A computer virus infection brings with it many costs, including the staff time required
to eradicate it; expensive hardware, software and file damage; system downtime; and
the most difficult cost to assess -- tarnished reputation.
In terms of sheer expense, sources generally rate the same three worms -- Nimda,
Code Red and SirCam -- as the heaviest hitters of 2001, though precise figures vary
widely.
But antivirus and security experts agreed that they are more concerned
with fighting viruses and preventing their spread than with spending the time and
resources necessary to accurately assess the impact of a given outbreak.
Trend Micro global director of education David Perry, who referred to discussions
with insurance companies calling for better metrics on the subject, said antivirus
firms are similar to other businesses when it comes to assessing the impact of
malicious code.
"We never assess the cost of damage," Perry told NewsFactor. "We're busy keeping up with
new viruses and expanding our technology in the face of new exploits."

Between $10B and $100B?

However, Symantec Security Response director of research Steven Trilling told
NewsFactor that while antivirus companies are not in the business of assessing the
worldwide economic impact of large outbreaks, the financial damage caused by worms is
very real.
"The numbers certainly differ across the various organizations evaluating them,"
Trilling said. "Clearly there is some cost, and it's significant. Whether it was US$10
billion or $100 billion last year, it's hard to say."
Trilling noted that from his company's perspective, the effect of worms is best
measured by the number of submissions the company receives from clients, researchers and
others infected by various viruses.
"That gives us some relative idea of the damage," Trilling said. "It can give us an idea
of the magnitude of a SirCam or a Nimda."

No Time or Money

Forrester associate analyst Laura Koetzle, who recently wrote a report on incident
assessment and response, told NewsFactor that companies can accurately evaluate some
"hard cost" impacts of a virus, such as employee hours consumed and hardware
replacement costs.
However, Koetzle said, other costs -- such as the price of downtime, lost staff
productivity and cost to reputation -- are often much more difficult to measure. In
addition, companies cannot devote IT staff resources to assessing threats because they
are usually busy trying to prevent them.
"They can't pull their ITs and network administrators (to assess damage)," she said.
"They usually shove them on the front lines to fight fires.