« CAPTCHA Right Back Atcha | Main | More Worthless Stats »

March 09, 2008

Maybe I'm just cranky this week, but a lot of journalistic bytes were occupied by reports of studies regarding malware infections in business computers and consumer identity theft. The data points provided in the results were, to my mind, essentially worthless because they revealed only the most easily tabulated information while offering no answers to the real questions that should be asked.

Allow me to look at two in particular.

Exhibit A came from eWeek Mid-Market in the form of results of a survey about malware infections in small- and medium-sized businesses—acronym: SMBs. The article is titled "Survey: SMBs Plagued by Spyware," offering analysis of results of a Computing Technology Industry Association (CTIA) survey. One of the conclusions of the survey is that malware infections cost a typical 50-person shop $8,239 per year in lost productivity.

Taking someone's pulse is easy. That's what this survey did. Understanding why the pulse measured as it did is far more difficult—and far more interesting if you want to get to the bottom of the problem. And that's what I want to know about the malware infections covered in the survey. They exist, sure, but how did they occur in the first place? That, to me, is the real question that needs answering. Did the infections come from weaknesses in the business' IT infrastructure? Did they come from virus-laden email messages passing through the corporate email system? Did they come from automatic downloaders at malicious web sites; and if so, were the sites visited as the result of spam email or compromised legitimate sites? Did they come from email messages opened at work by employees accessing their home email accounts?

I mean the questions are endless. And unasked.

Exhibit B came from a prestigious academic institution: Berkeley Center for Law and Technology. Titled Measuring Identity Theft at Top Banks, this study attempted to take a different type of pulse reading on "the relative incidence of identity theft at major financial institutions." Banks and other commercial entities weren't about to cough up data on customers getting screwed, so the author used the Freedom of Information Act to obtain Federal Trade Commission consumer complaint data from three different months of 2006. There were certainly a lot of data points: over 46,000 complaints that identified an institution.

Now, "identity theft" has a number of guises, as the study readily admits. The study was not able, for instance, to tell if a particular identity theft report was the result of a new account having been opened fraudulently or an existing account having been hijacked. Nor was any distinction drawn between theft with or without an online component. The study appeared to be more interested in the institution names supplied in the complaint form.

The tabulated findings were both predictable and troubling. Predictably, big-name banks that issue credit and debit cards rate high among reported incidents. Troublingly, telecommunications companies (e.g., AT&T, Sprint/Nextel, Verizon) were also among the most-reported.

(What are all these telecom companies doing in identity theft reports to the FTC? I think that finding, in itself, deserves investigation to find out exactly what consumers are reporting. Let's face it, you've got to be pretty pissed off to bother filling out the FTC complaint form. What's happening to all of these pissed-off consumers?)

My issue with the entire study comes from what I believe is a faulty premise stated in the paper's conclusion section:

In order for the market to effectively address the ongoing identity theft epidemic, consumers need reliable information about incidence of the crime among institutions. If data were available on this crime, consumers could choose safer institutions, regulators could focus attention on problem actors, and businesses themselves could compete to protect consumers from this crime.

As with Exhibit A, this paper fails to address the issue of how identity theft occurs at the institutions it has identified. To blame one institution as being inherently less secure than another based solely on the number of theft incident reports just doesn't seem right to me. I have a hard time blaming a financial institution whose customers are phished to death because of the Willie Sutton Rule. If, despite warnings on the bank's web site, a customer falls prey to a clever phisher, that customer has given away the keys to the account. How can anyone blame the bank for believing someone with your full credentials isn't you? If you gave a house key to a tradesman, and he robs you six months later, are you going to file a complaint or law suit against the maker of the door lock?

These two exhibits are simply emblematic of the tons o' surveys and studies about malicious online activity that don't connect the dots. Where there is a successful online crook, there is at least one victim. My inbox and trash pile tell me that email connects those two dots on a consistent basis. That's why I believe the it's vital to arm all email users with the knowledge to identify and ignore every crook that seeps through the technological cracks.