Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
Original Source: http://www.thewhir.com/features/virus-damage.cfm
Virus Damage a Controversial Science
Author: Philbert Shih
Many observers consider the recent MyDoom virus to be the worst of all time, surpassing last year's Sobig and MS Blaster viruses. But while MyDoom was certainly successful in wreaking havoc on the Internet, it had another effect, raising the question of how we can accurately measure and compare the impact of major viruses and other digital attacks.
Mi2g (mi2g.net), a UK-based digital risk firm, has attempted to do just that, calculating the impact of viruses in terms of economic damage. This is intended to illustrate how "damage is visible from an economic perspective," says DK Matai, mi2g's executive chairman. He says bandwidth overflow or emails deleted by an overzealous spam filter are just two virus effects that have a negative economic component associated with them. One extension of the economic cost, for example, is the man-hours required to deal with such occurrences.
In the case of the MyDoom virus, mi2g estimated over $43.9 billion in economic damage in 215 countries after just two weeks. The United States accounted for $12.2 to $15 billion of that number. Large numbers certainly raise eyebrows. Publications such as CNN, Time, and the New York Times have cited mi2g findings in the past and the attention has prompted observers and critics to question how exactly the firm derives its numbers.
Matai says mi2g employs SIPS (Security Intelligence Products and Systems), an engine that collects and reports on overt hacking activity around the world, to produce its estimates of digital damage. The database in the SIPS engine, maintained since 1995, holds information on over 8,500 hacker groups, keeping records of 380,000 hacking events in addition to other viruses and vulnerabilities as they occur. Updates to the database occur on a daily basis.
The data stored in SIPS is compiled from a wide range of sources. In the first group are "personal relationships" mi2g has with top executives around the world. In addition, mi2g compiles data from its monitoring of hacker bulletin boards, hacker activity and its anonymous communications channels with hacker groups. Matai adds that his organization also works very closely with a range of government intelligence agencies and organizations to investigate specific areas of concern, such as criminal syndicates. Finally, SIPS collects data from various open sources such as anti-virus companies. All of the data that the firm receives from its sources are verified to ensure their accuracy, mi2g says.
EVEDA (Economic Valuation Engine for Damage Analysis) is the component of the SIPS engine that the firm uses to calculate economic damage. EVEDA, according to mi2g, is an econometric model that estimates economic damage caused by digital attacks based on "a unique set of algorithms" that the company's SIPS team has developed in conjunction with economists and risk analysts. When it comes to a specific virus like MyDoom, mi2g aggregates the data it has collected from its various sources and plugs them into EVEDA, which then produces the numbers.
Several economic parameters, weighted to the size of organizations, are factored where applicable and are used to extrapolate the economic damage metric. These include help desk support costs, overtime payments, contingency outsourcing, loss of business, bandwidth clogging, productivity erosion, management time reallocation, recovery cost, software upgrades and others. Matai adds that the algorithm is not static and "continues to modify itself depending on what we have learned from previous outbreaks."
Mi2g's estimates have sparked debate across the industry and in some cases, stern criticism. Rob Rosenberger, a well-known virus expert, is the editor of Vmyths, a Web site dedicated to eradicating what it describes as "computer virus hysteria." Rosenberger has been outspoken about mi2g, accusing the firm of publishing numbers that are inaccurate and designed to attract publicity. "Firms like mi2g make wild guesstimates because they know it will result in valuable free publicity," he says. Rosenberger also criticizes mi2g for not revealing details of its methodology, suggesting that without such information, people are forced to take them on blind faith. "They refuse to explain how they obtain micro-economic data... [and] they even refuse to identify the extrapolation model they use," he explains.
Chris Belthoff, a senior security analyst at Sophos, is also curious about mi2g's methodology. "We don't see how they are able to come up with such numbers and would love to be shown the methods by which they are reached," he says. Belthoff also questions the utility of such numbers. He doesn't see how the average company would find these numbers of much use. "What does $44 billion mean to a typical small or medium sized business?" he asks. And while not denying that there is a real cost resulting from virus infections, "it is very difficult and often misleading to make estimates."
Matai disagrees. He believes that estimates can be very useful. "One of the things that these economic damage numbers are meant to do is give a sense of perspective on how big the problem associated with a particular type of malware [virus] is." In fact, mi2g would be the first to say that its economic damage calculations are not exact, but guesstimates. "These numbers, by and large, we say are not accurate... they are estimates."
Critics who dismiss mi2g question the company's methodology as well as its motives, suggesting that the numerous press releases and large damage estimates are designed merely to attract publicity and help sell its research reports and other digital risk products. In response, mi2g has tempered its own numbers with an element of caution while detailing certain elements of how it produces its metrics.
Estimating virus damage is an inexact science at best. But Matai says mi2g's calculations can be used to gauge the overall and relative damage caused by viruses and digital attacks, helping us develop a somewhat clearer picture of a murky reality.