On Infosec and Drugs

Sunday, November 06, 2011

Javvad Malik


My recent video was a bit of a bodged job. I was away for the weekend and had no internet connection good enough to upload it on time.

Plus I was woefully ill-equipped to film in windy conditions, resulting in most of the video consisting of my lips moving to the sound of a lot of wind. Finally, I don’t think I got across the point that I was trying to make – so I’ll give it another go!

Symantec published their cybercrime report, which has some attention-grabbing headlines, such as “Cybercrime is bigger than the global black market in marijuana, cocaine and heroin combined ($288bn) and approaching the value of all global drug trafficking ($441bn).”

The problem with this is that it doesn’t mean anything at all. Why are these two items even being compared side by side, other than for cheap sensationalism?

Cost breakdown:

Let’s first look at their initial breakdown: cybercrime cost $388bn over the past year.

$274bn is attributed to victims’ own valuation of the time they lost to cybercrime. That’s more than two thirds of the overall cost resting on an arbitrary figure that someone has decided on. People are notoriously bad at estimating things like this.

But what it also says is that people are spending on average $2 worth of time to recover each dollar they lost to crime… someone should point this out to them: not only could they recoup their losses, but they would be in a better financial state than before.

The remaining $114bn is broken down into direct cash losses and money spent on resolving cyber attacks.

Note that this includes resolution costs, which means the amount actually stolen becomes a lot less. So the figures begin to look a lot less ‘shocking’ than one would initially believe.

To be fair, if the total cost of drug rehabilitation, the time impact on users’ families and friends, the career losses, drug-related crime, and the cost to countries of maintaining their anti-drug task forces were all added in, then it wouldn’t be surprising to see that the cost of drugs is far greater.

What is cybercrime?

The other thing the report fails to do is clearly define what cybercrime is. Reading through the report, it appears as if everything from someone giving away their credit card information to a stranger via email through to getting infected by a virus on their computer is scooped up into the big bucket of cybercrime.

In that case you may as well just go into any chat room and label everyone a cybercriminal, because they aren’t using their real name and have an avatar that’s not a true likeness of themselves.

A let down?

But the real disappointment in the report was that, after doing its best to build up such a grim picture, the conclusion was flat. It boiled down to: install Norton’s full security software suite. Which left a bad taste, because even if their suite works perfectly, it won’t defend against all cyber-attacks (whatever your definition may be).

Which is a shame, because it overshadows the good work and research that was done.

To summarise, if you do want to publish a report:

1. Avoid making overblown statements.

Of course it probably wouldn’t be read as much if the headline was “cybercrime worth more than Pakistan’s annual crop of sugar cane”. But try to find something relevant with which to make a comparison that puts the problem in the proper context. If you’re blogging in an informal way (like me) then you can probably get away with a lot more. A blogger could put a picture of Jessica Alba up and then proceed to write about IDS bypass techniques and it would be considered ok. But a corporate-issued report set in a formal tone needs to speak to its audience accordingly.

2. Define the problem

This may seem like a no-brainer, but if you’re talking about a particular issue, it would help if you set the ground rules. Define what you believe a term to mean and then remain consistent with it throughout. Otherwise the audience will apply their own definitions and then shake their heads in disagreement as they read through the report. Not too dissimilar to when I watched Top Gun, expecting it to be a macho, adrenaline-charged dog-fighting film with planes crashing and burning instead of a sappy male-bonding erotica.

3. Don’t turn it into a sales pitch

Picture this: you meet a girl at a party and things are going great. You’ve both got one thing on your mind. But very rarely does the conversation go, “Come back to mine and let’s bump uglies”. The girl would probably walk away, even if she was thinking the same. A far better tack is usually, “the view from my balcony is great” or “come check out my CD collection” or even “wanna see me paint my Dungeons and Dragons characters”.

The point is, when a reader picks up your report and reads it, they know that you wrote it not just to share information but also so that they can come to trust and respect you.

They are giving some of their time to read your report in exchange for information, entertainment or just a different perspective on things. By hard selling to them, you are effectively asking to bump uglies. Don’t be that guy.

Or maybe I’m wrong given the number of people that have quoted “cybercrime is worth more than drugs” recently.

Yeah, that was totally the point I was trying to convey in my video.

Cross-posted from J4vv4D

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.