Original URL: http://www.theregister.co.uk/2004/02/27/counting_the_cost_of_cybergeddon/

Counting the cost of cybergeddon

Cyberliability witchdoctors cast the runes

By Lucy Sherriff

Posted in Letters, 27th February 2004 18:17 GMT

Letter Estimating the value of damage caused by viruses is a tricky business, as John Leyden pointed out in his article Q: What's the AV industry's definition of happy?.

Suggestions that the skill involved is akin to checking the direction of the wind with a wetted finger met with some disagreement.

Here, in full, is a letter from mi2g, outlining why it is actually very, very skillful indeed. Judge for yourselves:

Dear Sir

We are concerned that the conclusions drawn in the Register column of 20th February, authored by John Leyden are misleading. While our global economic damage estimate for MyDoom is indeed significant, the assumption is often made by US critics such as Mr Rosenberger that it is US-focused, whereas in reality it is a global estimate. American critics provide World Trade Centre damage numbers or US Federal budget comparisons assuming that the whole world and the American economy are one and the same. This is simply not true.

We could equally argue that it is in the interest of certain software vendors, who pay for advertising on The Register, to downplay damages to the point that they are negligible so as to avoid any liability at all. MyDoom has affected over 215 countries, with the US accounting for damages of between $12.2bn and $15.0bn. Please note our country-specific resolution of the damage estimate below, showing the top 10 most affected countries:

1. USA - $12.2bn to $15.0bn;
2. UK - $10.3bn to $12.7bn;
3. France - $1.5bn to $1.9bn;
4. China - $1.4bn to $1.7bn;
5. Australia - $1.2bn to $1.5bn;
6. Canada - $1.1bn to $1.3bn;
7. South Korea - $0.9bn to $1.2bn;
8. Germany - $0.8bn to $0.9bn;
9. Italy - $0.7bn to $0.9bn; and
10. Spain - $0.6bn to $0.8bn.

As you know we have been estimating economic damages for hacker attacks, malware and digital risks for over five years and our records go back to 1995. We maintain the world's largest database for hacking and malware attacks. Our initial global estimates of MyDoom damage were small as you will have noticed and grew larger with every passing hour last week to touch the midpoint of $38.5bn at the start of February. In fact, contrary to popular belief, most malware never makes it to $1 million in economic damages during its lifetime.

Our cyberliability insurance work for Lloyd's of London syndicates - operating in business interruption, workers' compensation as well as property and liability - and major banks over the past seven years has been the inspiration behind modelling computer crime and its impact. We assess our conclusions against sampled evidence from private and publicly listed corporations; universities and schools; large and small government and non-government organisations; as well as home users that report online delays, congestion and email service disruption worldwide during a major malware epidemic, DDoS or hacker attack.

We are aware that loss adjusting and economic damage calculation is not an exact science at all but as a relative indicator it can work very well. We do feel that society consistently underestimates the reliance we have on computer networks and the level of damage that occurs on a global scale when disruptive events take place.

Our analysis is always based on reliable research and the judgement of experienced risk management and security professionals. If there is a prevailing opinion that somehow we can accomplish our objective in a superior way in the future, we welcome any clear and constructive presentation of how this could be achieved. Such feedback is naturally valuable to us and can be submitted through www.mi2g.net.

Yours sincerely

DK Matai
Executive Chairman, mi2g

Despite serious jet lag following his recent migration to and from California, our security vulture, John Leyden, argues:

It's incredibly hard to calculate the number of infected systems and the total damage caused during a virus outbreak, partly because costs will vary widely by company. If a company doesn't know itself how much a virus outbreak costs it then how can a third party expect to come up with an accurate figure?

Organisations like mi2g attempt to estimate the cost of patching systems and losses in worker productivity from dealing with a viral outbreak. But patching systems is a core part of the work of most sys admins. So how much extra time has actually been wasted? ®