Scary Stats Don't Spook Netizens

No matter how much bad stuff happens on the Internet, we can't scare away the punters...

Despite mounting risks on an information superhighway jammed up with malware, 419 scams, phishing and credit card fraud, the number of 'net users is still growing rapidly.

All the way back in 1998, America's National Institute of Standards and Technology (NIST) categorised and analysed 237 computer attacks. The results of that analysis revealed such pearls as:

  • 3 percent of the attacks enabled web sites to attack site visitors
  • 4 percent of attacks scan the Internet for vulnerable hosts
  • 5 percent of attacks are effective against routers and firewalls

These figures tell us that surfing the internet, even back in 1998, was not a risk-free activity.

But today, the numbers are out of control.

Recently the Pentagon confirmed 360 million attempts to penetrate its networks throughout 2008.

Sure, a lot of that is probably malware background noise, but a million intrusion attempts a day is noteworthy, regardless of whether they're automated or not.

The CERT Coordination Centre at Carnegie Mellon says catalogued vulnerabilities have increased from 171 in 1995 to 7236 in 2007, and to me even that sounds like the tip of the iceberg.

It doesn't stop there. The Anti-Phishing Working Group tells us the number of websites infecting PCs with password-stealing 'crimeware' reached an all-time high of 31,173 in December 2008. This was an 827 percent increase from January 2008, and again, probably a conservative, tip-of-the-iceberg estimate.

Things have changed a bit since the first ever Australian phishing investigation. In April 2003 we were notified of the existence of a dodgy-looking Commonwealth Bank website. It seemed pretty interesting at the time, but today authorities hardly clamour to get involved in phishing investigations. The crime is too common and too hard to investigate.

Along the way there have been numerous vendor, CERT, academic and government-inspired surveys and reports, which all point to one thing: increased risk.

But what has all this doom and gloom resulted in? The OECD reports that from 2000 to 2007 there was a 256 percent global increase in the use of the Internet, with take-up now standing at 20 percent of the world's population (or 58 percent penetration for OECD member states).

Facebook (in operation since 2004) has 200 million active users with 100 million of these people logging in at least once a day.

The threats just aren't scaring away users.

So why do we need all these numbers?

Alas, statistics are the only true way to analyse effectiveness and compare results. As a forecaster I would say (from summarising this collection of data) that threats will continue to increase, but so will the number of Internet users. It's somewhat counterintuitive, but there you go.

As a global economy, and more importantly as a global industry, we do need to record and analyse these statistics related to IT security. But the more interesting line of inquiry is what you do with such alarming numbers when the average internet user just doesn't seem to care about escalating risks.

Nigel Phair was the Team Leader of Investigations for the Australian High Tech Crime Centre from 2003 to 2007 and the author of Cybercrime: The Reality of the Threat. He is an active cyber crime analyst.