In one sense, you’re right, it is obviously correct. *Iff* you can actually do the calculation well, honestly, and convincingly, that is.
In practice, it’s really hard to do that in a way that is consistent and principled. Most who try end up succumbing to various forms of motivated reasoning. And even when you do manage it, you have to make a lot of assumptions and extrapolations that get you really wide error bars, and a result that no one is going to believe unless they already want to believe your conclusion.
The other problem is you can’t assume the analysis still holds if any of all those assumptions change. Two people, each with credible proposals to reduce the risk and cost of cybercrime in that sense, they can both make similar cost and benefit claims, but clearly effects are not additive; your estimate defines a max not a sum. This is always strictly the case, but if you use a narrower analysis then you can often treat them as approximately independent. If you want to make real-world decisions, you should include a sensitivity analysis as well.
I’d also add that a high fraction of these costs won’t be increased if you improve cyber crime productivity (by e.g. 10%). As in, maybe a high fraction of the costs are due to the possibility of very low effort cyber crime (analogous to the cashier case).
And Fabien’s original motivation was more closely related to this.