This article is from the Computer viruses FAQ, by David Harley D.Harley@icrf.icnet.uk, George Wenzel gwenzel@telusplanet.net and Bruce Burrell bpb@umich.edu with numerous contributions by others.
Some, possibly even less reliable than the average survey on general
security breaches. Why?
* Many reported virus incidents aren't, in fact, virus incidents, as
many a PC support specialist will confirm. There is a tendency to
attribute any PC anomaly to a virus, among those who are not well
acquainted with the virus arena. Unfortunately, this includes
virtually the entire press corps and many security consultants. Also,
some widely-used packages are noticeably prone to false alarms.
* Many actual virus incidents and other security breaches are not
reported, due to the intervention of top management or Public
Relations, out of fear of losing competitive advantage because of
being perceived as badly-managed and insecure.
* Many other virus incidents and security breaches aren't reported
because they're simply not recognised as such, or at all.
* There are no standards for reporting and assessing damage from
viruses and other security breaches. Take the case of Christopher
Pile (the Black Baron), who was convicted in the UK under the
Computer Misuse Act: I have seen estimates in the UK press of
the damage sustained by the company most affected by the viruses
Pile spread ranging from #40,000 to #500,000, and this is an
unusually well-documented incident. How can the average survey
respondent be expected to make an accurate assessment?
The trouble is, there's a lot more to 'damage' than the figures
estimated for a particular outbreak.
* Cost of maintaining virus protection
  * Training and maintaining a response team
  * Management costs
  * Cost of software licences
  * Cost in time/productivity/money of maintaining upgrades etc.
  * Formulating and enforcing policy
  * Educating users in the issues and good hygienic practice
  * Cost in time of routine anti-virus measures
  * Cost in money and time of servicing false alarms
  * Cost of sheepdip systems
  * Cost of having part-time A/V people taking time off from their
    'real' jobs
  * Alternatively, the cost of having full-time A/V personnel
  * Cost of tracking the product market and technological changes
  * Formulating and enforcing a backup policy
  * Development of protective systems
  * Resource utilisation by undetected viruses
* Cost of specific outbreaks
  * Loss of productivity
  * Workstation/Server downtime
  * Damage to reputation of the organization
  * Damage to involved personnel
  * Psychological damage - witch hunts
  * Damage limitation:
    * Time spent cleaning up, examining floppies etc.
    * Restoration of backups/reinstallation
    * Replacing unrecoverable data
    * Time and money spent increasing virus protection...
However, the Poor Bloody Infantry often have to spend time and effort
persuading the Generals of the need to expend money on ammunition.
You might care to check out:
* The Information Security Breaches Survey 1996 [UK]
[National Computing Centre, ICL, ITSEC, Dept. of Trade & Industry]
NCC
Oxford House
Oxford Road
Manchester
M1 7ED
(voice) +44(0) 161 228 6333
(fax) +44(0) 161 242 2171
enquiries@ncc.co.uk
http://www.ncc.co.uk/
This came up with the highly suspect but much quoted average of about
#4000 per virus incident.
* Computer Virus & Security Survey 1995 [Ireland]
[Price Waterhouse, Priority Data Systems]
Price Waterhouse
Wilton Place
Dublin 2
(353 1) 6606700
++Added August 18th.
* ICSA have published surveys for some years. The 1999 survey is the
best to date.
<http://www.icsa.net/>