[infowar.de] The estimates of the costs of virus attacks



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

... mostly come from the company Computer Economics, which, however,
reveals hardly anything about its survey methods. Wired is getting
skeptical about that. So are others. Rob Rosenberger of the virus hoax
site vMyths lists Computer Economics in his "Hysteria Roll Call" section,
a who's who of people who spread virus hysteria.

Ralf <- curious whether anyone knows of estimates other than theirs


Wired News
http://www.wired.com/news/print/0,1294,49681,00.html

Find the Cost of (Virus) Freedom  
By Michelle Delio  

2:00 a.m. Jan. 14, 2002 PST 

Virus and worm attacks were at an all-time high in 2001, costing
corporations billions of dollars, according to the news reports that
followed each release of malicious code.  

Nimda, we were told by articles quoting Computer Economics, cost
companies $635 million in clean-up and lost productivity. The total sum
for the various versions of Code Red was $2.62 billion, SirCam leeched
$1.15 billion out of corporate coffers, and the unlovely Love Bug cost
$8.75 billion to exterminate.  

Computer security incidents related to worms and viruses escalated
dramatically in 2001, according to newly issued statistics by the
Computer Emergency Response Team Coordination Center (CERT/CC). CERT's
statistics, which came out Friday, said that 52,658 security incidents
were reported in 2001, compared to 21,756 in 2000.  

To estimate the damage, media organizations nearly always turn to
Computer Economics -- a California-based research firm whose primary
business is to advise companies on technology investment and marketing
strategies.  

But many industry experts wonder how the company arrives at these
seemingly exorbitant figures. Some antivirus firms and industry
watchdogs said that Computer Economics is less than forthcoming about
the specific data, sources and processes that it uses to tabulate the
economic impact of viruses.  

Some experts say that lack of documentation renders any virus-damage
statistics from the company all but useless.  

"It would be interesting to know why SirCam cost so much, when its
actual impact on systems was pretty negligible," said Keith Cummings, a
London-based systems administrator for a banking and investment firm.
"Why was a self-propagating worm like Code Red, which also opened
security holes, less damaging than the Love Bug? Who exactly was
affected the worst by each worm and why? This data could perhaps be put
to good use, if Computer Economics released complete reports detailing
how they arrive at these figures."   

Michael Erbschloe, vice president of research at Computer Economics,
said that the company tabulates virus cleanup and damage costs from
information provided by its clients, antiviral applications vendors and
systems administrators. 

Erbschloe refused to name the specific sources for the data, saying
that much of this information is provided off the record.  

Erbschloe said that once a virus is on the loose, the company starts
tracking it, checking on its impact and severity with a variety of
sources. The Computer Economics staff then enters the information into a
customized database that enables them to compare the current virus's
impact against previous malicious code incidents.  

Other security professionals, while also not impressed with the
veracity of the dollar amounts provided by Computer Economics, said the
statistics provide a good, general snapshot of the impact of specific
viruses.  

"Erbschloe says that the company uses valid microeconomic data, but he
won't make it available so that people can analyze and critique it,"
said Rob Rosenberger of virus information site vMyths. "Nor will he
adequately explain his collection methodology or adequately explain his
extrapolation model." 

"When I speak to the press, they openly admit a simple truth -- they
must turn to Erbschloe for virus damage guesstimates. No one else will
prostitute the dollar figures reporters and antivirus vendors so
desperately crave."  

Others, while questioning the virus impact estimates that Computer
Economics provides to the media, said they believe the company's
statistics do provide a good general snapshot.  

Richard Forno, Chief Technology Officer at Shadowlogic, a security
consultancy firm, said that it's "nearly impossible" to quantify the
number of systems impacted and the total amount of damage caused by a
virus.  

"Many security professionals take such figures with a grain of salt.
I'm leery of any dollar figure and total systems infected claim," Forno
said.  

But Forno believes the Computer Economics cost totals do work as a
severity-ranking device.  

"But from a big picture perspective, the ratios are about right --
LoveBug was much more devastating than Melissa was -- so that sort of
paints a picture. But I wouldn't use these stats in a master's thesis."  

"It doesn't matter if these figures sound plausible -- when you talk
about 'economic impact' in the virus world, you're talking about
table-napkin math," Rosenberger said. "And you're using arbitrary dollar
figures. No one tabulates valid microeconomic data related to computer
viruses. I repeat: No one tabulates it. We can't even create a metric
without data, let alone something as complex as a global damage
estimate."  

Rosenberger lists Computer Economics in his site's "Hysteria Roll
Call" list, a who's who of people feeding the flames of computer virus
hysteria.  

Some systems administrators have wondered why Computer Economics cites
such high costs for virus cleanup since many companies don't ordinarily
hire additional staff to deal with the mess.  

"I'm paid the same hourly rate whether I'm patching the system or
cleaning a virus," said Aneil Patel, a systems administrator for a
Manhattan graphics firm. "I'm paid to deal with whatever comes up, like
most of my colleagues, so the figures cited by Computer Economics for
cleanup costs have always puzzled me. Is someone out there getting
special hazard pay for dealing with viruses?"  

Erbschloe said that while large companies do have IT staff, many
small- to mid-size companies do not, and so they must call in a
consultant to purge the infestation.  

"Smaller companies are the sitting ducks -- far more likely to be hit
with a virus or worm than the larger firms," Erbschloe said.  

Many security experts agreed there are real costs involved in battling
malicious code.  

"We can safely assume that there are costs associated with the
remedying of a virus event," said Marquis Grove, a systems administrator
who maintains Security News Portal, a security site.  

"However, the slapping of a 'guesstimated' value on that event is open
to debate and challenge as there will never be an accurate accounting of
the expenses incurred by each affected individual. Instead, the
statisticians attempt to slap an estimated cost per incident and
multiply it by the estimated number of affected individuals," Grove
said. He characterized the statisticians as "punching at ghosts." "You
know it is there but you just can't get your hands on anything."  

Security experts instead rely on systems administrators' virus reports
such as The Virus Bulletin's Prevalence Table and Joe Wells' WildList.
The lists are regarded as among the most accurate compilations of
malicious code actively propagating online.  

"The bottom line is that malicious code events are on the rise, both
in frequency and alleged financial damages," Shadowlogic's Forno said.
"The inherent vulnerabilities of the Windows operating system makes it
very easy to exploit by a rogue programmer."  

Forno said the constant patching is taking its toll. "It's what I call
a perpetual game of PC-triage, and many of our 'IT paramedics' are
burning out from running on this update treadmill."  

Erbschloe agreed that events and costs are clearly on the rise. He
said the company is getting interesting results from its focus groups
where people discuss how and why viruses spread.  

"We're starting to hear reports from people, stating that they know
for a fact that their co-workers are opening viruses to get a 'vacation
day.'" Erbschloe said sometimes it's a deliberate act of sabotage
because employees hate their job, or they just want to knock the network
offline so that they can relax for a day.  

"That may explain why even the 'dumb viruses' are as effective as they
are."
