Counting the cost of cybergeddon

Cyberliability witchdoctors cast the runes

Letter: Estimating the value of damage caused by viruses is a tricky business, as John Leyden pointed out in his article "Q: What's the AV industry's definition of happy?".

Suggestions that the skill involved is akin to checking the direction of the wind with a wetted finger met with some disagreement.

Here, in full, is a letter from mi2g, outlining why it is actually very, very skillful indeed. Judge for yourselves:

Dear Sir

We are concerned that the conclusions drawn in the Register column of 20th February, authored by John Leyden are misleading. While our global economic damage estimate for MyDoom is indeed significant, the assumption is often made by US critics such as Mr Rosenberger that it is US-focused, whereas in reality it is a global estimate. American critics provide World Trade Centre damage numbers or US Federal budget comparisons assuming that the whole world and the American economy are one and the same. This is simply not true.

We could equally argue that it is in the interest of certain software vendors, who pay for advertising on The Register, to downplay damages to the point that they are negligible so as to avoid any liability at all. MyDoom has affected over 215 countries, with the US accounting for damages of between $12.2bn and $15.0bn. Please note our country-specific resolution of the damage estimate below, showing the top 10 most affected countries:

1. USA - $12.2bn to $15.0bn;
2. UK - $10.3bn to $12.7bn;
3. France - $1.5bn to $1.9bn;
4. China - $1.4bn to $1.7bn;
5. Australia - $1.2bn to $1.5bn;
6. Canada - $1.1bn to $1.3bn;
7. South Korea - $0.9bn to $1.2bn;
8. Germany - $0.8bn to $0.9bn;
9. Italy - $0.7bn to $0.9bn; and
10. Spain - $0.6bn to $0.8bn.

As you know we have been estimating economic damages for hacker attacks, malware and digital risks for over five years and our records go back to 1995. We maintain the world's largest database for hacking and malware attacks. Our initial global estimates of MyDoom damage were small as you will have noticed and grew larger with every passing hour last week to touch the midpoint of $38.5bn at the start of February. In fact, contrary to popular belief, most malware never makes it to $1 million in economic damages during its lifetime.

Our cyberliability insurance work for Lloyd's of London syndicates - operating in business interruption, workers' compensation as well as property and liability - and major banks over the past seven years has been the inspiration behind modelling computer crime and its impact. We assess our conclusions against sampled evidence from private and publicly listed corporations; universities and schools; large and small government and non-government organisations; as well as home users that report online delays, congestion and email service disruption worldwide during a major malware epidemic, DDoS or hacker attack.

We are aware that loss adjusting and economic damage calculation is not an exact science at all but as a relative indicator it can work very well. We do feel that society consistently underestimates the reliance we have on computer networks and the level of damage that occurs on a global scale when disruptive events take place.

Our analysis is always based on reliable research and the judgement of experienced risk management and security professionals. If there is a prevailing opinion that somehow we can accomplish our objective in a superior way in the future, we welcome any clear and constructive presentation of how this could be achieved. Such feedback is naturally valuable to us and can be submitted through www.mi2g.net.

Yours sincerely

DK Matai
Executive Chairman, mi2g

Despite serious jet lag following his recent migration to and from California, our security vulture, John Leyden, argues:

It's incredibly hard to calculate the number of infected systems and the total damage caused during a virus outbreak, partly because costs will vary widely by company. If a company doesn't know itself how much a virus outbreak costs it then how can a third party expect to come up with an accurate figure?

Organisations like mi2g attempt to estimate the cost of patching systems and losses in worker productivity from dealing with a viral outbreak. But patching systems is a core part of the work of most sys admins. So how much extra time has actually been wasted? ®
