But that’s a bit like saying the cost of other crime includes all spending on the criminal and civil justice system, all spending on private security and surveillance by individuals and businesses, the entire salary of every cashier (since they wouldn’t be needed if people would just count up their own purchases and leave payment), and every time someone doesn’t do something because they don’t want to go out wandering by themselves at 3am. Not actually a useful metric for deciding where it’s worthwhile to increase or decrease resource allocations or to make regulatory decisions.
That sounds obviously correct and in fact a useful metric which is how you ought to be deciding how much to invest in policing: including the negative externalities and the nice high-trust-society things we could have if there was less crime. Why would you not include those?
But reducing crime by increasing policing won’t get you “nice high-trust-society things”! That’s almost cargo-cult behavior: the low crime is a symptom of the high trust.
At some point, you’re worldbuilding an alternate society (of dubious plausibility) instead of considering the practical effects of a particular policy. You would ignore comparisons to such a world when making policy decisions for the same reason you’d ignore Cato’s suggestion of razing Carthage: it’s not really related to the matter you’re considering.
In one sense, you’re right, it is obviously correct. *Iff* you can actually do the calculation well, honestly, and convincingly, that is.
In practice, it’s really hard to do that in a way that is consistent and principled. Most who try end up succumbing to various forms of motivated reasoning. And even when you do manage it, you have to make a lot of assumptions and extrapolations that get you really wide error bars, and a result that no one is going to believe unless they already want to believe your conclusion.
The other problem is you can’t assume the analysis still holds if any of all those assumptions change. Two people, each with credible proposals to reduce the risk and cost of cybercrime in that sense, they can both make similar cost and benefit claims, but clearly effects are not additive; your estimate defines a max not a sum. This is always strictly the case, but if you use a narrower analysis than you can often treat them as approximately independent. If you want to make real-world decisions, you should include a sensitivity analysis as well.
I’d also add that a high fraction of these costs won’t be increased if you improve cyber crime productivity (by e.g. 10%). As in, maybe a high fraction of the costs are due to the possiblity of very low effort cyber crime (analogous to the cashier case).
And Fabien’s original motivation was more closely related to this.
The point is that if the majority of the “cost of crime” is actually the cost of preventing potential crime, then it’s not obvious at all that more crime prevention will help.
Sure, sometimes it’s better to shift from private prevention (behavior change) to collective prevention (policing) at the margin, but not always.
That sounds obviously correct and in fact a useful metric which is how you ought to be deciding how much to invest in policing: including the negative externalities and the nice high-trust-society things we could have if there was less crime. Why would you not include those?
But reducing crime by increasing policing won’t get you “nice high-trust-society things”! That’s almost cargo-cult behavior: the low crime is a symptom of the high trust.
At some point, you’re worldbuilding an alternate society (of dubious plausibility) instead of considering the practical effects of a particular policy. You would ignore comparisons to such a world when making policy decisions for the same reason you’d ignore Cato’s suggestion of razing Carthage: it’s not really related to the matter you’re considering.
In one sense, you’re right, it is obviously correct. *Iff* you can actually do the calculation well, honestly, and convincingly, that is.
In practice, it’s really hard to do that in a way that is consistent and principled. Most who try end up succumbing to various forms of motivated reasoning. And even when you do manage it, you have to make a lot of assumptions and extrapolations that get you really wide error bars, and a result that no one is going to believe unless they already want to believe your conclusion.
The other problem is you can’t assume the analysis still holds if any of all those assumptions change. Two people, each with credible proposals to reduce the risk and cost of cybercrime in that sense, they can both make similar cost and benefit claims, but clearly effects are not additive; your estimate defines a max not a sum. This is always strictly the case, but if you use a narrower analysis than you can often treat them as approximately independent. If you want to make real-world decisions, you should include a sensitivity analysis as well.
I’d also add that a high fraction of these costs won’t be increased if you improve cyber crime productivity (by e.g. 10%). As in, maybe a high fraction of the costs are due to the possiblity of very low effort cyber crime (analogous to the cashier case).
And Fabien’s original motivation was more closely related to this.
The point is that if the majority of the “cost of crime” is actually the cost of preventing potential crime, then it’s not obvious at all that more crime prevention will help.
Sure, sometimes it’s better to shift from private prevention (behavior change) to collective prevention (policing) at the margin, but not always.