Shostack + Friends Blog Archive


Trouble with Surveying Cybercrime

In a comment yesterday, Chris Walsh said:

In any case, this should not be a difficult nut to crack, in principle. The US government conducts surveys of businesses all the time, and is capable of obtaining quality samples and high response rates in which academics justly have confidence.

In theory, I agree with Chris. In practice, businesses are very sensitive to the claim that they are insecure, and the potential media firestorm that disclosure can bring. This sensitivity is reflected in a fight to exempt security data from FOIA. The strange part about this fight was that trade secrets provided to the government were already exempt. Nevertheless, businesses fought and won. I expect that this DHS survey will end up as another political hot potato. I hope that the expanding hunger for good data to drive decision-making will win.