Friday, September 02, 2016

Surveys galore: cybercrime wave, government prodding, and more

One of the biggest problems with fighting cybercrime is knowing how much of it there is. If you or your organization have been a victim of cybercrime - and a recent study said that 80% of organizations have* - then you know there is too much of it. Indeed, another recent survey suggests that 69% of US adults agree their country is experiencing a wave of cybercrime.** This state of affairs has many people thinking that the government is not doing enough to fight cybercrime. How many? About 63% in a recent survey.***

And right there, in that short paragraph, you see how important it is to measure the problems you are trying to solve, whether it's "how big is that gap in the planking that's letting water into the boat?" or "how big is that gap between the number of people we need to fight cybercrime and the current supply?" That latter question has been preoccupying me a lot this year and it's a tough one to answer, but that doesn't mean we shouldn't try. After all, this gap is causing serious problems for many organizations. According to a CSIS/Intel-McAfee survey, more than 70% of enterprises had suffered losses that they attributed to a lack of skilled security professionals.

I address this problem in a paper that I am presenting at the 26th Annual Virus Bulletin Conference next month, wherein I conclude that the global cybersecurity skills gap probably is about one million people - a widely quoted figure - and headed on its way to 1.5 million. However, these figures are not what you'd call "official" and in reality, most public policy around cybercrime and cybersecurity is driven by guesswork or academically unsound surveys that are all too easy for policymakers to discount because the studies are financed by entities who, it could be argued, stand to benefit from exaggerating the problem.

Consider the size of the cybercrime problem that is a major cause of the cybersecurity skills gap. There is clearly a lot of criminal activity in cyberspace. Gone are the days when computer systems were not constantly attacked by criminals seeking data and access that they can monetize in virtual black markets - even the tiny website that I put up this summer to conduct a survey of CISOs was assailed from IP addresses on the other side of the planet (that's "the new normal" for IT projects today). But how much cybercrime is a lot? Is it getting worse? Relative to what? I talked about the troubled history of cybercrime surveys at VB last year and concluded that the government was to blame.

That's right, the government. Because keeping track of crime is one of the fundamental functions of government. So it was with a mixture of laughter and anger that I read the recent headline out of the UK: "Cyber-crime now included in government stats." I mean really, it's 2016, people! Shouldn't you have been doing this in 1996, or 2006? And the US government is no better; its last attempt to measure the impact of cybercrime on US companies was 2005. These days it just tells people to look at private label reports (put together by people who sell security services, which makes them hard to use in policy debates).

*KPMG executive survey

Here's what we know: "Eight out of 10 executives surveyed acknowledge that their companies had been compromised by cyber attacks in the past two years, according to a new study by KPMG." CIO.

Unfortunately, I can't find a link to the actual study from which this statistic is taken, so I don't know how many executives were surveyed or the exact wording of the question. But here's what that statistic would look like if the survey question had been "Do you agree that your company has been compromised by cyber attacks in the past two years?"

**Crime wave survey

In this case, I do know who answered this question: 389 US adults. I know because I have access to the results from Google Consumer Surveys. The question was: "Do you agree that America is currently experiencing a cyber crime wave?" As you can see, more than twice as many people agree as disagree.

If you've never heard of Google Consumer Surveys, these are the source of those questions that websites ask you to answer in order to see content. Google makes a strong case for saying that this survey technique produces academically defensible results - you can read a good discussion here. I have used them myself and have been impressed. I repeated one particular survey and the results compared very favorably. This same system was also used for the following survey.

***Federal government not doing enough about cybercrime survey

Some 676 US adults were asked what they thought about this statement: "The federal government is not doing enough to catch and prosecute people who commit computer crimes." The possible answers were: I agree; I disagree; and Computer crime doesn't bother me. As you can see, a lot of people agree the government is not doing enough.
