For the first time a Norton study calculates the cost of global cybercrime: $114 billion annually. Based on the value victims surveyed placed on time lost due to their cybercrime experiences, an additional $274 billion was lost. With 431 million adult victims globally in the past year and at an annual price of $388 billion globally based on financial losses and time lost, cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).

The research methodology:

Findings are extrapolations based upon results from a survey conducted in 24 countries among adults 18-64. The financial cost of cybercrime in the last year ($114bn) is calculated as follows: Victims over past 12 months (per country) x average financial cost of cybercrime (per country in US currency).

Between February 6, 2011 and March 14, 2011, StrategyOne conducted interviews with 19,636 people and included 12,704 adults, aged 18 and over 4,553 children aged 8-17 years and 2,379 grade 1-11 teachers from 24 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, New Zealand, Spain, Sweden, United Kingdom, United States, Belgium, Denmark, Holland, Hong Kong, Mexico, South Africa, Singapore, Poland, Switzerland, United Arab Emirates).

20,000 interviews – interviews, not surveys – sounds impressive. With an interview lasting some 15 minutes, that’s 300,000 minutes or 5000 hrs or 625 days with an 8hrs day. You’d need a team of some 15 persons making telephone interviews for two months. Doable, just a few hundred thousand bucks going from Symantec to StrategyOne. But does such firepower help to dig out the truth™?

StrategyOne – Evidence-based communications:

As the strategic research partner of Edelman, the world’s leading independent PR firm, our heritage is in communications research. We understand that useful research informs strategy that engages, persuades, and moves products, minds, and media alike.

As to the methodology of the report, which is by the way not available as a PDF:

• A list of questions asked is not attached.
• Definition of cybercrime I: Cybercrime is, among others, defined as: “Computer viruses or Malware appeared on my computer”. (Chapter 7) So a malware attachment in your inbox qualifies as a single incident of cybercrime. No indication about the percentage of such cybercrime incidents vs., say, credit card fraud.
• Definition of cybercrime II: Which kind of incidents have been reported as “another type of cybercrime on my computer”? What’s the percentage of this category?
• Calculation of costs I: No indication whether different price bases are used e.g. for the U.S. and countries with substantial lower price indices, i.e. India, China.
• Calculation of costs II: How are non-monetary incidents such as “malware or virus appeared on my computer”, “responding to a smishing message”, “approached by a sexual predator”, “Online Harassment” etc. are turned into monetary damages?

Can being exposed to such reports be subsumed under online harassment? We won’t have reliable, sound, unbiased figures on cybercrime and the costs associated with it until a major research endeavour with serious funding spanning institutes in different countries is set up.

Empirically, however, a systematic ‘map’ of the public domain is still missing. We do not know yet, what public domain phenomena have the strongest practical relevance for actors in different fields. (p. 21)

This paper tried to provide a survey of our current scholarly knowledge on these issues, which might function as a starting point for further, particularly empirical investigations of the public domain. (p. 23)

Starting to fill these gaps was presumably one of the motivations for this paper. There is decent empirical research going on in that field, but indeed, we lack a systematic survey. The characteristics of public domain can also be found in empirical phenomena other than public domain or commons. Peer production – kind of a sibling of the aforementioned – might serve as an example.

–

Noteworthy is the locus dissertatii of this paper, the “1st Berlin Symposium on Internet and Society“ hosted by Google’s German science proxy, the Internet & Society Institute at the Humboldt University Berlin, which is to be unleashed the day before.

★

Quantitative analysis of computer security incidents is a terrifically meticulous job. It’s so laborious that useful, reliable, scientifically secured information and knowledge hardly comes from studies done by some small security consultancies unless these studies are a spin-off of larger academic research endeavours. (Which is, of course, a not scientifically-based assumption, too. But anyhow.) If you want to have a look at a prime example of quantitative botnet analysis, download Hadi Asghari’s masterful Master thesis on “Botnet Mitigation and the Role of ISPs” finalised earlier this year. You need to go great length to secure your empirical findings, and the model of measuring botnet and spam activity of ISPs used in the thesis is currently top class. Another good example is a paper that my Delftian colleagues presented at a workshop at Harvard University in June: Van Eeten, M., Bauer, J., Asghari, H., Tabatabaie, S., & Rand, D. (2010). The role of internet service providers in botnet mitigation an empirical analysis based on spam data. (pdf)

When a researcher runs into a figure as peculiar as those eleven percent of global C&C servers allegedly being hosted by a single German ISP, you should start thinking seriously about your data sources, conceptual model and about interfering factors that might render your findings useless – or support it. Empirical findings need to be embedded in qualitative discourses – and vice versa – to be societally useful and help us understanding societal and technological complexities.

