Re: computing the cost of incidents
From: Bill Unruh (firstname.lastname@example.org)
From: email@example.com (Bill Unruh) Date: 29 Mar 2003 19:09:48 GMT
firstname.lastname@example.org (sam bailey) writes:
]I'm doing some background research for an upcoming television program
]on computer security and in the process of reading all the interviews
]we've done with people in the field there's a wide variation in the
]damage estimates from more recent worms and things like slammer: from
]around hundreds of millions ($US) to hundreds of billions.
]I'm no expert on the matter but the higher-end numbers seem mighty
]inflated to me - they almost seem like they count the salary of
]everyone who's touched a system affected by the worm. I know there
]were some serious disruptions in the case of slammer (trading desks
]closed at financial institutions, atms, credit card clearing systems)
]but I can't see it being more than the GNPs of many small countries.
]can anyone point me towards some resource or method for estimating
]these sorts of things a bit more realistically? I understand nobody
]can really say for sure on these matters I feel like there must be
]some way to come up with a rough picture of it. or if I'm off base
]here and these numbers are indeed realistic that information would be
]a great help as well. I worry about this because in news stories on
]security issues they often understate some risks and overstate others
]- I'm just trying to bring a bit of balance to the process. I'll read
]the group here and the email address in the header is valid - any help
]would be much appreciated.
Almost all such numbers are both pure speculation and self serving. And
without detailing exactly what you mean by "cost" (eg are heart attacks
caused by annoyance at stupid news articles counted as a cost?)
completely impossible to calculate.
And in may cases are they costs atributed to the worm or to the
incompetence of the sysadmins or of the coders (eg not installing
patches which have been available for months or years, or continuing to
use strcpy 10 years after its dangers are well known.)