In addition, industry reports are not subject to the kind of peer review that is done for academic and professional journals.
But experts are also willing to cut the companies some slack, for a couple of reasons. First, it is very difficult to estimate such things. Sometimes, companies don't even know they have been attacked. Many times, when they find out, they don't want to talk about it, lest they damage their brand. And sometimes it is difficult to know how much actual damage has occurred.
"I don't beat them up for it," said Jason Healey, of the Atlantic Council and a former White House and Goldman Sachs security official. "Experts have long had trouble agreeing on estimates that are within even two orders of magnitude of each other."
Healey said the damage estimates of the first large-scale cyber incident, the Morris worm of 1988, "ranged from $200 to more than $53,000 per installation, while the most widely cited estimate of the total damage ranged from $100,000 to $10 million: two full orders of magnitude. And that was 24 years ago."
Gary McGraw, CTO of Cigital, said he suspects McAfee "followed protocol [in its report] up to the end, where they did some crazy math -- I think control got turned over to the marketing guys."
But he admits, "I've cited that [$1 trillion] number in my own work. I was writing a piece about cyberwar for a think tank. I was trying to make a point about cybercrime being worse than cyberwar -- which the risks of cyberwar were exaggerated, and cybercrime was worse. How's that for irony?"
There are other reasons that estimates are difficult. In a recent paper called "Measuring the Cost of Cyber Crime," done for the UK Ministry of Defense, the authors listed a chart that suggested the annual cost of worldwide cybercrime was about $225 billion -- less than 25% of the McAfee estimate.
But the authors included a host of caveats, including: "There are over 100 different sources of data on cybercrime, yet the available statistics are still insufficient and fragmented; they suffer from under- and over-reporting, depending on who collected them, and the errors may be both intentional (e.g., vendors and security agencies playing up threats) and unintentional (e.g., response effects or sampling bias)."
They also note that there are differences between direct and indirect costs. Indeed, the group even refuses to add up its own figures to report a total, noting that, "many of these are extremely rough estimates -- we believe it is entirely misleading to provide totals lest they be quoted out of context, without all the caveats and cautions that we have provided."