I asked Hadi whether he had some figures in his raw data set that could show how 1&1 actually performs botnet-wise compared to some other German ISPs. His data set isn’t quite designed for the task of building the numbers to answer which national ISP is best at anti-botnetting. But anyhow. I used the data to calculate a ratio of the number of unique spam sources over a year and the number of subscribers to the services of the network operator. Sounds like a reasonable approach to allow us comparing different ISPs, doesn’t it?

So, how is 1&1 doing in this playful number-crunching? Have a look at this chart, showing the ratio of unique sources of spam to subscriptions.

Doesn’t this, a day after you could read the headline that 1&1 was the top global botnet C&C server hoster, scream for another headline: “1&1 among the most botnet resilient ISPs worldwide”? That impression might, however, just as well be caused be a little error in organising or dealing with the data – or by using it for purposes it was not intended and originally used for. Hence, before you start blaming individual ISPs for allegedly being among the best or worst, consider the methodological complexities involved in building and interpreting statistical data. The literature mentioned above serves as a good showcase how this is done right.

—

Update: 30.10., 9:50: There were some misunderstandings on how to interpret the data listed above before. Hint: Certainly not as scientific, rigorously peer-reviewed findings suited to judge botnet-resilience on the level of ISPs. I used it to build the chart, which i used to build the main argument: be careful what you read into statistics and graphs.

It turned out that scripting rich formatted documents on the Mac is a bit more tricky that I would have preferred it. Anyhow, its done now. The purpose of the script is to turn a text document with in-text footnotes, in-text comments, distinct rich-text formatting for headings at distinct outline levels into a nicely formatted document, which uses in-built footnotes, comments, styles and ToC features.

For now, the script does the following:

• Space/new line doublets are replaced by single space/new line.
• Outline levels of all paragraphs are set to 0, which means: no more garbage in Word’s Document Map.
• Text with certain formatting is assigned to paragraph styles “Heading 3″, “Heading 2″ or “Heading 3″
• In-text comments, i.e. text like “[AN: this is an in-text comment]“, are replaced by Word’s colourful comment bubble
• In-text footnotes, i.e. text like “[FN: this is an in-text footnote]“, are replaced by a real footnotes
• A table of content is created at a position marked by a certain string.

Find the scripts for Word for Windows (VBA) and Word for Mac (AppleScript) and a test document attached (format document files.zip).

—

For those interested in too much technical background information: Scrivener’s RTF export is somewhat insufficient for academic writing (cf. discussions in their forum), Scrivener’s support for Multi Markdown is weak at exporting footnotes, comments and styles support. Pages (part of Apple iWork 09) has an insufficient API, which provides no access to footnotes and comments. Adobe InDesign CS4 likewise doesn’t provide APIs for comments, neither does Nisus Writer Pro. Microsoft killed VBA with Word 2008, but will be back later this year with Office for Mac 2011. So I considered reusing my 1990s VBA code by using Word 2003 on Windows, using Parallels. Turns out albeit that my aging, crash-happy Macbook doesn’t like running Parallels 5. So, back to the Mac and Word 2008 using Applescript. Turns out though – surprise, surprise – that APIs for Word for Mac slightly, but critically differ from Word for Windows.

Two intense days of workshopping at the Central European University produced a stunningly long list of open questions and – as Rummy would have called – things that we now know we don’t know. Things decision makers however should know before jumping to conclusions in the delicate area of internet security, surveillance, filtering and what else. One of the well-connected participants with intimate knowledge about cybersecurity circles estimated that some 90 percent of knowledge about cybersecurity had been developed by brains sitting in the Pentagon or it’s contractors offices. For the sake of societal values such as openness and transparence, time is ripe to look at internet security from a decisively different angle.

It speaks volumes about the state of European internet research, that roughly half the number of the workshop participants were flown in over the Atlantic. Necessarily so, as the workshop organisers pointed out, given the lack of European social scientist studying internet security governance especially in Eastern European countries.

Anyhow, it’s going to be very interesting to see where this thing is heading to once, if at all, the European Science Foundation will pour some drops out of its funding buckets onto this promising undertaking.

