Fighting malware and spam

Lies, damn lies and computer virus costs...

Steve Garfink InDefense
Mary Landesman Antivirus.about.com

Question: How much did damages from computer viruses cost in 2003?

• $15 Billion
• $55 Billion
• $147 Million
• All of the Above
• None of the Above

Your time is up, and the answer is... Take your pick. All three figures were reported by different "expert" organizations, so any one would be correct. If they are all correct, then "All of the Above" certainly works. Yet, if they are all correct, how can they provide any meaningful value when the largest is hundreds of times greater than the smallest? If someone told you the termite damage to your home is somewhere between $100 and $25,000, what would be the use of such an estimate? "None of the Above" might be the best choice.

The naïve multitudes hear these numbers, dutifully reported in the main press, and shudder. The "knowledgeable" read them and sneer at their range and sheer audacity. However, dismissing the topic out-of-hand because it has been hijacked for hype does not improve understanding, and thereby management, of the risk: malicious code attacks are real and they generate costs.

This paper will briefly review the context within which most virus and spam cost reports are generated, with a view to establishing how these numbers are largely irrelevant. The focus of the paper is to identify those elements of virus cost that are relevant to the targets of virus attack: what is the likelihood of exposure, what (not "how much") are the costs and how are they incurred? Examining these questions from the viewpoint of the virus target can provide a useful framework for evaluating cost-effective steps for mitigating the threat of malicious code attack; this can optimize the ability of the virus target to manage costs for a true pay-off.