computing the cost of incidents

From: sam bailey (usenet@entropymedia.com)
Date: 03/29/03


From: usenet@entropymedia.com (sam bailey)
Date: 29 Mar 2003 09:06:00 -0800

I'm doing some background research for an upcoming television program
on computer security and in the process of reading all the interviews
we've done with people in the field there's a wide variation in the
damage estimates from more recent worms and things like Slammer: from
around hundreds of millions ($US) to hundreds of billions.

I'm no expert on the matter but the higher-end numbers seem mighty
inflated to me - they almost seem like they count the salary of
everyone who's touched a system affected by the worm. I know there
were some serious disruptions in the case of Slammer (trading desks
closed at financial institutions, ATMs, credit card clearing systems)
but I can't see it being more than the GNPs of many small countries.

Can anyone point me towards some resource or method for estimating
these sorts of things a bit more realistically? I understand nobody
can really say for sure on these matters, but I feel like there must be
some way to come up with a rough picture of it. Or if I'm off base
here and these numbers are indeed realistic, that information would be
a great help as well. I worry about this because in news stories on
security issues they often understate some risks and overstate others
- I'm just trying to bring a bit of balance to the process. I'll read
the group here and the email address in the header is valid - any help
would be much appreciated.

Thanks.
sam bailey