any degree of certainty – and the statistics we do have only show the tip of the iceberg.
Where Do Today’s Cybercrime Statistics Come From?
First, consider our current reporting system for cyberattacks. In 47 states, organizations are required by law to notify customers and other relevant parties when their data is compromised by hackers. However, this only applies to personally identifiable information (PII) – there’s no legal requirement for organizations to issue notifications when their intellectual property (IP) or some other kind of data is stolen.
Should those organizations suffer cyberattacks, the correct course of action is to log a complaint with the local FBI field office or the FBI’s Internet Crime Complaint Center (IC3). However, this is not mandatory, nor is the number of complaints received a statistically valid measure of the frequency of cybercrime. Many incidents go unreported, while others – such as the more high-profile, public ones – attract an above-average volume of complaints.
Meanwhile, local police departments can’t be counted on to produce reliable cybercrime statistics because their own definitions of cybercrime are so inconsistent. Some will categorize identity theft and a subsequent financial loss as a larceny, whereas others will classify it as fraud, forgery, or something else entirely. And again, compared to robberies, burglaries and assault, cybercrime is often unreported in the first place.
Finally, we can look to independent studies for some idea as to the scale of the threat. Verizon’s annual Data Breach Investigations Report is one example of this. However, while Verizon’s methodology is sound, there’s still the problem of underreporting, and the report generally only indicates the trends in cybercrimes that companies are willing to report. While it is useful in determining whether cybercrime is increasing or decreasing year on year, it’s not an absolute measure of how much of it is out there.
On the whole, the data we have at our disposal is fragmented and incomplete, and our system for reporting cybercrime is vastly inferior to the Uniform Crime Reports (UCR) that have been used by the FBI to track other offenses centrally for the last 80-plus years. The threat could be much, much bigger than we think it is.
Taking Action to Measure and Combat Cybercrime
The paucity of reliable cybercrime statistics has potentially far-reaching implications. As a country, we’re convinced that crime is down, and there’s data – such as the UCR – to support this. But what if criminality is simply moving into the cyber arena? And what could the consequences be of having no way of tracking this?
Without statistics, it becomes difficult to steer government policy and strategy to combat cybercrime, and it becomes difficult for law enforcement to assign sufficient resources to the problem. Until the situation is improved, things are likely to get worse before they get better.
The lesson for the average US business, meanwhile, is this: any data you see on cybercrime, however strongly worded the report or however high the numbers, is based on inconsistent reporting. All you’re seeing is the tip of the iceberg.