Computer security experts apparently are not statistics experts

By | May 23, 2009

In a recent issue of SANS NewsBites, the following item appeared as the headline story:


–One In Five Teenagers Claim to Have Used Hacking Tools (15th May 2009)

A recent survey of 4,000 teenagers between the ages of 15 to 18 years of age states that 17% of those surveyed know how to find hacking tools online with one third of that group admitting that they have used the tools….

In this little blurb, the editors of SANS make two statistical errors, one small and one very, very large.

Here’s the actual press release contents: “The survey also revealed that 17 percent of adolescent users claim to have advanced technical knowledge and are able to find hacking tools on the Internet. Of these, 30 percent claim to have used them on at least one occasion.”

The minor error is that 30% is less than one third. While a 3.33% difference might seem insignificant, it’s little “telephone-game” changes like this that over time result in seriously divergences from reality. Note that one of the articles which SANS cited used the phrase “nearly a third,” which is accurate, and SANS apparently saw fit to drop the “nearly.”

The second, much more serious error, is that the percentage of teenagers who admitted that they have used the tools is not “one in five,” but rather 30% of 17%, which comes out to 5%, or one in twenty, a huge difference from what SANS reported.

I emailed the editors of SANS the same day this issue came out, pointed out both errors, and asked them to post a correction. The next issue was published three days later with no correction included. This is rather unfortunate.

I find it just a bit disturbing that none of the editors of NewsBites, supposedly experts in the field, found the “one in five” statistic sufficiently surprising to dig deeper and discover the truth of the matter. I certainly did.

Print Friendly, PDF & Email

2 thoughts on “Computer security experts apparently are not statistics experts

  1. Wouter

    and that’s ignoring the fact that they defined ‘teenagers’ as ‘between 15 and 18 years old’. Last time I checked, being a teenager lasts longer than 3 years.

  2. ac

    Not surprisingly, the “telephone error” is much worse, when you look at both source articles (both of which cite different statistics)

    17% have knowledge (680 out of 4000)
    30% of the above group have *attempted* to use the tools (204, or 5.1%)
    66% of the above have *actually* used them (135, or 3.375%)
    and finally 20% have used information they gained maliciously.

    That’s 27 out of 4000, or .6%. I guess the alternate headline is not as exciting: “ZOMG, less than 1% of teens are likely to hack into your email and do malicious things with your info!”


Leave a Reply

Your email address will not be published. Required fields are marked *