Information Security News mailing list archives

Texas University Calculates Financial Benefits Of Its Spam, Virus Defenses


From: InfoSec News <isn () c4i org>
Date: Fri, 31 Oct 2003 03:06:58 -0600 (CST)

Forwarded from: Richard Caasi <caasi () gort ucsd edu>

http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=15600902&_loopback=1

By Bob Violino
Secure Enterprise
October 29, 2003

When Lew Wagner, chief information security officer of the M.D.
Anderson Cancer Center at the University of Texas, began to build a
business case for investing hundreds of thousands of dollars in
technology to help thwart spam and viruses, he took it a step further
than most IT shops. Realizing that calculating the value of reduced
risk is a murky arena often riddled with holes and question marks,
Wagner sought concrete return-on-investment metrics to boost his
argument.

"The ROI perspective comes from the fact that if you have impact
against your IT and network resources, it results in downtime and lost
ability to get things done," Wagner says.

Spam has been particularly costly. Wagner says the hospital and
research institution's 13,000 employees would have received up to
25,000 spam messages per day had it not been for a spam-prevention
service implemented earlier this year. In June alone, the service
detected and blocked enough spam to account for more than half of all
the messages received.

Wagner says spam threatened not only network performance but also
worker productivity. He estimates that it costs the medical center $1
for each unwanted mail message that gets through to users' computers.
He figures the Houston medical center receives about 620,000 spam
messages during an average month, so successfully blocking them would
theoretically free up $620,000 for other activities.

Wagner's figures are derived from independent studies on the cost of
cleanup and the center's own experience.

"We know we've been hit a certain number of times in the past," Wagner
says. "We know we will have so many virus and service attacks, and we
know how much it costs to fight them."

Crunching The Numbers

Analysts are mixed on whether Wagner's cost-per-spam figure overstates
the problem. Chris Williams, an analyst at Ferris Research, says users
don't spend enough time clearing their inboxes to warrant such a high
estimate. Still, he doesn't dispute that spam is a costly problem.
Spam will cost U.S. businesses $10 billion in 2003--the result of
lower productivity, loss of legitimate messages and the need for
increased bandwidth and storage, according to Williams' research.

The $1-per-spam estimate may represent the far right of the spectrum,
but it's conceivable, says analyst Rebecca Wettemann of Nucleus
Research.

Spam costs U.S. companies $874 per employee per year in lost
productivity, based on hourly pay of $30 and a work year of 2,080
hours, according to a recent Nucleus report. "There are a number of
factors involved with spam, and the impact is different for every
organization," Wettemann says.

Virus Attacks

Viruses are also a major problem for M.D. Anderson, which at one time
was being bombarded by at least one serious virus attack--Klez,
MyParty.com and Nimda, for instance--every month. Based on what it
cost to clean up the Nimda outbreak in September 2001, Wagner
estimates virus-cleanup costs at roughly $1 million per outbreak.

"We knew that if we could stop spam and viruses from coming into our
network, we could free up money for research on new cancer-fighting
drugs, to treat more patients, and for revenue-generating purposes and
new projects," Wagner says.

Preventing the losses was part of Wagner's business case for buying
security products, such as network- and server-level antivirus and
antispam software from Trend Micro and a Web-based vulnerability-
detection tool called WebInspect from SPIDynamics.

The Trend Micro antivirus package, which cost $150,000 plus $20,000 in
annual maintenance fees, is stopping thousands of viruses each month
from reaching the medical center's computers, Wagner says.

"I could tell the CFO that we were freeing up $12 million with a
$150,000 investment," Wagner says. "We are in a sense creating revenue
by freeing up money that would have been otherwise wasted. That's a
very compelling ROI argument."

[...]



