Symantec’s latest report on its beloved billion-dollar baby  29.9.11

431 million adults, $388 bn, marijuana, cocaine, heroin – cybercrime adds up to just an EFSF per year according to the folks at Symantec:

For the first time a Norton study calculates the cost of global cybercrime: $114 billion annually. Based on the value victims surveyed placed on time lost due to their cybercrime experiences, an additional $274 billion was lost. With 431 million adult victims globally in the past year and at an annual price of $388 billion globally based on financial losses and time lost, cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).

The research methodology:

Findings are extrapolations based upon results from a survey conducted in 24 countries among adults 18-64. The financial cost of cybercrime in the last year ($114bn) is calculated as follows: Victims over past 12 months (per country) x average financial cost of cybercrime (per country in US currency).

Between February 6, 2011 and March 14, 2011, StrategyOne conducted interviews with 19,636 people and included 12,704 adults, aged 18 and over 4,553 children aged 8-17 years and 2,379 grade 1-11 teachers from 24 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, New Zealand, Spain, Sweden, United Kingdom, United States, Belgium, Denmark, Holland, Hong Kong, Mexico, South Africa, Singapore, Poland, Switzerland, United Arab Emirates).

20,000 interviews – interviews, not surveys – sounds impressive. With an interview lasting some 15 minutes, that’s 300,000 minutes or 5000 hrs or 625 days with an 8hrs day. You’d need a team of some 15 persons making telephone interviews for two months. Doable, just a few hundred thousand bucks going from Symantec to StrategyOne. But does such firepower help to dig out the truth™?

StrategyOne – Evidence-based communications:

As the strategic research partner of Edelman, the world’s leading independent PR firm, our heritage is in communications research. We understand that useful research informs strategy that engages, persuades, and moves products, minds, and media alike.

As to the methodology of the report, which is by the way not available as a PDF:

  • A list of questions asked is not attached.
  • Definition of cybercrime I: Cybercrime is, among others, defined as: “Computer viruses or Malware appeared on my computer”. (Chapter 7) So a malware attachment in your inbox qualifies as a single incident of cybercrime. No indication about the percentage of such cybercrime incidents vs., say, credit card fraud.
  • Definition of cybercrime II: Which kind of incidents have been reported as “another type of cybercrime on my computer”? What’s the percentage of this category?
  • Calculation of costs I: No indication whether different price bases are used e.g. for the U.S. and countries with substantial lower price indices, i.e. India, China.
  • Calculation of costs II: How are non-monetary incidents such as “malware or virus appeared on my computer”, “responding to a smishing message”, “approached by a sexual predator”, “Online Harassment” etc. are turned into monetary damages?

Can being exposed to such reports be subsumed under online harassment? We won’t have reliable, sound, unbiased figures on cybercrime and the costs associated with it until a major research endeavour with serious funding spanning institutes in different countries is set up.


The Digital Public Domain: Relevance and Regulation  28.9.11

Brief, informative literature review by Leonhard Dobusch on public domain, its conceptualisation, political regulation, and societal relevance. One of Leonhard’s arguments is that we have no systematic model about the real-world phenomena that can be categorised as public domain:

Empirically, however, a systematic ‘map’ of the public domain is still missing. We do not know yet, what public domain phenomena have the strongest practical relevance for actors in different fields. (p. 21)

This paper tried to provide a survey of our current scholarly knowledge on these issues, which might function as a starting point for further, particularly empirical investigations of the public domain. (p. 23)

Starting to fill these gaps was presumably one of the motivations for this paper. There is decent empirical research going on in that field, but indeed, we lack a systematic survey. The characteristics of public domain can also be found in empirical phenomena other than public domain or commons. Peer production – kind of a sibling of the aforementioned – might serve as an example.

Noteworthy is the locus dissertatii of this paper, the “1st Berlin Symposium on Internet and Society” hosted by Google’s German science proxy, the Internet & Society Institute at the Humboldt University Berlin, which is to be unleashed the day before.

