Lies, damned lies and anti-virus statistics

[InfoSec News <isn () c4i org>]

http://www.theregister.co.uk/content/56/23707.html

By John Leyden
Posted: 16/01/2002 at 17:33 GMT

Computer Economics has published its assessment of the damage
worldwide caused by malicious code attacks in 2001 - the figure comes
in at a whopping $13.2 billion.

This is 23 per cent less than 2000, the year of the Love Bug, when
damages from viruses were estimated at $17.1bn. In 1999 the cost to
the world was $12.1 billion in 1999, Computer Economics says.

The research firm has totted up the damage wreaked by viruses each
year since 1995, But the results are controversial.

Critics in the antivirus industry dismiss Computer Economics
assessment of the damage caused by the combined effects of Nimda ($635
million), Code Red variants ($2.62 billion), SirCam ($1.15 billion) et
al last year as a "guesstimate".

They argue that it's hard to calculate the number of infected systems
and the total damage caused during a virus outbreak, partly because
costs will vary widely by company. Patching systems is, after all, a
core part of the work of most sysadmins.

Michael Erbschloe, vice president of research at Computer Economics,
angrily rejected criticisms of its methodology and said its work
helped firms decide how to defend against viruses.

Erbschloe said Computer Economics does "everything we can to get an
accurate number and great lengths to determine what the hit rate is".  
The $13.2 billion figure on the cost of infections in 2001 is "not an
audit" but it is "accurate", although Erbschloe declined to say just
how accurate it was.

Methodology

Computer Economics' methodology involves first conferring with
anti-virus companies, governments, law enforcement and major firms,
Erbschloe told us. It then tries to work out how many people received
a virus and from that calculates how many were infected. From this,
Computer Economics estimates the cost of patching systems and losses
in worker productivity from dealing with a viral outbreak, based on
benchmarking the cost of cleaning a computer of a virus.

One of the problems of this approach, explains Alex Shipp, chief
antivirus technologist at managed services firm MessageLabs, is that
"users are unable to estimate the damage a virus outbreak might cause
their own company ... so how does a third party get a figure?"

Graham Cluley, senior technology consultant at Sophos Anti-Virus,
described Computer Economics figures as a "guesstimate", supported by
insufficient data.

"Most companies simply don't know how much a virus cost them," he
said. "As well as lost productivity, viruses can also cost money
through damaged credibility, effects on customer relations and attacks
on confidentiality which is hard to estimate."

MessageLabs and Sophos say that Computer Economics has never contacted
them about statistics on infections.

Even if a vendor tracks the percentage of infected emails it blocks
(as MessageLabs does), or consumer PCs scanned which are infected (as
McAfee does), it is very difficult to place a dollar figure on such
data.

Erbschloe said he didn't care what Sophos or MessageLabs thought. He
said AV vendors quote Computer Economics figures but disagree when an
estimate is either higher or lower than suits them.

"Some of them are full of shit," Erbschloe told us, before calming
down to say, "our figures help end-users decide how much to spend on
antivirus".

Assessing the cost of virus infections isn't like counting server
sales, and whoever you sympathise with here, it would be wise to take
any figures with a grain of salt and to remember the AV industry has
struggled with metrics for years.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.