But that’s a bit like saying the cost of other crime includes all spending on the criminal and civil justice system, all spending on private security and surveillance by individuals and businesses, the entire salary of every cashier (since they wouldn’t be needed if people would just count up their own purchases and leave payment), and every time someone doesn’t do something because they don’t want to go out wandering by themselves at 3am. Not actually a useful metric for deciding where it’s worthwhile to increase or decrease resource allocations or to make regulatory decisions.
That sounds obviously correct and in fact a useful metric which is how you ought to be deciding how much to invest in policing: including the negative externalities and the nice high-trust-society things we could have if there was less crime. Why would you not include those?
In one sense, you’re right, it is obviously correct. *Iff* you can actually do the calculation well, honestly, and convincingly, that is.
In practice, it’s really hard to do that in a way that is consistent and principled. Most who try end up succumbing to various forms of motivated reasoning. And even when you do manage it, you have to make a lot of assumptions and extrapolations that get you really wide error bars, and a result that no one is going to believe unless they already want to believe your conclusion.
The other problem is you can’t assume the analysis still holds if any of all those assumptions change. Two people, each with credible proposals to reduce the risk and cost of cybercrime in that sense, they can both make similar cost and benefit claims, but clearly effects are not additive; your estimate defines a max not a sum. This is always strictly the case, but if you use a narrower analysis than you can often treat them as approximately independent. If you want to make real-world decisions, you should include a sensitivity analysis as well.
That sounds obviously correct and in fact a useful metric which is how you ought to be deciding how much to invest in policing: including the negative externalities and the nice high-trust-society things we could have if there was less crime. Why would you not include those?
In one sense, you’re right, it is obviously correct. *Iff* you can actually do the calculation well, honestly, and convincingly, that is.
In practice, it’s really hard to do that in a way that is consistent and principled. Most who try end up succumbing to various forms of motivated reasoning. And even when you do manage it, you have to make a lot of assumptions and extrapolations that get you really wide error bars, and a result that no one is going to believe unless they already want to believe your conclusion.
The other problem is you can’t assume the analysis still holds if any of all those assumptions change. Two people, each with credible proposals to reduce the risk and cost of cybercrime in that sense, they can both make similar cost and benefit claims, but clearly effects are not additive; your estimate defines a max not a sum. This is always strictly the case, but if you use a narrower analysis than you can often treat them as approximately independent. If you want to make real-world decisions, you should include a sensitivity analysis as well.