There are problematic caveats to this list; its sampling and metrics are both somewhat suspect, which I’ll discuss below. But Norton does have access to a huge amount of data, and at the very least, this list is indicative of internet activity, if not legitimate risk.
Without further ado, the list:
- Washington, D.C.
- San Francisco
- Raleigh, N.C.
- Austin, Texas
- Portland, Ore.
Seattle was the clear champion, as the only city to place in the top ten of every single category. But Boston scored highly thanks to its record levels of spam, and our nation’s capital ranked third due to an extremely high level of Internet usage (the percentage of users who access the internet five or more times a day is nearly 40% higher than the national average there).
The most conspicuous absences on the list are any of the three American megacities: New York City, Los Angeles, and Chicago. Their failure to place (or success in not placing, really) is probably due to the problem of population: Many of the metrics used to measure cybercrime risk are directly related to wealth, and it’s much difficult to maintain a steady percentage of wealth in bigger cities. In fact, these ten cities are all relatively small, and relatively rich; the biggest is San Francisco, the 12th biggest (and 1st richest) city in the country. Minneapolis, ranked the 7th riskiest city, is only the 47th biggest, at well under 400,000 people, while Detroit, the nation’s poorest major city and also its 11th largest, ranked at the very bottom as the least risky city in the country.
Now for the problems.
1. While Norton’s sample is undeniably huge, it’s also undeniably homogeneous; it consists entirely of Norton users. Norton estimates that includes about a third of the total internet-using American populace, but a huge percentage of that third consists of either enterprise users (a group with similar internet habits) and inexperienced users (a group highly at risk of cybercrime).
2. It leaves out every single Mac and Linux user in the country. It’s a big sample, yes, but not a particularly representative one.
3. Norton weighs “expenditures on computer hardware and software” in their list–but I fail to see how someone with a $2,500 Mac Pro is more at risk than someone with a $250 Acer netbook. In fact, it seems likely that it’s the other way around–someone willing to spend lots money on a computer is more likely to have both the expertise and the incentive to defend themselves against cybercrime.
4. Many of the metrics simply measure “Internet usage (including time spent online, whether a user has a broadband connection, and wireless hotspots). There’s certainly a correlation between cybercrime and Internet usage, as it’s quite difficult to get a virus if you don’t own a computer, but it’s not a cause-effect relationship.
5. The study ignores the bell curve of Internet usage: The more you use a computer, the more likely it is that you can avoid cybercrime due to experience.
However, Norton’s cybersecurity experts assure me that the hard data on cybercrime (like number of attempted malware infections, spam, bot-infected computers, and cyber-attacks) are weighted much more heavily than those categories I suspect to be irrelevant, like the cost of a user’s computer. The study is better seen as simply a look at American Internet users who are also anti-virus software users–and some of the categories are extremely interesting. Who’d have thought that Boston would be a center for spam? Now you Bostonites know that it’s not your fault–it’s your city.