Feeds

Lies, damned lies and anti-virus statistics

$13.2bn eaten by viruses

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

Computer Economics has published its assessment of the damage worldwide caused by malicious code attacks in 2001 - the figure comes in at a whopping $13.2 billion.

This is 23 per cent less than 2000, the year of the Love Bug, when damages from viruses were estimated at $17.1bn. In 1999 the cost to the world was $12.1 billion in 1999, Computer Economics says.

The research firm has totted up the damage wreaked by viruses each year since 1995, But the results are controversial.

Critics in the antivirus industry dismiss Computer Economics assessment of the damage caused by the combined effects of Nimda ($635 million), Code Red variants ($2.62 billion), SirCam ($1.15 billion) et al last year as a "guesstimate".

They argue that it's hard to calculate the number of infected systems and the total damage caused during a virus outbreak, partly because costs will vary widely by company. Patching systems is, after all, a core part of the work of most sysadmins.

Michael Erbschloe, vice president of research at Computer Economics, angrily rejected criticisms of its methodology and said its work helped firms decide how to defend against viruses.

Erbschloe said Computer Economics does "everything we can to get an accurate number and great lengths to determine what the hit rate is". The $13.2 billion figure on the cost of infections in 2001 is "not an audit" but it is "accurate", although Erbschloe declined to say just how accurate it was.

Methodology

Computer Economics' methodology involves first conferring with anti-virus companies, governments, law enforcement and major firms, Erbschloe told us. It then tries to work out how many people received a virus and from that calculates how many were infected. From this, Computer Economics estimates the cost of patching systems and losses in worker productivity from dealing with a viral outbreak, based on benchmarking the cost of cleaning a computer of a virus.

One of the problems of this approach, explains Alex Shipp, chief antivirus technologist at managed services firm MessageLabs, is that "users are unable to estimate the damage a virus outbreak might cause their own company ... so how does a third party get a figure?"

Graham Cluley, senior technology consultant at Sophos Anti-Virus, described Computer Economics figures as a "guesstimate", supported by insufficient data.

"Most companies simply don't know how much a virus cost them," he said. "As well as lost productivity, viruses can also cost money through damaged credibility, effects on customer relations and attacks on confidentiality which is hard to estimate."

MessageLabs and Sophos say that Computer Economics has never contacted them about statistics on infections.

Even if a vendor tracks the percentage of infected emails it blocks (as MessageLabs does), or consumer PCs scanned which are infected (as McAfee does), it is very difficult to place a dollar figure on such data.

Erbschloe said he didn't care what Sophos or MessageLabs thought. He said AV vendors quote Computer Economics figures but disagree when an estimate is either higher or lower than suits them.

"Some of them are full of shit," Erbschloe told us, before calming down to say, "our figures help end-users decide how much to spend on antivirus".

Assessing the cost of virus infections isn't like counting server sales, and whoever you sympathise with here, it would be wise to take any figures with a grain of salt and to remember the AV industry has struggled with metrics for years. ®

External links

Computer Economics: Economic Impact of Malicious Code Attacks
versus
Hysteria roll call: Computer Economics, Inc.

Related stories

Code Red hysteria - $8.7bn in damage estimated
A plague on all our networks

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.