Virus Damage a Controversial Science

Philbert Shih, theWHIR.com

March 12, 2004 -- (WEB HOST INDUSTRY REVIEW) -- Many observers consider the recent MyDoom virus to be the worst of all time, surpassing last year's Sobig and MS Blaster viruses. But while MyDoom was certainly successful in wreaking havoc on the Internet, it had another effect, raising the question of how we can accurately measure and compare the impact of major viruses and other digital attacks.

Mi2g (mi2g.net), a UK-based digital risk firm, has attempted to do just that, calculating the impact of viruses in terms of economic damage. This is intended to illustrate how "damage is visible from an economic perspective," says DK Matai, mi2g's executive chairman. He says bandwidth overflow or emails deleted by an overzealous spam filter are just two virus effects that have a negative economic component associated with them. One extension of the economic cost, for example, is the man-hours required to deal with such occurrences.

In the case of the MyDoom virus, mi2g estimated over $43.9 billion in economic damage in 215 countries after just two weeks. The United States accounted for $12.2 to $15 billion of that number. Large numbers certainly raise eyebrows. Publications such as CNN, Time, and the New York Times have cited mi2g findings in the past and the attention has prompted observers and critics to question how exactly the firm derives its numbers.

Matai says mi2g employs SIPS (Security Intelligence Products and Systems), an engine that collects and reports on overt hacking activity around the world, to produce its estimates of digital damage. The database in the SIPS engine, maintained since 1995, holds information on over 8,500 hacker groups, keeping records of 380,000 hacking events in addition to other viruses and vulnerabilities as they occur. Updates to the database occur on a daily basis.

The data stored in SIPS is compiled from a wide range of sources. In the first group are "personal relationships" mi2g has with top executives around the world. In addition, mi2g compiles data from its monitoring of hacker bulletin boards, hacker activity and its anonymous communications channels with hacker groups. Matai adds that his organization also works very closely with a range of government intelligence agencies and organizations to investigate specific areas of concern, such as criminal syndicates. Finally, SIPS collects data from various open sources such as anti-virus companies. All of the data that the firm receives from its sources are verified to ensure their accuracy, mi2g says.

EVEDA (Economic Valuation Engine for Damage Analysis) is the component of the SIPS engine that the firm uses to calculate economic damage. EVEDA, according to mi2g, is an econometric model that estimates economic damage caused by digital attacks based on "a unique set of algorithms" that the company's SIPS team has developed in conjunction with economists and risk analysts. When it comes to a specific virus like MyDoom, mi2g aggregates the data it has collected from its various sources and plugs them into EVEDA, which then produces the numbers.

Several economic parameters, weighted to the size of organizations, are factored in where applicable and are used to extrapolate the economic damage metric. These include help desk support costs, overtime payments, contingency outsourcing, loss of business, bandwidth clogging, productivity erosion, management time reallocation, recovery cost, software upgrades and others. Matai adds that the algorithm is not static and "continues to modify itself depending on what we have learned from previous outbreaks."

Mi2g's estimates have sparked debate across the industry and in some cases, stern criticism. Rob Rosenberger, a well-known virus expert, is the editor of Vmyths, a Web site dedicated to eradicating what it describes as "computer virus hysteria." Rosenberger has been outspoken about mi2g, accusing the firm of publishing numbers that are inaccurate and designed to attract publicity. "Firms like mi2g make wild guesstimates because they know it will result in valuable free publicity," he says. Rosenberger also criticizes mi2g for not revealing details of its methodology, suggesting that without such information, people are forced to take them on blind faith. "They refuse to explain how they obtain micro-economic data... [and] they even refuse to identify the extrapolation model they use," he explains.

Chris Belthoff, a senior security analyst at Sophos, is also curious about mi2g's methodology. "We don't see how they are able to come up with such numbers and would love to be shown the methods by which they are reached," he says. Belthoff also questions the utility of such numbers. He doesn't see how the average company would find these numbers of much use. "What does $44 billion mean to a typical small or medium sized business?" he asks. And while not denying that there is a real cost resulting from virus infections, he says "it is very difficult and often misleading to make estimates."

Matai disagrees. He believes that estimates can be very useful. "One of the things that these economic damage numbers are meant to do is give a sense of perspective on how big the problem associated with a particular type of malware [virus] is." In fact, mi2g would be the first to say that its economic damage calculations are not exact, but guesstimates. "These numbers, by and large, we say are not accurate... they are estimates."

Critics who dismiss mi2g question the company's methodology as well as its motives, suggesting that the numerous press releases and large damage estimates are designed merely to attract publicity and help sell its research reports and other digital risk products. In response, mi2g has tempered its own numbers with an element of caution while detailing certain elements of how it produces its metrics.

Estimating virus damage is an inexact science at best. But Matai says mi2g's calculations can be used to gauge the overall and relative damage caused by viruses and digital attacks, helping us develop a somewhat clearer picture of a murky reality.
