The cost of phishing

Late last year, Consumer Reports determined by survey that one in 81 Americans got phished in 2007. The average phishing victim lost $200.

What does this mean for you?

People who assess risk often talk about “expected costs”, which they calculate by multiplying the probability of an event by its cost. The expected cost, then, of getting phished in a given year is (1/81) × $200 ≈ $2.50.

How can we make sense of the $2.50 figure? One way to think about it is this: it is the amount you would have to pay an insurance company each year for them to be willing to pay out your losses to phishing, should they occur. If the insurance company covered all Americans at this rate, they would break even on their costs.

Seen this way, the threat of phishing isn’t that great. The danger of identity theft when phishers get your bank account information is perhaps greater, but the actual monetary loss, at least on average, is minimal.

3 Comments

  1. Comment by Tom — 23 March 2008 @ 9:11 am

    Although I admittedly don’t know Consumer Reports’ methodology, I kind of question their numbers.

    For instance, they say that in terms of cost-per-incident, spam doesn’t have a cost (that cost-per-incident is non-applicable). I would disagree. There is a cost, an opportunity cost, in dealing with spam: lost wages and lost recreation time. This cost quickly aggregates as you take into account the volume of spam most people deal with.

    Taking this a step further, for all 4 of the groups mentioned, preventative costs should be a fairly substantial chunk of their overall cost. Economically rational agents should be willing to pay up to the marginal benefits of avoiding harm to avoid the cost of harm. I mean, consider the aggregate amount spent developing spam filters, anti-virus programs, etc, then the time installing those programs, keeping them up-to-date, etc.

    I also wonder about whether people report the truth in these numbers. Companies might underplay the costs of dealing with malware, whereas angry individuals might embellish the cost.

  2. Comment by Ian Saxon — 23 March 2008 @ 10:06 am

    From what I gathered in the written portion of their report, CR didn’t think spam was costless – they recognized that there is a cost, but admitted they couldn’t measure it.

    Your point about the cost of maintaining a secure system is a good one. It is certainly expensive in terms of time, effort, and money. Each of us has to do our own calculation of the costs and benefits of these measures, something I’ve written about before.

    I have my own doubts about CR’s numbers, but they run in the opposite direction. I wonder if individuals downplayed the costs of virus infection. For example, a 1 in 5 chance of losing $100 to a virus problem means people shouldn’t spend more than $20 worth of money, time, and effort combating viruses. If that’s true, those who spend $40 (the current price of Norton Anti-virus) on anti-virus software are making a big mistake, since they’re spending double the expected cost of virus infection before they even install the software.

    There is another explanation, however. When asked in a survey, perhaps individuals underreported the incidence or cost of virus troubles. But when they had to put their money where their mouth is, they declared that virus problems are at least as costly as $40. Add in the cost of the time and effort required for installation and maintenance, and we have a clue that individuals think viruses are considerably costlier than $40.

  3. Comment by Tom — 23 March 2008 @ 12:12 pm

    Yeah, I’d definitely take the revealed preference of the pricing information over survey data. The more I read, the more I have learned to completely disregard anything coming from surveys.

    I don’t have access to the written portion, but that sounds reasonable on Consumer Reports’ part. I’ve seen estimates on the cost of spam, but, as you suggest, those numbers rely on pretty subjective opinions and are not necessarily trustworthy.
