Counting the cost of cybergeddon

Cyberliability witchdoctors cast the runes

Letter: Estimating the value of damage caused by viruses is a tricky business, as John Leyden pointed out in his article "Q: What's the AV industry's definition of happy?".

Suggestions that the skill involved is akin to checking the direction of the wind with a wetted finger met with some disagreement.

Here, in full, is a letter from mi2g, outlining why it is actually very, very skillful indeed. Judge for yourselves:

Dear Sir

We are concerned that the conclusions drawn in the Register column of 20th February, authored by John Leyden are misleading. While our global economic damage estimate for MyDoom is indeed significant, the assumption is often made by US critics such as Mr Rosenberger that it is US-focused, whereas in reality it is a global estimate. American critics provide World Trade Centre damage numbers or US Federal budget comparisons assuming that the whole world and the American economy are one and the same. This is simply not true.

We could equally argue that it is in the interest of certain software vendors, who pay for advertising on The Register, to downplay damages to the point that they are negligible so as to avoid any liability at all. MyDoom has affected over 215 countries, with the US accounting for damages of between $12.2bn and $15.0bn. Please note our country-specific resolution of the damage estimate below, showing the top 10 most affected countries:

1. USA - $12.2bn to $15.0bn;
2. UK - $10.3bn to $12.7bn;
3. France - $1.5bn to $1.9bn;
4. China - $1.4bn to $1.7bn;
5. Australia - $1.2bn to $1.5bn;
6. Canada - $1.1bn to $1.3bn;
7. South Korea - $0.9bn to $1.2bn;
8. Germany - $0.8bn to $0.9bn;
9. Italy - $0.7bn to $0.9bn; and
10. Spain - $0.6bn to $0.8bn.

As you know we have been estimating economic damages for hacker attacks, malware and digital risks for over five years and our records go back to 1995. We maintain the world's largest database for hacking and malware attacks. Our initial global estimates of MyDoom damage were small as you will have noticed and grew larger with every passing hour last week to touch the midpoint of $38.5bn at the start of February. In fact, contrary to popular belief, most malware never makes it to $1 million in economic damages during its lifetime.

Our cyberliability insurance work for Lloyd's of London syndicates - operating in business interruption, workers' compensation as well as property and liability - and major banks over the past seven years has been the inspiration behind modelling computer crime and its impact. We assess our conclusions against sampled evidence from private and publicly listed corporations; universities and schools; large and small government and non-government organisations; as well as home users that report online delays, congestion and email service disruption worldwide during a major malware epidemic, DDoS or hacker attack.

We are aware that loss adjusting and economic damage calculation is not an exact science at all but as a relative indicator it can work very well. We do feel that society consistently underestimates the reliance we have on computer networks and the level of damage that occurs on a global scale when disruptive events take place.

Our analysis is always based on reliable research and the judgement of experienced risk management and security professionals. If there is a prevailing opinion that somehow we can accomplish our objective in a superior way in the future, we welcome any clear and constructive presentation of how this could be achieved. Such feedback is naturally valuable to us and can be submitted through www.mi2g.net.

Yours sincerely

DK Matai
Executive Chairman, mi2g

Despite serious jet lag following his recent migration to and from California, our security vulture, John Leyden, argues:

It's incredibly hard to calculate the number of infected systems and the total damage caused during a virus outbreak, partly because costs will vary widely by company. If a company doesn't know itself how much a virus outbreak costs it then how can a third party expect to come up with an accurate figure?

Organisations like mi2g attempt to estimate the cost of patching systems and losses in worker productivity from dealing with a viral outbreak. But patching systems is a core part of the work of most sys admins. So how much extra time has actually been wasted? ®