1&1, Gamballa, botnets, and quantitave internet security research  28.10.10

As mentioned the other day, security provider Gamballa released a study stating that some 11% of global botnet command&control servers were hosted by 1&1 Internet AG. Heise, presumably Germany’s most influential IT related news portal, brought the story, mostly citing the findings of the study. 1&1 was not amused about the journalistic performance. The flaws (de) in Gamballa’s study have been quickly uncovered by Thorsten Kraft of 1&1‘s Anti-Abuse team, which is closely linked to the consumer-focussed German Anti-Botnet advisory centre. Heise released another article explaining the flaws in the Gamballa report, and Gamballa has rightly taken its analysis down. The underlying lapse, according the reports linked above, was that Gamballa had allegedly added both ordinary, non-infected infrastructure servers and sinkhole and honeypot machines to the list of C&C server.


Script for turning messy texts into well-structured, -outlined and -formatted Word documents  16.6.10

Some interesting pieces of software have been developed in recent years that aim at replacing the venerable Word as an authoring tool for large and complex writing projects. On the Mac side, two humbly named applications, Ulysses and Scrivener, have most notably emerged as popular writing tools. While everything is nice and fine as long as you write, sharing your output and delivering well-structured (in a technical sense) and formatted documents is a bit cumbersome and usually requires dreary manual intervention. As I had written a script for Word for Windows back in my, well, teens that did just some of that things I until now had to do manually on the Mac, it should be fairly easy to update and extend that thing and write some code.



The emergence of internet security governance as a research field in social sciences  10.6.10

It’s finally happening. After an abysmally long time of politicians, military, and the security industry coming up with streams of innovative policy tangle in the name of internet security or cybersecurity, a critical mass of social scientists and research interested practitioners has teamed up to start deepening our knowledge of internet security and its governance. While Hungary was having difficult times by floods and economic turmoils, Budapest couldn’t have been a more lovely and welcoming place in the last couple of days.



Nagging questions in cybersecurity research  12.4.10

It doesn’t happen too often that you read about a conference or a workshop and think: Now, that was about time! Internet governance is about to undergo some fundamental changes, states are getting ever more involved, mostly for addressing internet security problems. A plethora of questions need to be resolved to deal with these problems with well designed institutions. And yet, as far as I can tell, there is no major research programme on internet security governance going on anywhere on this planet. Hence, the workshop “Europe And The Global Information Society Revisited: Developing A Network Of Scholars And Agenda For Social Science Research On ‘Cyber Security’” could not have been launched more timely.
The Center for Media and Communication Studies at the Central European University (Budapest, Hungary), in partnership with the Centre for Global Communications Studies at the Annenberg School of Communications (Philadelphia, USA) will convene 30 selected experts next week at CEU in Budapest for a Strategic Workshop sponsored by the European Science Foundation (ESF). As flattering as rather undeservedly, I will be on a panel discussing the relations between cybersecurity on the one hand and International Relations, governance and institutions on the other. Following, my take on some blind spots in internet security research from a social scientific perspective.


blog, research, interests  23.11.09

Security of the internet isn’t provided by a hierarchical, secretive and central organisation. There is no global internet police, and there is no internet defence corps. Internet security is the result of the collaboration of diverse types of actors such as internet service providers, technical experts, police and law enforcement, governments and academics. These actors make a dense, highly complex internet security governance network in which each type of actor is characterized by its own organisational idiosyncrasies while at the same time being part of the overall governance structure.

My focus currently is on bottom-up processes to provide internet security, like task-forces and working groups that are set up in an ad-hoc manner to tackle with the lates security phenomenon. Academics, engineers, experts and geeks from all over the world collaborate to provide. The way in which they are addressing security problems resembles what could be called peer production of internet security. My interest is to learn to what extent this mode of security provisioning is used, the settings in which we can observe it and whether this mode is sustainable or not. And how this all relates to internet security and the overall structure of internet security in general.

The internet is a tool that already has fundamentally changed business processes and business models. It is too early to tell what its long-term impact on societies and politics will be. Debates about ‘freedom’ on the internet have been going on for a while, such as if and how the internet fosters freedom of expression, or how authoritarian internet governance approaches could suppress individuals’ rights. The practices of internet security provisioning will have decisive consequences for the shape of ‘freedom’ on the internet.