The disruptive nature of the internet has been acknowledged and can be experienced in a wide range of societal dimensions. It has changed and still is changing the ways we communicate, how businesses are organised, how people collaborate, how we produce, exchange and consume informational goods. The internet is making inroads in domestic and international communications. However, the impact of the internet on the core institutions of organising security and the institutional necessity for organising internet security is still nebulous.

Cybersecurity can be seen as the umbrella concept for technologically related problems that are institutionally and in terms of governance addressed in fundamentally different ways: disturbance of infrastructural performance, internet-based crime, warfare and terrorism. As to practical governance, any of these problems needs to be properly assessed, empirically evaluated and practically addressed with appropriate means and institutions.

This is where the problem starts: Empirical analysis seems to be insufficient in nearly all the aforementioned security dimensions. While everyone seems to agree on that cybercrime amounts to billions of damages, the numbers vary widely. Analysis are often funded and executed by persons or organisations with vested interests, problems occasionally exaggerated, hyped and securitised, numbers overblown, not set in context. Hence, the scale of internet security problems and their respective risks need to clarified.

Regarding institutions, we are currently witnessing the emergence of a state-driven internet security architectures as an attempt to deal with cybercrime-type internet security problems. Internet security policy seems to be more and more driven by actors that have always played a crucial role in nation states’ security politics: governments, states, international organisations, police forces, military and intelligence agencies. In a sense, national security institutions are reclaiming the state’s sovereignty to regulate whatever is within their territories. It is arguable whether this institutional approach will solve internet security problems such as phishing or botnets.

Ongoing debates in most Western countries on, e.g., web-filtering are framed by those in favour as a necessity to overcome a lack of enforceability of national criminal laws (sexual criminal law, property law, treason, other types of content regulation). The argument of non-enforceability is based on a) the lack of reach of national law enforcement agencies beyond their jurisdiction and territorial borders, b) the lack of cooperation of foreign national LEA, c) the agility of perpetrators to change their locus of action, technologies and tactics, d) slowness of legal international cooperation, e) unlawfulness of direct cooperation between national LEA and foreign non-states actors such as ISPs , f) non-cooperative stance of rogue countries. The question here is whether those national approaches are caused by a lack of institutional adaptivity on the side of national legislation, by entrenched interests of national security authorities and other societal interests or justified by the nature of the problems. The idea of evidence-based governance suggests that we should know the empirics of the scale of the problem and effects of regulation before regulation is proposed.

Currently, internet governance is characterised by institutional diversity, and likewise, internet security problems are addressed by different organisational and institutional forms. These differences can be found in criteria like the degree of state involvement in policy formulation, policy implementation or security operations, the degree of hierarchical forms of steering, the degree of information sharing, the kind of threats to internet security or the kind of objects of internet security dealt with by the governance form. The diversity of current modes of internet security governance and provisioning seems to be underexamined. The same holds true for the relationship between concurrent modes of governance/provisioning.

New technologies in general allow for reorganising existing organisational, political and production processes. With the rise of the internet, not only new types of security problems have evolved, but also new ways of organising tasks and processes on any societal level have become possible. We need to explore and assess new possibilities in security provisioning and their normative consequences.

The geopolitics of internet security governance and provisioning is another topic lacking thorough research. The role of the internet has played a stunningly minor role for IR theorists for quite a long time. The trend of nationalising regulatory capacities highlights the necessity to analyse and assess the internet as a strategic resource for national politics and foreign policy strategies. Likewise, the idea of networked internet politics and the role of private actors therein, their consequences on shared democratic political values and institutions requires more thorough examination.

My focus currently is on bottom-up processes to provide internet security, like task-forces and working groups that are set up in an ad-hoc manner to tackle with the lates security phenomenon. Academics, engineers, experts and geeks from all over the world collaborate to provide. The way in which they are addressing security problems resembles what could be called peer production of internet security. My interest is to learn to what extent this mode of security provisioning is used, the settings in which we can observe it and whether this mode is sustainable or not. And how this all relates to internet security and the overall structure of internet security in general.

The internet is a tool that already has fundamentally changed business processes and business models. It is too early to tell what its long-term impact on societies and politics will be. Debates about ‘freedom’ on the internet have been going on for a while, such as if and how the internet fosters freedom of expression, or how authoritarian internet governance approaches could suppress individuals’ rights. The practices of internet security provisioning will have decisive consequences for the shape of ‘freedom’ on the internet.