Cost estimates associated with damages and downtime from worms and viruses are a hot commodity. Unfortunately estimates are all there is, with no solid data to back it up. But CIOs can make all the difference by demanding such information from their security teams.
The following story could serve as a real-life example. A CIO calls down to his webmaster and his security manager. "I want you both in my office at noon. Bring all of your graphs and charts."
When the meeting begins, the webmaster displays two dozen charts and graphs related to the firm's Web site. "We've been collecting data since 1996 when we first arrived on the Web," the webmaster proudly beams. "Are there any questions?"
The CIO nods his approval.
The security manager holds up an international survey. He states with authority, "As this survey attests, the threat of computer viruses has risen from a nuisance to an epidemic. My team has fought them for years, as you well know. Are there any questions?"
The CIO seems bewildered. "Where're the charts and graphs for our firm?"
The computer security manager replies, "We don't keep track of virus infections."
The CIO's jaw drops to the floor. "Why not?"
The computer security manager shakes his head. "We've never seen a need for that data in almost two decades."
This, then, is our first dirty little secret -- security experts don't keep data on virus attacks at the personal/corporate level. We rely exclusively on "international surveys" and "global estimates." But how can we fill out a survey or declare an estimate if we have no data to begin with?
For more info on this topic, visit these SearchSecurity.com resources:
Virus Prevention Tip: Securing wireless access against malware invasion
Executive Security Strategies:
A reality checklist for an effective security policy
Ask the Expert: How to cost-effectively battle viruses
This, then, is our second dirty little secret -- security experts pull estimates out of thin air. And some of them are better at it than others.
Not to name names, but some companies have grown infamous for spouting absurdly "precise" estimates. "Preliminary data shows that all the Netsky variants put together have already caused between $25.6 billion and $31.3 billion of estimated damages worldwide," mi2g trumpeted in a recent press release. "The combined economic damage to date from Bagle, Mydoom and Netsky has now crossed $100 billion worldwide," declared another recent press release from mi2g.
The press routinely publishes "estimates" without question -- not just because they sound so precise, but also because there are no other numbers to publish. Few companies are willing to go out on such a limb in exchange for media exposure, but it wasn't always this way.
Antivirus firms and even government agencies used to declare damage estimates to any reporter who would publish it. Slowly, one by one, they fell by the wayside from criticism. mi2g is currently the major source for virus damage estimates and endures constant criticism, but probably won't stop anytime soon because reporters crave numbers.
The solution may seem simple enough -- start collecting data! -- but it's not as simple as you'd think. You see, webmasters collect data because it's valuable to them. Security experts will only collect data if/when they consider it valuable.
Virus infection data is "irrelevant" right now, and only a CIO can change this. Things will change when CIOs drop their jaws at the utter lack of virus data. That's when we'll start collecting data and stop pulling estimates out of thin air.
Unfortunately, we'll never truly know what's happened in the last 18 years of virus attacks. We lost the most valuable data of all -- the beginning. But you know what upsets me most? We didn't lose all of this data because of a virus....
About this author
Rob Rosenberger is one of the original virus experts from the 1980s, and the first to focus on virus hysteria. He is an editor and columnist at Vmyths.com.
