The Cost of Love
May 22 2000
The "I Love You" bug, officially named "VBS.LoveLetter.A," continues to tunnel through cyberspace, now with well over a dozen variants. In the virus' first few days, thousands of companies were forced to shut down their servers for extended periods.
As the love-letter worm bores on, the purported costs of its damage continue to mount. Estimates range from a paltry few hundred million dollars to over $15 billion worldwide, according to Julian James, managing director of Lloyd's of London's North American unit. You might think that insurers would be committed to tallying every last dime. But Robin Furber, head of the Cyber Risks Practice of Willis , the No. 3 worldwide insurance broker, doesn't think he'll see any claims. Go figure.
The question is, how much does it really cost companies to deal with such attacks?
The Computer Security Institute and the FBI annually publish a survey of U.S. losses related to computer crime and security for corporations, government agencies, financial institutions and universities. The 1999 survey yielded several insights: 1) system penetrations increased for a third consecutive year, with 30 percent of respondents reporting intrusions; 2) financial losses due to security breaches for 163 respondents amounted to almost $124 million; and 3) 32 percent of respondents have reported serious incidents to law enforcement.
As noted in the survey report, "such losses may or may not impact the bottom line." The most serious financial losses occurred through proprietary information theft. Total financial losses reported in the study "by the handful [of organizations] that could quantify them" have increased annually. That throws global estimates further into doubt.
Network security costs fall into two categories: prevention and recovery. Prevention costs, expenses incurred to prevent attacks, are seldom included in loss calculations. If security resources don't work, why include their costs? But continual planning, policy setting, monitoring and response-planning can cost millions of dollars - even without the gore of penetration and debilitation.
Recovery costs are more concrete, yet they are subject to the assumptions, motivations and skills of those who report them. One must recognize that while breaches are being reported more frequently, the ratio of reports to incidents may be declining, since law enforcement involvement could make a corporation's internal practices public.
So let's look at the probable losses the "I Love You" virus has caused:
- Security personnel overtime: cost to determine why prevention didn't work, who's at fault, and what it will take to fix the security gap.
- Tech-support personnel overtime and reassignment: time spent figuring out what should be fixed or replaced, how to repair the damage, the necessary resources and where they can be obtained and which systems require offline cleanup.
- Attacked system downtime: personnel left idle, unable to perform their jobs . Welcome to the new integrated global business community.
- External vulnerabilities: potential loss of passwords and associated intermediate losses, and possible lawsuit expenses for infecting other organizations.
- Opportunity costs: lost business from down or inoperable systems. How should these attack losses be calculated? What assumptions get applied? Considering that these questions are asked in the context of new threats, old breaches and continually escalating security complexities, each organization may use wildly different methods to estimate losses.
With large insurance deductibles, inadequate loss-calculation models and no time to reflect before the morning-after headlines, damage estimates are guesswork at best. That said, $15 billion in damage from a single virus sounds wildly exaggerated. Bottom line: When you see virus loss estimates, caveat emptor.
Martin Goslar is principal analyst and managing partner of e-PHD.com, an Internet security research and analysis firm.