One of the numbers often thrown about when discussing cyber crimes, Internet-based crimes, and the like, is "$1 trillion." This is most often cited by politicians in both Washington D.C. and Ottawa when promoting their "solutions" to the "cybercrime threat." Some of these solutions might be good ones, but in the main, they appear to be bumbling attempts to staunch a problem that the politicians don't really seem to understand nor have realistic expectations towards.

Another number often highlighted in these stumps is "$250 billion," referring to annual losses from intellectual property thefts. This number is another of the statistics trotted out when campaigning for the latest and greatest attempt to thwart online evildoers.

Where, exactly, do these numbers come from?

=== McAfee and Symantec

The $1 trillion statistics is courtesy of electronic security firm McAfee, famous for its popular consumer anti-virus software and related tools. The number was given in a 2009 report titled "Unsecured Economies: Protecting Vital Information" (www.cerias.purdue.edu/assets/pdf/mfe_uns...nl_online_012109.pdf) published in conjunction with Purdue University. Except the number never appears in the university's report, only in McAfee's press release announcing the report's findings. McAfee, when questioned by ProPublica.org about the number says it was an "extrapolation by the company, based on data from the report." Purdue researchers and contributors interviewed by ProPublica.org said they'd never seen the trillion dollar number until news stories about the report began to air.

As for the $250 billion number, that comes from McAfee's rival Symantec. That number appeared in a similar Symantec report, but was from un-cited sources and the company has never clarified where the $250B estimate actually comes from. So the only thing we have to back that number is faith that this company whose business it is to provide security against cyber theft is being truthful when they estimate how much cyber theft is happening. That's more than a little shaky.

=== The Real Cost?

So what's the real cost of cyber-based crimes (hacking, theft, security breaches, etc)? That's anyone's guess. Pinning down a real number would not be easy. Think of it this way: if your computer were hacked into right now and all of its information stolen, how much would that information be worth? Some things, like bank account information, you could probably put a realistic dollar figure on. But what about years of family photos? Old credit card information that's no longer valid? Access to your Facebook and other social networking accounts? Got a figure for those? Next, if the information is stolen but never used, was it really "theft" in the sense that there was no financial loss from its being copied?

Now consider those questions on a much larger, grander, and even more convoluted scale. If information from a large array of servers at IBM is stolen.. how much was it worth in dollars? Sensitive information from military contractors?

The reality is, the figures for actual losses could be much larger or much smaller than the $250B and $1T cited. Most likely, they're smaller. Information is stolen all the time. Someone overhearing you recite your Health Canada ID at a doctor's office is technically "stealing" your information since they are privy to something they should not be. If they don't use it, though, was there a loss?

Some additional facts provided by Edelman PR on behalf of Symantec:

"The $250 billion stat you mention below was for the cost of loss of intellectual property and was mentioned in the Symantec whitepaper: Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall. That statistic comes from the Gonzaga Law Review (Almeling, D., Snyder, D., Sapoznikow, M., McCollum, W. and Weader, J.(2010) “Statistical Analysis of Trade Secret Litigation in Federal Courts,” Gonzaga Law Review. No. 45.”).

The federal study was later cited in the State study, which was a follow-up study in 2011.

Gonzaga states in the federal study, “The theft of trade secrets is also big business, costing companies as much as $300 billion per year. [8]” and their citation further clarifies the figure:

[8]. Office of the Nat’l Counterintelligence Executive, Annual Report To Congress on Foreign Economic Collection and Industrial Espionage—2002 vii (2003), available at www.fas.org/irp/ops/ci/docs/2002.pdf. Other studies find different numbers, depending on the methodology used. Compare Am. Soc’y for Indus. Security/Pricewaterhouse Coopers, Trends in Proprietary Information Loss: Survey Report 25 (1999) (reporting $45 billion in costs due to theft of trade secrets), with Am. Soc’y for Indus. Security, Int’l, Trends in Intellectual Property Loss Survey Report 7 (1998) (reporting an estimated $50 billion in direct costs and $200 billion in indirect costs) and Robert S. Mueller, III, Director, Fed. Bureau of Investigation, Address at the Detroit Economic Club (Oct. 16, 2003), available at www.fbi.gov/news/speeches/protecting-the...omy-in-a-global-age/(“Theft of trade secrets and critical technologies—what we call economic espionage—costs our nation upwards of $250 billion a year.”); see also Mark E. A. Danielson, Economic Espionage: A Framework for a Workable Solution, 10 Minn. J. L. Sci. & Tech. 503, 504-15 (2009) (describing the various “damaging effects of economic espionage”).