On Halloween, it seems especially timely to focus on a risk topic that has been described as “frightening,” even “terrifying”: cybercrime statistics. On October 18, the United Kingdom Office for National Statistics (ONS) released the latest estimates from the Crime Survey for England and Wales (CSEW) on fraud and computer misuse, as well as referrals of potential offenses to the City of London Police’s National Fraud Intelligence Bureau (NFIB) by Action Fraud, the United Kingdom’s public-facing national fraud and cybercrime reporting center.
The ONS’s summary bulletin summarized the cybercrime data as follows:
- “In the year ending June 2018, the CSEW estimated that offences involving computer misuse showed a 30% decrease from the previous year (down to 1.1 million offences . . . ). This decrease was largely owing to a fall in ‘computer viruses’ (down 43% to 606,000 offences).”
- “Incidents involving ‘unauthorised access to personal information (including hacking)’ (515,000 offences) did not show a significant change from the previous year.”
- “All ‘computer misuse crime’ referred to the NFIB by Action Fraud increased by 4% in the latest year (up to 21,947 offences). This rise was less pronounced than that seen in year ending June 2017, due in part to a notable decrease of 24% for the latest year in computer viruses (down to 6,260 offences).”
- “This fall in computer viruses is consistent with the latest CSEW fall in this type of crime. It follows a previous substantial rise where a high number of such offences were reported to Action Fraud in the first part of 2017.”
- “The overall rise in computer misuse recorded by Action Fraud was driven by an increase in ‘hacking – social media and email’ over the last year (up 42% to 8,834 offences). This is thought to reflect an increasing awareness of social media scams among the public, leading to a greater likelihood of incidents being reported.”
Because the CSEW computer-misuse survey questions date only from October 2015, the ONS cautioned that it has only two data points from which to draw conclusions. It stated, however, that the CSEW “provides the best indication of the volume of computer misuse offences,” as Action Fraud data on computer misuse “represent only a small fraction of all computer misuse crime” since many incidents are not reported.
Note: The most substantial problem with this ONS cybercrime reporting is the ONS’s characterizations of those data. While survey data – assuming the survey methodology is sound – can have value in measuring the incidences (and changes in those incidences) of behavior over time, users of such data must take care to refrain from inferring that survey responses necessarily reflect the actual incidences of behavior in the whole population under consideration.
In this case, the ONS stated, without qualification, its “estimate” that computer-misuse offenses – to be clear, not reports of such offenses, but the actual offenses – “showed a 30% decrease” from the prior reporting period. Nothing in the CSEW’s explanation of its methodology explains the basis for the ONS’s “estimate” regarding the actual number of computer-misuse offenses. For the other cybercrime categories, the ONS did not even characterize its statements as estimates of the incidence of those cybercrimes, but stated categorically that “unauthorized-access” offenses (as opposed to the survey-measured incidence of such offenses) “did not show a significant decrease” and referred to the “fall in computer viruses” (as opposed to the fall in computer-virus reports). These categorical statements by the ONS immediately prompted some critical comments in computer-related media.
A second concern is the limited options for response to the CSEW’s cybercrime questions. The current survey asks about only two categories of computer misuse: “Computer virus” and “Unauthorised access to personal information (including hacking).” The problem is that these categories are not mutually exclusive. Viruses are just one type of exploit that hackers have long used to obtain unauthorized access to computers and networks and to acquire personally identifying information. Moreover, as indicated in a recent Computer Business Review article, survey respondents who lack sophisticated understanding of hacking and current exploits may not understand the differences between various cybercrime-related terms such as “hacking,” “exploit kits,” and viruses, and may not even know that their computers have been subject to cyberattacks and compromises.
A third concern is the limited population to which the CSEW cybercrime survey questions are directed. The ONS, to its credit, acknowledges in its bulletin that “[w]hile questions on computer misuse in the CSEW provide fuller coverage of computer misuse crimes against the household population, they do not generally include offences committed against businesses and other organisations.” Nonetheless, that is a significant gap in the survey’s coverage. A recent report by Malwarebytes, for example, found, according to TechTarget, that total business threat detections were trending upward by 55 percent, while consumer detections increased by only 4 percent quarter over quarter, and that attacks in the third quarter of 2018 “were targeting businesses in full force through exploit kits, ransomware and banking Trojans alike.”
The ONS deserves support for seeking to compile and disseminate national statistics on cybercrime trends. It needs, however, to refine its methodology to capture more meaningful data about cyberattacks directed at businesses, to revise its questions to compile more data about distinct categories of cybercrime that a lay survey respondent can understand, and – above all – to characterize its survey and referral data accurately and refrain from inferring actual incidences of cybercrime from those data. In the meantime, compliance and information-security officers should treat these ONS data with circumspection – though hardly with terror.