3/23/2016

Headline March 24, 2016/ ''' EVERY CRIME'S A *CYBER-CRIME* '''






ON JANUARY 12th last year, President Obama launched a new drive to improve data security and privacy, including a new *Personal Data Notification and Protection Act*.

This would require companies to tell customers within 30 days of discovering that their information has been hacked into.

If there were more disclosure, and thus more information on the amount, types and costs of cyber-crime, companies would know better how to spend their information-security budgets.

It would also be easier to work out what sort of insurance cover to buy. American firms' spending on cyber-liability cover jumped from $1.3 billion in 2013 to roughly $2 billion in 2014, says Andreas Schlayer, a senior underwriter at Munich Re of Germany.

Most American states have laws requiring some sort of disclosure of hacking attacks. But ''a good portion'' of firms still do not announce them for fear of damage to their brands, notes Mark Greisiger of NetDiligence, a Pennsylvanian cyber-security firm.

European countries generally do not require disclosure, so even fewer firms there bother, says Costin Raiu of Kaspersky Lab, a Russian internet-security firm.

Firms that do acknowledge losses struggle to quantify them. In a survey a year ago of 4,881 security practitioners in 15 countries by the Ponemon Institute in Michigan, 35% of the organizations subject to a successful intrusion were unsure of exactly which records the thieves had copied.

Even if it is known that information has been taken, calculating the cost is still hard. If a shipyard has details of a big contract negotiation stolen at the behest of a rival, how can it be sure it would not have lost the deal anyway?

How will Sony Pictures measure the damage from having executives' e-mails, containing disparaging comments about its stars, released on the Internet?

A comprehensive and robust methodology for estimating such costs does not exist yet, says Roberto Baldoni, who heads the cyber-intelligence centre at La Sapienza University in Rome.

Dmitri Alperovitch, a founder of CrowdStrike, a Californian security firm, says that cyber-attacks appear to be picking up significantly but attempting to estimate the damage is futile.

Most figures will be ''wack'', he says, ''so we'd rather not play that game.'' Plenty of other outfits, however, do publish estimates.

Consider one from a 2014 study by the Centre for Strategic and International Studies, a think-tank in Washington, DC. Cyber-crime, it concluded, bleeds between $300 billion and $1 trillion from businesses worldwide each year.

One of the study team says that good data were so scarce, they had joked about publishing the findings along with an online random number generator that readers could click on until it produced an estimate to their liking. ''That was a little depressing,'' he says.

The study was sponsored by McAfee, a large American seller of antivirus software. Its own 2009 calculation of the global cost to businesses produced the figure of more than $1 trillion.

This was roundly derided as bloated, even by the researchers who had provided McAfee with data from which the estimate was extrapolated. One of them, Eugene Spafford, a Purdue University computer scientist, said he was ''really kind of appalled'' by the exaggeration. McAfee republished the number in 2011. *It still circulates*.

The weakness of many estimates is partly due to bogus definitions, says Ross Anderson, a security-engineering expert at the University of Cambridge in Britain. Tax returns and claims for insurance, welfare benefits and reimbursement for company travel are increasingly filed online.

This has emboldened many to lump tax, insurance, benefit and expenses fiddles together with genuine cyber-crime and, ''hey, ching!'', produce enormous numbers, he says.

Surveying 1,000 voters about their preferences can often be a good predictor of an election outcome. Most cyber-crime estimates are based on surveys, too, but there is a big difference. Respondents are asked to provide speculative numbers rather than report preferences.

This often leads to huge errors. Say that companies cumulatively producing a quarter of a percent of GDP reply to a cyber-crime survey. A single firm's exaggeration by $1 million adds a bogus $400 million to the tally when scaled up to reflect the entire national economy.

Firms which have suffered a loss, or suspect they have, are likely to be more willing to fill out a cyber-crime questionnaire than those with no such worries. So there is bound to be an inbuilt bias towards overestimating losses.

A research paper from Microsoft, ''Sex, Lies and Cyber-crime Surveys'', concludes that ''no faith'' should be placed in numerical estimates derived by means of this multiplication trick.
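
The scale-up arithmetic and the response bias described above, worked through as an added example (it is not from the original article or from the Microsoft paper). The economy of 8,000 equal-sized firms, the 5% victim rate, the $1 million loss per victim and the 4x response ratio are constructed assumptions; only the 0.25% GDP share and the $1 million exaggeration come from the text.

```python
from fractions import Fraction

# Constructed economy (assumption, not data from the article): 8,000 equally
# sized firms, 400 of which (5%) each truly lost $1M to cyber-crime.
FIRMS = 8000
VICTIMS = 400
LOSS_PER_VICTIM = 1_000_000
TRUE_TOTAL = VICTIMS * LOSS_PER_VICTIM  # $400M
SAMPLE = 20                             # respondents
GDP_SHARE = Fraction(SAMPLE, FIRMS)     # 0.25% of GDP, as in the article


def scale_up(reported_losses, gdp_share):
    """The multiplication trick: divide the respondents' summed losses by
    the share of GDP they produce to get a national figure."""
    return int(sum(reported_losses) / gdp_share)


def answers(n, victims_in_sample, exaggeration=0):
    """Build n survey answers; the first respondent overstates by `exaggeration`."""
    reported = [LOSS_PER_VICTIM] * victims_in_sample + [0] * (n - victims_in_sample)
    reported[0] += exaggeration
    return reported


def self_selected_victims(n, response_ratio):
    """Expected victims among n respondents when a victim is `response_ratio`
    times as likely as a non-victim to return the questionnaire."""
    w_victim = VICTIMS * response_ratio
    w_other = FIRMS - VICTIMS
    return round(n * Fraction(w_victim, w_victim + w_other))


def scenarios():
    representative = SAMPLE * VICTIMS // FIRMS   # 1 victim among 20 respondents
    biased = self_selected_victims(SAMPLE, 4)    # victims respond 4x as often
    return {
        "true_total": TRUE_TOTAL,
        "honest_representative": scale_up(answers(SAMPLE, representative), GDP_SHARE),
        "one_firm_exaggerates_1m": scale_up(answers(SAMPLE, representative, 1_000_000), GDP_SHARE),
        "self_selected_sample": scale_up(answers(SAMPLE, biased), GDP_SHARE),
    }


if __name__ == "__main__":
    for name, dollars in scenarios().items():
        print(f"{name:26s} ${dollars:>13,}")
```

In this constructed case the honest, representative sample recovers the true total, one overstated answer doubles it, and self-selection alone triples it without anyone misreporting.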

Glimmers of hope for better estimates are on the horizon. Like the American administration, the European Union is also drafting legislation to force firms to provide full and prompt information about hacking attacks.

The effort put into quantifying the harm done will grow as insurance claims and lawsuits multiply. [Home Depot, an American hardware retailer, faces at least 21 suits over customer data it lost last year.]

The losses that hackers cause to businesses may sometimes be exaggerated, but they are significant, and almost certainly growing.

With respectful dedication to the Scientists, Technologists, Students, Professors and Teachers of the world. See Ya all on !WOW!  -the World Students Society and the Ecosystem 2011:


''' A World Won Over '''

Good Night and God Bless

SAM Daily Times - the Voice of the Voiceless
