Money for Nothing: The Real Cost of Malware

Viruses , Trojan horses and other types of malware are worthless, but they most certainly affect your company's bottom line. The cost of anti-malware tools and measures, combined with the loss of productivity that occurs when security technologies fail to halt an attack, can amount to big bucks. Technology research firm Computer Economics Inc. reports that malware damages worldwide in 2006 totaled $13.3 billion. That's bad news, of course, but just how many dollars is malware costing your business?

You may feel that malware's cost is inestimable. But it actually can be quantified through some straightforward analysis. Here's what to factor in to the equation.

Assign values. You need to assign a value to your company's data. Determine how much it would cost to restore or re-create different types of lost information. Some types of data, such as sales records, tax information and contact information, will be relatively easy to restore (at least if you regularly back up data). Other kinds of information, including sales data and email received since the last backup, will be much more difficult to reassemble (if it can be done at all). In any case, try to place a dollar figure on the cost of recently received information. (Remember: The more often you back up data, the lower this cost will be.)

Estimate the loss potential. Determine the cost of recovering from a malware attack, including lost productivity and IT staff time. You also need to include revenues that were lost due to systems that were compromised by an attack. Additionally, factor in the potential cost of fines and penalties for violating confidentiality and privacy agreements by allowing the disclosure of sensitive information during a security breach. By estimating these amounts, you can determine the SLE (single loss expectancy) — in other words, the expense of recovering from a single attack.

Determine the risk potential. Now you have to figure out the potential for a malware attack. If, based on past experience, you estimate that your business suffers a significant malware attack approximately once per year, your business has an ALE (annual loss expectancy) that equals the cost of that single attack. If you estimate two attacks per year, the ALE doubles. In any event, multiplying the SLE by the ALE shows the dollar amount that malware is costing your business each year.

Begin planning your anti-malware budget. The ALE will give you a rough idea of the maximum amount you should spend on malware countermeasures. Many companies may wish to spend far less, however. That's because there are situations in which businesses are willing to accept a higher malware risk, either because the likelihood of an attack is so low or the cost of mitigating the risk is so high. Alternatively, an organization could mitigate the risk by purchasing insurance.

Knowing how much malware is costing your business can be an invaluable tool for setting security budgets and determining whether particular anti-malware technologies and methodologies are pulling their weight.