Lies, damn lies and computer virus costs...
Steve Garfink, InDefense
Mary Landesman, Antivirus.about.com
Corporate stream: Thursday 30 Sept 2004, 11.50-12.30.
Question: How much did damages from computer viruses cost in 2003?
- $15 Billion
- $55 Billion
- $147 Million
- All of the Above
- None of the Above
Your time is up, and the answer is... Take your pick. All three figures were reported by different "expert"
organizations, so any one would be correct. If they are all correct, then "All of the Above" certainly works. Yet,
if they are all correct, how can they provide any meaningful value when the largest is hundreds of times greater than the
smallest? If someone told you the termite damage to your home is somewhere between $100 and $25,000, what would be the
use of such an estimate? "None of the Above" might be the best choice.
The naïve multitudes hear these numbers, dutifully reported in the main press, and shudder. The "knowledgeable"
read them and sneer at their range and sheer audacity. However, dismissing the topic out of hand because it has been
hijacked for hype does not improve understanding, and thereby management, of the risk: malicious code attacks are real and
they generate costs.
This paper will briefly review the context within which most virus and spam cost reports are generated, with a view to
establishing how these numbers are largely irrelevant. The focus of the paper is to identify those elements of virus cost
that are relevant to the targets of virus attack: what is the likelihood of exposure, what (not "how much") are the costs
and how are they incurred? Examining these questions from the viewpoint of the virus target can provide a useful
framework for evaluating cost-effective steps for mitigating the threat of malicious code attack; this can optimize the
ability of the virus target to manage costs for a true pay-off.